apollo-server-core: update GraphQL Playground React app

See GHSA-qm7x-rc44-rrqw for details.
apollographql · Nov 4, 2021 · c8a3ea9 · c8a3ea9
1 parent 7861ba2
commit c8a3ea9
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,11 @@ The version headers in this history reflect the versions of Apollo Server itself
 
 ## vNEXT
 
+
+## v3.4.1
+
+- ⚠️ **SECURITY** `apollo-server-core`: Update default version of the GraphQL Playground React app loaded from the CDN to be `@apollographql/graphql-playground-react@1.7.42`. This patches an XSS vulnerability. Note that if you are pinning the Playground React app version in your app with `new ApolloServer({plugins: [ApolloServerPluginLandingPageGraphQLPlayground({version: 'some version'})]})`, you will need to update the specified version to 1.7.42 or later to avoid this vulnerability. If you do not explicitly enable GraphQL Playground via the `ApolloServerPluginLandingPageGraphQLPlayground` plugin, this vulnerability does not affect you. See [advisory GHSA-qm7x-rc44-rrqw](https://github.com/apollographql/apollo-server/security/advisories/GHSA-qm7x-rc44-rrqw) for more details.
+
 ## v3.4.0
 
 - `apollo-server-core`: You can now specify your own `DocumentStore` (a `KeyValueStore<DocumentNode>`) for Apollo Server's cache of parsed and validated GraphQL operation abstract syntax trees via the new `documentStore` constructor option. **This replaces the `experimental_approximateDocumentStoreMiB` option.** You can replace `new ApolloServer({experimental_approximateDocumentStoreMiB: approximateDocumentStoreMiB, ...moreOptions})` with:
@@ -195,6 +200,10 @@ Certain undersupported and underused Apollo Server features have been removed in
 - The non-serverless integrations now depend on their corresponding web frameworks via peer dependencies rather than direct dependencies.
 - All integrations that allow CORS headers to be customized now default to `access-control-allow-origin: *`. This was already the case for `apollo-server`, Express, Fastify, and Hapi; it is now also the same for Koa (which previously reflected the request's origin), Lambda, Cloud Functions, and Azure Functions as well (which did not set CORS by default). Micro and CloudFlare do not have a built-in way of setting CORS headers.
 
+## v2.25.3
+
+- ⚠️ **SECURITY** `apollo-server-core`: Update default version of the GraphQL Playground React app loaded from the CDN to be `@apollographql/graphql-playground-react@1.7.42`. This patches an XSS vulnerability. Note that if you are pinning the Playground React app version in your app with `new ApolloServer({playground: {version: 'some version'}})`, you will need to update the specified version to 1.7.42 or later to avoid this vulnerability. If you disable GraphQL Playground with `new ApolloServer({playground: false})`, this vulnerability does not affect you. See [advisory GHSA-qm7x-rc44-rrqw](https://github.com/apollographql/apollo-server/security/advisories/GHSA-qm7x-rc44-rrqw) for more details.
+
 ## v2.25.2
 
 - `apollo-server-express`: Update dependencies on `@types/express` and `@types/express-serve-static-core`. [PR #5352](https://github.com/apollographql/apollo-server/pull/5352)

diff --git a/packages/apollo-server-core/src/plugin/landingPage/graphqlPlayground/index.ts b/packages/apollo-server-core/src/plugin/landingPage/graphqlPlayground/index.ts
@@ -20,7 +20,7 @@ import type {
 //
 // The version is passed to `@apollographql/graphql-playground-html`'s
 // `renderPlaygroundPage` via the integration packages' `playground` config.
-const defaultPlaygroundVersion = '1.7.41';
+const defaultPlaygroundVersion = '1.7.42';
 
 export type ApolloServerPluginLandingPageGraphQLPlaygroundOptions = Parameters<
   typeof renderPlaygroundPage