Update CHANGELOG.md for subscription validation rules to Security Advisory.

abernix · abernix · commit 354d9910e1c8 · 2020-06-04T16:44:44.000Z
Rather than repeating, in different words, what is in the GitHub
Security advisory, this just provides a link to the advisory with a summary.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,21 +5,11 @@ The version headers in this history reflect the versions of Apollo Server itself
 - [__CHANGELOG for `@apollo/gateway`__](https://github.com/apollographql/apollo-server/blob/master/packages/apollo-gateway/CHANGELOG.md)
 - [__CHANGELOG for `@apollo/federation`__](https://github.com/apollographql/apollo-server/blob/master/packages/apollo-federation/CHANGELOG.md)
 
-### vNEXT
+### v2.14.2
 
-> The changes noted within this `vNEXT` section have not been released yet.  New PRs and commits which introduce changes should include an entry in this `vNEXT` section as part of their development.  When a release is being prepared, a new header will be (manually) created below and the appropriate changes within that release will be moved into the new section.
+> **Note:** This release is is related to a GitHub Security Advisory published by the Apollo Server team.  Please read the attached advisory to understand the impact.
 
-- **SECURITY:** If subscriptions were disabled with `subscriptions: false`, there is not a possible security risk.  When subscriptions are enabled (**the default, when `subscriptions: false` is not explicitly set, regardless of whether there is a `Subscription` type in the schema**), ALL `validationRules` (including those that prevent introspection) will now passed be through to the underlying `SubscriptionServer` which is implemented by the [`subscriptions-transport-ws` ](https://github.com/apollographql/subscriptions-transport-ws) package.  The previous behavior of not passing `validationRules` was a bug.
-
-  This change means two things, the second of which affects most use cases:
-
-  - User-provided validation rules (those provided by implementors to the `validationRules` option during `ApolloServer` construction) will now be passed to and enforced by the subscriptions server.
-
-  - Internal validation rules, like the [`NoIntrospection`](https://github.com/apollographql/apollo-server/blob/7d6f23443/packages/apollo-server-core/src/ApolloServer.ts#L77-L88) validation rule, will also be passed to - and enforced by - the subscriptions server.
-
-    > The `NoIntrospection` validation rule is used by Apollo Server to disable introspection when `introspection: true` is set explicitly, or when it is disabled implicitly when the `NODE_ENV` environment variable is set to `production`.  (The former, automatic disabling of introspection in production can be disabled by explicitly setting `introspection: true`.  If this is set on a server, then there is no change in behavior by this commit.)
-
-  **To be clear, if subscriptions were disabled with `subscriptions: false`, the server is unaffected.  In all other cases, introspection was unexpectedly enabled on the WebSocket endpoint provided by `SubscriptionServer` when it was meant to be disabled, either with `introspection: false` or when deployed to production.  The risk is largely dependent on the data exposed in the schema itself.**
+- ⚠️ **SECURITY:** Pass all schema validation rules to the subscription server, including validation rules that restrict introspection when introspection is meant to be disabled. **[Read the full GitHub Security Advisory for details](https://github.com/apollographql/apollo-server/security/advisories/GHSA-w42g-7vfc-xf37)**.
 
 ### v2.14.1
 
