
fix(deps): update all non-major dependencies #425

Merged 1 commit into master, Nov 1, 2024

Conversation

renovate[bot] (Contributor) commented Nov 1, 2024

This PR contains the following updates:

Package                               Change
@apollo/server                        4.11.0 -> 4.11.2
@lerna/legacy-package-management      8.1.8 -> 8.1.9
@types/node                           20.17.1 -> 20.17.5
@types/passport                       1.0.16 -> 1.0.17
lerna                                 8.1.8 -> 8.1.9

Release Notes

apollographql/apollo-server (@apollo/server)

v4.11.2

Compare Source

(No change; there is a change to the @apollo/server-integration-testsuite used to test integrations, and the two packages always have matching versions.)

v4.11.1

Compare Source

Patch Changes
  • #7952 bb81b2c Thanks @glasser! - Upgrade dependencies so that automated scans don't detect a vulnerability.

    @apollo/server depends on express which depends on cookie. Versions of express older than v4.21.1 depend on a version of cookie vulnerable to CVE-2024-47764. Users of older express versions who call res.cookie() or res.clearCookie() may be vulnerable to this issue.

    However, Apollo Server does not call this function directly, and it does not expose any object to user code that allows TypeScript users to call this function without an unsafe cast.

    The only way that this direct dependency can cause a vulnerability for users of Apollo Server is if you call startStandaloneServer with a context function that calls Express-specific methods such as res.cookie() or res.clearCookies() on the response object, which is a violation of the TypeScript types provided by startStandaloneServer (which only promise that the response object is a core Node.js http.ServerResponse rather than the Express-specific subclass). So this vulnerability can only affect Apollo Server users who use unsafe JavaScript or unsafe as typecasts in TypeScript.

    However, this upgrade will at least prevent vulnerability scanners from alerting you to this dependency, and we encourage all Express users to upgrade their project's own express dependency to v4.21.1 or newer.

lerna/lerna (@lerna/legacy-package-management)

v8.1.9

Compare Source

Bug Fixes

lerna/lerna (lerna)

v8.1.9

Compare Source

Bug Fixes

Configuration

📅 Schedule: Branch creation - "before 5am on Saturday" in timezone Asia/Singapore, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


This PR was generated by Mend Renovate. View the repository job log.
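The Apollo release note above pins the security-relevant threshold to express v4.21.1 and points out that a scanner flags the dependency whether or not res.cookie() is ever reached. The following is an added example, not code from this PR or from any of the packages it updates: it audits an npm lockfile (v2/v3 "packages" map) for every installed copy of express, nested copies included, that is older than that threshold. The lockfile contents are constructed for the demo.

```javascript
// Threshold taken from the release note: express older than 4.21.1 pulls in
// a cookie version affected by CVE-2024-47764.
const MIN_EXPRESS = "4.21.1";

// Parse "MAJOR.MINOR.PATCH[-pre]" into numbers; a pre-release suffix is ignored,
// which is acceptable for a lower-bound check like this one.
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10));
}

// Numeric compare: <0 if a < b, 0 if equal, >0 if a > b. A plain string compare
// would wrongly rank "4.9.0" above "4.21.1".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the lockfile "packages" map. Every key ending in "node_modules/express"
// is an installed express, however deeply it is nested under another package,
// so a hoisted 4.21.1 at the top level does not hide an older nested copy.
// (lockfileVersion 1 files use a different "dependencies" tree and are not handled here.)
function findOutdatedExpress(lock, minVersion = MIN_EXPRESS) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/express")) continue;
    if (compareVersions(meta.version, minVersion) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the hoisted express is already fixed, but a
// middleware package carries its own older copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/express": { version: "4.21.1" },
    "node_modules/some-middleware": { version: "2.0.0" },
    "node_modules/some-middleware/node_modules/express": { version: "4.19.2" },
  },
};

for (const hit of findOutdatedExpress(sampleLock)) {
  console.log(`${hit.path}: express ${hit.version} is older than ${MIN_EXPRESS}`);
}
```

To run it against a real project, replace sampleLock with JSON.parse(fs.readFileSync("package-lock.json")); the same walk also works for a scanner's finding, since it reports the exact install path rather than just the package name.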

@TrejGun TrejGun merged commit 3950c20 into master Nov 1, 2024
1 check passed
@renovate renovate bot deleted the renovate/all-minor-patch branch November 1, 2024 16:37