diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8fd8aaa0b8..eaf649f68b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,23 @@ All notable changes to Router will be documented in this file.
 
 This project adheres to [Semantic Versioning v2.0.0](https://semver.org/spec/v2.0.0.html).
 
+# [1.43.2] - 2024-04-03
+
+## 🐛 Fixes
+
+### Security fix: update h2 dependency
+
+References:
+- https://rustsec.org/advisories/RUSTSEC-2024-0332
+- https://seanmonstar.com/blog/hyper-http2-continuation-flood/
+- https://www.kb.cert.org/vuls/id/421644
+
+The router's performance could be degraded when receiving a flood of HTTP/2 CONTINUATION frames, when the Router is set up to terminate TLS for client connections.
+
+By [@geal](https://github.com/geal)
+
+
+
 # [1.43.1] - 2024-03-29
 
 ## 🚀 Features
diff --git a/Cargo.lock b/Cargo.lock
index 126e18b3cb..12b48e3ab0 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -250,7 +250,7 @@ dependencies = [
 
 [[package]]
 name = "apollo-router"
-version = "1.43.1"
+version = "1.43.2"
 dependencies = [
  "access-json",
  "anyhow",
@@ -410,7 +410,7 @@ dependencies = [
 
 [[package]]
 name = "apollo-router-benchmarks"
-version = "1.43.1"
+version = "1.43.2"
 dependencies = [
  "apollo-parser",
  "apollo-router",
@@ -426,7 +426,7 @@ dependencies = [
 
 [[package]]
 name = "apollo-router-scaffold"
-version = "1.43.1"
+version = "1.43.2"
 dependencies = [
  "anyhow",
  "cargo-scaffold",
@@ -3124,9 +3124,9 @@ dependencies = [
 
 [[package]]
 name = "h2"
-version = "0.3.24"
+version = "0.3.26"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bb2c4422095b67ee78da96fbb51a4cc413b3b25883c7717ff7ca1ab31022c9c9"
+checksum = "81fe527a889e1532da5c525686d96d4c2e74cdd345badf8dfef9f6b39dd5f5e8"
 dependencies = [
  "bytes",
  "fnv",
@@ -3422,7 +3422,7 @@ dependencies = [
  "httpdate",
  "itoa",
  "pin-project-lite",
- "socket2 0.5.5",
+ "socket2 0.4.9",
  "tokio",
  "tower-service",
  "tracing",
diff --git a/apollo-router-benchmarks/Cargo.toml b/apollo-router-benchmarks/Cargo.toml
index 79e6f1c4cb..63aa39063d 100644
--- a/apollo-router-benchmarks/Cargo.toml
+++ b/apollo-router-benchmarks/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "apollo-router-benchmarks"
-version = "1.43.1"
+version = "1.43.2"
 authors = ["Apollo Graph, Inc. "]
 edition = "2021"
 license = "Elastic-2.0"
diff --git a/apollo-router-scaffold/Cargo.toml b/apollo-router-scaffold/Cargo.toml
index 6ea1de4772..fcf25e2de5 100644
--- a/apollo-router-scaffold/Cargo.toml
+++ b/apollo-router-scaffold/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "apollo-router-scaffold"
-version = "1.43.1"
+version = "1.43.2"
 authors = ["Apollo Graph, Inc. "]
 edition = "2021"
 license = "Elastic-2.0"
diff --git a/apollo-router-scaffold/templates/base/Cargo.toml b/apollo-router-scaffold/templates/base/Cargo.toml
index 04c399c837..2f66ce5737 100644
--- a/apollo-router-scaffold/templates/base/Cargo.toml
+++ b/apollo-router-scaffold/templates/base/Cargo.toml
@@ -22,7 +22,7 @@ apollo-router = { path ="{{integration_test}}apollo-router" }
 apollo-router = { git="https://github.com/apollographql/router.git", branch="{{branch}}" }
 {{else}}
 # Note if you update these dependencies then also update xtask/Cargo.toml
-apollo-router = "1.43.1"
+apollo-router = "1.43.2"
 {{/if}}
 {{/if}}
 async-trait = "0.1.52"
diff --git a/apollo-router-scaffold/templates/base/xtask/Cargo.toml b/apollo-router-scaffold/templates/base/xtask/Cargo.toml
index 1f7783dee2..febb964c3c 100644
--- a/apollo-router-scaffold/templates/base/xtask/Cargo.toml
+++ b/apollo-router-scaffold/templates/base/xtask/Cargo.toml
@@ -13,7 +13,7 @@ apollo-router-scaffold = { path ="{{integration_test}}apollo-router-scaffold" } {{#if branch}} apollo-router-scaffold = { git="https://github.com/apollographql/router.git", branch="{{branch}}" } {{else}} -apollo-router-scaffold = { git = "https://github.com/apollographql/router.git", tag = "v1.43.1" } +apollo-router-scaffold = { git = "https://github.com/apollographql/router.git", tag = "v1.43.2" } {{/if}} {{/if}} anyhow = "1.0.58" diff --git a/apollo-router/Cargo.toml b/apollo-router/Cargo.toml index 9d05706d71..8beddec3bc 100644 --- a/apollo-router/Cargo.toml +++ b/apollo-router/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "apollo-router" -version = "1.43.1" +version = "1.43.2" authors = ["Apollo Graph, Inc. "] repository = "https://github.com/apollographql/router/" documentation = "https://docs.rs/apollo-router" diff --git a/dockerfiles/tracing/docker-compose.datadog.yml b/dockerfiles/tracing/docker-compose.datadog.yml index 72c1da840a..26967fb052 100644 --- a/dockerfiles/tracing/docker-compose.datadog.yml +++ b/dockerfiles/tracing/docker-compose.datadog.yml @@ -3,7 +3,7 @@ services: apollo-router: container_name: apollo-router - image: ghcr.io/apollographql/router:v1.43.1 + image: ghcr.io/apollographql/router:v1.43.2 volumes: - ./supergraph.graphql:/etc/config/supergraph.graphql - ./router/datadog.router.yaml:/etc/config/configuration.yaml diff --git a/dockerfiles/tracing/docker-compose.jaeger.yml b/dockerfiles/tracing/docker-compose.jaeger.yml index 753b4268dd..37ace950c4 100644 --- a/dockerfiles/tracing/docker-compose.jaeger.yml +++ b/dockerfiles/tracing/docker-compose.jaeger.yml @@ -4,7 +4,7 @@ services: apollo-router: container_name: apollo-router #build: ./router - image: ghcr.io/apollographql/router:v1.43.1 + image: ghcr.io/apollographql/router:v1.43.2 volumes: - ./supergraph.graphql:/etc/config/supergraph.graphql - ./router/jaeger.router.yaml:/etc/config/configuration.yaml 
diff --git a/dockerfiles/tracing/docker-compose.zipkin.yml b/dockerfiles/tracing/docker-compose.zipkin.yml index 2edb1897be..a201f5f86d 100644 --- a/dockerfiles/tracing/docker-compose.zipkin.yml +++ b/dockerfiles/tracing/docker-compose.zipkin.yml @@ -4,7 +4,7 @@ services: apollo-router: container_name: apollo-router build: ./router - image: ghcr.io/apollographql/router:v1.43.1 + image: ghcr.io/apollographql/router:v1.43.2 volumes: - ./supergraph.graphql:/etc/config/supergraph.graphql - ./router/zipkin.router.yaml:/etc/config/configuration.yaml diff --git a/helm/chart/router/Chart.yaml b/helm/chart/router/Chart.yaml index de1b96404b..917c6ca099 100644 --- a/helm/chart/router/Chart.yaml +++ b/helm/chart/router/Chart.yaml @@ -20,10 +20,10 @@ type: application # so it matches the shape of our release process and release automation. # By proxy of that decision, this version uses SemVer 2.0.0, though the prefix # of "v" is not included. -version: 1.43.1 +version: 1.43.2 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "v1.43.1" +appVersion: "v1.43.2" diff --git a/helm/chart/router/README.md b/helm/chart/router/README.md index 80d1f98cf3..48c19541d2 100644 --- a/helm/chart/router/README.md +++ b/helm/chart/router/README.md 
@@ -2,7 +2,7 @@ [router](https://github.com/apollographql/router) Rust Graph Routing runtime for Apollo Federation -![Version: 1.43.1](https://img.shields.io/badge/Version-1.43.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.43.1](https://img.shields.io/badge/AppVersion-v1.43.1-informational?style=flat-square) +![Version: 1.43.2](https://img.shields.io/badge/Version-1.43.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.43.2](https://img.shields.io/badge/AppVersion-v1.43.2-informational?style=flat-square) ## Prerequisites @@ -11,7 +11,7 @@ ## Get Repo Info ```console -helm pull oci://ghcr.io/apollographql/helm-charts/router --version 1.43.1 +helm pull oci://ghcr.io/apollographql/helm-charts/router --version 1.43.2 ``` ## Install Chart @@ -19,7 +19,7 @@ helm pull oci://ghcr.io/apollographql/helm-charts/router --version 1.43.1 **Important:** only helm3 is supported ```console -helm upgrade --install [RELEASE_NAME] oci://ghcr.io/apollographql/helm-charts/router --version 1.43.1 --values my-values.yaml +helm upgrade --install [RELEASE_NAME] oci://ghcr.io/apollographql/helm-charts/router --version 1.43.2 --values my-values.yaml ``` _See [configuration](#configuration) below._ @@ -95,4 +95,4 @@ helm show values oci://ghcr.io/apollographql/helm-charts/router | virtualservice.enabled | bool | `false` | | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) diff --git a/licenses.html b/licenses.html index fb881f4226..e5d3dab6ea 100644 --- a/licenses.html +++ b/licenses.html @@ -44,7 +44,7 @@

Third Party Licenses

Overview of licenses:

    -
  • Apache License 2.0 (487)
  • +
  • Apache License 2.0 (489)
  • MIT License (155)
  • BSD 3-Clause "New" or "Revised" License (12)
  • ISC License (11)
  • @@ -65,6 +65,7 @@

    Used by:

  • aws-config
  • aws-credential-types
  • aws-runtime
  • +
  • aws-sigv4
  • aws-smithy-async
  • aws-smithy-http
  • aws-smithy-json
  • @@ -8149,6 +8150,7 @@

    Used by:

  • similar
  • smallvec
  • socket2
  • +
  • socket2
  • stable_deref_trait
  • syn
  • syn
  • @@ -11331,7 +11333,9 @@

    Used by:

    Apache License 2.0

    Used by:

    ../../LICENSE-APACHE
    @@ -11983,8 +11987,6 @@

    Used by:

    Apache License 2.0

    Used by:

      -
    • apollo-compiler
    • -
    • apollo-parser
    • curve25519-dalek-derive
    • deadpool-runtime
    • deno-proc-macro-rules
    • @@ -12959,111 +12961,6 @@

      Elastic License 2.0

      Used by:

      -
      Copyright 2021 Apollo Graph, Inc.
      -
      -Source code in this repository is covered by (i) the Elastic License 2.0 or (ii) an MIT compatible license, in each case, as designated by a licensing file in a subdirectory or file header. The default throughout the repository is a license under the Elastic License 2.0, unless a file header or a licensing file in a subdirectory specifies another license.
      -
      ---------------------------------------------------------------------------------
      -
      -Elastic License 2.0
      -
      -## Acceptance
      -
      -By using the software, you agree to all of the terms and conditions below.
      -
      -## Copyright License
      -
      -The licensor grants you a non-exclusive, royalty-free, worldwide,
      -non-sublicensable, non-transferable license to use, copy, distribute, make
      -available, and prepare derivative works of the software, in each case subject to
      -the limitations and conditions below.
      -
      -## Limitations
      -
      -You may not provide the software to third parties as a hosted or managed
      -service, where the service provides users with access to any substantial set of
      -the features or functionality of the software.
      -
      -You may not move, change, disable, or circumvent the license key functionality
      -in the software, and you may not remove or obscure any functionality in the
      -software that is protected by the license key.
      -
      -You may not alter, remove, or obscure any licensing, copyright, or other notices
      -of the licensor in the software. Any use of the licensor’s trademarks is subject
      -to applicable law.
      -
      -## Patents
      -
      -The licensor grants you a license, under any patent claims the licensor can
      -license, or becomes able to license, to make, have made, use, sell, offer for
      -sale, import and have imported the software, in each case subject to the
      -limitations and conditions in this license. This license does not cover any
      -patent claims that you cause to be infringed by modifications or additions to
      -the software. If you or your company make any written claim that the software
      -infringes or contributes to infringement of any patent, your patent license for
      -the software granted under these terms ends immediately. If your company makes
      -such a claim, your patent license ends immediately for work on behalf of your
      -company.
      -
      -## Notices
      -
      -You must ensure that anyone who gets a copy of any part of the software from you
      -also gets a copy of these terms.
      -
      -If you modify the software, you must include in any modified copies of the
      -software prominent notices stating that you have modified the software.
      -
      -## No Other Rights
      -
      -These terms do not imply any licenses other than those expressly granted in
      -these terms.
      -
      -## Termination
      -
      -If you use the software in violation of these terms, such use is not licensed,
      -and your licenses will automatically terminate. If the licensor provides you
      -with a notice of your violation, and you cease all violation of this license no
      -later than 30 days after you receive that notice, your licenses will be
      -reinstated retroactively. However, if you violate these terms after such
      -reinstatement, any additional violation of these terms will cause your licenses
      -to terminate automatically and permanently.
      -
      -## No Liability
      -
      -*As far as the law allows, the software comes as is, without any warranty or
      -condition, and the licensor will not be liable to you for any damages arising
      -out of these terms or the use or nature of the software, under any kind of
      -legal claim.*
      -
      -## Definitions
      -
      -The **licensor** is the entity offering these terms, and the **software** is the
      -software the licensor makes available under these terms, including any portion
      -of it.
      -
      -**you** refers to the individual or entity agreeing to these terms.
      -
      -**your company** is any legal entity, sole proprietorship, or other kind of
      -organization that you work for, plus all organizations that have control over,
      -are under the control of, or are under common control with that
      -organization. **control** means ownership of substantially all the assets of an
      -entity, or the power to direct its management and policies by vote, contract, or
      -otherwise. Control can be direct or indirect.
      -
      -**your licenses** are all the licenses granted to you for the software under
      -these terms.
      -
      -**use** means anything you do with the software requiring one of your licenses.
      -
      -**trademark** means trademarks, service marks, and similar rights.
      -
      ---------------------------------------------------------------------------------
      - -
    • -

      Elastic License 2.0

      -

      Used by:

      -
      Elastic License 2.0
      diff --git a/scripts/install.sh b/scripts/install.sh
      index 64b5a0ac99..b3697de80a 100755
      --- a/scripts/install.sh
      +++ b/scripts/install.sh
      @@ -11,7 +11,7 @@ BINARY_DOWNLOAD_PREFIX="https://github.com/apollographql/router/releases/downloa
       
       # Router version defined in apollo-router's Cargo.toml
       # Note: Change this line manually during the release steps.
      -PACKAGE_VERSION="v1.43.1"
      +PACKAGE_VERSION="v1.43.2"
       
       download_binary() {
           downloader --check