kennethreitz / responder

A familiar HTTP Service Framework for Python.
http://responder.kennethreitz.org/
Apache License 2.0

GraphQL: Update GraphiQL version #569

Open amotl opened 1 week ago

amotl commented 1 week ago

@coderabbitai recommended:

:warning: Potential issue

Consider upgrading GraphiQL version.

The template uses GraphiQL v0.12.0 which is significantly outdated. The latest stable version is 3.0.1 which includes security fixes, performance improvements, and new features.

Apply this diff to update the version:

-{% set GRAPHIQL_VERSION = '0.12.0' %}
+{% set GRAPHIQL_VERSION = '3.0.1' %}
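Review bot: the bump from 0.12.0 to 3.0.1 crosses three major versions and is not a drop-in update; this variable also feeds the jsDelivr paths `graphiql@{{ GRAPHIQL_VERSION }}/graphiql.css` and `graphiql@{{ GRAPHIQL_VERSION }}/graphiql.min.js` in the second hunk, so confirm that those file names still exist in the 3.x package and that the React version the second hunk pins (18.2.0) matches what GraphiQL 3.x requires before merging. If either URL stops resolving on the CDN, the GraphiQL page fails silently in the browser rather than at build time, so load the page once after the bump.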

_Originally posted by @coderabbitai[bot] in https://github.com/kennethreitz/responder/pull/554#discussion_r1817559057_

amotl commented 1 week ago

Also relevant in this context, coming from https://github.com/kennethreitz/responder/pull/554#discussion_r1817559063:

:warning: Potential issue

Security and compatibility improvements needed for external dependencies.

Several concerns with the current implementation:

  1. React/ReactDOM versions (16.2.0) are outdated
  2. CDN resources lack SRI (Subresource Integrity) hashes
  3. whatwg-fetch polyfill might be unnecessary for modern browsers

[security] Apply these improvements:

-    <link href="//cdn.jsdelivr.net/npm/graphiql@{{ GRAPHIQL_VERSION }}/graphiql.css" rel="stylesheet"/>
-    <script src="//cdn.jsdelivr.net/npm/whatwg-fetch@2.0.3/fetch.min.js"></script>
-    <script src="//cdn.jsdelivr.net/npm/react@16.2.0/umd/react.production.min.js"></script>
-    <script src="//cdn.jsdelivr.net/npm/react-dom@16.2.0/umd/react-dom.production.min.js"></script>
-    <script src="//cdn.jsdelivr.net/npm/graphiql@{{ GRAPHIQL_VERSION }}/graphiql.min.js"></script>
+    <link 
+      href="https://cdn.jsdelivr.net/npm/graphiql@{{ GRAPHIQL_VERSION }}/graphiql.css" 
+      rel="stylesheet"
+      integrity="sha384-[GET-ACTUAL-HASH]"
+      crossorigin="anonymous"
+    />
+    <script 
+      src="https://cdn.jsdelivr.net/npm/react@18.2.0/umd/react.production.min.js"
+      integrity="sha384-[GET-ACTUAL-HASH]"
+      crossorigin="anonymous"
+    ></script>
+    <script 
+      src="https://cdn.jsdelivr.net/npm/react-dom@18.2.0/umd/react-dom.production.min.js"
+      integrity="sha384-[GET-ACTUAL-HASH]"
+      crossorigin="anonymous"
+    ></script>
+    <script 
+      src="https://cdn.jsdelivr.net/npm/graphiql@{{ GRAPHIQL_VERSION }}/graphiql.min.js"
+      integrity="sha384-[GET-ACTUAL-HASH]"
+      crossorigin="anonymous"
+    ></script>
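Review bot: the `integrity="sha384-[GET-ACTUAL-HASH]"` placeholders must not be committed as written: a browser blocks any resource whose integrity value does not match its bytes, so all four tags would be refused and the GraphiQL page would not load at all. Generate each value from the exact bytes served at that URL (for example `curl -s <url> | openssl dgst -sha384 -binary | openssl base64 -A`), and note that the two graphiql URLs interpolate `{{ GRAPHIQL_VERSION }}`, so their hashes must be regenerated on every version bump or the next bump breaks the page. The hunk also drops the whatwg-fetch polyfill outright although item 3 only says it "might be unnecessary"; confirm the supported browser set before removing it. Minor: the `<link `, `href="..." ` and `<script ` lines carry trailing whitespace.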

Note: Replace [GET-ACTUAL-HASH] with actual SRI hashes generated for each resource.

Committable suggestion was skipped due to low confidence.
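Added example, not part of this issue or of the responder project: how the SRI values the suggestion leaves as `[GET-ACTUAL-HASH]` are computed from an asset's bytes and how a browser decides whether an `integrity` attribute matches, written in Python since responder is a Python project. The sample asset bytes are constructed, and `sri_hash`, `verify_integrity` and `script_tag` are names chosen here.

```python
"""Compute and verify Subresource Integrity (SRI) values for CDN assets."""
import base64
import hashlib
import re

# Algorithms the SRI spec allows, ordered weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")
_TOKEN_RE = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)$")

# Constructed stand-in for a fetched CDN file (not a real GraphiQL build).
SAMPLE_ASSET = b"console.log('graphiql stub');\n"


def sri_hash(data: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity attribute value for data, e.g. 'sha384-<base64>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(integrity: str, data: bytes) -> bool:
    """Mimic the browser's check: the strongest listed algorithm is used, and
    the resource passes if any token of that algorithm matches its digest."""
    by_algorithm: dict[str, set[str]] = {}
    for token in integrity.split():
        match = _TOKEN_RE.match(token)
        if match:  # malformed tokens are ignored, as browsers do
            by_algorithm.setdefault(match.group(1), set()).add(match.group(2))
    if not by_algorithm:
        # A browser would skip the check entirely here; this tool reports
        # failure instead so placeholders like sha384-[GET-ACTUAL-HASH] are caught.
        return False
    strongest = max(by_algorithm, key=SRI_ALGORITHMS.index)
    expected = sri_hash(data, strongest).split("-", 1)[1]
    return expected in by_algorithm[strongest]


def script_tag(src: str, data: bytes) -> str:
    """Render a <script> tag pinned to the exact bytes that were reviewed."""
    return (f'<script src="{src}" integrity="{sri_hash(data)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    print(script_tag("https://cdn.example.invalid/graphiql.min.js", SAMPLE_ASSET))
    print(verify_integrity("sha384-[GET-ACTUAL-HASH]", SAMPLE_ASSET))  # False
```

Because the hash pins the bytes, any change to the served file, including a version bump in the URL, requires regenerating the attribute.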