fix(deps): update apollo graphql packages#8540
Open
renovate[bot] wants to merge 1 commit intolatestfrom
Open
Conversation
renovate
Bot
force-pushed
the
renovate/apollo-graphql-packages
branch
from
aa512d0 to
77b2f4a
Compare
renovate
Bot
force-pushed
the
renovate/apollo-graphql-packages
branch
from
77b2f4a to
bedb969
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.1.6→4.1.95.4.0→5.5.0Release Notes
apollographql/apollo-client (@apollo/client)
v4.1.9Compare Source
Patch Changes
099954bThanks @copilot-swe-agent! - Remove theworkspacesfield from the publishedpackage.jsonindistto avoid Yarn v1 warnings about workspaces requiring private packages.v4.1.8Compare Source
Patch Changes
8a51ea6Thanks @phryneas! - Ship agent skill for usage with @tanstack/intent — the skill is now bundled in the npm package underskills/apollo-client/and discoverable byintent list.For more context, see the TanStack Intent QuickStart.
v4.1.7Compare Source
apollographql/apollo-server (@apollo/server)
v5.5.0Compare Source
Minor Changes
#8191⚠️ SECURITY
ada1200Thanks @glasser! -@apollo/server/standalone:Apollo Server now rejects GraphQL
GETrequests which contain aContent-Typeheader other thanapplication/json(with optional parameters such as; charset=utf-8). Any other value is now rejected with a 415 status code.(GraphQL
GETrequests without aContent-Typeheader are still allowed, though they do still need to contain a non-emptyX-Apollo-Operation-NameorApollo-Require-Preflightheader to be processed if the default CSRF prevention feature is enabled.)This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.
If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.
This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty
Content-Typeheaders withGETrequests with types other thanapplication/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.See advisory GHSA-9q82-xgwf-vj6h for more details.
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.