chore(deps): update dependency apollographql/apollo-mcp-server to v1.10.0 #82

Merged
renovate[bot] merged 1 commit into main from renovate/apollographql-apollo-mcp-server-1.x
Mar 21, 2026

@renovate renovate bot commented Mar 21, 2026

This PR contains the following updates:

Package | Update | Change
apollographql/apollo-mcp-server | minor | 1.9.0 → 1.10.0

Release Notes

apollographql/apollo-mcp-server (apollographql/apollo-mcp-server)

v1.10.0: 1.10.0 (2026-03-19)

Features

Add allow_anonymous_mcp_discovery setting to allow unauthenticated access to MCP discovery methods (e.g. tools/list) when OAuth is enabled

Example:

transport:
  auth:
    allow_anonymous_mcp_discovery: true

Add discovery_headers option to auth config

Add discovery_headers option to auth config for attaching custom headers to OIDC discovery and JWKS requests. This is useful when upstream OAuth servers or WAFs require headers like User-Agent.

transport:
  type: streamable_http
  auth:
    servers:
      - https://auth.example.com
    resource: https://mcp.example.com
    scopes:
      - read
    discovery_headers:
      User-Agent: apollo-mcp-server

New Rhai-based extensibility

With this release, we're introducing our first extensibility to the MCP Server. This utilizes Rhai as the script engine and allows you to hook into the MCP Server lifecycle.

For this release, we've introduced a single lifecycle hook:

fn on_execute_graphql_operation(context) {
    // Hook body: runs when the server executes a GraphQL operation
}

From within this hook you can do a number of things including:

  • Logging with print/debug
  • Get/set the GraphQL endpoint with context.endpoint
  • Get info about the incoming request with context.incoming_request.headers["authorization"]
  • Get environment variables with Env::get("MY_VARIABLE")
  • SHA-256 hashes using Sha256::digest("my string")
  • Get/set outgoing headers using context.headers["x-my-header"] = "hello"
  • End requests early like throw #{ code: ErrorCode::INVALID_REQUEST, message: "I ended!" }
  • JSON with JSON::stringify(obj) and JSON::parse(json_string)
  • Regex operations like Regex::is_match("hello world", "hello"); and Regex::replace("foo bar foo", "foo", "baz"); and Regex::matches("abc 123 def 456", "\\d+");

We've got more hooks and functions that we're looking at introducing (e.g. on_startup hook, Http::get() method) but we'd love to hear feedback on what you'd like to see made available!

Implement Step-up Authorization Flow

Implements the step-up authorization flow from the MCP specification: when a client presents a valid token that lacks the scopes required for a specific operation, the server responds with HTTP 403 and a WWW-Authenticate: Bearer error="insufficient_scope", scope="..." header. The client can use this signal to re-authorize with elevated scopes and retry the request.

Fixes

Fix OTLP HTTP exporter failing to connect to HTTPS endpoints

When the workspace upgraded from reqwest 0.12 to 0.13, Cargo feature unification stopped applying the workspace's TLS features to the reqwest 0.12 still used internally by opentelemetry-otlp. This left the OTLP HTTP exporter's reqwest client with no TLS backend, causing "invalid URL, scheme is not http" errors when exporting to any https:// telemetry endpoint (e.g. Langfuse, New Relic). Adding the reqwest-rustls feature to opentelemetry-otlp restores TLS support for the internal reqwest 0.12 client.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot enabled auto-merge (squash) March 21, 2026 01:36
@renovate renovate bot merged commit 0c55714 into main Mar 21, 2026
2 checks passed
@renovate renovate bot deleted the renovate/apollographql-apollo-mcp-server-1.x branch March 21, 2026 01:40
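
The step-up authorization exchange described in the release notes above, sketched from both sides as an added example; it is not code from apollo-mcp-server or from this PR. The function names, the client-side `allowed` scope allowlist, and the assumption that the `scope` parameter lists the scopes the operation requires are all illustrative choices.

```python
import re

# key="quoted value" or key=token auth-params of a challenge (RFC 9110, 11.2)
_PARAM = re.compile(r'([A-Za-z_][\w-]*)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')


def challenge_for(token_scopes, required_scopes):
    """Server side: None if the token suffices, else (status, headers)."""
    if set(required_scopes) <= set(token_scopes):
        return None
    scope = " ".join(sorted(required_scopes))
    value = f'Bearer error="insufficient_scope", scope="{scope}"'
    return 403, {"WWW-Authenticate": value}


def parse_bearer_challenge(value):
    """Client side: auth-params of a Bearer challenge as a dict, or None."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    params = {}
    for m in _PARAM.finditer(rest):
        raw = m.group(2) if m.group(2) is not None else m.group(3)
        params[m.group(1).lower()] = re.sub(r"\\(.)", r"\1", raw)
    return params


def step_up_scopes(status, headers, granted, allowed):
    """Scopes to request when re-authorizing, or None if no step-up applies."""
    if status != 403:
        return None
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    params = parse_bearer_challenge(hdrs.get("www-authenticate", ""))
    if not params or params.get("error") != "insufficient_scope":
        return None
    wanted = set(params.get("scope", "").split())
    if not wanted or wanted <= set(granted):
        return None  # nothing new to request: re-authorizing would just loop
    if not wanted <= set(allowed):
        return None  # challenge asks for scopes this client must never request
    return sorted(set(granted) | wanted)
```

The allowlist check keeps a server response from steering the client into requesting scopes its operator never approved, and the "nothing new" check stops a retry loop when re-authorization cannot change the outcome.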