Sourced from word-wrap's releases.
---1.2.4
-What's Changed
--
-- Remove default indent by
-@mohd-akramin jonschlinkert/word-wrap#24- 🔒fix: CVE 2023 26115 (2) by
-@OlafConijnin jonschlinkert/word-wrap#41- :lock: fix: CVE-2023-26115 by
-@aashutoshrathiin jonschlinkert/word-wrap#33- chore: publish workflow by
-@OlafConijnin jonschlinkert/word-wrap#42New Contributors
--
-- -
@mohd-akrammade their first contribution in jonschlinkert/word-wrap#24- -
@OlafConijnmade their first contribution in jonschlinkert/word-wrap#41- -
@aashutoshrathimade their first contribution in jonschlinkert/word-wrap#33Full Changelog: https://github.com/jonschlinkert/word-wrap/compare/1.2.3...1.2.4
-
f64b188 run verb to generate README03ea082 Merge pull request #42 from jonschlinkert/chore/publish-workflow420dce9 Merge pull request #41 from jonschlinkert/fix/CVE-2023-26115-2bfa694e Update .github/workflows/publish.ymlace0b3c chore: bump version to 1.2.46fd7275 chore: add publish workflow30d6daf chore: fix test655929c chore: remove package-lock49e08bb chore: added an additional testcase9f62693 fix: cve 2023-26115Sourced from protobufjs's releases.
---protobufjs: v7.2.4
-7.2.4 (2023-06-23)
-Bug Fixes
- -protobufjs: v7.2.3
-7.2.3 (2023-03-27)
-Bug Fixes
- -
Sourced from protobufjs's changelog.
---7.2.4 (2023-06-23)
-Bug Fixes
- -7.2.3 (2023-03-27)
-Bug Fixes
- -
Sourced from @apollo/server's releases.
---
@apollo/server-integration-testsuite@4.7.4Patch Changes
--
-- -
-#7604
-aeb511c7dThanks@renovate! - Updategraphql-httpdependency- -
--
0adaf80d1Thanks@trevor-scheer! - Address Content Security Policy issuesThe previous implementation of CSP nonces within the landing pages did not take full advantage of the security benefit of using them. Nonces should only be used once per request, whereas Apollo Server was generating one nonce and reusing it for the lifetime of the instance. The reuse of nonces degrades the security benefit of using them but does not pose a security risk on its own. The CSP provides a defense-in-depth measure against a potential XSS, so in the absence of a known XSS vulnerability there is likely no risk to the user.
-The mentioned fix also coincidentally addresses an issue with using crypto functions on startup within Cloudflare Workers. Crypto functions are now called during requests only, which resolves the error that Cloudflare Workers were facing. A recent change introduced a
-precomputedNonceconfiguration option to mitigate this issue, but it was an incorrect approach given the nature of CSP nonces. This configuration option is now deprecated and should not be used for any reason since it suffers from the previously mentioned issue of reusing nonces.Additionally, this change adds other applicable CSPs for the scripts, styles, images, manifest, and iframes that the landing pages load.
-A final consequence of this change is an extension of the
-renderLandingPageplugin hook. This hook can now return an object with anhtmlproperty which returns aPromise<string>in addition to astring(which was the only option before).- -
-Updated dependencies [
-0adaf80d1]:-
-- -
@apollo/server@4.7.4-
@apollo/server@4.7.4Patch Changes
--
-- -
--
0adaf80d1Thanks@trevor-scheer! - Address Content Security Policy issuesThe previous implementation of CSP nonces within the landing pages did not take full advantage of the security benefit of using them. Nonces should only be used once per request, whereas Apollo Server was generating one nonce and reusing it for the lifetime of the instance. The reuse of nonces degrades the security benefit of using them but does not pose a security risk on its own. The CSP provides a defense-in-depth measure against a potential XSS, so in the absence of a known XSS vulnerability there is likely no risk to the user.
-The mentioned fix also coincidentally addresses an issue with using crypto functions on startup within Cloudflare Workers. Crypto functions are now called during requests only, which resolves the error that Cloudflare Workers were facing. A recent change introduced a
-precomputedNonceconfiguration option to mitigate this issue, but it was an incorrect approach given the nature of CSP nonces. This configuration option is now deprecated and should not be used for any reason since it suffers from the previously mentioned issue of reusing nonces.Additionally, this change adds other applicable CSPs for the scripts, styles, images, manifest, and iframes that the landing pages load.
-A final consequence of this change is an extension of the
-renderLandingPageplugin hook. This hook can now return an object with anhtmlproperty which returns aPromise<string>in addition to astring(which was the only option before).-
@apollo/server-integration-testsuite@4.7.3Patch Changes
- --
@apollo/server@4.7.3Patch Changes
--
- -- -
-#7601
-75b668d9eThanks@trevor-scheer! - Provide a new configuration option for landing page pluginsprecomputedNoncewhich allows users to provide a nonce and avoid calling intouuidfunctions on startup. This is useful for Cloudflare Workers where random number generation is not available on startup (only during requests). Unless you are using Cloudflare Workers, you can ignore this change.The example below assumes you've provided a
-PRECOMPUTED_NONCEvariable in yourwrangler.tomlfile.Example usage:
--const server = new ApolloServer({ - // ... - plugins: [ -
... (truncated)
-Sourced from @apollo/server's changelog.
--4.7.4
-Patch Changes
--
-- -
--
0adaf80d1Thanks@trevor-scheer! - Address Content Security Policy issuesThe previous implementation of CSP nonces within the landing pages did not take full advantage of the security benefit of using them. Nonces should only be used once per request, whereas Apollo Server was generating one nonce and reusing it for the lifetime of the instance. The reuse of nonces degrades the security benefit of using them but does not pose a security risk on its own. The CSP provides a defense-in-depth measure against a potential XSS, so in the absence of a known XSS vulnerability there is likely no risk to the user.
-The mentioned fix also coincidentally addresses an issue with using crypto functions on startup within Cloudflare Workers. Crypto functions are now called during requests only, which resolves the error that Cloudflare Workers were facing. A recent change introduced a
-precomputedNonceconfiguration option to mitigate this issue, but it was an incorrect approach given the nature of CSP nonces. This configuration option is now deprecated and should not be used for any reason since it suffers from the previously mentioned issue of reusing nonces.Additionally, this change adds other applicable CSPs for the scripts, styles, images, manifest, and iframes that the landing pages load.
-A final consequence of this change is an extension of the
-renderLandingPageplugin hook. This hook can now return an object with anhtmlproperty which returns aPromise<string>in addition to astring(which was the only option before).4.7.3
-Patch Changes
--
-- -
-#7601
-75b668d9eThanks@trevor-scheer! - Provide a new configuration option for landing page pluginsprecomputedNoncewhich allows users to provide a nonce and avoid calling intouuidfunctions on startup. This is useful for Cloudflare Workers where random number generation is not available on startup (only during requests). Unless you are using Cloudflare Workers, you can ignore this change.The example below assumes you've provided a
-PRECOMPUTED_NONCEvariable in yourwrangler.tomlfile.Example usage:
--const server = new ApolloServer({ - // ... - plugins: [ - ApolloServerPluginLandingPageLocalDefault({ - precomputedNonce: PRECOMPUTED_NONCE, - }), - ], -}); -4.7.2
-Patch Changes
--
-- #7599
-c3f04d050Thanks@trevor-scheer! - Update@apollo/utils.usagereportingdependency. Previously, installing@apollo/gatewayand@apollo/servercould result in duplicate / differently versioned installs of@apollo/usage-reporting-protobuf. This is because the@apollo/server-gateway-interfacepackage was updated to use the latest protobuf, but the@apollo/utils.usagereportingpackage was not. After this change, users should always end up with a single install of the protobuf package when installing both@apollo/serverand@apollo/gatewaylatest versions.4.7.1
-Patch Changes
--
-- #7539
-5d3c45be9Thanks@mayakoneval! - 🐛 Bug Fix for Apollo Server Landing Pages on Safari. A Content Security Policy was added to our landing page html so that Safari can run the inline scripts we use to call the Embedded Sandbox & Explorer.4.7.0
-Minor Changes
- -
... (truncated)
-4dd276a Version Packages (#7609)0adaf80 Merge pull request from GHSA-68jh-rf6x-836f2f4b034 Version Packages (#7602)75b668d Allow landing page to be configured with a precomputed nonce (fix for CF work...51b79ac Version Packages (#7600)c3f04d0 Update @apollo/utils.usagereporting dependency (#7599)0233a2d Update codegen types and enforce keeping types up-to-date (#7580)5ab08c1 Version Packages (#7541)3f7eaed update tests7927a3f Update packages/server/src/tests/plugin/landingPage/getEmbeddedExplorerHT...