Version Packages (#7609)

This PR was opened by the [Changesets
release](https://github.com/changesets/action) GitHub action. When
you're ready to do a release, you can merge this and the packages will
be published to npm automatically. If you're not ready to do a release
yet, that's fine, whenever you add more changesets to main, this PR will
be updated.


# Releases
## @apollo/[email protected]

### Patch Changes

- [#7604](#7604)
[`aeb511c7d`](aeb511c)
Thanks [@renovate](https://github.com/apps/renovate)! - Update
`graphql-http` dependency

-
[`0adaf80d1`](0adaf80)
Thanks [@trevor-scheer](https://github.com/trevor-scheer)! - Address
Content Security Policy issues

The previous implementation of CSP nonces within the landing pages did
not take full advantage of the security benefit of using them. Nonces
should only be used once per request, whereas Apollo Server was
generating one nonce and reusing it for the lifetime of the instance.
The reuse of nonces degrades the security benefit of using them but does
not pose a security risk on its own. The CSP provides a defense-in-depth
measure against a _potential_ XSS, so in the absence of a _known_ XSS
vulnerability there is likely no risk to the user.

The mentioned fix also coincidentally addresses an issue with using
crypto functions on startup within Cloudflare Workers. Crypto functions
are now called during requests only, which resolves the error that
Cloudflare Workers were facing. A recent change introduced a
`precomputedNonce` configuration option to mitigate this issue, but it
was an incorrect approach given the nature of CSP nonces. This
configuration option is now deprecated and should not be used for any
reason since it suffers from the previously mentioned issue of reusing
nonces.

Additionally, this change adds other applicable CSPs for the scripts,
styles, images, manifest, and iframes that the landing pages load.

A final consequence of this change is an extension of the
`renderLandingPage` plugin hook. This hook can now return an object with
an `html` property which returns a `Promise<string>` in addition to a
`string` (which was the only option before).

- Updated dependencies
\[[`0adaf80d1`](0adaf80)]:
    -   @apollo/[email protected]

## @apollo/[email protected]

### Patch Changes

-
[`0adaf80d1`](0adaf80)
Thanks [@trevor-scheer](https://github.com/trevor-scheer)! - Address
Content Security Policy issues

The previous implementation of CSP nonces within the landing pages did
not take full advantage of the security benefit of using them. Nonces
should only be used once per request, whereas Apollo Server was
generating one nonce and reusing it for the lifetime of the instance.
The reuse of nonces degrades the security benefit of using them but does
not pose a security risk on its own. The CSP provides a defense-in-depth
measure against a _potential_ XSS, so in the absence of a _known_ XSS
vulnerability there is likely no risk to the user.

The mentioned fix also coincidentally addresses an issue with using
crypto functions on startup within Cloudflare Workers. Crypto functions
are now called during requests only, which resolves the error that
Cloudflare Workers were facing. A recent change introduced a
`precomputedNonce` configuration option to mitigate this issue, but it
was an incorrect approach given the nature of CSP nonces. This
configuration option is now deprecated and should not be used for any
reason since it suffers from the previously mentioned issue of reusing
nonces.

Additionally, this change adds other applicable CSPs for the scripts,
styles, images, manifest, and iframes that the landing pages load.

A final consequence of this change is an extension of the
`renderLandingPage` plugin hook. This hook can now return an object with
an `html` property which returns a `Promise<string>` in addition to a
`string` (which was the only option before).

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Author: github-actions[bot]

.changeset/afraid-vans-boil.md

@@ -1,5 +1,24 @@
 # @apollo/server-integration-testsuite
 
+## 4.7.4
+
+### Patch Changes
+
+- [#7604](https://github.com/apollographql/apollo-server/pull/7604) [`aeb511c7d`](https://github.com/apollographql/apollo-server/commit/aeb511c7d7b3b7260b33c7e392580bac6565e465) Thanks [@renovate](https://github.com/apps/renovate)! - Update `graphql-http` dependency
+
+- [`0adaf80d1`](https://github.com/apollographql/apollo-server/commit/0adaf80d1ee51d8c7e5fd863c04478536d15eb8c) Thanks [@trevor-scheer](https://github.com/trevor-scheer)! - Address Content Security Policy issues
+
+  The previous implementation of CSP nonces within the landing pages did not take full advantage of the security benefit of using them. Nonces should only be used once per request, whereas Apollo Server was generating one nonce and reusing it for the lifetime of the instance. The reuse of nonces degrades the security benefit of using them but does not pose a security risk on its own. The CSP provides a defense-in-depth measure against a _potential_ XSS, so in the absence of a _known_ XSS vulnerability there is likely no risk to the user.
+
+  The mentioned fix also coincidentally addresses an issue with using crypto functions on startup within Cloudflare Workers. Crypto functions are now called during requests only, which resolves the error that Cloudflare Workers were facing. A recent change introduced a `precomputedNonce` configuration option to mitigate this issue, but it was an incorrect approach given the nature of CSP nonces. This configuration option is now deprecated and should not be used for any reason since it suffers from the previously mentioned issue of reusing nonces.
+
+  Additionally, this change adds other applicable CSPs for the scripts, styles, images, manifest, and iframes that the landing pages load.
+
+  A final consequence of this change is an extension of the `renderLandingPage` plugin hook. This hook can now return an object with an `html` property which returns a `Promise<string>` in addition to a `string` (which was the only option before).
+
+- Updated dependencies [[`0adaf80d1`](https://github.com/apollographql/apollo-server/commit/0adaf80d1ee51d8c7e5fd863c04478536d15eb8c)]:
+  - @apollo/server@4.7.4
+
 ## 4.7.3
 
 ### Patch Changes

.changeset/pink-walls-train.md

@@ -1,6 +1,6 @@
 {
   "name": "@apollo/server-integration-testsuite",
-  "version": "4.7.3",
+  "version": "4.7.4",
   "description": "Test suite for Apollo Server integrations",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -28,7 +28,7 @@
   "dependencies": {
     "@apollo/cache-control-types": "^1.0.2",
     "@apollo/client": "^3.6.9",
-    "@apollo/server": "4.7.3",
+    "@apollo/server": "4.7.4",
     "@apollo/utils.keyvaluecache": "^2.1.0",
     "@apollo/utils.createhash": "^2.0.0",
     "@apollo/usage-reporting-protobuf": "^4.1.0",

package-lock.json

@@ -1,5 +1,19 @@
 # @apollo/server
 
+## 4.7.4
+
+### Patch Changes
+
+- [`0adaf80d1`](https://github.com/apollographql/apollo-server/commit/0adaf80d1ee51d8c7e5fd863c04478536d15eb8c) Thanks [@trevor-scheer](https://github.com/trevor-scheer)! - Address Content Security Policy issues
+
+  The previous implementation of CSP nonces within the landing pages did not take full advantage of the security benefit of using them. Nonces should only be used once per request, whereas Apollo Server was generating one nonce and reusing it for the lifetime of the instance. The reuse of nonces degrades the security benefit of using them but does not pose a security risk on its own. The CSP provides a defense-in-depth measure against a _potential_ XSS, so in the absence of a _known_ XSS vulnerability there is likely no risk to the user.
+
+  The mentioned fix also coincidentally addresses an issue with using crypto functions on startup within Cloudflare Workers. Crypto functions are now called during requests only, which resolves the error that Cloudflare Workers were facing. A recent change introduced a `precomputedNonce` configuration option to mitigate this issue, but it was an incorrect approach given the nature of CSP nonces. This configuration option is now deprecated and should not be used for any reason since it suffers from the previously mentioned issue of reusing nonces.
+
+  Additionally, this change adds other applicable CSPs for the scripts, styles, images, manifest, and iframes that the landing pages load.
+
+  A final consequence of this change is an extension of the `renderLandingPage` plugin hook. This hook can now return an object with an `html` property which returns a `Promise<string>` in addition to a `string` (which was the only option before).
+
 ## 4.7.3
 
 ### Patch Changes

packages/integration-testsuite/CHANGELOG.md

@@ -1,6 +1,6 @@
 {
   "name": "@apollo/server",
-  "version": "4.7.3",
+  "version": "4.7.4",
   "description": "Core engine for Apollo GraphQL server",
   "type": "module",
   "main": "dist/cjs/index.js",