Skip to content

libms-npm: bump @apollo/server from 4.11.0 to 4.12.1 in /servers/lib #1247

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: dependabot-merge
Choose a base branch
from
Open

libms-npm: bump @apollo/server from 4.11.0 to 4.12.1 in /servers/lib #1247

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github May 18, 2025

Bumps @apollo/server from 4.11.0 to 4.12.1.

Release notes

Sourced from @​apollo/server's releases.

@​apollo/server-integration-testsuite@​4.12.1

Patch Changes

  • Updated dependencies [41f98d4]:
    • @​apollo/server@​4.12.1

@​apollo/server@​4.12.1

Patch Changes

  • #8064 41f98d4 Thanks @​glasser! - Update README.md to recommend Express v5 integration now that Express v5 is released.

@​apollo/server-integration-testsuite@​4.12.0

Patch Changes

@​apollo/server@​4.12.0

Minor Changes

  • #8054 89e3f84 Thanks @​clenfest! - Adds a new graphql-js validation rule to reject operations that recursively request selections above a specified maximum, which is disabled by default. Use configuration option maxRecursiveSelections=true to enable with a maximum of 10,000,000, or maxRecursiveSelections=<number> for a custom maximum. Enabling this validation can help avoid performance issues with configured validation rules or plugins.

Patch Changes

@​apollo/server-integration-testsuite@​4.11.3

Patch Changes

@​apollo/server@​4.11.3

Patch Changes

@​apollo/server-integration-testsuite@​4.11.2

Patch Changes

@​apollo/server@​4.11.2

... (truncated)

Changelog

Sourced from @​apollo/server's changelog.

4.12.1

Patch Changes

  • #8064 41f98d4 Thanks @​glasser! - Update README.md to recommend Express v5 integration now that Express v5 is released.

4.12.0

Minor Changes

  • #8054 89e3f84 Thanks @​clenfest! - Adds a new graphql-js validation rule to reject operations that recursively request selections above a specified maximum, which is disabled by default. Use configuration option maxRecursiveSelections=true to enable with a maximum of 10,000,000, or maxRecursiveSelections=<number> for a custom maximum. Enabling this validation can help avoid performance issues with configured validation rules or plugins.

Patch Changes

4.11.3

Patch Changes

4.11.2

(No change; there is a change to the @apollo/server-integration-testsuite used to test integrations, and the two packages always have matching versions.)

4.11.1

Patch Changes

  • #7952 bb81b2c Thanks @​glasser! - Upgrade dependencies so that automated scans don't detect a vulnerability.

    @apollo/server depends on express which depends on cookie. Versions of express older than v4.21.1 depend on a version of cookie vulnerable to CVE-2024-47764. Users of older express versions who call res.cookie() or res.clearCookie() may be vulnerable to this issue.

    However, Apollo Server does not call this function directly, and it does not expose any object to user code that allows TypeScript users to call this function without an unsafe cast.

    The only way that this direct dependency can cause a vulnerability for users of Apollo Server is if you call startStandaloneServer with a context function that calls Express-specific methods such as res.cookie() or res.clearCookies() on the response object, which is a violation of the TypeScript types provided by startStandaloneServer (which only promise that the response object is a core Node.js http.ServerResponse rather than the Express-specific subclass). So this vulnerability can only affect Apollo Server users who use unsafe JavaScript or unsafe as typecasts in TypeScript.

    However, this upgrade will at least prevent vulnerability scanners from alerting you to this dependency, and we encourage all Express users to upgrade their project's own express dependency to v4.21.1 or newer.

Commits
  • 079a973 Version Packages (#8065)
  • 41f98d4 docs: support Express v5, recommend new separate Express packages (#8064)
  • 047357a Switch from Volta to Mise for installing dependencies (#8058)
  • 8c6579e Version Packages (#8047)
  • 89e3f84 Add optional validation to reject operations with many recursive selections (...
  • 9dd92ee Merge pull request #8031 from slagiewka/migration_middleware_return
  • c25b78b Update @apollo-server README with 2025 Summit Dates (#8042)
  • b3712f7 docs(migration): return after sending 400
  • 4ae18e7 Version Packages (#8006)
  • f4228e8 Upgrade @apollo/utils.createhash (#8010)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
libms-npm: bump @apollo/server from 4.11.0 to 4.12.1 in /servers/lib
a24571c 
Bumps [@apollo/server](https://github.com/apollographql/apollo-server/tree/HEAD/packages/server) from 4.11.0 to 4.12.1.
- [Release notes](https://github.com/apollographql/apollo-server/releases)
- [Changelog](https://github.com/apollographql/apollo-server/blob/main/packages/server/CHANGELOG.md)
- [Commits](https://github.com/apollographql/apollo-server/commits/@apollo/server@4.12.1/packages/server)

---
updated-dependencies:
- dependency-name: "@apollo/server"
  dependency-version: 4.12.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot requested a review from prasadtalasila May 18, 2025 05:35
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github May 18, 2025

Assignees

The following users could not be added as assignees: octocat. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github May 18, 2025

The reviewers field in the dependabot.yml file will be removed soon. Please use the code owners file to specify reviewers for Dependabot PRs. For more information, see this blog post.

@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels May 18, 2025
@dependabot dependabot bot mentioned this pull request May 18, 2025
Closed
@codecov Codecov
Copy link

codecov bot commented May 18, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 2.95%. Comparing base (4e17864) to head (a24571c).

❗ There is a different number of reports uploaded between BASE (4e17864) and HEAD (a24571c). Click for more details.

HEAD has 4 uploads less than BASE
Flag BASE (4e17864) HEAD (a24571c)
client-unit-integration-tests 4 0
Additional details and impacted files 
@@                 Coverage Diff                  @@
##           dependabot-merge   #1247       +/-   ##
====================================================
- Coverage             86.47%   2.95%   -83.52%     
====================================================
  Files                   106      15       -91     
  Lines                  2669     169     -2500     
  Branches                409       9      -400     
====================================================
- Hits                   2308       5     -2303     
+ Misses                  358     164      -194     
+ Partials                  3       0        -3

see 91 files with indirect coverage changes

Components Coverage Δ
Website ∅ <ø> (∅)
Lib Microservice 2.95% <ø> (ø)
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@prasadtalasila prasadtalasila Awaiting requested review from prasadtalasila

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants