Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency apollo-server-core to v2.26.1 [security] #118

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix(deps): update dependency apollo-server-core to v2.26.1 [security] #118

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Aug 31, 2023
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
apollo-server-core (source) 2.21.0 -> 2.26.1 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

GHSA-j5g3-5c8r-7qfx

Impact

What kind of vulnerability is it?

Apollo Server can log sensitive information (Studio API keys) if they are passed incorrectly (with leading/trailing whitespace) or if they have any characters that are invalid as part of a header value.

Who is impacted?

Users who (all of the below):

  • use either the schema reporting or usage reporting feature
  • use an Apollo Studio API key which has invalid header values
  • use the default fetcher (node-fetch) or configured their own node-fetch fetcher

The following node snippet can test whether your API key has invalid header values. This code is taken directly from node-fetch@2's header value validation code.

const invalidHeaderCharRegex = /[^\t\x20-\x7e\x80-\xff]/;
if (invalidHeaderCharRegex.test('<YOUR_API_KEY>')) {
  console.log('potentially affected');
}
console.log('unaffected');

If the provided API key is not a valid header value, whenever Apollo Server uses that API key in a request (to Studio, for example), node-fetch will throw an error which contains the header value. This error is logged in various ways depending on the user's configuration, but most likely the console or some configured logging service.

Patches

This problem is patched in the latest version of Apollo Server as soon as this advisory is published.

Workarounds

  • Try retrieving a new API key from Studio. Note: this may not work if the invalid character is not part of the secret (it may be derived from identifiers like graph name, user name).
  • Override the fetcher
  • Disable schema reporting and/or usage reporting

Solution

  • Apollo Server will now call .trim() on incoming API keys in order to eliminate leading/trailing whitespace and log a warning when it does so.
  • Apollo Server will now perform the same validation of API keys as node-fetch@2 performs on header values on startup. Apollo Server will throw an error on startup (i.e., fail to start completely) and notify the user their API key is invalid along with the offending characters.

Release Notes

apollographql/apollo-server (apollo-server-core)

v2.26.1

Compare Source

v2.26.0

Compare Source

v2.25.4

Compare Source

v2.25.3

Compare Source

v2.25.2

Compare Source

v2.25.1

Compare Source

v2.25.0

Compare Source

v2.24.1

Compare Source

v2.24.0

Compare Source

v2.23.0

Compare Source

v2.22.2

Compare Source

v2.22.1

Compare Source

v2.22.0

Compare Source

v2.21.2

Compare Source

v2.21.1

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch from 1577735 to 39ae0f8 Compare September 19, 2023 20:43
@renovate renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch 2 times, most recently from 9664053 to 277ec07 Compare September 29, 2023 20:28
@renovate renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch 2 times, most recently from 2090928 to 169ae47 Compare October 16, 2023 02:29
@renovate renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch from 169ae47 to b45f4ee Compare October 24, 2023 23:36
@renovate renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch from b45f4ee to afe9eb4 Compare November 6, 2023 06:03
@socket-security Socket Security
Copy link

socket-security bot commented Nov 6, 2023
edited
Loading

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@apollo/[email protected] 🔁 npm/@apollo/[email protected] None +1 3.91 MB apollo-bot
npm/@apollographql/[email protected] 🔁 npm/@apollographql/[email protected] None 0 56.9 kB apollo-bot
npm/@apollographql/[email protected] 🔁 npm/@apollographql/[email protected] None 0 28.8 kB abernix
npm/@apollographql/[email protected] 🔁 npm/@apollographql/[email protected] None 0 28.5 kB glasser
npm/@josephg/[email protected] None 0 3.21 kB josephg
npm/@types/[email protected] 🔁 npm/@types/[email protected] None 0 7.01 kB types
npm/@types/[email protected] 🔁 npm/@types/[email protected] None 0 7.65 kB types
npm/@types/[email protected] 🔁 npm/@types/[email protected] None 0 5.91 kB types
npm/@types/[email protected] 🔁 npm/@types/[email protected] None 0 6.48 kB types
npm/@types/[email protected] 🔁 npm/@types/[email protected] None 0 9.24 kB types
npm/@types/[email protected] 🔁 npm/@types/[email protected] None 0 7.86 kB types
npm/@types/[email protected] 🔁 npm/@types/[email protected] None 0 6.88 kB types
npm/@types/[email protected] 🔁 npm/@types/[email protected] None 0 6.59 kB types
npm/@types/[email protected] 🔁 npm/@types/[email protected] None 0 3.3 kB types
npm/@types/[email protected] 🔁 npm/@types/[email protected] None 0 7.73 kB types
npm/@types/[email protected] 🔁 npm/@types/[email protected] None 0 25.4 kB types
npm/@types/[email protected] 🔁 npm/@types/[email protected] None 0 13.3 kB types
npm/@types/[email protected] 🔁 npm/@types/[email protected] None 0 3.78 kB types
npm/@types/[email protected] 🔁 npm/@types/[email protected] None 0 7.46 kB types
npm/@types/[email protected] 🔁 npm/@types/[email protected] None 0 4.62 kB types
npm/@types/[email protected] None 0 9.85 kB types
npm/@types/[email protected] 🔁 npm/@types/[email protected] None 0 7.79 kB types
npm/@types/[email protected] 🔁 npm/@types/[email protected] None 0 18.9 kB types
npm/[email protected] 🔁 npm/[email protected] None 0 45.3 kB apollo-bot
npm/[email protected] 🔁 npm/[email protected] None 0 3.11 kB apollo-bot
npm/[email protected] 🔁 npm/[email protected] None 0 464 kB apollo-bot
npm/[email protected] None 0 21 kB apollo-bot
npm/[email protected] 🔁 npm/[email protected] None 0 1.12 MB apollo-bot
npm/[email protected] 🔁 npm/[email protected] None 0 12 kB apollo-bot
npm/[email protected] 🔁 npm/[email protected] None 0 14.4 kB apollo-bot
npm/[email protected] environment, filesystem 0 116 kB vitaly
npm/[email protected] None 0 12 kB ljharb
npm/[email protected] None 0 30.6 kB ljharb
npm/[email protected] None +1 37.8 kB ljharb
npm/[email protected] None 0 3.4 kB kevva
npm/[email protected] None 0 9.63 kB ljharb
npm/[email protected] 🔁 npm/[email protected] None 0 5.21 kB leerobinson
npm/[email protected] None 0 20.4 kB ljharb
npm/[email protected] 🔁 npm/[email protected] None 0 22.9 kB ljharb
npm/[email protected] None +1 26.5 kB ljharb
npm/[email protected] None 0 6.33 kB sindresorhus
npm/[email protected] None 0 8 kB nami-doc
npm/[email protected] None 0 14.4 kB andyburke
npm/[email protected] 🔁 npm/[email protected] None 0 1.26 MB zloirock
npm/[email protected] None 0 11.3 kB ljharb
npm/[email protected] None 0 11.4 kB ljharb
npm/[email protected] None 0 11.1 kB ljharb
npm/[email protected] None 0 30.9 kB ljharb
npm/[email protected] 🔁 npm/[email protected] None 0 12.9 kB ljharb
npm/[email protected] environment 0 197 kB jonschlinkert
npm/[email protected] 🔁 npm/[email protected], npm/[email protected] None +1 2.41 MB ljharb
npm/[email protected] None 0 3.86 kB ljharb
npm/[email protected] None 0 12.3 kB ljharb
npm/[email protected] None 0 11.4 kB ljharb
npm/[email protected] None 0 14.5 kB ljharb
npm/[email protected] 🔁 npm/[email protected] None 0 44.5 kB ljharb
npm/[email protected] None 0 78.4 kB eslintbot
npm/[email protected] None 0 314 kB ariya
npm/[email protected] None +1 1.02 MB michaelficarra
npm/[email protected] None 0 13.5 kB michaelficarra
npm/[email protected] None 0 36.3 kB michaelficarra
npm/[email protected] None 0 50.6 kB michaelficarra
npm/[email protected] None 0 23.5 kB ljharb
npm/[email protected] None 0 13 kB esp
npm/[email protected] filesystem 0 25.6 kB royriojas
npm/[email protected] filesystem 0 30 kB royriojas
npm/[email protected] 🔁 npm/[email protected] None 0 21.3 kB ljharb, raynos
npm/[email protected] 🔁 npm/[email protected] None 0 31.4 kB ljharb
npm/[email protected] None 0 27.1 kB ljharb
npm/[email protected] None 0 43.5 kB mikolalysenko
npm/[email protected] None 0 16.7 kB ljharb
npm/[email protected] 🔁 npm/[email protected] None +2 65.9 kB ljharb
npm/[email protected] None +1 23.8 kB ljharb
npm/[email protected] None 0 17.2 kB ljharb
npm/[email protected] None 0 23.7 kB ljharb
npm/[email protected] 🔁 npm/[email protected] None 0 31.8 kB apollo-bot
npm/[email protected] None 0 14.8 kB ljharb
npm/[email protected] None 0 14.5 kB ljharb
npm/[email protected] 🔁 npm/[email protected] None 0 23.4 kB ljharb
npm/[email protected] None 0 17.6 kB ljharb
npm/[email protected] None 0 8.77 kB ljharb
npm/[email protected] None 0 4.87 kB sindresorhus
npm/[email protected] None 0 23 kB ljharb
npm/[email protected] None 0 23.3 kB ljharb, tunnckocore
npm/[email protected] None 0 17.9 kB ljharb
npm/[email protected] None 0 25.4 kB ljharb
npm/[email protected] 🔁 npm/[email protected] None 0 28.9 kB ljharb
npm/[email protected] None 0 13.5 kB ljharb
npm/[email protected] 🔁 npm/[email protected] None 0 24.2 kB ljharb
npm/[email protected] None 0 17.2 kB ljharb
npm/[email protected] eval 0 35.7 kB ljharb
npm/[email protected] None 0 20.4 kB ljharb
npm/[email protected] None 0 25.2 kB ljharb
npm/[email protected] 🔁 npm/[email protected] None 0 35.7 kB ljharb
npm/[email protected] None 0 19.7 kB ljharb
npm/[email protected] None 0 17.1 kB ljharb
npm/[email protected] 🔁 npm/[email protected] None 0 27 kB ljharb
npm/[email protected] None +1 64.9 kB ljharb
npm/[email protected] None 0 20.6 kB ljharb
npm/[email protected] None 0 15.2 kB ljharb
npm/[email protected] None 0 19.8 kB ljharb
npm/[email protected] environment, filesystem 0 11 kB isaacs
npm/[email protected] eval 0 291 kB vitaly
npm/[email protected] None 0 19.6 kB esp
npm/[email protected] None 0 14.2 kB samn
npm/[email protected] None 0 12.7 kB isaacs
npm/[email protected] None 0 24.9 kB gkz
npm/[email protected] None 0 54.1 kB jdalton
npm/[email protected] 🔁 npm/[email protected] None 0 86.2 kB pimterry
npm/[email protected] None 0 17.3 kB ljharb
npm/[email protected] 🔁 npm/[email protected] None 0 206 kB dougwilson
npm/[email protected] 🔁 npm/[email protected] None 0 18.3 kB dougwilson
npm/[email protected] None 0 5.65 kB megawac
npm/[email protected] 🔁 npm/[email protected] None 0 101 kB ljharb
npm/[email protected] 🔁 npm/[email protected] None 0 60.9 kB mariocasciaro
npm/[email protected] 🔁 npm/[email protected] None 0 78.3 kB ljharb
npm/[email protected] 🔁 npm/[email protected] None +1 40.5 kB ljharb
npm/[email protected] None 0 50.2 kB gkz
npm/[email protected] None 0 9.8 kB ljharb
npm/[email protected] None 0 3.92 kB sindresorhus
npm/[email protected] None 0 10.9 kB ljharb
npm/[email protected] None 0 36.7 kB gkz
npm/[email protected] None 0 15.5 kB turbopope
npm/[email protected] None 0 44.3 kB ljharb
npm/[email protected] filesystem, unsafe 0 4.64 kB sindresorhus
npm/[email protected] None 0 18.9 kB tim-kos
npm/[email protected] None 0 8.5 kB ljharb
npm/[email protected] None 0 11.9 kB ljharb
npm/[email protected] None +1 25.7 kB ljharb
npm/[email protected] None 0 16.7 kB ljharb
npm/[email protected] None 0 9.3 kB ljharb
npm/[email protected] None 0 2.56 kB kevva
npm/[email protected] None 0 2.83 kB sindresorhus
npm/[email protected] None 0 14.7 kB ljharb
npm/[email protected] None 0 13.3 kB ljharb
npm/[email protected] None 0 14.7 kB ljharb
npm/[email protected] None 0 21.5 kB ljharb
npm/[email protected] None 0 6.43 kB sindresorhus
npm/[email protected] None 0 34.8 kB alexei
npm/[email protected] None 0 35.2 kB ljharb
npm/[email protected] 🔁 npm/[email protected] None 0 23.6 kB ljharb
npm/[email protected] 🔁 npm/[email protected] None 0 22.9 kB ljharb
npm/[email protected] 🔁 npm/[email protected] None 0 271 kB apollo-bot
npm/[email protected] None 0 12.2 kB ljharb
npm/[email protected] None 0 18.4 kB ljharb
npm/[email protected] None 0 19.8 kB ljharb
npm/[email protected] None +1 47.6 kB ljharb
npm/[email protected] None 0 18.5 kB ljharb
npm/[email protected] 🔁 npm/[email protected] None 0 26.1 kB ljharb
npm/[email protected] None 0 19.3 kB ljharb
npm/[email protected] None 0 30 kB ljharb
npm/[email protected] None 0 20.1 kB ljharb
npm/[email protected] environment 0 9.97 kB isaacs
npm/[email protected] None 0 10.6 kB jonschlinkert
npm/[email protected] 🔁 npm/[email protected] None 0 145 kB leizongmin

🚮 Removed packages: npm/@babel/[email protected], npm/@hapi/[email protected], npm/@hapi/[email protected], npm/@hapi/[email protected], npm/@hapi/[email protected], npm/@next/[email protected], npm/@next/[email protected], npm/@next/[email protected], npm/@next/[email protected], npm/@opentelemetry/[email protected], npm/@opentelemetry/[email protected], npm/@sideway/[email protected], npm/@sideway/[email protected], npm/@sideway/[email protected], npm/@tokenizer/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected]

View full report↗︎

@renovate renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch from afe9eb4 to 46ae7d3 Compare November 17, 2023 02:41
@renovate renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch from 46ae7d3 to 54f0336 Compare December 4, 2023 05:53
@renovate renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch 2 times, most recently from ebcb9fa to e13ba11 Compare February 5, 2024 02:57
@renovate renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch from e13ba11 to ba71ac0 Compare February 26, 2024 02:59
@renovate renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch from ba71ac0 to f1e353f Compare March 13, 2024 02:19
@renovate renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch from f1e353f to b8336ab Compare March 22, 2024 08:55
@renovate renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch from b8336ab to 2cc0e78 Compare April 14, 2024 14:53
@socket-security Socket Security
Copy link

socket-security bot commented Apr 14, 2024
edited
Loading

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report↗︎

@renovate renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch from 2cc0e78 to bae2acd Compare April 23, 2024 02:49
@renovate renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch from bae2acd to 1fe149d Compare June 5, 2024 05:31
@renovate renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch from 1fe149d to be649bc Compare July 22, 2024 02:49
@renovate renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch from be649bc to 4ff98a4 Compare August 8, 2024 03:00
@renovate renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch from 4ff98a4 to 68f7326 Compare August 29, 2024 00:00
@renovate renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch from 68f7326 to eece614 Compare October 10, 2024 05:17
@renovate renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch from eece614 to 242b07a Compare December 2, 2024 23:51
@renovate renovate bot changed the title chore(deps): update dependency apollo-server-core to v2.26.1 [security] fix(deps): update dependency apollo-server-core to v2.26.1 [security] Dec 11, 2024
@renovate renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch from 242b07a to fc01c32 Compare January 25, 2025 03:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants