From e9188a6e613a29a716d338a8fb6d25d7059fd611 Mon Sep 17 00:00:00 2001
From: Rikki
Date: Sun, 10 Oct 2021 12:24:01 +0200
Subject: [PATCH 1/2] remove optionalDependencies from graphiql-toolkit

---
 packages/graphiql-toolkit/package.json | 11 +++----
 yarn.lock | 44 ++++++++++++++++++--------
 2 files changed, 34 insertions(+), 21 deletions(-)

diff --git a/packages/graphiql-toolkit/package.json b/packages/graphiql-toolkit/package.json
index 7134054f478..af845a08a08 100644
--- a/packages/graphiql-toolkit/package.json
+++ b/packages/graphiql-toolkit/package.json
@@ -20,20 +20,17 @@
 "typings": "dist/index.d.ts",
 "scripts": {},
 "dependencies": {
- "@n1ru4l/push-pull-async-iterable-iterator": "^2.1.4",
- "graphql-ws": "^4.3.2",
+ "@n1ru4l/push-pull-async-iterable-iterator": "^3.0.0",
+ "graphql-ws": "^5.5.0",
 "meros": "^1.1.4"
 },
 "devDependencies": {
 "graphql": "experimental-stream-defer",
 "isomorphic-fetch": "^3.0.0",
- "subscriptions-transport-ws": "^0.9.18"
- },
- "optionalDependencies": {
- "subscriptions-transport-ws": "^0.9.18"
+ "subscriptions-transport-ws": "^0.9.19"
 },
 "peerDependencies": {
- "graphql": ">= v14.5.0 <= 15.5.0"
+ "graphql": ">= v14.5.0 <= 15.6.1"
 },
 "keywords": [
 "graphql",
diff --git a/yarn.lock b/yarn.lock
index 788c02b445a..2539cc6cc04 100644
--- a/yarn.lock
+++ b/yarn.lock
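Review bot: Moving `subscriptions-transport-ws` from `optionalDependencies` into `devDependencies` in the `packages/graphiql-toolkit/package.json` hunk means consumers of `@graphiql/toolkit` no longer get it installed at all; if the published fetcher still loads it at runtime for the legacy protocol — the `packages/graphiql/README.md` hunk later in this series says `createGraphiQLFetcher` supports it — consumers will hit a module-not-found error unless the docs tell them to install it themselves. If that runtime use is intended, declaring it as an optional peer makes the contract explicit: `"peerDependencies": { "graphql": ">= v14.5.0 <= 15.6.1", "subscriptions-transport-ws": "^0.9.19" }` with `"peerDependenciesMeta": { "subscriptions-transport-ws": { "optional": true } }`. Separately, the new `graphql` peer upper bound `<= 15.6.1` closes at an exact patch, so every later `graphql` 15.x patch release will produce peer warnings until the range is bumped again; unless a specific breakage in later 15.x patches is known, `< 16` would avoid that churn.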
@@ -2683,10 +2683,10 @@
 call-me-maybe "^1.0.1"
 glob-to-regexp "^0.3.0"

-"@n1ru4l/push-pull-async-iterable-iterator@^2.1.4":
- version "2.1.4"
- resolved "https://registry.yarnpkg.com/@n1ru4l/push-pull-async-iterable-iterator/-/push-pull-async-iterable-iterator-2.1.4.tgz#a90225474352f9f159bff979905f707b9c6bcf04"
- integrity sha512-qLIvoOUJ+zritv+BlzcBMePKNjKQzH9Rb2i9W98YXxf/M62Lye8qH0peyiU8yJ1tL0kfulWi31BoK10E6BKJeA==
+"@n1ru4l/push-pull-async-iterable-iterator@^3.0.0":
+ version "3.0.0"
+ resolved "https://registry.yarnpkg.com/@n1ru4l/push-pull-async-iterable-iterator/-/push-pull-async-iterable-iterator-3.0.0.tgz#22dc34094c2de5f21b9a798d0ffab16b45de0eb7"
+ integrity sha512-gwoIwo/Dt1GOI+lbcG1G7IeRM2K+Fo0op3OGyFJ4tXUCf2a3Q8lUCm81aoevrXC0nu4gbAXeOWy7wWxjpSvZUw==

 "@nicolo-ribaudo/chokidar-2@2.1.8-no-fsevents":
 version "2.1.8-no-fsevents"
@@ -9431,10 +9431,10 @@ graphql-config@^3.0.2:
 string-env-interpolation "1.0.1"
 tslib "^2.0.0"

-graphql-ws@^4.3.2:
- version "4.3.2"
- resolved "https://registry.yarnpkg.com/graphql-ws/-/graphql-ws-4.3.2.tgz#c58b03acc3bd5d4a92a6e9f729d29ba5e90d46a3"
- integrity sha512-jsW6eOlko7fJek1iaSGQFj97AWuhexL9A3PuxYtyke/VlMdbSFzmDR4PlPPCTBBskRg6tNRb5RTbBVSd2T60JQ==
+graphql-ws@^5.5.0:
+ version "5.5.0"
+ resolved "https://registry.yarnpkg.com/graphql-ws/-/graphql-ws-5.5.0.tgz#79f10248d23d104369eaef93acb9f887276a2c42"
+ integrity sha512-WQepPMGQQoqS2VsrI2I3RMLCVz3CW4/6ZqGV6ABDOwH4R62DzjxwMlwZbj6vhSI/7IM3/C911yITwgs77iO/hw==

 graphql@experimental-stream-defer:
 version "15.4.0-experimental-stream-defer.1"
@@ -12528,12 +12528,12 @@ moment@^2.27.0:
 resolved "https://registry.yarnpkg.com/moment/-/moment-2.29.1.tgz#b2be769fa31940be9eeea6469c075e35006fa3d3"
 integrity sha512-kHmoybcPV8Sqy59DwNDY3Jefr64lK/by/da0ViFcuA4DH0vQg5Q6Ze5VimxkfQNSC+Mls/Kx53s7TjP1RhFEDQ==

-monaco-editor-webpack-plugin@^1.9.0:
- version "1.9.1"
- resolved "https://registry.yarnpkg.com/monaco-editor-webpack-plugin/-/monaco-editor-webpack-plugin-1.9.1.tgz#eb4bbb1c5e5bfb554541c1ae1542e74c2a9f43fd"
- integrity sha512-x7fx1w3i/uwZERIgztHAAK3VQMsL8+ku0lFXXbO81hKDg8IieACqjGEa2mqEueg0c/fX+wd0oI+75wB19KJAsA==
+monaco-editor-webpack-plugin@^4.0.0:
+ version "4.2.0"
+ resolved "https://registry.yarnpkg.com/monaco-editor-webpack-plugin/-/monaco-editor-webpack-plugin-4.2.0.tgz#2be76cde9cca7bd8c3418503625990f86886927b"
+ integrity sha512-/P3sFiEgBl+Y50he4mbknMhbLJVop5gBUZiPS86SuHUDOOnQiQ5rL1jU5lwt1XKAwMEkhwZbUwqaHxTPkb1Utw==
 dependencies:
- loader-utils "^1.2.3"
+ loader-utils "^2.0.0"

 monaco-editor@^0.27.0:
 version "0.27.0"
@@ -16659,7 +16659,7 @@ stylehacks@^4.0.0:
 postcss "^7.0.0"
 postcss-selector-parser "^3.0.0"

-subscriptions-transport-ws@0.9.18, subscriptions-transport-ws@^0.9.18:
+subscriptions-transport-ws@0.9.18:
 version "0.9.18"
 resolved "https://registry.yarnpkg.com/subscriptions-transport-ws/-/subscriptions-transport-ws-0.9.18.tgz#bcf02320c911fbadb054f7f928e51c6041a37b97"
 integrity sha512-tztzcBTNoEbuErsVQpTN2xUNN/efAZXyCyL5m3x4t6SKrEiTL2N8SaKWBFWM4u56pL79ULif3zjyeq+oV+nOaA==
@@ -16670,6 +16670,17 @@ subscriptions-transport-ws@0.9.18, subscriptions-transport-ws@^0.9.18:
 symbol-observable "^1.0.4"
 ws "^5.2.0"

+subscriptions-transport-ws@^0.9.19:
+ version "0.9.19"
+ resolved "https://registry.yarnpkg.com/subscriptions-transport-ws/-/subscriptions-transport-ws-0.9.19.tgz#10ca32f7e291d5ee8eb728b9c02e43c52606cdcf"
+ integrity sha512-dxdemxFFB0ppCLg10FTtRqH/31FNRL1y1BQv8209MK5I4CwALb7iihQg+7p65lFcIl8MHatINWBLOqpgU4Kyyw==
+ dependencies:
+ backo2 "^1.0.2"
+ eventemitter3 "^3.1.0"
+ iterall "^1.2.1"
+ symbol-observable "^1.0.4"
+ ws "^5.2.0 || ^6.0.0 || ^7.0.0"
+
 success-symbol@^0.1.0:
 version "0.1.0"
 resolved "https://registry.yarnpkg.com/success-symbol/-/success-symbol-0.1.0.tgz#24022e486f3bf1cdca094283b769c472d3b72897"
@@ -18188,6 +18199,11 @@ ws@^5.2.0:
 dependencies:
 async-limiter "~1.0.0"

+"ws@^5.2.0 || ^6.0.0 || ^7.0.0":
+ version "7.5.5"
+ resolved "https://registry.yarnpkg.com/ws/-/ws-7.5.5.tgz#8b4bc4af518cfabd0473ae4f99144287b33eb881"
+ integrity sha512-BAkMFcAzl8as1G/hArkxOxq3G7pjUqQ3gzYbLL0/5zNkph70e+lCoxBGnm6AW1+/aiNeV4fnKqZ8m4GZewmH2w==
+
 ws@^6.0.0, ws@^6.2.1:
 version "6.2.1"
 resolved "https://registry.yarnpkg.com/ws/-/ws-6.2.1.tgz#442fdf0a47ed64f59b6a5d8ff130f4748ed524fb"
From 620e65be9eb2452c8d580044d8d42a0e15a1a833 Mon Sep 17 00:00:00 2001
From: Rikki
Date: Sun, 10 Oct 2021 12:29:24 +0200
Subject: [PATCH 2/2] chore: add changeset

---
 .changeset/nine-days-pretend.md | 6 ++++++
 packages/graphiql-toolkit/README.md | 4 ++--
 packages/graphiql-toolkit/package.json | 2 +-
 packages/graphiql/README.md | 6 ++----
 yarn.lock | 8 ++++----
 5 files changed, 15 insertions(+), 11 deletions(-)
 create mode 100644 .changeset/nine-days-pretend.md

diff --git a/.changeset/nine-days-pretend.md b/.changeset/nine-days-pretend.md
new file mode 100644
index 00000000000..41284d502d4
--- /dev/null
+++ b/.changeset/nine-days-pretend.md
@@ -0,0 +1,6 @@
+---
+'@graphiql/toolkit': minor
+'graphiql': patch
+---
+
+Remove `optionalDependencies` entirely, remove `subscriptions-transport-ws` which introduces vulnerabilities, upgrade `@n1ru4l/push-pull-async-iterable-iterator` to 3.0.0, upgrade `graphql-ws` several minor versions - the `graphql-ws@5.x` upgrade will come in a later minor release.
diff --git a/packages/graphiql-toolkit/README.md b/packages/graphiql-toolkit/README.md
index f0613e56eb9..c3d927aca80 100644
--- a/packages/graphiql-toolkit/README.md
+++ b/packages/graphiql-toolkit/README.md
@@ -4,7 +4,7 @@ General purpose library as a dependency of GraphiQL.
-Part of the GraphiQL 2.0.0 initiative.
+A core dependency of the GraphiQL 2.0.0 initiative.
 ## Docs
@@ -14,6 +14,6 @@ Part of the GraphiQL 2.0.0 initiative.
 ## Todo
 - [x] Begin porting common type definitions used by GraphiQL and it's dependencies
-- [ ] `createFetcher` utility for an easier `fetcher`
+- [x] `createGraphiQLFetcher` utility for an easier `fetcher`
 - [ ] Migrate over general purpose `graphiql/src/utilities`
 - [ ] Utility to generate json schema spec from `getQueryFacts` for monaco, vscode, etc
diff --git a/packages/graphiql-toolkit/package.json b/packages/graphiql-toolkit/package.json
index af845a08a08..19fd6e94c4e 100644
--- a/packages/graphiql-toolkit/package.json
+++ b/packages/graphiql-toolkit/package.json
@@ -21,7 +21,7 @@
 "scripts": {},
 "dependencies": {
 "@n1ru4l/push-pull-async-iterable-iterator": "^3.0.0",
- "graphql-ws": "^5.5.0",
+ "graphql-ws": "^4.9.0",
 "meros": "^1.1.4"
 },
 "devDependencies": {
diff --git a/packages/graphiql/README.md b/packages/graphiql/README.md
index 2a9b947426f..6389d776c12 100644
--- a/packages/graphiql/README.md
+++ b/packages/graphiql/README.md
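Review bot: The `packages/graphiql-toolkit/package.json` hunk reverts `graphql-ws` to `^4.9.0` after patch 1 of this series set it to `^5.5.0`, and the changeset added in the same commit states that `subscriptions-transport-ws` is removed, yet patch 1 leaves it in `devDependencies` at `^0.9.19` and the lockfile still resolves it. The changeset should say it was moved out of `optionalDependencies` (so it is no longer installed for consumers) rather than removed, or the devDependency should go as well; otherwise readers will assume the package is gone from the tree. Squashing the two patches would also drop the dead `graphql-ws@^5.5.0` lockfile entry that patch 1 adds and this patch deletes. Separately, the new line in `packages/graphiql/README.md` spells the package `subsriptions-transport-ws`; it should read `subscriptions-transport-ws` so readers can find the package it refers to.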
@@ -90,7 +90,7 @@ GraphiQL provides a React component responsible for rendering the UI, which shou
 For HTTP transport implementations, we recommend using the [fetch](https://fetch.spec.whatwg.org/) standard API, but you can use anything that matches [the type signature](https://graphiql-test.netlify.app/typedoc/modules/graphiql-toolkit.html#fetcher), including async iterables and observables.
-You can also install `@graphiql/create-fetcher` to make it easier to create a simple fetcher for conventional http and websockets transports.
+You can also install `@graphiql/create-fetcher` to make it easier to create a simple fetcher for conventional http and websockets transports. It uses `graphql-ws@4.x` protocol by default.
 ```js
 import React from 'react';
@@ -109,7 +109,7 @@ ReactDOM.render(
 );
 ```
-Read more about using [`createGraphiQLFetcher`](https://github.com/graphql/graphiql/tree/main/packages/graphiql-toolkit/docs/create-fetcher.md) in the readme to learn how to add headers and more.
+[Read more about using `createGraphiQLFetcher` in the readme](https://github.com/graphql/graphiql/tree/main/packages/graphiql-toolkit/docs/create-fetcher.md) to learn how to add headers, support the legacy `subsriptions-transport-ws` protocol, and more.
 ### Usage: UMD Bundle over CDN (Unpkg, JSDelivr, etc)
@@ -259,5 +259,3 @@ In order to theme the editor portions of the interface, you can supply a `editor
 editorTheme="solarized light"
 />
 ```
-
-### Running Operations
diff --git a/yarn.lock b/yarn.lock
index 2539cc6cc04..83326ece215 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -9431,10 +9431,10 @@ graphql-config@^3.0.2:
 string-env-interpolation "1.0.1"
 tslib "^2.0.0"

-graphql-ws@^5.5.0:
- version "5.5.0"
- resolved "https://registry.yarnpkg.com/graphql-ws/-/graphql-ws-5.5.0.tgz#79f10248d23d104369eaef93acb9f887276a2c42"
- integrity sha512-WQepPMGQQoqS2VsrI2I3RMLCVz3CW4/6ZqGV6ABDOwH4R62DzjxwMlwZbj6vhSI/7IM3/C911yITwgs77iO/hw==
+graphql-ws@^4.9.0:
+ version "4.9.0"
+ resolved "https://registry.yarnpkg.com/graphql-ws/-/graphql-ws-4.9.0.tgz#5cfd8bb490b35e86583d8322f5d5d099c26e365c"
+ integrity sha512-sHkK9+lUm20/BGawNEWNtVAeJzhZeBg21VmvmLoT5NdGVeZWv5PdIhkcayQIAgjSyyQ17WMKmbDijIPG2On+Ag==

 graphql@experimental-stream-defer:
 version "15.4.0-experimental-stream-defer.1"