Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Update dependency mercurius to v11.5.0 [SECURITY] #441

Merged
merged 1 commit into from
Jan 10, 2023
Merged

Update dependency mercurius to v11.5.0 [SECURITY] #441

merged 1 commit into from
Jan 10, 2023

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jan 10, 2023

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
mercurius (source) 11.4.0 -> 11.5.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-22477

Impact

Any users of Mercurius until version v11.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to /graphql.

Patches

This was patched in https://github.com/mercurius-js/mercurius/pull/940.

Workarounds

Disable subscriptions.

References

Reported publicly as https://github.com/mercurius-js/mercurius/issues/939.
The same problem was solved in https://github.com/fastify/fastify-websocket/pull/228

Release Notes

mercurius-js/mercurius

v11.5.0

Compare Source

Security Fix

This release fixes CVE-2023-22477

What's Changed

New Contributors

Full Changelog: mercurius-js/mercurius@v11.4.0...v11.5.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jan 10, 2023
@beeequeue beeequeue merged commit 3ac228b into master Jan 10, 2023
@beeequeue beeequeue deleted the renovate/npm-mercurius-vulnerability branch January 10, 2023 01:28
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@beeequeue