You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Allow bumping make-fetch-happen dependency to v15. (#3374)
This change allows users to upgrade make-fetch-happen to v15, which in turn will allow updating the cacache dependency from v17 to v20, dropping the tar v6 dependency that is marked as vulnerable.
The only breaking changes in make-fetch-happen from v11 to v15 are removals of support for old end-of-life Node.js versions.
There is only one note from the 12.0.0 release of make-fetch-happen that might be of interest when considering the upgrade:
this changes the underlying http agents to those provided by @npmcli/agent. Backwards compatibility should be fully implemented but due to the scope of this change it was made a breaking change out of an abundance of caution.
As a result, it should be possible for most users to upgrade from v11 to v15 without any issues.
We still keep the dependency to v11 as an alternative for people that cannot upgrade to v15 for some reason. This will be removed in a future version of @apollo/gateway.
Even for users that stay on v11, there should not be any immediate danger. While cacache had tar v6 as a dependency, it actually never used it. It seems that that dependency had become unused at some point but was never removed. So users on make-fetch-happen v11 are not actually affected by the vulnerability in tar v6.
The dependency might hold the tar package required by other packages back, though. In case an update from v11 to v15 is not possible, users should consider to use the resolution override feature of their package manager to force the dependency from cacache to tar to either be removed or updated to a newer version. As cacache does not actually use tar, this should not cause any issues.
This version was pushed to npm by dkuc, a new releaser for @apollo/gateway since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You have signed the CLA already but the status is still pending? Let us recheck it.
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You have signed the CLA already but the status is still pending? Let us recheck it.
This PR applies a Dependabot-generated security patch, bumping @apollo/gateway from 2.12.2 to 2.12.3. The update addresses a prototype pollution vulnerability (GHSA-pfjj-6f4p-rvmh) by fixing code paths that accessed response objects unsafely, potentially allowing unintended access to the JavaScript prototype chain.
package.json correctly updates the version constraint from ^2.12.2 to ^2.12.3.
yarn.lock is fully consistent: @apollo/gateway, @apollo/composition, @apollo/federation-internals, @apollo/query-graphs, and @apollo/query-planner are all resolved to 2.12.3.
The older @apollo/federation-internals@2.12.2 entry is preserved in the lock file, which is expected since @apollo/subgraph@^2.12.2 still depends on it — no deduplication issue here.
The format script in package.json omits .jsx, .json, .css, and .md file types, which does not meet the project's formatting convention (flagged as a style comment).
Confidence Score: 5/5
This PR is safe to merge — it is a targeted security patch with no breaking changes.
The change is a patch-level security fix for a known prototype pollution vulnerability. Both package.json and yarn.lock are consistently updated, and all transitive dependencies (@apollo/composition, @apollo/federation-internals, @apollo/query-graphs, @apollo/query-planner) are bumped in lockstep. No API surface changes are introduced.
No files require special attention.
Important Files Changed
Filename
Overview
package.json
Version bump of @apollo/gateway from 2.12.2 to 2.12.3 — a security patch fixing prototype pollution (GHSA-pfjj-6f4p-rvmh). The format script does not cover .jsx, .json, .css, or .md files per org convention.
yarn.lock
Lock file correctly updated: @apollo/gateway, @apollo/composition, @apollo/federation-internals, @apollo/query-graphs, and @apollo/query-planner all bumped to 2.12.3. The old @apollo/federation-internals@2.12.2 entry is preserved for @apollo/subgraph@^2.12.2's pinned dependency, which is expected behavior.
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
GW["@apollo/gateway@2.12.3\n(security patch: prototype pollution fix)"]
COMP["@apollo/composition@2.12.3"]
FI["@apollo/federation-internals@2.12.3"]
QG["@apollo/query-graphs@2.12.3"]
QP["@apollo/query-planner@2.12.3"]
SUB["@apollo/subgraph@^2.12.2\n(unchanged)"]
FI_OLD["@apollo/federation-internals@2.12.2\n(retained in yarn.lock)"]
GW --> COMP
GW --> FI
GW --> QP
COMP --> FI
COMP --> QG
QG --> FI
QP --> FI
QP --> QG
SUB --> FI_OLD
The format script currently only targets .ts files. Per project conventions, it should also cover .jsx, .json, .css, and .md files to ensure consistent formatting across all asset types.
Rule Used: Expand the format script in package.json to includ... (source)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dependenciesPull requests that update a dependency filejavascriptPull requests that update javascript code
0 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
dependabot
bot
added
dependencies
Bumps @apollo/gateway from 2.12.2 to 2.12.3.
Release notes
Sourced from
@apollo/gateway's releases.Changelog
Sourced from
@apollo/gateway's changelog.... (truncated)
Commits
f481a43release: on branch version-2.12 (#3404)4393cecPrevent accessing response object's prototype chain (backport of #3396 for 2....Maintainer changes
This version was pushed to npm by dkuc, a new releaser for
@apollo/gatewaysince your current version.Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.