@apollo/server@4.0.0-alpha.0 vulnerabilities

@apollo/server is a spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. Successor to apollo-server-core, et al.

Affected versions of this package are vulnerable to Information Exposure when it can log sensitive information, such as Studio API keys, if they are passed incorrectly with leading/trailing whitespace or if they have any characters that are invalid as part of a header value.

Note Users are affected only if all the conditions are true:

• Use either the schema reporting or usage reporting feature.

• Use an Apollo Studio API key which has invalid header values.

• Use the default fetcher (node-fetch) or configure their own node-fetch fetcher

Upgrade @apollo/server to version 4.9.3 or higher.

@apollo/server is a spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. Successor to apollo-server-core, et al.

Affected versions of this package are vulnerable to Cache Poisoning when processing batch POST requests. The cache-control response header can be manipulated to cause data that should not be shared to be accessible by other clients via a reverse proxy such as a CDN, or by a browser.

Plugins assemble separate response headers in parallel for each operation in a batch, and then the header sets are merged together. If plugins set the same header on multiple operations, one value is chosen arbitrarily, and its cache policy is applied. This allows the responses from operations whose policy does not allow caching to be cached.

Upgrade @apollo/server to version 4.1.0 or higher.