Releases: apollographql/apollo-server
@apollo/usage-reporting-protobuf@4.1.1
Patch Changes
@apollo/server@4.7.5
Patch Changes
-
#7614
4fadf3ddc
Thanks @Cellule! - Publish TypeScript typings for CommonJS modules output.This allows TypeScript projects that use CommonJS modules with
moduleResolution: "node16"
or
moduleResolution: "nodeNext"
to correctly resolves the typings of apollo's packages as CommonJS instead of ESM. -
Updated dependencies [
4fadf3ddc
]:- @apollo/cache-control-types@1.0.3
- @apollo/server-gateway-interface@1.1.1
- @apollo/usage-reporting-protobuf@4.1.1
@apollo/server-plugin-response-cache@4.1.3
Patch Changes
@apollo/server-integration-testsuite@4.7.5
Patch Changes
- Updated dependencies [
4fadf3ddc
]:- @apollo/cache-control-types@1.0.3
- @apollo/server@4.7.5
- @apollo/usage-reporting-protobuf@4.1.1
@apollo/server-gateway-interface@1.1.1
Patch Changes
-
#7614
4fadf3ddc
Thanks @Cellule! - Publish TypeScript typings for CommonJS modules output.This allows TypeScript projects that use CommonJS modules with
moduleResolution: "node16"
or
moduleResolution: "nodeNext"
to correctly resolves the typings of apollo's packages as CommonJS instead of ESM. -
Updated dependencies [
4fadf3ddc
]:- @apollo/usage-reporting-protobuf@4.1.1
@apollo/cache-control-types@1.0.3
Patch Changes
@apollo/server@4.7.4
Patch Changes
-
0adaf80d1
Thanks @trevor-scheer! - Address Content Security Policy issuesThe previous implementation of CSP nonces within the landing pages did not take full advantage of the security benefit of using them. Nonces should only be used once per request, whereas Apollo Server was generating one nonce and reusing it for the lifetime of the instance. The reuse of nonces degrades the security benefit of using them but does not pose a security risk on its own. The CSP provides a defense-in-depth measure against a potential XSS, so in the absence of a known XSS vulnerability there is likely no risk to the user.
The mentioned fix also coincidentally addresses an issue with using crypto functions on startup within Cloudflare Workers. Crypto functions are now called during requests only, which resolves the error that Cloudflare Workers were facing. A recent change introduced a
precomputedNonce
configuration option to mitigate this issue, but it was an incorrect approach given the nature of CSP nonces. This configuration option is now deprecated and should not be used for any reason since it suffers from the previously mentioned issue of reusing nonces.Additionally, this change adds other applicable CSPs for the scripts, styles, images, manifest, and iframes that the landing pages load.
A final consequence of this change is an extension of the
renderLandingPage
plugin hook. This hook can now return an object with anhtml
property which returns aPromise<string>
in addition to astring
(which was the only option before).
@apollo/server-integration-testsuite@4.7.4
Patch Changes
-
#7604
aeb511c7d
Thanks @renovate! - Updategraphql-http
dependency -
0adaf80d1
Thanks @trevor-scheer! - Address Content Security Policy issuesThe previous implementation of CSP nonces within the landing pages did not take full advantage of the security benefit of using them. Nonces should only be used once per request, whereas Apollo Server was generating one nonce and reusing it for the lifetime of the instance. The reuse of nonces degrades the security benefit of using them but does not pose a security risk on its own. The CSP provides a defense-in-depth measure against a potential XSS, so in the absence of a known XSS vulnerability there is likely no risk to the user.
The mentioned fix also coincidentally addresses an issue with using crypto functions on startup within Cloudflare Workers. Crypto functions are now called during requests only, which resolves the error that Cloudflare Workers were facing. A recent change introduced a
precomputedNonce
configuration option to mitigate this issue, but it was an incorrect approach given the nature of CSP nonces. This configuration option is now deprecated and should not be used for any reason since it suffers from the previously mentioned issue of reusing nonces.Additionally, this change adds other applicable CSPs for the scripts, styles, images, manifest, and iframes that the landing pages load.
A final consequence of this change is an extension of the
renderLandingPage
plugin hook. This hook can now return an object with anhtml
property which returns aPromise<string>
in addition to astring
(which was the only option before). -
Updated dependencies [
0adaf80d1
]:- @apollo/server@4.7.4
@apollo/server@4.7.3
Patch Changes
-
#7601
75b668d9e
Thanks @trevor-scheer! - Provide a new configuration option for landing page pluginsprecomputedNonce
which allows users to provide a nonce and avoid calling intouuid
functions on startup. This is useful for Cloudflare Workers where random number generation is not available on startup (only during requests). Unless you are using Cloudflare Workers, you can ignore this change.The example below assumes you've provided a
PRECOMPUTED_NONCE
variable in yourwrangler.toml
file.Example usage:
const server = new ApolloServer({ // ... plugins: [ ApolloServerPluginLandingPageLocalDefault({ precomputedNonce: PRECOMPUTED_NONCE, }), ], });
@apollo/server-integration-testsuite@4.7.3
Patch Changes
- Updated dependencies [
75b668d9e
]:- @apollo/server@4.7.3