chore(deps): update all apollo server non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@apollo/server (source)	5.0.0 → 5.4.0
@graphql-tools/schema (source)	10.0.24 → 10.0.31
@graphql-tools/schema (source)	9.0.13 → 9.0.19
@types/cors (source)	2.8.13 → 2.8.19
@types/node (source)	20.19.8 → 20.19.32
@types/node (source)	18.6.3 → 18.19.130
@types/ws (source)	8.2.2 → 8.18.1
@types/ws (source)	8.5.5 → 8.18.1
apollo-server-express (source)	3.12.0 → 3.13.0
cors	2.8.5 → 2.8.6
express (source)	5.1.0 → 5.2.1
express (source)	4.18.2 → 4.22.1
graphql	16.11.0 → 16.12.0
graphql	15.8.0 → 15.10.1
graphql-ws (source)	5.5.5 → 5.16.2
graphql-ws (source)	5.14.0 → 5.16.2
typescript (source)	5.8.3 → 5.9.3
typescript (source)	4.7.4 → 4.9.5
ws	8.18.3 → 8.19.0
ws	8.4.2 → 8.19.0
ws	8.13.0 → 8.19.0

---

Release Notes

apollographql/apollo-server (@​apollo/server)

v5.4.0

Compare Source

Minor Changes

• d25a5bd Thanks @​phryneas! - ⚠️ SECURITY @apollo/server/standalone:

  The default configuration of startStandaloneServer was vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings.

  In accordance with RFC 7159, we now only accept request bodies encoded in UTF-8, UTF-16 (LE or BE), or UTF-32 (LE or BE).
  Any other character set will be rejected with a 415 Unsupported Media Type error.
  Note that the more recent JSON RFC, RFC 8259, is more strict and will only allow UTF-8.
  Since this is a minor release, we have chosen to remain compatible with the more permissive RFC 7159 for now.
  In a future major release, we may tighten this restriction further to only allow UTF-8.

  If you were not using startStandaloneServer, you were not affected by this vulnerability.

  Generally, please note that we provide startStandaloneServer as a convenience tool for quickly getting started with Apollo Server.
  For production deployments, we recommend using Apollo Server with a more fully-featured web server framework such as Express, Koa, or Fastify, where you have more control over security-related configuration options.

v5.3.0

Compare Source

Minor Changes

• #​8062 8e54e58 Thanks @​cristunaranjo! - Allow configuration of graphql execution options (maxCoercionErrors)

  const server = new ApolloServer({
    typeDefs,
    resolvers,
    executionOptions: {
      maxCoercionErrors: 50,
    },
  });

• #​8014 26320bc Thanks @​mo4islona! - Expose graphql validation options.

  const server = new ApolloServer({
    typeDefs,
    resolvers,
    validationOptions: {
      maxErrors: 10,
    },
  });

v5.2.0

Compare Source

Minor Changes

• #​8161 51acbeb Thanks @​jerelmiller! - Fix an issue where some bundlers would fail to build because of the dynamic import for the optional peer dependency on @yaacovcr/transform introduced in @apollo/server 5.1.0. To provide support for the legacy incremental format, you must now provide the legacyExperimentalExecuteIncrementally option to the ApolloServer constructor.

  import { legacyExecuteIncrementally } from '@​yaacovcr/transform';
  
  const server = new ApolloServer({
    // ...
    legacyExperimentalExecuteIncrementally: legacyExecuteIncrementally,
  });

  If the legacyExperimentalExecuteIncrementally option is not provided and the client sends an Accept header with a value of multipart/mixed; deferSpec=20220824, an error is returned by the server.

v5.1.0

Compare Source

Minor Changes

• #​8148 80a1a1a Thanks @​jerelmiller! - Apollo Server now supports the incremental delivery protocol (@defer and @stream) that ships with graphql@17.0.0-alpha.9. To use the current protocol, clients must send the Accept header with a value of multipart/mixed; incrementalSpec=v0.2.

  Upgrading to 5.1 will depend on what version of graphql you have installed and whether you already support the incremental delivery protocol.

ardatan/graphql-tools (@​graphql-tools/schema)

v10.0.31

Compare Source

Patch Changes

• Updated dependencies
  [6f3776c]:
  • @​graphql-tools/utils@​11.0.0
  • @​graphql-tools/merge@​9.1.7

v10.0.30

Compare Source

Patch Changes

• Updated dependencies
  [2118a80]:
  • @​graphql-tools/utils@​10.11.0
  • @​graphql-tools/merge@​9.1.6

v10.0.29

Compare Source

Patch Changes

• Updated dependencies
  [2fe123a]:
  • @​graphql-tools/utils@​10.10.3
  • @​graphql-tools/merge@​9.1.5

v10.0.28

Compare Source

Patch Changes

• Updated dependencies
  [dddc5f6]:
  • @​graphql-tools/utils@​10.10.2
  • @​graphql-tools/merge@​9.1.4

v10.0.27

Compare Source

Patch Changes

• Updated dependencies
  [fbb58b5]:
  • @​graphql-tools/utils@​10.10.1
  • @​graphql-tools/merge@​9.1.3

v10.0.26

Compare Source

Patch Changes

• Updated dependencies
  [fd105f4,
  fded91e,
  3b99a9b]:
  • @​graphql-tools/utils@​10.10.0
  • @​graphql-tools/merge@​9.1.2

v10.0.25

Compare Source

Patch Changes

• Updated dependencies
  [984d542,
  984d542,
  32d0457]:
  • @​graphql-tools/merge@​9.1.1
  • @​graphql-tools/utils@​10.9.1

apollographql/apollo-server (apollo-server-express)

v3.13.0

Compare Source

v3.12.1

Compare Source

expressjs/cors (cors)

v2.8.6

Compare Source

==================

• Improve documentation (API, context, examples...)
• Remove additional markdown files from tarball

expressjs/express (express)

v5.2.1

Compare Source

=======================

• Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

v5.2.0

Compare Source

========================

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
• deps: body-parser@^2.2.1
• A deprecation warning was added when using res.redirect with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.

graphql/graphql-js (graphql)

v16.12.0: 16.12.0

Compare Source

v16.12.0 (2025-11-01)

New Feature 🚀

• #​4482 Implement changes for executable descriptions (@​JoviDeCroock)
• #​4493 Backport schema coordinates (@​JoviDeCroock)

Bug Fix 🐞

• #​4392 Catch unhandled exception in abstract resolution (@​JoviDeCroock)

Docs 📝

28 PRs were merged

• #​4374 docs: testing graphQL servers (@​sarahxsanders)
• #​4376 docs: type generation for graphql servers (@​sarahxsanders)
• #​4380 docs: add guides for custom scalars (@​sarahxsanders)
• #​4381 docs: anatomy of a resolver (@​sarahxsanders)
• #​4382 docs: understanding graphql errors (@​sarahxsanders)
• #​4383 docs: N+1 problem and DataLoader (@​sarahxsanders)
• #​4391 docs: cursor-based pagination guide (@​sarahxsanders)
• #​4393 docs: add page on abstract types (@​sarahxsanders)
• #​4394 docs: editorial on abstract types page (@​benjie)
• #​4395 docs: editorial for recent documentation updates (@​benjie)
• #​4396 docs: add page on authorization strategies (@​sarahxsanders)
• #​4398 docs: update "going to production" guide (@​sarahxsanders)
• #​4399 Update mutations-and-input-types.mdx (@​roman-lakhnov)
• #​4400 Remove CJS from docs (@​JoviDeCroock)
• #​4401 docs: add guide on directives (@​sarahxsanders)
• #​4402 docs: add guide for operation complexity controls (@​sarahxsanders)
• #​4405 docs: add guide on nullability (@​sarahxsanders)
• #​4406 docs: add guide on subscriptions (@​sarahxsanders)
• #​4411 docs: add guide on caching strategies (@​sarahxsanders)
• #​4414 docs: guide on scaling your API (@​sarahxsanders)
• #​4416 Editorial for #​4405 (nullability) (@​benjie)
• #​4417 Indicate that field arguments should always be preferred over directives (@​benjie)
• #​4418 docs: trusted documents (@​benjie)
• #​4419 docs: cleanup and fixes (@​sarahxsanders)
• #​4436 Suggestions for federation links (@​Urigo)
• #​4444 Fix navigation (@​JoviDeCroock)
• #​4452 fix(docs/mutations-and-input-types.mdx): root being inside of SDL (@​alesculek)
• #​4473 docs: remove fourth permutation of the visit API (@​janmeier)

Polish 💅

• #​4453 Remove oneof validation from values of correct type (@​JoviDeCroock)

Internal 🏠

3 PRs were merged

• #​4390 Add the version support policy (@​benjie)
• #​4412 internal: use empty merge commit to clean up git diff from 16.x.x (@​yaacovCR)
• #​4479 updated location of ModelSim gitignore file (@​magicmark)

Committers: 9

• Aleš Culek(@​alesculek)
• Benjie(@​benjie)
• Jan Aagaard Meier(@​janmeier)
• Jovi De Croock(@​JoviDeCroock)
• Mark Larah(@​magicmark)
• null(@​roman-lakhnov)
• Sarah Sanders(@​sarahxsanders)
• Uri Goldshtein(@​Urigo)
• Yaacov Rydzinski (@​yaacovCR)

enisdenjo/graphql-ws (graphql-ws)

v5.16.2

Compare Source

Patch Changes

• #​611 6a5fde1 Thanks @​enisdenjo! - No more workspaces

  This version does not contain any code changes.

v5.16.1

Compare Source

Patch Changes

• #​607 a629ec7 Thanks @​enisdenjo! - Release with changesets

  This version does not contain any code changes.

v5.16.0

Compare Source

Bug Fixes

• server: Return all subscriptions regardless of the return invocation order (f442288)
• server: should not send error messages if socket closes before onSubscribe hooks resolves (db47a66), closes #​539

Features

• server: Close code and reason are optional (6ae6e6f), closes #​547

v5.15.0

Compare Source

Bug Fixes

• client: Use TerminatedCloseEvent class extending an Error for rejecting promises when terminating (74b4ceb), closes #​531
• server: Dispose of subscriptions on close even if added late to the subscriptions list (#​534) (e45d6b1), closes #​532

Features

• server: Add is retry flag to connect events (#​507) (9ad853f)

v5.14.3

Compare Source

Bug Fixes

• client: Use closures instead of bindings (with this) (812129d)
• remove package.json workspaces entry in release (63a831e), closes #​524

v5.14.2

Compare Source

Bug Fixes

• client: correct close code for Bad Gateway reason (#​512) (0438650)

v5.14.1

Compare Source

Bug Fixes

• server: Acknowledge connection before notifying the client to avoid race conditions with slow sends (#​506) (8cb82bd), closes #​501

v5.14.0

Compare Source

Features

• client: Async iterator for subscriptions (#​486) (fb4b967)

v5.13.1

Compare Source

Bug Fixes

• Remove unnecessary bun-types directives (e9a56f7), closes #​478

v5.13.0

Compare Source

Features

• server: Use Bun (#​476) (09c7893)
• server: Use Deno (#​477) (0ffd03b)

v5.12.1

Compare Source

Bug Fixes

• Add file extensions to imports/exports in ESM type definitions (48775be)

v5.12.0

Compare Source

Features

• Allow null payloads in messages (#​456) (eeb0265), closes #​455

v5.11.3

Compare Source

Bug Fixes

• ws,uWebSockets,@​fastify/websocket: Handle internal errors that are not instances of Error (#​442) (9884889), closes #​441

v5.11.2

Compare Source

Bug Fixes

• Reorder types paths in package.json for better import resolution (#​406) (37263c5)

v5.11.1

Compare Source

Bug Fixes

• server: Shouldn't send a complete message if client sent it (331fe47), closes #​403

v5.11.0

Compare Source

Features

• client: Provide subscribe payload in generateID (d0bc6e1), closes #​398

v5.10.2

Compare Source

Performance Improvements

• Easier message parser (d44c6f1)

v5.10.1

Compare Source

Bug Fixes

• client: Debounce close by lazyCloseTimeout (c332837), closes #​388

v5.10.0

Compare Source

Features

• server: Use @fastify/websocket (#​382) (dd755b0), closes #​381

v5.9.1

Compare Source

Bug Fixes

• Add types path to package.json exports (#​375) (9f394d7)

v5.9.0

Compare Source

Features

• Descriptive invalid message errors (b46379e), closes #​366

v5.8.2

Compare Source

Bug Fixes

• server: Should clean up subscription reservations on abrupt errors without relying on connection close (611c223)

v5.8.1

Compare Source

Bug Fixes

• client: isFatalConnectionProblem defaults to undefined for using shouldRetry (9d5c573)

v5.8.0

Compare Source

Features

• client: Deprecate isFatalConnectionProblem option in favour of shouldRetry (d8dcf21)

v5.7.0

Compare Source

Features

• client: Terminate the WebSocket abruptly and immediately (53ad515), closes #​290

v5.6.4

Compare Source

Bug Fixes

• Warn about subscriptions-transport-ws clients and provide migration link (e080739), closes #​339 #​325

v5.6.3

Compare Source

Bug Fixes

• client: Stop execution if connectionParams took too long and the server kicked the client off (1e94e45), closes #​331

v5.6.2

Compare Source

Bug Fixes

• server: handleProtocols accepts arrays too and gracefully rejects other types (98dec1a), closes #​318

v5.6.1

Compare Source

Bug Fixes

• server: Handle upgrade requests with multiple subprotocols and omit Sec-WebSocket-Protocol header if none supported (9bae064)

v5.6.0

Compare Source

Features

• TypeScript generic for connection init payload (connectionParams) (#​311) (e67cf80)

microsoft/TypeScript (typescript)

v5.9.3: TypeScript 5.9.3

Compare Source

Note: this tag was recreated to point at the correct commit. The npm package contained the correct content.

For release notes, check out the release announcement

• fixed issues query for Typescript 5.9.0 (Beta).
• fixed issues query for Typescript 5.9.1 (RC).
• No specific changes for TypeScript 5.9.2 (Stable)
• fixed issues query for Typescript 5.9.3 (Stable).

Downloads are available on:

• npm

v5.9.2: TypeScript 5.9

Compare Source

Note: this tag was recreated to point at the correct commit. The npm package contained the correct content.

For release notes, check out the release announcement

• fixed issues query for Typescript 5.9.0 (Beta).
• fixed issues query for Typescript 5.9.1 (RC).
• No specific changes for TypeScript 5.9.2 (Stable)

Downloads are available on:

• npm

websockets/ws (ws)

v8.19.0

Compare Source

Features

• Added the closeTimeout option (#​2308).

Bug fixes

• Handled a forthcoming breaking change in Node.js core (1998485).

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.