chore(deps): update apollo graphql packages to v2.13.3

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@apollo/gateway (source)	2.10.5 → 2.13.3
@apollo/subgraph (source)	2.2.3 → 2.13.3
@apollo/subgraph (source)	2.11.2 → 2.13.3

---

Release Notes

apollographql/federation (@​apollo/gateway)

v2.13.3

Compare Source

Patch Changes

• Updated dependencies [b5c17ffa73e2de49bd63182a84a7d5837c0ab2d5]:
  • @​apollo/composition@​2.13.3
  • @​apollo/federation-internals@​2.13.3
  • @​apollo/query-planner@​2.13.3

v2.13.2

Compare Source

Patch Changes

• Fixed several code paths that access response objects to prevent JavaScript prototype pollution and unintended access to the prototype chain. (#​3396)

  See the associated GitHub Advisories GHSA-pfjj-6f4p-rvmh for more information.

• Updated dependencies [84e9226b606b176ede097410f5ba35ba03d140ed]:

  • @​apollo/query-planner@​2.13.2
  • @​apollo/federation-internals@​2.13.2
  • @​apollo/composition@​2.13.2

v2.13.1

Compare Source

Patch Changes

• Allow bumping make-fetch-happen dependency to v15. (#​3374)

  This change allows users to upgrade make-fetch-happen to v15, which in turn will allow updating the cacache dependency from v17 to v20, dropping the tar v6 dependency that is marked as vulnerable.

  The only breaking changes in make-fetch-happen from v11 to v15 are removals of support for old end-of-life Node.js versions.

  There is only one note from the 12.0.0 release of make-fetch-happen that might be of interest when considering the upgrade:

  this changes the underlying http agents to those provided by @​npmcli/agent. Backwards compatibility should be fully implemented but due to the scope of this change it was made a breaking change out of an abundance of caution.

  As a result, it should be possible for most users to upgrade from v11 to v15 without any issues.

  We still keep the dependency to v11 as an alternative for people that cannot upgrade to v15 for some reason. This will be removed in a future version of @apollo/gateway.

  Even for users that stay on v11, there should not be any immediate danger. While cacache had tar v6 as a dependency, it actually never used it. It seems that that dependency had become unused at some point but was never removed. So users on make-fetch-happen v11 are not actually affected by the vulnerability in tar v6.

  The dependency might hold the tar package required by other packages back, though. In case an update from v11 to v15 is not possible, users should consider to use the resolution override feature of their package manager to force the dependency from cacache to tar to either be removed or updated to a newer version. As cacache does not actually use tar, this should not cause any issues.

• Updated dependencies []:

  • @​apollo/composition@​2.13.1
  • @​apollo/federation-internals@​2.13.1
  • @​apollo/query-planner@​2.13.1

v2.13.0

Compare Source

Minor Changes

• Drop Node.js 14/16 support, require Node.js 18+ (#​3364)

Patch Changes

• Updated dependencies [f4d2f4a1f50a92be37ea7179eddb3681f36d9d15, 523b13b715e75033f0bdbc176416e59ac01de8f0, ecbe182423313b3a94c185dee6b659573435b141, 4c64006b1604471940e20aa1aa46a0f75a6396df, 873577a2b7ae8ce507e0ca4377aed049e1a15075]:
  • @​apollo/query-planner@​2.13.0
  • @​apollo/composition@​2.13.0
  • @​apollo/federation-internals@​2.13.0

v2.12.3

Compare Source

Patch Changes

• Fixed several code paths that access response objects to prevent JavaScript prototype pollution and unintended access to the prototype chain. (#​3397)

  See the associated GitHub Advisories GHSA-pfjj-6f4p-rvmh for more information.

• Updated dependencies [4393ceca349aca68981362f210cca023ed3fb97b]:

  • @​apollo/query-planner@​2.12.3
  • @​apollo/federation-internals@​2.12.3
  • @​apollo/composition@​2.12.3

v2.12.2

Compare Source

Patch Changes

• Updated dependencies [238d9d71e831e4f3e8d8e334ad6952cc19c073b1]:
  • @​apollo/federation-internals@​2.12.2
  • @​apollo/composition@​2.12.2
  • @​apollo/query-planner@​2.12.2

v2.12.1

Compare Source

Patch Changes

• Updated dependencies [b19431e4a92206703e29aba859a5fc7574b9ef8b, 09e596e6a0c753071ca822e84f525d73ada395cf, ac1ed2946c48e0fef4b413b192d8c5fbdb2370ae]:
  • @​apollo/composition@​2.12.1
  • @​apollo/federation-internals@​2.12.1
  • @​apollo/query-planner@​2.12.1

v2.12.0

Compare Source

Minor Changes

• Federation 2.12 and Connect 0.3 (#​3276)

Patch Changes

• Updated dependencies [3e2b0a8569a9fe46726182887ed0b4bfc0b52468, bb4614d338ae03bac51a5fc2439590f172c4e54d, 99f2da21de88f9ad9a32ee7ed64b2d4a92887b40, 468f27842608f4e390cfc88bc7e6b4b0945f95ff, 3fd5157b309f1d3439b2d87c67b0601fb246d04c, b734ea04d118db09cf6077fdd968c8f04a96327a, 4bda3a498eba36e187dfd9ae673eca12d3f3502c, e7e67579908d5cd2fa6fe558228dffe4808cd98d, f3ab499eaf62b1a1c0f08b838d2cbde5accb303a, faea2d1174d80593264f2227cfde9a2ba1a59b96, 0dbc7cc72ffacf324231e9ccb2de4189f6bf3289, 97b9d2edfcfeed99124f9e115f992cbef3804682, f6af504f1ba8283fd00af0d6e3c9c1a665d62736, bc07e979b9fd24c9b94740b170f11023fe99ba1e, a595235d3cf8f67611efd8395332b64d067b5f1f, 9cbdcb53f859c877a476e2725faa4cb205506f57]:
  • @​apollo/query-planner@​2.12.0
  • @​apollo/composition@​2.12.0
  • @​apollo/federation-internals@​2.12.0

v2.11.6

Compare Source

Patch Changes

• Fixed several code paths that access response objects to prevent JavaScript prototype pollution and unintended access to the prototype chain. (#​3398)

  See the associated GitHub Advisories GHSA-pfjj-6f4p-rvmh for more information.

• Updated dependencies [73ae202f72a31b9f63e779c535d7ecb059ff908a]:

  • @​apollo/query-planner@​2.11.6
  • @​apollo/federation-internals@​2.11.6
  • @​apollo/composition@​2.11.6

v2.11.5

Compare Source

Patch Changes

• Updated dependencies [5ee4d966487e714ae6bc6445bf53d75ccbbaf6ae, e1c58611c3c996b4fff98a54e49f00549ff2115d, 3e2d1fd315db54a089fedf131cfaa27792bdd049]:
  • @​apollo/composition@​2.11.5
  • @​apollo/federation-internals@​2.11.5
  • @​apollo/query-planner@​2.11.5

v2.11.4

Compare Source

Patch Changes

• Updated dependencies [d221ac04c3ee00a3c7a671d9d56e2cfa36943b49, 7730c03e128be6754b9e40c086d5cb5c4685ac66, 4bda3a498eba36e187dfd9ae673eca12d3f3502c, f3ab499eaf62b1a1c0f08b838d2cbde5accb303a, 6adbf7e86927de969aedab665b6a3a8dbf3a6095, 2a20dc38dfc40e0b618d5cc826f18a19ddb91aff]:
  • @​apollo/composition@​2.11.4
  • @​apollo/federation-internals@​2.11.4
  • @​apollo/query-planner@​2.11.4

v2.11.3

Compare Source

Patch Changes

• Updated dependencies [4faa114215200daf7ad7518be8e50071fcde783c, 8c7a2cd655ad3060e9f5c3b106cfbdb59251701c]:
  • @​apollo/query-planner@​2.11.3
  • @​apollo/federation-internals@​2.11.3
  • @​apollo/composition@​2.11.3

v2.11.2

Compare Source

Patch Changes

• Updated dependencies [28c08bef6e691aefc6ed07c0e7057f9cd803b317, 28c08bef6e691aefc6ed07c0e7057f9cd803b317]:
  • @​apollo/federation-internals@​2.11.2
  • @​apollo/composition@​2.11.2
  • @​apollo/query-planner@​2.11.2

v2.11.1

Compare Source

Patch Changes

• Updated dependencies [7799ad1717becf15fb0e82f89619f2ec8a24b4d4, b26794c5724ef23d1f0fd45a40aee3d301557489, 51bed5be49d8e87adae59f568315c9e3488a91e0]:
  • @​apollo/federation-internals@​2.11.1
  • @​apollo/composition@​2.11.1
  • @​apollo/query-planner@​2.11.1

v2.11.0

Compare Source

Minor Changes

• Adds connect spec v0.2, available for use with Apollo Router 2.3.0 or greater. (#​3262)

Patch Changes

• Corrects a set of denial-of-service (DOS) vulnerabilities that made it possible for an attacker to render gateway inoperable with certain simple query patterns due to uncontrolled resource consumption. All prior-released versions and configurations are vulnerable. (#​3238)

  See the associated GitHub Advisories GHSA-q2f9-x4p4-7xmh and GHSA-p2q6-pwh5-m6jr for more information.

• Updated dependencies [1462c91879d41884c0a7e60551d8dd0d67c832d3, 9614b26e5a17cbf1f6aaf08f6fcb1c95eb12592d, 9614b26e5a17cbf1f6aaf08f6fcb1c95eb12592d]:

  • @​apollo/query-planner@​2.11.0
  • @​apollo/federation-internals@​2.11.0
  • @​apollo/composition@​2.11.0

apollographql/federation (@​apollo/subgraph)

v2.13.3

Compare Source

Patch Changes

• Updated dependencies [b5c17ffa73e2de49bd63182a84a7d5837c0ab2d5]:
  • @​apollo/federation-internals@​2.13.3

v2.13.2

Compare Source

Patch Changes

• Updated dependencies [84e9226b606b176ede097410f5ba35ba03d140ed]:
  • @​apollo/federation-internals@​2.13.2

v2.13.1

Compare Source

Patch Changes

• Updated dependencies []:
  • @​apollo/federation-internals@​2.13.1

v2.13.0

Compare Source

Minor Changes

• Drop Node.js 14/16 support, require Node.js 18+ (#​3364)

Patch Changes

• Updated dependencies [f4d2f4a1f50a92be37ea7179eddb3681f36d9d15, 523b13b715e75033f0bdbc176416e59ac01de8f0, ecbe182423313b3a94c185dee6b659573435b141, 4c64006b1604471940e20aa1aa46a0f75a6396df, 873577a2b7ae8ce507e0ca4377aed049e1a15075]:
  • @​apollo/federation-internals@​2.13.0

v2.12.3

Compare Source

Patch Changes

• Updated dependencies [4393ceca349aca68981362f210cca023ed3fb97b]:
  • @​apollo/federation-internals@​2.12.3

v2.12.2

Compare Source

Patch Changes

• Updated dependencies [238d9d71e831e4f3e8d8e334ad6952cc19c073b1]:
  • @​apollo/federation-internals@​2.12.2

v2.12.1

Compare Source

Patch Changes

• Updated dependencies [09e596e6a0c753071ca822e84f525d73ada395cf, ac1ed2946c48e0fef4b413b192d8c5fbdb2370ae]:
  • @​apollo/federation-internals@​2.12.1

v2.12.0

Compare Source

Minor Changes

• Federation 2.12 and Connect 0.3 (#​3276)

Patch Changes

• When a GraphQLScalarType resolver is provided to buildSubgraphSchema(), omitted configuration options in the GraphQLScalarType no longer cause the corresponding properties in the GraphQL document/AST to be cleared. To explicitly clear these properties, use null for the configuration option instead. (#​3287)

• Updated dependencies [3e2b0a8569a9fe46726182887ed0b4bfc0b52468, bb4614d338ae03bac51a5fc2439590f172c4e54d, 99f2da21de88f9ad9a32ee7ed64b2d4a92887b40, 468f27842608f4e390cfc88bc7e6b4b0945f95ff, 3fd5157b309f1d3439b2d87c67b0601fb246d04c, b734ea04d118db09cf6077fdd968c8f04a96327a, 4bda3a498eba36e187dfd9ae673eca12d3f3502c, e7e67579908d5cd2fa6fe558228dffe4808cd98d, faea2d1174d80593264f2227cfde9a2ba1a59b96, 97b9d2edfcfeed99124f9e115f992cbef3804682, f6af504f1ba8283fd00af0d6e3c9c1a665d62736, a595235d3cf8f67611efd8395332b64d067b5f1f]:

  • @​apollo/federation-internals@​2.12.0

v2.11.6

Compare Source

Patch Changes

• Updated dependencies [73ae202f72a31b9f63e779c535d7ecb059ff908a]:
  • @​apollo/federation-internals@​2.11.6

v2.11.5

Compare Source

Patch Changes

• Updated dependencies [e1c58611c3c996b4fff98a54e49f00549ff2115d, 3e2d1fd315db54a089fedf131cfaa27792bdd049]:
  • @​apollo/federation-internals@​2.11.5

v2.11.4

Compare Source

Patch Changes

• Updated dependencies [d221ac04c3ee00a3c7a671d9d56e2cfa36943b49, 7730c03e128be6754b9e40c086d5cb5c4685ac66, 4bda3a498eba36e187dfd9ae673eca12d3f3502c, 6adbf7e86927de969aedab665b6a3a8dbf3a6095, 2a20dc38dfc40e0b618d5cc826f18a19ddb91aff]:
  • @​apollo/federation-internals@​2.11.4

v2.11.3

Compare Source

Patch Changes

• When a GraphQLScalarType resolver is provided to buildSubgraphSchema(), omitted configuration options in the GraphQLScalarType no longer cause the corresponding properties in the GraphQL document/AST to be cleared. To explicitly clear these properties, use null for the configuration option instead. (#​3285) (#​3285)

• Updated dependencies [8c7a2cd655ad3060e9f5c3b106cfbdb59251701c]:

  • @​apollo/federation-internals@​2.11.3

v2.11.2

Compare Source

Patch Changes

• Revert change to @​composeDirective definition to specify nullable argument value. (#​3283)

  We cannot fix the definition as that would break customers using older versions of subgraph-js. Our validations are already verifying that the values are specified.

• Updated dependencies [28c08bef6e691aefc6ed07c0e7057f9cd803b317]:

  • @​apollo/federation-internals@​2.11.2

v2.11.1

Compare Source

Patch Changes

• Updated dependencies [7799ad1717becf15fb0e82f89619f2ec8a24b4d4, b26794c5724ef23d1f0fd45a40aee3d301557489]:
  • @​apollo/federation-internals@​2.11.1

v2.11.0

Compare Source

Minor Changes

• Adds connect spec v0.2, available for use with Apollo Router 2.3.0 or greater. (#​3262)

Patch Changes

• Updated dependencies [1462c91879d41884c0a7e60551d8dd0d67c832d3, 9614b26e5a17cbf1f6aaf08f6fcb1c95eb12592d]:
  • @​apollo/federation-internals@​2.11.0

v2.10.5

Compare Source

Patch Changes

• Updated dependencies [1ce248dcb2c297cab185dde08347710f8ceda3e3]:
  • @​apollo/federation-internals@​2.10.5

v2.10.4

Compare Source

Patch Changes

• Updated dependencies [20c75d1d60a48fc289d88c8d29652f1afc7553e4]:
  • @​apollo/federation-internals@​2.10.4

v2.10.3

Compare Source

Patch Changes

• Updated dependencies [2b88aec38d5bacb6ec815d885fdac47ef415124a, 18a9cfaf533602bb37fdf22962539ce0eae948c8, 9c0aaa0874c98ae8ce0cc38cad7f6f25d2c29635, f94e7b35c43ed64c67ff25c7aeb86ec0dd73370a]:
  • @​apollo/federation-internals@​2.10.3

v2.10.2

Compare Source

Patch Changes

• Updated dependencies []:
  • @​apollo/federation-internals@​2.10.2

v2.10.1

Compare Source

Patch Changes

• Updated dependencies [97d81b79c3da10175bdf92c2209039efe352de79]:
  • @​apollo/federation-internals@​2.10.1

v2.10.0

Compare Source

Patch Changes

• When resolving references, skip type resolution if the reference resolves to null. (#​3215)

• Updated dependencies [8927e315ab0e865ef3ff12320f265ee95588b899, 8927e315ab0e865ef3ff12320f265ee95588b899]:

  • @​apollo/federation-internals@​2.10.0

v2.9.6

Compare Source

Patch Changes

• Updated dependencies [b51586d4a5c891f8832e78f8415d798282567831]:
  • @​apollo/federation-internals@​2.9.6

v2.9.5

Compare Source

Patch Changes

• Updated dependencies [0d8fca1c8cc375bb8486f11f339984b69267417d]:
  • @​apollo/federation-internals@​2.9.5

v2.9.4

Compare Source

Patch Changes

• Updated dependencies [22686d640b1e48f6a9aa07e538464db95b536792, 22686d640b1e48f6a9aa07e538464db95b536792, 22686d640b1e48f6a9aa07e538464db95b536792, 22686d640b1e48f6a9aa07e538464db95b536792]:
  • @​apollo/federation-internals@​2.9.4

v2.9.3

Compare Source

Patch Changes

• Updated dependencies [cc4573471696ef78d04fa00c4cf8e5c50314ba9f, 062572b3253e8640b60a0bf58b83945094b76b6f, df5eb3cb0e2b4802fcd425ab9c23714de2707db3, 1c99cb0dcc6c639ac351210932623ab0bd6907e4]:
  • @​apollo/federation-internals@​2.9.3

v2.9.2

Compare Source

Patch Changes

• Updated dependencies [2192f355f50db33fe0807d16153f357696b9f190, 5ac01b534318105e904c1e6598070f753add3bb1]:
  • @​apollo/federation-internals@​2.9.2

v2.9.1

Compare Source

Patch Changes

• Updated dependencies [b8e4ab5352a4dfd262af49493fdd42e86e5e3d99, e6c05b6c96023aa3dec79889431f8217fcb3806d]:
  • @​apollo/federation-internals@​2.9.1

v2.9.0

Compare Source

Patch Changes

• Updated dependencies [02c2a34a62c3717a4885449172e404f19ebf66c9, 0ccfd937d4b4a576f890665ceebbd7986fac5d0c, e0a5075c0d12a0e2f7ef303b246e3216a139d3e0]:
  • @​apollo/federation-internals@​2.9.0

v2.8.5

Compare Source

Patch Changes

• Updated dependencies []:
  • @​apollo/federation-internals@​2.8.5

v2.8.4

Compare Source

Patch Changes

• Add descriptions for federation directives (#​3095)

• Updated dependencies [5f4bb160d024678d6facd471c43c8ec61c86e701, 672aca7cbeb0a6a38586357a4e154f2dd91caa0c]:

  • @​apollo/federation-internals@​2.8.4

v2.8.3

Compare Source

Patch Changes

• Updated dependencies [50d648ccffb05591878de75dc5522914ed48698f, f753d55e9a49d11389ee4f8d7976533447e95ede, 3af790517d662f3bec9064c0bf243014c579e9cd]:
  • @​apollo/federation-internals@​2.8.3

v2.8.2

Compare Source

Patch Changes

• Updated dependencies [b2e5ab66f84688ec304cfcf2c6f749c86aded549]:
  • @​apollo/federation-internals@​2.8.2

v2.8.1

Compare Source

Patch Changes

• Updated dependencies []:
  • @​apollo/federation-internals@​2.8.1

v2.8.0

Compare Source

Patch Changes

• Various set context bugfixes (#​3017)

• Updated dependencies [c4744da360235d8bb8270ea048f0e0fa5d03be1e, 8a936d741a0c05835ff2533714cf330d18209179]:

  • @​apollo/federation-internals@​2.8.0

v2.7.8

Compare Source

Patch Changes

• Triggering a clean 2.7.8 release now that harmonizer build has been fixed. (#​3010)

• Updated dependencies [2ad72802044310a528e8944f4538efe519424504]:

  • @​apollo/federation-internals@​2.7.8

v2.7.7

Compare Source

Patch Changes

• No logical changes since 2.7.5 or 2.7.6, but we fixed a bug in the release process, so we need to publish a new patch version (2.7.7). (#​2999)

• Updated dependencies [bee0b0828b4fb6a1d3172ac330560e2ab6c046bb]:

  • @​apollo/federation-internals@​2.7.7

v2.7.6

Compare Source

Patch Changes

• Updated dependencies []:
  • @​apollo/federation-internals@​2.7.6

v2.7.5

Compare Source

Patch Changes

• Updated dependencies []:
  • @​apollo/federation-internals@​2.7.5

v2.7.4

Compare Source

Patch Changes

• Updated dependencies [d80b7f0ca1456567a0866a32d2b2abf940598f77]:
  • @​apollo/federation-internals@​2.7.4

v2.7.3

Compare Source

Patch Changes

• Updated dependencies [ec04c50b4fb832bfd281ecf9c0c2dd7656431b96, a494631918156f0431ceace74281c076cf1d5d51]:
  • @​apollo/federation-internals@​2.7.3

v2.7.2

Compare Source

Patch Changes

• Updated dependencies [33b937b18d3c7ca6af14b904696b536399e597d1, 09cd3e55e810ee513127b7440f5b11af7540c9b0, d7189a86c27891af408d3d0184db6133d3342967]:
  • @​apollo/federation-internals@​2.7.2

v2.7.1

Compare Source

Patch Changes

• Updated dependencies [493f5acd16ad92adf99c963659cd40dc5eac1219]:
  • @​apollo/federation-internals@​2.7.1

v2.7.0

Compare Source

Minor Changes

• Implement progressive @override functionality (#​2911)

  The progressive @override feature brings a new argument to the @override directive: label: String. When a label is added to an @override application, the override becomes conditional, depending on parameters provided to the query planner (a set of which labels should be overridden). Note that this feature will be supported in router for enterprise users only.

  Out-of-the-box, the router will support a percentage-based use case for progressive @override. For example:

  type Query {
    hello: String @​override(from: "original", label: "percent(5)")
  }

  The above example will override the root hello field from the "original" subgraph 5% of the time.

  More complex use cases will be supported by the router via the use of coprocessors/rhai to resolve arbitrary labels to true/false values (i.e. via a feature flag service).

Patch Changes

• Updated dependencies [6ae42942b13dccd246ccc994faa2cb36cd62cb3c, 66833fb8d04c9376f6ed476fed6b1ca237f477b7, 931f87c6766c7439936df706727cbdc0cd6bcfd8]:
  • @​apollo/federation-internals@​2.7.0

v2.6.3

Compare Source

Patch Changes

• Updated dependencies []:
  • @​apollo/federation-internals@​2.6.3

v2.6.2

Compare Source

Patch Changes

• Updated dependencies [7b5b836d15247c997712a47847f603aa5887312e, 74ca7dd617927a20d79b824851f7651ef3c40a4e]:
  • @​apollo/federation-internals@​2.6.2

v2.6.1

Compare Source

Patch Changes

• Updated dependencies [0d5ab01a]:
  • @​apollo/federation-internals@​2.6.1

v2.6.0

Compare Source

Patch Changes

• Updated dependencies [b18841be, [e325b499](https://redirect.github.com/apollographql/feder

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[kamilmysliwiec]

apollographql/federation#2375

[erikwrede]

@kamilmysliwiec this PR is not a full depdendency upgrade as it still uses the old deprecated & replaced apollo-link-ws lib and deprecated test classes. Please reconsider using my PR (#2916) or merging it into this instead. I made sure to include the new libraries recommended by apollo.

[MrChrisRodriguez]

@kamilmysliwiec is there anything anyone can do to help get this across the finish line?

[sutt0n]

@kamilmysliwiec apollographql/federation#2375 (comment)

It seems there can be some kind of workaround here... Although, I would suspect this may introduce a breaking change to this repo. 🤔