Skip to content

fix(deps): update all major dependencies (major)#74

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/major-all-major-dependencies
Open

fix(deps): update all major dependencies (major)#74
renovate[bot] wants to merge 1 commit intomainfrom
renovate/major-all-major-dependencies

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Jan 8, 2024
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence Type Update
@apollo/server (source) 4.10.05.5.0 age confidence dependencies major
@as-integrations/fastify (source) 2.1.13.1.0 age confidence dependencies major
@fastify/static 6.12.09.0.0 age confidence dependencies major
@jest/globals (source) 29.7.030.3.0 age confidence devDependencies major
@jest/types (source) 29.6.330.3.0 age confidence devDependencies major
@mikro-orm/cli (source) 5.9.87.0.8 age confidence devDependencies major
@mikro-orm/core (source) 5.9.87.0.8 age confidence dependencies major
@mikro-orm/migrations (source) 5.9.87.0.8 age confidence dependencies major
@mikro-orm/nestjs 5.2.37.0.1 age confidence dependencies major
@mikro-orm/postgresql (source) 5.9.87.0.8 age confidence dependencies major
@nestjs/apollo 12.1.013.2.4 age confidence dependencies major
@nestjs/common (source) 10.3.311.1.18 age confidence dependencies major
@nestjs/core (source) 10.3.311.1.18 age confidence dependencies major
@nestjs/cqrs 10.2.711.0.3 age confidence dependencies major
@nestjs/graphql 12.1.113.2.4 age confidence dependencies major
@nestjs/microservices (source) 10.3.311.1.18 age confidence dependencies major
@nestjs/platform-fastify (source) 10.3.311.1.18 age confidence dependencies major
@nestjs/swagger 7.3.011.2.6 age confidence dependencies major
@types/node (source) 20.11.2424.12.2 age confidence devDependencies major
@typescript-eslint/eslint-plugin (source) 6.21.08.58.0 age confidence devDependencies major
@typescript-eslint/parser (source) 6.21.08.58.0 age confidence devDependencies major
actions/checkout v4v6 age confidence action major
actions/setup-node v4v6 age confidence action major
codecov/codecov-action v3v6 age confidence action major
docker/build-push-action v5v7 age confidence action major
docker/login-action v3v4 age confidence action major
docker/metadata-action v5v6 age confidence action major
docker/setup-buildx-action v3v4 age confidence action major
dotenv 16.4.517.4.0 age confidence dependencies major
eslint (source) 8.57.010.2.0 age confidence devDependencies major
eslint-import-resolver-typescript 3.6.14.4.4 age confidence devDependencies major
eslint-plugin-jest 27.9.029.15.1 age confidence devDependencies major
husky 8.0.39.1.7 age confidence devDependencies major
jest (source) 29.7.030.3.0 age confidence devDependencies major
lint-staged 15.2.216.4.0 age confidence devDependencies major
pnpm/action-setup v2.4.0v5.0.0 age confidence action major
rimraf 5.0.56.1.3 age confidence devDependencies major
turbo (source) 1.12.42.9.3 age confidence devDependencies major
typescript (source) 5.3.36.0.2 age confidence devDependencies major

Release Notes

apollographql/apollo-server (@​apollo/server)

v5.5.0

Compare Source

Minor Changes

  • #​8191 ada1200 Thanks @​glasser! - ⚠️ SECURITY @apollo/server/standalone:

    Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

    (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

    This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

    If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

    This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

    See advisory GHSA-9q82-xgwf-vj6h for more details.

v5.4.0

Compare Source

Minor Changes

  • d25a5bd Thanks @​phryneas! - ⚠️ SECURITY @apollo/server/standalone:

    The default configuration of startStandaloneServer was vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings.

    In accordance with RFC 7159, we now only accept request bodies encoded in UTF-8, UTF-16 (LE or BE), or UTF-32 (LE or BE).
    Any other character set will be rejected with a 415 Unsupported Media Type error.
    Note that the more recent JSON RFC, RFC 8259, is more strict and will only allow UTF-8.
    Since this is a minor release, we have chosen to remain compatible with the more permissive RFC 7159 for now.
    In a future major release, we may tighten this restriction further to only allow UTF-8.

    If you were not using startStandaloneServer, you were not affected by this vulnerability.

    Generally, please note that we provide startStandaloneServer as a convenience tool for quickly getting started with Apollo Server.
    For production deployments, we recommend using Apollo Server with a more fully-featured web server framework such as Express, Koa, or Fastify, where you have more control over security-related configuration options.

v5.3.0

Compare Source

Minor Changes

  • #​8062 8e54e58 Thanks @​cristunaranjo! - Allow configuration of graphql execution options (maxCoercionErrors)

    const server = new ApolloServer({
  typeDefs,
  resolvers,
  executionOptions: {
    maxCoercionErrors: 50,
  },
});

  • #​8014 26320bc Thanks @​mo4islona! - Expose graphql validation options.

    const server = new ApolloServer({
  typeDefs,
  resolvers,
  validationOptions: {
    maxErrors: 10,
  },
});

v5.2.0

Compare Source

Minor Changes

  • #​8161 51acbeb Thanks @​jerelmiller! - Fix an issue where some bundlers would fail to build because of the dynamic import for the optional peer dependency on @yaacovcr/transform introduced in @apollo/server 5.1.0. To provide support for the legacy incremental format, you must now provide the legacyExperimentalExecuteIncrementally option to the ApolloServer constructor.

    import { legacyExecuteIncrementally } from '@​yaacovcr/transform';

const server = new ApolloServer({
  // ...
  legacyExperimentalExecuteIncrementally: legacyExecuteIncrementally,
});

    If the legacyExperimentalExecuteIncrementally option is not provided and the client sends an Accept header with a value of multipart/mixed; deferSpec=20220824, an error is returned by the server.

v5.1.0

Compare Source

Minor Changes

  • #​8148 80a1a1a Thanks @​jerelmiller! - Apollo Server now supports the incremental delivery protocol (@defer and @stream) that ships with graphql@17.0.0-alpha.9. To use the current protocol, clients must send the Accept header with a value of multipart/mixed; incrementalSpec=v0.2.

    Upgrading to 5.1 will depend on what version of graphql you have installed and whether you already support the incremental delivery protocol.

v5.0.0

Compare Source

BREAKING CHANGES

Apollo Server v5 has very few breaking API changes. It is a small upgrade focused largely on adjusting which versions of Node.js and Express are supported.

Read our migration guide for more details on how to update your app.

  • Dropped support for Node.js v14, v16, and v18, which are no longer under long-term support from the Node.js Foundation. Apollo Server 5 supports Node.js v20 and later; v24 is recommended. Ensure you are on a non-EOL version of Node.js before upgrading Apollo Server.
  • Dropped support for versions of the graphql library older than v16.11.0. (Apollo Server 4 supports graphql v16.6.0 or later.) Upgrade graphql before upgrading Apollo Server.
  • Express integration requires a separate package. In Apollo Server 4, you could import the Express 4 middleware from @apollo/server/express4, or you could import it from the separate package @as-integrations/express4. In Apollo Server 5, you must import it from the separate package. You can migrate your server to the new package before upgrading to Apollo Server 5. (You can also use @as-integrations/express5 for a middleware that works with Express 5.)
  • Usage Reporting, Schema Reporting, and Subscription Callback plugins now use the Node.js built-in fetch implementation for HTTP requests by default, instead of the node-fetch npm package. If your server uses an HTTP proxy to make HTTP requests, you need to configure it in a slightly different way. See the migration guide for details.
  • The server started with startStandaloneServer no longer uses Express. This is mostly invisible, but it does set slightly fewer headers. If you rely on the fact that this server is based on Express, you should explicitly use the Express middleware.
  • The experimental support for incremental delivery directives @defer and @stream (which requires using a pre-release version of graphql v17) now explicitly only works with version 17.0.0-alpha.2 of graphql. Note that this supports the same incremental delivery protocol implemented by Apollo Server 4, which is not the same protocol in the latest alpha version of graphql. As this support is experimental, we may switch over from "only alpha.2 is supported" to "only a newer alpha or final release is supported, with a different protocol" during the lifetime of Apollo Server 5.
  • Apollo Server is now compiled by the TypeScript compiler targeting the ES2023 standard rather than the ES2020 standard.
  • Apollo Server 5 responds to requests with variable coercion errors (eg, if a number is passed in the variables map for a variable declared in the operation as a String) with a 400 status code, indicating a client error. This is also the behavior of Apollo Server 3. Apollo Server 4 mistakenly responds to these requests with a 200 status code by default; we recommended the use of the status400ForVariableCoercionErrors: true option to restore the intended behavior. That option now defaults to true.
  • The unsafe precomputedNonce option to landing page plugins (which was only non-deprecated for 8 days) has been removed.
Patch Changes

There are a few other small changes in v5:

  • #​8076 5b26558 Thanks @​valters! - Fix some error logs to properly call logger.error or logger.warn with this set. This fixes errors or crashes from logger implementations that expect this to be set properly in their methods.

  • #​7515 100233a Thanks @​trevor-scheer! - ApolloServerPluginSubscriptionCallback now takes a fetcher argument, like the usage and schema reporting plugins. The default value is Node's built-in fetch.

  • Updated dependencies [100233a]:

v4.13.0

Compare Source

Minor Changes

  • #​8180 e9d49d1 Thanks @​github-actions! - ⚠️ SECURITY @apollo/server/standalone:

    The default configuration of startStandaloneServer was vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings.

    In accordance with RFC 7159, we now only accept request bodies encoded in UTF-8, UTF-16 (LE or BE), or UTF-32 (LE or BE).
    Any other character set will be rejected with a 415 Unsupported Media Type error.
    Additionally, upstream libraries used by this version of Apollo Server may not support all of these encodings, so some requests may still fail even if they pass this check.

    If you were not using startStandaloneServer, you were not affected by this vulnerability.

    Generally, please note that we provide startStandaloneServer as a convenience tool for quickly getting started with Apollo Server.
    For production deployments, we recommend using Apollo Server with a more fully-featured web server framework such as Express, Koa, or Fastify, where you have more control over security-related configuration options.

    Also please note that Apollo Server 4.x is considered EOL as of January 26, 2026, and Apollo no longer commits to providing support or updates for it. Please prioritize migrating to Apollo Server 5.x for continued support and updates.

v4.12.2

Compare Source

(No change; there is a change to the @apollo/server-integration-testsuite used to test integrations, and the two packages always have matching versions.)

v4.12.1

Compare Source

Patch Changes

v4.12.0

Compare Source

Minor Changes
  • #​8054 89e3f84 Thanks @​clenfest! - Adds a new graphql-js validation rule to reject operations that recursively request selections above a specified maximum, which is disabled by default. Use configuration option maxRecursiveSelections=true to enable with a maximum of 10,000,000, or maxRecursiveSelections=<number> for a custom maximum. Enabling this validation can help avoid performance issues with configured validation rules or plugins.
Patch Changes

v4.11.3

Compare Source

Patch Changes

v4.11.2

Compare Source

(No change; there is a change to the @apollo/server-integration-testsuite used to test integrations, and the two packages always have matching versions.)

v4.11.1

Compare Source

Patch Changes

  • #​7952 bb81b2c Thanks @​glasser! - Upgrade dependencies so that automated scans don't detect a vulnerability.

    @apollo/server depends on express which depends on cookie. Versions of express older than v4.21.1 depend on a version of cookie vulnerable to CVE-2024-47764. Users of older express versions who call res.cookie() or res.clearCookie() may be vulnerable to this issue.

    However, Apollo Server does not call this function directly, and it does not expose any object to user code that allows TypeScript users to call this function without an unsafe cast.

    The only way that this direct dependency can cause a vulnerability for users of Apollo Server is if you call startStandaloneServer with a context function that calls Express-specific methods such as res.cookie() or res.clearCookies() on the response object, which is a violation of the TypeScript types provided by startStandaloneServer (which only promise that the response object is a core Node.js http.ServerResponse rather than the Express-specific subclass). So this vulnerability can only affect Apollo Server users who use unsafe JavaScript or unsafe as typecasts in TypeScript.

    However, this upgrade will at least prevent vulnerability scanners from alerting you to this dependency, and we encourage all Express users to upgrade their project's own express dependency to v4.21.1 or newer.

v4.11.0

Compare Source

Minor Changes

  • #​7916 4686454 Thanks @​andrewmcgivery! - Add hideSchemaDetailsFromClientErrors option to ApolloServer to allow hiding 'did you mean' suggestions from validation errors.

    Even with introspection disabled, it is possible to "fuzzy test" a graph manually or with automated tools to try to determine the shape of your schema. This is accomplished by taking advantage of the default behavior where a misspelt field in an operation
    will be met with a validation error that includes a helpful "did you mean" as part of the error text.

    For example, with this option set to true, an error would read Cannot query field "help" on type "Query". whereas with this option set to false it would read Cannot query field "help" on type "Query". Did you mean "hello"?.

    We recommend enabling this option in production to avoid leaking information about your schema to malicious actors.

    To enable, set this option to true in your ApolloServer options:

    const server = new ApolloServer({
  typeDefs,
  resolvers,
  hideSchemaDetailsFromClientErrors: true,
});

v4.10.5

Compare Source

Patch Changes

v4.10.4

Compare Source

Patch Changes
  • #​7871 18a3827 Thanks @​tninesling! - Subscription heartbeats are initialized prior to awaiting subscribe(). This allows long-running setup to happen in the returned Promise without the subscription being terminated prior to resolution.

v4.10.3

Compare Source

Patch Changes
  • #​7866 5f335a5 Thanks @​tninesling! - Catch errors thrown by subscription generators, and gracefully clean up the subscription instead of crashing.

v4.10.2

Compare Source

Patch Changes
  • #​7849 c7e514c Thanks @​TylerBloom! - In the subscription callback server plugin, terminating a subscription now immediately closes the internal async generator. This avoids that generator existing after termination and until the next message is received.

v4.10.1

Compare Source

Patch Changes
  • #​7843 72f568e Thanks @​bscherlein! - Improves timing of the willResolveField end hook on fields which return Promises resolving to Arrays. This makes the use of the setCacheHint method more reliable.
apollo-server-integrations/apollo-server-integration-fastify (@​as-integrations/fastify)

v3.1.0

Compare Source

Changes

v3.0.0

Compare Source

-- BREAKING: Requires Node >= 20
-- BREAKING: Requires Typescript >= 5.4
-- FEATURE: Update to support fastify v5 #​302

fastify/fastify-static (@​fastify/static)

v9.0.0

Compare Source

What's Changed

Full Changelog: fastify/fastify-static@v8.3.0...v9.0.0

v8.3.0

Compare Source

What's Changed

New Contributors

Full Changelog: fastify/fastify-static@v8.2.0...v8.3.0

v8.2.0

Compare Source

What's Changed

New Contributors

Full Changelog: fastify/fastify-static@v8.1.1...v8.2.0

v8.1.1

Compare Source

What's Changed

New Contributors

Full Changelog: fastify/fastify-static@v8.1.0...v8.1.1

v8.1.0

Compare Source

What's Changed

New Contributors

Full Changelog: fastify/fastify-static@v8.0.4...v8.1.0

v8.0.4

Compare Source

What's Changed

New Contributors

Full Changelog: fastify/fastify-static@v8.0.3...v8.0.4

v8.0.3

Compare Source

What's Changed

New Contributors

Full Changelog: fastify/fastify-static@v8.0.2...v8.0.3

v8.0.2

Compare Source

What's Changed

Full Changelog: fastify/fastify-static@v8.0.1...v8.0.2

v8.0.1

Compare Source

What's Changed

Full Changelog: <https://github.com/fastify/fastify-static

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from adrianmjim as a code owner January 8, 2024 09:48
@renovate renovate bot force-pushed the renovate/major-all-major-dependencies branch 3 times, most recently from 92cc168 to 132f1f3 Compare January 15, 2024 08:27
@renovate renovate bot force-pushed the renovate/major-all-major-dependencies branch 2 times, most recently from 168e9fa to d84e471 Compare January 25, 2024 04:53
@renovate renovate bot changed the title chore(deps): update all major dependencies to v6 (major) chore(deps): update all major dependencies (major) Jan 25, 2024
@renovate renovate bot force-pushed the renovate/major-all-major-dependencies branch 8 times, most recently from 68316ef to ce0d625 Compare January 31, 2024 18:23
@renovate renovate bot force-pushed the renovate/major-all-major-dependencies branch from ce0d625 to 10dc814 Compare February 1, 2024 17:22
@renovate renovate bot changed the title chore(deps): update all major dependencies (major) fix(deps): update all major dependencies (major) Feb 1, 2024
@renovate renovate bot force-pushed the renovate/major-all-major-dependencies branch 5 times, most recently from 8acca9c to 1cdda7f Compare February 11, 2024 19:16
@renovate renovate bot force-pushed the renovate/major-all-major-dependencies branch 5 times, most recently from a01f85d to 68d568a Compare February 19, 2024 18:16
@renovate renovate bot force-pushed the renovate/major-all-major-dependencies branch from 68d568a to 4642f27 Compare February 22, 2024 00:24
@renovate renovate bot force-pushed the renovate/major-all-major-dependencies branch 3 times, most recently from 230aadf to 6f7f3a8 Compare March 25, 2024 22:26
@renovate renovate bot force-pushed the renovate/major-all-major-dependencies branch 3 times, most recently from 3b91183 to 954845b Compare April 4, 2024 03:59
@renovate renovate bot force-pushed the renovate/major-all-major-dependencies branch 6 times, most recently from e8f44c0 to ebcbd4b Compare April 9, 2024 22:52
@renovate renovate bot force-pushed the renovate/major-all-major-dependencies branch 2 times, most recently from deaa1af to 1118039 Compare April 15, 2024 19:33
@renovate renovate bot force-pushed the renovate/major-all-major-dependencies branch 4 times, most recently from 0e55cf9 to b7d1f0e Compare April 24, 2024 22:07
@renovate renovate bot force-pushed the renovate/major-all-major-dependencies branch 5 times, most recently from 9c8677d to 590f0cb Compare May 3, 2024 22:51
@renovate renovate bot force-pushed the renovate/major-all-major-dependencies branch 3 times, most recently from 6c6a975 to 61ce584 Compare May 7, 2024 17:43
@renovate renovate bot force-pushed the renovate/major-all-major-dependencies branch 3 times, most recently from 664b85d to 4e78fdd Compare May 17, 2024 21:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adrianmjim adrianmjim Awaiting requested review from adrianmjim adrianmjim is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

breaking dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants