From 3f4fe5aaf9c471d6ff96dfa93f0df608766b29c4 Mon Sep 17 00:00:00 2001
From: David Glasser
Date: Thu, 18 Aug 2022 11:10:33 -0700
Subject: [PATCH] Backport #5537 to AS2 (#6829)
Part of https://github.com/apollographql/federation/issues/2077
---
 CHANGELOG.md | 4 ++++
 packages/apollo-server-env/src/fetch.d.ts | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a8859ff0a9b..ecf2b4cdde5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,10 @@ The version headers in this history reflect the versions of Apollo Server itself > The changes noted within this `vNEXT` section have not been released yet. New PRs and commits which introduce changes should include an entry in this `vNEXT` section as part of their development. With few exceptions, the format of the entry should follow convention (i.e., prefix with package name, use markdown `backtick formatting` for package names and code, suffix with a link to the change-set à la `[PR #YYY](https://link/pull/YYY)`, etc.). When a release is being prepared, a new header will be (manually) created below and the appropriate changes within that release will be moved into the new section. +## v2.26.0 + +- Backport [PR #5537](https://github.com/apollographql/apollo-server/pull/5537) from Apollo Server 3. This fixes a TypeScript declaration relating to the Fetch API. We believe this will make it possible to use Apollo Server 2 with Apollo Gateway 0.52.0. (This change does not provide any functionality other than hopefully fixing some TypeScript builds, so if it turns out that this breaks your TypeScript build instead, just don't take the upgrade. We encourage you to upgrade to actively supported Apollo major versions instead.) [PR #6829](https://github.com/apollographql/apollo-server/pull/6829) + ## v2.25.4 - ⚠️ **SECURITY**: If your server does not explicitly enable `graphql-upload` support via the `uploads` option to `new ApolloServer` and your schema does not use the `Upload` scalar (other than in its own definition), Apollo Server will not process the `multipart/form-data` requests sent by `graphql-upload` clients. This fixes a Cross-Site Request Forgery (CSRF) vulnerability where origins could cause browsers to execute mutations using a user's cookies even when those origins are not allowed by your CORS policy. 
If you *do* use uploads in your server, the vulnerability still exists with this version; you should instead upgrade to Apollo Server v3.7 and enable the CSRF prevention feature. (The AS3.7 CSRF prevention feature also protects against other forms of CSRF such as timing attacks against read-only query operations.) See [advisory GHSA-2p3c-p3qw-69r4](https://github.com/apollographql/apollo-server/security/advisories/GHSA-2p3c-p3qw-69r4) for more details.
diff --git a/packages/apollo-server-env/src/fetch.d.ts b/packages/apollo-server-env/src/fetch.d.ts
index 04932f68b14..b6e5e5633bc 100644
--- a/packages/apollo-server-env/src/fetch.d.ts
+++ b/packages/apollo-server-env/src/fetch.d.ts
@@ -21,7 +21,7 @@ export declare class Headers implements Iterable<[string, string]> {
 entries(): Iterator<[string, string]>;
 keys(): Iterator;
- values(): Iterator<[string]>;
+ values(): Iterator;
 [Symbol.iterator](): Iterator<[string, string]>;
 }
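Review bot: The new-side `values()` line is still declared as returning a plain `Iterator` (its type argument appears to have been stripped in this rendering; PR #5537 makes it `Iterator<string>`), and TypeScript's `Iterator<T>` carries no `[Symbol.iterator]`, so `for (const v of headers.values())` will still fail to type-check against this declaration after the fix, whereas `lib.dom.iterable.d.ts` declares these accessors as `IterableIterator<...>`. If the backport is deliberately limited to what Apollo Gateway 0.52.0 needs this may be out of scope, but the same narrowing applies to the two sibling lines in the hunk, e.g. `entries(): IterableIterator<[string, string]>; keys(): IterableIterator<string>; values(): IterableIterator<string>;`. Because this is a `.d.ts` with no runtime behavior, a compile-only check that iterates over `values()` with `for...of` (or a `// @ts-expect-error` guard on the old tuple element type) would pin the contract and catch the next regression in CI. The `Headers` class declaration starts above the hunk; only its tail is visible here.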