fix(deps): update dependency apollo-server-express to v3

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
apollo-server-express	2.25.2 -> 3.5.0

---

Release Notes

apollographql/apollo-server

v3.5.0

Compare Source

• Apollo Server now supports graphql@16. (There is a very small backwards incompatibility: ApolloError.originalError can no longer be null, matching the type of GraphQLError.originalError. Use undefined instead. If this causes challenges, let us know and we can try to adapt.) PR #​5857
  - apollo-server-core: Fix build error when building with @rollup/plugin-commonjs. PR #​5797
• apollo-server-plugin-response-cache: Add missing dependency on apollo-server-types (broken since v3.0.0). Issue #​5804 PR #​5816
• apollo-server-core: The default landing page plugins now take document, variables, and headers arguments which fill in default values if you click through to Explorer. PR #​5711
• apollo-server-core: Support for HTTP request batching can now be disabled by passing allowBatchedHttpRequests: false to new ApolloServer. PR #​5778 Issue #​5686

v3.4.1

Compare Source

• ⚠️ SECURITY apollo-server-core: Update default version of the GraphQL Playground React app loaded from the CDN to be @apollographql/graphql-playground-react@1.7.42. This patches an XSS vulnerability. Note that if you are pinning the Playground React app version in your app with new ApolloServer({plugins: [ApolloServerPluginLandingPageGraphQLPlayground({version: 'some version'})]}), you will need to update the specified version to 1.7.42 or later to avoid this vulnerability. If you do not explicitly enable GraphQL Playground via the ApolloServerPluginLandingPageGraphQLPlayground plugin, this vulnerability does not affect you. See advisory GHSA-qm7x-rc44-rrqw for more details.

v3.4.0

Compare Source

• apollo-server-core: You can now specify your own DocumentStore (a KeyValueStore<DocumentNode>) for Apollo Server's cache of parsed and validated GraphQL operation abstract syntax trees via the new documentStore constructor option. This replaces the experimental_approximateDocumentStoreMiB option. You can replace new ApolloServer({experimental_approximateDocumentStoreMiB: approximateDocumentStoreMiB, ...moreOptions}) with:

  import { InMemoryLRUCache } from 'apollo-server-caching';
  import type { DocumentNode } from 'graphql';
  new ApolloServer({
    documentStore: new InMemoryLRUCache<DocumentNode>({
      maxSize: Math.pow(2, 20) * approximateDocumentStoreMiB,
      sizeCalculator: InMemoryLRUCache.jsonBytesSizeCalculator,
    }),
    ...moreOptions,
  })

  PR #​5644 Issue #​5634
• apollo-server-core: For ease of testing, you can specify the node environment via new ApolloServer({nodeEnv}) in addition to via the NODE_ENV environment variable. The environment variable is now only read during server startup (and in some error cases) rather than on every request. PR #​5657
• apollo-server-koa: The peer dependency on koa (added in v3.0.0) should be a ^ range dependency rather than depending on exactly one version, and it should not be automatically increased when new versions of koa are released. PR #​5759
• apollo-server-fastify: Export ApolloServerFastifyConfig and FastifyContext TypeScript types. PR #​5743
• apollo-server-core: Only generate the schema hash once on startup rather than twice. PR #​5757
• apollo-datasource-rest@3.3.0: When choosing whether or not to parse a response as JSON, treat any content-type ending in +json as JSON rather than just application/hal+json (in addition to application/json). PR #​5737
• apollo-server: You can now configure the health check URL path with the healthCheckPath constructor option, or disable serving health checks by passing null for this option. (This option is specific to the batteries-included apollo-server package; if you're using a framework integration package and want to serve a health check at a different path, just use your web framework directly.) PR #​5270 Issue #​3577
• apollo-server-azure-functions: This package now supports health checks like all of the other supported Apollo Server packages; they are on by default and can be customized with disableHealthCheck and onHealthCheck. [PR #​5003](https://github.com/apollographql/apollo-server/pull/50033) Issue #​4925
• Tests are no longer distributed inside published npm modules. PR #​5799 Issue #​5781

v3.3.0

Compare Source

• apollo-server-core: Error handling when a serverWillStop callback invoked by server.stop() (or gateway.stop()) throws is now consistent: the original call to server.stop() throws the error, and any concurrent and subsequent calls to server.stop() throw the same error. Prior to Apollo Server v2.22.0, the original call threw the error and the behavior of concurrent and subsequent calls was undefined (in practice, it would call shutdown handlers a second time). Apollo Server v2.22.0 intended to put these semantics into place where all three kinds of calls would throw, but due to bugs, the original call would return without error and concurrent calls would hang. (Subsequent calls would correctly throw the error.) In addition, errors thrown by the drainServer hook introduced in Apollo Server v3.2.0 are now handled in the same way. Issue #​5649 PR #​5653

v3.2.0

Compare Source

If you're using apollo-server-express or another framework integration, we highly recommend that you enable the new graceful shutdown feature after upgrading to 3.2.0. See the docs for ApolloServerPluginDrainHttpServer or the basic usage for your integration of choice.

• apollo-server-core: Previously, only the batteries-included apollo-server package supported a graceful shutdown. Now the integrations support it as well, if you tell your ApolloServer which HTTP server to drain with the new ApolloServerPluginDrainHttpServer plugin. This plugin implements a new drainServer plugin hook. For apollo-server-hapi you can use ApolloServerPluginStopHapiServer instead. PR #​5635
• apollo-server-core: Fix experimental_approximateDocumentStoreMiB option, which seems to have never worked before. PR #​5629
• apollo-server-core: Only register SIGINT and SIGTERM handlers once the server successfully starts up; trying to call stop on a server that hasn't successfully started had undefined behavior. By default, don't register the handlers in serverless integrations, which don't have the same lifecycle as non-serverless integrations (eg, there's no explicit start call); you can still explicitly set stopOnTerminationSignals to override this default. PR #​5639

v3.1.2

Compare Source

• apollo-server-core: Update versions of @graphql-tools/schema and @graphql-tools/utils from v7 to v8. While there is no change in behavior in these versions, a recently-released version of @graphql-tools/mock depends on them, and so without this change, you tpyically end up with two copies of them installed.

v3.1.1

Compare Source

• apollo-server-env: Update Headers.values() type to match what node-fetch actually does and what the Fetch spec says it should be, and what @types/node-fetch finally gets correct. PR #​5537

v3.1.0

Compare Source

• apollo-server-core: If a client does not provide a value or provides null for a variable declared to be non-null, this is now reported as an error with an extensions.code of BAD_USER_INPUT rather than INTERNAL_SERVER_ERROR. (This is similar to a change we made in v2.23.0 for variables that are sent as the wrong type.) PR #​5508 Issue #​5353
• apollo-server-core/apollo-server-plugin-base: Add support for schemaDidLoadOrUpdate event hooks, to be specified by the serverWillStart event hook. Plugins listening for this event will receive the API schema (and core schema for gateways) when the server's schema is initially loaded and when the server's schema is updated. For more information about this plugin event, see the plugin event reference documentation. PR #​5187
• apollo-server-core: Add support for schema reporting when using Apollo Gateway. At the time of this package's release, Apollo Studio does not yet support schema reporting from gateways, so you should not use this feature yet for gateways (unless instructed otherwise by Apollo staff or by the Studio docs). If you do enable schema reporting for a gateway, the version of @apollo/gateway must be at least 0.35.0 , or else start() will error. PR #​5187
• apollo-server-core: Support gateways without executors, to help with mocking gateways. Note that if you have a custom GatewayInterface implementation, Apollo Server will now honor the executor returned from load and will ignore the executor method on the gateway itself. See the PR for details. PR #​5539
• apollo-server-plugin-response-cache, apollo-server-plugin-operation-registry: Change how the default export from the package is set up to fix errors with some build tools. PR #​5542

v3.0.2

Compare Source

• apollo-server-types: TypeScript typings for info.cacheControl are now added to GraphQLResolveInfo as part of apollo-server-types rather than a nested file in apollo-server-core, and the field now has a named type, ResolveInfoCacheControl. PR #​5512
• apollo-server-micro: Like the other framework integrations, only serve landing pages from the GraphQL path (/graphql by default, configurable via the path option to createHandler). PR #​5516
• apollo-server-env: Remove polyfills of Object.values, Object.entries, and util.promisify which were only required for Node 6 support. Remove ValueOrPromise and WithRequired TypeScript types that are also provided by apollo-server-types. PR #​5515

v3.0.1

Compare Source

• apollo-server-core: The default maxAge (which defaults to 0) for a field should only be applied if no dynamic cache control hint is set. Specifically, if you call the (new in 3.0.0) function info.cacheControl.cacheHint.restrict({ maxAge: 60 }), it should set maxAge to 60 even if the default max age is lower. (This bug fix is the behavior that was intended for 3.0.0, and primarily affects the behavior of functions added in Apollo Server 3. This does mean that checking info.cacheControl.cacheHint now only shows explicitly-set maxAge and not the default, but this seems like it will be helpful since it lets you differentiate between the two similar circumstances.) PR #​5492
• apollo-server-lambda: Fix TypeScript types for context function. (In 3.0.0, the TS types for the context function were accidentally inherited from apollo-server-express instead of using the correct Lambda-specific types). PR #​5481
• apollo-server-lambda, apollo-server-cloud-functions: Make the default URL path for handling GraphQL be / (ie, handle all requests). This is similar to how these packages work in Apollo Server 2. After this change, apollo-server and the serverless integrations have a default URL path of / (or ignore the path entirely, in the case of apollo-server-azure-functions), and the framework integrations have a default URL path of /graphql. This is a backwards-incompatible change from 3.0.1 but minimizes the changes from Apollo Server 2 (and this AS3 change was not intended or documented). PR #​5497 Issue #​5462

v3.0.0

Compare Source

BREAKING CHANGES

Apollo Server 3 contains quite a few breaking changes. Read our migration guide for more details on how to update your app.

Bumped dependencies

The minimum versions of these dependencies have been bumped to provide an improved foundation for the development of future features.

• Dropped support for Node.js v6, v8 and v10. Apollo Server 3.x is being compiled to ES2020, which maps to Node.js 12+.
  • Note also that we only test Apollo Server on even-numbered versions of Node.js, and we only aim to support Node.js versions that are under long-term support from the Node.js Foundation.
• Dropped support for versions of the graphql library prior to 15.3.0.
• The mocks option of the ApolloServer constructor now uses @graphql-tools/mock v7 instead of graphql-tools v4, which causes some breaking changes.
  • For example, mock functions no longer receive arguments and cannot return Promises.
  • Note that some parts of the v7 migration guide suggest using the resolvers argument to addMocksToSchema. Apollo Server does not support this option, but you can call addMocksToSchema yourself and pass the result to the schema option of the ApolloServer constructor.

Removed functionality

Certain undersupported and underused Apollo Server features have been removed in favor of current or future methods for achieving similar functionality. Many of these features can be manually re-enabled, as listed below.

• Dropped built-in partial support for subscriptions via the subscriptions-transport-ws package.

  • This integration did not support many Apollo Server features, and subscriptions-transport-ws has not been actively maintained.
  • To re-enable subscriptions in Apollo Server 3 as they're supported in v2, see the migration guide.
  • We hope to provide more deeply integrated subscription support in a future release.

• Dropped built-in support for file uploads via the graphql-upload package.

  • To re-enable file uploads in Apollo Server 3 as they're supported in v2, see the migration guide.

• Dropped support for the graphql-extensions API (e.g., GraphQLExtensions, extensions) in favor of the Apollo Server plugins API.

• Dropped support for passing the schemaDirectives option to the ApolloServer constructor.

  • This option was passed directly to the graphql-tools function makeExecutableSchema. To continue using it, you can import makeExecutableSchema from @graphql-tools/schema and call it yourself:

    new ApolloServer({
      schema: makeExecutableSchema({
        typeDefs,
        resolvers,
        schemaDirectives
      })
    })
    

    Note that graphql-tools calls this feature "legacy" schema directives, and you might want to consider the newer schemaTransforms option instead.

• Removed the deprecated ApolloServer.schema field, which never worked with federated gateways.

  • To extract your schema from your server, you can make a plugin with serverWillStart or register onSchemaChange on your gateway.

• apollo-datasource-rest: We no longer officially support overriding the baseURL property with a getter, because TypeScript 4 does not allow you to do so.

• Removed the automatic addition of the @cacheControl directive to schemas.

  • This directive was added in some circumstances but not in others, which caused confusion.
  • If you use @cacheControl, you can define it in your schema as shown in the docs.

• Removed the tracing option passed to the ApolloServer constructor. The corresponding apollo-tracing package has been deprecated and is no longer being published.

  • This package implemented an inefficient JSON format for execution traces returned via the tracing GraphQL response extension. This format was only consumed by the deprecated engineproxy and GraphQL Playground.

  • If you rely on this trace format, the old version of apollo-tracing should still work:

    new ApolloServer({
      plugins: [
        require('apollo-tracing').plugin()
      ]
    });
    

• Removed a redundant mechanism for applying extensions to an ApolloError.

  • Applied extensions are now available only on error.extensions, and are not also available on error itself.
  • For details, see #​5294.
  • Relatedly, the ForbiddenError and AuthenticationError constructors now allow you to pass additional extensions.

• Removed the cacheControl option passed to the ApolloServer constructor.

  • By default, Apollo Server continues to calculate an overall cache policy for each operation and sets the Cache-Control HTTP header. However, this is now implemented directly inside apollo-server-core instead of inside a separate apollo-cache-control package (this package has been deprecated and is no longer being published).
  • Setting cache control options like defaultMaxAge is now done via the newly exported ApolloServerPluginCacheControl plugin, instead of as a top-level constructor option. This follows the same pattern as other built-in plugins like usage reporting.
  • The CacheHint and CacheScope types are now exported from apollo-server-types. The info.cacheControl.cacheHint object now has additional methods (replace, restrict, and policyIfCacheable), and its fields update when those methods or setCacheHint are called. These methods also exist on requestContext.overallCachePolicy, which is always defined and which should not be overwritten (use replace instead). There is also a new function info.cacheControl.cacheHintFromType available.
  • @cacheControl directives on type extensions are no longer ignored. Fields returning union types are now treated similarly to fields returning object and interface types (@cacheControl directives on the type are honored, the default maxAge is applied to them).
  • New feature: @cacheControl(inheritMaxAge: true) when applied to a composite type or a field returning a composite type means that the default maxAge is not applied to that field (unless it is a root field).

• Due to conflicts with same/similar globals provided by @types/supertest (which we use in our testing), some global TypeScript definitions have been removed from apollo-server-env including that of, e.g., fetch, RequestInfo, Headers, Request, Response, ResponseInit, and more. See the full list prior to removal here. Internally in the Apollo Server tests, for the time-being, we are relying on the same-named types from TypeScript's lib.dom.d.ts — e.g., its RequestInfo type definition. For more details, see PR #​5165.

• Top-level exports have changed. For example:

  • We no longer re-export the entirety of graphql-tools (including makeExecutableSchema) from all Apollo Server packages. To continue using them, install graphql-tools or one of its sub-packages yourself.
  • The Upload scalar is no longer exported as part of dropping built-in support for file uploads.

• Stopped publishing the deprecated apollo-server-testing package. This package is just a wrapper around server.executeOperation, which you can use directly.

• apollo-server-caching: The test suite helper works differently, and the TestableKeyValueCache interface is removed.

• The engine constructor option, ENGINE_API_KEY environment variable, and ENGINE_SCHEMA_TAG environment variables are no longer supported. Use the apollo constructor option, APOLLO_KEY environment variable, and APOLLO_GRAPH_VARIANT environment variable instead, as described in [the engine option migration guide from v2.18)[https://www.apollographql.com/docs/apollo-server/v2/migration-engine-plugins/].

• When you supply an Apollo API key via the APOLLO_KEY environment variable or new ApolloServer({apollo: {key}}), Apollo Server 3 no longer parses the key to guess your Studio graph ID. You must specify it yourself, either via the APOLLO_GRAPH_ID environment variable (or new ApolloServer({apollo: {graphId}})), or as a graph ref along with the variant (e.g., your-graph-id@your-graph-variant) in the APOLLO_GRAPH_REF environment variable (or new ApolloServer({apollo: {graphRef}})).

Modified functionality

• With one exception, all Apollo Server plugin methods (requestDidStart, didResolveOperation, etc.) are now async.
  • Previously, some of these methods were synchronous, others were async, and some were "sometimes-async" by returning a ValueOrPromise.
  • The exception is willResolveField, which remains synchronous. This method is called much more often than any other plugin method, and converting it to async might affect performance.
  • In a future release, willResolveField might become "sometimes-async" by returning a ValueOrPromise.
• Apollo Server now always fires the willSendResponse plugin lifecycle event after firing didEncounterError.
  • In certain error cases (mostly related to automated persisted queries), Apollo Server 2 skips firing willSendResponse.
• The executionDidStart event can no longer return a function as an "end hook". The "end hook" for this event now must be provided as an async function property called executionDidEnd on an object.
• Renamed the GraphQLService interface to GatewayInterface.
  • This interface is the type used to provide a federated gateway instance to Apollo Server. Its name has been changed to reduce ambiguity.
  • The previous name is still exported for backward compatibility purposes.
• Added support for serving a custom landing page at Apollo Server's base URL.
  • Plugins can define a new renderLandingPage hook that returns an HTML page to serve to browsers.
  • New plugins (ApolloServerPluginLandingPageProductionDefault and ApolloServerPluginLandingPageLocalDefault) are installed by default (the former when NODE_ENV is production, the latter otherwise) with instructions on how to communicate with the server, links to Apollo Sandbox, etc.
  • A new ApolloServerPluginLandingPageGraphQLPlayground plugin can be installed instead to continue to use GraphQL Playground instead. The playground option provided to the ApolloServer constructor has been removed; to customize GraphQL Playground you can provide an argument to the new playground plugin. By default, no GraphQL Playground settings are overridden, including the endpoint, which now defaults to window.location.href (with most query parameters removed). This means you typically don't have to manually configure the endpoint when using GraphQL Playground.
  • To disable all landing pages, install the new ApolloServerPluginLandingPageDisabled plugin.
  • Apollo Server packages no longer export defaultPlaygroundOptions, PlaygroundConfig, or PlaygroundRenderPageOptions.
• Bad request errors (invalid JSON, missing body, etc) are more consistent across integrations and consistently return 4xx status codes instead of sometimes returning 5xx status codes.
• Setting requestContext.response.http.status now affects successful GraphQL responses, not just errors.

Changes to Node.js framework integrations

• When using a non-serverless framework integration (Express, Fastify, Hapi, Koa, Micro, or Cloudflare), you now must call await server.start() before attaching the server to your framework.

  • This method was introduced in v2.22 but was optional prior to Apollo Server 3.
  • This requirement does not apply to the apollo-server library or to serverless framework integrations.

• apollo-server-express no longer officially supports using with the connect framework.

  • We have not actively removed any connect compatibility code, and we do still test that it works with connect. However, we reserve the right to break that compatibility without a major version bump of this package (we will certainly note in this changelog if we do so).

• apollo-server-lambda: This package is now implemented as a wrapper around apollo-server-express. createHandler's argument now has different options:

  • expressGetMiddlewareOptions, which includes options like cors and is passed through to apollo-server-express's getMiddleware
  • expressAppFromMiddleware, which lets you customize HTTP processing

  Also, the context function now receives an express: { req, res } option in addition to event and context

• apollo-server-lambda: The handler returned by createHandler can now only be called as an async function returning a Promise (it no longer optionally accepts a callback as the third argument).

  • All current Lambda Node runtimes support this invocation mode (so exports.handler = server.createHandler() will keep working without any changes).
  • If you've written your own handler that calls the handler returned by createHandler with a callback, you'll need to handle its Promise return value instead.

• apollo-server-lambda: Improved support for running behind an Application Load Balancer (ALB).

• apollo-server-fastify is now compatible with Fastify v3 instead of Fastify v2.

• apollo-server-hapi is now only tested with Hapi v20.1.2 and higher (the minimum version that supports Node 16).

• The non-serverless integrations now depend on their corresponding web frameworks via peer dependencies rather than direct dependencies.

• All integrations that allow CORS headers to be customized now default to access-control-allow-origin: *. This was already the case for apollo-server, Express, Fastify, and Hapi; it is now also the same for Koa (which previously reflected the request's origin), Lambda, Cloud Functions, and Azure Functions as well (which did not set CORS by default). Micro and CloudFlare do not have a built-in way of setting CORS headers.

v2.25.3

Compare Source

• ⚠️ SECURITY apollo-server-core: Update default version of the GraphQL Playground React app loaded from the CDN to be @apollographql/graphql-playground-react@1.7.42. This patches an XSS vulnerability. Note that if you are pinning the Playground React app version in your app with new ApolloServer({playground: {version: 'some version'}}), you will need to update the specified version to 1.7.42 or later to avoid this vulnerability. If you disable GraphQL Playground with new ApolloServer({playground: false}), this vulnerability does not affect you. See advisory GHSA-qm7x-rc44-rrqw for more details.

---

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, click this checkbox.

---

This PR has been generated by WhiteSource Renovate. View repository job log here.