Skip to content

npm(deps): bump apollo-server-express from 2.25.3 to 3.6.2 #43

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

npm(deps): bump apollo-server-express from 2.25.3 to 3.6.2 #43

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jan 18, 2022

Bumps apollo-server-express from 2.25.3 to 3.6.2.

Changelog

Sourced from apollo-server-express's changelog.

v3.6.2

  • ⚠️ SECURITY apollo-server-env: Update dependency on node-fetch to require v2.6.7 rather than v2.6.1. This includes the fix to CVE-2022-0235, a vulnerability where credentials sent along with a request could be sent to a different origin if the fetched URL responds with an attacker-controlled HTTP redirect. This is the default fetcher used by apollo-datasource-rest, usage reporting, schema reporting, and @apollo/gateway in versions prior to v0.46.0. We do not believe that the way that this is used by usage reporting or schema reporting is vulnerable to the exploit, but if you use apollo-datasource-rest in such a way that the servers you talk to might serve a surprising redirect, this upgrade would be helpful. Note that to ensure you're using the appropriate version of apollo-server-env with apollo-datasource-rest, you need to be using v3.5.1 of that package. (We plan to separate the release process of apollo-datasource-rest from Apollo Server soon so that it can have a more reasonable changelog.) If upgrading to this version is challenging, you can also work around this by ensuring that [email protected] is the version used in your project, or by specifying a fetcher explicitly to your older Gateway, REST datasource, etc.
  • apollo-server-core: The typeDefs, resolvers, and parseOptions constructor arguments are passed directly through to makeExecutableSchema from @graphql-tools/schema if provided. Now their TypeScript type definitions come directly from that package so that any types accepted by that package can be provided. [PR #5978](apollographql/apollo-server#5978)
  • apollo-server-fastify: Drop dependency on fast-json-stringify. [PR #5988](apollographql/apollo-server#5988)
  • apollo-server-azure-functions: Update TypeScript types package @azure/functions from v1 to v3 and change it to a dev dependency. (We were advised to change it to a dev dependency by the authors of the package; if this turns out to be problematic we can revert this part of the change. They also do not believe this is a backwards-incompatible change despite the major version bump; this package does a major version bump when the underlying Azure Functions runtime has a major version bump.) [PR #5919](apollographql/apollo-server#5919)

v3.6.1

v3.6.0

  • apollo-server-core: Studio usage reporting now reports "referenced operations" for fields in addition to "field executions", which can be seen on the Studio Fields page. This new statistic provides visibility into uses of fields that are not executed. It is also more efficient to generate and (for Apollo Gateways) does not require subgraphs to support federated tracing. Additionally, the new fieldLevelInstrumentation option to ApolloServerPluginUsageReporting allows you to disable field-level tracing on a per-operation basis, and to report weights for operations to allow for estimates of the field execution count even when not all operations are instrumented. Note that the semantics of the requestContext.metrics.captureTraces field have changed. See the Studio Fields page docs and the fieldLevelInstrumentation docs for more details. [Issue #5708](apollographql/apollo-server#5708) [PR #5956](apollographql/apollo-server#5956) [PR #5963](apollographql/apollo-server#5963)
  • apollo-server-core: Usage reporting no longer sends a "client reference ID" to Apollo Studio (along with the client name and client version). This little-used feature has not been documented since 2019 and is currently entirely ignored by Apollo Studio. This is technically incompatible as the interface ClientInfo no longer has the field clientReferenceId; if you were one of the few users who explicitly set this field and you get a TypeScript compilation failure upon upgrading to v3.6.0, just stop using the field. [PR #5890](apollographql/apollo-server#5890)
  • apollo-server-core: Remove dependency on apollo-graphql package (by inlining the code which generates usage reporting signatures). That package has not yet been published with a graphql@16 peer dependency, so Apollo Server v3.5 did not fully support graphql@16 without overriding peer dependencies. [Issue #5941](apollographql/apollo-server#5941) [PR #5955](apollographql/apollo-server#5955)

v3.5.0

v3.4.1

  • ⚠️ SECURITY apollo-server-core: Update default version of the GraphQL Playground React app loaded from the CDN to be @apollographql/[email protected]. This patches an XSS vulnerability. Note that if you are pinning the Playground React app version in your app with new ApolloServer({plugins: [ApolloServerPluginLandingPageGraphQLPlayground({version: 'some version'})]}), you will need to update the specified version to 1.7.42 or later to avoid this vulnerability. If you do not explicitly enable GraphQL Playground via the ApolloServerPluginLandingPageGraphQLPlayground plugin, this vulnerability does not affect you. See advisory GHSA-qm7x-rc44-rrqw for more details.

v3.4.0

  • apollo-server-core: You can now specify your own DocumentStore (a KeyValueStore<DocumentNode>) for Apollo Server's cache of parsed and validated GraphQL operation abstract syntax trees via the new documentStore constructor option. This replaces the experimental_approximateDocumentStoreMiB option. You can replace new ApolloServer({experimental_approximateDocumentStoreMiB: approximateDocumentStoreMiB, ...moreOptions}) with: 
    import { InMemoryLRUCache } from 'apollo-server-caching';
import type { DocumentNode } from 'graphql';
new ApolloServer({
  documentStore: new InMemoryLRUCache<DocumentNode>({
    maxSize: Math.pow(2, 20) * approximateDocumentStoreMiB,
    sizeCalculator: InMemoryLRUCache.jsonBytesSizeCalculator,
  }),
  ...moreOptions,
})
    [PR #5644](apollographql/apollo-server#5644) [Issue #5634](apollographql/apollo-server#5634)
  • apollo-server-core: For ease of testing, you can specify the node environment via new ApolloServer({nodeEnv}) in addition to via the NODE_ENV environment variable. The environment variable is now only read during server startup (and in some error cases) rather than on every request. [PR #5657](apollographql/apollo-server#5657)
  • apollo-server-koa: The peer dependency on koa (added in v3.0.0) should be a ^ range dependency rather than depending on exactly one version, and it should not be automatically increased when new versions of koa are released. [PR #5759](apollographql/apollo-server#5759)
  • apollo-server-fastify: Export ApolloServerFastifyConfig and FastifyContext TypeScript types. [PR #5743](apollographql/apollo-server#5743)
  • apollo-server-core: Only generate the schema hash once on startup rather than twice. [PR #5757](apollographql/apollo-server#5757)
  • [email protected]: When choosing whether or not to parse a response as JSON, treat any content-type ending in +json as JSON rather than just application/hal+json (in addition to application/json). [PR #5737](apollographql/apollo-server#5737)
  • apollo-server: You can now configure the health check URL path with the healthCheckPath constructor option, or disable serving health checks by passing null for this option. (This option is specific to the batteries-included apollo-server package; if you're using a framework integration package and want to serve a health check at a different path, just use your web framework directly.) [PR #5270](apollographql/apollo-server#5270) [Issue #3577](apollographql/apollo-server#3577)

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
npm(deps): bump apollo-server-express from 2.25.3 to 3.6.2
5e371c0 
Bumps [apollo-server-express](https://github.com/apollographql/apollo-server/tree/HEAD/packages/apollo-server-express) from 2.25.3 to 3.6.2.
- [Release notes](https://github.com/apollographql/apollo-server/releases)
- [Changelog](https://github.com/apollographql/apollo-server/blob/[email protected]/CHANGELOG.md)
- [Commits](https://github.com/apollographql/apollo-server/commits/[email protected]/packages/apollo-server-express)

---
updated-dependencies:
- dependency-name: apollo-server-express
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Jan 18, 2022
@dependabot dependabot bot mentioned this pull request Jan 18, 2022
Closed
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Feb 8, 2022

Superseded by #46.

@dependabot dependabot bot closed this Feb 8, 2022
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/apollo-server-express-3.6.2 branch February 8, 2022 22:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants