apollographql/apollo-server (@apollo/server)
### [`v4.11.2`](https://redirect.github.com/apollographql/apollo-server/blob/HEAD/packages/server/CHANGELOG.md#4112)
[Compare Source](https://redirect.github.com/apollographql/apollo-server/compare/@apollo/server@4.11.1...@apollo/server@4.11.2)
(No change; there is a change to the `@apollo/server-integration-testsuite` used to test integrations, and the two packages always have matching versions.)
### [`v4.11.1`](https://redirect.github.com/apollographql/apollo-server/blob/HEAD/packages/server/CHANGELOG.md#4111)
[Compare Source](https://redirect.github.com/apollographql/apollo-server/compare/@apollo/server@4.11.0...@apollo/server@4.11.1)
##### Patch Changes
- [#7952](https://redirect.github.com/apollographql/apollo-server/pull/7952) [`bb81b2c`](https://redirect.github.com/apollographql/apollo-server/commit/bb81b2c6b794dcd98fea9d01e4e38c6450287f53) Thanks [@glasser](https://redirect.github.com/glasser)! - Upgrade dependencies so that automated scans don't detect a vulnerability.
`@apollo/server` depends on `express` which depends on `cookie`. Versions of `express` older than v4.21.1 depend on a version of `cookie` vulnerable to CVE-2024-47764. Users of older `express` versions who call `res.cookie()` or `res.clearCookie()` may be vulnerable to this issue.
However, Apollo Server does not call this function directly, and it does not expose any object to user code that allows TypeScript users to call this function without an unsafe cast.
The only way that this direct dependency can cause a vulnerability for users of Apollo Server is if you call `startStandaloneServer` with a context function that calls Express-specific methods such as `res.cookie()` or `res.clearCookies()` on the response object, which is a violation of the TypeScript types provided by `startStandaloneServer` (which only promise that the response object is a core Node.js `http.ServerResponse` rather than the Express-specific subclass). So this vulnerability can only affect Apollo Server users who use unsafe JavaScript or unsafe `as` typecasts in TypeScript.
However, this upgrade will at least prevent vulnerability scanners from alerting you to this dependency, and we encourage all Express users to upgrade their project's own `express` dependency to v4.21.1 or newer.
### [`v4.11.0`](https://redirect.github.com/apollographql/apollo-server/blob/HEAD/packages/server/CHANGELOG.md#4110)
[Compare Source](https://redirect.github.com/apollographql/apollo-server/compare/@apollo/server@4.10.5...@apollo/server@4.11.0)
##### Minor Changes
- [#7916](https://redirect.github.com/apollographql/apollo-server/pull/7916) [`4686454`](https://redirect.github.com/apollographql/apollo-server/commit/46864546e131d0079785575f621d69862e635663) Thanks [@andrewmcgivery](https://redirect.github.com/andrewmcgivery)! - Add `hideSchemaDetailsFromClientErrors` option to ApolloServer to allow hiding 'did you mean' suggestions from validation errors.
Even with introspection disabled, it is possible to "fuzzy test" a graph manually or with automated tools to try to determine the shape of your schema. This is accomplished by taking advantage of the default behavior where a misspelt field in an operation
will be met with a validation error that includes a helpful "did you mean" as part of the error text.
For example, with this option set to `true`, an error would read `Cannot query field "help" on type "Query".` whereas with this option set to `false` it would read `Cannot query field "help" on type "Query". Did you mean "hello"?`.
We recommend enabling this option in production to avoid leaking information about your schema to malicious actors.
To enable, set this option to `true` in your `ApolloServer` options:
```javascript
const server = new ApolloServer({
typeDefs,
resolvers,
hideSchemaDetailsFromClientErrors: true,
});
```
### [`v4.10.5`](https://redirect.github.com/apollographql/apollo-server/blob/HEAD/packages/server/CHANGELOG.md#4105)
[Compare Source](https://redirect.github.com/apollographql/apollo-server/compare/@apollo/server@4.10.4...@apollo/server@4.10.5)
##### Patch Changes
- [#7821](https://redirect.github.com/apollographql/apollo-server/pull/7821) [`b2e15e7`](https://redirect.github.com/apollographql/apollo-server/commit/b2e15e7db6902769d02de2b06ff920ce74701c51) Thanks [@renovate](https://redirect.github.com/apps/renovate)! - Non-major dependency updates
- [#7900](https://redirect.github.com/apollographql/apollo-server/pull/7900) [`86d7111`](https://redirect.github.com/apollographql/apollo-server/commit/86d711133f3746d094cfb3b39e21fdfa3723181b) Thanks [@trevor-scheer](https://redirect.github.com/trevor-scheer)! - Inline a small dependency that was causing build issues for ESM projects
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
^4.10.4->^4.11.2Release Notes
apollographql/apollo-server (@apollo/server)
### [`v4.11.2`](https://redirect.github.com/apollographql/apollo-server/blob/HEAD/packages/server/CHANGELOG.md#4112) [Compare Source](https://redirect.github.com/apollographql/apollo-server/compare/@apollo/server@4.11.1...@apollo/server@4.11.2) (No change; there is a change to the `@apollo/server-integration-testsuite` used to test integrations, and the two packages always have matching versions.) ### [`v4.11.1`](https://redirect.github.com/apollographql/apollo-server/blob/HEAD/packages/server/CHANGELOG.md#4111) [Compare Source](https://redirect.github.com/apollographql/apollo-server/compare/@apollo/server@4.11.0...@apollo/server@4.11.1) ##### Patch Changes - [#7952](https://redirect.github.com/apollographql/apollo-server/pull/7952) [`bb81b2c`](https://redirect.github.com/apollographql/apollo-server/commit/bb81b2c6b794dcd98fea9d01e4e38c6450287f53) Thanks [@glasser](https://redirect.github.com/glasser)! - Upgrade dependencies so that automated scans don't detect a vulnerability. `@apollo/server` depends on `express` which depends on `cookie`. Versions of `express` older than v4.21.1 depend on a version of `cookie` vulnerable to CVE-2024-47764. Users of older `express` versions who call `res.cookie()` or `res.clearCookie()` may be vulnerable to this issue. However, Apollo Server does not call this function directly, and it does not expose any object to user code that allows TypeScript users to call this function without an unsafe cast. The only way that this direct dependency can cause a vulnerability for users of Apollo Server is if you call `startStandaloneServer` with a context function that calls Express-specific methods such as `res.cookie()` or `res.clearCookies()` on the response object, which is a violation of the TypeScript types provided by `startStandaloneServer` (which only promise that the response object is a core Node.js `http.ServerResponse` rather than the Express-specific subclass). So this vulnerability can only affect Apollo Server users who use unsafe JavaScript or unsafe `as` typecasts in TypeScript. However, this upgrade will at least prevent vulnerability scanners from alerting you to this dependency, and we encourage all Express users to upgrade their project's own `express` dependency to v4.21.1 or newer. ### [`v4.11.0`](https://redirect.github.com/apollographql/apollo-server/blob/HEAD/packages/server/CHANGELOG.md#4110) [Compare Source](https://redirect.github.com/apollographql/apollo-server/compare/@apollo/server@4.10.5...@apollo/server@4.11.0) ##### Minor Changes - [#7916](https://redirect.github.com/apollographql/apollo-server/pull/7916) [`4686454`](https://redirect.github.com/apollographql/apollo-server/commit/46864546e131d0079785575f621d69862e635663) Thanks [@andrewmcgivery](https://redirect.github.com/andrewmcgivery)! - Add `hideSchemaDetailsFromClientErrors` option to ApolloServer to allow hiding 'did you mean' suggestions from validation errors. Even with introspection disabled, it is possible to "fuzzy test" a graph manually or with automated tools to try to determine the shape of your schema. This is accomplished by taking advantage of the default behavior where a misspelt field in an operation will be met with a validation error that includes a helpful "did you mean" as part of the error text. For example, with this option set to `true`, an error would read `Cannot query field "help" on type "Query".` whereas with this option set to `false` it would read `Cannot query field "help" on type "Query". Did you mean "hello"?`. We recommend enabling this option in production to avoid leaking information about your schema to malicious actors. To enable, set this option to `true` in your `ApolloServer` options: ```javascript const server = new ApolloServer({ typeDefs, resolvers, hideSchemaDetailsFromClientErrors: true, }); ``` ### [`v4.10.5`](https://redirect.github.com/apollographql/apollo-server/blob/HEAD/packages/server/CHANGELOG.md#4105) [Compare Source](https://redirect.github.com/apollographql/apollo-server/compare/@apollo/server@4.10.4...@apollo/server@4.10.5) ##### Patch Changes - [#7821](https://redirect.github.com/apollographql/apollo-server/pull/7821) [`b2e15e7`](https://redirect.github.com/apollographql/apollo-server/commit/b2e15e7db6902769d02de2b06ff920ce74701c51) Thanks [@renovate](https://redirect.github.com/apps/renovate)! - Non-major dependency updates - [#7900](https://redirect.github.com/apollographql/apollo-server/pull/7900) [`86d7111`](https://redirect.github.com/apollographql/apollo-server/commit/86d711133f3746d094cfb3b39e21fdfa3723181b) Thanks [@trevor-scheer](https://redirect.github.com/trevor-scheer)! - Inline a small dependency that was causing build issues for ESM projectsConfiguration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.