You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
(No change; there is a change to the @apollo/server-integration-testsuite used to test integrations, and the two packages always have matching versions.)
#7952bb81b2c Thanks @glasser! - Upgrade dependencies so that automated scans don't detect a vulnerability.
@apollo/server depends on express which depends on cookie. Versions of express older than v4.21.1 depend on a version of cookie vulnerable to CVE-2024-47764. Users of older express versions who call res.cookie() or res.clearCookie() may be vulnerable to this issue.
However, Apollo Server does not call this function directly, and it does not expose any object to user code that allows TypeScript users to call this function without an unsafe cast.
The only way that this direct dependency can cause a vulnerability for users of Apollo Server is if you call startStandaloneServer with a context function that calls Express-specific methods such as res.cookie() or res.clearCookies() on the response object, which is a violation of the TypeScript types provided by startStandaloneServer (which only promise that the response object is a core Node.js http.ServerResponse rather than the Express-specific subclass). So this vulnerability can only affect Apollo Server users who use unsafe JavaScript or unsafe as typecasts in TypeScript.
However, this upgrade will at least prevent vulnerability scanners from alerting you to this dependency, and we encourage all Express users to upgrade their project's own express dependency to v4.21.1 or newer.
#6677 dc5043b
Thanks @enisdenjo! - onError and onEnd callbacks from mapAsyncIterator are invoked only once regardless of how many times throw/return was called
on the iterator
#4440a5bf6c Thanks @angrykoala! - Deprecate Cypher.Path and Cypher.NamedPath in favor of Cypher.PathVariable and Cypher.NamedPathVariable respectively
#3491 7a413bc
Thanks @n1ru4l! - Fix issue where context values being shared between
batched requests.
A bug within @whatwg-node/server caused properties assigned to a batched requests context to be
propagated to all other batched requests contexts. It is resolved by updating the dependency of @whatwg-node/server to 0.9.55.
This release tags multiple updates to dependencies and a clarification in documentation 📚
No changes are needed to update from slackapi/[email protected] - other than bumping the version - but ongoing development is now happening on version @v2 and @v1 is no longer planning to receive significant updates after this.
Please stay tuned for upcoming changes, and may all of your workflows run well ❤️
Fixed Module Federation should track all referenced chunks
Handle Data URI without base64 word
HotUpdateChunk have correct runtime when modified with new runtime
Order of chunks ids in generated chunk code
No extra Javascript chunks when using asset module as an entrypoint
Use optimistically logic for output.environment.dynamicImport to determine chunk format when no browserslist or target
Collision with global variables for optimization.avoidEntryIife
Avoid through variables in inlined module
Allow chunk template strings in output.devtoolNamespace
No extra runtime for get javascript/css chunk filename
No extra runtime for prefetch and preload in JS runtime when it was unsed in CSS
Avoid cache invalidation using ProgressPlugin
Increase parallelism when using importModule on the execution stage
Correctly parsing string in export and import
Typescript types
[CSS]css/auto considers a module depending on its filename as css (pure CSS) or css/local, before it was css/global and css/local
[CSS] Always interpolate classes even if they are not involved in export
[CSS] No extra runtime in Javascript runtime chunks for asset modules used in CSS
[CSS] No extra runtime in Javascript runtime chunks for external asset modules used in CSS
[CSS] No extra runtime for the node target
[CSS] Fixed url()s and @import parsing
[CSS] Fixed - emit a warning on broken :local and :global
New Features
Export CSS and ESM runtime modules
Single Runtime Chunk and Federation eager module hoisting
[CSS] Support /* webpackIgnore: true */ for CSS files
[CSS] Support src() support
[CSS] CSS nesting in CSS modules
Configuration
📅 Schedule: Branch creation - "after 10pm every weekday,before 5am every weekday,every weekend" in timezone Europe/London, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
If you want to rebase/retry this PR, check this box
npm WARN ignoring workspace config at /tmp/renovate/repos/github/neo4j/graphql/examples/subscriptions/yoga_sse/.npmrc
npm ERR! code EUNSUPPORTEDPROTOCOL
npm ERR! Unsupported URL Type "link:": link:../../..
npm ERR! A complete log of this run can be found in:
npm ERR! /tmp/renovate/cache/others/npm/_logs/2024-11-18T15_37_19_594Z-debug-0.log
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
This PR includes no changesets
When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
requested review from
angrykoala,
darrellwarde,
tbwiss,
mjfwebb,
MacondoExpress,
a-alle and
Liam-Doodson
as code owners
![renovate-approve[bot]](https://avatars.githubusercontent.com/in/7394?s=60&v=4){kind=small}
This PR contains the following updates:
4.11.0->4.11.24.11.0->4.11.29.0.8->9.0.97.0.2->7.0.310.0.7->10.0.810.5.5->10.5.610.0.12->10.0.161.22.2->1.22.420.17.2->20.17.68.5.12->8.5.139.0.1->9.1.028.8.3->28.9.05.7.0->5.10.29.1.6->9.1.713.5.5->13.5.62.12.0->2.13.0v1.27.0->v1.27.14.1.0->4.2.05.95.0->5.96.1Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
apollographql/apollo-server (@apollo/server)
v4.11.2Compare Source
(No change; there is a change to the
@apollo/server-integration-testsuiteused to test integrations, and the two packages always have matching versions.)v4.11.1Compare Source
Patch Changes
#7952
bb81b2cThanks @glasser! - Upgrade dependencies so that automated scans don't detect a vulnerability.@apollo/serverdepends onexpresswhich depends oncookie. Versions ofexpressolder than v4.21.1 depend on a version ofcookievulnerable to CVE-2024-47764. Users of olderexpressversions who callres.cookie()orres.clearCookie()may be vulnerable to this issue.However, Apollo Server does not call this function directly, and it does not expose any object to user code that allows TypeScript users to call this function without an unsafe cast.
The only way that this direct dependency can cause a vulnerability for users of Apollo Server is if you call
startStandaloneServerwith a context function that calls Express-specific methods such asres.cookie()orres.clearCookies()on the response object, which is a violation of the TypeScript types provided bystartStandaloneServer(which only promise that the response object is a core Node.jshttp.ServerResponserather than the Express-specific subclass). So this vulnerability can only affect Apollo Server users who use unsafe JavaScript or unsafeastypecasts in TypeScript.However, this upgrade will at least prevent vulnerability scanners from alerting you to this dependency, and we encourage all Express users to upgrade their project's own
expressdependency to v4.21.1 or newer.ardatan/graphql-tools (@graphql-tools/merge)
v9.0.9Compare Source
Patch Changes
[
dc5043b]:ardatan/graphql-tools (@graphql-tools/resolvers-composition)
v7.0.3Compare Source
Patch Changes
[
dc5043b]:ardatan/graphql-tools (@graphql-tools/schema)
v10.0.8Compare Source
Patch Changes
[
dc5043b]:ardatan/graphql-tools (@graphql-tools/utils)
v10.5.6Compare Source
Patch Changes
dc5043bThanks @enisdenjo! -
onErrorandonEndcallbacks frommapAsyncIteratorare invoked only once regardless of how many timesthrow/returnwas calledon the iterator
ardatan/graphql-tools (@graphql-tools/wrap)
v10.0.16Compare Source
v10.0.15Compare Source
Patch Changes
[
342e044]:v10.0.14Compare Source
Patch Changes
[
e9906eb]:v10.0.13Compare Source
Patch Changes
[
da1de08]:neo4j/cypher-builder (@neo4j/cypher-builder)
v1.22.4Compare Source
Patch Changes
e0d7f4bThanks @angrykoala! - DeprecatesCypherEnvironmentexported types in favor ofRawCypherContextfor usage inCypher.Rawv1.22.3Compare Source
Patch Changes
#444
be3c49eThanks @angrykoala! - DeprecateassignToPathin clauses in favor ofassignToin PatternBefore:
Now:
Generates the Cypher:
#444
0a5bf6cThanks @angrykoala! - DeprecateCypher.PathandCypher.NamedPathin favor ofCypher.PathVariableandCypher.NamedPathVariablerespectivelyopen-cli-tools/concurrently (concurrently)
v9.1.0Compare Source
What's Changed
New Contributors
Full Changelog: open-cli-tools/concurrently@v9.0.1...v9.1.0
jest-community/eslint-plugin-jest (eslint-plugin-jest)
v28.9.0Compare Source
Features
28.8.3 (2024-09-04)
Bug Fixes
28.8.2 (2024-09-02)
Performance Improvements
28.8.1 (2024-08-29)
Bug Fixes
dotansimha/graphql-yoga (graphql-yoga)
v5.10.2Compare Source
Patch Changes
#3491
7a413bcThanks @n1ru4l! - dependencies updates:
@whatwg-node/server@^0.9.55↗︎(from
^0.9.54, independencies)#3491
7a413bcThanks @n1ru4l! - Fix issue where context values being shared between
batched requests.
A bug within
@whatwg-node/servercaused properties assigned to a batched requests context to bepropagated to all other batched requests contexts. It is resolved by updating the dependency of
@whatwg-node/serverto0.9.55.v5.10.1Compare Source
Patch Changes
20cd9b6Thanks @ardatan! - dependencies updates:
@whatwg-node/fetch@^0.10.1↗︎(from
^0.9.22, independencies)@whatwg-node/server@^0.9.54↗︎(from
^0.9.50, independencies)v5.10.0Compare Source
Minor Changes
f81501cThanks @maeldur! - Correctly handle HTTP GET requests with
?characters in the query search string.
v5.9.0Compare Source
Minor Changes
87ee333Thanks @n1ru4l! - Inject initial context into
onParamshook.Patch Changes
2523d9fThanks @kroupacz! - ### Fixed
versionv5.8.0Compare Source
Minor Changes
18fe916Thanks @kroupacz! - Add
versionproperty to get version of YogaPatch Changes
6bb19edThanks @ardatan! - dependencies updates:
@whatwg-node/fetch@^0.9.22↗︎(from
^0.9.18, independencies)@whatwg-node/server@^0.9.50↗︎(from
^0.9.44, independencies)typicode/husky (husky)
v9.1.7Compare Source
nock/nock (nock)
v13.5.6Compare Source
Bug Fixes
parcel-bundler/parcel (parcel)
v2.13.0Compare Source
Added
Core
Bundler
Dev Server
Resolver
Fixed
Core
Bundler
JavaScript
process.envreplacer to use SWC VisitMut – Details__filenameand__dirnamereplace to use SWC VisitMut – DetailsResolver
TypeScript
SASS
SVG
Image
Vue
Web Extensions
slackapi/slack-github-action (slackapi/slack-github-action)
v1.27.1: Slack Send V1.27.1Compare Source
What's changed
This release tags multiple updates to dependencies and a clarification in documentation 📚
No changes are needed to update from
slackapi/[email protected]- other than bumping the version - but ongoing development is now happening on version@v2and@v1is no longer planning to receive significant updates after this.Please stay tuned for upcoming changes, and may all of your workflows run well ❤️
📚 Documentation
🧪 Maintenance
📦 Dependencies
Full Changelog: slackapi/slack-github-action@v1.27.0...v1.27.1
dividab/tsconfig-paths-webpack-plugin (tsconfig-paths-webpack-plugin)
v4.2.0Compare Source
Added
Fixed
webpack/webpack (webpack)
v5.96.1Compare Source
v5.96.0Compare Source
Bug Fixes
output.environment.dynamicImportto determine chunk format when no browserslist or targetoptimization.avoidEntryIifeoutput.devtoolNamespaceimportModuleon the execution stageexportandimportcss/autoconsiders a module depending on its filename ascss(pure CSS) orcss/local, before it wascss/globalandcss/localnodetargeturl()s and@importparsingNew Features
/* webpackIgnore: true */for CSS filessrc()supportConfiguration
📅 Schedule: Branch creation - "after 10pm every weekday,before 5am every weekday,every weekend" in timezone Europe/London, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.