-
Notifications
You must be signed in to change notification settings - Fork 679
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrading graphql-playground-middleware-express. #2482
Upgrading graphql-playground-middleware-express. #2482
Conversation
@zetlen the security issue also suggests that we use a sanitizer to clean the endpoint before providing it to the playground middleware. We are not doing that in our current implementation of PWADevServer.js. Do you think I should add that as part of this PR? Here is their suggestion: const { expressPlayground } = require('graphql-playground-middleware-express');
const { sanitizeUrl } = require('@braintree/sanitize-url');
const qs = require('querystringify');
const { renderPlaygroundPage } = require('graphql-playground-html');
module.exports = (req, res, next) => {
const { endpoint } = qs.parse(req.url)
res.html(expressPlayground({endpoint: sanitizeUrl(endpoint) })).status(200)
next()
} |
|
Performance Test Results The following fails have been reported by WebpageTest. These numbers indicates a possible performance issue with the PR which requires further manual testing to validate. https://pr-2482.pwa-venia.com : LH Performance Expected 0.85 Actual 0.56, LH Best Practices Expected 1 Actual 0.92 |
@@ -83,6 +83,7 @@ | |||
"resolutions": { | |||
"graphql": "~14.3.1", | |||
"**/graphql-cli/npm-run": "~5.0.0", | |||
"**/graphql-cli/graphql-playground-middleware-express": "~1.7.18", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's a bummer that we can't just update this version everywhere since 1.7.12
is hardcoded in the last patch in v3 of graphql-cli
. If they just used ~
then we could have updated this without resolutions!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approved! The only alternative I could see is upgrading to graphql-cli@4.0.0
but that's a major change and would require more time and attention.
Yeah dude that would be a major change. |
Description
Fixes the
graphql-playground-middleware-express
security issue.https://github.com/magento/pwa-studio/network/alert/yarn.lock/graphql-playground-html/open
Related Issue
Closes PWA-678
Acceptance
Gql Playground should work as expected and the GitHub security issue should be resolved.
Verification Stakeholders
@zetlen
@jimbo
Verification Steps
yarn watch:venia
Checklist
None