apollographql/apollo-server
### [`v3.6.2`](https://togithub.com/apollographql/apollo-server/blob/HEAD/CHANGELOG.md#v362)
[Compare Source](https://togithub.com/apollographql/apollo-server/compare/f3fc7d147a3bc3446f4f3452acfa5f598099b08f...022184a4d01d4452ebbcfeeef6e8ee1aae7a5db7)
- ⚠️ **SECURITY** `apollo-server-env`: Update dependency on `node-fetch` to require v2.6.7 rather than v2.6.1. This includes the fix to [CVE-2022-0235](https://nvd.nist.gov/vuln/detail/CVE-2022-0235), a vulnerability where credentials sent along with a request could be sent to a different origin if the fetched URL responds with an attacker-controlled HTTP redirect. This is the default fetcher used by `apollo-datasource-rest`, usage reporting, schema reporting, and `@apollo/gateway` in versions prior to v0.46.0. We do not believe that the way that this is used by usage reporting or schema reporting is vulnerable to the exploit, but if you use `apollo-datasource-rest` in such a way that the servers you talk to might serve a surprising redirect, this upgrade would be helpful. Note that to ensure you're using the appropriate version of `apollo-server-env` with `apollo-datasource-rest`, you need to be using v3.5.1 of that package. (We plan to separate the release process of `apollo-datasource-rest` from Apollo Server soon so that it can have a more reasonable changelog.) If upgrading to this version is challenging, you can also work around this by ensuring that `node-fetch@2.6.7` is the version used in your project, or by specifying a `fetcher` explicitly to your older Gateway, REST datasource, etc.
- `apollo-server-core`: The `typeDefs`, `resolvers`, and `parseOptions` constructor arguments are passed directly through to `makeExecutableSchema` from `@graphql-tools/schema` if provided. Now their TypeScript type definitions come directly from that package so that any types accepted by that package can be provided. [PR #5978](https://togithub.com/apollographql/apollo-server/pull/5978)
- `apollo-server-fastify`: Drop dependency on `fast-json-stringify`. [PR #5988](https://togithub.com/apollographql/apollo-server/pull/5988)
- `apollo-server-azure-functions`: Update TypeScript types package `@azure/functions` from v1 to v3 and change it to a dev dependency. (We were advised to change it to a dev dependency [by the authors of the package](https://togithub.com/Azure/azure-functions-nodejs-worker/pull/467#issuecomment-967737890); if this turns out to be problematic we can revert this part of the change. They also do not believe this is a backwards-incompatible change despite the major version bump; this package does a major version bump when the underlying Azure Functions runtime has a major version bump.) [PR #5919](https://togithub.com/apollographql/apollo-server/pull/5919)
Configuration
📅 Schedule: "before 6am" in timezone Asia/Hong_Kong.
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
[ ] If you want to rebase/retry this PR, click this checkbox.
This PR contains the following updates:
3.6.1 -> 3.6.2
3.6.1 -> 3.6.2
This PR has been generated by WhiteSource Renovate. View repository job log here.
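
The security entry in the release notes above concerns credentials following an HTTP redirect to a different origin, and it names supplying an explicit `fetcher` as one workaround. The sketch below is an added example, not code from Apollo Server, node-fetch, or this PR: it wraps any fetch-like function, follows redirects manually, and drops credential headers when the origin changes. The function names, the header list, and the `api.example` / `other.example` hosts are assumptions made for illustration.

```javascript
// Added example with constructed names; not Apollo Server or node-fetch code.
// Assumptions: headers arrive as a plain object; this header list is illustrative.
const SENSITIVE = ['authorization', 'cookie', 'proxy-authorization'];

// Copy of `headers` for the next hop: credentials are dropped if the origin changes.
function headersForRedirect(fromUrl, toUrl, headers) {
  const sameOrigin = new URL(fromUrl).origin === new URL(toUrl).origin;
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (sameOrigin || !SENSITIVE.includes(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Wrap a fetch-like function so redirects are followed by hand, one hop at a time.
function makeCredentialSafeFetcher(baseFetch, maxRedirects = 5) {
  return async function safeFetch(url, init = {}) {
    let current = String(url);
    let { method, body } = init;
    let headers = { ...(init.headers || {}) };
    for (let hop = 0; hop <= maxRedirects; hop++) {
      const res = await baseFetch(current, { ...init, method, body, headers, redirect: 'manual' });
      const location = res.headers.get('location');
      if (![301, 302, 303, 307, 308].includes(res.status) || !location) return res;
      // 303, and 301/302 after a POST, continue as a body-less GET.
      if (res.status === 303 || (res.status < 303 && method === 'POST')) { method = 'GET'; body = undefined; }
      const next = new URL(location, current).href;
      headers = headersForRedirect(current, next, headers);
      current = next;
    }
    throw new Error(`more than ${maxRedirects} redirects`);
  };
}

// Constructed stub standing in for the network: api.example redirects cross-origin.
function makeStubFetch(seen) {
  return async (url, init) => {
    seen.push({ url, headers: init.headers });
    const h = url === 'https://api.example/data' ? { location: 'https://other.example/collect' } : {};
    return { status: h.location ? 302 : 200, headers: { get: (k) => h[k] ?? null } };
  };
}

async function demo() {
  const seen = [];
  const safeFetch = makeCredentialSafeFetcher(makeStubFetch(seen));
  await safeFetch('https://api.example/data', { headers: { Authorization: 'Bearer constructed', Accept: 'application/json' } });
  return seen; // one entry per hop: the URL requested and the headers actually sent
}
```

The comparison here is exact-origin, so a redirect between sibling subdomains also loses its credentials; relax `headersForRedirect` only if your upstreams rely on that.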