
Commit e343a94

Expanded the list of GraphQL security issues
1 parent 3a78125 commit e343a94

1 file changed

Lines changed: 11 additions & 5 deletions

File tree

docs/update_and_migration/from_4.6/update_from_4.6.md

@@ -602,13 +602,17 @@ Now, `0` is interpreted as "length limited to zero characters" and `NULL` as "no
602602

603603
### GraphQL package update
604604

605-
Due to the [GHSA-68jq-c3rv-pcrr security issue](https://github.com/advisories/GHSA-68jq-c3rv-pcrr), the GraphQL package requirements have been updated to allow installing higher versions in which this issue is resolved.
605+
The GraphQL dependency constraints have been updated to allow installing versions of `webonyx/graphql-php` that address the following security advisories:
606+
607+
- [GHSA-68jq-c3rv-pcrr](https://github.com/advisories/GHSA-68jq-c3rv-pcrr)
608+
- [GHSA-fc86-6rv6-2jpm](https://github.com/advisories/GHSA-fc86-6rv6-2jpm)
609+
- [GHSA-r7cg-qjjm-xhqq](https://github.com/advisories/GHSA-r7cg-qjjm-xhqq)
606610

607611
When doing the update, you have two options:
608612

609613
#### Update GraphQL packages and custom code (recommended)
610614

611-
Make sure the `webonyx/graphql-php` package is installed in a version higher or equal to v15.31.5.
615+
Make sure the `webonyx/graphql-php` package is installed in a version higher or equal to v15.32.3.
612616

613617
If you [extended GraphQL to support custom field types](graphql_custom_ft.md), update the returned expression from `@=resolver(...)` to `@=query(...)` and change the argument syntax from an array to variadic arguments as in the following example:
614618
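Review bot: the minimum version (`v15.32.3`, raised from `v15.31.5`) is stated once for all three advisories, but nothing in the hunk says which advisory each release fixes, so a project sitting between 15.31.5 and 15.32.3 cannot tell which of the three it is still exposed to. Suggest listing the patched version next to each GHSA entry in the new bullet list, and following the "Make sure the `webonyx/graphql-php` package is installed..." line with the check that confirms it, e.g. `composer show webonyx/graphql-php` and then `composer audit`, so the reader can verify the upgrade actually cleared all three. Minor wording: "higher or equal to v15.32.3" reads better as "at or above v15.32.3".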

@@ -626,15 +630,17 @@ php bin/console ibexa:graphql:generate-schema
626630

627631
#### Implement other countermeasures
628632

629-
If updating the GraphQL packages isn't possible right now, for example because the project is using PHP 7.4 where the fix is not available, review the security issue carefully and assess the danger.
633+
If updating the GraphQL packages isn't possible right now, for example because the project is using PHP 7.4 where the fix is not available, review the security issues carefully and assess the danger.
630634

631-
If you choose to implement countermeasures without updating the GraphQL packages, for example by restricting access to the GrapQL endpoint with rate limiting, authentication, or [WAF](https://en.wikipedia.org/wiki/Web_application_firewall), then you can silence the advisory in `composer.json`:
635+
If you choose to implement countermeasures without updating the GraphQL packages, for example by restricting access to the GraphQL endpoint with rate limiting, authentication, or [WAF](https://en.wikipedia.org/wiki/Web_application_firewall), then you can silence the advisories in `composer.json`:
632636

633637
```json
634638
"config": {
635639
"audit": {
636640
"ignore": {
637-
"GHSA-68jq-c3rv-pcrr": "Description of the countermeasures you've implemented causing this one to be safe to ignore."
641+
"GHSA-68jq-c3rv-pcrr": "Description of the countermeasures you've implemented causing this one to be safe to ignore.",
642+
"GHSA-fc86-6rv6-2jpm": "Description of the countermeasures you've implemented causing this one to be safe to ignore.",
643+
"GHSA-r7cg-qjjm-xhqq": "Description of the countermeasures you've implemented causing this one to be safe to ignore."
638644
}
639645
}
640646
}
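Review bot: the three `audit.ignore` entries carry an identical placeholder reason, and the sentence introducing them presents rate limiting, authentication or a WAF as one blanket countermeasure for all three advisories, even though a mitigation that makes one advisory safe to ignore need not cover the others. Suggest the text require an advisory-specific justification per key (which issue it is and which countermeasure closes it), and state explicitly that an ignore entry only silences `composer audit` and does not fix the library, so the entries should be removed again once the package is upgraded to v15.32.3 or later. The typo fix "GrapQL" to "GraphQL" on the replaced line is correct.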
