Update koa-bodyparser to ^4.2.1 (Fixes content-length mismatch)#3229
Merged. abernix merged 4 commits on Aug 29, 2019.
Conversation
@brendanmoore: Thank you for submitting a pull request! Before we can merge it, you'll need to sign the Meteor Contributor Agreement here: https://contribute.meteor.com/
abernix added a commit that referenced this pull request on Aug 31, 2019.
abernix added a commit that referenced this pull request on Aug 31, 2019:

It was going to come to this sooner or later, since Node.js v6 is no longer supported by the Node.js Foundation. In this case, I'm adding this exception because after bringing in #3229 (2dd0592), the `koa-bodyparser` package was updated to a new major version which, itself, dropped Node.js 6 support.

That update to `koa-bodyparser`, which fixes an incorrect/malformed `Content-length` header calculation, is, I think, important enough that we should make sure it's included in Apollo Server, which currently drives the underlying version of Koa for all users because of its close coupling with Koa itself (via the `apollo-server-koa` package).

This micro-framework-management will no longer be a concern with Apollo Server, particularly because of the introduction of a transport abstraction, which I've proposed in #3184.

Ref: #3184
abernix added a commit that referenced this pull request on Aug 31, 2019:

Since Node.js v6 is no longer supported by the Node.js Foundation, it was going to come to this sooner or later, since transitive packages are inching their ECMAScript compilation targets to more and more recent versions of the language. While Apollo Server itself will drop support for Node.js v6 in 3.x, the current Koa integration necessitates a more immediate exception since, after bringing in #3229 (2dd0592), the `koa-bodyparser` package was updated to a new major version which, itself, dropped Node.js 6 support.

That update to `koa-bodyparser`, which fixes an incorrect/malformed `Content-length` header calculation, is important enough on its own, but there's also a [CVE][1] for the [`qs`][2] dependency, which makes it even more pressing. We should make sure both of those are included in Apollo Server, which currently drives the underlying version of Koa for all users because of its close coupling with Koa itself (via the `apollo-server-koa` package).

This doesn't necessarily mean that those who are still on Node.js v6 are completely out of luck, since they could probably modify their `package-lock.json` files to use an older copy of `koa-bodyparser`, but anyone still using Node.js v6 should certainly make considerations, sooner rather than later, about upgrading to more recent and more supported versions of Node.js!

Luckily, this micro-framework-management will soon no longer be a concern with Apollo Server, particularly because of the introduction of a transport abstraction, which I've proposed in #3184.

Ref: #3184
Fixes: #3050

[1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000048
[2]: https://npm.im/qs
Issue:

`apollo-server-koa` will incorrectly throw `request size did not match content length` from the `raw-body` dependency when a well formed request with a `content-length` header is followed by a well formed request without a `content-length` header, i.e. chunked encoding.

Cause:

`koa-bodyparser` creates singleton options objects for `co-body` on this line. The version of `co-body` that Apollo Server Koa resolves to will mutate that options object (fixed in this commit): when a `content-length` header is present, the value is persisted in the singleton. So any follow-up request that might not contain `content-length` will use the previous value.

Reproduction:

1. Send a request to `apollo-server-koa` with a valid body and a correct `content-length` header.
2. Send a request to `apollo-server-koa` with `transfer-encoding: chunked` and a different body, so the resultant length is different to the first request.
3. `request size did not match content length` will be thrown.

Fix:

The `co-body` dependency has been fixed (in 2017!). Updating `koa-bodyparser` to a version that supports the fix will resolve the issue.
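The cross-request state leak described above, as an added example that is not code from this PR, `koa-bodyparser`, `co-body` or `raw-body`. It is a constructed model of the mechanism the description gives: a body-parsing middleware builds its options object once, the lower layer writes the request's `Content-Length` into that shared object, and the next chunked request is checked against the stale length. The function names (`readBody`, `parseBodyMutating`, `parseBodyCopying`, `makeBodyParser`, `runSequence`), the request shapes and the two GraphQL bodies are assumptions; the error message is the one quoted in the description.

```javascript
'use strict';

// Added example (not code from koa-bodyparser, co-body or raw-body): a
// constructed model of the cross-request state leak this PR describes.
// readBody models the length check, parseBodyMutating the behaviour that
// wrote Content-Length into the caller's options object, parseBodyCopying
// the fixed behaviour. All names and request shapes are assumptions.

function readBody(chunks, opts) {
  const body = Buffer.concat(chunks);
  // If an expected length is set, the bytes actually received must match it.
  if (opts.length != null && body.length !== opts.length) {
    const err = new Error('request size did not match content length');
    err.status = 400;
    err.type = 'request.size.invalid';
    throw err;
  }
  return body.toString(opts.encoding || 'utf8');
}

// Buggy variant: writes the header value straight into the options object it
// was handed, so the value outlives this request when that object is shared.
function parseBodyMutating(req, options) {
  const opts = options || {};
  const len = req.headers['content-length'];
  if (len !== undefined) opts.length = Number(len);
  return readBody(req.chunks, opts);
}

// Fixed variant: works on a per-request copy, so nothing leaks between requests.
function parseBodyCopying(req, options) {
  const opts = Object.assign({}, options);
  const len = req.headers['content-length'];
  if (len !== undefined) opts.length = Number(len);
  return readBody(req.chunks, opts);
}

// Models the middleware building its options object once, at setup time, and
// handing that same object to the parser for every request it sees.
function makeBodyParser(parseBody) {
  const jsonOpts = { encoding: 'utf8', limit: '1mb' }; // singleton shared by all requests
  return (req) => parseBody(req, jsonOpts);
}

// Constructed requests: the first carries Content-Length, the second is
// chunked (no Content-Length) and carries a body of a different size.
const firstBody = Buffer.from('{"query":"{ __typename }"}');
const firstRequest = {
  headers: { 'content-length': String(firstBody.length) },
  chunks: [firstBody],
};
const secondRequest = {
  headers: { 'transfer-encoding': 'chunked' },
  chunks: [Buffer.from('{"query":"{ me '), Buffer.from('{ id } }"}')],
};

// Runs both requests, in order, through one parser instance and records the
// outcome of each, so the two parser variants can be compared side by side.
function runSequence(parseBody) {
  const parser = makeBodyParser(parseBody);
  return [firstRequest, secondRequest].map((req) => {
    try {
      return { ok: true, body: parser(req) };
    } catch (err) {
      return { ok: false, error: err.message };
    }
  });
}

console.log('mutating options:', runSequence(parseBodyMutating));
console.log('copied options:  ', runSequence(parseBodyCopying));
```

With the mutating parser the first request succeeds and leaves `length` behind in the shared options, so the second, chunked request fails with the error from the description even though it is well formed; with the copying parser both parse. The same pattern (a long-lived options or config object handed by reference to a layer that treats it as scratch space) is worth checking for in any middleware chain, since the symptom only appears under a specific request ordering and so tends to escape single-request tests.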