Merged
Conversation
![renovate-approve[bot]](https://avatars.githubusercontent.com/in/7394?s=60&v=4){kind=small}
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.4.0→5.5.05.4.0→5.5.08.57.1→8.57.28.57.1→8.57.2Release Notes
apollographql/apollo-server (@apollo/server)
v5.5.0Compare Source
Minor Changes
#8191⚠️ SECURITY
ada1200Thanks @glasser! -@apollo/server/standalone:Apollo Server now rejects GraphQL
GETrequests which contain aContent-Typeheader other thanapplication/json(with optional parameters such as; charset=utf-8). Any other value is now rejected with a 415 status code.(GraphQL
GETrequests without aContent-Typeheader are still allowed, though they do still need to contain a non-emptyX-Apollo-Operation-NameorApollo-Require-Preflightheader to be processed if the default CSRF prevention feature is enabled.)This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.
If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.
This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty
Content-Typeheaders withGETrequests with types other thanapplication/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.See advisory GHSA-9q82-xgwf-vj6h for more details.
apollographql/apollo-server (@apollo/server-integration-testsuite)
v5.5.0Compare Source
Minor Changes
#8191⚠️ SECURITY
ada1200-@apollo/server/standalone:Apollo Server now rejects GraphQL
GETrequests which contain aContent-Typeheader other thanapplication/json(with optional parameters such as; charset=utf-8). Any other value is now rejected with a 415 status code.(GraphQL
GETrequests without aContent-Typeheader are still allowed, though they do still need to contain a non-emptyX-Apollo-Operation-NameorApollo-Require-Preflightheader to be processed if the default CSRF prevention feature is enabled.)This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.
If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.
This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty
Content-Typeheaders withGETrequests with types other thanapplication/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.See advisory GHSA-9q82-xgwf-vj6h for more details.
Patch Changes
ada1200]:typescript-eslint/typescript-eslint (@typescript-eslint/eslint-plugin)
v8.57.2Compare Source
🩹 Fixes
❤️ Thank You
See GitHub Releases for more information.
You can read about our versioning strategy and releases on our website.
typescript-eslint/typescript-eslint (@typescript-eslint/parser)
v8.57.2Compare Source
This was a version bump only for parser to align it with other projects, there were no code changes.
See GitHub Releases for more information.
You can read about our versioning strategy and releases on our website.
Configuration
📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.