chore(deps): update apollo graphql packages #454

Open
renovate[bot] wants to merge 1 commit into main from renovate/apollo-graphql-packages

renovate bot commented Dec 8, 2025

This PR contains the following updates:

Package                      Change
@apollo/server (source)      5.2.0 → 5.5.0
@apollo/subgraph (source)    2.12.1 → 2.13.3

Release Notes

apollographql/apollo-server (@​apollo/server)

v5.5.0

Minor Changes
  • #​8191 ada1200 Thanks @​glasser! - ⚠️ SECURITY @apollo/server/standalone:

    Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

    (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

    This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

    If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

    This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

    See advisory GHSA-9q82-xgwf-vj6h for more details.

v5.4.0

Minor Changes
  • d25a5bd Thanks @​phryneas! - ⚠️ SECURITY @apollo/server/standalone:

    The default configuration of startStandaloneServer was vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings.

    In accordance with RFC 7159, we now only accept request bodies encoded in UTF-8, UTF-16 (LE or BE), or UTF-32 (LE or BE).
    Any other character set will be rejected with a 415 Unsupported Media Type error.
    Note that the more recent JSON RFC, RFC 8259, is more strict and will only allow UTF-8.
    Since this is a minor release, we have chosen to remain compatible with the more permissive RFC 7159 for now.
    In a future major release, we may tighten this restriction further to only allow UTF-8.

    If you were not using startStandaloneServer, you were not affected by this vulnerability.

    Generally, please note that we provide startStandaloneServer as a convenience tool for quickly getting started with Apollo Server.
    For production deployments, we recommend using Apollo Server with a more fully-featured web server framework such as Express, Koa, or Fastify, where you have more control over security-related configuration options.

v5.3.0

Minor Changes
  • #​8062 8e54e58 Thanks @​cristunaranjo! - Allow configuration of graphql execution options (maxCoercionErrors)

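    import { ApolloServer } from '@apollo/server';

    // typeDefs and resolvers are the application's schema and resolver map.
    const server = new ApolloServer({
      typeDefs,
      resolvers,
      executionOptions: {
        // graphql execution option exposed by this release.
        maxCoercionErrors: 50,
      },
    });

  • #​8014 26320bc Thanks @​mo4islona! - Expose graphql validation options.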

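    import { ApolloServer } from '@apollo/server';

    // typeDefs and resolvers are the application's schema and resolver map.
    const server = new ApolloServer({
      typeDefs,
      resolvers,
      validationOptions: {
        // graphql validation option exposed by this release.
        maxErrors: 10,
      },
    });

apollographql/federation (@​apollo/subgraph)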

v2.13.3

Patch Changes

v2.13.2

Patch Changes

v2.13.1

Patch Changes

v2.13.0

Minor Changes
  • Drop Node.js 14/16 support, require Node.js 18+ (#​3364)

Patch Changes

v2.12.3

Patch Changes

v2.12.2

Patch Changes

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
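
The header rules quoted in the v5.5.0 and v5.4.0 release notes above, as an added example that is not part of this PR or of Apollo Server's code: it classifies requests so that clients which would start receiving 415 can be found before the upgrade is merged. The function names, the sample requests, the charset label spellings and the UTF-8 default for a missing charset parameter are assumptions; only the two rules described in the notes are modelled.

```javascript
// Added example, not Apollo Server's code: models the header rules quoted in
// the v5.5.0 and v5.4.0 notes. Charset label spellings are an assumption.
const ALLOWED_CHARSETS = new Set([
  'utf-8', 'utf-16', 'utf-16le', 'utf-16be', 'utf-32', 'utf-32le', 'utf-32be',
]);

// Split "type/subtype; key=value" into a lowercased media type and charset.
function parseContentType(value) {
  const [type, ...params] = value.split(';').map((part) => part.trim());
  let charset = 'utf-8'; // assumed default when no charset parameter is sent
  for (const param of params) {
    const [key, raw = ''] = param.split('=');
    if (key.trim().toLowerCase() === 'charset') {
      charset = raw.trim().replace(/^"|"$/g, '').toLowerCase();
    }
  }
  return { type: type.toLowerCase(), charset };
}

// Returns '415', 'needs-csrf-header' or 'pass' for one request.
function classify(method, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const ct = h['content-type'] ? parseContentType(h['content-type']) : null;
  if (method === 'GET') {
    if (ct && ct.type !== 'application/json') return '415'; // v5.5.0 rule
    const marked = h['x-apollo-operation-name'] || h['apollo-require-preflight'];
    // application/json is not CORS-safelisted, so a browser must preflight it.
    return ct || marked ? 'pass' : 'needs-csrf-header';
  }
  // v5.4.0 rule (startStandaloneServer): only the listed Unicode charsets.
  return ct && !ALLOWED_CHARSETS.has(ct.charset) ? '415' : 'pass';
}

// Constructed sample requests, as they might be recovered from access logs.
const SAMPLE = [
  { id: 'a', method: 'GET', headers: { 'Content-Type': 'text/plain' } },
  { id: 'b', method: 'GET', headers: { 'Content-Type': 'application/json; charset=utf-8' } },
  { id: 'c', method: 'GET', headers: {} },
  { id: 'd', method: 'GET', headers: { 'Apollo-Require-Preflight': 'true' } },
  { id: 'e', method: 'POST', headers: { 'Content-Type': 'application/json; charset=iso-8859-1' } },
  { id: 'f', method: 'POST', headers: { 'Content-Type': 'application/json' } },
];

// Ids of requests that would be answered with 415 after the upgrade.
function rejectedIds(requests) {
  return requests.filter((r) => classify(r.method, r.headers) === '415').map((r) => r.id);
}
console.log(rejectedIds(SAMPLE));
```

Feeding it the method and headers of real logged requests shows which existing clients the backwards-incompatible change in v5.5.0 would affect.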

renovate bot enabled auto-merge (squash) December 8, 2025 22:52
renovate bot force-pushed the renovate/apollo-graphql-packages branch from df2a2ab to 027809a January 20, 2026 22:13
renovate bot changed the title from "chore(deps): update dependency @apollo/subgraph to v2.12.2" to "chore(deps): update dependency @apollo/subgraph to v2.13.0" Jan 20, 2026
renovate bot force-pushed the renovate/apollo-graphql-packages branch from 027809a to 6a258f1 January 21, 2026 12:29
renovate bot changed the title from "chore(deps): update dependency @apollo/subgraph to v2.13.0" to "chore(deps): update apollo graphql packages" Jan 21, 2026
renovate bot force-pushed the renovate/apollo-graphql-packages branch from 6a258f1 to b5ff7e7 February 4, 2026 12:49
renovate bot force-pushed the renovate/apollo-graphql-packages branch 2 times, most recently from 481e0f3 to 42eefe2 February 17, 2026 21:42
renovate bot force-pushed the renovate/apollo-graphql-packages branch from 42eefe2 to 38174e5 February 19, 2026 20:32
renovate bot force-pushed the renovate/apollo-graphql-packages branch 2 times, most recently from 48d08bb to f1fe40b March 19, 2026 21:30
renovate bot force-pushed the renovate/apollo-graphql-packages branch from f1fe40b to 33a5f5c March 31, 2026 08:02
renovate bot force-pushed the renovate/apollo-graphql-packages branch from 33a5f5c to 97a7fd2 April 8, 2026 20:42