Sourced from word-wrap's releases.

1.2.4

What's Changed

- Remove default indent by @mohd-akram in jonschlinkert/word-wrap#24
- 🔒fix: CVE 2023 26115 (2) by @OlafConijn in jonschlinkert/word-wrap#41
- :lock: fix: CVE-2023-26115 by @aashutoshrathi in jonschlinkert/word-wrap#33
- chore: publish workflow by @OlafConijn in jonschlinkert/word-wrap#42

New Contributors

- @mohd-akram made their first contribution in jonschlinkert/word-wrap#24
- @OlafConijn made their first contribution in jonschlinkert/word-wrap#41
- @aashutoshrathi made their first contribution in jonschlinkert/word-wrap#33

Full Changelog: https://github.com/jonschlinkert/word-wrap/compare/1.2.3...1.2.4

- f64b188 run verb to generate README
- 03ea082 Merge pull request #42 from jonschlinkert/chore/publish-workflow
- 420dce9 Merge pull request #41 from jonschlinkert/fix/CVE-2023-26115-2
- bfa694e Update .github/workflows/publish.yml
- ace0b3c chore: bump version to 1.2.4
- 6fd7275 chore: add publish workflow
- 30d6daf chore: fix test
- 655929c chore: remove package-lock
- 49e08bb chore: added an additional testcase
- 9f62693 fix: cve 2023-26115

Sourced from protobufjs's releases.

protobufjs: v7.2.4

7.2.4 (2023-06-23)

Bug Fixes

protobufjs: v7.2.3

7.2.3 (2023-03-27)

Bug Fixes

Sourced from protobufjs's changelog.

7.2.4 (2023-06-23)

Bug Fixes

7.2.3 (2023-03-27)

Bug Fixes

Sourced from @apollo/server's releases.

@apollo/server-integration-testsuite@4.7.4

Patch Changes

- #7604 aeb511c7d Thanks @renovate! - Update graphql-http dependency

- 0adaf80d1 Thanks @trevor-scheer! - Address Content Security Policy issues

  The previous implementation of CSP nonces within the landing pages did not take full advantage of the security benefit of using them. Nonces should only be used once per request, whereas Apollo Server was generating one nonce and reusing it for the lifetime of the instance. The reuse of nonces degrades the security benefit of using them but does not pose a security risk on its own. The CSP provides a defense-in-depth measure against a potential XSS, so in the absence of a known XSS vulnerability there is likely no risk to the user.

  The mentioned fix also coincidentally addresses an issue with using crypto functions on startup within Cloudflare Workers. Crypto functions are now called during requests only, which resolves the error that Cloudflare Workers were facing. A recent change introduced a precomputedNonce configuration option to mitigate this issue, but it was an incorrect approach given the nature of CSP nonces. This configuration option is now deprecated and should not be used for any reason since it suffers from the previously mentioned issue of reusing nonces.

  Additionally, this change adds other applicable CSPs for the scripts, styles, images, manifest, and iframes that the landing pages load.

  A final consequence of this change is an extension of the renderLandingPage plugin hook. This hook can now return an object with an html property which returns a Promise<string> in addition to a string (which was the only option before).

- Updated dependencies [0adaf80d1]:
  - @apollo/server@4.7.4

@apollo/server@4.7.4

Patch Changes

- 0adaf80d1 Thanks @trevor-scheer! - Address Content Security Policy issues

  The previous implementation of CSP nonces within the landing pages did not take full advantage of the security benefit of using them. Nonces should only be used once per request, whereas Apollo Server was generating one nonce and reusing it for the lifetime of the instance. The reuse of nonces degrades the security benefit of using them but does not pose a security risk on its own. The CSP provides a defense-in-depth measure against a potential XSS, so in the absence of a known XSS vulnerability there is likely no risk to the user.

  The mentioned fix also coincidentally addresses an issue with using crypto functions on startup within Cloudflare Workers. Crypto functions are now called during requests only, which resolves the error that Cloudflare Workers were facing. A recent change introduced a precomputedNonce configuration option to mitigate this issue, but it was an incorrect approach given the nature of CSP nonces. This configuration option is now deprecated and should not be used for any reason since it suffers from the previously mentioned issue of reusing nonces.

  Additionally, this change adds other applicable CSPs for the scripts, styles, images, manifest, and iframes that the landing pages load.

  A final consequence of this change is an extension of the renderLandingPage plugin hook. This hook can now return an object with an html property which returns a Promise<string> in addition to a string (which was the only option before).

@apollo/server-integration-testsuite@4.7.3

Patch Changes

@apollo/server@4.7.3

Patch Changes

- #7601 75b668d9e Thanks @trevor-scheer! - Provide a new configuration option for landing page plugins precomputedNonce which allows users to provide a nonce and avoid calling into uuid functions on startup. This is useful for Cloudflare Workers where random number generation is not available on startup (only during requests). Unless you are using Cloudflare Workers, you can ignore this change.

  The example below assumes you've provided a PRECOMPUTED_NONCE variable in your wrangler.toml file.

  Example usage:

      const server = new ApolloServer({
        // ...
        plugins: [

... (truncated)

Sourced from @apollo/server's changelog.

4.7.4

Patch Changes

- 0adaf80d1 Thanks @trevor-scheer! - Address Content Security Policy issues

  The previous implementation of CSP nonces within the landing pages did not take full advantage of the security benefit of using them. Nonces should only be used once per request, whereas Apollo Server was generating one nonce and reusing it for the lifetime of the instance. The reuse of nonces degrades the security benefit of using them but does not pose a security risk on its own. The CSP provides a defense-in-depth measure against a potential XSS, so in the absence of a known XSS vulnerability there is likely no risk to the user.

  The mentioned fix also coincidentally addresses an issue with using crypto functions on startup within Cloudflare Workers. Crypto functions are now called during requests only, which resolves the error that Cloudflare Workers were facing. A recent change introduced a precomputedNonce configuration option to mitigate this issue, but it was an incorrect approach given the nature of CSP nonces. This configuration option is now deprecated and should not be used for any reason since it suffers from the previously mentioned issue of reusing nonces.

  Additionally, this change adds other applicable CSPs for the scripts, styles, images, manifest, and iframes that the landing pages load.

  A final consequence of this change is an extension of the renderLandingPage plugin hook. This hook can now return an object with an html property which returns a Promise<string> in addition to a string (which was the only option before).

4.7.3

Patch Changes

- #7601 75b668d9e Thanks @trevor-scheer! - Provide a new configuration option for landing page plugins precomputedNonce which allows users to provide a nonce and avoid calling into uuid functions on startup. This is useful for Cloudflare Workers where random number generation is not available on startup (only during requests). Unless you are using Cloudflare Workers, you can ignore this change.

  The example below assumes you've provided a PRECOMPUTED_NONCE variable in your wrangler.toml file.

  Example usage:

      const server = new ApolloServer({
        // ...
        plugins: [
          ApolloServerPluginLandingPageLocalDefault({
            precomputedNonce: PRECOMPUTED_NONCE,
          }),
        ],
      });

4.7.2

Patch Changes

- #7599 c3f04d050 Thanks @trevor-scheer! - Update @apollo/utils.usagereporting dependency. Previously, installing @apollo/gateway and @apollo/server could result in duplicate / differently versioned installs of @apollo/usage-reporting-protobuf. This is because the @apollo/server-gateway-interface package was updated to use the latest protobuf, but the @apollo/utils.usagereporting package was not. After this change, users should always end up with a single install of the protobuf package when installing both @apollo/server and @apollo/gateway latest versions.

4.7.1

Patch Changes

- #7539 5d3c45be9 Thanks @mayakoneval! - 🐛 Bug Fix for Apollo Server Landing Pages on Safari. A Content Security Policy was added to our landing page html so that Safari can run the inline scripts we use to call the Embedded Sandbox & Explorer.

4.7.0

Minor Changes

... (truncated)

- 4dd276a Version Packages (#7609)
- 0adaf80 Merge pull request from GHSA-68jh-rf6x-836f
- 2f4b034 Version Packages (#7602)
- 75b668d Allow landing page to be configured with a precomputed nonce (fix for CF work...
- 51b79ac Version Packages (#7600)
- c3f04d0 Update @apollo/utils.usagereporting dependency (#7599)
- 0233a2d Update codegen types and enforce keeping types up-to-date (#7580)
- 5ab08c1 Version Packages (#7541)
- 3f7eaed update tests
- 7927a3f Update packages/server/src/tests/plugin/landingPage/getEmbeddedExplorerHT...
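
The @apollo/server 4.7.4 note above says a CSP nonce should be generated once per request rather than once per server instance, which is also why precomputedNonce is deprecated. The sketch below is an added example, not Apollo Server code: it contrasts the two patterns and includes a small audit helper that flags nonce reuse across responses. All function names are hypothetical and the responses are constructed in-process.

```javascript
// Added example; function names are hypothetical and this is not Apollo Server code.
const { randomBytes } = require('node:crypto');

// CSP header value that only allows inline scripts/styles carrying this nonce.
function buildCsp(nonce) {
  return `script-src 'self' 'nonce-${nonce}'; style-src 'nonce-${nonce}'`;
}

// One landing-page response: the same nonce goes in the header and the markup.
function page(nonce) {
  return {
    headers: { 'content-security-policy': buildCsp(nonce) },
    html: `<script nonce="${nonce}">/* landing page bootstrap */</script>`,
  };
}

// Pattern the note calls out: nonce created once, reused for the instance lifetime.
function makeReusedRenderer() {
  const nonce = randomBytes(16).toString('base64');
  return () => page(nonce);
}

// Corrected pattern: the crypto call happens inside each request.
function makePerRequestRenderer() {
  return () => page(randomBytes(16).toString('base64'));
}

// Audit helper: return every nonce that appears in more than one response.
function findReusedNonces(responses) {
  const counts = new Map();
  for (const res of responses) {
    const m = /'nonce-([^']+)'/.exec(res.headers['content-security-policy'] || '');
    if (m) counts.set(m[1], (counts.get(m[1]) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([nonce]) => nonce);
}

// Simulate several requests against one renderer (constructed, offline).
function simulate(makeRenderer, requests = 3) {
  const render = makeRenderer();
  return Array.from({ length: requests }, () => render());
}

console.log('reused renderer, repeated nonces:', findReusedNonces(simulate(makeReusedRenderer)).length);
console.log('per-request renderer, repeated nonces:', findReusedNonces(simulate(makePerRequestRenderer)).length);
```

The same audit can be pointed at captured response headers from a deployed landing page: two responses carrying an identical nonce indicate the instance-lifetime pattern.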