This repository has been archived by the owner on Sep 25, 2023. It is now read-only.
fix(deps): update dependency @apollo/server to v4.7.4 [security] #519
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.7.1
->4.7.4
GitHub Vulnerability Alerts
GHSA-68jh-rf6x-836f
Context
Content Security Policies (CSP) are a defense-in-depth strategy against XSS attacks. Improper application of CSP isn't itself a vulnerability, but it does fail to prevent XSS in the event that there is a viable attack vector for an XSS attack.
Impact
There aren't any XSS attack vectors via the Apollo Server landing pages known to Apollo, so to our knowledge there is no impact. However, if there are existing XSS vectors that haven't been reported and patched, then all users of Apollo Server's landing pages have a vulnerability which won't be prevented by the current CSP implemented by the landing pages.
Prior to version 4.7.1, there was no CSP implemented at all. However, the initial CSP implementation (4.7.1+) reused nonces. While this sufficiently resolved the issue w.r.t. scripts not running in Safari, it did not implement CSP in a safe or conventional way.
Patches
The issue is patched in the latest version of Apollo Server, v4.7.4. The changes can be reviewed in the merge commit.
Workarounds
The landing page can be disabled completely until the patch can be upgraded to.
https://www.apollographql.com/docs/apollo-server/api/plugin/landing-pages/#disabling-the-landing-page
References
https://content-security-policy.com/nonce/
Release Notes
apollographql/apollo-server
v4.7.4
Compare Source
Patch Changes
0adaf80d1
Thanks @trevor-scheer! - Address Content Security Policy issuesThe previous implementation of CSP nonces within the landing pages did not take full advantage of the security benefit of using them. Nonces should only be used once per request, whereas Apollo Server was generating one nonce and reusing it for the lifetime of the instance. The reuse of nonces degrades the security benefit of using them but does not pose a security risk on its own. The CSP provides a defense-in-depth measure against a potential XSS, so in the absence of a known XSS vulnerability there is likely no risk to the user.
The mentioned fix also coincidentally addresses an issue with using crypto functions on startup within Cloudflare Workers. Crypto functions are now called during requests only, which resolves the error that Cloudflare Workers were facing. A recent change introduced a
precomputedNonce
configuration option to mitigate this issue, but it was an incorrect approach given the nature of CSP nonces. This configuration option is now deprecated and should not be used for any reason since it suffers from the previously mentioned issue of reusing nonces.Additionally, this change adds other applicable CSPs for the scripts, styles, images, manifest, and iframes that the landing pages load.
A final consequence of this change is an extension of the
renderLandingPage
plugin hook. This hook can now return an object with anhtml
property which returns aPromise<string>
in addition to astring
(which was the only option before).v4.7.3
Compare Source
Patch Changes
#7601
75b668d9e
Thanks @trevor-scheer! - Provide a new configuration option for landing page pluginsprecomputedNonce
which allows users to provide a nonce and avoid calling intouuid
functions on startup. This is useful for Cloudflare Workers where random number generation is not available on startup (only during requests). Unless you are using Cloudflare Workers, you can ignore this change.The example below assumes you've provided a
PRECOMPUTED_NONCE
variable in yourwrangler.toml
file.Example usage:
v4.7.2
Compare Source
Patch Changes
c3f04d050
Thanks @trevor-scheer! - Update@apollo/utils.usagereporting
dependency. Previously, installing@apollo/gateway
and@apollo/server
could result in duplicate / differently versioned installs of@apollo/usage-reporting-protobuf
. This is because the@apollo/server-gateway-interface
package was updated to use the latest protobuf, but the@apollo/utils.usagereporting
package was not. After this change, users should always end up with a single install of the protobuf package when installing both@apollo/server
and@apollo/gateway
latest versions.Configuration
📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.