
Add cache: "bounded" and persistedQueries: false to default Apollo Server config #7888

Merged: 2 commits from safe-apollo-server-defaults into main, Sep 6, 2022

Conversation

@emmatown (Member) commented Sep 6, 2022

This PR changes the default of cache in Apollo Server to "bounded" to ensure that an attacker cannot fill Apollo's automatic persisted queries cache to the point of memory exhaustion. This will be the default in a future version of Apollo Server: https://www.apollographql.com/docs/apollo-server/performance/cache-backends#ensuring-a-bounded-cache.

This also sets persistedQueries: false. While setting cache: "bounded" ensures that an attacker cannot exhaust a server's memory, an attacker could still constantly send a large number of different queries to fill up the cache, rendering automatic persisted queries pointless and actually degrading performance: trusted actors would have to frequently send a second request, since the server would have replaced the queries from trusted actors in the cache with malicious queries, and the client would have to send the actual query text in a second request. A safer and more predictable approach would be to persist queries at compile time from the actual applications the server is meant to serve, such as what Relay suggests.

If you're aware of the above caveats of persisted queries, you can re-enable persisted queries with config.graphql.apolloConfig.

vercel bot commented Sep 6, 2022

keystone-next-docs: ✅ Ready, preview updated Sep 6, 2022 at 7:58AM (UTC)

changeset-bot commented Sep 6, 2022

🦋 Changeset detected

Latest commit: 285a620

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 43 packages
Name Type
@keystone-6/core Major
@keystone-6/example-assets-local Patch
@keystone-6/example-assets-s3 Patch
@keystone-6/example-auth Patch
@keystone-6/example-app-basic Patch
@keystone-6/example-blog Patch
@keystone-6/example-custom-admin-ui-logo Patch
@keystone-6/example-custom-admin-ui-navigation Patch
@keystone-6/example-custom-admin-ui-pages Patch
@keystone-6/example-custom-field-view Patch
@keystone-6/example-custom-field Patch
@keystone-6/example-with-custom-session-validation Patch
@keystone-6/example-default-values Patch
@keystone-6/example-document-field Patch
@keystone-6/example-ecommerce Patch
@keystone-6/example-embedded-nextjs Patch
@keystone-6/example-extend-graphql-schema-graphql-ts Patch
@keystone-6/example-extend-graphql-schema-nexus Patch
@keystone-6/example-extend-graphql-schema Patch
@keystone-6/example-extend-graphql-subscriptions Patch
@keystone-6/example-feature-boilerplate Patch
@keystone-6/example-graphql-api-endpoint Patch
@keystone-6/example-graphql-ts-gql Patch
@keystone-6/example-json-field Patch
@keystone-6/example-rest-api Patch
@keystone-6/example-roles Patch
@keystone-6/example-task-manager Patch
@keystone-6/example-testing Patch
@keystone-6/example-virtual-field Patch
@keystone-6/example-with-auth Patch
@keystone-6/example-document-field-customisation-keystone-server Patch
@keystone-6/example-e2e-boilerplate-keystone-server Patch
@keystone-6/auth Major
@keystone-6/cloudinary Major
@keystone-6/fields-document Major
@keystone-6/session-store-redis Major
@keystone-6/benchmarks-legacy Patch
@keystone-6/test-projects-basic Patch
@keystone-6/test-projects-crud-notifications Patch
@keystone-6/test-projects-live-reloading Patch
@keystone-6/sandbox Patch
@keystone-6/generate-artifacts-for-projects Patch
@keystone-6/website Patch


codesandbox-ci bot commented Sep 6, 2022

This pull request is automatically built and testable in CodeSandbox.

Latest deployment of this branch, based on commit 285a620: sandbox @keystone-6/sandbox (source: Configuration)

@emmatown emmatown marked this pull request as ready for review September 6, 2022 07:07
@emmatown emmatown requested a review from a team September 6, 2022 07:07
@dcousens dcousens enabled auto-merge (squash) September 6, 2022 07:56
@vercel vercel bot temporarily deployed to Preview September 6, 2022 07:58 Inactive
@dcousens dcousens merged commit ed3d978 into main Sep 6, 2022
@dcousens dcousens deleted the safe-apollo-server-defaults branch September 6, 2022 08:03