# graphql-playground-middleware-express

> Express middleware to expose an endpoint for the GraphQL Playground IDE
> **SECURITY NOTE**: All versions of `graphql-playground-express` before `1.7.16` have a security vulnerability when unsanitized user input is used while invoking `expressPlayground()`. [Read more below](#security-notes)

## Installation

Using yarn:

```console
yarn add graphql-playground-middleware-express
```

Or npm:

```console
npm install graphql-playground-middleware-express --save
```

## Usage

See full example in [examples/basic](https://github.com/prisma/graphql-playground/tree/main/packages/graphql-playground-middleware-express/examples/basic).

```js
const express = require('express')
const expressPlayground = require('graphql-playground-middleware-express')
  .default

const app = express()

app.get('/playground', expressPlayground({ endpoint: '/graphql' }))
```

## Security Notes

All versions before `1.7.16` were vulnerable when user-defined input was passed to `expressPlayground()`. Read more in [the security notes](https://github.com/prisma/graphql-playground/tree/main/SECURITY.md).

### Security Upgrade Steps

To fix the issue, you can upgrade to `1.6.12` or later. If you aren't able to upgrade, see the security notes for a workaround.

**yarn:**
`yarn add graphql-playground-middleware-express@^1.7.16`

**npm:**
`npm install --save graphql-playground-middleware-express@^1.7.16`
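
As a complement to upgrading, the sketch below keeps request data out of the `expressPlayground()` options by mapping it onto server-defined constants. It is an added example, not code from this project or its security notes; `ALLOWED_ENDPOINTS`, `playgroundOptionsFor` and the `api` query parameter are hypothetical names, and the sample inputs are constructed.

```js
// Assumption: the deployment exposes a small, fixed set of GraphQL endpoints.
// A Map is used so keys such as "__proto__" cannot resolve to inherited values.
const ALLOWED_ENDPOINTS = new Map([
  ['public', '/graphql'],
  ['admin', '/admin/graphql'],
])
const DEFAULT_ENDPOINT_KEY = 'public'

// Hypothetical helper: turns an untrusted query object (e.g. req.query)
// into an options object built only from server-side constants.
function playgroundOptionsFor(query) {
  const raw = query ? query.api : undefined
  // Express can parse repeated or bracketed parameters into arrays or
  // objects, so anything that is not a plain string is rejected.
  const key =
    typeof raw === 'string' && ALLOWED_ENDPOINTS.has(raw)
      ? raw
      : DEFAULT_ENDPOINT_KEY
  // Nothing from `query` is copied into the result; the caller's value
  // only selects which constant is used.
  return Object.freeze({ endpoint: ALLOWED_ENDPOINTS.get(key) })
}

// Constructed sample inputs showing what reaches expressPlayground().
const samples = [
  { api: 'admin' },
  { api: 'https://untrusted.example/graphql' },
  { api: ['admin'] },
  { api: 'public', endpoint: '/from-request', settings: { x: 1 } },
]
for (const q of samples) {
  console.log(JSON.stringify(q), '->', JSON.stringify(playgroundOptionsFor(q)))
}

// Wiring, shown as a comment because it needs express and the middleware:
//   app.get('/playground', (req, res, next) =>
//     expressPlayground(playgroundOptionsFor(req.query))(req, res, next))
```

When the Playground only ever targets one endpoint, the static call shown under Usage already avoids the problem, because no request data is involved at all.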