chore: dependency update for subscriptions-transport-ws
#2775
Comments
I disagree with this one. Just dropping protocol support because the protocol is not maintained anymore doesn't do graphql a favor. This library has full support for
It's not dropping protocols 🤔. From my understanding websocket is still supported but using
These users could migrate to
You don't want to drag old packages that could introduce security risk
There are two separate GraphQL protocols on top of web sockets that determine the client server communication messages. One of them (the older one) is However, I agree about using old, archived dependencies. The alternative would be to implement the I'd say as long as Apollo & server keep supporting the old protocol there should be no reason to drop support. Some older apps and clients don't support
Shouldn't the packages be peer dependencies, both subscriptions-transport-ws and graphql-ws?
This package should 100% not be forced. Instead like @ssipos90 already said, it should be a peer dependency. Would not break anything, just require users to install the optional
I checked and it's also required to be added as an optional peer dependency: https://docs.npmjs.com/cli/v7/configuring-npm/package-json#peerdependenciesmeta
This is what semantic versioning is for. Release a major version with a breaking change that switches from
In our project we are currently using
Another problem with keeping subscriptions-transport-ws is that it has old dependencies that have vulnerabilities, as long as we keep subscriptions-transport-ws, we will continue to install libraries with vulnerabilities in our projects. Example:
If you encounter this issue because of the vulnerable
@ruscon Would you mind sharing your setup if possible? I just tried
As I can see, this discussion is still open.
I agree with that, since some users would still like to use the old deprecated dep Even though @iacobus mentioned a patch could be applied to fix vulnerabilities issues, I think most users would prefer to use it with the new What do you think about releasing a major version without the deprecated
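
Added example, not part of the thread or of the project's code: a small Node.js check, relating to the comments above on peer dependencies and on vulnerable transitive dependencies, that reads the `packages` map of an npm lockfile (lockfileVersion 2 or 3 assumed) and reports which packages declare a given package, and whether as a hard dependency or an optional peer. The lockfile is constructed inline; `example-graphql-module`, `example-old-dep` and all versions are placeholders.

```javascript
// Constructed sample in npm's lockfileVersion 2/3 "packages" layout.
// Names other than the two transports, and all versions, are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { "example-graphql-module": "1.0.0" } },
    "node_modules/example-graphql-module": {
      version: "1.0.0",
      dependencies: { "subscriptions-transport-ws": "0.0.0-sample" },
      peerDependencies: { "graphql-ws": "0.0.0-sample" },
      peerDependenciesMeta: { "graphql-ws": { optional: true } },
    },
    "node_modules/subscriptions-transport-ws": {
      version: "0.0.0-sample",
      dependencies: { "example-old-dep": "0.0.0-sample" },
    },
    "node_modules/subscriptions-transport-ws/node_modules/example-old-dep": {
      version: "0.0.0-sample",
    },
  },
};

// Package name is whatever follows the last "node_modules/" in the lockfile key.
function nameFromPath(path, entry) {
  if (path === "") return entry.name || "(root)";
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// List every package that declares `target`, and how binding the declaration is.
function whoRequires(lock, target) {
  const fields = [["dependencies", "hard"], ["optionalDependencies", "optional"],
                  ["peerDependencies", "peer"]];
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const meta = (entry.peerDependenciesMeta || {})[target] || {};
    for (const [field, kind] of fields) {
      const range = (entry[field] || {})[target];
      if (range === undefined) continue;
      const optionalPeer = kind === "peer" && meta.optional === true;
      hits.push({ dependent: nameFromPath(path, entry), range,
                  kind: optionalPeer ? "optional-peer" : kind });
    }
  }
  return hits;
}

console.log(whoRequires(sampleLock, "subscriptions-transport-ws"));
```

A `hard` hit means every consumer installs the package and its transitive dependencies; an `optional-peer` hit means only consumers who add it themselves do.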
Is there an existing issue for this?
Current behavior
I've searched for it and this issue has been historically closed here: #2406
This project is now archived and flagged as deprecated (as of April 14th 2023)
From official Apollo v4 documentation
Minimum reproduction code
https://github.com/nestjs/graphql/blob/master/packages/graphql/package.json#L31
Steps to reproduce
No response
Expected behavior
This package should not use the deprecated package but the recommended one
Package version
11
Graphql version
graphql:
apollo-server-express:
apollo-server-fastify:
NestJS version
No response
Node.js version
18
In which operating systems have you tested?
Other
No response