Skip to content

Commit

Permalink
Version Packages (#7953)
Browse files Browse the repository at this point in the history
This PR was opened by the [Changesets
release](https://github.com/changesets/action) GitHub action. When
you're ready to do a release, you can merge this and the packages will
be published to npm automatically. If you're not ready to do a release
yet, that's fine, whenever you add more changesets to main, this PR will
be updated.


# Releases
## @apollo/[email protected]

### Patch Changes

- [#7952](#7952)
[`bb81b2c`](bb81b2c)
Thanks [@glasser](https://github.com/glasser)! - Upgrade dependencies so
that automated scans don't detect a vulnerability.

`@apollo/server` depends on `express` which depends on `cookie`.
Versions of `express` older than v4.21.1 depend on a version of `cookie`
vulnerable to CVE-2024-47764. Users of older `express` versions who call
`res.cookie()` or `res.clearCookie()` may be vulnerable to this issue.

However, Apollo Server does not call this function directly, and it does
not expose any object to user code that allows TypeScript users to call
this function without an unsafe cast.

The only way that this direct dependency can cause a vulnerability for
users of Apollo Server is if you call `startStandaloneServer` with a
context function that calls Express-specific methods such as
`res.cookie()` or `res.clearCookies()` on the response object, which is
a violation of the TypeScript types provided by `startStandaloneServer`
(which only promise that the response object is a core Node.js
`http.ServerResponse` rather than the Express-specific subclass). So
this vulnerability can only affect Apollo Server users who use unsafe
JavaScript or unsafe `as` typecasts in TypeScript.

However, this upgrade will at least prevent vulnerability scanners from
alerting you to this dependency, and we encourage all Express users to
upgrade their project's own `express` dependency to v4.21.1 or newer.

- Updated dependencies
\[[`bb81b2c`](bb81b2c)]:
    -   @apollo/[email protected]

## @apollo/[email protected]

### Patch Changes

- [#7952](#7952)
[`bb81b2c`](bb81b2c)
Thanks [@glasser](https://github.com/glasser)! - Upgrade dependencies so
that automated scans don't detect a vulnerability.

`@apollo/server` depends on `express` which depends on `cookie`.
Versions of `express` older than v4.21.1 depend on a version of `cookie`
vulnerable to CVE-2024-47764. Users of older `express` versions who call
`res.cookie()` or `res.clearCookie()` may be vulnerable to this issue.

However, Apollo Server does not call this function directly, and it does
not expose any object to user code that allows TypeScript users to call
this function without an unsafe cast.

The only way that this direct dependency can cause a vulnerability for
users of Apollo Server is if you call `startStandaloneServer` with a
context function that calls Express-specific methods such as
`res.cookie()` or `res.clearCookies()` on the response object, which is
a violation of the TypeScript types provided by `startStandaloneServer`
(which only promise that the response object is a core Node.js
`http.ServerResponse` rather than the Express-specific subclass). So
this vulnerability can only affect Apollo Server users who use unsafe
JavaScript or unsafe `as` typecasts in TypeScript.

However, this upgrade will at least prevent vulnerability scanners from
alerting you to this dependency, and we encourage all Express users to
upgrade their project's own `express` dependency to v4.21.1 or newer.

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
  • Loading branch information
github-actions[bot] and github-actions[bot] authored Oct 29, 2024
1 parent bb81b2c commit b7e7cd1
Show file tree
Hide file tree
Showing 6 changed files with 38 additions and 21 deletions.
14 changes: 0 additions & 14 deletions .changeset/young-guests-joke.md

This file was deleted.

8 changes: 4 additions & 4 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

17 changes: 17 additions & 0 deletions packages/integration-testsuite/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,22 @@
# @apollo/server-integration-testsuite

## 4.11.1

### Patch Changes

- [#7952](https://github.com/apollographql/apollo-server/pull/7952) [`bb81b2c`](https://github.com/apollographql/apollo-server/commit/bb81b2c6b794dcd98fea9d01e4e38c6450287f53) Thanks [@glasser](https://github.com/glasser)! - Upgrade dependencies so that automated scans don't detect a vulnerability.

`@apollo/server` depends on `express` which depends on `cookie`. Versions of `express` older than v4.21.1 depend on a version of `cookie` vulnerable to CVE-2024-47764. Users of older `express` versions who call `res.cookie()` or `res.clearCookie()` may be vulnerable to this issue.

However, Apollo Server does not call this function directly, and it does not expose any object to user code that allows TypeScript users to call this function without an unsafe cast.

The only way that this direct dependency can cause a vulnerability for users of Apollo Server is if you call `startStandaloneServer` with a context function that calls Express-specific methods such as `res.cookie()` or `res.clearCookies()` on the response object, which is a violation of the TypeScript types provided by `startStandaloneServer` (which only promise that the response object is a core Node.js `http.ServerResponse` rather than the Express-specific subclass). So this vulnerability can only affect Apollo Server users who use unsafe JavaScript or unsafe `as` typecasts in TypeScript.

However, this upgrade will at least prevent vulnerability scanners from alerting you to this dependency, and we encourage all Express users to upgrade their project's own `express` dependency to v4.21.1 or newer.

- Updated dependencies [[`bb81b2c`](https://github.com/apollographql/apollo-server/commit/bb81b2c6b794dcd98fea9d01e4e38c6450287f53)]:
- @apollo/server@4.11.1

## 4.11.0

### Patch Changes
Expand Down
4 changes: 2 additions & 2 deletions packages/integration-testsuite/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@apollo/server-integration-testsuite",
"version": "4.11.0",
"version": "4.11.1",
"description": "Test suite for Apollo Server integrations",
"main": "dist/index.js",
"types": "dist/index.d.ts",
Expand Down Expand Up @@ -28,7 +28,7 @@
"dependencies": {
"@apollo/cache-control-types": "^1.0.3",
"@apollo/client": "^3.6.9",
"@apollo/server": "4.11.0",
"@apollo/server": "4.11.1",
"@apollo/usage-reporting-protobuf": "^4.1.1",
"@apollo/utils.createhash": "^2.0.0",
"@apollo/utils.keyvaluecache": "^2.1.0",
Expand Down
14 changes: 14 additions & 0 deletions packages/server/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,19 @@
# @apollo/server

## 4.11.1

### Patch Changes

- [#7952](https://github.com/apollographql/apollo-server/pull/7952) [`bb81b2c`](https://github.com/apollographql/apollo-server/commit/bb81b2c6b794dcd98fea9d01e4e38c6450287f53) Thanks [@glasser](https://github.com/glasser)! - Upgrade dependencies so that automated scans don't detect a vulnerability.

`@apollo/server` depends on `express` which depends on `cookie`. Versions of `express` older than v4.21.1 depend on a version of `cookie` vulnerable to CVE-2024-47764. Users of older `express` versions who call `res.cookie()` or `res.clearCookie()` may be vulnerable to this issue.

However, Apollo Server does not call this function directly, and it does not expose any object to user code that allows TypeScript users to call this function without an unsafe cast.

The only way that this direct dependency can cause a vulnerability for users of Apollo Server is if you call `startStandaloneServer` with a context function that calls Express-specific methods such as `res.cookie()` or `res.clearCookies()` on the response object, which is a violation of the TypeScript types provided by `startStandaloneServer` (which only promise that the response object is a core Node.js `http.ServerResponse` rather than the Express-specific subclass). So this vulnerability can only affect Apollo Server users who use unsafe JavaScript or unsafe `as` typecasts in TypeScript.

However, this upgrade will at least prevent vulnerability scanners from alerting you to this dependency, and we encourage all Express users to upgrade their project's own `express` dependency to v4.21.1 or newer.

## 4.11.0

### Minor Changes
Expand Down
2 changes: 1 addition & 1 deletion packages/server/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@apollo/server",
"version": "4.11.0",
"version": "4.11.1",
"description": "Core engine for Apollo GraphQL server",
"type": "module",
"main": "dist/cjs/index.js",
Expand Down

0 comments on commit b7e7cd1

Please sign in to comment.