refactor: Bump @apollo/server and parse-server

[dependabot]

Bumps @apollo/server to 5.5.0 and updates ancestor dependency parse-server. These dependencies need to be updated together.

Updates @apollo/server from 5.4.0 to 5.5.0

Release notes

Sourced from @​apollo/server's releases.

@​apollo/server-integration-testsuite@​5.5.0

Minor Changes

• #8191 ada1200 - ⚠️ SECURITY @apollo/server/standalone:

  Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

  (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

  This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

  If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

  This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

  See advisory GHSA-9q82-xgwf-vj6h for more details.

Patch Changes

• Updated dependencies [ada1200]:
  • @​apollo/server@​5.5.0

@​apollo/server@​5.5.0

Minor Changes

• #8191 ada1200 Thanks @​glasser! - ⚠️ SECURITY @apollo/server/standalone:

  Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

  (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

  This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

  If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

  This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

  See advisory GHSA-9q82-xgwf-vj6h for more details.

Changelog

Sourced from @​apollo/server's changelog.

5.5.0

Minor Changes

• #8191 ada1200 Thanks @​glasser! - ⚠️ SECURITY @apollo/server/standalone:

  Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

  (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

  This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

  If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

  This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

  See advisory GHSA-9q82-xgwf-vj6h for more details.

Commits

• 64c0e1b Version Packages (#8192)
• ada1200 Reject GET requests with a Content-Type other than application/json (#8191)
• See full diff in compare view

Updates parse-server from 9.6.1 to 9.7.0

Release notes

Sourced from parse-server's releases.

9.7.0

9.7.0 (2026-03-30)

Bug Fixes

• Auth data exposed via verify password endpoint (GHSA-wp76-gg32-8258) (#10323) (770be86)
• Batch login sub-request rate limit uses IP-based keying (#10349) (63c37c4)
• Cloud Code trigger context vulnerable to prototype pollution (#10352) (d5f5128)
• Cloud function validator bypass via prototype chain traversal (GHSA-vpj2-qq7w-5qq6) (#10342) (dc59e27)
• Duplicate session destruction can cause unhandled promise rejection (#10319) (92791c1)
• GraphQL API endpoint ignores CORS origin restriction (GHSA-q3p6-g7c4-829c) (#10334) (4dd0d3d)
• GraphQL complexity validator exponential fragment traversal DoS (GHSA-mfj6-6p54-m98c) (#10344) (f759bda)
• LiveQuery protected field leak via shared mutable state across concurrent subscribers (GHSA-m983-v2ff-wq65) (#10330) (776c71c)
• LiveQuery protected-field guard bypass via array-like logical operator value (GHSA-mmg8-87c5-jrc2) (#10350) (f63fd1a)
• Maintenance key blocked from querying protected fields (#10290) (7c8b213)
• MFA single-use token bypass via concurrent authData login requests (GHSA-w73w-g5xw-rwhf) (#10326) (e7efbeb)
• Missing error messages in Parse errors (#10304) (f128048)
• Postgres query on non-existent column throws internal server error (#10308) (c5c4325)
• Session field immutability bypass via falsy-value guard (GHSA-f6j3-w9v3-cq22) (#10347) (9080296)

Features

• Add protectedFieldsSaveResponseExempt option to strip protected fields from save responses (#10289) (4f7cb53)
• Add protectedFieldsTriggerExempt option to exempt Cloud Code triggers from protectedFields (#10288) (1610f98)
• Add support for partialFilterExpression in MongoDB storage adapter (#10346) (8dd7bf2)
• Extend storage adapter interface to optionally return matchedCount and modifiedCount from DatabaseController.update with many: true (#10353) (aea7596)

9.7.0-alpha.18

9.7.0-alpha.18 (2026-03-30)

Features

• Extend storage adapter interface to optionally return matchedCount and modifiedCount from DatabaseController.update with many: true (#10353) (aea7596)

9.7.0-alpha.17

9.7.0-alpha.17 (2026-03-29)

Bug Fixes

• Cloud Code trigger context vulnerable to prototype pollution (#10352) (d5f5128)

9.7.0-alpha.16

9.7.0-alpha.16 (2026-03-29)

Bug Fixes

... (truncated)

Commits

• 84ca533 chore(release): 9.7.0 [skip ci]
• 6d0bd1e build: Release (#10354)
• d01675b empty commit to trigger CI
• 99fc339 chore(release): 9.7.0-alpha.18 [skip ci]
• aea7596 feat: Extend storage adapter interface to optionally return matchedCount an...
• 6183d4b chore(release): 9.7.0-alpha.17 [skip ci]
• d5f5128 fix: Cloud Code trigger context vulnerable to prototype pollution (#10352)
• e573cfa chore(release): 9.7.0-alpha.16 [skip ci]
• f63fd1a fix: LiveQuery protected-field guard bypass via array-like logical operator v...
• f897d83 chore(release): 9.7.0-alpha.15 [skip ci]
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.