62e7d940d]:
ebfde0007 Thanks @trevor-scheer! - Add missing nonce on script tag for non-embedded landing pageebfde0007]:
#7617 4ff81ca50 Thanks @trevor-scheer! - Introduce new ApolloServerPluginSubscriptionCallback plugin. This plugin implements the subscription callback protocol which is used by Apollo Router. This feature implements subscriptions over HTTP via a callback URL which Apollo Router registers with Apollo Server. This feature is currently in preview and is subject to change.
You can enable callback subscriptions like so:
import { ApolloServerPluginSubscriptionCallback } from '@apollo/server/plugin/subscriptionCallback';
import { ApolloServer } from '@apollo/server';
const server = new ApolloServer({
// ...
plugins: [ApolloServerPluginSubscriptionCallback()],
});Note that there is currently no tracing or metrics mechanism in place for callback subscriptions. Additionally, this plugin "intercepts" callback subscription requests and bypasses some of Apollo Server's internals. The result of this is that certain plugin hooks (notably executionDidStart and willResolveField) will not be called when handling callback subscription requests or when sending subscription events.
For more information on the subscription callback protocol, visit the docs: https://www.apollographql.com/docs/router/executing-operations/subscription-callback-protocol/
42fc65cb2 Thanks @trevor-scheer! - Update test suite for compatibility with Node v20#7636 42fc65cb2 Thanks @trevor-scheer! - Update test suite for compatibility with Node v20
Updated dependencies [42fc65cb2]:
#7634 f8a8ea08f Thanks @dfperry5! - Updating the ApolloServer constructor to take in a stringifyResult function that will allow a consumer to pass in a function that formats the result of an http query.
Usage:
const server = new ApolloServer({
typeDefs,
resolvers,
stringifyResult: (value: FormattedExecutionResult) => {
return JSON.stringify(value, null, 2);
},
});#7614 4fadf3ddc Thanks @Cellule! - Publish TypeScript typings for CommonJS modules output.
This allows TypeScript projects that use CommonJS modules with
moduleResolution: "node16" or
moduleResolution: "nodeNext"
to correctly resolves the typings of apollo's packages as CommonJS instead of ESM.
Updated dependencies [4fadf3ddc]:
4fadf3ddc]:
#7614 4fadf3ddc Thanks @Cellule! - Publish TypeScript typings for CommonJS modules output.
This allows TypeScript projects that use CommonJS modules with
moduleResolution: "node16" or
moduleResolution: "nodeNext"
to correctly resolves the typings of apollo's packages as CommonJS instead of ESM.
Updated dependencies [4fadf3ddc]:
0adaf80d1 Thanks @trevor-scheer! - Address Content Security Policy issues
The previous implementation of CSP nonces within the landing pages did not take full advantage of the security benefit of using them. Nonces should only be used once per request, whereas Apollo Server was generating one nonce and reusing it for the lifetime of the instance. The reuse of nonces degrades the security benefit of using them but does not pose a security risk on its own. The CSP provides a defense-in-depth measure against a potential XSS, so in the absence of a known XSS vulnerability there is likely no risk to the user.
The mentioned fix also coincidentally addresses an issue with using crypto functions on startup within Cloudflare Workers. Crypto functions are now called during requests only, which resolves the error that Cloudflare Workers were facing. A recent change introduced a precomputedNonce configuration option to mitigate this issue, but it was an incorrect approach given the nature of CSP nonces. This configuration option is now deprecated and should not be used for any reason since it suffers from the previously mentioned issue of reusing nonces.
Additionally, this change adds other applicable CSPs for the scripts, styles, images, manifest, and iframes that the landing pages load.
A final consequence of this change is an extension of the renderLandingPage plugin hook. This hook can now return an object with an html property which returns a Promise<string> in addition to a string (which was the only option before).
#7604 aeb511c7d Thanks @renovate! - Update graphql-http dependency
0adaf80d1 Thanks @trevor-scheer! - Address Content Security Policy issues
The previous implementation of CSP nonces within the landing pages did not take full advantage of the security benefit of using them. Nonces should only be used once per request, whereas Apollo Server was generating one nonce and reusing it for the lifetime of the instance. The reuse of nonces degrades the security benefit of using them but does not pose a security risk on its own. The CSP provides a defense-in-depth measure against a potential XSS, so in the absence of a known XSS vulnerability there is likely no risk to the user.
The mentioned fix also coincidentally addresses an issue with using crypto functions on startup within Cloudflare Workers. Crypto functions are now called during requests only, which resolves the error that Cloudflare Workers were facing. A recent change introduced a precomputedNonce configuration option to mitigate this issue, but it was an incorrect approach given the nature of CSP nonces. This configuration option is now deprecated and should not be used for any reason since it suffers from the previously mentioned issue of reusing nonces.
Additionally, this change adds other applicable CSPs for the scripts, styles, images, manifest, and iframes that the landing pages load.
A final consequence of this change is an extension of the renderLandingPage plugin hook. This hook can now return an object with an html property which returns a Promise<string> in addition to a string (which was the only option before).
Updated dependencies [0adaf80d1]:
#7601 75b668d9e Thanks @trevor-scheer! - Provide a new configuration option for landing page plugins precomputedNonce which allows users to provide a nonce and avoid calling into uuid functions on startup. This is useful for Cloudflare Workers where random number generation is not available on startup (only during requests). Unless you are using Cloudflare Workers, you can ignore this change.
The example below assumes you've provided a PRECOMPUTED_NONCE variable in your wrangler.toml file.
Example usage:
const server = new ApolloServer({
// ...
plugins: [
ApolloServerPluginLandingPageLocalDefault({
precomputedNonce: PRECOMPUTED_NONCE,
}),
],
});75b668d9e]:
c3f04d050 Thanks @trevor-scheer! - Update @apollo/utils.usagereporting dependency. Previously, installing @apollo/gateway and @apollo/server could result in duplicate / differently versioned installs of @apollo/usage-reporting-protobuf. This is because the @apollo/server-gateway-interface package was updated to use the latest protobuf, but the @apollo/utils.usagereporting package was not. After this change, users should always end up with a single install of the protobuf package when installing both @apollo/server and @apollo/gateway latest versions.