This is a security advisory for an XSS vulnerability in graphiql.
A similar vulnerability affects graphql-playground, a fork of graphiql. There is a corresponding graphql-playgroundadvisory and Apollo Server advisory.
1. Impact
All versions of graphiql older than graphiql@1.4.7 are vulnerable to compromised HTTP schema introspection responses or schema prop values with malicious GraphQL type names, exposing a dynamic XSS attack surface that can allow code injection on operation autocomplete.
In order for the attack to take place, the user must load a vulnerable schema in graphiql. There are a number of ways that can occur.
By default, the schema URL is not attacker-controllable in graphiql or in its suggested implementations or examples, leaving only very complex attack vectors.
If a custom implementation of graphiql's fetcher allows the schema URL to be set dynamically, such as a URL query parameter like ?endpoint= in graphql-playground, or a database provided value, then this custom graphiql implementation is vulnerable to phishing attacks, and thus much more readily available, low or no privelege level xss attacks. The URLs could look like any generic looking graphql schema URL.
Because this exposes an XSS attack surface, it would be possible for a threat actor to exfiltrate user credentials, data, etc. using arbitrary malicious scripts, without it being known to the user.
2. Scope
This advisory describes the impact on the graphiql package. The vulnerability also affects other projects forked from graphiql such as graphql-playground and the graphql-playground fork distributed by Apollo Server. The impact is more severe in the graphql-playground implementations; see the graphql-playground advisory and Apollo Server advisory for details.
This vulnerability does not impact codemirror-graphql, monaco-graphql or other dependents, as it exists in onHasCompletion.ts in graphiql. It does impact all forks of graphiql, and every released version of graphiql.
It should be noted that desktop clients such as Altair, Insomnia, Postwoman, do not appear to be impacted by this.
3. Patches
graphiql@1.4.7 addresses this issue via defense in depth.
HTML-escaping text that should be treated as text rather than HTML. In most of the app, this happens automatically because React escapes all interpolated text by default. However, one vulnerable component uses the unsafe innerHTML API and interpolated type names directly into HTML. We now properly escape that type name, which fixes the known vulnerability.
Validates the schema upon receiving the introspection response or schema changes. Schemas with names that violate the GraphQL spec will no longer be loaded. (This includes preventing the Doc Explorer from loading.) This change is also sufficient to fix the known vulnerability. You can disable this validation by setting dangerouslyAssumeSchemaIsValid={true}, which means you are relying only on escaping values to protect you from this attack.
Ensuring that user-generated HTML is safe. Schemas can contain Markdown in description and deprecationReason fields, and the web app renders them to HTML using the markdown-it library. As part of the development of graphiql@1.4.7, we verified that our use of markdown-it prevents the inclusion of arbitrary HTML. We use markdown-it without setting html: true, so we are comfortable relying on markdown-it's HTML escaping here. We considered running a second level of sanitization over all rendered Markdown using a library such as dompurify but believe that is unnecessary as markdown-it's sanitization appears to be adequate. graphiql@1.4.7 does update to the latest version of markdown-it (v12, from v10) so that any security fixes in v11 and v12 will take effect.
3.1 CDN bundle implementations may be automatically patched
Note that if your implementation is depending on a CDN version of graphiql, and is pointed to the latest tag (usually the default for most cdns if no version is specified) then this issue is already mitigated, in case you were vulnerable to it before.
4. Workarounds for Older Versions
If you cannot use graphiql@1.4.7 or later
Always use a static URL to a trusted server that is serving a trusted GraphQL schema.
If you have a custom implementation that allows using user-provided schema URLs via a query parameter, database value, etc, you must either disable this customization, or only allow trusted URLs.
5. How to Re-create the Exploit
You can see an example on codesandbox. These are both fixed to the last graphiql release 1.4.6 which is the last vulnerable release; however it would work with any previous release of graphiql.
Both of these examples are meant to demonstrate the phishing attack surface, so they are customized to accept a url parameter. To demonstrate the phishing attack, add ?url=https://graphql-xss-schema.netlify.app/graphql to the in-codesandbox browser.
Erase the contents of the given query and type {u. You will see an alert window open, showing that attacker-controlled code was executed.
Note that when React is in development mode, a validation exception is thrown visibly; however that exception is usually buried in the browser console in a production build of graphiql. This validation exception comes from getDiagnostics, which invokes graphqlvalidate() which in turn will assertValidSchema(), as apollo-server-core does on executing each operation. This validation does not prevent the exploit from being successful.
Note that something like the url parameter is not required for the attack to happen if graphiql's fetcher is configured in a different way to communicate with a compromised GraphQL server.
6. Credit
This vulnerability was discovered by @Ry0taK, thank you! :1st_place_medal:
This PR contains the following updates:
^0.17.0->^1.0.0GitHub Vulnerability Alerts
CVE-2021-41248
This is a security advisory for an XSS vulnerability in
graphiql.A similar vulnerability affects
graphql-playground, a fork ofgraphiql. There is a correspondinggraphql-playgroundadvisory and Apollo Server advisory.1. Impact
All versions of
graphiqlolder thangraphiql@1.4.7are vulnerable to compromised HTTP schema introspection responses orschemaprop values with malicious GraphQL type names, exposing a dynamic XSS attack surface that can allow code injection on operation autocomplete.In order for the attack to take place, the user must load a vulnerable schema in
graphiql. There are a number of ways that can occur.By default, the schema URL is not attacker-controllable in
graphiqlor in its suggested implementations or examples, leaving only very complex attack vectors.If a custom implementation of
graphiql'sfetcherallows the schema URL to be set dynamically, such as a URL query parameter like?endpoint=ingraphql-playground, or a database provided value, then this customgraphiqlimplementation is vulnerable to phishing attacks, and thus much more readily available, low or no privelege level xss attacks. The URLs could look like any generic looking graphql schema URL.Because this exposes an XSS attack surface, it would be possible for a threat actor to exfiltrate user credentials, data, etc. using arbitrary malicious scripts, without it being known to the user.
2. Scope
This advisory describes the impact on the
graphiqlpackage. The vulnerability also affects other projects forked fromgraphiqlsuch asgraphql-playgroundand thegraphql-playgroundfork distributed by Apollo Server. The impact is more severe in thegraphql-playgroundimplementations; see thegraphql-playgroundadvisory and Apollo Server advisory for details.This vulnerability does not impact
codemirror-graphql,monaco-graphqlor other dependents, as it exists inonHasCompletion.tsingraphiql. It does impact all forks ofgraphiql, and every released version ofgraphiql.It should be noted that desktop clients such as Altair, Insomnia, Postwoman, do not appear to be impacted by this.
3. Patches
graphiql@1.4.7addresses this issue via defense in depth.HTML-escaping text that should be treated as text rather than HTML. In most of the app, this happens automatically because React escapes all interpolated text by default. However, one vulnerable component uses the unsafe
innerHTMLAPI and interpolated type names directly into HTML. We now properly escape that type name, which fixes the known vulnerability.Validates the schema upon receiving the introspection response or schema changes. Schemas with names that violate the GraphQL spec will no longer be loaded. (This includes preventing the Doc Explorer from loading.) This change is also sufficient to fix the known vulnerability. You can disable this validation by setting
dangerouslyAssumeSchemaIsValid={true}, which means you are relying only on escaping values to protect you from this attack.Ensuring that user-generated HTML is safe. Schemas can contain Markdown in
descriptionanddeprecationReasonfields, and the web app renders them to HTML using themarkdown-itlibrary. As part of the development ofgraphiql@1.4.7, we verified that our use ofmarkdown-itprevents the inclusion of arbitrary HTML. We usemarkdown-itwithout settinghtml: true, so we are comfortable relying onmarkdown-it's HTML escaping here. We considered running a second level of sanitization over all rendered Markdown using a library such asdompurifybut believe that is unnecessary asmarkdown-it's sanitization appears to be adequate.graphiql@1.4.7does update to the latest version ofmarkdown-it(v12, from v10) so that any security fixes in v11 and v12 will take effect.3.1 CDN bundle implementations may be automatically patched
Note that if your implementation is depending on a CDN version of
graphiql, and is pointed to thelatesttag (usually the default for most cdns if no version is specified) then this issue is already mitigated, in case you were vulnerable to it before.4. Workarounds for Older Versions
If you cannot use
graphiql@1.4.7or laterAlways use a static URL to a trusted server that is serving a trusted GraphQL schema.
If you have a custom implementation that allows using user-provided schema URLs via a query parameter, database value, etc, you must either disable this customization, or only allow trusted URLs.
5. How to Re-create the Exploit
You can see an example on codesandbox. These are both fixed to the last
graphiqlrelease1.4.6which is the last vulnerable release; however it would work with any previous release ofgraphiql.Both of these examples are meant to demonstrate the phishing attack surface, so they are customized to accept a
urlparameter. To demonstrate the phishing attack, add?url=https://graphql-xss-schema.netlify.app/graphqlto the in-codesandbox browser.Erase the contents of the given query and type
{u. You will see an alert window open, showing that attacker-controlled code was executed.Note that when React is in development mode, a validation exception is thrown visibly; however that exception is usually buried in the browser console in a production build of
graphiql. This validation exception comes fromgetDiagnostics, which invokesgraphqlvalidate()which in turn willassertValidSchema(), asapollo-server-coredoes on executing each operation. This validation does not prevent the exploit from being successful.Note that something like the
urlparameter is not required for the attack to happen ifgraphiql'sfetcheris configured in a different way to communicate with a compromised GraphQL server.6. Credit
This vulnerability was discovered by @Ry0taK, thank you! :1st_place_medal:
Others who contributed:
7. References
The vulnerability has always been present
In the first commit
And later moved to onHasCompletion.js in 2016 (now
.tsafter the typescript migration)8. For more information
If you have any questions or comments about this advisory:
Release Notes
graphql/graphiql
### [`v1.4.7`](https://togithub.com/graphql/graphiql/releases/graphiql@1.4.7) ##### Patch Changes - [`130ddad6`](https://togithub.com/graphql/graphiql/commit/130ddad6d0394356ec32070a6fee1840450a4660) Thanks [@acao](https://togithub.com/acao)! - **CRITICAL SECURITY PATCH** for the [GraphiQL introspection schema template injection attack](https://togithub.com/graphql/graphiql/security/advisories/GHSA-x4r7-m2q9-69c8) ### [`v1.4.6`](https://togithub.com/graphql/graphiql/releases/graphiql@1.4.6) ##### Patch Changes - [`d3a88283`](https://togithub.com/graphql/graphiql/commit/d3a88283c7b618376ad4a06c7db20e60b066d1a0) [#1934](https://togithub.com/graphql/graphiql/pull/1934) Thanks [@tonyfromundefined](https://togithub.com/tonyfromundefined)! - add react 17, 18 in peerDependencies - [`afaa36c1`](https://togithub.com/graphql/graphiql/commit/afaa36c198648e84f305986a0b1dfefa97e70221) [#1883](https://togithub.com/graphql/graphiql/pull/1883) Thanks [@Sweetabix1](https://togithub.com/Sweetabix1)! - Updating font colors for line numbers, comments & brackets from [#999](https://togithub.com/graphql/graphiql/issues/999) to [#666](https://togithub.com/graphql/graphiql/issues/666) for accessibility purposes. [#666](https://togithub.com/graphql/graphiql/issues/666) passes AA accessibility standards for small text, with a contrast ratio of over 5:1. - [`75dbb0b1`](https://togithub.com/graphql/graphiql/commit/75dbb0b18e2102d271a5cfe78faf54fe22e83ac8) [#1777](https://togithub.com/graphql/graphiql/pull/1777) Thanks [@dwwoelfel](https://togithub.com/dwwoelfel)! - adopt block string parsing for variables in language parser - Updated dependencies \[[`0e2c1a02`](https://togithub.com/graphql/graphiql/commit/0e2c1a020cc2761155f7c9467d3ed4cb45941aeb), [`75dbb0b1`](https://togithub.com/graphql/graphiql/commit/75dbb0b18e2102d271a5cfe78faf54fe22e83ac8)]: - graphql-language-service@3.1.6 - codemirror-graphql@1.0.3 ### [`v1.4.5`](https://togithub.com/graphql/graphiql/releases/graphiql@1.4.5) ##### Patch Changes - [`86795d5f`](https://togithub.com/graphql/graphiql/commit/86795d5ffa2d3e6c8aee74f761d02f054b428d46) Thanks [@acao](https://togithub.com/acao)! - Remove bad type definition from `subscriptions-transport-ws` [#1992](https://togithub.com/graphql/graphiql/issues/1992) closes [#1989](https://togithub.com/graphql/graphiql/issues/1989) - Updated dependencies \[[`86795d5f`](https://togithub.com/graphql/graphiql/commit/86795d5ffa2d3e6c8aee74f761d02f054b428d46)]: - [@graphiql/toolkit](https://togithub.com/graphiql/toolkit)[@0](https://togithub.com/0).3.2 ### [`v1.4.4`](https://togithub.com/graphql/graphiql/releases/graphiql@1.4.4) ##### Patch Changes - [`62e786b5`](https://togithub.com/graphql/graphiql/commit/62e786b57cc5748eccac59814dfc8ecd0104c748) [#1990](https://togithub.com/graphql/graphiql/pull/1990) Thanks [@acao](https://togithub.com/acao)! - Remove type definition from `subscriptions-transport-ws` - Updated dependencies \[[`62e786b5`](https://togithub.com/graphql/graphiql/commit/62e786b57cc5748eccac59814dfc8ecd0104c748)]: - [@graphiql/toolkit](https://togithub.com/graphiql/toolkit)[@0](https://togithub.com/0).3.1 ### [`v1.4.3`](https://togithub.com/graphql/graphiql/releases/graphiql@1.4.3) ##### Patch Changes - [`6a459f4c`](https://togithub.com/graphql/graphiql/commit/6a459f4c235bb0d70725ae6ad7fc1cfa34f49dca) [#1968](https://togithub.com/graphql/graphiql/pull/1968) Thanks [@acao](https://togithub.com/acao)! - Remove `optionalDependencies` entirely, remove `subscriptions-transport-ws` which introduces vulnerabilities, upgrade `@n1ru4l/push-pull-async-iterable-iterator` to 3.0.0, upgrade `graphql-ws` several minor versions - the `graphql-ws@5.x` upgrade will come in a later minor release. - [`eb2d91fa`](https://togithub.com/graphql/graphiql/commit/eb2d91fa8e4a03cb5663f27f724db2c95989a40f) [#1914](https://togithub.com/graphql/graphiql/pull/1914) Thanks [@harshithpabbati](https://togithub.com/harshithpabbati)! - fix: history can now be saved even when query history panel is not opened feat: create a new maxHistoryLength prop to allow more than 20 queries in history panel - [`04fad79c`](https://togithub.com/graphql/graphiql/commit/04fad79c094318d4b4c9e0250c5cff55d9fc5116) [#1889](https://togithub.com/graphql/graphiql/pull/1889) Thanks [@henryqdineen](https://togithub.com/henryqdineen)! - feat: export ToolbarSelectOption and ToolbarMenuItem - [`cd685435`](https://togithub.com/graphql/graphiql/commit/cd6854352ac6beff57af76db7de38e8157ff13aa) [#1923](https://togithub.com/graphql/graphiql/pull/1923) Thanks [@cgarnier](https://togithub.com/cgarnier)! - Fix result window theme - Updated dependencies \[[`6a459f4c`](https://togithub.com/graphql/graphiql/commit/6a459f4c235bb0d70725ae6ad7fc1cfa34f49dca), [`2fd5bf72`](https://togithub.com/graphql/graphiql/commit/2fd5bf7239edb78339e5ac7211f09c245e47c3bb)]: - [@graphiql/toolkit](https://togithub.com/graphiql/toolkit)[@0](https://togithub.com/0).3.0 - graphql-language-service@3.1.5 ### [`v1.4.2`](https://togithub.com/graphql/graphiql/releases/graphiql@1.4.2) ##### Patch Changes - [`5b8a057d`](https://togithub.com/graphql/graphiql/commit/5b8a057dd64ebecc391be32176a2403bb9d9ff92) [#1838](https://togithub.com/graphql/graphiql/pull/1838) Thanks [@acao](https://togithub.com/acao)! - Set all cross-runtime build targets to es6 ### [`v1.3.2`](https://togithub.com/graphql/graphiql/releases/graphiql@1.3.2) [Compare Source](https://togithub.com/graphql/graphiql/compare/90be38760edbfc6d31282e2211263784f747956b...5a26a22e9bc0b6822bcc46a1c8297ddcec2d86be) **Note:** Version bump only for package graphiql ### [`v1.3.1`](https://togithub.com/graphql/graphiql/releases/graphiql@1.3.1) [Compare Source](https://togithub.com/graphql/graphiql/compare/464a8851e1a02e6ef255729b3acd6dcb0dc0abce...90be38760edbfc6d31282e2211263784f747956b) **Note:** Version bump only for package graphiql ### [`v1.3.0`](https://togithub.com/graphql/graphiql/blob/HEAD/CHANGELOG.md#GraphQL-Language-Service-Types-130---11-Aug-2019) [Compare Source](https://togithub.com/graphql/graphiql/compare/v1.2.2...464a8851e1a02e6ef255729b3acd6dcb0dc0abce) ##### Chores - BREAKING: change copyright to MIT - BREAKING: add peer support for graphql 14.x - update formatting for monorepo eslint/prettier rules - update readme, badges ### [`v1.2.2`](https://togithub.com/graphql/graphiql/blob/HEAD/CHANGELOG.md#GraphQL-Language-Service-Utils-122---11-Sep-2018) [Compare Source](https://togithub.com/graphql/graphiql/compare/ed6c94cb8240fd89324104f0a9a40ce80a2dd71c...v1.2.2) ##### Chores - add graphql-js 0.13 to peer deps of types package ([graphql/graphql-language-service#241](https://togithub.com/graphql/graphql-language-service/issues/241)) ### [`v1.2.1`](https://togithub.com/graphql/graphiql/releases/codemirror-graphql@1.2.1) [Compare Source](https://togithub.com/graphql/graphiql/compare/dc2c78eb892a08945f712b7859070cb10e411ca0...ed6c94cb8240fd89324104f0a9a40ce80a2dd71c) ##### Patch Changes - [`858907d2`](https://togithub.com/graphql/graphiql/commit/858907d2106742a65ec52eb017f2e91268cc37bf) [#2045](https://togithub.com/graphql/graphiql/pull/2045) Thanks [@acao](https://togithub.com/acao)! - fix graphql-js peer dependencies - [#2044](https://togithub.com/graphql/graphiql/pull/2044) - Updated dependencies \[[`858907d2`](https://togithub.com/graphql/graphiql/commit/858907d2106742a65ec52eb017f2e91268cc37bf)]: - graphql-language-service@3.2.2 ### [`v1.2.0`](https://togithub.com/graphql/graphiql/releases/codemirror-graphql@1.2.0) [Compare Source](https://togithub.com/graphql/graphiql/compare/v1.1.0...dc2c78eb892a08945f712b7859070cb10e411ca0) ##### Minor Changes - [`d0c22c4f`](https://togithub.com/graphql/graphiql/commit/d0c22c4fce5ea39611c7ecee553943fdf27fd03e) [#2035](https://togithub.com/graphql/graphiql/pull/2035) Thanks [@imolorhe](https://togithub.com/imolorhe)! - Added Codemirror 6 legacy support ##### Patch Changes - [`b79bf304`](https://togithub.com/graphql/graphiql/commit/b79bf304045add4b5c3b2539dd6b551a64e6ed87) [#2037](https://togithub.com/graphql/graphiql/pull/2037) Thanks [@acao](https://togithub.com/acao)! - Resolves [#1944](https://togithub.com/graphql/graphiql/issues/1944), replaces graphql-language-service-utils with graphql-language-service in codemirror-graphql ### [`v1.1.0`](https://togithub.com/graphql/graphiql/releases/codemirror-graphql@1.1.0) [Compare Source](https://togithub.com/graphql/graphiql/compare/96a387b4b205780d11add31a6dbe720cd534a933...v1.1.0) ##### Minor Changes - [`716cf786`](https://togithub.com/graphql/graphiql/commit/716cf786aea6af42ea637ca3c56ae6c6ebc17c7a) [#2010](https://togithub.com/graphql/graphiql/pull/2010) Thanks [@acao](https://togithub.com/acao)! - upgrade to `graphql@16.0.0-experimental-stream-defer.5`. thanks [@saihaj](https://togithub.com/saihaj)! ##### Patch Changes - Updated dependencies \[[`8869c4b1`](https://togithub.com/graphql/graphiql/commit/8869c4b18c900b9b35556255587ef5130a96a4d5), [`716cf786`](https://togithub.com/graphql/graphiql/commit/716cf786aea6af42ea637ca3c56ae6c6ebc17c7a)]: - graphql-language-service-interface@2.9.0 - graphql-language-service-parser@1.10.0 ### [`v1.0.6`](https://togithub.com/graphql/graphiql/releases/graphiql@1.0.6) [Compare Source](https://togithub.com/graphql/graphiql/compare/71ee5fa6d57d55c231925601f4dcbf6c1824b373...96a387b4b205780d11add31a6dbe720cd534a933) ##### Bug Fixes - enable variable editor when header editor is not enabled ([#1682](https://togithub.com/graphql/graphiql/issues/1682)) ([205fbad](https://togithub.com/graphql/graphiql/commit/205fbad84806d175d66a6f5598e0a0f521129a16)) ### [`v1.0.5`](https://togithub.com/graphql/graphiql/releases/graphiql@1.0.5) [Compare Source](https://togithub.com/graphql/graphiql/compare/cbe5d323230a2c4b043c127a612acc4eb65e0123...71ee5fa6d57d55c231925601f4dcbf6c1824b373) **Note:** Version bump only for package graphiql ### [`v1.0.4`](https://togithub.com/graphql/graphiql/releases/graphiql@1.0.4) [Compare Source](https://togithub.com/graphql/graphiql/compare/2cfb5ab350b63e5c23e7a5a785c92e05ed0f68ea...cbe5d323230a2c4b043c127a612acc4eb65e0123) ##### Bug Fixes - dont use initial query on every re-render ([#1663](https://togithub.com/graphql/graphiql/issues/1663)) ([5aa890f](https://togithub.com/graphql/graphiql/commit/5aa890f6e145a7ad49f82cc122e209a291060709)) ### [`v1.0.3`](https://togithub.com/graphql/graphiql/releases/codemirror-graphql@1.0.3) [Compare Source](https://togithub.com/graphql/graphiql/compare/1124834c0751fbd560c7909b498c605fb5d0f65d...2cfb5ab350b63e5c23e7a5a785c92e05ed0f68ea) ##### Patch Changes - [`75dbb0b1`](https://togithub.com/graphql/graphiql/commit/75dbb0b18e2102d271a5cfe78faf54fe22e83ac8) [#1777](https://togithub.com/graphql/graphiql/pull/1777) Thanks [@dwwoelfel](https://togithub.com/dwwoelfel)! - adopt block string parsing for variables in language parser - Updated dependencies \[[`75dbb0b1`](https://togithub.com/graphql/graphiql/commit/75dbb0b18e2102d271a5cfe78faf54fe22e83ac8)]: - graphql-language-service-parser@1.9.3 ### [`v1.0.2`](https://togithub.com/graphql/graphiql/releases/codemirror-graphql@1.0.2) [Compare Source](https://togithub.com/graphql/graphiql/compare/ba981390804b10ca52e7b68b807b6b885140c766...1124834c0751fbd560c7909b498c605fb5d0f65d) ##### Patch Changes - [`5b8a057d`](https://togithub.com/graphql/graphiql/commit/5b8a057dd64ebecc391be32176a2403bb9d9ff92) [#1838](https://togithub.com/graphql/graphiql/pull/1838) Thanks [@acao](https://togithub.com/acao)! - Set all cross-runtime build targets to es6 ### [`v1.0.1`](https://togithub.com/graphql/graphiql/releases/graphiql@1.0.1) [Compare Source](https://togithub.com/graphql/graphiql/compare/294fd834efe485132744c0cd9d24690a61b45501...ba981390804b10ca52e7b68b807b6b885140c766) ##### Bug Fixes - more server side rendering fixes ([#1581](https://togithub.com/graphql/graphiql/issues/1581)) ([881a19f](https://togithub.com/graphql/graphiql/commit/881a19fbd5fbe5f65678de8074e593be7deb2ede)), closes [#1573](https://togithub.com/graphql/graphiql/issues/1573) - network cancellation for 1.0 ([#1582](https://togithub.com/graphql/graphiql/issues/1582)) ([ad3cc0d](https://togithub.com/graphql/graphiql/commit/ad3cc0d1567ea49ff5677d4cd8524e5e072b605e)) - Set headers to localstorage ([#1578](https://togithub.com/graphql/graphiql/issues/1578)) ([cc7a7e2](https://togithub.com/graphql/graphiql/commit/cc7a7e2f6d25d7e8150dc89c6984e6a04b01566b)) ### [`v1.0.0`](https://togithub.com/graphql/graphiql/releases/graphiql@1.0.0) [Compare Source](https://togithub.com/graphql/graphiql/compare/c735b2227c676005607b5ed75109992df53eb0d8...294fd834efe485132744c0cd9d24690a61b45501) ##### Bug Fixes - call debounce statements as they are functions ([#1571](https://togithub.com/graphql/graphiql/issues/1571)) ([8541250](https://togithub.com/graphql/graphiql/commit/85412501307ccfffe258b7fbca74bb9309726a73)) - fix server side rendering by using type only codemirror import ([#1573](https://togithub.com/graphql/graphiql/issues/1573)) ([1ee60a6](https://togithub.com/graphql/graphiql/commit/1ee60a6db87d54c7a1e8f1089e52a65f335351b6)), closes [#118](https://togithub.com/graphql/graphiql/issues/118) - Move all componentWillUnMount functionality to respective events ([#1544](https://togithub.com/graphql/graphiql/issues/1544)) ([046b09f](https://togithub.com/graphql/graphiql/commit/046b09f541e6a9f2ce4b46de590d49c04c916716))Configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.