chore: small security fix to update superagent #7649


Merged

mastrzyz (Contributor)

Problem: SuperAgent is a package that is used, but only implicitly installed in node_modules because other packages import it:

[screenshot omitted]

Solution: specify it in the main package.json to avoid surprises in the future.

Problem: "cookiejar" is a dependency used by SuperAgent which currently has a security bulletin:

```
cookiejar  <2.1.4
Severity: moderate
cookiejar Regular Expression Denial of Service via Cookie.parse function - https://github.com/advisories/GHSA-h452-7996-h45h
fix available via `npm audit fix`
node_modules/cookiejar
```

Solution: perform a minor bump of SuperAgent, which has a fix for the cookiejar issue.

Does it all work?

formidable and cookiejar are only used by superagent, so we can just verify the current tests that use superagent.

So let's run every test!

[screenshot omitted]
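The `npm audit` output above flags the installed cookiejar version, but a dependency bump only helps if no copy inside the vulnerable range survives in the lockfile, including nested copies under other packages that `npm audit fix` can leave behind. The script below is an added example written for this page, not code from the PR or from the Apollo Server project: it walks the `packages` map of an npm lockfile and reports every installed copy of a package whose version falls inside an advisory range. The lockfile objects, the superagent version numbers and the `some-other-pkg` package are constructed for illustration.

```javascript
// Added example for this page, not part of the apollo-server PR: report every
// installed copy of a package whose version lies inside a vulnerable range,
// by walking the "packages" map of an npm lockfile (lockfileVersion 2 or 3).

// Advisory range as printed by `npm audit` in the PR description.
const ADVISORIES = [
  { name: 'cookiejar', below: '2.1.4', id: 'GHSA-h452-7996-h45h' },
];

// Minimal semver handling for plain major.minor.patch versions; a prerelease
// suffix such as "-beta.1" is dropped rather than ordered.
function parseVersion(v) {
  return v.split('-')[0].split('.').map((n) => Number(n) || 0);
}

function lessThan(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Lockfile keys are install paths such as
// "node_modules/superagent/node_modules/cookiejar"; the package name is
// whatever follows the last "node_modules/".
function packageNameFromPath(installPath) {
  const marker = 'node_modules/';
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? installPath : installPath.slice(idx + marker.length);
}

function findVulnerable(lockfile, advisories = ADVISORIES) {
  const hits = [];
  for (const [installPath, meta] of Object.entries(lockfile.packages || {})) {
    if (installPath === '') continue; // the root project entry
    const name = packageNameFromPath(installPath);
    for (const adv of advisories) {
      if (name === adv.name && meta.version && lessThan(meta.version, adv.below)) {
        hits.push({ path: installPath, version: meta.version, advisory: adv.id });
      }
    }
  }
  return hits;
}

// Constructed lockfile fragments; the superagent version numbers are
// placeholders, not the real before/after versions of the PR.
const beforeBump = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-monorepo' },
    'node_modules/superagent': { version: '8.0.0', dependencies: { cookiejar: '^2.1.3' } },
    'node_modules/cookiejar': { version: '2.1.3' },
  },
};

const afterBump = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-monorepo' },
    'node_modules/superagent': { version: '8.1.0', dependencies: { cookiejar: '^2.1.4' } },
    'node_modules/cookiejar': { version: '2.1.4' },
  },
};

// The case a bump alone does not fix: the hoisted copy is patched but another
// package (constructed here as "some-other-pkg") still pins a nested old copy.
const nestedOldCopy = {
  lockfileVersion: 3,
  packages: {
    ...afterBump.packages,
    'node_modules/some-other-pkg': { version: '1.0.0', dependencies: { cookiejar: '2.1.2' } },
    'node_modules/some-other-pkg/node_modules/cookiejar': { version: '2.1.2' },
  },
};

function report(label, lockfile) {
  const hits = findVulnerable(lockfile);
  console.log(`${label}: ${hits.length === 0 ? 'clean' : JSON.stringify(hits)}`);
  return hits;
}

report('before bump', beforeBump);
report('after bump', afterBump);
report('after bump, nested copy', nestedOldCopy);
```

To run it against a real tree, replace the constructed objects with the parsed contents of `package-lock.json`; the nested-copy case is the one worth keeping an eye on after `npm audit fix`, since the top-level `npm ls cookiejar` output looks clean while the old copy is still resolvable from the package that pins it.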

@apollo-cla

@mastrzyz: Thank you for submitting a pull request! Before we can merge it, you'll need to sign the Apollo Contributor License Agreement here: https://contribute.apollographql.com/

@netlify bot commented Jul 17, 2023

Deploy request for apollo-server-docs pending review (latest commit b05ef19).

@trevor-scheer force-pushed the mastrzyz/small_security_fix branch from 6dfc093 to b05ef19 on July 21, 2023 00:36

@trevor-scheer (Contributor) left a comment

Thanks for spotting this. I made a couple of tweaks to your branch for the sake of expediency; probably going to cut a release first thing tomorrow.

The main thing is: this should be installed as a dependency to the integration testsuite package specifically rather than the top-level monorepo.

@trevor-scheer trevor-scheer merged commit d33acdf into apollographql:main Jul 21, 2023
@github-actions github-actions bot mentioned this pull request Jul 21, 2023
trevor-scheer pushed a commit that referenced this pull request Jul 21, 2023
This PR was opened by the [Changesets
release](https://github.com/changesets/action) GitHub action. When
you're ready to do a release, you can merge this and the packages will
be published to npm automatically. If you're not ready to do a release
yet, that's fine, whenever you add more changesets to main, this PR will
be updated.


# Releases
## @apollo/[email protected]

### Minor Changes

- [#7634](#7634)
[`f8a8ea08f`](f8a8ea0)
Thanks [@dfperry5](https://github.com/dfperry5)! - Updating the
ApolloServer constructor to take in a stringifyResult function that will
allow a consumer to pass in a function that formats the result of an
http query.

    Usage:

    ```ts
    import { ApolloServer } from '@apollo/server';
    import type { FormattedExecutionResult } from 'graphql';

    // typeDefs and resolvers are the schema the server already serves.
    const server = new ApolloServer({
      typeDefs,
      resolvers,
      // stringifyResult controls how each HTTP response body is serialized;
      // here it pretty-prints the JSON with two-space indentation.
      stringifyResult: (value: FormattedExecutionResult) => {
        return JSON.stringify(value, null, 2);
      },
    });
    ```

## @apollo/[email protected]

### Patch Changes

- [#7649](#7649)
[`d33acdfdd`](d33acdf)
Thanks [@mastrzyz](https://github.com/mastrzyz)! - Add missing
`supertest` dependency

- [#7632](#7632)
[`64f8177ab`](64f8177)
Thanks [@renovate](https://github.com/apps/renovate)! - Update
graphql-http dependency

- Updated dependencies [[`f8a8ea08f`](f8a8ea0)]:
    - @apollo/[email protected]

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@mastrzyz (Contributor, Author)

Thanks @trevor-scheer, there is an ESLint rule we can enable here as a follow-up; I can take a look if that sounds good: https://github.com/import-js/eslint-plugin-import/blob/main/docs/rules/no-extraneous-dependencies.md
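As an added illustration for this page (not the rule's implementation from eslint-plugin-import, and not code from the PR), the script below performs the core check that `import/no-extraneous-dependencies` automates: collect the package names a source file imports and report any that its package.json does not declare in `dependencies`, `devDependencies` or `peerDependencies`. The package.json object and the test-file contents are constructed for the example. A real linter resolves imports through the parser; the regex used here is an approximation and can also match `from` inside strings or comments.

```javascript
// Added example, not code from the PR or from eslint-plugin-import: find
// "phantom" dependencies, i.e. packages a file imports that its package.json
// does not declare, which is the check import/no-extraneous-dependencies
// performs with a real parser.

// Node built-ins that need no package.json entry (short list for the example).
const NODE_BUILTINS = new Set([
  'assert', 'buffer', 'crypto', 'events', 'fs', 'http', 'https', 'os', 'path',
  'stream', 'url', 'util',
]);

// Matches the specifier in `import x from 'y'`, `import 'y'`,
// `export ... from 'y'` and `require('y')`.
const IMPORT_RE = /(?:\bfrom\s*|\bimport\s*|\brequire\s*\(\s*)['"]([^'"]+)['"]/g;

// Reduce a specifier to its package name: 'superagent/lib/node' -> 'superagent',
// '@apollo/server/express4' -> '@apollo/server'; local files and built-ins -> null.
function packageNameOf(specifier) {
  if (specifier.startsWith('.') || specifier.startsWith('/')) return null;
  const bare = specifier.startsWith('node:') ? specifier.slice('node:'.length) : specifier;
  const parts = bare.split('/');
  const name = bare.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
  return NODE_BUILTINS.has(name) ? null : name;
}

function importedPackages(source) {
  const names = new Set();
  for (const match of source.matchAll(IMPORT_RE)) {
    const name = packageNameOf(match[1]);
    if (name) names.add(name);
  }
  return names;
}

// Returns the imported package names missing from every dependency section,
// sorted so the output is stable.
function findPhantomDependencies(pkgJson, source) {
  const declared = new Set([
    ...Object.keys(pkgJson.dependencies || {}),
    ...Object.keys(pkgJson.devDependencies || {}),
    ...Object.keys(pkgJson.peerDependencies || {}),
  ]);
  return [...importedPackages(source)].filter((name) => !declared.has(name)).sort();
}

// Constructed inputs: a package.json that relies on hoisting, and a test file
// that imports supertest and superagent without either being declared.
const samplePackageJson = {
  name: 'integration-testsuite-example',
  devDependencies: { '@apollo/server': '^4.0.0', jest: '^29.0.0' },
};

const sampleTestFile = `
import request from 'supertest';
import { ApolloServer } from '@apollo/server';
import { readFileSync } from 'node:fs';
import './helpers';
const superagent = require('superagent/lib/node');
`;

const phantoms = findPhantomDependencies(samplePackageJson, sampleTestFile);
console.log(phantoms.length === 0
  ? 'no phantom dependencies'
  : `undeclared: ${phantoms.join(', ')}`);
```

The same check applied to each workspace package's own package.json, rather than the monorepo root, catches exactly the situation the review comment above describes: a package that works only because a sibling hoisted the dependency into the shared node_modules.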

@trevor-scheer (Contributor)

@mastrzyz sounds good, go ahead and open a PR. Thanks!
