This repository has been archived by the owner on Feb 2, 2024. It is now read-only.

chore(deps): bump @apollo/experimental-nextjs-app-support from 0.4.3 to 0.7.0 #293


@dependabot dependabot bot commented on behalf of github Jan 30, 2024

Bumps @apollo/experimental-nextjs-app-support from 0.4.3 to 0.7.0.

Release notes

Sourced from @apollo/experimental-nextjs-app-support's releases.

0.7.0: important security fix

This version fixes CVE-2024-23841.
You can see more details in the security advisory.

There are no known workarounds for this issue, please update immediately.

0.6.0: reduced bundle size and "nonce" support

This release reduces the bundle size by changing an import from graphql. (#161)

It also adds support for a "nonce" in the script tags created by this package, by introducing a new extraScriptProps option. (#160)

Usage example:

    <ApolloNextAppProvider
      makeClient={makeClient}
      extraScriptProps={{
        nonce: actualNonce,
      }}
    >{...}</ApolloNextAppProvider>

As you should not pass a sensitive value like a nonce or a token as props from a Server Component into a Client Component, you can use the ssr-only-secrets we published for that purpose.

Generate a jwk-formatted AES-CBC key (see details in the linked package) and set it as an environment variable, e.g. "SECRET_KEY_VAR"

In a Server Component:

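    import { headers } from "next/headers";
    import { cloakSSROnlySecret } from "ssr-only-secrets";

    const MyServerComponent = () => {
      // Read the per-request nonce from the incoming request headers
      const nonce = headers().get('x-nonce')
      // Pass only the cloaked (encrypted) value across the server/client boundary
      return <ApolloWrapper nonce={cloakSSROnlySecret(nonce, "SECRET_KEY_VAR")} />
    }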

In your ApolloWrapper:

    import { useSSROnlySecret } from "ssr-only-secrets";

    export function ApolloWrapper({
      children,
      nonce,
    }: React.PropsWithChildren<{ nonce?: string }>) {
      // other code, e.g. makeClient
      // Recover the real nonce from the cloaked prop
      const actualNonce = useSSROnlySecret(nonce, "SECRET_KEY_VAR");
      return (
        <ApolloNextAppProvider
          makeClient={makeClient}
          extraScriptProps={{
            nonce: actualNonce,

... (truncated)

Commits
  • b92bc42 Merge pull request from GHSA-rv8p-rr2h-fgpg
  • 4271a8c feat: adds user survey workflow and link in README (#180)
  • 99acf6a chore(deps): update dependency next to v14.1.0 (#177)
  • 2adedfa chore(deps): update all devdependencies (#172)
  • bf8af08 Merge pull request #173 from apollographql/renovate/major-all-dev
  • 6b7d50a Merge branch 'main' into renovate/major-all-dev
  • 3d8ff60 also add & configure eslint-plugin-react-hooks
  • 2976a0c chore(deps): update secops orb to v2.0.7 (#176)
  • 745bda7 chore(deps): update all devdependencies to v6
  • 4930d28 feat: SECOPS-2525 - add semgrep job (#174)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by apollo-bot, a new releaser for @apollo/experimental-nextjs-app-support since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [@apollo/experimental-nextjs-app-support](https://github.com/apollographql/apollo-client-nextjs) from 0.4.3 to 0.7.0.
- [Release notes](https://github.com/apollographql/apollo-client-nextjs/releases)
- [Commits](apollographql/apollo-client-nextjs@v.0.4.3...v.0.7.0)

---
updated-dependencies:
- dependency-name: "@apollo/experimental-nextjs-app-support"
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Jan 30, 2024
@siddhart1o1 siddhart1o1 merged commit b76a65f into main Jan 31, 2024
3 checks passed
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/apollo/experimental-nextjs-app-support-0.7.0 branch January 31, 2024 16:08
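
The 0.6.0 release notes quoted above describe generating a JWK-formatted AES-CBC key, storing it in an environment variable, and cloaking the nonce before it crosses from a Server Component to a Client Component. The following is an added Node.js example of that idea using WebCrypto; it is not code from this PR or from ssr-only-secrets, and `cloak`, `reveal`, `demo` and the `iv.ciphertext` encoding are hypothetical names and formats chosen for illustration.

```javascript
// Added illustration, not the ssr-only-secrets implementation.
// cloak(), reveal() and the "iv.ciphertext" base64 format are hypothetical.
async function getCrypto() {
  // WebCrypto is a global in browsers and recent Node; older Node exposes it here.
  return globalThis.crypto ?? (await import("node:crypto")).webcrypto;
}

// Step 1: create the key once; the JSON string is what goes in the env var.
async function generateJwk() {
  const { subtle } = await getCrypto();
  const key = await subtle.generateKey(
    { name: "AES-CBC", length: 256 }, true, ["encrypt", "decrypt"]);
  return JSON.stringify(await subtle.exportKey("jwk", key));
}

async function loadKey(envVar) {
  const { subtle } = await getCrypto();
  const jwk = JSON.parse(process.env[envVar]);
  return subtle.importKey("jwk", jwk, { name: "AES-CBC" }, false, ["encrypt", "decrypt"]);
}

// Server side: encrypt under the env key with a fresh random IV per call.
async function cloak(secret, envVar) {
  const c = await getCrypto();
  const iv = c.getRandomValues(new Uint8Array(16));
  const ct = await c.subtle.encrypt(
    { name: "AES-CBC", iv }, await loadKey(envVar), new TextEncoder().encode(secret));
  return `${Buffer.from(iv).toString("base64")}.${Buffer.from(ct).toString("base64")}`;
}

// Only a process that has the env var can recover the value.
async function reveal(cloaked, envVar) {
  if (!process.env[envVar]) return undefined; // no key: the prop stays opaque
  const c = await getCrypto();
  const [iv, ct] = cloaked.split(".").map((part) => Buffer.from(part, "base64"));
  const pt = await c.subtle.decrypt({ name: "AES-CBC", iv }, await loadKey(envVar), ct);
  return new TextDecoder().decode(pt);
}

async function demo() {
  process.env.SECRET_KEY_VAR = await generateJwk();
  const nonce = "constructed-nonce-123"; // constructed sample value
  const a = await cloak(nonce, "SECRET_KEY_VAR");
  const b = await cloak(nonce, "SECRET_KEY_VAR");
  const revealed = await reveal(a, "SECRET_KEY_VAR");
  const alg = JSON.parse(process.env.SECRET_KEY_VAR).alg;
  delete process.env.SECRET_KEY_VAR; // simulate a process without the key
  return { alg, a, b, revealed, withoutKey: await reveal(a, "SECRET_KEY_VAR") };
}
```

AES-CBC provides confidentiality only, so a cloaked value protects the nonce from being read in serialized props but does not by itself detect tampering.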