Bump apollo-server-core from 3.6.1 to 3.12.1 in /cer-graphql#426
dependabot[bot] wants to merge 2148 commits into master from
Change activities label to research stage
Bugfix/update csp
Fix failed start up due to Contentful type changes
…search-stage-url RSM-3036: stage: replace search with url
…rsion Update linting.yml
Feature/rsm 3250 search logic
Bumps [apollo-server-core](https://github.com/apollographql/apollo-server/tree/HEAD/packages/apollo-server-core) from 3.6.1 to 3.12.1.
- [Release notes](https://github.com/apollographql/apollo-server/releases)
- [Commits](https://github.com/apollographql/apollo-server/commits/[email protected]/packages/apollo-server-core)
---
updated-dependencies:
- dependency-name: apollo-server-core
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <[email protected]>

Force-pushed e529b66 to 0a45c33
Force-pushed 0a45c33 to a485659
| name: Run linters | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out Git repository | ||
| uses: actions/checkout@v2 | ||
|
|
||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v1 | ||
| with: | ||
| node-version: 18 | ||
|
|
||
| - name: Install Node.js dependencies | ||
| working-directory: ./research-hub-web | ||
| run: npm ci --force | ||
|
|
||
| - name: Install Angular CLI | ||
| run: npm install -g @angular/cli | ||
|
|
||
| - name: ng lint | ||
| working-directory: ./research-hub-web | ||
| run: ng lint |
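Review bot: this job declares no `permissions:` block, so the `GITHUB_TOKEN` handed to it keeps the repository's default scopes while every step shown (checkout, `npm ci`, `ng lint`) only reads the working tree; add `permissions: contents: read` at the workflow root or under the job. Two smaller points on the same lines: `uses: actions/checkout@v2` and `uses: actions/setup-node@v1` are floating major tags on mutable actions, so pin them to a full commit SHA with the version in a trailing comment, and `npm ci --force` makes npm proceed past conflicts (peer-dependency conflicts included) that a plain `npm ci` would stop on, which hides lockfile problems rather than fixing them; fix the lockfile so that `npm ci` runs clean without the flag.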
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 3 days ago):
In general, to fix this class of problem you add an explicit permissions: block either at the workflow root (applies to all jobs) or under the specific job, granting only the scopes actually required. For a pure linting workflow that just checks out the repository and runs local commands, contents: read is typically sufficient, since no job step needs to modify repository contents, issues, PRs, or other resources via the GITHUB_TOKEN.
For this specific file, the minimal, non-disruptive fix is to add a permissions: block at the top level of the workflow (right after name: and before on:) and set contents: read. This will apply to the run-linters job (and any future jobs that don’t override permissions) and document that the workflow only needs read access to repository contents. No other code changes, imports, or new methods are required.
Concretely:
- Edit .github/workflows/linting.yml.
- Insert:
  permissions:
    contents: read
  after line 1 (name: Lint) and before the on: block.
No additional YAML keys or dependencies are needed.
| @@ -1,5 +1,8 @@ | ||
| name: Lint | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| # Trigger the workflow on push or pull request, | ||
| # but only for the main branch |
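Review bot: a root-level `permissions:` block is the right scope for a single-job lint workflow, and `contents: read` is all `actions/checkout` needs. Two things to confirm in the committed file: `permissions:` must sit at column 0 between `name:` and `on:` (indentation is not visible in this excerpt), and any job added to this workflow later that needs to write (to post a check or a comment, for example) must declare its own `permissions:` under the job, because a root block replaces the default scopes rather than adding to them.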
| name: Create Sentry Release | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out Git repository | ||
| uses: actions/checkout@v2 | ||
| - name: Get Branch | ||
| id: var | ||
| run: echo ::set-output name=branch::${GITHUB_REF#refs/*/} | ||
| - name: Output Branch | ||
| run: echo ${{ steps.var.outputs.branch }} | ||
| - name: Notify Sentry | ||
| # https://github.com/getsentry/action-release | ||
| uses: getsentry/[email protected] | ||
| env: | ||
| SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | ||
| SENTRY_ORG: university-of-auckland-7o | ||
| SENTRY_PROJECT: research-hub | ||
| with: | ||
| environment: ${{ steps.var.outputs.branch }} No newline at end of file |
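Review bot: the Get Branch step's `echo ::set-output name=branch::${GITHUB_REF#refs/*/}` uses the `set-output` workflow command, which GitHub deprecated in October 2022 in favour of appending `branch=...` to the file named by `$GITHUB_OUTPUT`; it currently prints a deprecation warning on every run and should be replaced while this file is being touched. Note also that `${GITHUB_REF#refs/*/}` removes only the first two path components, so on a `pull_request`-triggered run (`refs/pull/<n>/merge`) the value passed to Sentry as `environment:` is `<n>/merge`, not a branch name; use `GITHUB_HEAD_REF` for pull requests or limit the workflow to push events.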
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 3 days ago):
In general, the fix is to declare an explicit permissions block that grants only the minimal required permissions to the GITHUB_TOKEN. This can be defined at the workflow root (applies to all jobs) or within the specific job. Since CodeQL flags the job, adding permissions under jobs.sentry-release is clear and minimally invasive.
The single best fix here is to add a permissions section under the sentry-release job with contents: read, which is the minimal starting point suggested by CodeQL and is sufficient for typical use of actions/checkout and external actions that don’t need to push back to the repo or modify GitHub resources. No imports or other definitions are needed; we only modify the YAML in .github/workflows/sentry.yml by inserting the permissions block directly under the job definition, keeping indentation consistent:
- In .github/workflows/sentry.yml, under:
  jobs:
    sentry-release:
      name: Create Sentry Release
      runs-on: ubuntu-latest
- Insert:
      permissions:
        contents: read
This will constrain the GITHUB_TOKEN for that job to read-only repository contents.
| @@ -13,6 +13,8 @@ | ||
| sentry-release: | ||
| name: Create Sentry Release | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
|
|
||
| steps: | ||
| - name: Check out Git repository |
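Review bot: job-level `permissions:` under `sentry-release` is the correct placement, but check the indentation in the committed file: `permissions:` must align with `name:` and `runs-on:` (two levels under `jobs:`) and `contents: read` one level deeper, or the YAML parser rejects the whole workflow. The job's only credential, `secrets.SENTRY_AUTH_TOKEN`, is a repository secret and is not governed by `GITHUB_TOKEN` scopes, so restricting the token to `contents: read` changes nothing for the Notify Sentry step.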
| run: echo ${{ steps.var.outputs.branch }} | ||
| - name: Notify Sentry | ||
| # https://github.com/getsentry/action-release | ||
| uses: getsentry/[email protected] |
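Review bot: the `uses: getsentry/action-release@…` line closing this hunk references the action by version tag, and tags on a third-party action are mutable: whoever can move the tag decides what code runs with `SENTRY_AUTH_TOKEN` in its environment, which is exactly what the CodeQL "Unpinned tag for a non-immutable Action" finding is about. Pin to the full commit SHA of the release you have reviewed, keep the readable version in a trailing `# vX.Y.Z` comment, and let a Dependabot `github-actions` entry bump the SHA; the same applies to `actions/checkout@v2` earlier in this file.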
Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action (Medium)
|
|
||
| module.exports.search = async (event, context) => { | ||
| try { | ||
| console.log(`Received query: ${event.body}`); |
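Review bot: `console.log(\`Received query: ${event.body}\`)` writes the raw request body into the log before anything has validated it, which is the CodeQL log-injection finding: a body containing `\r\n` followed by fabricated text yields a forged log entry, and a body carrying other control characters or terminal escape sequences can corrupt whatever reads the log. Two further points: the entire body is logged, so anything sensitive a caller places in the query lands in the logs, and the call precedes `JSON.parse`, so malformed bodies are logged verbatim as well. Prefer logging a neutralised form (a quoted, control-character-escaped, length-capped rendering, or just the length and a short prefix) rather than the raw string.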
Check warning (Code scanning / CodeQL): Log injection (Medium)
Copilot Autofix (AI, 3 days ago):
In general, to fix log injection issues, sanitize any user-controlled data before including it in log messages. For plain-text logs, a minimal, safe approach is to strip carriage-return and newline characters from user input before logging. You can also clearly delimit or label user input in the log entry. This prevents an attacker from injecting extra log lines while preserving the information value of the logs.
For this specific case, the best minimal fix without changing functionality is to sanitize event.body just for logging, leaving the actual event.body unchanged for parsing with JSON.parse. We will introduce a local variable safeBodyForLog that is derived from event.body with \r and \n removed (using String.prototype.replace and a regular expression). The console.log call will then log safeBodyForLog instead of the raw event.body. No changes are made to how the search works or how the body is parsed.
Concretely in hub-search-proxy/handler.js:
- Around line 53, replace console.log(`Received query: ${event.body}`); with:
  - A new constant safeBodyForLog defined as (event.body || '').toString().replace(/[\r\n]/g, '').
  - A console.log that uses safeBodyForLog.
- No new imports or external libraries are required; we rely only on built-in string methods and regex.
| @@ -50,7 +50,8 @@ | ||
|
|
||
| module.exports.search = async (event, context) => { | ||
| try { | ||
| console.log(`Received query: ${event.body}`); | ||
| const safeBodyForLog = (event.body || '').toString().replace(/[\r\n]/g, ''); | ||
| console.log(`Received query: ${safeBodyForLog}`); | ||
| const requestBody = JSON.parse(event.body); | ||
| let queryString = ''; | ||
| let size = 10; |
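Review bot: the replacement strips only `\r` and `\n`, so it closes the classic forged-line case but leaves every other control character (`\t`, `\x08`, the `\x1b` that starts terminal escape sequences), DEL, and the Unicode line separators U+2028/U+2029 in the logged string, and it still logs the complete body at whatever length the caller sends. A more robust form escapes all control characters and quotes the value (`JSON.stringify(String(event.body ?? ''))` covers the C0 range) and caps the length. Also confirm that the committed file contains only the new `console.log(\`Received query: ${safeBodyForLog}\`)`: the `@@ -50,7 +50,8 @@` counts indicate the original unsanitised call is removed, but the excerpt shows both lines side by side.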
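The sanitising step the Copilot suggestion above describes, carried further as an added example; this is not code from the PR, from hub-search-proxy/handler.js, or from the Copilot suggestion. It assumes an API Gateway-style string `event.body` and a line-oriented text log; `naiveSanitize`, `sanitizeForLog`, `formatQueryLogLine` and the two sample bodies are constructed for this example. It goes beyond the `\r\n` case in the text: it escapes every C0 and C1 control character, DEL and the Unicode line separators, quotes the value so its boundaries are visible, and caps its length.

```javascript
// Added example (not from the PR or the Copilot suggestion): neutralising an
// untrusted request body before it reaches a plain-text log.
// Assumptions: `event.body` is a string as delivered by API Gateway, and the
// log sink is line-oriented and read by humans and log tooling.

// The Copilot fix, kept for comparison: removes only CR and LF.
function naiveSanitize(body) {
  return (body || '').toString().replace(/[\r\n]/g, '');
}

// Every character that can alter log structure or terminal rendering:
// C0 controls U+0000-U+001F (\r, \n, \t, \x1b, ...), DEL U+007F,
// C1 controls U+0080-U+009F, and the line/paragraph separators U+2028/U+2029
// that some log viewers treat as line breaks.
const UNSAFE_FOR_LOG = /[\u0000-\u001f\u007f-\u009f\u2028\u2029]/g;

// Escape each unsafe character as a visible \uXXXX token, then cap the length
// so one oversized body cannot flood the log.
function sanitizeForLog(body, maxLen = 512) {
  const s = body == null ? '' : String(body);
  const escaped = s.replace(UNSAFE_FOR_LOG, (ch) => {
    const hex = ch.codePointAt(0).toString(16).padStart(4, '0');
    return `\\u${hex}`;
  });
  if (escaped.length > maxLen) {
    return `${escaped.slice(0, maxLen)}...[truncated ${escaped.length - maxLen} chars]`;
  }
  return escaped;
}

// The line the handler would emit. Quoting the value delimits it, so a reader
// can tell where caller-controlled text starts and stops; the original length
// is recorded separately because the escaped form is longer.
function formatQueryLogLine(body) {
  const originalLength = body == null ? 0 : String(body).length;
  return `Received query: "${sanitizeForLog(body)}" (length=${originalLength})`;
}

// Constructed samples (not real traffic): a body that appends a forged log
// entry after CRLF, and one that uses U+2028 instead, which the naive fix misses.
const FORGED_BODY = '{"q":"x"}\r\nINFO  Received query: {"q":"admin"} status=200';
const SEPARATOR_BODY = '{"q":"x"}\u2028FAKE second line';

// Side-by-side results for both approaches on both samples.
function demo() {
  return {
    naiveForged: naiveSanitize(FORGED_BODY),
    robustForged: formatQueryLogLine(FORGED_BODY),
    naiveSeparator: naiveSanitize(SEPARATOR_BODY),
    robustSeparator: formatQueryLogLine(SEPARATOR_BODY),
  };
}

// Run directly with node to see the four lines printed.
for (const [label, line] of Object.entries(demo())) console.log(`${label}: ${line}`);
```

In the handler, `sanitizeForLog(event.body)` would replace the `safeBodyForLog` expression from the suggestion and the rest of the function, including `JSON.parse(event.body)`, stays unchanged; the escaped `\u000d\u000a` tokens make an injection attempt visible in the log instead of silently deleting the evidence.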
Bumps apollo-server-core from 3.6.1 to 3.12.1.
Commits
- ea2e2c3 Release
- 1dd45b8 get CI passing
- d38b43b Merge pull request from GHSA-j5g3-5c8r-7qfx
- fac578a Release
- 8554050 Update protobuf (version-3) (#7412)
- 6247d96 Release
- 538151b Release
- 69be2f7 Merge pull request from GHSA-8r69-3cvp-wxc3
- 40fcd3d Backport #7107 (docs: document new usage reporting option)
- f519e1d Release
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.