From ee018a7744a8c6ea7f312eec33f1b99c4ae964d9 Mon Sep 17 00:00:00 2001
From: Trevor Scheer
Date: Mon, 6 Feb 2023 14:09:06 -0800
Subject: [PATCH] Update `http-cache-semantics` package (#159)

Update `http-cache-semantics` package to latest patch, resolving a security issue.

Unlike many security updates Apollo repos receive, this is an _actual_ (non-dev) dependency of this package which means it is actually a user-facing security issue.

The potential impact of this issue is limited to a DOS attack (via an inefficient regex).

This security issue would only affect you if either:
* you pass untrusted (i.e. from your users) `cache-control` request headers
* you sending requests to untrusted REST server that might return malicious `cache-control` headers

Since `http-cache-semantics` is a careted (^) dependency in this package, the security issue can (and might already) be resolved via a `package-lock.json` update within your project (possibly triggered by `npm audit` or another dependency update which has already updated its version of the package in question). If `npm ls http-cache-semantics` reveals a tree of dependencies which only include the `4.1.1` version (and no references to any previous versions) then you are currently unaffected and this patch should have (for all intents and purpose) no effect.

More details available here: https://github.com/advisories/GHSA-rc47-6667-2j5j
---
 .changeset/five-snails-stare.md | 29 +++++++++++++++++++++++++++++
 package-lock.json | 14 +++++++-------
 package.json | 2 +-
 3 files changed, 37 insertions(+), 8 deletions(-)
 create mode 100644 .changeset/five-snails-stare.md

diff --git a/.changeset/five-snails-stare.md b/.changeset/five-snails-stare.md
new file mode 100644
index 0000000..04b6486
--- /dev/null
+++ b/.changeset/five-snails-stare.md
@@ -0,0 +1,29 @@
+---
+'@apollo/datasource-rest': patch
+---
+
+Update `http-cache-semantics` package to latest patch, resolving a security
+issue.
+
+Unlike many security updates Apollo repos receive, this is an _actual_ (non-dev)
+dependency of this package which means it is actually a user-facing security
+issue.
+
+The potential impact of this issue is limited to a DOS attack (via an
+inefficient regex).
+
+This security issue would only affect you if either:
+* you pass untrusted (i.e. from your users) `cache-control` request headers
+* you sending requests to untrusted REST server that might return malicious
+  `cache-control` headers
+
+Since `http-cache-semantics` is a careted (^) dependency in this package, the
+security issue can (and might already) be resolved via a `package-lock.json`
+update within your project (possibly triggered by `npm audit` or another
+dependency update which has already updated its version of the package in
+question). If `npm ls http-cache-semantics` reveals a tree of dependencies which
+only include the `4.1.1` version (and no references to any previous versions)
+then you are currently unaffected and this patch should have (for all intents
+and purpose) no effect.
+
+More details available here: https://github.com/advisories/GHSA-rc47-6667-2j5j
diff --git a/package-lock.json b/package-lock.json
index 2bfdaf0..152c202 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -13,7 +13,7 @@
         "@apollo/utils.keyvaluecache": "^2.0.0",
         "@apollo/utils.withrequired": "^2.0.0",
         "@types/http-cache-semantics": "^4.0.1",
-        "http-cache-semantics": "^4.1.0",
+        "http-cache-semantics": "^4.1.1",
         "lodash.isplainobject": "^4.0.6",
         "node-fetch": "^2.6.7"
       },
@@ -5147,9 +5147,9 @@
       "dev": true
     },
     "node_modules/http-cache-semantics": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz",
-      "integrity": "sha512-carPklcUh7ROWRK7Cv27RPtdhYhUsela/ue5/jKzjegVvXDqM2ILE9Q2BGn9JZJh1g87cp56su/FgQSzcWS8cQ=="
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.1.tgz",
+      "integrity": "sha512-er295DKPVsV82j5kw1Gjt+ADA/XYHsajl82cGNQG2eyoPkvgUhX+nDIyelzhIWbbsXP39EHcI6l5tYs2FYqYXQ=="
     },
     "node_modules/http-errors": {
       "version": "2.0.0",
@@ -14033,9 +14033,9 @@
       "dev": true
     },
     "http-cache-semantics": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz",
-      "integrity": "sha512-carPklcUh7ROWRK7Cv27RPtdhYhUsela/ue5/jKzjegVvXDqM2ILE9Q2BGn9JZJh1g87cp56su/FgQSzcWS8cQ=="
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.1.tgz",
+      "integrity": "sha512-er295DKPVsV82j5kw1Gjt+ADA/XYHsajl82cGNQG2eyoPkvgUhX+nDIyelzhIWbbsXP39EHcI6l5tYs2FYqYXQ=="
     },
     "http-errors": {
       "version": "2.0.0",
diff --git a/package.json b/package.json
index 446f74b..48ce83e 100644
--- a/package.json
+++ b/package.json
@@ -52,7 +52,7 @@
     "@apollo/utils.keyvaluecache": "^2.0.0",
     "@apollo/utils.withrequired": "^2.0.0",
     "@types/http-cache-semantics": "^4.0.1",
-    "http-cache-semantics": "^4.1.0",
+    "http-cache-semantics": "^4.1.1",
     "lodash.isplainobject": "^4.0.6",
     "node-fetch": "^2.6.7"
   },