Skip to content

build(deps-dev): bump the graphql group across 1 directory with 2 updates#497

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/graphql-a9ffd70290
Open

build(deps-dev): bump the graphql group across 1 directory with 2 updates#497
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/graphql-a9ffd70290

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 2, 2026
edited
Loading

Bumps the graphql group with 2 updates in the / directory: @apollo/server and graphql.

Updates @apollo/server from 5.3.0 to 5.4.0

Release notes

Sourced from @​apollo/server's releases.

@​apollo/server-integration-testsuite@​5.4.0

Patch Changes

  • Updated dependencies [d25a5bd]:
    • @​apollo/server@​5.4.0

@​apollo/server@​5.4.0

Minor Changes

  • d25a5bd Thanks @​phryneas! - ⚠️ SECURITY @apollo/server/standalone:

    The default configuration of startStandaloneServer was vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings.

    In accordance with RFC 7159, we now only accept request bodies encoded in UTF-8, UTF-16 (LE or BE), or UTF-32 (LE or BE). Any other character set will be rejected with a 415 Unsupported Media Type error. Note that the more recent JSON RFC, RFC 8259, is more strict and will only allow UTF-8. Since this is a minor release, we have chosen to remain compatible with the more permissive RFC 7159 for now. In a future major release, we may tighten this restriction further to only allow UTF-8.

    If you were not using startStandaloneServer, you were not affected by this vulnerability.

    Generally, please note that we provide startStandaloneServer as a convenience tool for quickly getting started with Apollo Server. For production deployments, we recommend using Apollo Server with a more fully-featured web server framework such as Express, Koa, or Fastify, where you have more control over security-related configuration options.

Changelog

Sourced from @​apollo/server's changelog.

5.4.0

Minor Changes

  • d25a5bd Thanks @​phryneas! - ⚠️ SECURITY @apollo/server/standalone:

    The default configuration of startStandaloneServer was vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings.

    In accordance with RFC 7159, we now only accept request bodies encoded in UTF-8, UTF-16 (LE or BE), or UTF-32 (LE or BE). Any other character set will be rejected with a 415 Unsupported Media Type error. Note that the more recent JSON RFC, RFC 8259, is more strict and will only allow UTF-8. Since this is a minor release, we have chosen to remain compatible with the more permissive RFC 7159 for now. In a future major release, we may tighten this restriction further to only allow UTF-8.

    If you were not using startStandaloneServer, you were not affected by this vulnerability.

    Generally, please note that we provide startStandaloneServer as a convenience tool for quickly getting started with Apollo Server. For production deployments, we recommend using Apollo Server with a more fully-featured web server framework such as Express, Koa, or Fastify, where you have more control over security-related configuration options.

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​apollo/server since your current version.


Updates graphql from 16.12.0 to 16.13.0

Release notes

Sourced from graphql's releases.

16.13.0

v16.13.0 (2026-02-24)

New Feature 🚀

Bug Fix 🐞

  • #4336 add deprecated note to assertValidExecutionArguments (@​yaacovCR)
  • #4517 fix(validation): incorrect validation errors when variable descriptions are used (@​phryneas)

Internal 🏠

Committers: 4

Commits
  • 7569989 16.13.0
  • 49450d8 Revert "deprecate (internal) buildResolveInfo in favor of (internal) ResolveI...
  • 4149722 deprecate (internal) buildResolveInfo in favor of (internal) ResolveInfo clas...
  • 4c057eb add deprecated note to assertValidExecutionArguments (#4336)
  • 3f8f27a fix(validation): incorrect validation errors when variable descriptions are u...
  • b34a4cd update contributing (#4524)
  • abddd09 Sibling errors should not be added after propagation (#4458)
  • d26810b Alter contributing
  • 5f4602d 16.12.0
  • d239841 chore: always ignore scripts (#4514)
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 2, 2026
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/graphql-a9ffd70290 branch 2 times, most recently from e6d5221 to ff89380 Compare March 4, 2026 14:45
@dependabot
build(deps-dev): bump the graphql group across 1 directory with 2 upd…
cf41211 
…ates

Bumps the graphql group with 2 updates in the / directory: [@apollo/server](https://github.com/apollographql/apollo-server/tree/HEAD/packages/server) and [graphql](https://github.com/graphql/graphql-js).


Updates `@apollo/server` from 5.3.0 to 5.4.0
- [Release notes](https://github.com/apollographql/apollo-server/releases)
- [Changelog](https://github.com/apollographql/apollo-server/blob/main/packages/server/CHANGELOG.md)
- [Commits](https://github.com/apollographql/apollo-server/commits/@apollo/server@5.4.0/packages/server)

Updates `graphql` from 16.12.0 to 16.13.0
- [Release notes](https://github.com/graphql/graphql-js/releases)
- [Commits](graphql/graphql-js@v16.12.0...v16.13.0)

---
updated-dependencies:
- dependency-name: "@apollo/server"
  dependency-version: 5.4.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: graphql
- dependency-name: graphql
  dependency-version: 16.13.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: graphql
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/graphql-a9ffd70290 branch from ff89380 to cf41211 Compare March 4, 2026 14:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants