chore(deps): update @whatwg-node/fetch to fix vulnerability (ardatan#4605)

* chore(deps): update @whatwg-node/fetch to fix vulnerability

* Create pink-ads-warn.md

* Fix

* Update changeset

* Fix lint

Co-authored-by: Arda TANRIKULU <ardatanrikulu@gmail.com>

Author: charlypoly

.changeset/pink-ads-warn.md

@@ -0,0 +1,7 @@
+---
+'@graphql-tools/apollo-engine-loader': patch
+'@graphql-tools/github-loader': patch
+'@graphql-tools/url-loader': patch
+---
+
+chore(deps): update @whatwg-node/fetch to fix vulnerability

packages/loaders/apollo-engine/package.json

@@ -52,7 +52,7 @@
   },
   "dependencies": {
     "@graphql-tools/utils": "8.9.0",
-    "@whatwg-node/fetch": "^0.0.2",
+    "@whatwg-node/fetch": "^0.2.4",
     "sync-fetch": "0.4.1",
     "tslib": "^2.4.0"
   },

packages/loaders/github/package.json

@@ -53,7 +53,7 @@
   "dependencies": {
     "@graphql-tools/utils": "8.9.0",
     "@graphql-tools/graphql-tag-pluck": "7.3.1",
-    "@whatwg-node/fetch": "^0.0.2",
+    "@whatwg-node/fetch": "^0.2.4",
     "sync-fetch": "0.4.1",
     "tslib": "^2.4.0"
   },

packages/loaders/url/package.json

@@ -70,7 +70,7 @@
     "@graphql-tools/wrap": "8.5.1",
     "@n1ru4l/graphql-live-query": "^0.9.0",
     "@types/ws": "^8.0.0",
-    "@whatwg-node/fetch": "^0.0.2",
+    "@whatwg-node/fetch": "^0.2.4",
     "dset": "^3.1.2",
     "extract-files": "^11.0.0",
     "graphql-ws": "^5.4.1",

packages/loaders/url/src/event-stream/handleAsyncIterable.ts

@@ -1,17 +1,11 @@
 /* eslint-disable no-labels */
+import { TextDecoder } from '@whatwg-node/fetch';
 
-let decodeUint8Array: (uint8Array: Uint8Array) => string;
-
-if (globalThis.Buffer) {
-  decodeUint8Array = uint8Array => globalThis.Buffer.from(uint8Array).toString('utf-8');
-} else {
-  const textDecoder = new TextDecoder();
-  decodeUint8Array = uint8Array => textDecoder.decode(uint8Array, { stream: true });
-}
+const textDecoder = new TextDecoder('handleAsyncIterable');
 
 export async function* handleAsyncIterable(asyncIterable: AsyncIterable<Uint8Array | string>) {
   outer: for await (const chunk of asyncIterable) {
-    const chunkStr = typeof chunk === 'string' ? chunk : decodeUint8Array(chunk);
+    const chunkStr = typeof chunk === 'string' ? chunk : textDecoder.decode(chunk, { stream: true });
     for (const part of chunkStr.split('\n\n')) {
       if (part) {
         const eventStr = part.split('event: ')[1];

packages/loaders/url/src/event-stream/handleEventStreamResponse.ts

@@ -3,14 +3,20 @@ import { inspect, isAsyncIterable } from '@graphql-tools/utils';
 import { handleAsyncIterable } from './handleAsyncIterable.js';
 import { handleReadableStream } from './handleReadableStream.js';
 
-export async function handleEventStreamResponse(response: Response): Promise<AsyncGenerator<ExecutionResult>> {
+export function isReadableStream(value: any): value is ReadableStream {
+  return value && typeof value.getReader === 'function';
+}
+
+export async function handleEventStreamResponse(response: Response): Promise<AsyncIterable<ExecutionResult>> {
   // node-fetch returns body as a promise so we need to resolve it
   const body = response.body;
   if (body) {
+    if (isReadableStream(body)) {
+      return handleReadableStream(body);
+    }
     if (isAsyncIterable<Uint8Array | string>(body)) {
       return handleAsyncIterable(body);
     }
-    return handleReadableStream(body);
   }
   throw new Error('Response body is expected to be a readable stream but got; ' + inspect(body));
 }

packages/loaders/url/src/event-stream/handleReadableStream.ts

@@ -1,28 +1,49 @@
-/* eslint-disable no-labels */
+import { observableToAsyncIterable } from '@graphql-tools/utils';
+import { TextDecoder } from '@whatwg-node/fetch';
+import { ExecutionResult } from 'graphql';
 
-export async function* handleReadableStream(readableStream: ReadableStream<Uint8Array>) {
-  const textDecoderStream = new TextDecoderStream();
-  const decodedStream = readableStream.pipeThrough(textDecoderStream);
-  const reader = decodedStream.getReader();
-  outer: while (true) {
-    const { value, done } = await reader.read();
-    if (value) {
-      for (const part of value.split('\n\n')) {
-        if (part) {
-          const eventStr = part.split('event: ')[1];
-          const dataStr = part.split('data: ')[1];
-          if (eventStr === 'complete') {
-            break outer;
+const textDecoder = new TextDecoder('handleReadableStream');
+
+export function handleReadableStream(readableStream: ReadableStream<Uint8Array>) {
+  return observableToAsyncIterable<ExecutionResult>({
+    subscribe: observer => {
+      const reader = readableStream.getReader();
+      let completed = false;
+      function pump() {
+        return reader.read().then(({ done, value }) => {
+          if (completed) {
+            return;
+          }
+          if (value) {
+            const chunk = typeof value === 'string' ? value : textDecoder.decode(value, { stream: true });
+            for (const part of chunk.split('\n\n')) {
+              if (part) {
+                const eventStr = part.split('event: ')[1];
+                const dataStr = part.split('data: ')[1];
+                if (eventStr === 'complete') {
+                  observer.complete();
+                }
+                if (dataStr) {
+                  const data = JSON.parse(dataStr);
+                  observer.next(data.payload || data);
+                }
+              }
+            }
           }
-          if (dataStr) {
-            const data = JSON.parse(dataStr);
-            yield data.payload || data;
+          if (done) {
+            observer.complete();
+          } else {
+            pump();
           }
-        }
+        });
       }
-    }
-    if (done) {
-      break;
-    }
-  }
+      pump();
+      return {
+        unsubscribe: () => {
+          reader.cancel();
+          completed = true;
+        },
+      };
+    },
+  });
 }

packages/loaders/url/tests/handleEventStreamResponse.test.ts

@@ -13,8 +13,9 @@ describe('handleEventStreamResponse', () => {
     });
 
     const response = new Response(readableStream);
-    const generator = await handleEventStreamResponse(response);
-    const { value } = await generator.next();
+    const asyncIterable = await handleEventStreamResponse(response);
+    const iterator = asyncIterable[Symbol.asyncIterator]();
+    const { value } = await iterator.next();
 
     expect(value).toMatchInlineSnapshot(`
           Object {
@@ -32,8 +33,9 @@ describe('handleEventStreamResponse', () => {
       },
     });
     const response = new Response(readableStream);
-    const generator = await handleEventStreamResponse(response);
-    const iteratorResult = await generator.next();
+    const asyncIterable = await handleEventStreamResponse(response);
+    const iterator = asyncIterable[Symbol.asyncIterator]();
+    const iteratorResult = await iterator.next();
 
     expect(iteratorResult).toMatchInlineSnapshot(`
       Object {

packages/loaders/url/tests/url-loader.spec.ts

@@ -840,7 +840,7 @@ input TestInput {
         const secondResult = await iterator.next();
         expect(secondResult.value).toStrictEqual(sentDatas[1]);
         // Stop the request
-        await iterator.return!().catch(() => null);
+        await iterator.return?.();
         const doneResult = await iterator.next();
         expect(doneResult).toStrictEqual({ done: true, value: undefined });
         expect(await serverResponseEnded$!).toBe(true);

yarn.lock

@@ -3031,6 +3031,33 @@
   resolved "https://registry.yarnpkg.com/@opentelemetry/api/-/api-1.0.2.tgz#921e1f2b2484b762d77225a8a25074482d93fccf"
   integrity sha512-DCF9oC89ao8/EJUqrp/beBlDR8Bp2R43jqtzayqCoomIvkwTuPfLcHdVhIGRR69GFlkykFjcDW+V92t0AS7Tww==
 
+"@peculiar/asn1-schema@^2.1.6":
+  version "2.2.0"
+  resolved "https://registry.yarnpkg.com/@peculiar/asn1-schema/-/asn1-schema-2.2.0.tgz#d8a54527685c8dee518e6448137349444310ad64"
+  integrity sha512-1ENEJNY7Lwlua/1wvzpYP194WtjQBfFxvde2FlzfBFh/ln6wvChrtxlORhbKEnYswzn6fOC4c7HdC5izLPMTJg==
+  dependencies:
+    asn1js "^3.0.5"
+    pvtsutils "^1.3.2"
+    tslib "^2.4.0"
+
+"@peculiar/json-schema@^1.1.12":
+  version "1.1.12"
+  resolved "https://registry.yarnpkg.com/@peculiar/json-schema/-/json-schema-1.1.12.tgz#fe61e85259e3b5ba5ad566cb62ca75b3d3cd5339"
+  integrity sha512-coUfuoMeIB7B8/NMekxaDzLhaYmp0HZNPEjYRm9goRou8UZIC3z21s0sL9AWoCw4EG876QyO3kYrc61WNF9B/w==
+  dependencies:
+    tslib "^2.0.0"
+
+"@peculiar/webcrypto@^1.4.0":
+  version "1.4.0"
+  resolved "https://registry.yarnpkg.com/@peculiar/webcrypto/-/webcrypto-1.4.0.tgz#f941bd95285a0f8a3d2af39ccda5197b80cd32bf"
+  integrity sha512-U58N44b2m3OuTgpmKgf0LPDOmP3bhwNz01vAnj1mBwxBASRhptWYK+M3zG+HBkDqGQM+bFsoIihTW8MdmPXEqg==
+  dependencies:
+    "@peculiar/asn1-schema" "^2.1.6"
+    "@peculiar/json-schema" "^1.1.12"
+    pvtsutils "^1.3.2"
+    tslib "^2.4.0"
+    webcrypto-core "^1.7.4"
+
 "@percy/config@^1.0.0-beta.36":
   version "1.0.5"
   resolved "https://registry.yarnpkg.com/@percy/config/-/config-1.0.5.tgz#a479e5ead928820da4deb1d33575690009f13747"
@@ -4195,17 +4222,19 @@
     "@webassemblyjs/ast" "1.11.1"
     "@xtuc/long" "4.2.2"
 
-"@whatwg-node/fetch@^0.0.2":
-  version "0.0.2"
-  resolved "https://registry.yarnpkg.com/@whatwg-node/fetch/-/fetch-0.0.2.tgz#4242c4e36714b5018ccac0ab76f4ab5a208fbc1c"
-  integrity sha512-qiZn8dYRg0POzUvmHBs7blLxl6DPL+b+Z0JUsGaj7/8PFe2BJG9onrUVX6OWh6Z9YhcYw8yu+wtCAme5ZMiCKQ==
+"@whatwg-node/fetch@^0.2.4":
+  version "0.2.4"
+  resolved "https://registry.yarnpkg.com/@whatwg-node/fetch/-/fetch-0.2.4.tgz#2290257d089cf3b85bcb59f4b0c2429512833d18"
+  integrity sha512-/bCrTp7TYUiP37hFjBb6aIAxS3VR2jSTxKArrV8UVwKeqP2yxadmgJDPBO8lQYDKvnVVf8ipP8rCu/jUMSR0kQ==
   dependencies:
+    "@peculiar/webcrypto" "^1.4.0"
     abort-controller "^3.0.0"
     busboy "^1.6.0"
+    event-target-polyfill "^0.0.3"
     form-data-encoder "^1.7.1"
     formdata-node "^4.3.1"
     node-fetch "^2.6.7"
-    undici "5.5.1"
+    undici "^5.8.0"
     web-streams-polyfill "^3.2.0"
 
 "@wry/context@^0.6.0":
@@ -4616,6 +4645,15 @@ asap@~2.0.3:
   resolved "https://registry.yarnpkg.com/asap/-/asap-2.0.6.tgz#e50347611d7e690943208bbdafebcbc2fb866d46"
   integrity sha1-5QNHYR1+aQlDIIu9r+vLwvuGbUY=
 
+asn1js@^3.0.1, asn1js@^3.0.5:
+  version "3.0.5"
+  resolved "https://registry.yarnpkg.com/asn1js/-/asn1js-3.0.5.tgz#5ea36820443dbefb51cc7f88a2ebb5b462114f38"
+  integrity sha512-FVnvrKJwpt9LP2lAMl8qZswRNm3T4q9CON+bxldk2iwk3FFpuwhx2FfinyitizWHsVYyaY+y5JzDR0rCMV5yTQ==
+  dependencies:
+    pvtsutils "^1.3.2"
+    pvutils "^1.1.3"
+    tslib "^2.4.0"
+
 assign-symbols@^1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/assign-symbols/-/assign-symbols-1.0.0.tgz#59667f41fadd4f20ccbc2bb96b8d4f7f78ec0367"
@@ -6894,6 +6932,11 @@ etag@~1.8.1:
   resolved "https://registry.yarnpkg.com/etag/-/etag-1.8.1.tgz#41ae2eeb65efa62268aebfea83ac7d79299b0887"
   integrity sha1-Qa4u62XvpiJorr/qg6x9eSmbCIc=
 
+event-target-polyfill@^0.0.3:
+  version "0.0.3"
+  resolved "https://registry.yarnpkg.com/event-target-polyfill/-/event-target-polyfill-0.0.3.tgz#ed373295f3b257774b5d75afb2599331d9f3406c"
+  integrity sha512-ZMc6UuvmbinrCk4RzGyVmRyIsAyxMRlp4CqSrcQRO8Dy0A9ldbiRy5kdtBj4OtP7EClGdqGfIqo9JmOClMsGLQ==
+
 event-target-shim@^5.0.0:
   version "5.0.1"
   resolved "https://registry.yarnpkg.com/event-target-shim/-/event-target-shim-5.0.1.tgz#5d4d3ebdf9583d63a5333ce2deb7480ab2b05789"
@@ -11407,6 +11450,18 @@ purgecss@^4.0.3:
     postcss "^8.3.5"
     postcss-selector-parser "^6.0.6"
 
+pvtsutils@^1.3.2:
+  version "1.3.2"
+  resolved "https://registry.yarnpkg.com/pvtsutils/-/pvtsutils-1.3.2.tgz#9f8570d132cdd3c27ab7d51a2799239bf8d8d5de"
+  integrity sha512-+Ipe2iNUyrZz+8K/2IOo+kKikdtfhRKzNpQbruF2URmqPtoqAs8g3xS7TJvFF2GcPXjh7DkqMnpVveRFq4PgEQ==
+  dependencies:
+    tslib "^2.4.0"
+
+pvutils@^1.1.3:
+  version "1.1.3"
+  resolved "https://registry.yarnpkg.com/pvutils/-/pvutils-1.1.3.tgz#f35fc1d27e7cd3dfbd39c0826d173e806a03f5a3"
+  integrity sha512-pMpnA0qRdFp32b1sJl1wOJNxZLQ2cbQx+k6tjNtZ8CpvVhNqEPRgivZ2WOUev2YMajecdH7ctUPDvEe87nariQ==
+
 qs@6.10.3:
   version "6.10.3"
   resolved "https://registry.yarnpkg.com/qs/-/qs-6.10.3.tgz#d6cde1b2ffca87b5aa57889816c5f81535e22e8e"
@@ -13483,6 +13538,11 @@ undici@5.5.1:
   resolved "https://registry.yarnpkg.com/undici/-/undici-5.5.1.tgz#baaf25844a99eaa0b22e1ef8d205bffe587c8f43"
   integrity sha512-MEvryPLf18HvlCbLSzCW0U00IMftKGI5udnjrQbC5D4P0Hodwffhv+iGfWuJwg16Y/TK11ZFK8i+BPVW2z/eAw==
 
+undici@^5.8.0:
+  version "5.8.0"
+  resolved "https://registry.yarnpkg.com/undici/-/undici-5.8.0.tgz#dec9a8ccd90e5a1d81d43c0eab6503146d649a4f"
+  integrity sha512-1F7Vtcez5w/LwH2G2tGnFIihuWUlc58YidwLiCv+jR2Z50x0tNXpRRw7eOIJ+GvqCqIkg9SB7NWAJ/T9TLfv8Q==
+
 unicode-canonical-property-names-ecmascript@^2.0.0:
   version "2.0.0"
   resolved "https://registry.yarnpkg.com/unicode-canonical-property-names-ecmascript/-/unicode-canonical-property-names-ecmascript-2.0.0.tgz#301acdc525631670d39f6146e0e77ff6bbdebddc"
@@ -13943,6 +14003,17 @@ web-streams-polyfill@^3.2.0:
   resolved "https://registry.yarnpkg.com/web-streams-polyfill/-/web-streams-polyfill-3.2.0.tgz#a6b74026b38e4885869fb5c589e90b95ccfc7965"
   integrity sha512-EqPmREeOzttaLRm5HS7io98goBgZ7IVz79aDvqjD0kYXLtFZTc0T/U6wHTPKyIjb+MdN7DFIIX6hgdBEpWmfPA==
 
+webcrypto-core@^1.7.4:
+  version "1.7.5"
+  resolved "https://registry.yarnpkg.com/webcrypto-core/-/webcrypto-core-1.7.5.tgz#c02104c953ca7107557f9c165d194c6316587ca4"
+  integrity sha512-gaExY2/3EHQlRNNNVSrbG2Cg94Rutl7fAaKILS1w8ZDhGxdFOaw6EbCfHIxPy9vt/xwp5o0VQAx9aySPF6hU1A==
+  dependencies:
+    "@peculiar/asn1-schema" "^2.1.6"
+    "@peculiar/json-schema" "^1.1.12"
+    asn1js "^3.0.1"
+    pvtsutils "^1.3.2"
+    tslib "^2.4.0"
+
 webidl-conversions@^3.0.0:
   version "3.0.1"
   resolved "https://registry.yarnpkg.com/webidl-conversions/-/webidl-conversions-3.0.1.tgz#24534275e2a7bc6be7bc86611cc16ae0a5654871"