[Snyk] Upgrade: , fastify, graphql, mercurius

[WontonSam]

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Name	Versions	Released on

@apollo/subgraph
from 2.1.4 to 2.8.4 | 72 versions ahead of your current version | 2 months ago
on 2024-07-25
fastify
from 4.9.2 to 4.28.1 | 39 versions ahead of your current version | 2 months ago
on 2024-06-29
graphql
from 16.6.0 to 16.9.0 | 7 versions ahead of your current version | 3 months ago
on 2024-06-21
mercurius
from 11.5.0 to 14.1.0 | 17 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | 5 months ago
on 2024-04-22

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Denial of Service (DoS) SNYK-JS-WS-7266574	66	Proof of Concept
	Denial of Service (DoS) SNYK-JS-FASTIFYWEBSOCKET-3107038	66	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	66	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-UNDICI-3323845	66	Proof of Concept
	Cross-site Request Forgery (CSRF) SNYK-JS-FASTIFY-3136527	66	No Known Exploit
	Denial of Service (DoS) SNYK-JS-GRAPHQL-5905181	66	Proof of Concept
	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	66	Proof of Concept
	CRLF Injection SNYK-JS-UNDICI-3323844	66	Proof of Concept
	Improper Authorization SNYK-JS-UNDICI-6564964	66	No Known Exploit
	Information Exposure SNYK-JS-UNDICI-5962466	66	No Known Exploit
	Permissive Cross-domain Policy with Untrusted Domains SNYK-JS-UNDICI-6252336	66	No Known Exploit
	Improper Access Control SNYK-JS-UNDICI-6564963	66	No Known Exploit

Release notes

Package name: @apollo/subgraph

• 2.8.4 - 2024-07-25
• 2.8.3 - 2024-07-12
• 2.8.3-beta.2 - 2024-07-11
• 2.8.3-beta.1 - 2024-07-11
• 2.8.3-beta.0 - 2024-07-09
• 2.8.2 - 2024-06-28
• 2.8.1 - 2024-06-18
• 2.8.0 - 2024-05-29
• 2.8.0-connectors.5 - 2024-05-24
• 2.8.0-connectors.4 - 2024-05-15
• 2.8.0-connectors.3 - 2024-05-14
• 2.8.0-connectors.2 - 2024-05-13
• 2.8.0-connectors.1 - 2024-05-13
• 2.8.0-connectors.0 - 2024-05-10
• 2.8.0-alpha.1 - 2024-05-22
• 2.8.0-alpha.0 - 2024-05-17
• 2.7.8 - 2024-05-16
• 2.7.8-alpha.0 - 2024-05-16
• 2.7.7 - 2024-05-10
• 2.7.6 - 2024-05-07
• 2.7.5 - 2024-05-02
• 2.7.4 - 2024-04-22
• 2.7.4-testing.1 - 2024-04-23
• 2.7.3 - 2024-04-16
• 2.7.3-testing.0 - 2024-04-11
• 2.7.2 - 2024-03-21
• 2.7.1 - 2024-01-24
• 2.7.0 - 2024-01-20
• 2.6.3 - 2024-01-11
• 2.6.2 - 2023-12-11
• 2.6.1 - 2023-11-27
• 2.6.0 - 2023-11-27
• 2.5.7 - 2023-11-16
• 2.5.6 - 2023-10-13
• 2.5.5 - 2023-09-18
• 2.5.4 - 2023-08-31
• 2.5.3 - 2023-08-23
• 2.5.2 - 2023-08-04
• 2.5.1 - 2023-07-19
• 2.5.0 - 2023-07-18
• 2.4.13 - 2023-08-25
• 2.4.12 - 2023-08-04
• 2.4.11 - 2023-07-19
• 2.4.10 - 2023-07-17
• 2.4.9 - 2023-07-07
• 2.4.8 - 2023-06-15
• 2.4.7 - 2023-05-30
• 2.4.6 - 2023-05-25
• 2.4.5 - 2023-05-17
• 2.4.4 - 2023-05-17
• 2.4.3 - 2023-05-04
• 2.4.2 - 2023-04-20
• 2.4.1 - 2023-04-03
• 2.4.0 - 2023-03-17
• 2.4.0-alpha.1 - 2023-03-10
• 2.4.0-alpha.0 - 2023-03-10
• 2.3.6 - 2023-05-16
• 2.3.5 - 2023-03-15
• 2.3.4 - 2023-03-10
• 2.3.3 - 2023-03-07
• 2.3.2 - 2023-02-10
• 2.3.1 - 2023-02-06
• 2.3.0 - 2023-01-25
• 2.3.0-beta.3 - 2023-01-19
• 2.3.0-beta.2 - 2023-01-11
• 2.3.0-beta.1 - 2023-01-10
• 2.3.0-alpha.0 - 2022-12-15
• 2.2.3 - 2023-01-10
• 2.2.2 - 2022-12-09
• 2.2.2-rc0 - 2022-12-02
• 2.2.1 - 2022-11-22
• 2.2.0 - 2022-11-18
• 2.1.4 - 2022-10-24

from @apollo/subgraph GitHub release notes

Package name: fastify

• 4.28.1 - 2024-06-29
  

  What's Changed

  • [Backport 4.x] fix: server.listen listener is not cleanup properly by @ github-actions in #5523
  • [Backport 4.x] test: fix test finished earlier than expected by @ github-actions in #5541
  • fix(v4): update .npmignore by @ Eomm in #5538

  Full Changelog: v4.28.0...v4.28.1

• 4.28.0 - 2024-06-14
  

  What's Changed

  • test: fix closing - pipelining by @ climba03003 in #5486
  • refactor(backport v4.x): change reply.redirect() signature (#5483) by @ gurgunday in #5484
  • refactor(backport v4.x): hasRoute method comparison with case insensitive by @ SMNBLMRR in #5513
  • fix: (backport) Type inferrence with auxilliary hook handlers by @ aadito123 in #5518

  Full Changelog: v4.27.0...v4.28.0

• 4.27.0 - 2024-05-07
  

  What's Changed

  • docs(request): update request page by @ Tony133 in #5343
  • ci: Add Nsolid runtime to CI and Integration tests by @ riosje in #5332
  • docs(Ecosystem): add fastify-i18n, vite-plugin-fastify, and vite-plug… by @ Shyam-Chen in #5346
  • docs(ecosystem): update x-ray community plugin link by @ jorgevrgs in #5350
  • docs: spelling corrections by @ 10xLaCroixDrinker in #5349
  • docs: Remove ES module with NodeNext note by @ melroy89 in #5361
  • docs(ecosystem): add fastify-msgraph-change-notifications-webhook to community plugins by @ flower-of-the-bridges in #5360
  • docs: Add GitHub links to Type Providers + mention Zod by @ melroy89 in #5365
  • docs: fix errors table layout by @ aivopaas in #5374
  • chore: Bump pnpm/action-setup from 2 to 3 by @ dependabot in #5381
  • docs(typescript): update generic constraints link by @ Tony133 in #5379
  • types: narrow code reply type based on schema by @ hpx7 in #5380
  • fix: errorCodes import using ESM by @ melroy89 in #5390
  • fix: Extend tap with .test.mjs tests & Rename existing ESM test by @ melroy89 in #5391
  • docs(typescript): update example https server by @ Tony133 in #5389
  • docs(typescript): update snippet code by @ Tony133 in #5406
  • fix: benchmark CI by @ gurgunday in #5414
  • fix: remove-label job uses the wrong repo by @ gurgunday in #5415
  • fix: only run citgm if citgm-core-plugins label is set by @ gurgunday in #5416
  • feat: adds webdav methods that require body & content type parsing by @ johaven in #5411
  • docs: improve onError docs by specifying what the error handler is by @ tmcw in #5358
  • chore: add mercedes-benz as new sponsor by @ Eomm in #5424
  • chore(ecosystem): Add Fastify asyncforge plugin by @ rozzilla in #5429
  • types: reply.getSerializationFunction can return undefined by @ remidewitte in #5384
  • chore: Bump pino from 8.21.0 to 9.0.0 in the dependencies-major group by @ dependabot in #5431
  • chore: exclude node 14 and 16 on macOS by @ gurgunday in #5433
  • chore: Bump lycheeverse/lychee-action from 1.9.3 to 1.10.0 by @ dependabot in #5436
  • docs: update indentation on snippet code by @ Tony133 in #5418
  • docs(guides/abort): suggest explicit use of the aborted property by @ Fdawgs in #5438
  • feat: disable request logging by @ SamSalvatico in #5435
  • chore: add @ gurgunday to the Core Team by @ gurgunday in #5442
  • feat: add mkcalendar and report methods by @ keyservlad in #5439
  • feat: handle synchronous errors in errorHandler by @ mcollina in #5445
  • types: request route schema might be undefined by @ nflaig in #5394

  New Contributors

  • @ Tony133 made their first contribution in #5343
  • @ riosje made their first contribution in #5332
  • @ jorgevrgs made their first contribution in #5350
  • @ 10xLaCroixDrinker made their first contribution in #5349
  • @ melroy89 made their first contribution in #5361
  • @ flower-of-the-bridges made their first contribution in #5360
  • @ aivopaas made their first contribution in #5374
  • @ hpx7 made their first contribution in #5380
  • @ johaven made their first contribution in #5411
  • @ tmcw made their first contribution in #5358
  • @ remidewitte made their first contribution in #5384
  • @ SamSalvatico made their first contribution in #5435
  • @ keyservlad made their first contribution in #5439

  Full Changelog: v4.26.2...v4.27.0

• 4.26.2 - 2024-03-03
  

  What's Changed

  • fix: typo in module exports by @ lirantal in #5316
  • docs(ts): Fix links by @ rozzilla in #5308
  • fix: cb is not a function at fallbackErrorHandler by @ Uzlopak in #5317
  • feat: add a Firebase Functions step by step guide by @ lirantal in #5318
  • types: fix test failure by @ gurgunday in #5330
  • perf: use FifoMap to check contentType by @ gurgunday in #5331
  • docs(ecosystem): adds fastify-override to plugins list by @ matthyk in #5336
  • types: Export preClose hook types by @ matthyk in #5335
  • fix: database migration doc missing db connection code by @ nuhman in #5339
  • chore: Bump pnpm/action-setup from 2 to 3 by @ dependabot in #5341
  • chore: Bump xt0rted/markdownlint-problem-matcher from 2.0.0 to 3.0.0 by @ dependabot in #5342

  New Contributors

  • @ nuhman made their first contribution in #5339

  Full Changelog: v4.26.1...v4.26.2

• 4.26.1 - 2024-02-12
  

  What's Changed

  • docs(ecosystem): adds fastify-hana to the community plugins list by @ yoav0gal in #5289
  • docs: fix misattributed property parent in deprecation warning: request.elapsedTime by @ mscottnelson in #5299
  • chore: Bump lycheeverse/lychee-action from 1.8.0 to 1.9.3 by @ dependabot in #5300
  • chore: Bump actions/dependency-review-action from 3 to 4 by @ dependabot in #5301
  • chore(.gitignore): add .tap/ dir by @ Fdawgs in #5303
  • fix: amend error codes for latest avvio v8.3.0 by @ mcollina in #5309
  • fix(types): Request route options url add undefined by @ rozzilla in #5307
  • chore: add docs for tracing warnings by @ jsumners in #5310

  New Contributors

  • @ mscottnelson made their first contribution in #5299

  Full Changelog: v4.26.0...v4.26.1

• 4.26.0 - 2024-01-29
  

  What's Changed

  • docs(ecosystem): add missing plugins to core list by @ Fdawgs in #5234
  • ci: CITGM github workflow by @ Uzlopak in #5233
  • chore: bump find-may-way to v8.0.0 by @ mcollina in #5236
  • fix: setValidatorCompiler with addSchema by @ derammo in #5188
  • feat(routes): expose findRoute and param validator by @ sf3ris in #5230
  • feat: add use semicolon delimter config, default = true by @ dancastillo in #5239
  • chore: add autocannon and concurrently as dev dependencies by @ Uzlopak in #5240
  • fix: return the correct serializer function when no content-type is defined by @ DouglasdeMoura in #5229
  • Sync next by @ Uzlopak in #5238
  • docs: add open-collective by

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud