
chore(deps): update dependency apollographql/router to v1.52.1 #2077

Merged: 1 commit merged into main from renovate/apollographql-router-1.x on Aug 28, 2024


@renovate renovate bot commented Aug 27, 2024

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| apollographql/router | patch | v1.52.0 -> v1.52.1 |

Release Notes

apollographql/router (apollographql/router)

v1.52.1

[!IMPORTANT]
If you have enabled Distributed query plan caching, this release changes the hashing algorithm used for the cache keys. On account of this, you should anticipate additional cache regeneration cost when updating between these versions while the new hashing algorithm comes into service.

🔒 Security
CVE-2024-43783: Payload limits may exceed configured maximum

Correct a denial-of-service vulnerability which, under certain non-default configurations below, made it possible to exceed the configured request payload maximums set with the limits.http_max_request_bytes option.

This affects the following non-default Router configurations:

  1. Those configured to send request bodies to External Coprocessors where the coprocessor.router.request.body configuration option is set to true; or
  2. Those which declare custom native Rust plugins using the plugins configuration where those plugins access the request body in the RouterService layer.

Rhai plugins are not impacted. See the associated GitHub Advisory, GHSA-x6xq-whh3-gg32, for more information.

CVE-2024-43414: Update query planner to resolve uncontrolled recursion

Update the version of @apollo/query-planner used by Router to v2.8.5 which corrects an uncontrolled recursion weakness (classified as CWE-674) during query planning for complex queries on particularly complex graphs.

This weakness impacts all versions of Router prior to this release. See the associated GitHub Advisory, GHSA-fmj9-77q8-g6c4, for more information.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.
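As an added check that is not part of the Renovate post or of the router project: a small audit helper, written here, that takes a Router version string and its configuration (loaded into a dict by any YAML parser) and reports which of the two advisories above apply. The configuration keys are the ones named in the release notes (`coprocessor.router.request.body`, `plugins`, `limits.http_max_request_bytes`); the sample configuration is constructed, and whether a native plugin actually reads the body in the RouterService layer cannot be seen from config alone, so that case is reported for manual review.

```python
"""Audit an Apollo Router deployment against the advisories fixed in v1.52.1
(CVE-2024-43783, CVE-2024-43414) from its version and its config dict."""
from typing import Any

FIXED_VERSION = (1, 52, 1)  # first release containing both fixes


def parse_version(version: str) -> tuple:
    """Turn 'v1.52.0' or '1.52.0' (prerelease suffix ignored) into an int tuple."""
    core = version.lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def lookup(config: dict, dotted_path: str, default: Any = None) -> Any:
    """Fetch a config value by dotted path, e.g. 'coprocessor.router.request.body'."""
    node: Any = config
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def audit(version: str, config: dict) -> list:
    """Return the advisories that apply to this version plus configuration."""
    findings = []
    if parse_version(version) >= FIXED_VERSION:
        return findings  # already at or past the fixed release
    # CVE-2024-43414 affects every Router release before 1.52.1, whatever the config.
    findings.append("CVE-2024-43414: query planner uncontrolled recursion; upgrade")
    # CVE-2024-43783 applies only to the two non-default configurations named above.
    if lookup(config, "coprocessor.router.request.body") is True:
        findings.append("CVE-2024-43783: coprocessor receives the router request body, "
                        "so limits.http_max_request_bytes can be exceeded")
    if lookup(config, "plugins"):
        findings.append("CVE-2024-43783: native plugins declared; review whether any "
                        "reads the request body in the RouterService layer")
    return findings


# Constructed sample configuration (hypothetical deployment, not a real one).
SAMPLE_CONFIG = {
    "limits": {"http_max_request_bytes": 2_000_000},
    "coprocessor": {
        "url": "http://coprocessor.internal:8081",  # placeholder URL
        "router": {"request": {"body": True}},
    },
}

if __name__ == "__main__":
    for finding in audit("v1.52.0", SAMPLE_CONFIG):
        print(finding)
```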

@renovate renovate bot requested a review from a team as a code owner August 27, 2024 13:18
@renovate renovate bot force-pushed the renovate/apollographql-router-1.x branch 5 times, most recently from e2d9409 to 3c2056f Compare August 28, 2024 13:20
@renovate renovate bot force-pushed the renovate/apollographql-router-1.x branch from 3c2056f to 017774b Compare August 28, 2024 13:31
@jonathanrainer jonathanrainer left a comment

LGTM

@jonathanrainer jonathanrainer enabled auto-merge (squash) August 28, 2024 13:32
@jonathanrainer jonathanrainer merged commit 9f47ced into main Aug 28, 2024
21 of 22 checks passed
@jonathanrainer jonathanrainer deleted the renovate/apollographql-router-1.x branch August 28, 2024 13:41
@jonathanrainer jonathanrainer added this to the v0.26.1 milestone Aug 30, 2024
@jonathanrainer jonathanrainer mentioned this pull request Sep 4, 2024
jonathanrainer added a commit that referenced this pull request Sep 4, 2024
# [0.26.1] - 2024-09-04

## 🚀 Features

- **Respect the use of `--output` flag in the supergraph binary -
@aaronArinder PR #2045**

In testing to attempt to reduce the runtime of `supergraph compose` we
noticed that a very large proportion of the time spent (in the case of
large supergraphs) was spent printing the result to `stdout`. With this
change we add an `--output` flag to the `supergraph` binary which means
this time can be reduced significantly, leading to much faster
compositions.

- **Add `--license` flag to `rover dev` - @loshz PR #2078**

Adds the ability to pass along an offline enterprise licence to the
router when running `rover dev`

- **Remove Rayon and reduce usage of Crossbeam - @jonathanrainer PR
#2081**
  
Now that `rover` has transitioned to using an asynchronous runtime we
don't need to use Rayon any more. This also resolves a bug whereby
`rover dev` could lock up if passed a `supergraph.yaml` file with lots
of subgraphs in.

- **Introduce new print macros - @loshz PR #2090**
  
Adds three new macros to the codebase so that we can still visually
distinguish between INFO, WARNING and ERROR log lines without the use of
emoji

- **Use new print macros in place of emoji - @loshz PR #2096**

Updates the locations that previously used emoji to utilise the new
macros defined in the previous PR

## 🐛 Fixes

- **Stop Windows Installer failing if whitespace is accidentally passed
to the `rover install` command - @jonathanrainer PR #1975**

In some situations it was possible for whitespace to be passed to the
`rover install` command which then caused the installer to fail. A guard
has now been added to strip whitespace out before it is passed to the
install command.

## 🛠 Maintenance

- **Move CI to using newly created Ubuntu images - @jonathanrainer PR
#2080**

CircleCI is removing support for older Ubuntu machine images; this
brings us up to date but does **not** change any of our `glibc` support
etc.

- **Add check for aarch-64-unknown-linux-musl to installers - @loshz PR
#2079**
- **Update node.js packages - @jonathanrainer PR #2070**

  Includes `eslint` to v9.9.1 and `node` to 20.17.0

- **Update `node` CircleCI orb to v5.3.0 - @jonathanrainer PR #2071**
- **Update `apollographql/federation-rs` to v2.9.0 - @jonathanrainer PR
#1983**
- **Update `apollographql/router` to v1.52.1 - @jonathanrainer PR
#2077**
- **Update `node` Docker Image to v20.17.0 - @jonathanrainer PR #2072**
- **Update `apollographql/router` to v1.53.0 - @jonathanrainer PR
#2084**
- **Update `npm` to v10.8.3 - @jonathanrainer PR #2091**
- **Update `slackapi/slack-github-action` to v1.27.0 - @jonathanrainer
PR #2092**
- **Update `node` CircleCI orb to v6.1.0 - @jonathanrainer PR #2093**
- **Fix some bugs in the smoke tests - @jonathanrainer PR #2094**

## 📚 Documentation

- **Add `cloud config` docs - @loshz PR #2066**