release: v2.12.0 #8895

Merged
abernix merged 64 commits into main from 2.12.0
Feb 24, 2026
abernix commented Feb 18, 2026

Note
This particular PR must be true-merged to main.

  • This PR is only ready to review when it is marked as "Ready for Review". It represents the merge to the main branch of an upcoming release (version number in the title).
  • It will act as a staging branch until we are ready to finalize the release.
  • We may cut any number of alpha and release candidate (RC) versions off this branch prior to formalizing it.
  • This PR is primarily a merge commit, so reviewing every individual commit shown below is not necessary since those have been reviewed in their own PR. However, things important to review on this PR once it's marked "Ready for Review":
    • Does this PR target the right branch? (should be main)
    • Are the appropriate version bumps and release note edits at the end of the commit list (or within the last few commits)? In other words, "Did the 'release prep' PR actually land on this branch?"
    • If those things look good, this PR is good to merge!

aaronArinder and others added 30 commits January 22, 2026 15:15
Co-authored-by: Jesse Rosenberger <git@jro.cc>
…ient` are added to http_request span instead of subgraph_request (#8798)
Co-authored-by: Gigi Sayfan <the.gigi@gmail.com>
Co-authored-by: Coenen Benjamin <benjamin.coenen@hotmail.com>
EOL of serverless plans remains Feb. 1, but a grace period until Feb. 15 has been implemented. This change clarifies the language of the discontinuation notice.
Current merge policies for `@authenticated`, `@requiresScopes` and `@policy` were inconsistent.

If a single subgraph declared a field with one of the directives then it would restrict access to this supergraph field regardless of which subgraph would resolve this field (results in AND rule for any applied auth directive, i.e. `@authenticated` AND `@policy` is required to access this field). If the same auth directive (`@requiresScopes`/`@policy`) were applied across the subgraphs then the resulting supergraph field could be resolved by fulfilling either one of the subgraph requirements (resulting in OR rule, i.e. either `@policy` 1 or `@policy` 2 has to be true to access the field). While arguably this allowed for easier schema evolution, it did result in weakening the security requirements.

Since `@policy` and `@requiresScopes` values represent boolean conditions in Disjunctive Normal Form, we can merge them conjunctively to get the final auth requirements, i.e.

```graphql
type T @authenticated {
  # requires scopes (A1 AND A2) OR A3
  secret: String @requiresScopes(scopes: [["A1", "A2"], ["A3"]])
}

type T {
  # requires scopes B1 OR B2
  secret: String @requiresScopes(scopes: [["B1"], ["B2"]])
}

type T @authenticated {
  secret: String @requiresScopes(
    scopes: [
      ["A1", "A2", "B1"],
      ["A1", "A2", "B2"],
      ["A3", "B1"],
      ["A3", "B2"]
    ])
}
```

This algorithm also deduplicates redundant requirements, e.g.

```graphql
type T {
  # requires A1 AND A2 scopes to access
  secret: String @requiresScopes(scopes: [["A1", "A2"]])
}

type T {
  # requires only A1 scope to access
  secret: String @requiresScopes(scopes: [["A1"]])
}

type T {
  # requires only A1 scope to access as A2 is redundant
  secret: String @requiresScopes(scopes: [["A1"]])
}
```

Partial backport of apollographql/federation#3321 and apollographql/federation#3343


Co-authored-by: Sachin D. Shinde <sachin@apollographql.com>
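
The conjunctive DNF merge described in this commit message, sketched in Rust as an added example (not the router's or federation's implementation). `dnf`, `minimize` and `merge_and` are hypothetical names, an empty list is assumed to mean the subgraph applies no `@requiresScopes`, and `@authenticated` is left out.

```rust
use std::collections::BTreeSet;

// One AND-group of scopes; a requirement is an OR over such groups (DNF).
type Clause = BTreeSet<String>;

// Helper for building the constructed sample data.
fn dnf(groups: &[&[&str]]) -> Vec<Clause> {
    groups.iter().map(|g| g.iter().map(|s| s.to_string()).collect()).collect()
}

// Drop duplicates and any clause that contains another clause
// (absorption: X OR (X AND Y) == X). BTreeSet keeps the output sorted.
fn minimize(clauses: Vec<Clause>) -> Vec<Clause> {
    let unique: BTreeSet<Clause> = clauses.into_iter().collect();
    unique
        .iter()
        .filter(|&c| !unique.iter().any(|o| o != c && o.is_subset(c)))
        .cloned()
        .collect()
}

// (a1 OR a2 ..) AND (b1 OR b2 ..) distributes into the OR of every union ai+bj.
// Assumption: an empty list means "no directive in this subgraph".
fn merge_and(a: &[Clause], b: &[Clause]) -> Vec<Clause> {
    if a.is_empty() || b.is_empty() {
        return minimize(a.iter().chain(b).cloned().collect());
    }
    let mut product = Vec::new();
    for x in a {
        for y in b {
            product.push(x.union(y).cloned().collect::<Clause>());
        }
    }
    minimize(product)
}

fn main() {
    // Constructed input: the two subgraph requirements from the first schema above.
    let a = dnf(&[&["A1", "A2"], &["A3"]]);
    let b = dnf(&[&["B1"], &["B2"]]);
    for clause in merge_and(&a, &b) {
        println!("{:?}", clause);
    }
}
```

In this sketch a clause is dropped only when another clause is a subset of it, so merging `[["A1"], ["A2"]]` with `[["A1"]]` reduces to `[["A1"]]`, while merging `[["A1", "A2"]]` with `[["A1"]]` gives `[["A1", "A2"]]`.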
…satisfiability errors (#8847)

This PR updates satisfiability error messaging to align more with JS code to facilitate validation. Specifically, this PR updates witness operation generation logic to include optional arguments.

Restricts usage of `@authenticated`, `@policy` and `@requiresScopes` from being applied on interfaces, interface objects and their fields.

GraphQL spec currently does not define any interface inheritance rules and developers have to explicitly redefine all interface fields on their implementations. At runtime, GraphQL servers cannot return abstract types and always return concrete output types. Due to the above, applying auth directives on the interfaces may lead to unexpected runtime behavior as they won't have any effect at runtime.

Backport of apollographql/federation@faea2d1
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: abernix <841294+abernix@users.noreply.github.com>
Co-authored-by: Jesse Rosenberger <git@jro.cc>
Co-authored-by: Parker <parker.ragland@apollographql.com>
…ollo-rust-builder docker tag to v0.28.0 (#8691)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Correct validation to include validation of object fields and nested objects.
rohan-b99 and others added 11 commits February 12, 2026 10:02
Co-authored-by: Parker <parker.ragland@apollographql.com>
Adds new `validate_transitive_access_control_requirements_in_the_supergraph` post-merge validation check to ensure that all fields that depend on data from other parts of the supergraph through `@requires` and/or `@fromContext` directives explicitly specify matching `@authenticated`, `@requiresScopes` and/or `@policy` auth requirements, e.g.

```graphql
type T @key(fields: "id") {
  id: ID!
  extra: String @external
  # we need explicit @authenticated as it is needed to access extra
  requiresExtra: String @requires(fields: "extra") @authenticated
}

type T @key(fields: "id") {
  id: ID!
  extra: String @authenticated
}
```

Port of apollographql/federation@99f2da2
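
A simplified sketch of the kind of check this commit message describes, added here as an example and not the router's or federation's code. The `Field` model, `covers`, `find_violations` and `sample` are hypothetical, and it assumes "matching" means the requiring field is at least as strict as each field it depends on; it also goes beyond the schema above by handling `@requiresScopes` values in DNF.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Hypothetical, simplified model of one field in the merged supergraph.
#[derive(Default)]
struct Field {
    authenticated: bool,
    scopes: Vec<BTreeSet<String>>, // DNF: OR of AND-groups; empty = no directive
    requires: Vec<String>,         // fields named by @requires / @fromContext
}

// True when any caller allowed to read `outer` may also read `inner`: each
// AND-group of `outer` must contain a complete AND-group of `inner`.
fn covers(outer: &Field, inner: &Field) -> bool {
    if inner.authenticated && !outer.authenticated {
        return false;
    }
    if inner.scopes.is_empty() {
        return true;
    }
    !outer.scopes.is_empty()
        && outer.scopes.iter().all(|o| inner.scopes.iter().any(|i| i.is_subset(o)))
}

// List "field -> dependency" pairs where the dependency is more protected.
fn find_violations(fields: &BTreeMap<String, Field>) -> Vec<String> {
    let mut out = Vec::new();
    for (name, field) in fields {
        for dep in field.requires.iter().filter(|d| fields.contains_key(*d)) {
            if !covers(field, &fields[dep]) {
                out.push(format!("{} -> {}", name, dep));
            }
        }
    }
    out
}

// Constructed sample mirroring the schema above; `explicit` toggles the
// @authenticated on T.requiresExtra.
fn sample(explicit: bool) -> BTreeMap<String, Field> {
    let mut m = BTreeMap::new();
    m.insert("T.extra".to_string(), Field { authenticated: true, ..Default::default() });
    let requires = vec!["T.extra".to_string()];
    m.insert("T.requiresExtra".to_string(), Field { authenticated: explicit, requires, ..Default::default() });
    m
}

fn main() {
    println!("{:?}", find_violations(&sample(false)));
}
```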

Co-authored-by: Shane Myrick <shane@apollographql.com>
Co-authored-by: Jesse Rosenberger <git@jro.cc>
Co-authored-by: Shane Myrick <mail@shanemyrick.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: phryneas <4282439+phryneas@users.noreply.github.com>
Co-authored-by: Jesse Rosenberger <git@jro.cc>
…8389) (#8825)

Co-authored-by: Jon Christiansen <467023+theJC@users.noreply.github.com>
Co-authored-by: Aaron Arinder <aaronarinder@gmail.com>
Co-authored-by: Danielle Mallare <dmallare7@gmail.com>
Co-authored-by: Jeffrey Burt <jeffrey.m.burt@gmail.com>
Co-authored-by: Jesse Rosenberger <git@jro.cc>
Co-authored-by: rohan-b99 <43239788+rohan-b99@users.noreply.github.com>
Co-authored-by: Caroline Rodewig <16093297+carodewig@users.noreply.github.com>
Co-authored-by: Chidimma O <conwuegb@users.noreply.github.com>
apollo-librarian bot commented Feb 18, 2026

✅ Docs preview ready

The preview is ready to be viewed.

File Changes

0 new, 3 changed, 1 removed
* graphos/routing/(latest)/observability/router-telemetry-otel/enabling-telemetry/selectors.mdx
* graphos/routing/(latest)/observability/router-telemetry-otel/enabling-telemetry/spans.mdx
* graphos/routing/(latest)/_sidebar.yaml
- graphos/routing/(latest)/performance/circuit-breaking.mdx

Build ID: ae0fb6a61bf541640c1ad76b

URL: https://www.apollographql.com/docs/deploy-preview/ae0fb6a61bf541640c1ad76b


⚠️ AI Style Review — 117 Issues Found

Summary

The documentation updates focus on aligning content with the style guide across several key areas: framing content around the reader's perspective by using second-person pronouns ("your", "you") and imperative verbs for instructions; adopting an authoritative, opinionated voice that prescribes "happy paths" and recommended configurations; and refining product and feature terminology by removing unnecessary articles before standalone names like "Apollo Router" and "coprocessor". Structural improvements include ensuring proper spacing around admonitions, consistently applying sentence case to headings, and using hyphens for unordered lists. Language was modernized for inclusivity (e.g., "allowlisting") and clarity, with technical formatting updates to use code font for environment variables, metrics, and symbols while maintaining plain text for version numbers. Additionally, grammatical refinements were made to enforce the Oxford comma, prefer active voice and present tense, and utilize common contractions for a more helpful, less robotic tone.

Duration: 5374ms

This review is AI-generated. Please use common sense when accepting these suggestions, as they may not always be accurate or appropriate for your specific context.

…8888)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: phryneas <4282439+phryneas@users.noreply.github.com>
abernix and others added 8 commits February 18, 2026 12:38
Using:

    claude "Apply editorial to ALL files in @./.changesets/. Ensure they match recent patterns in @./CHANGELOG.md AND that they are in compliance with the @./.github/instructions/local-only-Writing\ Style\ Guide.instructions.md , particularly the section about changesets.  In general, style guide is more important than previous changelogs when considering edits."
abernix marked this pull request as ready for review February 24, 2026 12:57
abernix requested a review from a team as a code owner February 24, 2026 12:57
abernix enabled auto-merge February 24, 2026 14:36
abernix disabled auto-merge February 24, 2026 14:36
abernix merged commit 48e385f into main Feb 24, 2026
15 checks passed
abernix deleted the 2.12.0 branch February 24, 2026 14:36