fix(deps): update dependency @apollo/explorer to v3 [security] - autoclosed #8083
renovate[bot] wants to merge 1 commit into master from
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
🎉 Snyk checks have passed. No issues have been found so far.
✅ security/snyk check is complete. No issues have been found.

🔒 Entelligence AI Vulnerability Scanner: ✅ No security vulnerabilities found. Your code passed our comprehensive security analysis.
Walkthrough
This PR upgrades the Apollo Explorer plugin from version 2.0.0 to 3.0.0, representing a major version update with potential breaking changes and new features. The yarn.lock file shows the actual version installed is 3.7.3, which includes expanded React peer dependency support for React 19.0.0. Additionally, the PR fixes the GitOps Profiles plugin by pinning specific versions of Backstage dependencies rather than using workspace references, ensuring compatibility and stability across the application.

Sequence Diagram
This diagram shows the interactions between components:

```mermaid
sequenceDiagram
  title Apollo Explorer Integration Flow (v3.0.0)
  actor User
  participant App as "Backstage App"
  participant ApolloExplorerPlugin as "Apollo Explorer Plugin"
  participant ApolloExplorer as "@apollo/explorer v3.0.0"
  participant GraphQLAPI as "GraphQL API"
  User->>App: Navigate to Apollo Explorer page
  App->>ApolloExplorerPlugin: Load plugin
  activate ApolloExplorerPlugin
  ApolloExplorerPlugin->>ApolloExplorer: Initialize Explorer component
  activate ApolloExplorer
  Note over ApolloExplorer: New v3.0.0 with React 19 support
  ApolloExplorer-->>ApolloExplorerPlugin: Render Explorer UI
  User->>ApolloExplorer: Enter GraphQL query
  alt User clicks "Run" button
    ApolloExplorer->>GraphQLAPI: Send GraphQL query
    activate GraphQLAPI
    GraphQLAPI-->>ApolloExplorer: Return query results
    deactivate GraphQLAPI
    ApolloExplorer-->>User: Display results
  else User saves query
    ApolloExplorer->>ApolloExplorer: Store query locally
    ApolloExplorer-->>User: Confirm save
  end
  User->>ApolloExplorer: Interact with schema explorer
  ApolloExplorer-->>User: Show schema documentation
  User->>App: Navigate away
  App->>ApolloExplorerPlugin: Unmount plugin
  ApolloExplorerPlugin->>ApolloExplorer: Cleanup
  deactivate ApolloExplorer
  deactivate ApolloExplorerPlugin
```
LGTM 👍 |
Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Warning: Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution! |
This PR contains the following updates:

@apollo/explorer: ^2.0.0 -> ^3.0.0

GitHub Vulnerability Alerts

CVE-2025-59845

Impact
A Cross-Site Request Forgery (CSRF) vulnerability was identified in Apollo's Embedded Sandbox and Embedded Explorer.
The vulnerability arises from missing origin validation in the client-side code that handles window.postMessage events. A malicious website can send forged messages to the embedding page, causing the victim's browser to execute arbitrary GraphQL queries or mutations against their GraphQL server while authenticated with the victim's cookies.

Who is impacted
Anyone embedding Apollo Sandbox or Apollo Explorer in their website may have been affected by this vulnerability. This includes embedding via:
- the npm packages (@apollo/sandbox and @apollo/explorer) or direct links to Apollo's CDN;
- Apollo Server, which serves embedded Sandbox when NODE_ENV is not set to production; embedded Sandbox and Explorer can also be enabled in production mode via landing page plugins. This served the vulnerable code from Apollo's CDN.

While all of the above methods of serving Embedded Sandbox and Explorer were vulnerable, Apollo has already updated its CDN to remove all vulnerable versions. Unless you install the npm package @apollo/sandbox or @apollo/explorer directly into your website's front end code, no action is necessary: the vulnerability has already been mitigated. Users who do not embed Sandbox/Explorer on their websites, or who only run Apollo Router/Server with production defaults, were never impacted. The use of non-embedded Sandbox and Explorer hosted on studio.apollographql.com is not vulnerable.

Scope of impact
The vulnerability allows a malicious website to open the vulnerable website in a new window and force it to send GraphQL requests to its origin. The requests themselves are not "cross-origin" as they are directly issued from the vulnerable website, but their contents are dictated by the malicious website.
The malicious website cannot read the responses to the GraphQL operations, but the operations may be mutations with side effects (such as using credentials to update app-specific data access controls). These operations can carry the browser user's cookies, and the vulnerable website may be on a private network otherwise inaccessible to the attacker. Operations sent this way look exactly like legitimate operations sent by a human interacting with the embedded Sandbox or Explorer.

Patches
The issue has been fixed by adding strict origin validation to DOM message handling.
- @apollo/sandbox: patched in v2.7.2 and later
- @apollo/explorer: patched in v3.7.3 and later
- Apollo's CDN no longer serves vulnerable versions, which covers <script> tags pointing to Apollo's CDN as well as the Apollo Router and Apollo Server features. No action is necessary to adopt the fix in this case.

If you manually edited the <script> tag provided by the Explorer or Sandbox UI to replace the version string _latest, v2, or v3 with a specific git-style SHA, you may find that the Explorer or Sandbox UI does not currently load. To fix this, use a supported URL instead, as documented for Sandbox or Explorer. (The third-party Go GraphQL server gqlgen provides a function ApolloSandboxHandler which serves an unsupported URL and was broken by our mitigations; upgrading to gqlgen v0.17.81 will resolve this issue.)

Workarounds
Ensure that NODE_ENV=production is set in production to avoid unintentionally serving embedded Sandbox.
Release Notes
apollographql/embeddable-explorer (@apollo/explorer)
- v3.7.3 (Compare Source)
- v3.7.2 (Compare Source)
- v3.7.1 (Compare Source)
- v3.7.0 (Compare Source)
- v3.6.0 (Compare Source)
- v3.5.0 (Compare Source)
- v3.4.0 (Compare Source)
- v3.3.0 (Compare Source)
- v3.2.0 (Compare Source)
- v3.1.1 (Compare Source)
- v3.1.0 (Compare Source)
- v3.0.0 (Compare Source)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
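The advisory above says the bug was missing origin validation in the window.postMessage handler of the embedding page, and that the fix was strict origin validation. The following is an added example, not code from this PR, from @apollo/explorer or from Apollo: it models an embedding page that executes GraphQL operations on behalf of an embedded Explorer iframe, with the unchecked handler beside a hardened one. The message shape ("ExplorerRequest"), the origins, the endpoint and all function names are hypothetical, and the browser is simulated with plain objects so the example runs under Node without a DOM. One practical caveat for this PR: the range ^3.0.0 does not by itself select the patched release; the lockfile has to resolve @apollo/explorer to 3.7.3 or later, which the walkthrough above reports it does.

```javascript
// Added example (not Apollo's or this PR's code): a window.postMessage
// handler on the embedding page that runs GraphQL operations for an
// embedded Explorer iframe, first without and then with origin/source checks.
// All names, origins and the message shape below are hypothetical.

const GRAPHQL_ENDPOINT = "https://api.example.internal/graphql"; // constructed
const EXPLORER_ORIGIN = "https://explorer.embed.example";        // hypothetical iframe origin

// Stand-in for fetch(): records what a real handler would send. A real
// handler would use credentials: "include", so the user's cookies ride along.
function makeSender() {
  const sent = [];
  return {
    sent,
    send(body) {
      sent.push({ url: GRAPHQL_ENDPOINT, credentials: "include", body });
    },
  };
}

// Pre-fix behaviour as described by CVE-2025-59845: the handler trusts the
// message shape alone and never inspects event.origin or event.source, so any
// window holding a reference to this page (e.g. the opener from window.open)
// can make it send an operation of the attacker's choosing.
function vulnerableHandler(event, sender) {
  const msg = event.data;
  if (!msg || msg.name !== "ExplorerRequest") return false;
  sender.send({ query: msg.operation, variables: msg.variables });
  return true;
}

// Hardened handler: execute only if the message comes from the expected iframe
// origin AND from the iframe's own window object. Checking the source as well
// as the origin rejects messages from other windows on the allowed origin.
function makeHardenedHandler(explorerWindow, allowedOrigin = EXPLORER_ORIGIN) {
  return function hardenedHandler(event, sender) {
    if (event.origin !== allowedOrigin) return false;   // forged or unknown origin
    if (event.source !== explorerWindow) return false;  // right origin, wrong window
    const msg = event.data;
    if (!msg || msg.name !== "ExplorerRequest") return false;
    sender.send({ query: msg.operation, variables: msg.variables });
    return true;
  };
}

// Simulated scenario. The attacker page opens the embedding page and posts a
// forged ExplorerRequest carrying a mutation; the embedded iframe posts a
// legitimate request; a third message has the right origin but wrong source.
const explorerFrameWindow = { id: "explorer-iframe" };  // stands in for iframe.contentWindow
const attackerWindow = { id: "attacker-opener" };       // stands in for window.opener

const forged = {
  origin: "https://evil.example",                       // constructed attacker origin
  source: attackerWindow,
  data: {
    name: "ExplorerRequest",
    operation: 'mutation { grantAdmin(user: "attacker") { ok } }',
    variables: {},
  },
};
const legitimate = {
  origin: EXPLORER_ORIGIN,
  source: explorerFrameWindow,
  data: { name: "ExplorerRequest", operation: "{ viewer { id } }", variables: {} },
};
const spoofedSource = { ...legitimate, source: attackerWindow };

// Run all three messages through a handler and report what got executed.
function runScenario(handler) {
  const sender = makeSender();
  return {
    forgedExecuted: handler(forged, sender),
    legitimateExecuted: handler(legitimate, sender),
    spoofedSourceExecuted: handler(spoofedSource, sender),
    requestsSent: sender.sent.length,
  };
}

// Side-by-side result for the vulnerable and the hardened handler.
function compare() {
  return {
    vulnerable: runScenario(vulnerableHandler),
    hardened: runScenario(makeHardenedHandler(explorerFrameWindow)),
  };
}

console.log(JSON.stringify(compare(), null, 2));
```

The vulnerable handler forwards all three messages to the GraphQL endpoint, including the attacker's mutation; the hardened one forwards only the message whose origin and source both match the embedded iframe. In a real page the `source` comparison would be against `iframe.contentWindow`, and the same `event.origin` check belongs on the iframe side for messages it receives from the parent.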