| 1 | # graphql-playground-middleware-express
|
| 2 |
|
| 3 | > Express middleware to expose an endpoint for the GraphQL Playground IDE
|
| 4 | > **SECURITY NOTE**: All versions of `graphql-playground-express` until `1.7.16` or later have a security vulnerability when unsanitized user input is used while invoking `expressPlayground()`. [Read more below](#security-notes)
|
| 5 |
|
| 6 | ## Installation
|
| 7 |
|
| 8 | Using yarn:
|
| 9 |
|
| 10 | ```console
|
| 11 | yarn add graphql-playground-middleware-express
|
| 12 | ```
|
| 13 |
|
| 14 | Or npm:
|
| 15 |
|
| 16 | ```console
|
| 17 | npm install graphql-playground-middleware-express --save
|
| 18 | ```
|
| 19 |
|
| 20 | ## Usage
|
| 21 |
|
| 22 | See full example in [examples/basic](https://github.com/prisma/graphql-playground/tree/main/packages/graphql-playground-middleware-express/examples/basic).
|
| 23 |
|
| 24 | ```js
|
| 25 | const express = require('express')
|
| 26 | const expressPlayground = require('graphql-playground-middleware-express')
|
| 27 | .default
|
| 28 |
|
| 29 | const app = express()
|
| 30 |
|
| 31 | app.get('/playground', expressPlayground({ endpoint: '/graphql' }))
|
| 32 | ```
|
| 33 |
|
| 34 | ## Security Notes
|
| 35 |
|
| 36 | All versions before `1.7.16` were vulnerable to user-defined input to `expressPlayground()`. Read more in [the security notes](https://github.com/prisma/graphql-playground/tree/main/SECURITY.md)
|
| 37 |
|
| 38 | ### Security Upgrade Steps
|
| 39 |
|
| 40 | To fix the issue, you can upgrade to `1.6.12` or later. If you aren't able to upgrade, see the security notes for a workaround.
|
| 41 |
|
| 42 | **yarn:**
|
| 43 | `yarn add graphql-playground-express@^1.7.16`
|
| 44 |
|
| 45 | **npm:**
|
| 46 | `npm install --save graphql-playground-express@^1.7.16`
|