Avoid ws CVE-2021-32640 #5285
Merged
Avoid ws CVE-2021-32640 #5285
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Apollo Server 2 depends on `subscriptions-transport-ws` for a superficial implementation of GraphQL subscription support. (Apollo Server 3.0.0 will not have built-in subscription support.) This unmaintained package depended on `ws` v5. All releases of v5 `ws` have a server DOS vulnerability: https://www.npmjs.com/advisories/1748 This change: - Removes the direct dependency on `ws` from `apollo-server-core`. This dependency was only used for types, so its imports have been changed to `import type` which pulls from `@types/ws`. - Updates the `subscriptions-transport-ws` dependency in `apollo-server-core` and `apollo-server-express` to the newly-released 0.9.19, which allows for `ws` v6 and v7. This means that via appropriate `npm` installations, you can install one of the non-vulnerable versions (6.2.2+ or 7.4.6+). Note that there are backwards incompatible changes in ws v6 and v7; see https://github.com/websockets/ws/releases/tag/6.0.0 and https://github.com/websockets/ws/releases/tag/7.0.0 for details. - Does some other small upgrades of ws-related packages. Note that the best way to protect yourself from this vulnerability is to avoid using the unmaintained `subscriptions-transport-ws` entirely by passing `subscriptions: false` to `new ApolloServer` and (if you do need to use subscriptions) using a maintained GraphQL subscription server such as `graphql-ws`.
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Apollo Server 2 depends on
subscriptions-transport-wsfor asuperficial implementation of GraphQL subscription support. (Apollo
Server 3.0.0 will not have built-in subscription support.) This
unmaintained package depended on
wsv5. All releases of v5wshave aserver DOS vulnerability: https://www.npmjs.com/advisories/1748
This change:
wsfromapollo-server-core. Thisdependency was only used for types, so its imports have been changed
to
import typewhich pulls from@types/ws.subscriptions-transport-wsdependency inapollo-server-coreandapollo-server-expressto the newly-released0.9.19, which allows for
wsv6 and v7. This means that viaappropriate
npminstallations, you can install one of thenon-vulnerable versions (6.2.2+ or 7.4.6+). Note that there are
backwards incompatible changes in ws v6 and v7; see
https://github.com/websockets/ws/releases/tag/6.0.0 and
https://github.com/websockets/ws/releases/tag/7.0.0 for details.
Note that the best way to protect yourself from this vulnerability is to
avoid using the unmaintained
subscriptions-transport-wsentirely bypassing
subscriptions: falsetonew ApolloServerand (if you do needto use subscriptions) using a maintained GraphQL subscription server
such as
graphql-ws.