WhisperX tag archive

#graphql

This page collects WhisperX intelligence signals tagged #graphql. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.

Latest Signals (9)

The Lab · 2026-03-28 04:27:06 · GitHub Issues

1. GraphQL Subscriptions Transport Package Contains Two Unpatched Vulnerabilities, Including High-Severity CVE-2024-37890

A critical security alert has been raised for the `subscriptions-transport-ws` package, version 0.9.16, which contains two unpatched vulnerabilities in its underlying `ws` dependency. The most severe is a high-severity flaw, CVE-2024-37890, with a CVSS score of 7.5. A second, medium-severity vulnerability, CVE-2021-326...

The Lab · 2026-03-30 22:27:11 · GitHub Issues

2. Apollo Server v5 Security Update Pushes Critical Dependency Patch Across Codebases

A security-driven dependency update is forcing a major version jump for thousands of projects relying on Apollo Server. The automated pull request mandates an upgrade from version 4.7.1 to at least version 5.0.0, a significant leap that carries inherent integration risks. The update is flagged with a [SECURITY] tag, in...

The Lab · 2026-04-03 10:27:02 · GitHub Issues

3. Apollo Server Types Dependency Update Flags Security Vulnerability GHSA-9q82-xgwf-vj6h

A routine dependency update for the `apollo-server-types` package has surfaced a critical security advisory, GHSA-9q82-xgwf-vj6h, linked to a Cross-Site Request Forgery (CSRF) vulnerability. The automated pull request, managed by RenovateBot, explicitly warns that some dependencies could not be looked up, adding a laye...

The Lab · 2026-04-03 10:27:03 · GitHub Issues

4. Apollo Server Security Alert: Critical GraphQL Plugin Vulnerability Exposed (GHSA-9q82-xgwf-vj6h)

A critical security vulnerability in the widely used `apollo-server-plugin-base` package has been publicly disclosed, prompting urgent dependency updates across the GraphQL ecosystem. The flaw, tracked as GHSA-9q82-xgwf-vj6h, exposes applications to potential Cross-Site Request Forgery (CSRF) attacks. This is not a the...

The Lab · 2026-04-03 10:27:05 · GitHub Issues

5. Apollo Server Express Security Update: GraphQL Server Dependency Exposed to a Potential Vulnerability, Forced Upgrade to 5.5.0

A security update targeting the critical GraphQL server dependency `apollo-server-express` is being enforced. Renovate, the automated dependency management bot on GitHub, has submitted a pull request requiring the project's `apollo-server-express` to be upgraded directly from the `^5.0.0` version range to `^5.5.0`. This update is not an ordinary performance improvement; it is directly tied to a published GitHub security advisory, GHSA-9q82-xgwf-vj6h, indicating that older versions of the dependency carry a security risk that requires immediate patching. The update targets `apollo-server-express`, the core server package maintained by the Apollo GraphQL organization. According to the diff provided by Renovate...

The Lab · 2026-04-04 11:27:02 · GitHub Issues

6. Apollo Server Security Update: Default Configuration Contains a Denial-of-Service Vulnerability (CVE-2026-23897)

Apollo GraphQL has published an official security advisory: the default configuration of its core server package `@apollo/server` contains a high-severity vulnerability. The flaw, tracked as CVE-2026-23897, affects the `startStandaloneServer` function in the `@apollo/server/standalone` module. Under the default configuration, an attacker can craft a specific request body to mount a denial-of-service attack against the server, rendering it unavailable. This security update fixes the vulnerability by upgrading the `@apollo/server` dependency from version 5.2.0 to 5.5.0. According to the merge request generated by the automated dependency management tool Renovate, the update is routine security maintenance. The direct impact of the vulnerability is on Apoll... running under the vulnerable configuration...

The Lab · 2026-04-07 12:27:27 · GitHub Issues

7. Strawberry GraphQL WebSocket Authentication Bypass Exposed in CVE-2026-35523

A critical security flaw in the Strawberry GraphQL framework allows attackers to bypass authentication on WebSocket subscription endpoints. The vulnerability, tracked as CVE-2026-35523, is present in all versions up to 0.312.2. The core failure lies in the legacy `graphql-ws` subprotocol handler, which processes subscr...

The Lab · 2026-04-11 12:22:33 · GitHub Issues

8. Netflix DGS GraphQL Framework Exposes Critical 9.8 CVSS Vulnerabilities in Spring WebMVC

A critical security exposure has been identified within the dependency chain of Netflix's widely used GraphQL framework, DGS (Domain Graph Service). The `graphql-dgs-platform-dependencies:7.3.6` package, a core dependency for building GraphQL services, contains 64 vulnerabilities, with the highest severity rated a maxi...