Update all non-major dependencies #218

renovate · 2025-10-11T16:38:58Z

This PR contains the following updates:

Package	Change	Age	Confidence
@apollo/composition (source)	`2.11.3` -> `2.12.0`
@apollo/gateway (source)	`2.11.3` -> `2.12.0`
@apollo/server (source)	`5.0.0` -> `5.1.0`
@apollo/subgraph (source)	`2.11.3` -> `2.12.0`
@types/express (source)	`5.0.3` -> `5.0.5`
@types/yargs (source)	`17.0.33` -> `17.0.34`
graphql	`16.11.0` -> `16.12.0`
graphql-yoga (source)	`5.16.0` -> `5.16.2`
wait-on	`9.0.1` -> `9.0.3`
wgc	`0.94.0` -> `0.94.5`

Release Notes

apollographql/federation (@apollo/composition)

`v2.12.0`

Compare Source

Minor Changes

Federation 2.12 and Connect 0.3 (#3276)
Added isSuccess argument to @connect and @source (#3294)
Fixes a bug where composition may not generate a satisfiability error for an unsatisfiable @shareable mutation field. (#3305) (#3305)
Automatically propagate authorization requirements from implementing type to interface in the supergraph. (#3321)

Authorization requirements now automatically propagate from implementing types to interfaces during composition. Direct auth specifications on interfaces are no longer allowed. Interface access requires satisfying ALL implementing types' requirements (AND rule), with these requirements included in the supergraph for backward compatibility with older routers.

Fix transitive auth requirements on @requires and @fromcontext (#3321)

Adds new postMergeValidation check to ensure that all fields that depends on data from other parts of the supergraph through @requires and/or @fromContext directives explicitly specify matching @authenticated, @requiresScopes and/or @policy auth requirements, e.g.

type T @&#8203;key(fields: "id") {
  id: ID!
  extra: String @&#8203;external
  # we need explicit `@authenticated` as it is needed to access extra
  requiresExtra: String @&#8203;requires(fields: "extra") @&#8203;authenticated
}

type T @&#8203;key(fields: "id") {
  id: ID!
  extra: String @&#8203;authenticated
}

Adding new CompositionOption maxValidationSubgraphPaths. This value represents the maximum number of SubgraphPathInfo objects that may exist in a ValidationTraversal when checking for satisfiability. Setting this value can help composition error before running out of memory. Default is 1,000,000. (#3275)
Restrict usage of auth directives on interfaces (#3321)

Restricts usage of @authenticated, @policy and @requiresScopes from being applied on interfaces, interface objects and their fields.

GraphQL spec currently does not define any interface inheritance rules and developers have to explicitly redefine all interface fields on their implementations. At runtime, GraphQL servers cannot return abstract types and always return concrete output types. Due to the above, applying auth directives on the interfaces may lead to unexpected runtime behavior as they won't have any effect at runtime.

Stricter merge rules for @requiresScopes and @policy (#3321)

Current merge policies for @authenticated, @requiresScopes and @policy were inconsistent.

If a shared field uses the same authorization directives across subgraphs, composition merges them using OR logic. However, if a shared field uses different authorization directives across subgraphs composition merges them using AND logic. This simplified schema evolution, but weakened security requirements. Therefore, the behavior has been changed to always apply AND logic to authorization directives applied to the same field across subgraphs.

Since @policy and @requiresScopes values represent boolean conditions in Disjunctive Normal Form, we can merge them conjunctively to get the final auth requirements. For example:

# subgraph A
type T @&#8203;authenticated {
  # requires scopes (A1 AND A2) OR A3
  secret: String @&#8203;requiresScopes(scopes: [["A1", "A2"], ["A3"]])
}

# subgraph B
type T {
  # requires scopes B1 OR B2
  secret: String @&#8203;requiresScopes(scopes: [["B1"], ["B2"]]
}

# composed supergraph
type T @&#8203;authenticated {
  secret: String @&#8203;requiresScopes(
    scopes: [
      ["A1", "A2", "B1"],
      ["A1", "A2", "B2"],
      ["A3", "B1"],
      ["A3", "B2"]
    ])
}

This algorithm also deduplicates redundant requirements, e.g.

# subgraph A
type T {
  # requires A1 AND A2 scopes to access
  secret: String @&#8203;requiresScopes(scopes: [["A1", "A2"]])
}

# subgraph B
type T {
  # requires only A1 scope to access
  secret: String @&#8203;requiresScopes(scopes: [["A1"]])
}

# composed supergraph
type T {
  # requires only A1 scope to access as A2 is redundant
  secret: String @&#8203;requiresScopes(scopes: [["A1"]])
}

Fixed handling @requires dependency on fields returned by @interfaceObject (#3318)

Depending on the merge order of the types, we could fail composition if a type that @requires data from an @interfaceObject is merged before the interface. Updated merge logic to use explicit merge order of scalars, input objects, interfaces, and finally objects.
Added preview @cacheTag directive support (#3274)

Patch Changes

Updated dependencies [3e2b0a8569a9fe46726182887ed0b4bfc0b52468, bb4614d338ae03bac51a5fc2439590f172c4e54d, 99f2da21de88f9ad9a32ee7ed64b2d4a92887b40, 468f27842608f4e390cfc88bc7e6b4b0945f95ff, 3fd5157b309f1d3439b2d87c67b0601fb246d04c, b734ea04d118db09cf6077fdd968c8f04a96327a, 4bda3a498eba36e187dfd9ae673eca12d3f3502c, e7e67579908d5cd2fa6fe558228dffe4808cd98d, f3ab499eaf62b1a1c0f08b838d2cbde5accb303a, faea2d1174d80593264f2227cfde9a2ba1a59b96, 97b9d2edfcfeed99124f9e115f992cbef3804682, f6af504f1ba8283fd00af0d6e3c9c1a665d62736, a595235d3cf8f67611efd8395332b64d067b5f1f]:
- @apollo/query-graphs@2.12.0
- @apollo/federation-internals@2.12.0

`v2.11.4`

Compare Source

Patch Changes

Automatically propagate authorization requirements from implementing type to interface in the supergraph. (#3325)

Authorization requirements now automatically propagate from implementing types to interfaces during composition. Direct auth specifications on interfaces are no longer allowed. Interface access requires satisfying ALL implementing types' requirements (AND rule), with these requirements included in the supergraph for backward compatibility with older routers.

Fix transitive auth requirements on @requires and @fromcontext (#3325)

Adds new postMergeValidation check to ensure that all fields that depends on data from other parts of the supergraph through @requires and/or @fromContext directives explicitly specify matching @authenticated, @requiresScopes and/or @policy auth requirements, e.g.

type T @&#8203;key(fields: "id") {
  id: ID!
  extra: String @&#8203;external
  # we need explicit `@authenticated` as it is needed to access extra
  requiresExtra: String @&#8203;requires(fields: "extra") @&#8203;authenticated
}

type T @&#8203;key(fields: "id") {
  id: ID!
  extra: String @&#8203;authenticated
}

Restrict usage of auth directives on interfaces (#3325)

Restricts usage of @authenticated, @policy and @requiresScopes from being applied on interfaces, interface objects and their fields.

GraphQL spec currently does not define any interface inheritance rules and developers have to explicitly redefine all interface fields on their implementations. At runtime, GraphQL servers cannot return abstract types and always return concrete output types. Due to the above, applying auth directives on the interfaces may lead to unexpected runtime behavior as they won't have any effect at runtime.

Stricter merge rules for @requiresScopes and @policy (#3325)

Current merge policies for @authenticated, @requiresScopes and @policy were inconsistent.

If a shared field uses the same authorization directives across subgraphs, composition merges them using OR logic. However, if a shared field uses different authorization directives across subgraphs composition merges them using AND logic. This simplified schema evolution, but weakened security requirements. Therefore, the behavior has been changed to always apply AND logic to authorization directives applied to the same field across subgraphs.

Since @policy and @requiresScopes values represent boolean conditions in Disjunctive Normal Form, we can merge them conjunctively to get the final auth requirements. For example:

# subgraph A
type T @&#8203;authenticated {
  # requires scopes (A1 AND A2) OR A3
  secret: String @&#8203;requiresScopes(scopes: [["A1", "A2"], ["A3"]])
}

# subgraph B
type T {
  # requires scopes B1 OR B2
  secret: String @&#8203;requiresScopes(scopes: [["B1"], ["B2"]]
}

# composed supergraph
type T @&#8203;authenticated {
  secret: String @&#8203;requiresScopes(
    scopes: [
      ["A1", "A2", "B1"],
      ["A1", "A2", "B2"],
      ["A3", "B1"],
      ["A3", "B2"]
    ])
}

This algorithm also deduplicates redundant requirements, e.g.

# subgraph A
type T {
  # requires A1 AND A2 scopes to access
  secret: String @&#8203;requiresScopes(scopes: [["A1", "A2"]])
}

# subgraph B
type T {
  # requires only A1 scope to access
  secret: String @&#8203;requiresScopes(scopes: [["A1"]])
}

# composed supergraph
type T {
  # requires only A1 scope to access as A2 is redundant
  secret: String @&#8203;requiresScopes(scopes: [["A1"]])
}

Updated dependencies [d221ac04c3ee00a3c7a671d9d56e2cfa36943b49, 7730c03e128be6754b9e40c086d5cb5c4685ac66, 4bda3a498eba36e187dfd9ae673eca12d3f3502c, f3ab499eaf62b1a1c0f08b838d2cbde5accb303a, 6adbf7e86927de969aedab665b6a3a8dbf3a6095, 2a20dc38dfc40e0b618d5cc826f18a19ddb91aff]:
- @apollo/federation-internals@2.11.4
- @apollo/query-graphs@2.11.4

apollographql/federation (@apollo/gateway)

`v2.12.0`

Compare Source

Minor Changes

Federation 2.12 and Connect 0.3 (#3276)

apollographql/apollo-server (@apollo/server)

`v5.1.0`

Compare Source

Minor Changes

#8148 80a1a1a Thanks @jerelmiller! - Apollo Server now supports the incremental delivery protocol (@defer and @stream) that ships with [email protected]. To use the current protocol, clients must send the Accept header with a value of multipart/mixed; incrementalSpec=v0.2.

Upgrading to 5.1 will depend on what version of graphql you have installed and whether you already support the incremental delivery protocol.

apollographql/federation (@apollo/subgraph)

`v2.12.0`

Compare Source

Minor Changes

Federation 2.12 and Connect 0.3 (#3276)

Patch Changes

When a GraphQLScalarType resolver is provided to buildSubgraphSchema(), omitted configuration options in the GraphQLScalarType no longer cause the corresponding properties in the GraphQL document/AST to be cleared. To explicitly clear these properties, use null for the configuration option instead. (#3287)
Updated dependencies [3e2b0a8569a9fe46726182887ed0b4bfc0b52468, bb4614d338ae03bac51a5fc2439590f172c4e54d, 99f2da21de88f9ad9a32ee7ed64b2d4a92887b40, 468f27842608f4e390cfc88bc7e6b4b0945f95ff, 3fd5157b309f1d3439b2d87c67b0601fb246d04c, b734ea04d118db09cf6077fdd968c8f04a96327a, 4bda3a498eba36e187dfd9ae673eca12d3f3502c, e7e67579908d5cd2fa6fe558228dffe4808cd98d, faea2d1174d80593264f2227cfde9a2ba1a59b96, 97b9d2edfcfeed99124f9e115f992cbef3804682, f6af504f1ba8283fd00af0d6e3c9c1a665d62736, a595235d3cf8f67611efd8395332b64d067b5f1f]:
- @apollo/federation-internals@2.12.0

`v2.11.4`

Compare Source

Patch Changes

Updated dependencies [d221ac04c3ee00a3c7a671d9d56e2cfa36943b49, 7730c03e128be6754b9e40c086d5cb5c4685ac66, 4bda3a498eba36e187dfd9ae673eca12d3f3502c, 6adbf7e86927de969aedab665b6a3a8dbf3a6095, 2a20dc38dfc40e0b618d5cc826f18a19ddb91aff]:
- @apollo/federation-internals@2.11.4

graphql/graphql-js (graphql)

`v16.12.0`: 16.12.0

Compare Source

v16.12.0 (2025-11-01)

New Feature 🚀

#4482 Implement changes for executable descriptions (@JoviDeCroock)
#4493 Backport schema coordinates (@JoviDeCroock)

Bug Fix 🐞

#4392 Catch unhandled exception in abstract resolution (@JoviDeCroock)

Docs 📝

28 PRs were merged

#4374 docs: testing graphQL servers (@sarahxsanders)
#4376 docs: type generation for graphql servers (@sarahxsanders)
#4380 docs: add guides for custom scalars (@sarahxsanders)
#4381 docs: anatomy of a resolver (@sarahxsanders)
#4382 docs: understanding graphql errors (@sarahxsanders)
#4383 docs: N+1 problem and DataLoader (@sarahxsanders)
#4391 docs: cursor-based pagination guide (@sarahxsanders)
#4393 docs: add page on abstract types (@sarahxsanders)
#4394 docs: editorial on abstract types page (@benjie)
#4395 docs: editorial for recent documentation updates (@benjie)
#4396 docs: add page on authorization strategies (@sarahxsanders)
#4398 docs: update "going to production" guide (@sarahxsanders)
#4399 Update mutations-and-input-types.mdx (@roman-lakhnov)
#4400 Remove CJS from docs (@JoviDeCroock)
#4401 docs: add guide on directives (@sarahxsanders)
#4402 docs: add guide for operation complexity controls (@sarahxsanders)
#4405 docs: add guide on nullability (@sarahxsanders)
#4406 docs: add guide on subscriptions (@sarahxsanders)
#4411 docs: add guide on caching strategies (@sarahxsanders)
#4414 docs: guide on scaling your API (@sarahxsanders)
#4416 Editorial for #4405 (nullability) (@benjie)
#4417 Indicate that field arguments should always be preferred over directives (@benjie)
#4418 docs: trusted documents (@benjie)
#4419 docs: cleanup and fixes (@sarahxsanders)
#4436 Suggestions for federation links (@Urigo)
#4444 Fix navigation (@JoviDeCroock)
#4452 fix(docs/mutations-and-input-types.mdx): root being inside of SDL (@alesculek)
#4473 docs: remove fourth permutation of the visit API (@janmeier)

Polish 💅

#4453 Remove oneof validation from values of correct type (@JoviDeCroock)

Internal 🏠

3 PRs were merged

#4390 Add the version support policy (@benjie)
#4412 internal: use empty merge commit to clean up git diff from 16.x.x (@yaacovCR)
#4479 updated location of ModelSim gitignore file (@magicmark)

Committers: 9

Aleš Culek(@alesculek)
Benjie(@benjie)
Jan Aagaard Meier(@janmeier)
Jovi De Croock(@JoviDeCroock)
Mark Larah(@magicmark)
null(@roman-lakhnov)
Sarah Sanders(@sarahxsanders)
Uri Goldshtein(@Urigo)
Yaacov Rydzinski (@yaacovCR)

graphql-hive/graphql-yoga (graphql-yoga)

`v5.16.2`

Compare Source

Patch Changes

#4270
ba38629
Thanks @ardatan! - Fixes the bug where the error masking incorrectly
sets http.unexpected instead of just unexpected.
```
{
  "extensions": {
-    "http": {
      "unexpected": true
-    }
  }
}
```

`v5.16.1`

Compare Source

Patch Changes

#4263
6f83cea
Thanks @ardatan! - dependencies updates:
- Updated dependency
  @whatwg-node/server@^0.10.14 ↗︎
  (from ^0.10.5, in dependencies)
#4264
e1f52b6
Thanks @renovate! - dependencies updates:
- Removed dependency dset@^3.1.4 ↗︎ (from
  dependencies)
#4263
6f83cea
Thanks @ardatan! - Update GraphiQL dependencies

jeffbski/wait-on (wait-on)

`v9.0.3`

Compare Source

Update to jsdoc. Thanks @westonruter

Minor dependencies updated: eslint, mocha, axios

`v9.0.2`

Compare Source

Replaced unmaintained expect-legacy package with chai. Thanks @bdkopen

wundergraph/cosmo (wgc)