Drop support for Node.js v14, v16, and v20.
The integration test suite no longer uses lib: ["dom"] to tell TypeScript to assume DOM-related symbols are in the global namespace. If your integration library's test suite relied on this behavior, you may need to add lib: ["dom"] to the compilerOptions section of your test suite's tsconfig.json.
Apollo Server v5 has very few breaking API changes. It is a small upgrade focused largely on adjusting which versions of Node.js and Express are supported.
Read our migration guide for more details on how to update your app.
Drop support for versions of the graphql library older than v16.11.0. (Apollo Server 4 supports graphql v16.6.0 or later.) Upgrade graphql before upgrading Apollo Server.
In Apollo Server 4, you could import the Express 4 middleware from @apollo/server/express4, or you could import it from the separate package @as-integrations/express4. In Apollo Server 5, you must import it from the separate package. You can migrate your server to the new package before upgrading to Apollo Server 5. (You can also use @as-integrations/express5 for a middleware that works with Express 5.)
Apollo Server now uses Node's built-in fetch implementation for HTTP requests by default, instead of the node-fetch npm package. If your server uses an HTTP proxy to make HTTP requests, you need to configure it in a slightly different way. See the migration guide for details.
startStandaloneServer no longer uses Express. This is mostly invisible, but it does set slightly fewer headers. If you rely on the fact that this server is based on Express, you should explicitly use the Express middleware.
Support for @defer and @stream (which requires using a pre-release version of graphql v17) now explicitly only works with version 17.0.0-alpha.2 of graphql. Note that this supports the same incremental delivery protocol implemented by Apollo Server 4, which is not the same protocol in the latest alpha version of graphql. As this support is experimental, we may switch over from "only alpha.2 is supported" to "only a newer alpha or final release is supported, with a different protocol" during the lifetime of Apollo Server 5.
Apollo Server now rejects requests whose variables fail coercion (for example, a value of the wrong type in the variables map for a variable declared in the operation as a String) with a 400 status code, indicating a client error. This is also the behavior of Apollo Server 3. Apollo Server 4 mistakenly responds to these requests with a 200 status code by default; we recommended the use of the status400ForVariableCoercionErrors: true option to restore the intended behavior. That option now defaults to true.
The precomputedNonce option to landing page plugins (which was only non-deprecated for 8 days) has been removed.
There are a few other small changes in v5:
#8076 5b26558 Thanks @valters! - Fix some error logs to properly call logger.error or logger.warn with this set. This fixes errors or crashes from logger implementations that expect this to be set properly in their methods.
#7515 100233a Thanks @trevor-scheer! - ApolloServerPluginSubscriptionCallback now takes a fetcher argument, like the usage and schema reporting plugins. The default value is Node's built-in fetch.
Updated dependencies [100233a]:
#8070 0dee3c9 Thanks @glasser! - Provide dual-build CJS and ESM for @apollo/server-integration-testsuite.
We previously provided only a CJS build of this package, unlike @apollo/server
itself and the other helper packages that come with it. We may make all of
Apollo Server ESM-only in AS5; this is a step in that direction. Specifically,
only providing this package for CJS makes it challenging to run the tests in
ts-jest in some ESM-only setups, because the copy of @apollo/server fetched
directly in your ESM-based test may differ from the copy fetched indirectly via
@apollo/server-integration-testsuite, causing the "lockstep versioning" test
to fail.
Updated dependencies:
(No change; there is a change to the @apollo/server-integration-testsuite used to test integrations, and the two packages always have matching versions.)
89e3f84 Thanks @clenfest! - Adds a new graphql-js validation rule, disabled by default, to reject operations that recursively request selections above a specified maximum. Use the configuration option maxRecursiveSelections=true to enable it with a maximum of 10,000,000, or maxRecursiveSelections=<number> for a custom maximum. Enabling this validation can help avoid performance issues with configured validation rules or plugins.
2550d9f Thanks @slagiewka! - Add return after sending 400 response in doubly escaped JSON parser middleware.
(No change; there is a change to the @apollo/server-integration-testsuite used to test integrations, and the two packages always have matching versions.)
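To show what "recursively requesting selections" means in practice, here is an added example (not Apollo Server's own implementation of the rule): it expands every fragment spread at its use site and counts the resulting selections, so that a small query text built from reused fragments shows a much larger effective size. The AST node shapes follow graphql-js, but the document is constructed by hand and the counting semantics are an illustration, not Apollo's exact algorithm.

```javascript
// Added example, not Apollo Server's code: count selections with every fragment
// spread expanded where it is used. A few reused fragments multiply into a far
// larger effective query than the text suggests. Nodes mimic graphql-js shapes.

function countSelections(selectionSet, fragments, seen = new Set()) {
  if (!selectionSet) return 0;
  let count = 0;
  for (const sel of selectionSet.selections) {
    count += 1; // the selection itself
    if (sel.kind === 'FragmentSpread') {
      const name = sel.name.value;
      // Cycles and unknown fragments are rejected by other graphql-js rules.
      if (seen.has(name) || !fragments.has(name)) continue;
      const frag = fragments.get(name);
      count += countSelections(frag.selectionSet, fragments, new Set(seen).add(name));
    } else {
      // Field or InlineFragment: recurse into the nested selection set, if any.
      count += countSelections(sel.selectionSet, fragments, seen);
    }
  }
  return count;
}

function recursiveSelectionCount(document) {
  const fragments = new Map();
  for (const def of document.definitions)
    if (def.kind === 'FragmentDefinition') fragments.set(def.name.value, def);
  let total = 0;
  for (const def of document.definitions)
    if (def.kind === 'OperationDefinition') total += countSelections(def.selectionSet, fragments);
  return total;
}

function exceedsMaxRecursiveSelections(document, max) {
  return recursiveSelectionCount(document) > max;
}

// Constructed sample: only 12 selections are written, but Leaf is reached 16 times.
const field = (name, ...selections) => ({ kind: 'Field', name: { value: name },
  selectionSet: selections.length ? { selections } : undefined });
const spread = (name) => ({ kind: 'FragmentSpread', name: { value: name } });
const fragment = (name, ...selections) => ({ kind: 'FragmentDefinition',
  name: { value: name }, selectionSet: { selections } });

const SAMPLE_DOCUMENT = { kind: 'Document', definitions: [
  { kind: 'OperationDefinition', operation: 'query',
    selectionSet: { selections: [field('node', spread('Mid'), spread('Mid'), spread('Mid'), spread('Mid'))] } },
  fragment('Mid', spread('Leaf'), spread('Leaf'), spread('Leaf'), spread('Leaf')),
  fragment('Leaf', field('a'), field('b'), field('c')),
] };
```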
#7952 bb81b2c Thanks @glasser! - Upgrade dependencies so that automated scans don't detect a vulnerability.
@apollo/server depends on express which depends on cookie. Versions of express older than v4.21.1 depend on a version of cookie vulnerable to CVE-2024-47764. Users of older express versions who call res.cookie() or res.clearCookie() may be vulnerable to this issue.
However, Apollo Server does not call this function directly, and it does not expose any object to user code that allows TypeScript users to call this function without an unsafe cast.
The only way that this direct dependency can cause a vulnerability for users of Apollo Server is if you call startStandaloneServer with a context function that calls Express-specific methods such as res.cookie() or res.clearCookie() on the response object, which is a violation of the TypeScript types provided by startStandaloneServer (which only promise that the response object is a core Node.js http.ServerResponse rather than the Express-specific subclass). So this vulnerability can only affect Apollo Server users who use unsafe JavaScript or unsafe as typecasts in TypeScript.
However, this upgrade will at least prevent vulnerability scanners from alerting you to this dependency, and we encourage all Express users to upgrade their project's own express dependency to v4.21.1 or newer.
Updated dependencies [bb81b2c]:
#7916 4686454 Thanks @andrewmcgivery! - Add hideSchemaDetailsFromClientErrors option to ApolloServer to allow hiding 'did you mean' suggestions from validation errors.
Even with introspection disabled, it is possible to "fuzzy test" a graph manually or with automated tools to try to determine the shape of your schema. This is accomplished by taking advantage of the default behavior where a misspelt field in an operation will be met with a validation error that includes a helpful "did you mean" as part of the error text.
For example, with this option set to true, an error would read `Cannot query field "help" on type "Query".` whereas with this option set to false it would read `Cannot query field "help" on type "Query". Did you mean "hello"?`.
We recommend enabling this option in production to avoid leaking information about your schema to malicious actors.
To enable, set this option to true in your ApolloServer options:
```ts
const server = new ApolloServer({
  typeDefs,
  resolvers,
  hideSchemaDetailsFromClientErrors: true,
});
```
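For deployments that cannot yet upgrade to a version with hideSchemaDetailsFromClientErrors, here is an added example (not Apollo Server's own code) of a formatError hook that removes the trailing graphql-js "Did you mean ...?" suggestion from validation errors while leaving other errors untouched. The GRAPHQL_VALIDATION_FAILED error code and the (formattedError, error) hook signature are Apollo Server 4's; the sample error object is constructed.

```javascript
// Added example, not Apollo Server's own code: strip graphql-js suggestions from
// validation errors as a fallback when hideSchemaDetailsFromClientErrors is not
// available. Pass formatError to new ApolloServer({ typeDefs, resolvers, formatError }).

// graphql-js appends the suggestion as a final sentence, e.g.
//   Cannot query field "help" on type "Query". Did you mean "hello"?
//   Unknown argument "lmit" on field "Query.items". Did you mean "limit"?
const SUGGESTION_SUFFIX = / Did you mean .*\?$/;

function stripSuggestion(message) {
  return message.replace(SUGGESTION_SUFFIX, '');
}

// Only validation errors carry these hints; everything else is returned unchanged
// so that resolver errors and their extensions are not altered.
function formatError(formattedError, _error) {
  if (formattedError.extensions?.code !== 'GRAPHQL_VALIDATION_FAILED') {
    return formattedError;
  }
  return { ...formattedError, message: stripSuggestion(formattedError.message) };
}

// Constructed sample of the error a client would otherwise receive.
const SAMPLE_VALIDATION_ERROR = {
  message: 'Cannot query field "help" on type "Query". Did you mean "hello"?',
  locations: [{ line: 1, column: 3 }],
  extensions: { code: 'GRAPHQL_VALIDATION_FAILED' },
};
```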