@apollo/[email protected]

Patch Changes

• #8064 41f98d4 Thanks @glasser! - Update README.md to recommend Express v5 integration now that Express v5 is released.

@apollo/[email protected]

Patch Changes

• Updated dependencies [41f98d4]:
  • @apollo/[email protected]

@apollo/[email protected]

Minor Changes

• #8054 89e3f84 Thanks @clenfest! - Adds a new graphql-js validation rule to reject operations that recursively request selections above a specified maximum, which is disabled by default. Use configuration option maxRecursiveSelections=true to enable with a maximum of 10,000,000, or maxRecursiveSelections=<number> for a custom maximum. Enabling this validation can help avoid performance issues with configured validation rules or plugins.

Patch Changes

• #8031 2550d9f Thanks @slagiewka! - Add return after sending 400 response in doubly escaped JSON parser middleware

@apollo/[email protected]

Patch Changes

• Updated dependencies [89e3f84, 2550d9f]:
  • @apollo/[email protected]

@apollo/[email protected]

Patch Changes

• #8010 f4228e8 Thanks @glasser! - Compatibility with Next.js Turbopack. Fixes #8004.

@apollo/[email protected]

Patch Changes

• #8010 f4228e8 Thanks @glasser! - Compatibility with Next.js Turbopack. Fixes #8004.

@apollo/[email protected]

Patch Changes

• #8010 f4228e8 Thanks @glasser! - Compatibility with Next.js Turbopack. Fixes #8004.

• Updated dependencies [f4228e8, 70eecce]:

  • @apollo/[email protected]

@apollo/[email protected]

(No change; there is a change to the @apollo/server-integration-testsuite used to test integrations, and the two packages always have matching versions.)

@apollo/[email protected]

Patch Changes

• #7952 bb81b2c Thanks @glasser! - Upgrade dependencies so that automated scans don't detect a vulnerability.

  @apollo/server depends on express which depends on cookie. Versions of express older than v4.21.1 depend on a version of cookie vulnerable to CVE-2024-47764. Users of older express versions who call res.cookie() or res.clearCookie() may be vulnerable to this issue.

  However, Apollo Server does not call this function directly, and it does not expose any object to user code that allows TypeScript users to call this function without an unsafe cast.

  The only way that this direct dependency can cause a vulnerability for users of Apollo Server is if you call startStandaloneServer with a context function that calls Express-specific methods such as res.cookie() or res.clearCookies() on the response object, which is a violation of the TypeScript types provided by startStandaloneServer (which only promise that the response object is a core Node.js http.ServerResponse rather than the Express-specific subclass). So this vulnerability can only affect Apollo Server users who use unsafe JavaScript or unsafe as typecasts in TypeScript.

  However, this upgrade will at least prevent vulnerability scanners from alerting you to this dependency, and we encourage all Express users to upgrade their project's own express dependency to v4.21.1 or newer.

@apollo/[email protected]

Patch Changes

• #7879 b0fb33b Thanks @renovate! - Update graphql-http dependency

• #7968 68977e2 Thanks @glasser! - Upgrade supertest and superagent dependencies

• Updated dependencies []:

  • @apollo/[email protected]