[Snyk] Upgrade @apollo/rover from 0.14.2 to 0.23.0

[WontonSam]

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to upgrade @apollo/rover from 0.14.2 to 0.23.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 23 versions ahead of your current version.

• The recommended version was released on 4 months ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Cross-site Request Forgery (CSRF) SNYK-JS-AXIOS-6032459	676	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-6124857	676	Proof of Concept

Release notes

Package name: @apollo/rover

• 0.23.0 - 2024-03-26
  

  🚀 Features

  • Add --no-url shorthand to subgraph publish - @ lennyburdette PR
    #1809

  This is slightly more convenient and less awkward than --routing-url --allow-invalid-routing-url

  • Support unix socket URLs - @ Geal PR #1879

  Since its 1.43.0 release, the Router can now connect to subgraph over unix sockets. This removes a warning when publishing a schema with a unix:// URL.

  🐛 Fixes

  • Use task specific rayon threadpools and not the global threadpool - @ garypen PR #1872

  This increases rover's reliability by executing independent tasks in different thread pools.

  • Prevent an infinite loop when restarting the router - @ Geal PR #1855

  When restarting a Router on schema updates, it could happen that an internal task of Rover would go in an infinite loop and consume CPU needlessly. This is now fixed and should make rover dev more reliable.

  • Use proposalCoverage in addition to severityLevel to build correct proposal check messaging - @ swcollard PR #1845

  This updates the message on proposal checks depending on the proposalCoverage field

  🛠 Maintenance

  • Upgrade axios to address a security warning - @ goto-bus-stop PR #1819

  The vulnerability didn't affect rover, but now you won't get a warning for it!

  • Remove yanked online check - @ dylan-apollo PR #1803

  📚 Documentation

  • Update dev docs about which Router version is used - @ smyrick PR #1822

  • Update warning about federation_version in rover compose - @ smyrick, @ Meschreiber PR #1806

  • Document how to use subgraph fetch with proposals - @ Meschreiber PR #1823

• 0.23.0-rc.3 - 2024-02-20
  

  To install this specific version of Rover:

  # Note the `v` prefixing the version number
  curl -sSL https://rover.apollo.dev/nix/v0.23.0-rc.3 | sh
  

  ---

  This release was automatically created by CircleCI.

  If you would like to verify that the binary you have downloaded was built from the source code in this repository, you can compute a checksum of the zipped tarball and compare it to the checksums that are included as release artifacts.

  Binaries built for MacOS are signed, notarized, and automatically verified with Gatekeeper.

• 0.23.0-rc.2 - 2024-02-16
  

  To install this specific version of Rover:

  # Note the `v` prefixing the version number
  curl -sSL https://rover.apollo.dev/nix/v0.23.0-rc.2 | sh
  

  ---

  This release was automatically created by CircleCI.

  If you would like to verify that the binary you have downloaded was built from the source code in this repository, you can compute a checksum of the zipped tarball and compare it to the checksums that are included as release artifacts.

  Binaries built for MacOS are signed, notarized, and automatically verified with Gatekeeper.

• 0.23.0-rc.1 - 2024-01-26
  

  To install this specific version of Rover:

  # Note the `v` prefixing the version number
  curl -sSL https://rover.apollo.dev/nix/v0.23.0-rc.1 | sh
  

  ---

  This release was automatically created by CircleCI.

  If you would like to verify that the binary you have downloaded was built from the source code in this repository, you can compute a checksum of the zipped tarball and compare it to the checksums that are included as release artifacts.

  Binaries built for MacOS are signed, notarized, and automatically verified with Gatekeeper.

• 0.23.0-rc.0 - 2024-01-18
  

  To install this specific version of Rover:

  # Note the `v` prefixing the version number
  curl -sSL https://rover.apollo.dev/nix/v0.23.0-rc.0 | sh
  

  ---

  This release was automatically created by CircleCI.

  If you would like to verify that the binary you have downloaded was built from the source code in this repository, you can compute a checksum of the zipped tarball and compare it to the checksums that are included as release artifacts.

  Binaries built for MacOS are signed, notarized, and automatically verified with Gatekeeper.

• 0.22.0 - 2023-12-14
  

  🚀 Features

  • Add offline license support - @ BrynCooke PR #1796 - Issue #1793

    Adds rover license fetch <graph_ref>

    Output:

    rover license fetch --graph-id starstuff --profile gh

    Fetching license for starstuff using credentials from the gh profile.
Success!
<redacted jwt>


  🐛 Fixes

  • Handle new rate limit error - @ bnjjj #1798

    Update the GraphQL schema and handle the new rate limit error.

  🛠 Maintenance

  • First trial use of a generator (Scaffolding code for creating a new verb for an existing noun/command) - @ tapegram PR #1786

    First try at taking the instructions from the readme on how to scaffold a new verb on an existing command and added plop tooling to be able to generate the scaffolding automatically.

    npx plop

    This is an initial exploratory PR. Later PRs will build this into the dev tooling and expand on the functionality (if we don't decide to remove it)

  📚 Documentation

  • Move Validating client ops to Apollo CLI section - @ Meschreiber #1783

    This PR moves Validating client operations into the Rover > Apollo CLI section.

  • Use shared content component for GH action instructions - @ Meschreiber #1780

    This PR replaces some text with a new shared content component containing that text.

  • Remove note on restricted supergraph.yml expansion - @ dylan-apollo #1779 - issue #1629

    supergraph.yaml files now supports environment variable expansion everywhere, not just in introspection headers.

  ---

  This release was automatically created by CircleCI.

  If you would like to verify that the binary you have downloaded was built from the source code in this repository, you can compute a checksum of the zipped tarball and compare it to the checksums that are included as release artifacts.

  Binaries built for MacOS are signed, notarized, and automatically verified with Gatekeeper.

• 0.21.0 - 2023-10-23
  

  🚀 Features

  • Add C# as a language in rover template - @ dylan-apollo, #1769

    This means you can now filter templates with --language c-sharp. Check out the first C# template by running rover template use subgraph-csharp-hotchocolate-annotation!

  • Display proposal check task results in rover subgraph check - @ swcollard, #1768

    When running rover subgraph check, proposal check task results will be displayed in Rover. "Proposals" are a GraphOS feature currently in private preview that allow proposing subgraph schema changes before implementation. Integrating them with checks allows subgraph teams to ensure they have properly implemented a proposed schema change. This change will not affect you if your organization has not been granted preview access by Apollo.

  ---

  This release was automatically created by CircleCI.

  If you would like to verify that the binary you have downloaded was built from the source code in this repository, you can compute a checksum of the zipped tarball and compare it to the checksums that are included as release artifacts.

  Binaries built for MacOS are signed, notarized, and automatically verified with Gatekeeper.

• 0.20.0 - 2023-10-05
  

  🚀 Features

  • Persisted Queries is now GA - @ glasser, #1756

    The rover persisted-queries publish command is now out of the public preview phase and has entered general availability. Check out the documentation for this enterprise feature.

  🐛 Fixes

  • Better message for a subgraph published with no changes - @ bonnici, #1757

    rover subgraph publish now logs a message to stdout when a subgraph was published and there were no changes to the schema.

  • Don't log username/password if APOLLO_ROVER_DOWNLOAD_HOST includes authentication in the URL - @ EverlastingBugstopper, #1758

    Previously, when using the APOLLO_ROVER_DOWNLOAD_HOST environment variable to override the download location of a plugin binary, Rover would log the entire URL to stdout, potentially leaking username and password authentication details if they were included in the URL. Now, Rover strips that information from the URLs before printing the download location. If Rover is not able to strip that information (likely due to an invalid URL), then it doesn't try to print the sanitized URL at all.

  📚 Documentation

  • Improve wording of persisted queries documentation - @ Meschreiber, #1760

  ---

  This release was automatically created by CircleCI.

  If you would like to verify that the binary you have downloaded was built from the source code in this repository, you can compute a checksum of the zipped tarball and compare it to the checksums that are included as release artifacts.

  Binaries built for MacOS are signed, notarized, and automatically verified with Gatekeeper.

• 0.19.1 - 2023-09-22
  

  🐛 Fixes

  • Fix diagnostic highlighting in rover {sub}graph lint for schemas with Unicode - @ goto-bus-stop, #1750

    Previously, Rover would incorrectly highlight GraphQL syntax in a schema that contained Unicode characters due to the byte offsets reported by Apollo GraphOS. Now, Rover correctly maps byte offsets to character widths and highlights the correct portion of the GraphQL syntax.

  🛠 Maintenance

  • Updates to Rust 1.72.1 - @ EverlastingBugstopper, #1751

  ---

  This release was automatically created by CircleCI.

  If you would like to verify that the binary you have downloaded was built from the source code in this repository, you can compute a checksum of the zipped tarball and compare it to the checksums that are included as release artifacts.

  Binaries built for MacOS are signed, notarized, and automatically verified with Gatekeeper.

• 0.19.0 - 2023-09-19
  

  🚀 Features

  • Publish persisted queries generated by the Relay compiler - @ EverlastingBugstopper, #1727

    The rover persisted-queries publish command now accepts the --manifest-format relay argument which allows publishing persisted queries generated by the Relay compiler to Apollo GraphOS. See the documentation for more information on this feature.

  • Make checks more resilient by retrying failures - @ swcollard, #1740

    Rover will now retry requests for the status of a check workflow. If the retries don't succeed after five minutes, the requests fail, and any intermittent errors are logged.

  🐛 Fixes

  • No output styling when writing to a file or redirecting output via a pipe - @ EverlastingBugstopper, #1747

  🛠 Maintenance

  • Don't issue HEAD request to determine latest versions when the exact version is known - @ EverlastingBugstopper, #1743 and #1744

    This change should make it easier to integrate Rover with custom binary mirrors as they do not need to be configured to return an X-Version header when responding to installation requests.

  • Move introspector-gadget crate code back into Rover - @ EverlastingBugstopper, #1736

  📚 Documentation

  • Include the list of available templates in Rover's documentation - @ smyrick, #1733

  ---

  This release was automatically created by CircleCI.

  If you would like to verify that the binary you have downloaded was built from the source code in this repository, you can compute a checksum of the zipped tarball and compare it to the checksums that are included as release artifacts.

  Binaries built for MacOS are signed, notarized, and automatically verified with Gatekeeper.

• 0.18.1 - 2023-08-23
• 0.18.0 - 2023-08-10
• 0.17.3 - 2023-08-02
• 0.17.2 - 2023-07-18
• 0.17.1 - 2023-07-14
• 0.16.2 - 2023-06-28
• 0.16.1 - 2023-06-27
• 0.16.0 - 2023-06-15
• 0.16.0-alpha.1 - 2023-06-15
• 0.16.0-alpha.0 - 2023-06-14
• 0.15.0 - 2023-06-14
• 0.15.0-alpha.1 - 2023-05-31
• 0.15.0-alpha.0 - 2023-05-25
• 0.14.2 - 2023-05-31

from @apollo/rover GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud