chore(deps): bump @apollo/experimental-nextjs-app-support from 0.5.2 to 0.7.0 in /frontend

[dependabot]

Bumps @apollo/experimental-nextjs-app-support from 0.5.2 to 0.7.0.

Release notes

Sourced from @​apollo/experimental-nextjs-app-support's releases.

0.7.0: important security fix

This version fixes CVE-2024-23841.
You can see more details in the security advisory.

There are no known workarounds for this issue, please update immediately.

0.6.0: reduced bundle size and "nonce" support

This release reduces the bundle size by changing an import from graphql. (#161)

It also adds support for a "nonce" in the script tags created by this package, by introducing a new extraScriptProps option. (#160)

Usage example:

    <ApolloNextAppProvider
      makeClient={makeClient}
      extraScriptProps={{
        nonce: actualNonce,
      }}
    >{...}</ApolloNextAppProvider>

As you should not pass a sensitive value like a nonce or a token as props from a Server Component into a Client Component, you can use the ssr-only-secrets we published for that purpose.

Generate a jwk-formatted AES-CBC key (see details in the linked package) and set it as an environment variable, e.g. "SECRET_KEY_VAR"

In a Server Component:

import { cloakSSROnlySecret } from "ssr-only-secrets";
const MyServerComponent = () => {
const nonce = headers().get('x-nonce')
return <ApolloWrapper nonce={cloakSSROnlySecret(nonce, "SECRET_KEY_VAR")} />
}

In your ApolloWrapper:

export function ApolloWrapper({
  children,
  nonce,
}: React.PropsWithChildren<{ nonce?: string }>) {
// other code, e.g. makeClient
const actualNonce = useSSROnlySecret(nonce, "SECRET_KEY_VAR");
return (
<ApolloNextAppProvider
makeClient={makeClient}
extraScriptProps={{
nonce: actualNonce,
</tr></table>

... (truncated)

Commits

• b92bc42 Merge pull request from GHSA-rv8p-rr2h-fgpg
• 4271a8c feat: adds user survey workflow and link in README (#180)
• 99acf6a chore(deps): update dependency next to v14.1.0 (#177)
• 2adedfa chore(deps): update all devdependencies (#172)
• bf8af08 Merge pull request #173 from apollographql/renovate/major-all-dev
• 6b7d50a Merge branch 'main' into renovate/major-all-dev
• 3d8ff60 also add & configure eslint-plugin-react-hooks
• 2976a0c chore(deps): update secops orb to v2.0.7 (#176)
• 745bda7 chore(deps): update all devdependencies to v6
• 4930d28 feat: SECOPS-2525 - add semgrep job (#174)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by apollo-bot, a new releaser for @​apollo/experimental-nextjs-app-support since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.