fix(deps): update apollo graphql packages (major) #150
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
✅ Deploy Preview for graphql-testing-library canceled.
|
svc-secops
force-pushed
the
renovate/major-apollo-graphql-packages
branch
from
a304f09 to
a2e7411
Compare
svc-secops
force-pushed
the
renovate/major-apollo-graphql-packages
branch
from
a2e7411 to
10e975e
Compare
svc-secops
changed the title
✅ Deploy Preview for graphql-testing-library canceled.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^4.0.0->^5.0.0^1.2.1->^3.0.0Release Notes
apollographql/apollo-server (@apollo/server)
v5.0.0Compare Source
BREAKING CHANGES
Apollo Server v5 has very few breaking API changes. It is a small upgrade focused largely on adjusting which versions of Node.js and Express are supported.
Read our migration guide for more details on how to update your app.
graphqllibrary older thanv16.11.0. (Apollo Server 4 supportsgraphqlv16.6.0or later.) Upgradegraphqlbefore upgrading Apollo Server.@apollo/server/express4, or you could import it from the separate package@as-integrations/express4. In Apollo Server 5, you must import it from the separate package. You can migrate your server to the new package before upgrading to Apollo Server 5. (You can also use@as-integrations/express5for a middleware that works with Express 5.)fetchimplementation for HTTP requests by default, instead of thenode-fetchnpm package. If your server uses an HTTP proxy to make HTTP requests, you need to configure it in a slightly different way. See the migration guide for details.startStandaloneServerno longer uses Express. This is mostly invisible, but it does set slightly fewer headers. If you rely on the fact that this server is based on Express, you should explicitly use the Express middleware.@deferand@stream(which requires using a pre-release version ofgraphqlv17) now explicitly only works with version17.0.0-alpha.2ofgraphql. Note that this supports the same incremental delivery protocol implemented by Apollo Server 4, which is not the same protocol in the latest alpha version ofgraphql. As this support is experimental, we may switch over from "onlyalpha.2is supported" to "only a newer alpha or final release is supported, with a different protocol" during the lifetime of Apollo Server 5.variablesmap for a variable declared in the operation as aString) with a 400 status code, indicating a client error. This is also the behavior of Apollo Server 3. Apollo Server 4 mistakenly responds to these requests with a 200 status code by default; we recommended the use of thestatus400ForVariableCoercionErrors: trueoption to restore the intended behavior. That option now defaults to true.precomputedNonceoption to landing page plugins (which was only non-deprecated for 8 days) has been removed.Patch Changes
There are a few other small changes in v5:
#8076
5b26558Thanks @valters! - Fix some error logs to properly calllogger.errororlogger.warnwiththisset. This fixes errors or crashes from logger implementations that expectthisto be set properly in their methods.#7515
100233aThanks @trevor-scheer! - ApolloServerPluginSubscriptionCallback now takes afetcherargument, like the usage and schema reporting plugins. The default value is Node's built-in fetch.Updated dependencies [
100233a]:v4.12.2Compare Source
(No change; there is a change to the
@apollo/server-integration-testsuiteused to test integrations, and the two packages always have matching versions.)v4.12.1Compare Source
Patch Changes
41f98d4Thanks @glasser! - Update README.md to recommend Express v5 integration now that Express v5 is released.v4.12.0Compare Source
Minor Changes
89e3f84Thanks @clenfest! - Adds a new graphql-js validation rule to reject operations that recursively request selections above a specified maximum, which is disabled by default. Use configuration optionmaxRecursiveSelections=trueto enable with a maximum of 10,000,000, ormaxRecursiveSelections=<number>for a custom maximum. Enabling this validation can help avoid performance issues with configured validation rules or plugins.Patch Changes
2550d9fThanks @slagiewka! - Add return after sending 400 response in doubly escaped JSON parser middlewarev4.11.3Compare Source
Patch Changes
f4228e8Thanks @glasser! - Compatibility with Next.js Turbopack. Fixes #8004.v4.11.2Compare Source
(No change; there is a change to the
@apollo/server-integration-testsuiteused to test integrations, and the two packages always have matching versions.)v4.11.1Compare Source
Patch Changes
#7952
bb81b2cThanks @glasser! - Upgrade dependencies so that automated scans don't detect a vulnerability.@apollo/serverdepends onexpresswhich depends oncookie. Versions ofexpressolder than v4.21.1 depend on a version ofcookievulnerable to CVE-2024-47764. Users of olderexpressversions who callres.cookie()orres.clearCookie()may be vulnerable to this issue.However, Apollo Server does not call this function directly, and it does not expose any object to user code that allows TypeScript users to call this function without an unsafe cast.
The only way that this direct dependency can cause a vulnerability for users of Apollo Server is if you call
startStandaloneServerwith a context function that calls Express-specific methods such asres.cookie()orres.clearCookies()on the response object, which is a violation of the TypeScript types provided bystartStandaloneServer(which only promise that the response object is a core Node.jshttp.ServerResponserather than the Express-specific subclass). So this vulnerability can only affect Apollo Server users who use unsafe JavaScript or unsafeastypecasts in TypeScript.However, this upgrade will at least prevent vulnerability scanners from alerting you to this dependency, and we encourage all Express users to upgrade their project's own
expressdependency to v4.21.1 or newer.apollographql/graphql-subscriptions (graphql-subscriptions)
v3.0.0Compare Source
iteralluse with nativeSymbol.asyncIterator.PubSubEngine.asyncIteratoris nowPubSubEngine.asyncIterableIterator.@n1ru4l in #232
PubSub.@cursorsdottsx in #245
readonlyarrays of event names.@rh389 in #234
AsyncIteratoras thewithFilterresolver function.@maclockard in #220
withFilterTypeScript improvements.@HofmannZ in #230
withFilterreturnsAsyncIterableIteratorfor compatibility with Apollo Server subscriptions.@tninesling in #276
v2.0.0Compare Source
graphql@16; do not supportgraphqlolder than 15.7.2.Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - "after 8am and before 4pm on tuesday" in timezone America/Los_Angeles.
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Renovate Bot.