
fix(deps): update all non-major dependencies #37

Status: Open. Wants to merge 1 commit into base: main.

Conversation

renovate[bot] (Contributor)

@renovate renovate bot commented Nov 2, 2024

This PR contains the following updates:

| Package | Change |
| --- | --- |
| @apollo/server (source) | 4.11.0 -> 4.11.3 |
| @types/node (source) | 22.8.1 -> 22.10.6 |
| express (source) | 4.21.1 -> 4.21.2 |
| graphql | 16.9.0 -> 16.10.0 |
| typescript (source) | 5.6.3 -> 5.7.3 |

Release Notes

apollographql/apollo-server (@apollo/server)

v4.11.3

Patch Changes

v4.11.2

(No change; there is a change to the @apollo/server-integration-testsuite used to test integrations, and the two packages always have matching versions.)

v4.11.1

Patch Changes
  • #7952 bb81b2c Thanks @glasser! - Upgrade dependencies so that automated scans don't detect a vulnerability.

    @apollo/server depends on express which depends on cookie. Versions of express older than v4.21.1 depend on a version of cookie vulnerable to CVE-2024-47764. Users of older express versions who call res.cookie() or res.clearCookie() may be vulnerable to this issue.

    However, Apollo Server does not call this function directly, and it does not expose any object to user code that allows TypeScript users to call this function without an unsafe cast.

    The only way that this direct dependency can cause a vulnerability for users of Apollo Server is if you call startStandaloneServer with a context function that calls Express-specific methods such as res.cookie() or res.clearCookies() on the response object, which is a violation of the TypeScript types provided by startStandaloneServer (which only promise that the response object is a core Node.js http.ServerResponse rather than the Express-specific subclass). So this vulnerability can only affect Apollo Server users who use unsafe JavaScript or unsafe as typecasts in TypeScript.

    However, this upgrade will at least prevent vulnerability scanners from alerting you to this dependency, and we encourage all Express users to upgrade their project's own express dependency to v4.21.1 or newer.

expressjs/express (express)

v4.21.2

graphql/graphql-js (graphql)

v16.10.0

v16.10.0 (2024-12-15)

New Feature 🚀
Bug Fix 🐞
Docs 📝
10 PRs were merged
Internal 🏠
4 PRs were merged
Committers: 5

microsoft/TypeScript (typescript)

v5.7.3

v5.7.2

Configuration

📅 Schedule: Branch creation - "* * * * 0,6" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

This PR was generated by Mend Renovate. View the repository job log.

renovate bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from 9c94a92 to c2eb0b8 (November 5, 2024 02:16)
renovate bot force-pushed the renovate/all-minor-patch branch 5 times, most recently from 333c92c to 580da6b (November 23, 2024 06:58)
renovate bot force-pushed the renovate/all-minor-patch branch 6 times, most recently from f53790c to 24bfdc3 (December 2, 2024 22:39)
renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 23d8224 to a8b0284 (December 11, 2024 11:39)
renovate bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from d953bea to 8c573ed (December 22, 2024 11:30)
renovate bot force-pushed the renovate/all-minor-patch branch 5 times, most recently from ae25ad6 to e2d5193 (January 3, 2025 10:17)
renovate bot force-pushed the renovate/all-minor-patch branch from e2d5193 to ba42024 (January 8, 2025 22:26)
renovate bot force-pushed the renovate/all-minor-patch branch from ba42024 to c66239b (January 13, 2025 21:20)