Release 3.9.0 #6537
Small styling changes, besides that everything looks good!
docs/source/api/apollo-server.mdx
Outdated
|
||
By default, the cache is unbounded. We don't recommend this, since a malicious client can run your server out of memory and cause it to crash by filling it with APQs. | ||
|
||
If you don't want to configure your own cache, you should set `cache: "bounded"`. The bounded cache is an [`InMemoryLRUCache`](https://www.npmjs.com/package/@apollo/utils.keyvaluecache) with a default size of roughly 30MiB. |
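Review bot: the second paragraph gives the bounded cache's size ("roughly 30MiB") but does not say what happens once that limit is reached or how to choose a different limit. Since the first paragraph motivates the option with a memory-exhaustion risk, add a sentence stating the behaviour at the limit and pointing readers who need another size to configuring their own `InMemoryLRUCache`.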
Removing the first sentence because we now address this above:
If you don't want to configure your own cache, you should set `cache: "bounded"`. The bounded cache is an [`InMemoryLRUCache`](https://www.npmjs.com/package/@apollo/utils.keyvaluecache) with a default size of roughly 30MiB. | |
The default bounded cache is an [`InMemoryLRUCache`](https://www.npmjs.com/package/@apollo/utils.keyvaluecache) with a default size of roughly 30MiB. |
I agree that the duplication doesn't help but I think we should merge it with the previous paragraph and write something like "This bounded cache". Otherwise it's too easy to misread this as describing the default if you specify nothing. It's not a default, it's what "bounded" does.
#6522) Migrate caching dependencies away from `apollo-server-caching` which will no longer be actively developed as of AS v3.9.0. AS will now use `@apollo/utils.keyvaluecache` and support the use of `keyv` caches via a `KeyvAdapter` exported by `@apollo/utils.keyvadapter`.
This introduces a simple Map-backed, unbounded, in-memory cache which implements TTLs. This lets us remove the dependency on keyv and @apollo/utils.keyvadapter for a thing that we're going to actively tell people not to use anyway.
This commit introduces the `cache: "bounded"` option. AS3 has an unbounded cache by default, which means that a malicious client can take an open-ended amount of memory in the cache, crashing the server. Rather than breaking what has been the status quo since the beginning of the project, we've chosen to add an opt-in option in order to use a bounded cache with very little configuration. Similar to `csrfPrevention`, we've updated all examples in our docs to use this `bounded` option. This option will go away in AS4 when a bounded cache becomes the default.
Remove apollo-server-caching, apollo-server-cache-redis, and apollo-server-cache-memcached packages. We will continue to offer bugfixes for these packages as needed but don't intend to continue active development on them. Our recommendation going forward will be to use the keyv package along with our KeyvAdapter from the @apollo/utils.keyvadapter package. Docs updates to come in a following PR (but coupled with this release). The KeyValueCache interface and InMemoryLRUCache wrapper around lru-cache (as well as a few useful cache wrappers like PrefixingKeyValueCache) will continue to exist in the @apollo/utils.keyvaluecache package. It's worth mentioning that InMemoryLRUCache is on a newer major version of lru-cache which doesn't permit the unbounded behavior which we've had by default. In AS 3.9 you can opt into the bounded cache, and in AS4 it will be the default.
Issue a warning in production mode if neither the cache nor the APQ cache (persistedQueries.cache) are configured. We've provided a simple path to using a bounded cache via: #6536 The current default for AS3 is an unbounded in memory cache, which is susceptible to a DOS attack since APQs can fill up the server's memory with no limit. This warning provides an actionable recommendation to update their configuration in order to prevent this.
Add new page for configuring Apollo Server's cache. Include details on how to use `InMemoryCache` as well as `Keyv` + `KeyvAdapter`. Add information about the new `cache: "bounded"` option and the associated risks. Update other cache-related docs to point to the new cache-backends page when appropriate. Co-authored-by: Rose M Koron <32436232+rkoron007@users.noreply.github.com> Co-authored-by: Stephen Barlow <stephen@apollographql.com>
Co-authored-by: Rose M Koron <32436232+rkoron007@users.noreply.github.com>
- apollo-datasource-rest@3.6.1
- apollo-datasource@3.3.2
- apollo-server-azure-functions@3.9.0
- apollo-server-cloud-functions@3.9.0
- apollo-server-cloudflare@3.9.0
- apollo-server-core@3.9.0
- apollo-server-express@3.9.0
- apollo-server-fastify@3.9.0
- apollo-server-hapi@3.9.0
- apollo-server-integration-testsuite@3.9.0
- apollo-server-koa@3.9.0
- apollo-server-lambda@3.9.0
- apollo-server-micro@3.9.0
- apollo-server-plugin-base@3.6.1
- apollo-server-plugin-response-cache@3.6.1
- apollo-server-types@3.6.1
- apollo-server@3.9.0
As with release PRs in the past, this is a PR tracking a `release-x.y.z` branch for an upcoming release of Apollo Server. 🙌 The version in the title of this PR should correspond to the appropriate branch.

Check the appropriate milestone (to the right) for more details on what we hope to get into this release!

The intention of these release branches is to gather changes which are intended to land in a specific version (again, indicated by the subject of this PR). Release branches allow additional clarity into what is being staged, provide a forum for comments from the community pertaining to the release's stability, and to facilitate the creation of pre-releases (e.g. `alpha`, `beta`, `rc`) without affecting the `main` branch.

PRs for new features might be opened against or re-targeted to this branch by the project maintainers. The `main` branch may be periodically merged into this branch up until the point in time that this branch is being prepared for release. Depending on the size of the release, this may be once it reaches RC (release candidate) stage with an `-rc.x` release suffix. Some less substantial releases may be short-lived and may never have pre-release versions.

When this version is officially released onto the `latest` npm tag, this PR will be merged into `main`.
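The commit messages in this PR describe an unbounded in-memory cache that APQ registrations can grow without limit, and a bounded cache as the fix. The sketch below is an added example, not code from Apollo Server or this PR: `ByteBoundedCache`, `apqKey`, `apqQuery` and `registerDistinctQueries` are hypothetical names, and the keys and queries are constructed sample data.

```javascript
// Added illustration. ByteBoundedCache is hypothetical, not Apollo's InMemoryLRUCache.
class ByteBoundedCache {
  constructor(maxBytes) {
    this.maxBytes = maxBytes; // Infinity models the unbounded AS3 default
    this.bytes = 0;
    this.map = new Map(); // insertion order: first key is least recently used
  }
  static sizeOf(key, value) {
    return Buffer.byteLength(key) + Buffer.byteLength(value);
  }
  get(key) {
    const value = this.map.get(key);
    if (value === undefined) return undefined;
    this.map.delete(key); // re-insert so the key becomes most recently used
    this.map.set(key, value);
    return value;
  }
  set(key, value) {
    this.delete(key); // replacing a key must not double-count its bytes
    const size = ByteBoundedCache.sizeOf(key, value);
    if (size > this.maxBytes) return; // one oversized entry is never stored
    this.map.set(key, value);
    this.bytes += size;
    while (this.bytes > this.maxBytes) {
      this.delete(this.map.keys().next().value); // evict least recently used
    }
  }
  delete(key) {
    const value = this.map.get(key);
    if (value === undefined) return false;
    this.bytes -= ByteBoundedCache.sizeOf(key, value);
    return this.map.delete(key);
  }
}

// Constructed key: a 64-hex-character stand-in for the query hash an APQ is stored under.
const apqKey = (i) => "apq:" + i.toString(16).padStart(64, "0");
const apqQuery = (i) => `query Q${i} { field${i} }`;

// Constructed workload: n distinct queries, each registered once and never reused.
function registerDistinctQueries(cache, n) {
  for (let i = 0; i < n; i++) cache.set(apqKey(i), apqQuery(i));
  return cache;
}

const unbounded = registerDistinctQueries(new ByteBoundedCache(Infinity), 5000);
const bounded = registerDistinctQueries(new ByteBoundedCache(64 * 1024), 5000);
console.log(unbounded.map.size, unbounded.bytes); // grows with every new query
console.log(bounded.map.size, bounded.bytes); // stays at or below the byte limit
```

With the same workload, the unbounded instance retains every entry while the bounded one evicts the oldest registrations and keeps serving the most recent ones.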