-
-
Notifications
You must be signed in to change notification settings - Fork 7.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(deps): update dependency @apollo/gateway to v2.8.5 [security] #14078
Open
renovate
wants to merge
1
commit into
master
Choose a base branch
from
renovate/npm-apollo-gateway-vulnerability
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+3
−3
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Pull Request Test Coverage Report for Build 22ff6904-22ee-4000-8a1e-e56c2f1bdfc0Details
💛 - Coveralls |
renovate
bot
force-pushed
the
renovate/npm-apollo-gateway-vulnerability
branch
from
November 16, 2024 20:19
df666d6
to
787abb0
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.4.8
->2.8.5
GitHub Vulnerability Alerts
CVE-2024-43414
Impact
Instances of @apollo/query-planner >=2.0.0 and <2.8.5 are impacted by a denial-of-service vulnerability. @apollo/gateway versions >=2.0.0 and < 2.8.5 and Apollo Router <1.52.1 are also impacted through their use of @apollo/query-planner.
If @apollo/query-planner is asked to plan a sufficiently complex query, it may loop infinitely and never complete. This results in unbounded memory consumption and either a crash or out-of-memory (OOM) termination.
This issue can be triggered if you have at least one non-
@key
field that can be resolved by multiple subgraphs. To identify these shared fields, the schema for each subgraph must be reviewed. The mechanism to identify shared fields varies based on the version of Federation your subgraphs are using.You can check if your subgraphs are using Federation 1 or Federation 2 by reviewing their schemas. Federation 2 subgraph schemas will contain a
@link
directive referencing the version of Federation being used while Federation 1 subgraphs will not. For example, in a Federation 2 subgraph, you will find a line like@link(url: "https://specs.apollo.dev/federation/v2.0")
. If a similar@link
directive is not present in your subgraph schema, it is using Federation 1. Note that a supergraph can contain a mix of Federation 1 and Federation 2 subgraphs.To review Federation 1 subgraphs for impact:
In Federation 1 subgraphs, fields are implicitly shareable across subgraphs. To review for impact, you will need to review for cases where multiple subgraphs can resolve the same field. For example:
To review Federation 2 subgraphs for impact:
In Federation 2 subgraphs, fields must be explicitly defined as shareable across subgraphs. This is done via the
@shareable
directive. For example:Impact Detail
This issue results from the Apollo query planner attempting to use a
Number
exceeding Javascript’sNumber.MAX_VALUE
in some cases. In Javascript,Number.MAX_VALUE
is (2^1024 - 2^971).When the query planner receives an inbound graphql request, it breaks the query into pieces and for each piece, generates a list of potential execution steps to solve the piece. These candidates represent the steps that the query planner will take to satisfy the pieces of the larger query. As part of normal operations, the query planner requires and calculates the number of possible query plans for the total query. That is, it needs the product of the number of query plan candidates for each piece of the query. Under normal circumstances, after generating all query plan candidates and calculating the number of all permutations, the query planner moves on to stack rank candidates and prune less-than-optimal options.
In particularly complex queries, especially those where fields can be solved through multiple subgraphs, this can cause the number of all query plan permutations to balloon. In worst-case scenarios, this can end up being a number larger than
Number.MAX_VALUE
. In Javascript, ifNumber.MAX_VALUE
is exceeded, Javascript represents the value as “infinity”. If the count of candidates is evaluated as infinity, the component of the query planner responsible for pruning less-than-optimal query plans does not actually prune candidates, causing the query planner to evaluate many orders of magnitude more query plan candidates than necessary.A given graph’s exposure to this issue varies based on its complexity. Consider the following Federation 2 subgraphs:
The query planner can solve requests for
Query.field
in one of two ways - either by querying subgraph 1 or subgraph 2.The following query with 1024 aliased fields would trigger this issue because 2^1024 >
Number.MAX_VALUE
:However, in a graph that provided 5 options to solve a given field, the bug could be encountered in a query that aliased the field approximately 440 times.
Patches
@apollo/query-planner 2.8.5
@apollo/gateway 2.8.5
Apollo Router 1.52.1
Workarounds
This issue can be avoided by ensuring there are no fields resolvable from multiple subgraphs. If all subgraphs are using Federation 2, you can confirm that you are not impacted by ensuring that none of your subgraph schemas use the
@shareable
directive. If you are using Federation 1 subgraphs, you will need to validate that there are no fields resolvable by multiple subgraphs.Note that a supergraph can contain a mix of Federation 1 and Federation 2 subgraphs.
If you do have fields resolvable by multiple subgraphs, changing this behavior in response to this issue may be risky to the operation of your supergraph. We recommend that you update to a patched version of either Apollo Router or Apollo Gateway.
Apollo customers with an enterprise entitlement using the Apollo Router can also mitigate much of the risk from this issue by implementing Apollo’s Persisted Queries (PQ) feature. With PQ enabled, the Apollo Router will only execute safelisted queries. While customers would need to ensure that queries that induce this issue are not added to the safelist, PQs would mitigate the risk of clients submitting ad hoc queries that exploit this issue.
References
Additional information on Query Plans
Release Notes
apollographql/federation (@apollo/gateway)
v2.8.5
Compare Source
v2.8.4
Compare Source
Patch Changes
4d9e0f6390c5114132d205ab73b6aa1b9ffa8cd8
,5f4bb160d024678d6facd471c43c8ec61c86e701
,672aca7cbeb0a6a38586357a4e154f2dd91caa0c
]:v2.8.3
Compare Source
Patch Changes
38debcf2f9af1a719bd1c8acbd9335efa8427ddb
,50d648ccffb05591878de75dc5522914ed48698f
,860aace9904e787f9bf05aad94be5b5920f10543
,67b70c6e68b1cdbf8f03dacafd636e27ed9b7814
,f753d55e9a49d11389ee4f8d7976533447e95ede
,f5f6a799d6b3675eecb0eaec7a816d746cd136b2
,42bd27af6a23bcfdd36951dbfa3fb9f7ba833f3a
,f376447a820e3c0ae41d16d1fd3b681d2f1e8c14
,3af790517d662f3bec9064c0bf243014c579e9cd
]:v2.8.2
Compare Source
Patch Changes
b2e5ab66f84688ec304cfcf2c6f749c86aded549
]:v2.8.1
Compare Source
Patch Changes
61f2b6b12ee83e7ecb6509f7131f9412a37e194b
]:v2.8.0
Compare Source
Minor Changes
Implement new directives to allow getting and setting context. This allows resolvers to reference and access data referenced by entities that exist in the GraphPath that was used to access the field. The following example demonstrates the ability to access the
prop
field within the Child resolver. (#2988)Patch Changes
Various set context bugfixes (#3017)
Updated dependencies [
c4744da360235d8bb8270ea048f0e0fa5d03be1e
,8a936d741a0c05835ff2533714cf330d18209179
,daf36bd242ba4db0cfcf0e18c1eed235ff0dfaf2
]:v2.7.8
Compare Source
Patch Changes
Triggering a clean 2.7.8 release now that harmonizer build has been fixed. (#3010)
Updated dependencies [
2ad72802044310a528e8944f4538efe519424504
]:v2.7.7
Compare Source
Patch Changes
No logical changes since 2.7.5 or 2.7.6, but we fixed a bug in the release process, so we need to publish a new patch version (2.7.7). (#2999)
Updated dependencies [
bee0b0828b4fb6a1d3172ac330560e2ab6c046bb
]:v2.7.6
Compare Source
Patch Changes
856a82b1deca625b75145edd6328bed23abee33a
]:v2.7.5
Compare Source
Patch Changes
af4376f348d21ad4d8eca0e3d2a170600f391e4d
]:v2.7.4
Compare Source
Patch Changes
d80b7f0ca1456567a0866a32d2b2abf940598f77
,c89d8287e88d12cfd34c1baf1f42db672731b8a7
]:v2.7.3
Compare Source
Patch Changes
ec04c50b4fb832bfd281ecf9c0c2dd7656431b96
,3e2c845c74407a136b9e0066e44c1ad1467d3013
,a494631918156f0431ceace74281c076cf1d5d51
]:v2.7.2
Compare Source
Patch Changes
Remove out-of-band reporting in the gateway and provide a warning for users who have the endpoint configured. (#2946)
Updated dependencies [
33b937b18d3c7ca6af14b904696b536399e597d1
,09cd3e55e810ee513127b7440f5b11af7540c9b0
,d7189a86c27891af408d3d0184db6133d3342967
,33506bef6d755c58400081824167711c1747ee40
,1f72f2a361a83ebaaf15ae052f5ca9a93fc18bfc
]:v2.7.1
Compare Source
Patch Changes
493f5acd16ad92adf99c963659cd40dc5eac1219
]:v2.7.0
Compare Source
Minor Changes
Implement progressive
@override
functionality (#2911)The progressive
@override
feature brings a new argument to the@override
directive:label: String
. When a label is added to an@override
application, the override becomes conditional, depending on parameters provided to the query planner (a set of which labels should be overridden). Note that this feature will be supported in router for enterprise users only.Out-of-the-box, the router will support a percentage-based use case for progressive
@override
. For example:The above example will override the root
hello
field from the "original" subgraph 5% of the time.More complex use cases will be supported by the router via the use of coprocessors/rhai to resolve arbitrary labels to true/false values (i.e. via a feature flag service).
Patch Changes
6ae42942b13dccd246ccc994faa2cb36cd62cb3c
,66833fb8d04c9376f6ed476fed6b1ca237f477b7
,931f87c6766c7439936df706727cbdc0cd6bcfd8
]:v2.6.3
Compare Source
Patch Changes
038cf0dbbfb0e2978b69f0a14bfd2c38b0cd1326
,69495b4810f3268c45a31f9d12e4f9cde2c447b5
]:v2.6.2
Compare Source
Patch Changes
7b5b836d15247c997712a47847f603aa5887312e
,74ca7dd617927a20d79b824851f7651ef3c40a4e
,ffe67dfbdb77d15dde2ab6dee66dba05c7b5c037
]:v2.6.1
Compare Source
Patch Changes
0d5ab01a
]:v2.6.0
Compare Source
Minor Changes
Add more information to OpenTelemetry spans. (#2700)
Rename
operationName
tographql.operation.name
and add agraphql.operation.type
attribute, in conformance with the OpenTelemetrySemantic Conventions for GraphQL. The
operationName
attribute is nowdeprecated, but it is still emitted alongside
graphql.operation.name
.Add a
graphql.document
span attribute to thegateway.request
span,containing the entire GraphQL source sent in the request. This feature
is disable by default.
When one or more GraphQL or internal errors occur, report them in the
OpenTelemetry span in which they took place, as an exception event. This
feature is disabled by default.
To enable the
graphql.document
span attribute and the exception eventreporting, add the following entries to your
ApolloGateway
instanceconfiguration:
Update
license
field inpackage.json
to useElastic-2.0
SPDX identifier (#2741)Introduce the new
@policy
scope for composition (#2818)Users may now compose
@policy
applications from their subgraphs into a supergraph.The directive is defined as follows:
The
Policy
scalar is effectively aString
, similar to theFieldSet
type.In order to compose your
@policy
usages, you must update your subgraph's federation spec version to v2.6 and add the@policy
import to your existing imports like so:@​link(url: "https://specs.apollo.dev/federation/v2.6", import: [..., "@​policy"])
Add graphql.operation.name attribute on gateway.plan span (#2807)
Patch Changes
b18841be
,e325b499
]:v2.5.7
Compare Source
Patch Changes
a0bdd7cb
]:v2.5.6
Compare Source
Patch Changes
c719214a
]:v2.5.5
Compare Source
Patch Changes
Fix specific case for requesting __typename on interface entity type (#2775)
In certain cases, when resolving a __typename on an interface entity (due to it actual being requested in the operation), that fetch group could previously be trimmed / treated as useless. At a glance, it appears to be a redundant step, i.e.:
It's actually necessary to preserve this in the case that we're coming from an interface object to an (entity) interface so that we can resolve the concrete __typename correctly.
Don't preserve useless fetches which downgrade __typename from a concrete type back to its interface type. (#2778)
In certain cases, the query planner was preserving some fetches which were "useless" that would rewrite __typename from its already-resolved concrete type back to its interface type. This could result in (at least) requested fields being "filtered" from the final result due to the interface's __typename in the data where the concrete type's __typename was expected.
Specifically, the solution was compute the path between newly created groups and their parents when we know that it's trivial (
[]
). Further along in the planning process, this allows to actually remove the known-useless group.Propagate type information when renaming entity fields (#2776)
Aliased entity fields might have been incorrectly overwritten if multiple fields/aliases shared the same name. Query planner automatically renames conflicting fields to ensure we can always generate a valid GraphQL query. The underlying issue was that this key rewriting logic was assuming the same type of an object. In case of entity queries asking for those aliased fields, we ended up always attempting to apply field renaming logic regardless, whether or not a given entity was of the correct type. This fix ensures that the query planner logic correctly accounts for the object type when applying field renaming logic.
Updated dependencies [
66d7e4ce
,a37bbbf6
]:v2.5.4
Compare Source
Patch Changes
Adds header to change the format of exposed query plans, and allows formatting it as json. (#2724)
When the gateway is configured to allow it, adding the
Apollo-Query-Plan-Experimental
header to a request already allowed a "prettified" text version of the query plan used for the query is returned in the response extension. This changes adds support for a new (optional) accompanying header,Apollo-Query-Plan-Experimental-Format
, which can be set to the value "internal" to have the query plan returned as a json object (that correspond to the internal representation of that query plan) instead of the text version otherwise sent. Note that if that new header is not provided, then the query plan continues to be send in the previous prettified text version.Fix some potentially incorrect query plans with
@requires
when some dependencies are involved. (#2726)In some rare case of
@requires
, an over-eager optimisation was incorrectly considering thata dependency between 2 subgraph fetches was unnecessary, leading to doing 2 subgraphs queries
in parallel when those should be done sequentially (because the 2nd query rely on results
from the 1st one). This effectively resulted in the required fields not being provided (the
consequence of which depends a bit on the resolver detail, but if the resolver expected
the required fields to be populated (as they should), then this could typically result
in a message of the form
GraphQLError: Cannot read properties of null
).Updated dependencies [
203b0a44
]:v2.5.3
Compare Source
Patch Changes
Fix execution error in some cases where aliases are used and some values are
null
. (#2716)The error would manifest itself as an
INTERNAL_SERVER_ERROR
with a message of the formCannot read properties of null
.Updated dependencies [
4b9a512b
,c6e0e76d
,1add932c
,6f1fddb2
]:v2.5.2
Compare Source
Patch Changes
Remove extraneous call to
span.setStatus()
on a span which has already ended. (#2697)In cases where a subgraph responded with an error, we would sometimes try to set
the status of a span which had already ended. This resulted in a warning log to
the console (but no effect otherwise). This warning should no longer happen.
Fix
fallbackPollIntervalInMs
behavior. (#2709)The
fallbackPollIntervalInMs
serves 2 purposes:The second bullet is how the configuration option is documented, but not how it was previously implemented. This change corrects the behavior to respect this configuration if it's provided AND is longer than the Uplink interval.
Updated dependencies [
35179f08
]:v2.5.1
Compare Source
Patch Changes
Reapply #2639: (#2687)
Try reusing named fragments in subgraph fetches even if those fragment only apply partially to the subgraph. Before this change, only named fragments that were applying entirely to a subgraph were tried, leading to less reuse that expected. Concretely, this change can sometimes allow the generation of smaller subgraph fetches.
Additionally, resolve a bug which surfaced in the fragment optimization logic which could result in invalid/incorrect optimizations / fragment reuse.
Updated dependencies [
b9052fdd
]:v2.5.0
Compare Source
Minor Changes
Do not run the full suite of graphQL validations on supergraphs and their extracted subgraphs by default in production environment. (#2657)
Running those validations on every updates of the schema takes a non-negligible amount of time (especially on large
schema) and mainly only serves in catching bugs early in the supergraph handling code, and in some limited cases,
provide slightly better messages when a corrupted supergraph is received, neither of which is worth the cost in
production environment.
A new
validateSupergraph
option is also introduced in the gateway configuration to force this behaviour.Support responses from subgraphs which use the
application/graphql-response+json
content-type header. (#2162)See graphql-over-http spec for more details:
https://graphql.github.io/graphql-over-http/draft/#sec-application-graphql-response-json
Introduce the new
@authenticated
directive for composition (#2644)Users may now compose
@authenticated
applications from their subgraphs into a supergraph. This addition will support a future version of Apollo Router that enables authenticated access to specific types and fields via directive applications.The directive is defined as follows:
In order to compose your
@authenticated
usages, you must update your subgraph's federation spec version to v2.5 and add the@authenticated
import to your existing imports like so:@​link(url: "https://specs.apollo.dev/federation/v2.5", import: [..., "@​authenticated"])
Introduce the new
@requiresScopes
directive for composition (#2649)Users may now compose
@requiresScopes
applications from their subgraphs into a supergraph. This addition will support a future version of Apollo Router that enables scoped access to specific types and fields via directive applications.The directive is defined as follows:
The
Scope
scalar is effectively aString
, similar to theFieldSet
type.In order to compose your
@requiresScopes
usages, you must update your subgraph's federation spec version to v2.5 and add the@requiresScopes
import to your existing imports like so:@​link(url: "https://specs.apollo.dev/federation/v2.5", import: [..., "@​requiresScopes"])
Patch Changes
fe1e3d7b
,aac2893a
,6b18af50
,9396c0d6
,2b5796a9
,4f3c3b9e
]:v2.4.13
Compare Source
Patch Changes
f2264cf6
]:v2.4.12
Compare Source
Patch Changes
Remove extraneous call to
span.setStatus()
on a span which has already ended. (#2717)In cases where a subgraph responded with an error, we would sometimes try to set
the status of a span which had already ended. This resulted in a warning log to
the console (but no effect otherwise). This warning should no longer happen.
Fix
fallbackPollIntervalInMs
behavior. (#2717)The
fallbackPollIntervalInMs
serves 2 purposes:The second bullet is how the configuration option is documented, but not how it was previously implemented. This change corrects the behavior to respect this configuration if it's provided AND is longer than the Uplink interval.
Updated dependencies [
693c2433
]:v2.4.11
Compare Source
Patch Changes
Reapply #2639: (#2684)
Try reusing named fragments in subgraph fetches even if those fragment only apply partially to the subgraph. Before this change, only named fragments that were applying entirely to a subgraph were tried, leading to less reuse that expected. Concretely, this change can sometimes allow the generation of smaller subgraph fetches.
Additionally, resolve a bug which surfaced in the fragment optimization logic which could result in invalid/incorrect optimizations / fragment reuse.
Updated dependencies [
a740e071
]:v2.4.10
Compare Source
Patch Changes
Revert #2639 from v2.4.9 (#2681)
PR #2639 attempts to resolve issues with query fragment reuse, but we've since turned up multiple issues (at least 1 of which is a regression - see #2680. For now, this reverts it until we resolve the regression for a future patch release.
Updated dependencies [
b6be9f96
]:v2.4.9
Compare Source
Patch Changes
Try reusing named fragments in subgraph fetches even if those fragment only apply partially to the subgraph. Before this change, only named fragments that were applying entirely to a subgraph were tried, leading to less reuse that expected. Concretely, this change can sometimes allow the generation of smaller subgraph fetches. (#2639)
Updated dependencies [
7ac83456
,d60349b3
,1bb7c512
,02eab3ac
,fd4545c2
]:Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.