[Snyk] Upgrade: @apollo/rover, execa, make-fetch-happen #507

Open: wants to merge 1 commit into base: main
Conversation

WontonSam (Owner)

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Name: @apollo/rover
  Versions: from 0.14.2 to 0.26.0 | 29 versions ahead of your current version
  Released on: 22 days ago, on 2024-08-21
Name: execa
  Versions: from 5.1.1 to 9.3.1 | 15 versions ahead of your current version
  ⚠️ This is a major version upgrade, and may be a breaking change
  Released on: a month ago, on 2024-08-14
Name: make-fetch-happen
  Versions: from 11.1.1 to 13.0.1 | 3 versions ahead of your current version
  ⚠️ This is a major version upgrade, and may be a breaking change
  Released on: 4 months ago, on 2024-04-30

Issues fixed by the recommended upgrade:

Issue: high severity Cross-site Request Forgery (CSRF), SNYK-JS-AXIOS-6032459
  Score: 676 | Exploit Maturity: Proof of Concept
Issue: medium severity Regular Expression Denial of Service (ReDoS), SNYK-JS-AXIOS-6124857
  Score: 676 | Exploit Maturity: Proof of Concept
Release notes
Package name: @apollo/rover
  • 0.26.0 - 2024-08-21

    Important: 1 potentially breaking changes below, indicated by ❗ BREAKING ❗

    ❗ BREAKING ❗

    • The --client-timeout flag now represents the period over which we allow retries - @aaronArinder PR #2019

      The documentation for this flag indicated that this was the period over which Rover would retry a command if there were retryable HTTP errors. However, this was not the case due to complexities in how the client was instantiated. This has now been corrected, so the documented behaviour matches the actual behaviour.

    🚀 Features

    • Make rover operate asynchronously - @aaronArinder @Geal PR #2035

      Removes the use of the reqwest blocking client allowing rover to operate using an asynchronous tokio runtime. This will bring performance improvements, particularly where working with large sets of subgraphs.

    • Add --graph-ref to supergraph compose - @jonathanrainer PR #2001

      Adds the same capabilities to supergraph compose as were added to rover dev in 0.25.0. You can now specify an existing Studio graphref and the command will run composition over the subgraphs specified in the graphref, as well as any overrides specified in a given supergraph config.

    • Add new rover cloud command - @loshz PR #2008

      Adds a new command to allow you to push or pull the Router config to a Cloud Router that is running in Studio.

    • Add new rover cloud config validate subcommand - @loshz PR #2055

      Adds a new command enabling you to validate the Router config for a Cloud Router.

    🐛 Fixes

    • Don't run IsFederatedGraph before running SubgraphFetchQuery - @glasser PR #2004

      Previously we were checking IsFederatedGraph before running SubgraphFetch, but the same check is actually performed in SubgraphFetch anyway so the first call to IsFederatedSubgraph is unnecessary.

    • Allow --graph-ref to support contract variants - @jonathanrainer PR #2036

      There was a bug where using the graphref of a contract variant would cause an error about non-federated graphs. This has been resolved and now contract variant graphrefs can also be used.

    • Remove last reference to blocking reqwest client - @loshz PR #2050

      One reference to the blocking reqwest client had been leftover from the move to async operation in #2035, this was removed.

    • Ensure NPM installer on Windows works correctly - @jonathanrainer PR #2059

      The NPM installer on Windows had been broken because it was attempting to rename a binary from rover to its correct name, rather than from rover.exe to its correct name. This has been corrected and extra CI and unit tests added to prevent a recurrence.

    • Make sure a message is returned to the user when cloud config is updated correctly - @loshz PR #2063

    • Fix a regression in rover dev where it would no longer watch subgraphs correctly - @jonathanrainer PR #2065

    🛠 Maintenance

    📚 Documentation


    This release was automatically created by CircleCI.

    If you would like to verify that the binary you have downloaded was built from the source code in this repository, you can compute a checksum of the zipped tarball and compare it to the checksums that are included as release artifacts.

    Binaries built for MacOS are signed, notarized, and automatically verified with Gatekeeper.

  • 0.26.0-rc.1 - 2024-08-14

    Testing for this release candidate should focus on operations that query multiple subgraphs as the change made here should produce better performance in those operations.



  • 0.26.0-rc.0 - 2024-07-30

    This beta release is now out of date. If you previously installed this release, you should reinstall and see what's changed in the latest release.



  • 0.25.0 - 2024-07-22

    🚀 Features

    • Enable Retries For Transient Errors Connecting To Graphs/Subgraphs - @jonathanrainer PR #1936

      This turns on retries at the HTTP level for connections to graphs/subgraphs to minimize connection resets and cancellations. Also, a new --subgraph-retries flag for rover dev lets you set the number of retries allowed when trying to re-establish a connection.

    • Add --graph-ref flag to rover dev - @dotdat PR #1984

      Introduces subgraph mirroring to rover dev. Subgraph mirroring inherits the subgraph routing URLs and schemas from an existing Studio graphref. This makes it easy to spin up a locally running supergraph without maintaining a supergraph config. See here for more information.

    🐛 Fixes

    • Fixes issues related to passing filenames to --output - @jonathanrainer PR #1996

      An issue was raised whereby previous versions of Rover supported passing filenames to the --output flag but this was broken in v0.24.0. This has now been fixed and the previous functionality restored.

    🛠 Maintenance

    📚 Documentation



  • 0.25.0-rc.0 - 2024-07-17

    The main feature of the release candidate is the new rover dev with graphref feature - #1984. Testing effort should focus here.



  • 0.24.0 - 2024-07-15

    ❗ BREAKING ❗

    • Removed the deprecated plain and json options for --output - @dylan-apollo PR #1804

      The --output option is now only for specifying a file to write to. The --format option should be used to specify the format of the output.

    🚀 Features

    • Return the name of the linting rule that is violated, as well as the code - @jonathanrainer PR #1907

      Originally only the message from the linting violation was included in the response, but now it also includes the name of the specific linting rule to aid debugging.

    • Use the Router's /health?ready endpoint to check readiness - @nmoutschen PR #1939

      Previously rover dev used a simple query to establish readiness, but this did not allow for router customizations.

    • Adding architecture and OS metrics - @aaronArinder PR #1947

      Allows us to track the Operating Systems and Architectures in use by our users; this will give us more information as to where to focus support efforts.

    • Allow aarch64 macOS to pull correct supergraph binaries where available - @jonathanrainer PR #1971

      We recently started publishing supergraph binaries for aarch64, so if they are available Rover will use them in preference to x86_64 binaries.

    🐛 Fixes

    • Don't panic if the telemetry client cannot be initialised - @dylan-apollo PR #1897 - Issue #1893

    • Rename .cargo/config to .cargo/config.toml - @jonathanrainer PR #1921

    • Fix pnpm installs by moving the binary download location - @jonathanrainer PR #1927 - Issue #1881

      After we inlined the binary-install dependency in v0.23.0 this changed where the downloaded binary was stored when using pnpm. This caused users running the binary to enter an infinite loop. This moves the binary to a new location which avoids this.

    • Don't panic on file watcher errors - @nmoutschen PR

Snyk has created this PR to upgrade:
  - @apollo/rover from 0.14.2 to 0.26.0.
    See this package in npm: https://www.npmjs.com/package/@apollo/rover
  - execa from 5.1.1 to 9.3.1.
    See this package in npm: https://www.npmjs.com/package/execa
  - make-fetch-happen from 11.1.1 to 13.0.1.
    See this package in npm: https://www.npmjs.com/package/make-fetch-happen

See this project in Snyk:
https://app.snyk.io/org/cachiman-inc/project/5312fdfd-d533-4187-9a75-33fe4986af1c?utm_source=github&utm_medium=referral&page=upgrade-pr
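The "Issues fixed by the recommended upgrade" list above names axios advisories while the PR itself bumps @apollo/rover, execa and make-fetch-happen, so the fix can only arrive through a nested copy of axios. The following is an added example (not Snyk's or this repository's code) that walks a lockfile after such an upgrade and reports every installed copy of a package, which parent pulled it in, and whether it is still below an advisory's fixed version. It assumes npm lockfileVersion 2 or 3, where the keys of the "packages" map are install paths such as "node_modules/@apollo/rover/node_modules/axios"; the lockfile contents and the fixed version passed in are constructed for the demo, not taken from the PR or the advisories.

```python
"""Added example: list every installed copy of a package from package-lock.json
and flag copies older than a caller-supplied fixed version.

Assumes npm lockfileVersion 2/3 ("packages" keyed by install path). The sample
lockfile and all version numbers below are constructed for the demonstration.
"""
import json
import re

# Constructed sample lockfile: one top-level axios and an older copy nested
# under @apollo/rover. Versions are illustrative, not the project's real ones.
SAMPLE_LOCK = json.dumps({
    "name": "demo",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"@apollo/rover": "^0.14.2", "axios": "^1.7.0"}},
        "node_modules/axios": {"version": "1.7.4"},
        "node_modules/@apollo/rover": {
            "version": "0.14.2",
            "dependencies": {"axios": "^0.21.0"},
        },
        "node_modules/@apollo/rover/node_modules/axios": {"version": "0.21.4"},
    },
})


def parse_semver(version):
    """Return a comparable (major, minor, patch) tuple; pre-release/build tags are ignored."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.groups())


def find_installs(lock_text, package):
    """Return [(install_path, parent_package, version)] for each installed copy of `package`.

    A path like "node_modules/a/node_modules/axios" means the copy was installed
    for package "a"; a bare "node_modules/axios" is the hoisted top-level copy.
    """
    lock = json.loads(lock_text)
    suffix = "node_modules/" + package
    found = []
    for path, meta in lock.get("packages", {}).items():
        # Exact match (top-level) or ".../node_modules/<package>" (nested).
        # The "/" prefix stops "node_modules/axios-retry" from matching "axios".
        if path != suffix and not path.endswith("/" + suffix):
            continue
        parent_path = path[: -len(suffix)].rstrip("/")
        parent = parent_path.split("node_modules/")[-1] if parent_path else "(root)"
        found.append((path, parent, meta.get("version", "?")))
    return found


def vulnerable_installs(lock_text, package, fixed_in):
    """Copies of `package` whose version is older than `fixed_in`.

    `fixed_in` is the advisory's fixed version, supplied by the caller; nothing
    here hard-codes the fixed versions of the axios issues listed in the PR.
    """
    fixed = parse_semver(fixed_in)
    return [
        (path, parent, version)
        for path, parent, version in find_installs(lock_text, package)
        if parse_semver(version) < fixed
    ]


if __name__ == "__main__":
    # "1.6.0" is an assumed threshold for the demo, not an advisory value.
    for path, parent, version in find_installs(SAMPLE_LOCK, "axios"):
        print(f"{path}: {version} (pulled in by {parent})")
    for path, parent, version in vulnerable_installs(SAMPLE_LOCK, "axios", "1.6.0"):
        print(f"STILL VULNERABLE: {path} {version} via {parent}")
```

Run it against the real lockfile by replacing SAMPLE_LOCK with the file's contents; a non-empty result from vulnerable_installs after the upgrade means the Snyk PR did not actually remove the flagged copy, which happens when the nested dependent was not one of the packages bumped.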
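The @apollo/rover release notes quoted above say a downloaded binary can be checked by computing a checksum of the archive and comparing it with the checksums published as release artifacts. The following is an added example (not Apollo's release tooling or this repository's code) of that check: it parses a sha256sum-style file ("<hex digest>  <filename>"), hashes the archive in chunks, and compares digests in constant time, treating an archive that is absent from the checksum file as a failure rather than a pass. The archive bytes and checksum file are constructed in a temporary directory for the demo; the filenames are assumptions, not real release artifact names.

```python
"""Added example: verify a downloaded release archive against a sha256sum-style
checksum file. Not the project's own tooling; file names and contents below are
constructed for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdef")


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_checksum_file(path):
    """Map filename -> expected lowercase hex digest.

    Accepts GNU coreutils lines: "digest  name" (text) or "digest *name" (binary).
    A malformed line raises rather than being silently skipped.
    """
    expected = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            digest, _, name = line.partition(" ")
            name = name.lstrip(" *")
            digest = digest.lower()
            if len(digest) != 64 or not set(digest) <= HEX or not name:
                raise ValueError(f"malformed checksum line: {line!r}")
            expected[name] = digest
    return expected


def verify(archive_path, checksum_path):
    """True only if the archive's basename is listed and its SHA-256 matches."""
    expected = parse_checksum_file(checksum_path)
    name = os.path.basename(archive_path)
    if name not in expected:
        return False  # unlisted file: refuse, do not assume it is fine
    return hmac.compare_digest(sha256_of_file(archive_path), expected[name])


def demo():
    """Build constructed fixtures and return
    (untampered_verifies, tampered_verifies, unlisted_verifies)."""
    with tempfile.TemporaryDirectory() as d:
        archive = os.path.join(d, "release.tar.gz")  # constructed, not a real release
        with open(archive, "wb") as f:
            f.write(b"constructed archive bytes, not a real rover release\n")
        sums = os.path.join(d, "sha256sums.txt")
        with open(sums, "w", encoding="utf-8") as f:
            f.write(f"{sha256_of_file(archive)}  {os.path.basename(archive)}\n")
        untampered = verify(archive, sums)

        with open(archive, "ab") as f:
            f.write(b"\x00")  # a single appended byte stands in for tampering
        tampered = verify(archive, sums)

        unlisted = os.path.join(d, "other.tar.gz")
        with open(unlisted, "wb") as f:
            f.write(b"x")
        unlisted_ok = verify(unlisted, sums)
    return untampered, tampered, unlisted_ok


if __name__ == "__main__":
    print(demo())
```

The checksum file itself is only as trustworthy as the channel it came from; it limits damage from a corrupted or swapped download, not from a compromised release pipeline that publishes matching checksums for a bad archive. For the latter, the notes' mention of signed and notarized macOS binaries is the relevant control.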

google-cla bot commented Sep 12, 2024

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.


sonarcloud bot commented Sep 12, 2024
