Update http-cache-semantics package (#159)

trevor-scheer · web-flow · commit ee018a7744a8 · 2023-02-06T14:09:06.000-08:00
Update `http-cache-semantics` package to latest patch, resolving a security issue. Unlike many security updates Apollo repos receive, this is an _actual_ (non-dev) dependency of this package which means it is actually a user-facing security issue. The potential impact of this issue is limited to a DOS attack (via an inefficient regex). This security issue would only affect you if either: * you pass untrusted (i.e. from your users) `cache-control` request headers * you sending requests to untrusted REST server that might return malicious `cache-control` headers Since `http-cache-semantics` is a careted (^) dependency in this package, the security issue can (and might already) be resolved via a `package-lock.json` update within your project (possibly triggered by `npm audit` or another dependency update which has already updated its version of the package in question). If `npm ls http-cache-semantics` reveals a tree of dependencies which only include the `4.1.1` version (and no references to any previous versions) then you are currently unaffected and this patch should have (for all intents and purpose) no effect. More details available here: GHSA-rc47-6667-2j5j
diff --git a/.changeset/five-snails-stare.md b/.changeset/five-snails-stare.md
@@ -0,0 +1,29 @@
+---
+'@apollo/datasource-rest': patch
+---
+
+Update `http-cache-semantics` package to latest patch, resolving a security
+issue.
+
+Unlike many security updates Apollo repos receive, this is an _actual_ (non-dev)
+dependency of this package which means it is actually a user-facing security
+issue.
+
+The potential impact of this issue is limited to a DOS attack (via an
+inefficient regex).
+
+This security issue would only affect you if either:
+* you pass untrusted (i.e. from your users) `cache-control` request headers
+* you sending requests to untrusted REST server that might return malicious
+  `cache-control` headers
+
+Since `http-cache-semantics` is a careted (^) dependency in this package, the
+security issue can (and might already) be resolved via a `package-lock.json`
+update within your project (possibly triggered by `npm audit` or another
+dependency update which has already updated its version of the package in
+question). If `npm ls http-cache-semantics` reveals a tree of dependencies which
+only include the `4.1.1` version (and no references to any previous versions)
+then you are currently unaffected and this patch should have (for all intents
+and purpose) no effect.
+
+More details available here: https://github.com/advisories/GHSA-rc47-6667-2j5j
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -52,7 +52,7 @@
     "@apollo/utils.keyvaluecache": "^2.0.0",
     "@apollo/utils.withrequired": "^2.0.0",
     "@types/http-cache-semantics": "^4.0.1",
-    "http-cache-semantics": "^4.1.0",
+    "http-cache-semantics": "^4.1.1",
     "lodash.isplainobject": "^4.0.6",
     "node-fetch": "^2.6.7"
   },
