
Update dependency apollo-server-express to v2.14.2 [SECURITY] #488

Closed


@renovate renovate bot commented Jun 5, 2020

This PR contains the following updates:

Package                 Type           Update   Change
apollo-server-express   dependencies   minor    2.9.7 -> 2.14.2

GitHub Vulnerability Alerts

GHSA-w42g-7vfc-xf37

We encourage all users of Apollo Server to read this advisory in its entirety to understand the impact. The Resolution section contains details on patched versions.

Impact

If subscriptions: false is passed to the ApolloServer constructor options, there is no impact. If implementors were not expecting validation rules to be enforced on the WebSocket subscriptions transport and are unconcerned about introspection being enabled on the WebSocket subscriptions transport (or were not expecting that), then this advisory is not applicable. If introspection: true is passed to the ApolloServer constructor options, the impact is limited to user-provided validation rules (i.e., using validationRules) since there would be no expectation that introspection was disabled.

The enforcement of user-provided validation rules on the HTTP transport is working as intended and is unaffected by this advisory. Similarly, disabling introspection on the HTTP transport is working as intended and is unaffected by this advisory.

Note: Unless subscriptions: false is explicitly passed to the constructor parameters of new ApolloServer({ ... }), subscriptions are enabled by default, whether or not there is a Subscription type present in the schema. As an alternative to upgrading to a patched version, see the Workarounds section below to disable subscriptions if it is not necessary.

In cases where subscriptions: false is not explicitly set, the subscription server is impacted since validation rules which are enforced on the main request pipeline within Apollo Server were not being passed to the SubscriptionServer.create invocation (seen here, prior to the patch).

The omitted validation rules for the subscription server include any validationRules passed by implementors to the ApolloServer constructor which were expected to be enforced on the subscriptions WebSocket endpoint. Additionally, because an internal NoIntrospection validation rule is used to disable introspection, it would have been possible to introspect a server on the WebSocket endpoint that the SubscriptionServer creates even though it was not possible on other transports (e.g. HTTP).

The severity of risk depends on whether sensitive information is being stored in the schema itself. The contents of schema descriptions, or secrets which might be revealed by the names of types or field names within those types, will determine the risk to individual implementors.

Affected packages

The bug existed in apollo-server-core versions prior to version 2.14.2; however, this means all integration packages (e.g., apollo-server-express, etc.) prior to version 2.14.2 which depend on apollo-server-core for their subscriptions support are affected. This includes the apollo-server package that automatically provides an Express server.

Therefore, for officially published Apollo Server packages, the full list of affected packages includes: apollo-server, apollo-server-azure-functions, apollo-server-cache-memcached, apollo-server-core, apollo-server-cloud-functions, apollo-server-cloudflare, apollo-server-express, apollo-server-fastify, apollo-server-hapi, apollo-server-koa, apollo-server-lambda, and apollo-server-micro.

Note: The full list included here doesn't fit into the box provided by the GitHub Security Advisories form.

Resolution

The problem is resolved in Apollo Server versions 2.14.2 or higher. If upgrading is not an option, see Workarounds below. When upgrading, ensure that the affected integration package (e.g., apollo-server-express) and the apollo-server-core package are both updated to the patched versions. (The version numbers should both be 2.14.2.)

Workarounds

Upgrading to a patched version is the recommended solution. If upgrading is not an option, subscriptions can be disabled with subscriptions: false to resolve the impact. Disabling subscriptions in this way will disable all subscriptions support and the WebSocket transport:

const server = new ApolloServer({
  subscriptions: false,
  /* Other options, such as typeDefs, resolvers, schema, etc. */
});

For more information

If you have any questions or comments about this advisory, please open an issue and the maintainers will try to assist.

Credit and appreciation

Apollo fully believes in ethical disclosure of vulnerabilities by security researchers who notify us with details and provide us time to address and fix the issues before publicly disclosing.

Credit for this discovery goes to the team at Bitwala, who reported the concern to us responsibly after discovering it during their own auditing.


Release Notes

apollographql/apollo-server

v2.14.2


Note: This release is related to a GitHub Security Advisory published by the Apollo Server team. Please read the attached advisory to understand the impact.

v2.14.1


v2.14.0


  • apollo-server-core / apollo-server-plugin-base: Add support for willResolveField and corresponding end-handler within executionDidStart. This brings the remaining bit of functionality that was previously only available from graphql-extensions to the new plugin API. The graphql-extensions API (which was never documented) will be deprecated in Apollo Server 3.x. To see the documentation for the request pipeline API, see its documentation. For more details, see the attached PR. PR #3988

  • apollo-server-core: Deprecate graphql-extensions. All internal usages of the graphql-extensions API have been migrated to the request pipeline plugin API. For any implementor-supplied extensions, a deprecation warning will be printed once per-extension, per-server-startup, notifying of the intention to deprecate. Extensions should migrate to the plugin API, which is outlined in its documentation. PR #4135

  • apollo-engine-reporting: Currently only for non-federated graphs. Added an experimental schema reporting option, experimental_schemaReporting, for Apollo Graph Manager users. During this experiment, we'd appreciate testing and feedback from current and new users of the schema registry!

    Prior to the introduction of this feature, the only way to get schemas into the schema registry in Apollo Graph Manager was to use the CLI and run apollo schema:push. The Apollo schema reporting protocol is a new specification for GraphQL servers to automatically report schemas to the Apollo Graph Manager schema registry.

    To enable schema reporting, provide a Graph Manager API key (available free from Apollo Graph Manager) in the APOLLO_KEY environment variable and set the experimental_schemaReporting option to true in the Apollo Server constructor options, like so:

    const server = new ApolloServer({
      typeDefs,
      resolvers,
      engine: {
        experimental_schemaReporting: true,
        /* Other existing options can remain the same. */
      },
    });

    When enabled, a schema reporter is initiated by the apollo-engine-reporting agent. It will loop until the ApolloServer instance is stopped, periodically calling back to Apollo Graph Manager to send information. The life-cycle of this reporter is managed by the agent.

    For more details on the implementation of this new protocol, see the PR which introduced it to Apollo Server and the preview documentation.

    PR #4084

  • apollo-engine-reporting: The underlying integration of this plugin, which instruments and traces the graph's resolver performance and transmits these metrics to Apollo Graph Manager, has been changed from the (soon to be deprecated) graphql-extensions API to the new request pipeline plugins API. PR #3998

    This change should be purely an implementation detail for a majority of users. There are, however, some special considerations which are worth noting:

    • The federated tracing plugin's ftv1 response on extensions (which is present on the response from an implementing service to the gateway) is now placed on the extensions after the formatResponse hook. Anyone leveraging the extensions.ftv1 data from the formatResponse hook will find that it is no longer present at that phase.

  • apollo-tracing: This package's internal integration with Apollo Server has been switched from using the soon-to-be-deprecated graphql-extensions API to using the request pipeline plugin API. Behavior should remain otherwise the same. PR #3991

  • apollo-cache-control: This package's internal integration with Apollo Server has been switched from using the soon-to-be-deprecated graphql-extensions API to using the request pipeline plugin API. Behavior should remain otherwise the same. PR #3997

v2.13.1


v2.13.0


  • Allow passing a WebSocket.Server to ApolloServer.installSubscriptionHandlers. PR #2314
  • apollo-server-lambda: Support file uploads on AWS Lambda. Issue #1419, Issue #1703, PR #3926
  • apollo-engine-reporting: Fix inadvertent conditional formatting which prevented automated persisted query (APQ) hits and misses from being reported to Apollo Graph Manager. PR #3986
  • apollo-engine-reporting: Deprecate the ENGINE_API_KEY environment variable in favor of its new name, APOLLO_KEY. Continued use of ENGINE_API_KEY will result in deprecation warnings and support for it will be removed in a future major version. #3923
  • apollo-engine-reporting: Deprecated the APOLLO_SCHEMA_TAG environment variable in favor of its new name, APOLLO_GRAPH_VARIANT. Similarly, within the engine configuration object, the schemaTag property has been renamed graphVariant. The functionality remains otherwise unchanged, but their new names mirror the name used within Apollo Graph Manager. Continued use of the now-deprecated names will result in deprecation warnings and support will be dropped completely in the next "major" update. To avoid misconfiguration, a runtime error will be thrown if both new and deprecated names are set. PR #3855
  • apollo-engine-reporting-protobuf: (This is a breaking change only if you directly depend on apollo-engine-reporting-protobuf.) Drop legacy fields that were never used by apollo-engine-reporting. Added new fields StatsContext to allow apollo-server to send summary stats instead of full traces, and renamed FullTracesReport to Report and Traces to TracesAndStats since reports now can include stats as well as traces.

v2.12.0


  • apollo-server-core: Support providing a custom logger implementation (e.g. winston, bunyan, etc.) to capture server console messages. Though there has historically been limited output from Apollo Server, some messages are important to capture in the larger context of production logging facilities or can benefit from using more advanced structure, like JSON-based logging. This also introduces a logger property to the GraphQLRequestContext that is exposed to plugins, making it possible for plugins to leverage the same server-level logger, and allowing implementors to create request-specific log contexts, if desired. When not provided, these will still output to console. PR #3894
  • apollo-server-core: When operating in gateway mode using the gateway property of the Apollo Server constructor options, the failure to initialize a schema during initial start-up, e.g. connectivity problems, will no longer result in the federated executor from being assigned when the schema eventually becomes available. This precludes a state where the gateway may never become available to serve federated requests, even when failure conditions are no longer present. PR #3811
  • apollo-server-core: Prevent a condition which prefixed an error message on each request when the initial gateway initialization resulted in a Promise-rejection which was memoized and re-prepended with Invalid options provided to ApolloServer: on each request. PR #3811
  • apollo-server-express: Disable the automatic inclusion of the x-powered-by: express header. PR #3821
  • apollo-engine-reporting: Avoid creating new arrays when building trace trees. PR #3479
  • apollo-server-core: Bump graphql peerDependencies range to include ^15.0.0. PR #3944

v2.11.0


  • The range of accepted peerDependencies versions for graphql has been widened to include graphql@^15.0.0-rc.2 so as to accommodate the latest release-candidate of the graphql@15 package, and an intention to support it when it is finally released on the latest npm tag. While this change will subdue peer dependency warnings for Apollo Server packages, many dependencies from outside of this repository will continue to raise similar warnings until those packages' own peerDependencies are updated. It is unlikely that all of those packages will update their ranges prior to the final version of graphql@15 being released, but if everything is working as expected, the warnings can be safely ignored. PR #3825

v2.10.1


  • apollo-server-core: Update GraphQL Playground to latest version to remove a rogue curly-brace appearing in the top-right corner of the interface under certain conditions. PR #3702 Playground PR
  • apollo-server-core: Typings: Allow the cache property inside persistedQueries to be optional. This was already optional at runtime where it defaults to the top-level global cache when unspecified, but with the introduction of the ttl property, it now makes sense that one may be provided without the other. #3671

v2.10.0


  • apollo-server-express: Support CorsOptionsDelegate type on cors parameter to applyMiddleware, to align with the supported type of the underlying cors middleware itself. #3613
  • apollo-server-core: Allow asynchronous initialization of datasources: the initialize method on datasources may now return a Promise, which will be settled before any resolvers are called. #3639
  • apollo-server-core: experimental: Allow configuration of the parsed/validated document store by introducing an experimental_approximateDocumentStoreMiB property to the ApolloServer constructor options which overrides the default cache size of 30MiB. #3755

v2.9.16


  • apollo-server-core: Update apollo-tooling dependencies, resolve TS build error (missing types for node-fetch). #3662

v2.9.15


  • apollo-engine-reporting: Fix regression introduced by #3614 which caused PersistedQueryNotFoundError, PersistedQueryNotSupportedError and InvalidGraphQLRequestError errors to be triggered before the requestDidStart handler triggered treeBuilder's startTiming method. This fix preserves the existing behavior by special-casing these specific errors. #3638 fixes #3627
  • apollo-server-cloud-functions: Transmit CORS headers on OPTIONS request. #3557
  • apollo-server-caching: De-compose options interface for KeyValueCache.prototype.set to accommodate better TSDoc annotations for its properties (e.g. to specify that ttl is defined in seconds). #3619
  • apollo-server-core, apollo-server-caching: Introduce a ttl property, specified in seconds, on the options for automated persisted queries (APQ) which applies specific TTL settings to the cache sets during APQ registration. Previously, all APQ cache records were set to 300 seconds. Additionally, this adds support (to the underlying apollo-server-caching mechanisms) for a time-to-live (TTL) value of null which, when supported by the cache implementation, skips the assignment of a TTL value altogether. This allows the cache's controller to determine when eviction happens (e.g. cache forever, and purge least recently used when the cache is full), which may be desirable for network cache stores (e.g. Memcached, Redis). #3623
  • apollo-server-core: Upgrade TS to 3.7.3. #3618

v2.9.14


  • apollo-server-core: Ensure that plugin's didEncounterErrors hooks are invoked for known automated persisted query (APQ) errors. #3614
  • apollo-server-plugin-base: Move TContext generic from requestDidStart method to ApolloServerPlugin Interface. #3525

v2.9.13


  • @apollo/gateway: Add @types/node-fetch as a regular dependency to avoid missing dependency for TypeScript consumers. #3546 fixes #3471
  • apollo-engine-reporting: Declare acceptable graphql versions ranges in peerDependencies rather than allowing it to occur implicitly (and less ideally) via its consumers (e.g. most apollo-server-* packages). #3496

v2.9.12


  • Reinstate #3530 via #3539 - after a patch release of the @apollo/protobufjs fork, the build issue for consumers should be resolved.

v2.9.11


  • Revert #3530 via #3535 - the introduction of the @apollo/protobufjs fork is causing TS errors in consumer projects. Reverting this change for now, and will reintroduce it after the issue is resolved within the forked package.

v2.9.10


  • apollo-engine-reporting: Swap usage of protobufjs for a newly published fork located at @apollo/protobufjs. This is to account for the relative uncertainty into the continued on-going maintenance of the official protobuf.js project. This should immediately resolve a bug that affected Long types in apollo-engine-reporting and other non-Apollo projects that rely on protobuf.js's Long type. #3530

v2.9.9


  • apollo-server-core: Don't try parsing variables and extensions as JSON if they are defined but empty strings. #3501
  • apollo-server-lambda: Introduce onHealthCheck on createHandler in the same fashion as implemented in other integrations. #3458
  • apollo-server-core: Use graphql's isSchema to more defensively check the user-specified schema's type at runtime and prevent unexpected errors. #3462

v2.9.8


  • apollo-server-core: Provide accurate type for formatResponse rather than generic Function type. #3431
  • apollo-server-core: Pass complete request context to formatResponse, rather than just context. #3431

Renovate configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by WhiteSource Renovate. View repository job log here.
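The advisory quoted in the PR above says the SubscriptionServer was created without the internal NoIntrospection rule and without user-supplied validationRules, so the WebSocket transport could answer an introspection query that the HTTP transport rejected. What follows is an added example, not code from this PR, from Renovate or from Apollo Server: it builds the subscriptions-transport-ws frames an Apollo Server 2.x subscription endpoint speaks (connection_init, then start with an introspection query) and classifies the frames a server sends back, so the WebSocket verdict can be compared against the HTTP verdict before and after upgrading to 2.14.2 or passing subscriptions: false. All function names are the editor's, the sample frames are constructed rather than captured from a real server, and the wording of the error message a patched server returns is an assumption; the optional live probe needs the ws npm package and a reachable server, and assumes the subscriptions endpoint shares the HTTP path (/graphql), which is the Apollo Server 2.x default.

```javascript
// Added example (not part of the PR or of Apollo Server): offline classifier for
// subscriptions-transport-ws frames, used to check whether a WebSocket endpoint
// honours the same introspection/validation rules as the HTTP endpoint.
'use strict';

// Message types from the subscriptions-transport-ws protocol used by Apollo Server 2.x.
const MSG = {
  INIT: 'connection_init',
  ACK: 'connection_ack',
  KA: 'ka',
  START: 'start',
  DATA: 'data',
  ERROR: 'error',
  COMPLETE: 'complete',
};

// Smallest query that only succeeds when introspection is permitted.
const INTROSPECTION_QUERY = '{ __schema { types { name description } } }';

// Frames a client sends to open the connection and start one operation.
function buildIntrospectionHandshake(operationId = '1') {
  return [
    JSON.stringify({ type: MSG.INIT, payload: {} }),
    JSON.stringify({ type: MSG.START, id: operationId, payload: { query: INTROSPECTION_QUERY } }),
  ];
}

// Classify the server's frames for one operation id. Verdicts:
//   'introspection_enabled'  schema came back, so validation rules were not applied
//   'rejected'               operation refused with GraphQL errors
//   'no_result'              nothing for this operation (connection refused, timeout)
//   'malformed'              a frame was not JSON
function classifyIntrospectionResponse(frames, operationId = '1') {
  let acked = false;
  for (const raw of frames) {
    let msg;
    try {
      msg = JSON.parse(raw);
    } catch (e) {
      return { verdict: 'malformed', detail: [raw] };
    }
    if (msg.type === MSG.ACK) { acked = true; continue; }
    if (msg.type === MSG.KA || msg.id !== operationId) continue;
    const payload = msg.payload || {};
    if (msg.type === MSG.DATA && payload.data && payload.data.__schema) {
      return { verdict: 'introspection_enabled', detail: payload.data.__schema.types.map((t) => t.name) };
    }
    if (msg.type === MSG.DATA && Array.isArray(payload.errors) && payload.errors.length > 0) {
      return { verdict: 'rejected', detail: payload.errors.map((e) => e.message) };
    }
    if (msg.type === MSG.ERROR) {
      return { verdict: 'rejected', detail: [payload.message || 'unspecified error'] };
    }
  }
  return { verdict: 'no_result', detail: [acked ? 'connection_ack received, no operation result' : 'no connection_ack'] };
}

// The HTTP transport is unaffected by the advisory, so it is the reference for
// what the operator intended; a more permissive WebSocket transport is the bug.
function assessTransportParity(httpVerdict, wsVerdict) {
  if (httpVerdict === 'rejected' && wsVerdict === 'introspection_enabled') {
    return 'MISMATCH: WebSocket transport bypasses rules the HTTP transport enforces';
  }
  if (httpVerdict === wsVerdict) return 'PARITY: both transports behave the same';
  return 'INCONCLUSIVE: re-run the probe and inspect the raw frames';
}

// Constructed frames of the kind an unpatched server (before 2.14.2) would return.
const SAMPLE_VULNERABLE_FRAMES = [
  '{"type":"connection_ack"}',
  '{"type":"ka"}',
  '{"type":"data","id":"1","payload":{"data":{"__schema":{"types":[{"name":"Query","description":null},{"name":"InternalAuditLog","description":"constructed example type"}]}}}}',
  '{"type":"complete","id":"1"}',
];

// Constructed frames of the kind a patched server returns with introspection disabled
// (the error text is assumed, not copied from Apollo Server).
const SAMPLE_PATCHED_FRAMES = [
  '{"type":"connection_ack"}',
  '{"type":"data","id":"1","payload":{"errors":[{"message":"constructed example: GraphQL introspection is not allowed"}]}}',
  '{"type":"complete","id":"1"}',
];

// Optional live probe: needs the `ws` package and a reachable server, e.g.
// probeLive('ws://localhost:4000/graphql').then(console.log)
function probeLive(url, timeoutMs = 5000) {
  const WebSocket = require('ws'); // loaded lazily so the offline part has no dependency
  return new Promise((resolve) => {
    const frames = [];
    const socket = new WebSocket(url, 'graphql-ws'); // subprotocol name used by subscriptions-transport-ws
    let timer;
    const finish = () => {
      clearTimeout(timer);
      socket.terminate();
      resolve(classifyIntrospectionResponse(frames));
    };
    timer = setTimeout(finish, timeoutMs);
    socket.on('open', () => buildIntrospectionHandshake().forEach((f) => socket.send(f)));
    socket.on('message', (data) => {
      const text = data.toString();
      frames.push(text);
      if (/"type"\s*:\s*"complete"/.test(text)) finish();
    });
    socket.on('error', finish);
  });
}
```

To compare transports, POST the same INTROSPECTION_QUERY to the HTTP endpoint and map its response to the same verdicts; on a server configured with introspection: false and without subscriptions: false, a MISMATCH from assessTransportParity before the upgrade and PARITY after it is the behaviour the advisory describes.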

@renovate renovate bot force-pushed the renovate/npm-apollo-server-express-vulnerability branch 6 times, most recently from 03b6cc0 to cd689e5 Compare June 14, 2020 06:24
@renovate renovate bot force-pushed the renovate/npm-apollo-server-express-vulnerability branch 4 times, most recently from aade6e7 to e46fbd2 Compare June 23, 2020 20:59
@renovate renovate bot force-pushed the renovate/npm-apollo-server-express-vulnerability branch 3 times, most recently from 2c03ba2 to 3aa6251 Compare June 30, 2020 11:33
@renovate renovate bot force-pushed the renovate/npm-apollo-server-express-vulnerability branch 3 times, most recently from e118aac to 55e5e43 Compare July 11, 2020 13:40
@renovate renovate bot force-pushed the renovate/npm-apollo-server-express-vulnerability branch from 55e5e43 to 5388d74 Compare August 26, 2020 07:00
@renovate renovate bot force-pushed the renovate/npm-apollo-server-express-vulnerability branch 8 times, most recently from b9414f0 to b238329 Compare September 22, 2020 04:28
@renovate renovate bot force-pushed the renovate/npm-apollo-server-express-vulnerability branch 3 times, most recently from 30a5234 to 1dd05f6 Compare September 30, 2020 22:59
@renovate renovate bot force-pushed the renovate/npm-apollo-server-express-vulnerability branch 2 times, most recently from f7350a7 to a14d840 Compare October 5, 2020 19:17
@renovate renovate bot force-pushed the renovate/npm-apollo-server-express-vulnerability branch 6 times, most recently from 5aa2537 to 21627b6 Compare October 10, 2020 17:08
@renovate renovate bot force-pushed the renovate/npm-apollo-server-express-vulnerability branch 3 times, most recently from afc0fc8 to d9db9de Compare October 19, 2020 20:38
@renovate renovate bot force-pushed the renovate/npm-apollo-server-express-vulnerability branch 7 times, most recently from 9a178f2 to a700455 Compare October 27, 2020 00:23
@renovate renovate bot force-pushed the renovate/npm-apollo-server-express-vulnerability branch 2 times, most recently from 3a0dc4a to 77429f4 Compare October 28, 2020 20:10
@renovate renovate bot closed this Oct 29, 2020
@renovate renovate bot force-pushed the renovate/npm-apollo-server-express-vulnerability branch from 77429f4 to e7b60de Compare October 29, 2020 14:55
renovate bot commented Oct 29, 2020

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (^2.9.7). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate bot deleted the renovate/npm-apollo-server-express-vulnerability branch October 29, 2020 14:56