This repo was archived on 2023-05-26 by the Apollo Security team.
This is a fork of graphql/graphql-playground. Please see the upstream repository for issues and new versions.
NOTE: This is a fork of `graphql-playground` which is meant to be used by Apollo Server. It is not intended to be used directly. Those looking to use GraphQL Playground directly can refer to the upstream repository for usage instructions.
SECURITY WARNING: The upstream `graphql-playground` repository had a severe reflected XSS vulnerability caused by unsanitized user input, which was fixed in `graphql-playground-html@1.6.20` (note that this is a different version than the one we publish from this fork as `@apollographql/graphql-playground-html`). On the `@apollographql/graphql-playground-html` fork, versions prior to 1.6.25 were theoretically vulnerable if users were using those packages directly. However, the way this package was used by Apollo Server (to provide a default GraphQL Playground experience) did not allow users to be dynamically exposed to the attack in the same way that the package's own usage instructions may have encouraged. For Apollo Server users to have been affected, they would have had to instrument the package as a separate middleware or explicitly put vulnerable code into the static configuration of the `playground` property on the `ApolloServer` constructor. Apollo Server does not provide any ability to do per-request playground configuration. Still, we have fixed this in `@apollographql/graphql-playground-html` version `1.6.25`. More details are available at the upstream repository.
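To check whether a project still resolves a release older than the fixed versions named above, the following added example (not part of this repository's code) scans the `packages` map of an npm lockfile. The lockfileVersion 2/3 layout, the helper names and the sample lockfile are assumptions constructed for illustration.

```javascript
// Fixed releases as stated in the security warning.
const FIXED = {
  'graphql-playground-html': '1.6.20',                // upstream fix
  '@apollographql/graphql-playground-html': '1.6.25', // this fork's fix
};

// Split "x.y.z[-prerelease]" into numeric parts plus a pre-release flag.
function parse(v) {
  const [core, pre] = v.split('-', 2);
  return { nums: core.split('.').map(Number), pre: pre !== undefined };
}

// True when `version` sorts before `fixed`. A pre-release of the fixed
// x.y.z counts as older, so it is reported rather than silently passed.
function isOlder(version, fixed) {
  const a = parse(version), b = parse(fixed);
  for (let i = 0; i < 3; i++) {
    const d = (a.nums[i] || 0) - (b.nums[i] || 0);
    if (d !== 0) return d < 0;
  }
  return a.pre;
}

// Walk every installed copy, including nested node_modules directories.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop(); // last package in the path
    const fixed = FIXED[name];
    if (fixed && meta.version && isOlder(meta.version, fixed)) {
      hits.push({ path, name, version: meta.version, fixed });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/@apollographql/graphql-playground-html': { version: '1.6.24' },
    'node_modules/graphql-playground-html': { version: '1.6.20' },
    'node_modules/some-dep/node_modules/graphql-playground-html': { version: '1.6.12' },
  },
};

for (const h of findVulnerable(sampleLock)) {
  console.log(`${h.path}: ${h.version} is older than fixed ${h.fixed}`);
}
```

Nested copies matter here because a transitive dependency can pin an old release even when the top-level install is current.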
Future of this repository: This fork aims to be deprecated, eventually. For the upstream fork, see their announcement issue for details.
Note: You can omit the HTML or React package instructions below if you don't intend to publish a package.
```sh
# Install it all.
yarn

# Build it all
# Technically the release does the build too, but I enjoy the pre-flight test.
yarn run build

# Release the @apollographql/graphql-playground-react package.
./scripts/release-react.sh

# Release the @apollographql/graphql-playground-html package.
./scripts/release-html.sh

# Add the package files that were version bumped.
# You'll find that these were altered by the release scripts.
git add ./packages/graphql-playground-react/package.json
git add ./packages/graphql-playground-html/package.json

# It's nice to use the version numbers in the commit summary!
git commit -m 'Released' # e.g. 'Released -react@vX.Y.Z and -html@vA.B.C'.

# Assuming your Git remote "origin" is https://github.com/apollographql/graphql-playground/
git push origin apollo
```