[Snyk] Upgrade: , execa, make-fetch-happen #507
Snyk has created this PR to upgrade multiple dependencies.
👯♂ The following dependencies are linked and will therefore be updated together.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
@apollo/rover | from 0.14.2 to 0.26.0 | 29 versions ahead of your current version | 22 days ago, on 2024-08-21
execa | from 5.1.1 to 9.3.1 | 15 versions ahead of your current version | ⚠️ This is a major version upgrade, and may be a breaking change | a month ago, on 2024-08-14
make-fetch-happen | from 11.1.1 to 13.0.1 | 3 versions ahead of your current version | ⚠️ This is a major version upgrade, and may be a breaking change | 4 months ago, on 2024-04-30
Issues fixed by the recommended upgrade:
SNYK-JS-AXIOS-6032459
SNYK-JS-AXIOS-6124857
Release notes
Package name: @apollo/rover
❗ BREAKING ❗
The --client-timeout flag now represents the period over which we allow retries - @aaronArinder PR #2019
The documentation for this flag indicated that this was the period over which Rover would retry a command if there were retryable HTTP errors. However, this was not the case due to complexities in how the client was instantiated. This has now been corrected, so the documented behaviour matches the actual behaviour.
🚀 Features
Make rover operate asynchronously - @aaronArinder @Geal PR #2035
Removes the use of the reqwest blocking client allowing rover to operate using an asynchronous tokio runtime. This will bring performance improvements, particularly where working with large sets of subgraphs.
Add --graph-ref to supergraph compose - @jonathanrainer PR #2001
Adds the same capabilities to supergraph compose as were added to rover dev in 0.25.0. You can now specify an existing Studio graphref and the command will run composition over the subgraphs specified in the graphref, as well as any overrides specified in a given supergraph config.
Add new rover cloud command - @loshz PR #2008
Adds a new command to allow you to push or pull the Router config to a Cloud Router that is running in Studio
Add new rover cloud config validate subcommand - @loshz PR #2055
Adds a new command enabling you to validate the Router config for a Cloud Router
🐛 Fixes
Don't run IsFederatedGraph before running SubgraphFetchQuery - @glasser PR #2004
Previously we were checking IsFederatedGraph before running SubgraphFetch, but the same check is actually performed in SubgraphFetch anyway so the first call to IsFederatedSubgraph is unnecessary.
Allow --graph-ref to support contract variants - @jonathanrainer PR #2036
There was a bug where using the graphref of a contract variant would cause an error about non-federated graphs. This has been resolved and now contract variant graphrefs can also be used.
Remove last reference to blocking reqwest client - @loshz PR #2050
One reference to the blocking reqwest client had been leftover from the move to async operation in #2035, this was removed.
Ensure NPM installer on Windows works correctly - @jonathanrainer PR #2059
The NPM installer on Windows had been broken because it was attempting to rename a binary from rover to its correct name, rather than from rover.exe to its correct name. This has been corrected and extra CI and unit tests added to prevent a recurrence.
Make sure a message is returned to the user when cloud config is updated correctly - @loshz PR #2063
Fix a regression in rover dev where it would no longer watch subgraphs correctly - @jonathanrainer PR #2065
🛠 Maintenance
Integrate the Smoke Tests Into Integration Test Framework To Allow Easier Extension - @jonathanrainer PR #1999
Add nicer names to GitHub actions workflow - @jonathanrainer PR #2002
Add test for subgraph introspect - @jonathanrainer PR #2003
Update node.js packages - @jonathanrainer PR #2006
Includes eslint to v9.8.0 and node to v20.16.0
Update Rust to v1.80.0 - @jonathanrainer PR #2007
Fix up CODEOWNERS to bring us inline with standard - @jonathanrainer PR #2016
Add E2E test for supergraph compose - @aaronArinder PR #2005
Add E2E test for subgraph fetch - @jonathanrainer PR #2015
Update Rust crates - @aaronArinder PR #2011
Includes apollo-parser to v0.8 and octocrab to v0.39.0
Update apollographql/router to v1.52.0 - @aaronArinder PR #2010
Add E2E test for supergraph compose - @aaronArinder PR #2005
Rename a test and add a #[once] macro to a fixture - @aaronArinder PR #2017
Add E2E tests for graph introspect - @jonathanrainer PR #2020
Add missing inherit for secrets - @jonathanrainer PR #2021
Add E2E tests for whoami - @jonathanrainer PR #2022
Update rstest to v0.22.0 - @jonathanrainer PR #2030
Add E2E tests for config clear - @aaronArinder PR #2029
Add E2E tests for subgraph lint - @aaronArinder PR #2023
Add E2E tests for subgraph publish - @jonathanrainer PR #2031
Add E2E tests for graph fetch - @aaronArinder PR #2026
Add E2E tests for supergraph fetch - @aaronArinder PR #2024
Add E2E tests for subgraph list - @aaronArinder PR #2027
Add E2E tests for graph check and subgraph check - @aaronArinder PR #2025
Add E2E tests for install plugin - @aaronArinder PR #2028
Make E2E tests account for changes in #2019 - @jonathanrainer PR #2032
Deprecate the use of Emoji - @loshz PR #2034
Let E2E tests message Slack if there are nightly failures - @jonathanrainer PR #2033
Tighten up Slack Messaging for E2E tests - @jonathanrainer PR #2039
Update axios-mock-adapter to v2.0.0 - @jonathanrainer PR #2043
Update derive-getters to v0.5.0 - @jonathanrainer PR #2042
Update eslint to v9.9.0 - @jonathanrainer PR #2041
Update Rust to v1.80.1 - @jonathanrainer PR #2040
Update axios to v1.7.4 - @jonathanrainer PR #2048
Update CODEOWNERS - @aaronArinder PR #2052
Update termimad to v0.30.0 - @jonathanrainer PR #2054
Add step to fail workflow if matrix branch fails - @jonathanrainer PR #2044
Increase test coverage for operations/cloud/config - @loshz PR #2057
Update gh CircleCI Orb to v2.4.0 - @jonathanrainer PR #2062
Update mockito to v1.5.0 - @jonathanrainer PR #2061
Update dircpy to v0.3.19 - @jonathanrainer PR #2060
📚 Documentation
--graph-ref to supergraph compose docs - @jackonawalk PR #2037
This release was automatically created by CircleCI.
If you would like to verify that the binary you have downloaded was built from the source code in this repository, you can compute a checksum of the zipped tarball and compare it to the checksums that are included as release artifacts.
Binaries built for MacOS are signed, notarized, and automatically verified with Gatekeeper.
Testing for this release candidate should focus on operations that query multiple subgraphs as the change made here should produce better performance in those operations.
This beta release is now out of date. If you previously installed this release, you should reinstall and see what's changed in the latest release.
🚀 Features
Enable Retries For Transient Errors Connecting To Graphs/Subgraphs - @jonathanrainer PR #1936
This turns on retries at the HTTP level for connections to graphs/subgraphs to minimize connection resets and cancellations. Also, a new --subgraph-retries flag for rover dev lets you set the number of retries allowed when trying to re-establish a connection.
Add --graph-ref flag to rover dev - @dotdat PR #1984
Introduces subgraph mirroring to rover dev. Subgraph mirroring inherits the subgraph routing URLs and schemas from an existing Studio graphref. This makes it easy to spin up a locally running supergraph without maintaining a supergraph config. See here for more information.
🐛 Fixes
Fixes issues related to passing filenames to --output - @jonathanrainer PR #1996
An issue was raised whereby previous versions of Rover supported passing filenames to the --output flag but this was broken in v0.24.0. This has now been fixed and the previous functionality restored.
🛠 Maintenance
Expand Smoke Tests To Run On All Supported Platforms - @jonathanrainer PR #1980
Fix cron expression, so it runs only once per day - @jonathanrainer PR #1986
Ensure we always use the correct version of Federation when testing - @jonathanrainer PR #1987
Add manual Smoke test invocation and pin Windows to npm@9 for testing - @jonathanrainer PR #1989
Update apollographql/router to v1.51.0 - @jonathanrainer PR #1988
Update node.js packages - @jonathanrainer PR #1979
Includes @eslint/compat to v1.1.1, eslint to v9.7.0, node.js to v20.15.1, npm to v10.8.2 and prettier to v3.3.3
Make sure x86 Mac Tests use 'latest' supergraph plugin version - @jonathanrainer PR #1990
Make sure homebrew runs brew update when we use it - @jonathanrainer PR #1993
📚 Documentation
graph-ref flag to dev subcommand docs - @jackonawalk PR #1945
The main feature of the release candidate is the new rover dev with graphref feature - #1984. Testing effort should focus here.
❗ BREAKING ❗
Removed the deprecated plain and json options for --output - @dylan-apollo PR #1804
The --output option is now only for specifying a file to write to. The --format option should be used to specify the format of the output.
🚀 Features
Return the name of the linting rule that is violated, as well as the code - @jonathanrainer PR #1907
Originally only the message from the linting violation was included in the response, but now it also includes the name of the specific linting rule to aid debugging
Use the Router's /health?ready endpoint to check readiness - @nmoutschen PR #1939
Previously rover dev used a simple query to establish readiness, but this did not allow for router customizations.
Adding architecture and OS metrics - @aaronArinder PR #1947
Allows us to track the Operating Systems and Architectures in use by our users, this will give us more information as to where to focus support efforts
Allow aarch64 macOS to pull correct supergraph binaries where available - @jonathanrainer PR #1971
We recently started publishing supergraph binaries for aarch64, so if they are available Rover will use them in preference to x86_64 binaries.
🐛 Fixes
Don't panic if the telemetry client cannot be initialised - @dylan-apollo PR #1897 - Issue #1893
Rename .cargo/config to .cargo/config.toml - @jonathanrainer PR #1921
Fix pnpm installs by moving the binary download location - @jonathanrainer PR #1927 - Issue #1881
After we inlined the binary-install dependency in v0.23.0 this changed where the downloaded binary was stored when using pnpm. This caused users running the binary to enter an infinite loop. This moves the binary to a new location which avoids this.
Don't panic on file watcher errors - @nmoutschen PR