chore(deps): update apollo graphql packages to v5

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@apollo/server-integration-testsuite (source)	4.11.3 → 5.5.1

---

Release Notes

apollographql/apollo-server (@​apollo/server-integration-testsuite)

v5.5.1

Compare Source

Patch Changes

• Updated dependencies [3f46c51]:
  • @​apollo/server@​5.5.1

v5.5.0

Compare Source

Minor Changes

• #​8191 ada1200 - ⚠️ SECURITY @apollo/server/standalone:

  Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

  (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

  This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

  If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

  This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

  See advisory GHSA-9q82-xgwf-vj6h for more details.

Patch Changes

• Updated dependencies [ada1200]:
  • @​apollo/server@​5.5.0

v5.4.0

Compare Source

Patch Changes

• Updated dependencies [d25a5bd]:
  • @​apollo/server@​5.4.0

v5.3.0

Compare Source

Patch Changes

• Updated dependencies [8e54e58, 26320bc]:
  • @​apollo/server@​5.3.0

v5.2.0

Compare Source

Patch Changes

• Updated dependencies [51acbeb]:
  • @​apollo/server@​5.2.0

v5.1.0

Compare Source

Patch Changes

• Updated dependencies [80a1a1a]:
  • @​apollo/server@​5.1.0

v5.0.0

Compare Source

Major Changes

• Drop support for Node.JS v14, v16, and v20.

• The integration test suite no longer uses lib: ["dom"] to tell TypeScript to assume DOM-related symbols are in the global namespace. If your integration library's test suite relied on this behavior, you may need to add lib: ["dom"] to the compilerOptions section of your test suite's tsconfig.json.

Patch Changes

• #​8078 dabe7ba Thanks @​renovate! - Support Jest v30 as well as Jest v29.

• Updated dependencies [5b26558, 100233a, 100233a, 100233a, 100233a]:

  • @​apollo/server@​5.0.0

v4.13.0

Compare Source

Patch Changes

• Updated dependencies [e9d49d1]:
  • @​apollo/server@​4.13.0

v4.12.2

Compare Source

Patch Changes

• #​8070 0dee3c9 Thanks @​glasser! - Provide dual-build CJS and ESM for @apollo/server-integration-testsuite.

  We previously provided only a CJS build of this package, unlike @apollo/server
  itself and the other helper packages that come with it. We may make all of
  Apollo Server ESM-only in AS5; this is a step in that direction. Specifically,
  only providing this package for CJS makes it challenging to run the tests in
  ts-jest in some ESM-only setups, because the copy of @apollo/server fetched
  directly in your ESM-based test may differ from the copy fetched indirectly via
  @apollo/server-integration-testsuite, causing the "lockstep versioning" test
  to fail.

• Updated dependencies:

  • @​apollo/server@​4.12.2

v4.12.1

Compare Source

Patch Changes

• Updated dependencies [41f98d4]:
  • @​apollo/server@​4.12.1

v4.12.0

Compare Source

Patch Changes

• Updated dependencies [89e3f84, 2550d9f]:
  • @​apollo/server@​4.12.0

---

Configuration

📅 Schedule: (in timezone America/Los_Angeles)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

npm error code ERESOLVE
npm error ERESOLVE unable to resolve dependency tree
npm error
npm error While resolving: @as-integrations/koa@1.1.1
npm error Found: graphql@16.10.0
npm error node_modules/graphql
npm error   dev graphql@"16.10.0" from the root project
npm error
npm error Could not resolve dependency:
npm error peer graphql@"^16.11.0" from @apollo/server-integration-testsuite@5.5.1
npm error node_modules/@apollo/server-integration-testsuite
npm error   dev @apollo/server-integration-testsuite@"5.5.1" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-06-11T18_01_46_370Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-06-11T18_01_46_370Z-debug-0.log