
GraphQL: Update GraphiQL version #569

Open
amotl opened this issue Oct 31, 2024 · 1 comment

Comments


amotl commented Oct 31, 2024

@coderabbitai recommended:

⚠️ Potential issue

Consider upgrading GraphiQL version.

The template uses GraphiQL v0.12.0 which is significantly outdated. The latest stable version is 3.0.1 which includes security fixes, performance improvements, and new features.

Apply this diff to update the version:

-{% set GRAPHIQL_VERSION = '0.12.0' %}
+{% set GRAPHIQL_VERSION = '3.0.1' %}
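Review bot: bumping `GRAPHIQL_VERSION` from 0.12.0 to 3.0.1 in isolation is not a safe committable change, because the template's other CDN tags (the React/ReactDOM 16.2.0 builds flagged in the second comment) are left untouched; a jump of three major versions needs the React peer version that GraphiQL 3.x declares checked and bumped in the same commit, and the file names the template requests under the new version (`graphiql.css`, `graphiql.min.js`) confirmed to still exist at that path on the CDN before the value is changed.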
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

{% set GRAPHIQL_VERSION = '3.0.1' %}

Originally posted by @coderabbitai[bot] in #554 (comment)


amotl commented Oct 31, 2024

Also relevant in this context, coming from #554 (comment):

⚠️ Potential issue

Security and compatibility improvements needed for external dependencies.

Several concerns with the current implementation:

  1. React/ReactDOM versions (16.2.0) are outdated
  2. CDN resources lack SRI (Subresource Integrity) hashes
  3. whatwg-fetch polyfill might be unnecessary for modern browsers

[security]
Apply these improvements:

-    <link href="//cdn.jsdelivr.net/npm/graphiql@{{ GRAPHIQL_VERSION }}/graphiql.css" rel="stylesheet"/>
-    <script src="//cdn.jsdelivr.net/npm/[email protected]/fetch.min.js"></script>
-    <script src="//cdn.jsdelivr.net/npm/[email protected]/umd/react.production.min.js"></script>
-    <script src="//cdn.jsdelivr.net/npm/[email protected]/umd/react-dom.production.min.js"></script>
-    <script src="//cdn.jsdelivr.net/npm/graphiql@{{ GRAPHIQL_VERSION }}/graphiql.min.js"></script>
+    <link 
+      href="https://cdn.jsdelivr.net/npm/graphiql@{{ GRAPHIQL_VERSION }}/graphiql.css" 
+      rel="stylesheet"
+      integrity="sha384-[GET-ACTUAL-HASH]"
+      crossorigin="anonymous"
+    />
+    <script 
+      src="https://cdn.jsdelivr.net/npm/[email protected]/umd/react.production.min.js"
+      integrity="sha384-[GET-ACTUAL-HASH]"
+      crossorigin="anonymous"
+    ></script>
+    <script 
+      src="https://cdn.jsdelivr.net/npm/[email protected]/umd/react-dom.production.min.js"
+      integrity="sha384-[GET-ACTUAL-HASH]"
+      crossorigin="anonymous"
+    ></script>
+    <script 
+      src="https://cdn.jsdelivr.net/npm/graphiql@{{ GRAPHIQL_VERSION }}/graphiql.min.js"
+      integrity="sha384-[GET-ACTUAL-HASH]"
+      crossorigin="anonymous"
+    ></script>
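Review bot: the `+` lines keep exactly the same `react` and `react-dom` package specifiers as the `-` lines they replace, so concern 1 (React/ReactDOM 16.2.0 outdated) is not addressed by this hunk; bump those versions in the same change, since every `integrity` value is bound to one exact file and would otherwise have to be regenerated a second time after a later bump. The GraphiQL `href` and `src` are built from `{{ GRAPHIQL_VERSION }}` while the `integrity` attributes are literals, so the hash and the version will drift apart silently the next time the variable is edited: keep the hash next to the version (for example a second template variable set beside `GRAPHIQL_VERSION`) or generate both from one place. Two smaller points: the `+` side drops the `whatwg-fetch` script without replacement, which matches concern 3 but should be stated in the commit message as a deliberate change, and the `<link ` / `<script ` lines carry trailing whitespace.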

Note: Replace [GET-ACTUAL-HASH] with actual SRI hashes generated for each resource.

Committable suggestion was skipped due to low confidence.
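The note above tells the committer to replace `[GET-ACTUAL-HASH]` with generated SRI hashes but does not show how they are produced or checked. The following is an added example, not code from this issue or from the project it discusses: it computes an `integrity` value from an asset's bytes, renders the pinned `<script>` tag, and verifies a payload against an `integrity` attribute, including the spec's rule that only the strongest listed algorithm counts. The URL `https://cdn.example/...` and the two payloads are constructed placeholders, not real GraphiQL builds.

```python
"""Generate and check Subresource Integrity (SRI) values for CDN assets.

Added example; not code from the issue or the project. Assumes the asset
bytes have already been fetched from the exact pinned version; the sample
payloads below are constructed and stand in for two different builds.
"""
import base64
import hashlib

# Algorithms the SRI specification permits in an integrity attribute,
# ordered by strength (the browser honours only the strongest one present).
SRI_ALGORITHMS = {
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}
SRI_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def integrity_value(data: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity attribute value, e.g. 'sha384-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = SRI_ALGORITHMS[algorithm](data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(data: bytes, integrity: str) -> bool:
    """Check data against an integrity attribute value.

    The attribute may carry several whitespace-separated tokens. As in the
    SRI spec, only tokens of the strongest algorithm are considered and the
    data passes if any of them matches. Unlike a browser, which ignores an
    attribute with no usable token and loads the resource anyway, this
    check fails closed so a CI job cannot pass on a malformed attribute.
    """
    candidates: dict[str, set[str]] = {}
    for token in integrity.split():
        algorithm, sep, b64 = token.partition("-")
        b64 = b64.split("?", 1)[0]  # drop any "?options" suffix
        if sep and algorithm in SRI_ALGORITHMS and b64:
            candidates.setdefault(algorithm, set()).add(b64)
    if not candidates:
        return False
    strongest = max(candidates, key=SRI_STRENGTH.__getitem__)
    actual = base64.b64encode(SRI_ALGORITHMS[strongest](data).digest()).decode("ascii")
    return actual in candidates[strongest]


def script_tag(url: str, data: bytes) -> str:
    """Render a <script> tag pinned to the exact bytes that were reviewed."""
    return (
        f'<script src="{url}" integrity="{integrity_value(data)}" '
        f'crossorigin="anonymous"></script>'
    )


# Constructed sample payloads standing in for two builds of one library.
SAMPLE_BUILD_A = b"/* constructed sample build A */ window.GraphiQL = {};\n"
SAMPLE_BUILD_B = b"/* constructed sample build B */ window.GraphiQL = {};\n"

if __name__ == "__main__":
    # Placeholder URL; a real tag would point at the pinned CDN path.
    print(script_tag("https://cdn.example/graphiql.min.js", SAMPLE_BUILD_A))
    pinned = integrity_value(SAMPLE_BUILD_A)
    print("build A against its own hash:", verify_integrity(SAMPLE_BUILD_A, pinned))
    print("build B against build A hash:", verify_integrity(SAMPLE_BUILD_B, pinned))
```

Run it on the real files by fetching each pinned asset (for example with `curl -fsSL`) and passing the bytes to `integrity_value`; the equivalent one-liner is `openssl dgst -sha384 -binary FILE | openssl base64 -A`. Because the hash is bound to one exact file, a CI step that re-fetches every pinned URL and calls `verify_integrity` against the attributes in the template catches the case this issue's hunk leaves open, where `GRAPHIQL_VERSION` is bumped but the literal `integrity` values are not.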
