fix(deps): update dependency apollo-server-core to v3.12.1 [security] - autoclosed #1735

renovate · 2023-08-30T23:25:56Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
apollo-server-core (source)	`3.6.6` -> `3.12.1`

GitHub Vulnerability Alerts

GHSA-j5g3-5c8r-7qfx

Impact

What kind of vulnerability is it?

Apollo Server can log sensitive information (Studio API keys) if they are passed incorrectly (with leading/trailing whitespace) or if they have any characters that are invalid as part of a header value.

Who is impacted?

Users who (all of the below):

use either the schema reporting or usage reporting feature
use an Apollo Studio API key which has invalid header values
use the default fetcher (node-fetch) or configured their own node-fetch fetcher

The following node snippet can test whether your API key has invalid header values. This code is taken directly from node-fetch@2's header value validation code.

const invalidHeaderCharRegex = /[^\t\x20-\x7e\x80-\xff]/;
if (invalidHeaderCharRegex.test('<YOUR_API_KEY>')) {
  console.log('potentially affected');
}
console.log('unaffected');

If the provided API key is not a valid header value, whenever Apollo Server uses that API key in a request (to Studio, for example), node-fetch will throw an error which contains the header value. This error is logged in various ways depending on the user's configuration, but most likely the console or some configured logging service.

Patches

This problem is patched in the latest version of Apollo Server as soon as this advisory is published.

Workarounds

Try retrieving a new API key from Studio. Note: this may not work if the invalid character is not part of the secret (it may be derived from identifiers like graph name, user name).
Override the fetcher
Disable schema reporting and/or usage reporting

Solution

Apollo Server will now call .trim() on incoming API keys in order to eliminate leading/trailing whitespace and log a warning when it does so.
Apollo Server will now perform the same validation of API keys as node-fetch@2 performs on header values on startup. Apollo Server will throw an error on startup (i.e., fail to start completely) and notify the user their API key is invalid along with the offending characters.

Release Notes

apollographql/apollo-server (apollo-server-core)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch 3 times, most recently from 3e30e47 to cadb461 Compare September 8, 2023 09:17

renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch 2 times, most recently from 0520e5a to 4208690 Compare October 1, 2023 08:03

renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch 2 times, most recently from b33cdfc to 8a52e81 Compare October 15, 2023 15:39

renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch from 8a52e81 to ea135a9 Compare October 23, 2023 15:25

renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch 2 times, most recently from bc9ab45 to 5c2e566 Compare November 6, 2023 07:48

renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch from 5c2e566 to bb920a6 Compare November 16, 2023 13:09

renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch 3 times, most recently from f32d503 to f4859aa Compare December 5, 2023 10:21

renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch 2 times, most recently from ef6682b to 755437a Compare December 12, 2023 10:14

renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch from 755437a to a0236cb Compare December 19, 2023 06:37

renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch 2 times, most recently from 7c6959f to 2864fab Compare February 4, 2024 11:53

renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch from 2864fab to 9ee4780 Compare February 20, 2024 19:06

fix(deps): update dependency apollo-server-core to v3.12.1 [security]

b20baca

renovate bot force-pushed the renovate/npm-apollo-server-core-vulnerability branch from 9ee4780 to b20baca Compare February 21, 2024 19:07

renovate bot changed the title ~~fix(deps): update dependency apollo-server-core to v3.12.1 [security]~~ fix(deps): update dependency apollo-server-core to v3.12.1 [security] - autoclosed Mar 1, 2024

renovate bot closed this Mar 1, 2024

renovate bot deleted the renovate/npm-apollo-server-core-vulnerability branch March 1, 2024 23:54

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): update dependency apollo-server-core to v3.12.1 [security] - autoclosed #1735

fix(deps): update dependency apollo-server-core to v3.12.1 [security] - autoclosed #1735

renovate bot commented Aug 30, 2023 •

edited

Loading

fix(deps): update dependency apollo-server-core to v3.12.1 [security] - autoclosed #1735

fix(deps): update dependency apollo-server-core to v3.12.1 [security] - autoclosed #1735

Conversation

renovate bot commented Aug 30, 2023 • edited Loading

GitHub Vulnerability Alerts

Impact

What kind of vulnerability is it?

Who is impacted?

Patches

Workarounds

Solution

Release Notes

Configuration

renovate bot commented Aug 30, 2023 •

edited

Loading