Avoid ws CVE-2021-32640 (#5285)

Apollo Server 2 depends on `subscriptions-transport-ws` for a
superficial implementation of GraphQL subscription support. (Apollo
Server 3.0.0 will not have built-in subscription support.) This
unmaintained package depended on `ws` v5. All releases of v5 `ws` have a
server DOS vulnerability: https://www.npmjs.com/advisories/1748

This change:
- Removes the direct dependency on `ws` from `apollo-server-core`. This
  dependency was only used for types, so its imports have been changed
  to `import type` which pulls from `@types/ws`.
- Updates the `subscriptions-transport-ws` dependency in
  `apollo-server-core` and `apollo-server-express` to the newly-released
  0.9.19, which allows for `ws` v6 and v7. This means that via
  appropriate `npm` installations, you can install one of the
  non-vulnerable versions (6.2.2+ or 7.4.6+). Note that there are
  backwards incompatible changes in ws v6 and v7; see
  https://github.com/websockets/ws/releases/tag/6.0.0 and
  https://github.com/websockets/ws/releases/tag/7.0.0 for details.
- Does some other small upgrades of ws-related packages.

Note that the best way to protect yourself from this vulnerability is to
avoid using the unmaintained `subscriptions-transport-ws` entirely by
passing `subscriptions: false` to `new ApolloServer` and (if you do need
to use subscriptions) using a maintained GraphQL subscription server
such as `graphql-ws`.

Author: glasser

package-lock.json

@@ -92,7 +92,7 @@
     "@types/test-listen": "1.1.0",
     "@types/type-is": "1.6.3",
     "@types/uuid": "8.3.0",
-    "@types/ws": "7.4.2",
+    "@types/ws": "7.4.4",
     "apollo-fetch": "0.7.0",
     "apollo-link": "1.2.14",
     "apollo-link-http": "1.5.17",
@@ -128,7 +128,7 @@
     "qs-middleware": "1.0.3",
     "request": "2.88.2",
     "request-promise": "4.2.6",
-    "subscriptions-transport-ws": "0.9.18",
+    "subscriptions-transport-ws": "0.9.19",
     "supertest": "6.1.3",
     "test-listen": "1.1.0",
     "ts-jest": "26.5.6",

package.json

@@ -48,9 +48,8 @@
     "loglevel": "^1.6.7",
     "lru-cache": "^6.0.0",
     "sha.js": "^2.4.11",
-    "subscriptions-transport-ws": "^0.9.11",
-    "uuid": "^8.0.0",
-    "ws": "^6.0.0"
+    "subscriptions-transport-ws": "^0.9.19",
+    "uuid": "^8.0.0"
   },
   "peerDependencies": {
     "graphql": "^0.12.0 || ^0.13.0 || ^14.0.0 || ^15.0.0"

packages/apollo-server-core/package.json

@@ -34,12 +34,12 @@ import {
 } from 'apollo-server-plugin-base';
 import runtimeSupportsUploads from './utils/runtimeSupportsUploads';
 
-import {
+import type {
   SubscriptionServer,
   ExecutionParams,
 } from 'subscriptions-transport-ws';
 
-import WebSocket from 'ws';
+import type WebSocket from 'ws';
 
 import { formatApolloErrors } from 'apollo-server-errors';
 import { GraphQLServerOptions, PersistedQueryOptions } from './graphqlOptions';

packages/apollo-server-core/src/ApolloServer.ts

@@ -14,9 +14,7 @@ import {
   ApolloConfigInput,
 } from 'apollo-server-types';
 import { ConnectionContext } from 'subscriptions-transport-ws';
-// The types for `ws` use `export = WebSocket`, so we'll use the
-// matching `import =` to bring in its sole export.
-import WebSocket = require('ws');
+import type WebSocket from 'ws';
 import { GraphQLExtension } from 'graphql-extensions';
 export { GraphQLExtension } from 'graphql-extensions';
 

packages/apollo-server-core/src/types.ts

@@ -42,7 +42,7 @@
     "graphql-subscriptions": "^1.0.0",
     "graphql-tools": "^4.0.8",
     "parseurl": "^1.3.2",
-    "subscriptions-transport-ws": "^0.9.16",
+    "subscriptions-transport-ws": "^0.9.19",
     "type-is": "^1.6.16"
   },
   "devDependencies": {

packages/apollo-server-express/package.json

@@ -15,7 +15,7 @@ import {
   Context,
   Config,
 } from 'apollo-server-core';
-import { ExecutionParams } from 'subscriptions-transport-ws';
+import type { ExecutionParams } from 'subscriptions-transport-ws';
 import accepts from 'accepts';
 import typeis from 'type-is';
 import { graphqlExpress } from './expressApollo';