diff --git a/.changeset/proud-buckets-kneel.md b/.changeset/proud-buckets-kneel.md deleted file mode 100644 index bb92352ff5f..00000000000 --- a/.changeset/proud-buckets-kneel.md +++ /dev/null @@ -1,17 +0,0 @@ ---- -'@apollo/server': patch ---- - -Ensure API keys are valid header values on startup - -Apollo Server previously performed no sanitization or validation of API keys on startup. In the case that an API key was provided which contained characters that are invalid as header values, Apollo Server could inadvertently log the API key in cleartext. - -This only affected users who: -- Provide an API key with characters that are invalid as header values -- Use either schema or usage reporting -- Use the default fetcher provided by Apollo Server or configure their own `node-fetch` fetcher - -Apollo Server now trims whitespace from API keys and validates that they are valid header values. If an invalid API key is provided, Apollo Server will throw an error on startup. - -For more details, see the security advisory: -https://github.com/apollographql/apollo-server/security/advisories/GHSA-j5g3-5c8r-7qfx diff --git a/package-lock.json b/package-lock.json index 8c6d29f9463..975b6ef6be6 100644 --- a/package-lock.json +++ b/package-lock.json @@ -14472,12 +14472,12 @@ }, "packages/integration-testsuite": { "name": "@apollo/server-integration-testsuite", - "version": "4.9.2", + "version": "4.9.3", "license": "MIT", "dependencies": { "@apollo/cache-control-types": "^1.0.3", "@apollo/client": "^3.6.9", - "@apollo/server": "4.9.2", + "@apollo/server": "4.9.3", "@apollo/usage-reporting-protobuf": "^4.1.1", "@apollo/utils.createhash": "^2.0.0", "@apollo/utils.keyvaluecache": "^2.1.0", @@ -14562,7 +14562,7 @@ }, "packages/server": { "name": "@apollo/server", - "version": "4.9.2", + "version": "4.9.3", "license": "MIT", "dependencies": { "@apollo/cache-control-types": "^1.0.3", @@ -14845,7 +14845,7 @@ "requires": { "@apollo/cache-control-types": "^1.0.3", "@apollo/client": "^3.6.9", - "@apollo/server": "4.9.2", + "@apollo/server": "4.9.3", "@apollo/usage-reporting-protobuf": "^4.1.1", "@apollo/utils.createhash": "^2.0.0", "@apollo/utils.keyvaluecache": "^2.1.0", diff --git a/packages/integration-testsuite/CHANGELOG.md b/packages/integration-testsuite/CHANGELOG.md index 18b74523e30..66f97f95f8b 100644 --- a/packages/integration-testsuite/CHANGELOG.md +++ b/packages/integration-testsuite/CHANGELOG.md @@ -1,5 +1,12 @@ # @apollo/server-integration-testsuite +## 4.9.3 + +### Patch Changes + +- Updated dependencies [[`a1c725eaf`](https://github.com/apollographql/apollo-server/commit/a1c725eaf53c901e32a15057211bcb3eb6a6109b)]: + - @apollo/server@4.9.3 + ## 4.9.2 ### Patch Changes diff --git a/packages/integration-testsuite/package.json b/packages/integration-testsuite/package.json index 6d17af3a943..f7987563329 100644 --- a/packages/integration-testsuite/package.json +++ b/packages/integration-testsuite/package.json @@ -1,6 +1,6 @@ { "name": "@apollo/server-integration-testsuite", - "version": "4.9.2", + "version": "4.9.3", "description": "Test suite for Apollo Server integrations", "main": "dist/index.js", "types": "dist/index.d.ts", @@ -28,7 +28,7 @@ "dependencies": { "@apollo/cache-control-types": "^1.0.3", "@apollo/client": "^3.6.9", - "@apollo/server": "4.9.2", + "@apollo/server": "4.9.3", "@apollo/utils.keyvaluecache": "^2.1.0", "@apollo/utils.createhash": "^2.0.0", "@apollo/usage-reporting-protobuf": "^4.1.1", diff --git a/packages/server/CHANGELOG.md b/packages/server/CHANGELOG.md index 4fd2dd8d24b..fb1c1cd67c3 100644 --- a/packages/server/CHANGELOG.md +++ b/packages/server/CHANGELOG.md @@ -1,5 +1,24 @@ # @apollo/server +## 4.9.3 + +### Patch Changes + +- [`a1c725eaf`](https://github.com/apollographql/apollo-server/commit/a1c725eaf53c901e32a15057211bcb3eb6a6109b) Thanks [@trevor-scheer](https://github.com/trevor-scheer)! - Ensure API keys are valid header values on startup + + Apollo Server previously performed no sanitization or validation of API keys on startup. In the case that an API key was provided which contained characters that are invalid as header values, Apollo Server could inadvertently log the API key in cleartext. + + This only affected users who: + + - Provide an API key with characters that are invalid as header values + - Use either schema or usage reporting + - Use the default fetcher provided by Apollo Server or configure their own `node-fetch` fetcher + + Apollo Server now trims whitespace from API keys and validates that they are valid header values. If an invalid API key is provided, Apollo Server will throw an error on startup. + + For more details, see the security advisory: + https://github.com/apollographql/apollo-server/security/advisories/GHSA-j5g3-5c8r-7qfx + ## 4.9.2 ### Patch Changes diff --git a/packages/server/package.json b/packages/server/package.json index 0628efeb90d..ebeb16cda86 100644 --- a/packages/server/package.json +++ b/packages/server/package.json @@ -1,6 +1,6 @@ { "name": "@apollo/server", - "version": "4.9.2", + "version": "4.9.3", "description": "Core engine for Apollo GraphQL server", "type": "module", "main": "dist/cjs/index.js",