ihateani-me / ihaapi-ts

api.ihateani.me but written in TypeScript | Mirror: https://git.ihateani.me/ihateani-me/ihaapi-ts
https://api.ihateani.me
MIT License
1 stars 1 forks source link

build(deps): bump @apollo/server from 4.7.1 to 4.7.4 #16

Closed dependabot[bot] closed 1 year ago

dependabot[bot] commented 1 year ago

Bumps @apollo/server from 4.7.1 to 4.7.4.

Release notes

Sourced from @​apollo/server's releases.

@​apollo/server-integration-testsuite@​4.7.4

Patch Changes

  • #7604 aeb511c7d Thanks @​renovate! - Update graphql-http dependency

  • 0adaf80d1 Thanks @​trevor-scheer! - Address Content Security Policy issues

    The previous implementation of CSP nonces within the landing pages did not take full advantage of the security benefit of using them. Nonces should only be used once per request, whereas Apollo Server was generating one nonce and reusing it for the lifetime of the instance. The reuse of nonces degrades the security benefit of using them but does not pose a security risk on its own. The CSP provides a defense-in-depth measure against a potential XSS, so in the absence of a known XSS vulnerability there is likely no risk to the user.

    The mentioned fix also coincidentally addresses an issue with using crypto functions on startup within Cloudflare Workers. Crypto functions are now called during requests only, which resolves the error that Cloudflare Workers were facing. A recent change introduced a precomputedNonce configuration option to mitigate this issue, but it was an incorrect approach given the nature of CSP nonces. This configuration option is now deprecated and should not be used for any reason since it suffers from the previously mentioned issue of reusing nonces.

    Additionally, this change adds other applicable CSPs for the scripts, styles, images, manifest, and iframes that the landing pages load.

    A final consequence of this change is an extension of the renderLandingPage plugin hook. This hook can now return an object with an html property which returns a Promise<string> in addition to a string (which was the only option before).

  • Updated dependencies [0adaf80d1]:

    • @​apollo/server@​4.7.4

@​apollo/server@​4.7.4

Patch Changes

  • 0adaf80d1 Thanks @​trevor-scheer! - Address Content Security Policy issues

    The previous implementation of CSP nonces within the landing pages did not take full advantage of the security benefit of using them. Nonces should only be used once per request, whereas Apollo Server was generating one nonce and reusing it for the lifetime of the instance. The reuse of nonces degrades the security benefit of using them but does not pose a security risk on its own. The CSP provides a defense-in-depth measure against a potential XSS, so in the absence of a known XSS vulnerability there is likely no risk to the user.

    The mentioned fix also coincidentally addresses an issue with using crypto functions on startup within Cloudflare Workers. Crypto functions are now called during requests only, which resolves the error that Cloudflare Workers were facing. A recent change introduced a precomputedNonce configuration option to mitigate this issue, but it was an incorrect approach given the nature of CSP nonces. This configuration option is now deprecated and should not be used for any reason since it suffers from the previously mentioned issue of reusing nonces.

    Additionally, this change adds other applicable CSPs for the scripts, styles, images, manifest, and iframes that the landing pages load.

    A final consequence of this change is an extension of the renderLandingPage plugin hook. This hook can now return an object with an html property which returns a Promise<string> in addition to a string (which was the only option before).

@​apollo/server-integration-testsuite@​4.7.3

Patch Changes

@​apollo/server@​4.7.3

Patch Changes

  • #7601 75b668d9e Thanks @​trevor-scheer! - Provide a new configuration option for landing page plugins precomputedNonce which allows users to provide a nonce and avoid calling into uuid functions on startup. This is useful for Cloudflare Workers where random number generation is not available on startup (only during requests). Unless you are using Cloudflare Workers, you can ignore this change.

    The example below assumes you've provided a PRECOMPUTED_NONCE variable in your wrangler.toml file.

    Example usage:

    const server = new ApolloServer({
      // ...
      plugins: [
    

... (truncated)

Changelog

Sourced from @​apollo/server's changelog.

4.7.4

Patch Changes

  • 0adaf80d1 Thanks @​trevor-scheer! - Address Content Security Policy issues

    The previous implementation of CSP nonces within the landing pages did not take full advantage of the security benefit of using them. Nonces should only be used once per request, whereas Apollo Server was generating one nonce and reusing it for the lifetime of the instance. The reuse of nonces degrades the security benefit of using them but does not pose a security risk on its own. The CSP provides a defense-in-depth measure against a potential XSS, so in the absence of a known XSS vulnerability there is likely no risk to the user.

    The mentioned fix also coincidentally addresses an issue with using crypto functions on startup within Cloudflare Workers. Crypto functions are now called during requests only, which resolves the error that Cloudflare Workers were facing. A recent change introduced a precomputedNonce configuration option to mitigate this issue, but it was an incorrect approach given the nature of CSP nonces. This configuration option is now deprecated and should not be used for any reason since it suffers from the previously mentioned issue of reusing nonces.

    Additionally, this change adds other applicable CSPs for the scripts, styles, images, manifest, and iframes that the landing pages load.

    A final consequence of this change is an extension of the renderLandingPage plugin hook. This hook can now return an object with an html property which returns a Promise<string> in addition to a string (which was the only option before).

4.7.3

Patch Changes

  • #7601 75b668d9e Thanks @​trevor-scheer! - Provide a new configuration option for landing page plugins precomputedNonce which allows users to provide a nonce and avoid calling into uuid functions on startup. This is useful for Cloudflare Workers where random number generation is not available on startup (only during requests). Unless you are using Cloudflare Workers, you can ignore this change.

    The example below assumes you've provided a PRECOMPUTED_NONCE variable in your wrangler.toml file.

    Example usage:

    const server = new ApolloServer({
      // ...
      plugins: [
        ApolloServerPluginLandingPageLocalDefault({
          precomputedNonce: PRECOMPUTED_NONCE,
        }),
      ],
    });
    

4.7.2

Patch Changes

  • #7599 c3f04d050 Thanks @​trevor-scheer! - Update @apollo/utils.usagereporting dependency. Previously, installing @apollo/gateway and @apollo/server could result in duplicate / differently versioned installs of @apollo/usage-reporting-protobuf. This is because the @apollo/server-gateway-interface package was updated to use the latest protobuf, but the @apollo/utils.usagereporting package was not. After this change, users should always end up with a single install of the protobuf package when installing both @apollo/server and @apollo/gateway latest versions.
Commits


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/ihateani-me/ihaapi-ts/network/alerts).
codecov[bot] commented 1 year ago

Codecov Report

Patch coverage: 100.00% and project coverage change: +2.08 :tada:

Comparison is base (caaeba7) 97.91% compared to head (ddad57c) 100.00%.

Additional details and impacted files ```diff @@ Coverage Diff @@ ## master #16 +/- ## =========================================== + Coverage 97.91% 100.00% +2.08% =========================================== Files 2 2 Lines 192 162 -30 Branches 48 53 +5 =========================================== - Hits 188 162 -26 + Misses 4 0 -4 ``` | Flag | Coverage Δ | | |---|---|---| | unittests | `100.00% <100.00%> (+2.08%)` | :arrow_up: | Flags with carried forward coverage won't be shown. [Click here](https://docs.codecov.io/docs/carryforward-flags?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=ihateani-me#carryforward-flags-in-the-pull-request-comment) to find out more. | [Impacted Files](https://app.codecov.io/gh/ihateani-me/ihaapi-ts/pull/16?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=ihateani-me) | Coverage Δ | | |---|---|---| | [src/utils/swissknife.ts](https://app.codecov.io/gh/ihateani-me/ihaapi-ts/pull/16?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=ihateani-me#diff-c3JjL3V0aWxzL3N3aXNza25pZmUudHM=) | `100.00% <100.00%> (+2.16%)` | :arrow_up: | ... and [1 file with indirect coverage changes](https://app.codecov.io/gh/ihateani-me/ihaapi-ts/pull/16/indirect-changes?src=pr&el=tree-more&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=ihateani-me)

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Do you have feedback about the report comment? Let us know in this issue.

dependabot[bot] commented 1 year ago

Superseded by #20.