Merge branch 'main' into jessehallett/eng-1024-nested-field-aggregates

CHANGELOG.md

@@ -14,8 +14,23 @@ This changelog documents the changes between release versions.
 
 ### Fixed
 
+- Upgrade dependencies to get fix for RUSTSEC-2024-0421, a vulnerability in domain name comparisons ([#138](https://github.com/hasura/ndc-mongodb/pull/138))
 - Aggregations on empty document sets now produce `null` instead of failing with an error ([#136](https://github.com/hasura/ndc-mongodb/pull/136))
 
+#### Fix for RUSTSEC-2024-0421 / CVE-2024-12224
+
+Updates dependencies to upgrade the library, idna, to get a version that is not
+affected by a vulnerability reported in [RUSTSEC-2024-0421][].
+
+[RUSTSEC-2024-0421]: https://rustsec.org/advisories/RUSTSEC-2024-0421
+
+The vulnerability allows an attacker to craft a domain name that older versions
+of idna interpret as identical to a legitimate domain name, but that is in fact
+a different name. We do not expect that this impacts the MongoDB connector since
+it uses the affected library exclusively to connect to MongoDB databases, and
+database URLs are supplied by trusted administrators. But better to be safe than
+sorry.
+
 ## [1.5.0] - 2024-12-05
 
 ### Added

crates/integration-tests/src/tests/filtering.rs

@@ -66,26 +66,6 @@ async fn filters_by_comparisons_on_elements_of_array_field() -> anyhow::Result<(
     Ok(())
 }
 
-// This doesn't seem to work anymore in the latest engine version
-// #[tokio::test]
-// async fn filters_by_comparisons_on_elements_of_array_of_scalars() -> anyhow::Result<()> {
-//     assert_yaml_snapshot!(
-//         graphql_query(
-//             r#"
-//             query MyQuery {
-//               movies(where: { cast: { _eq: "Albert Austin" } }) {
-//                 title
-//                 cast
-//               }
-//             }
-//             "#
-//         )
-//         .run()
-//         .await?
-//     );
-//     Ok(())
-// }
-
 #[tokio::test]
 async fn filters_by_comparisons_on_elements_of_array_of_scalars_against_variable(
 ) -> anyhow::Result<()> {

docs/development.md

@@ -305,7 +305,7 @@ It's important to keep the GraphQL Engine version updated to make sure that the
 connector is working with the latest engine version. To update run,
 
 ```sh
-$ nix flake lock --update-input graphql-engine-source
+$ nix flake update graphql-engine-source
 ```
 
 Then commit the changes to `flake.lock` to version control.
@@ -332,7 +332,7 @@ any order):
 To update `rust-overlay` run,
 
 ```sh
-$ nix flake lock --update-input rust-overlay
+$ nix flake update rust-overlay
 ```
 
 If you are using direnv to automatically apply the nix dev environment note that

fixtures/hasura/app/connector/chinook/.hasura-connector/connector-metadata.yaml

@@ -1,14 +1,14 @@
 packagingDefinition:
   type: PrebuiltDockerImage
-  dockerImage: ghcr.io/hasura/ndc-mongodb:v1.4.0
+  dockerImage: ghcr.io/hasura/ndc-mongodb:v1.5.0
 supportedEnvironmentVariables:
   - name: MONGODB_DATABASE_URI
     description: The URI for the MongoDB database
 commands:
   update: hasura-ndc-mongodb update
 cliPlugin:
   name: ndc-mongodb
-  version: v1.4.0
+  version: v1.5.0
 dockerComposeWatch:
   - path: ./
     target: /etc/connector

fixtures/hasura/app/connector/chinook/connector.yaml

@@ -3,7 +3,7 @@ version: v2
 definition:
   name: chinook
   subgraph: app
-  source: hasura/mongodb:v1.4.0
+  source: hasura/mongodb:v1.5.0
   context: .
   envMapping:
     MONGODB_DATABASE_URI:

fixtures/hasura/app/connector/sample_mflix/.hasura-connector/connector-metadata.yaml

@@ -1,14 +1,14 @@
 packagingDefinition:
   type: PrebuiltDockerImage
-  dockerImage: ghcr.io/hasura/ndc-mongodb:v1.4.0
+  dockerImage: ghcr.io/hasura/ndc-mongodb:v1.5.0
 supportedEnvironmentVariables:
   - name: MONGODB_DATABASE_URI
     description: The URI for the MongoDB database
 commands:
   update: hasura-ndc-mongodb update
 cliPlugin:
   name: ndc-mongodb
-  version: v1.4.0
+  version: v1.5.0
 dockerComposeWatch:
   - path: ./
     target: /etc/connector

fixtures/hasura/app/connector/sample_mflix/connector.yaml

@@ -3,7 +3,7 @@ version: v2
 definition:
   name: sample_mflix
   subgraph: app
-  source: hasura/mongodb:v1.4.0
+  source: hasura/mongodb:v1.5.0
   context: .
   envMapping:
     MONGODB_DATABASE_URI:

fixtures/hasura/app/connector/test_cases/.hasura-connector/connector-metadata.yaml

@@ -1,14 +1,14 @@
 packagingDefinition:
   type: PrebuiltDockerImage
-  dockerImage: ghcr.io/hasura/ndc-mongodb:v1.4.0
+  dockerImage: ghcr.io/hasura/ndc-mongodb:v1.5.0
 supportedEnvironmentVariables:
   - name: MONGODB_DATABASE_URI
     description: The URI for the MongoDB database
 commands:
   update: hasura-ndc-mongodb update
 cliPlugin:
   name: ndc-mongodb
-  version: v1.4.0
+  version: v1.5.0
 dockerComposeWatch:
   - path: ./
     target: /etc/connector

fixtures/hasura/app/connector/test_cases/connector.yaml

@@ -3,7 +3,7 @@ version: v2
 definition:
   name: test_cases
   subgraph: app
-  source: hasura/mongodb:v1.4.0
+  source: hasura/mongodb:v1.5.0
   context: .
   envMapping:
     MONGODB_DATABASE_URI:

flake.nix

@@ -43,7 +43,7 @@
     # If source changes aren't picked up automatically try:
     #
     # - committing changes to the local engine repo
-    # - running `nix flake lock --update-input graphql-engine-source` in this repo
+    # - running `nix flake update graphql-engine-source` in this repo
     # - arion up -d engine
     #
     graphql-engine-source = {