
chore(deps): bump the apollo group across 1 directory with 2 updates #1397

Closed
dependabot[bot] wants to merge 1 commit into dev from dependabot/npm_and_yarn/dev/apollo-30ff67c94e


Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github May 11, 2026

Bumps the apollo group with 2 updates in the / directory: @apollo/client and @apollo/server.

Updates @apollo/client from 3.10.4 to 4.1.9

Release notes

Sourced from @​apollo/client's releases.

@​apollo/client@​4.1.9

Patch Changes

  • #13203 099954b Thanks @​copilot-swe-agent! - Remove the workspaces field from the published package.json in dist to avoid Yarn v1 warnings about workspaces requiring private packages.

@​apollo/client@​4.1.8

Patch Changes

@​apollo/client@​4.1.7

Patch Changes

@​apollo/client@​4.1.6

Patch Changes

  • #13128 6c0b8e4 Thanks @​pavelivanov! - Fix useQuery hydration mismatch when ssr: false and skip: true are used together

    When both options were combined, the server would return loading: false (because useSSRQuery checks skip first), but the client's getServerSnapshot was returning ssrDisabledResult with loading: true, causing a hydration mismatch.

@​apollo/client@​4.1.5

Patch Changes

@​apollo/client@​4.1.4

Patch Changes

  • #13124 578081f Thanks @​Re-cool! - Ensure PersistedQueryLink merges http and fetchOptions context values instead of overwriting them.

@​apollo/client@​4.1.3

Patch Changes

  • #13111 bf46fe0 Thanks @​RogerHYang! - Fix createFetchMultipartSubscription to support cancellation via AbortController

    Previously, calling dispose() or unsubscribe() on a subscription created by createFetchMultipartSubscription had no effect - the underlying fetch request would continue running until completion. This was because no AbortController was created or passed to fetch(), and no cleanup function was returned from the Observable.

@​apollo/client@​4.1.2

Patch Changes

  • #13105 8b62263 Thanks @​phryneas! - ssrMode, ssrForceFetchDelay or prioritizeCacheValues should not override fetchPolicy: 'cache-only', fetchPolicy: 'no-cache', fetchPolicy: 'standby', skip: true, or skipToken when reading the initial value of an ObservableQuery.

  • #13105 8b62263 Thanks @​phryneas! - Fix skipToken in useQuery with prerenderStatic and related SSR functions.

  • #13105 8b62263 Thanks @​phryneas! - Avoid fetches with fetchPolicy: no-cache in useQuery with prerenderStatic and related SSR functions.

... (truncated)

Changelog

Sourced from @​apollo/client's changelog.

4.1.9

Patch Changes

  • #13203 099954b Thanks @​copilot-swe-agent! - Remove the workspaces field from the published package.json in dist to avoid Yarn v1 warnings about workspaces requiring private packages.

4.1.8

Patch Changes

4.1.7

Patch Changes

4.1.6

Patch Changes

  • #13128 6c0b8e4 Thanks @​pavelivanov! - Fix useQuery hydration mismatch when ssr: false and skip: true are used together

    When both options were combined, the server would return loading: false (because useSSRQuery checks skip first), but the client's getServerSnapshot was returning ssrDisabledResult with loading: true, causing a hydration mismatch.

4.1.5

Patch Changes

4.1.4

Patch Changes

  • #13124 578081f Thanks @​Re-cool! - Ensure PersistedQueryLink merges http and fetchOptions context values instead of overwriting them.

4.1.3

Patch Changes

  • #13111 bf46fe0 Thanks @​RogerHYang! - Fix createFetchMultipartSubscription to support cancellation via AbortController

    Previously, calling dispose() or unsubscribe() on a subscription created by createFetchMultipartSubscription had no effect - the underlying fetch request would continue running until completion. This was because no AbortController was created or passed to fetch(), and no cleanup function was returned from the Observable.

4.1.2

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​apollo/client since your current version.


Updates @apollo/server from 4.13.0 to 5.5.1

Release notes

Sourced from @​apollo/server's releases.

@​apollo/server-integration-testsuite@​5.5.1

Patch Changes

  • Updated dependencies [3f46c51]:
    • @​apollo/server@​5.5.1

@​apollo/server@​5.5.1

Patch Changes

@​apollo/server-integration-testsuite@​5.5.0

Minor Changes

  • #8191 ada1200 - ⚠️ SECURITY @apollo/server/standalone:

    Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

    (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

    This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

    If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

    This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

    See advisory GHSA-9q82-xgwf-vj6h for more details.

Patch Changes

  • Updated dependencies [ada1200]:
    • @​apollo/server@​5.5.0

@​apollo/server@​5.5.0

Minor Changes

  • #8191 ada1200 Thanks @​glasser! - ⚠️ SECURITY @apollo/server/standalone:

    Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

    (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

    This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

    If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

    This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

    See advisory GHSA-9q82-xgwf-vj6h for more details.

... (truncated)

Changelog

Sourced from @​apollo/server's changelog.

5.5.1

Patch Changes

5.5.0

Minor Changes

  • #8191 ada1200 Thanks @​glasser! - ⚠️ SECURITY @apollo/server/standalone:

    Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

    (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

    This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

    If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

    This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

    See advisory GHSA-9q82-xgwf-vj6h for more details.

5.4.0

Minor Changes

  • d25a5bd Thanks @​phryneas! - ⚠️ SECURITY @apollo/server/standalone:

    The default configuration of startStandaloneServer was vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings.

    In accordance with RFC 7159, we now only accept request bodies encoded in UTF-8, UTF-16 (LE or BE), or UTF-32 (LE or BE). Any other character set will be rejected with a 415 Unsupported Media Type error. Note that the more recent JSON RFC, RFC 8259, is more strict and will only allow UTF-8. Since this is a minor release, we have chosen to remain compatible with the more permissive RFC 7159 for now. In a future major release, we may tighten this restriction further to only allow UTF-8.

    If you were not using startStandaloneServer, you were not affected by this vulnerability.

    Generally, please note that we provide startStandaloneServer as a convenience tool for quickly getting started with Apollo Server. For production deployments, we recommend using Apollo Server with a more fully-featured web server framework such as Express, Koa, or Fastify, where you have more control over security-related configuration options.

5.3.0

Minor Changes

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​apollo/server since your current version.
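As an added worked example (not Apollo Server's code and not part of this pull request), here is a small JavaScript model of the two request-gating rules quoted above from the @apollo/server 5.4.0 and 5.5.0 release notes: the charset restriction on request bodies, and the rule that a GET may only carry an application/json Content-Type while a bare GET must present a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header. The POST branch (treating the three CORS "simple" content types as unpreflighted) and the 400 status used for CSRF rejections follow Apollo's documented default csrfPrevention behaviour and are assumptions of the example, as are all function and sample names; header names are assumed lower-cased, as Node's http module delivers them.

```javascript
// Added example, not Apollo Server's code: a model of the request gate that the
// 5.4.0 and 5.5.0 release notes describe. Plain JavaScript, no dependencies.

// Headers whose non-empty presence proves a cross-origin browser request was
// preflighted (Apollo's documented csrfPrevention defaults).
const CSRF_HEADERS = ['x-apollo-operation-name', 'apollo-require-preflight'];
// CORS "simple" content types: browsers send these cross-origin with no preflight,
// so they prove nothing. (Assumed from Apollo's docs, not from the release notes.)
const SIMPLE_TYPES = new Set(['text/plain', 'multipart/form-data', 'application/x-www-form-urlencoded']);
// 5.4.0 rule: the only body encodings accepted (RFC 7159's set).
const ALLOWED_CHARSETS = new Set(['utf-8', 'utf-16', 'utf-16le', 'utf-16be', 'utf-32', 'utf-32le', 'utf-32be']);

// Parse "type/subtype; key=value; ..." into a lower-cased type and a params map.
function parseContentType(value) {
  const [rawType, ...rawParams] = value.split(';');
  const params = {};
  for (const p of rawParams) {
    const eq = p.indexOf('=');
    if (eq === -1) continue;
    const k = p.slice(0, eq).trim().toLowerCase();
    const v = p.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1').toLowerCase();
    params[k] = v;
  }
  return { type: rawType.trim().toLowerCase(), params };
}

// Decide whether a GraphQL HTTP request may proceed to body parsing.
// Returns { ok: true } or { ok: false, status, reason }.
function checkRequest({ method, headers }, { csrfPrevention = true } = {}) {
  const ct = headers['content-type'];
  const parsed = ct === undefined ? null : parseContentType(ct);
  const hasCsrfHeader = CSRF_HEADERS.some(
    (h) => typeof headers[h] === 'string' && headers[h].trim() !== '',
  );

  // 5.4.0 rule: refuse exotic charsets before any body is decoded.
  const charset = parsed ? parsed.params.charset : undefined;
  if (charset !== undefined && !ALLOWED_CHARSETS.has(charset)) {
    return { ok: false, status: 415, reason: `unsupported charset "${charset}"` };
  }

  if (method === 'GET') {
    // 5.5.0 rule: a Content-Type on GET must be application/json (parameters allowed).
    if (parsed && parsed.type !== 'application/json') {
      return { ok: false, status: 415, reason: `GET with Content-Type ${parsed.type}` };
    }
    // A GET with no Content-Type is a CORS simple request; with CSRF prevention on
    // it must carry a non-empty CSRF header. (400 is this example's assumed status.)
    if (csrfPrevention && !parsed && !hasCsrfHeader) {
      return { ok: false, status: 400, reason: 'potential CSRF: GET without preflight evidence' };
    }
    return { ok: true };
  }

  if (method === 'POST') {
    // Assumed default behaviour: a POST with no Content-Type, or a simple one,
    // needs a CSRF header; any other Content-Type forced a browser preflight.
    const simple = !parsed || SIMPLE_TYPES.has(parsed.type);
    if (csrfPrevention && simple && !hasCsrfHeader) {
      return { ok: false, status: 400, reason: 'potential CSRF: simple POST without preflight evidence' };
    }
    return { ok: true };
  }

  return { ok: false, status: 405, reason: `method ${method} not supported` };
}

// Constructed sample requests (not captured traffic), one per branch above.
const SAMPLES = {
  getJsonUtf8:    { method: 'GET',  headers: { 'content-type': 'application/json; charset=utf-8' } },
  getTextPlain:   { method: 'GET',  headers: { 'content-type': 'text/plain' } },
  getBare:        { method: 'GET',  headers: {} },
  getPreflighted: { method: 'GET',  headers: { 'apollo-require-preflight': 'true' } },
  postUtf7:       { method: 'POST', headers: { 'content-type': 'application/json; charset=utf-7' } },
  postForm:       { method: 'POST', headers: { 'content-type': 'application/x-www-form-urlencoded' } },
  postJson:       { method: 'POST', headers: { 'content-type': 'application/json' } },
};

// Run every sample through the gate and return the decisions keyed by name.
function runSamples() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLES)) out[name] = checkRequest(req);
  return out;
}

console.log(runSamples());
```

Run with `node`. The charset check runs before the method-specific rules so that a body is never decoded under an encoding the server does not understand; the GET rule is deliberately stricter than the CSRF check alone, which is the point of the 5.5.0 change for browsers whose CORS handling is not spec-compliant.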


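The @apollo/client 4.1.3 note above explains the root cause of the createFetchMultipartSubscription bug: no AbortController was created or handed to fetch(), and the Observable returned no cleanup, so unsubscribe() could not stop the request. As an added example (not Apollo Client's code and not part of this pull request), the JavaScript below shows the buggy and the fixed subscribe pattern side by side, driven against a constructed, signal-aware fake fetch so it runs offline. The names makeFakeFetch, leakySubscribe, cancellableSubscribe and compare are the example's own.

```javascript
// Added example, not Apollo Client's code: the cancellation pattern behind the
// 4.1.3 createFetchMultipartSubscription fix, shown before and after.

// Constructed fake fetch: records whether the caller passed an AbortSignal and
// returns a promise that settles only when that signal fires, which models a
// long-lived multipart stream.
function makeFakeFetch(log) {
  return function fakeFetch(url, init = {}) {
    const { signal } = init;
    log.push({ url, hadSignal: Boolean(signal) });
    return new Promise((resolve, reject) => {
      if (!signal) return;                       // never settles: runs "until completion"
      const fail = () => reject(signal.reason);
      if (signal.aborted) return fail();
      signal.addEventListener('abort', fail, { once: true });
    });
  };
}

// Before the fix: no controller, no signal given to fetch, and the returned
// unsubscribe() does nothing, so the request keeps running after unsubscribe.
function leakySubscribe(fetch, url, observer) {
  fetch(url).then((value) => observer.next(value), (err) => observer.error(err));
  return { unsubscribe() {}, get closed() { return false; } };
}

// After the fix: one AbortController per subscription, its signal handed to
// fetch, and unsubscribe() aborts it. An abort is reported as completion rather
// than as an error because the consumer asked for it.
function cancellableSubscribe(fetch, url, observer) {
  const controller = new AbortController();
  fetch(url, { signal: controller.signal }).then(
    (value) => observer.next(value),
    (err) => (controller.signal.aborted ? observer.complete() : observer.error(err)),
  );
  return {
    unsubscribe: () => controller.abort(),
    get closed() { return controller.signal.aborted; },
  };
}

// Drive both variants: subscribe, unsubscribe at once, and report what the
// transport saw. Returns plain data so the outcome can be asserted on.
function compare(url = 'https://example.invalid/graphql') {
  const log = [];
  const fetch = makeFakeFetch(log);
  const noop = { next() {}, error() {}, complete() {} };
  const leaky = leakySubscribe(fetch, url, noop);
  leaky.unsubscribe();
  const fixed = cancellableSubscribe(fetch, url, noop);
  fixed.unsubscribe();
  return {
    leaky: { signalPassed: log[0].hadSignal, closed: leaky.closed },
    fixed: { signalPassed: log[1].hadSignal, closed: fixed.closed },
  };
}

console.log(compare());
```

The leaky variant's request stays pending forever in this model, which is what an orphaned server connection per dropped subscription looks like in practice; the fixed variant's pending promise is rejected synchronously with the abort reason and the subscription reports itself closed.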
@dependabot dependabot Bot added the "dependencies" label (Pull requests that update a dependency file) on May 11, 2026
Bumps the apollo group with 2 updates in the / directory: [@apollo/client](https://github.com/apollographql/apollo-client) and [@apollo/server](https://github.com/apollographql/apollo-server/tree/HEAD/packages/server).


Updates `@apollo/client` from 3.10.4 to 4.1.9
- [Release notes](https://github.com/apollographql/apollo-client/releases)
- [Changelog](https://github.com/apollographql/apollo-client/blob/main/CHANGELOG.md)
- [Commits](https://github.com/apollographql/apollo-client/compare/v3.10.4...@apollo/client@4.1.9)

Updates `@apollo/server` from 4.13.0 to 5.5.1
- [Release notes](https://github.com/apollographql/apollo-server/releases)
- [Changelog](https://github.com/apollographql/apollo-server/blob/main/packages/server/CHANGELOG.md)
- [Commits](https://github.com/apollographql/apollo-server/commits/@apollo/server@5.5.1/packages/server)

---
updated-dependencies:
- dependency-name: "@apollo/client"
  dependency-version: 4.1.9
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: apollo
- dependency-name: "@apollo/server"
  dependency-version: 5.5.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: apollo
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title from "chore(deps): bump the apollo group with 2 updates" to "chore(deps): bump the apollo group across 1 directory with 2 updates" on May 11, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/dev/apollo-30ff67c94e branch from 9da8be0 to d736ce8 on May 11, 2026 12:42
@damsleth
Member

Closing as part of narrowing dependabot scope to github-actions only (see #1408). Application npm/docker bumps will be done intentionally on chore/deps-YYYY-MM branches; security patches still flow via GitHub's native Dependabot security updates.

@damsleth damsleth closed this May 11, 2026
@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github May 11, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/dev/apollo-30ff67c94e branch May 11, 2026 12:54