
[Snyk] Upgrade: , , , , , execa, make-fetch-happen #501

Open
wants to merge 1 commit into
base: main
Conversation

WontonSam (Owner)


Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

| Name | Versions | Released on |
| --- | --- | --- |
| @apollo/rover | from 0.14.2 to 0.25.0 (26 versions ahead of your current version) | 2 months ago, on 2024-07-22 |
| @types/debug | from 4.1.7 to 4.1.12 (5 versions ahead of your current version) | 10 months ago, on 2023-11-09 |
| @types/jest | from 29.5.1 to 29.5.12 (11 versions ahead of your current version) | 7 months ago, on 2024-02-01 |
| @types/make-fetch-happen | from 10.0.1 to 10.0.4 (3 versions ahead of your current version) | 10 months ago, on 2023-11-07 |
| @types/node | from 18.16.3 to 22.4.2 (259 versions ahead of your current version). ⚠️ This is a major version upgrade, and may be a breaking change | 21 days ago, on 2024-08-21 |
| execa | from 5.1.1 to 9.3.1 (15 versions ahead of your current version). ⚠️ This is a major version upgrade, and may be a breaking change | a month ago, on 2024-08-14 |
| make-fetch-happen | from 11.1.1 to 13.0.1 (3 versions ahead of your current version). ⚠️ This is a major version upgrade, and may be a breaking change | 4 months ago, on 2024-04-30 |

Issues fixed by the recommended upgrade:

| Issue | Score | Exploit Maturity |
| --- | --- | --- |
| high severity: Cross-site Request Forgery (CSRF), SNYK-JS-AXIOS-6032459 | 167 | Proof of Concept |
| medium severity: Regular Expression Denial of Service (ReDoS), SNYK-JS-AXIOS-6124857 | 167 | Proof of Concept |
Release notes
Package name: @apollo/rover
  • 0.25.0 - 2024-07-22

    🚀 Features

    • Enable Retries For Transient Errors Connecting To Graphs/Subgraphs - @jonathanrainer PR #1936

      This turns on retries at the HTTP level for connections to graphs/subgraphs to minimize connection resets and cancellations. Also, a new --subgraph-retries flag for rover dev lets you set the number of retries allowed when trying to re-establish a connection.

    • Add --graph-ref flag to rover dev - @dotdat PR #1984

      Introduces subgraph mirroring to rover dev. Subgraph mirroring inherits the subgraph routing URLs and schemas from an existing Studio graphref. This makes it easy to spin up a locally running supergraph without maintaining a supergraph config. See here for more information.

    🐛 Fixes

    • Fixes issues related to passing filenames to --output - @jonathanrainer PR #1996

      An issue was raised whereby previous versions of Rover supported passing filenames to the --output flag but this was broken in v0.24.0. This has now been fixed and the previous functionality restored.

    🛠 Maintenance

    📚 Documentation


    This release was automatically created by CircleCI.

    If you would like to verify that the binary you have downloaded was built from the source code in this repository, you can compute a checksum of the zipped tarball and compare it to the checksums that are included as release artifacts.

    Binaries built for MacOS are signed, notarized, and automatically verified with Gatekeeper.

  • 0.25.0-rc.0 - 2024-07-17

    The main feature of the release candidate is the new rover dev with graphref feature - #1984. Testing effort should focus here.


    This release was automatically created by CircleCI.

    If you would like to verify that the binary you have downloaded was built from the source code in this repository, you can compute a checksum of the zipped tarball and compare it to the checksums that are included as release artifacts.

    Binaries built for MacOS are signed, notarized, and automatically verified with Gatekeeper.

  • 0.24.0 - 2024-07-15

    ❗ BREAKING ❗

    • Removed the deprecated plain and json options for --output - @dylan-apollo PR #1804

      The --output option is now only for specifying a file to write to. The --format option should be used to specify the format of the output.

    🚀 Features

    • Return the name of the linting rule that is violated, as well as the code - @jonathanrainer PR #1907

      Originally only the message from the linting violation was included in the response, but now it also includes the name of the specific linting rule to aid debugging.

    • Use the Router's /health?ready endpoint to check readiness - @nmoutschen PR #1939

      Previously rover dev used a simple query to establish readiness, but this did not allow for router customizations.

    • Adding architecture and OS metrics - @aaronArinder PR #1947

      Allows us to track the Operating Systems and Architectures in use by our users; this will give us more information as to where to focus support efforts.

    • Allow aarch64 macOS to pull correct supergraph binaries where available - @jonathanrainer PR #1971

      We recently started publishing supergraph binaries for aarch64, so if they are available Rover will use them in preference to x86_64 binaries.

    🐛 Fixes

    • Don't panic if the telemetry client cannot be initialised - @dylan-apollo PR #1897 - Issue #1893

    • Rename .cargo/config to .cargo/config.toml - @jonathanrainer PR #1921

    • Fix pnpm installs by moving the binary download location - @jonathanrainer PR #1927 - Issue #1881

      After we inlined the binary-install dependency in v0.23.0 this changed where the downloaded binary was stored when using pnpm. This caused users running the binary to enter an infinite loop. This moves the binary to a new location which avoids this.

    • Don't panic on file watcher errors - @nmoutschen PR #1935

      Instead of panicking when errors occur watching files, return those errors gracefully to the user.

    • Store binaries with version numbers attached so upgrades are possible - @jonathanrainer PR #1932 - Issue #1563

      When downloading binaries via npm they were always stored as rover despite the version. As such, when a new version came out the upgrade would fail. This now doesn't happen, as binaries are stored with their version number in the name.

    • Ensure correct URL is used if subgraph_url and routing_url are provided in a supergraph schema - @jonathanrainer PR #1948 - Issue #1782

    • Let --output accept paths with missing intermediate directories - @jonathanrainer PR #1944 - Issue #1787

    • Allow rover dev to read Federation Version from supergraph schema - @jonathanrainer PR #1950 - Issue #1735

      The Federation version could be set in the supergraph schema but was being ignored by rover dev. It now is taken into account, along with the overriding environment variable.

    • Stop .exe being printed after Federation version during composition - @jonathanrainer PR #1951 - Issue #1390

    • Reinstate support for glibc 2.17 - @jonathanrainer PR #1953

      In resolving the issues with CentOS 7 we accidentally removed support for glibc 2.17; this has now been restored.

    • Be more lenient about supergraph binary versions - @dylan-apollo PR #1966

      In resolving #1390, we were too restrictive in what counted as a valid version. This restores the correct behaviour.

    • Set package.json to a stable version when testing NPM Installers - @jonathanrainer PR #1967

      When testing whether our NPM installers worked correctly we were trying to download the latest rover binary. On release PRs, where the binary didn't yet exist, this was causing problems.

    • Fix mocking of calls to Orbiter in Installer tests - @jonathanrainer PR #1968

    • Remove noisy errors from intermediate composition states - @aaronArinder PR #1956

      When rover dev composes multiple subgraphs it does so one at a time. As such, if there are dependencies there can be noisy ephemeral errors; this fixes that by waiting until all subgraphs are added before trying composition.

    🛠 Maintenance

    📚 Documentation

    • Minor update to README.md - @tratzlaff PR #1880

      Fixes use of numbered lists in the README.md.

    • Remove failing/redundant links from docs - @dotdat PR #1894

    • Update docs style - @Meschreiber PR #1883

      Update formatting and admonitions to most recent conventions.

    • Update frontmatter - @Meschreiber PR #1898

      Updates title casing and adds metadata to subtitles.

    • Clarify subgraph publish can only create variants not graphs - @Meschreiber PR #1938

    • Make example using - instead of filepath clearer - @aaronArinder PR #1963

    • Update Router terminology - @Meschreiber PR #1925

      Update the uses of Apollo Router to GraphOS Router or Apollo Router Core where necessary.

    • Update documentation to make it clear we collect CPU Architecture, per command - @aaronArinder PR #1964

  • 0.23.0 - 2024-03-26

    🚀 Features

    This is slightly more convenient and less awkward than --routing-url --allow-invalid-routing-url

    Since its 1.43.0 release, the Router can now connect to subgraph over unix sockets. This removes a warning when publishing a schema with a unix:// URL.

    🐛 Fixes

    • Use task specific rayon threadpools and not the global threadpool - @garypen PR #1872

      This increases rover's reliability by executing independent tasks in different thread pools.

    • Prevent an infinite loop when restarting the router - @Geal PR #1855

      When restarting a Router on schema updates, it could happen that an internal task of Rover would go in an infinite loop and consume CPU needlessly. This is now fixed and should make rover dev more reliable.

    • Use proposalCoverage in addition to severityLevel to build correct proposal check messaging - @swcollard PR #1845

      This updates the message on proposal checks depending on the proposalCoverage field.

    🛠 Maintenance

    The vulnerability didn't affect rover, but now you won't get a warning for it!

    📚 Documentation

  • 0.23.0-rc.3 - 2024-02-20

    To install this specific version of Rover:

    # Note the `v` prefixing the version number
    curl -sSL https://rover.apollo.dev/nix/v0.23.0-rc.3 | sh
    

    This release was automatically created...

Snyk has created this PR to upgrade:
  - @apollo/rover from 0.14.2 to 0.25.0.
    See this package in npm: https://www.npmjs.com/package/@apollo/rover
  - @types/debug from 4.1.7 to 4.1.12.
    See this package in npm: https://www.npmjs.com/package/@types/debug
  - @types/jest from 29.5.1 to 29.5.12.
    See this package in npm: https://www.npmjs.com/package/@types/jest
  - @types/make-fetch-happen from 10.0.1 to 10.0.4.
    See this package in npm: https://www.npmjs.com/package/@types/make-fetch-happen
  - @types/node from 18.16.3 to 22.4.2.
    See this package in npm: https://www.npmjs.com/package/@types/node
  - execa from 5.1.1 to 9.3.1.
    See this package in npm: https://www.npmjs.com/package/execa
  - make-fetch-happen from 11.1.1 to 13.0.1.
    See this package in npm: https://www.npmjs.com/package/make-fetch-happen

See this project in Snyk:
https://app.snyk.io/org/cachiman/project/2ba7535c-d490-4c77-b7a2-b1bcec80f2dc?utm_source=github&utm_medium=referral&page=upgrade-pr

google-cla bot commented Sep 11, 2024

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.


sonarcloud bot commented Sep 11, 2024
