Bump apollo-server-express from 2.25.2 to 3.6.7

[dependabot[bot]]

Bumps apollo-server-express from 2.25.2 to 3.6.7.

Changelog

Sourced from apollo-server-express's changelog.

v3.6.7

• apollo-server-core: Update @apollographql/apollo-tools dependency to the latest version which now properly lists its peer dependencies. This fixes a problem with using Yarn3 PnP [PR #6273](apollographql/apollo-server#6273)

v3.6.6

• ⚠️ SECURITY apollo-server-core: Apollo Server 3.4.0 introduced a new documentStore constructor option (replacing the experimental_approximateDocumentStoreMiB option) which allows you to customize an internal cache used by ApolloServer to memoize the results of parsing and validating GraphQL operations. When this option was combined with the gateway option, it was possible for Apollo Server to attempt to execute invalid GraphQL operations. Specifically, if a server processed an operation and then its schema was updated with a change that made that operation no longer valid, the server could still attempt to execute the operation again without re-validating it against the new schema. The problem only lasts until the server is restarted. This release changes the semantics of the documentStore option so that a different key prefix is used each time the schema is updated. (As a side effect, you no longer have to be careful to avoid sharing a documentStore between multiple ApolloServer objects.) This update is highly recommended for any users that specify both documentStore and gateway in new ApolloServer().

v3.6.5

• apollo-server-plugin-usage-reporting: Stop distributing unnecessary generated/reports.proto file. Count executable operations. [PR #6239](apollographql/apollo-server#6239)

v3.6.4

• apollo-server-core: Fixes a regression in v3.6.0 where usage reporting would never send traces for unexecutable operations (parse errors, validation errors, and unknown operation name errors). While "traces" for these operations won't actually contain an execution tree, they can contain interesting errors. [Issue #6193](apollographql/apollo-server#6193) [PR #6194](apollographql/apollo-server#6194)

v3.6.3

• apollo-server-core: The inline trace plugin will now include the full query plan and subgraph traces if manually installed in an Apollo Gateway. (Previously, you technically could install this plugin in a Gateway but it would not have any real trace data.) This is recommended for development use only and not in production servers. [PR #6017](apollographql/apollo-server#6017)
• apollo-server-core: The default landing page plugins now take an includeCookies option which allows you to specify that Explorer should send cookies to your server. [PR #6014](apollographql/apollo-server#6014)
• apollo-server-core: Apollo Server has a heuristic added in v2.23.0 and improved in v3.1.0 which tries to detect execution errors that come from the graphql-js variable value validation phase and report them with an extensions.code of BAD_USER_INPUT rather than INTERNAL_SERVER_ERROR. In this release, the heuristic is improved to include some cases including variables that are non-null lists. [PR #6066](apollographql/apollo-server#6066)

v3.6.2

• ⚠️ SECURITY apollo-server-env: Update dependency on node-fetch to require v2.6.7 rather than v2.6.1. This includes the fix to CVE-2022-0235, a vulnerability where credentials sent along with a request could be sent to a different origin if the fetched URL responds with an attacker-controlled HTTP redirect. This is the default fetcher used by apollo-datasource-rest, usage reporting, schema reporting, and @apollo/gateway in versions prior to v0.46.0. We do not believe that the way that this is used by usage reporting or schema reporting is vulnerable to the exploit, but if you use apollo-datasource-rest in such a way that the servers you talk to might serve a surprising redirect, this upgrade would be helpful. Note that to ensure you're using the appropriate version of apollo-server-env with apollo-datasource-rest, you need to be using v3.5.1 of that package. (We plan to separate the release process of apollo-datasource-rest from Apollo Server soon so that it can have a more reasonable changelog.) If upgrading to this version is challenging, you can also work around this by ensuring that node-fetch@2.6.7 is the version used in your project, or by specifying a fetcher explicitly to your older Gateway, REST datasource, etc.
• apollo-server-core: The typeDefs, resolvers, and parseOptions constructor arguments are passed directly through to makeExecutableSchema from @graphql-tools/schema if provided. Now their TypeScript type definitions come directly from that package so that any types accepted by that package can be provided. [PR #5978](apollographql/apollo-server#5978)
• apollo-server-fastify: Drop dependency on fast-json-stringify. [PR #5988](apollographql/apollo-server#5988)
• apollo-server-azure-functions: Update TypeScript types package @azure/functions from v1 to v3 and change it to a dev dependency. (We were advised to change it to a dev dependency by the authors of the package; if this turns out to be problematic we can revert this part of the change. They also do not believe this is a backwards-incompatible change despite the major version bump; this package does a major version bump when the underlying Azure Functions runtime has a major version bump.) [PR #5919](apollographql/apollo-server#5919)

v3.6.1

• Correctly remove dependency on apollo-graphql as intended in v3.6.0. [Issue #5981](apollographql/apollo-server#5981) [PR #5981](apollographql/apollo-server#5981)

v3.6.0

• apollo-server-core: Studio usage reporting now reports "referenced operations" for fields in addition to "field executions", which can be seen on the Studio Fields page. This new statistic provides visibility into uses of fields that are not executed. It is also more efficient to generate and (for Apollo Gateways) does not require subgraphs to support federated tracing. Additionally, the new fieldLevelInstrumentation option to ApolloServerPluginUsageReporting allows you to disable field-level tracing on a per-operation basis, and to report weights for operations to allow for estimates of the field execution count even when not all operations are instrumented. Note that the semantics of the requestContext.metrics.captureTraces field have changed. See the Studio Fields page docs and the fieldLevelInstrumentation docs for more details. [Issue #5708](apollographql/apollo-server#5708) [PR #5956](apollographql/apollo-server#5956) [PR #5963](apollographql/apollo-server#5963)
• apollo-server-core: Usage reporting no longer sends a "client reference ID" to Apollo Studio (along with the client name and client version). This little-used feature has not been documented since 2019 and is currently entirely ignored by Apollo Studio. This is technically incompatible as the interface ClientInfo no longer has the field clientReferenceId; if you were one of the few users who explicitly set this field and you get a TypeScript compilation failure upon upgrading to v3.6.0, just stop using the field. [PR #5890](apollographql/apollo-server#5890)
• apollo-server-core: Remove dependency on apollo-graphql package (by inlining the code which generates usage reporting signatures). That package has not yet been published with a graphql@16 peer dependency, so Apollo Server v3.5 did not fully support graphql@16 without overriding peer dependencies. [Issue #5941](apollographql/apollo-server#5941) [PR #5955](apollographql/apollo-server#5955)

v3.5.0

• Apollo Server now supports graphql@16. (There is a very small backwards incompatibility: ApolloError.originalError can no longer be null, matching the type of GraphQLError.originalError. Use undefined instead. If this causes challenges, let us know and we can try to adapt.) [PR #5857](apollographql/apollo-server#5857) - apollo-server-core: Fix build error when building with @rollup/plugin-commonjs. [PR #5797](apollographql/apollo-server#5797)
• apollo-server-plugin-response-cache: Add missing dependency on apollo-server-types (broken since v3.0.0). [Issue #5804](apollographql/apollo-server#5804) [PR #5816](apollographql/apollo-server#5816)
• apollo-server-core: The default landing page plugins now take document, variables, and headers arguments which fill in default values if you click through to Explorer. [PR #5711](apollographql/apollo-server#5711)
• apollo-server-core: Support for HTTP request batching can now be disabled by passing allowBatchedHttpRequests: false to new ApolloServer. [PR #5778](apollographql/apollo-server#5778) [Issue #5686](apollographql/apollo-server#5686)

v3.4.1

• ⚠️ SECURITY apollo-server-core: Update default version of the GraphQL Playground React app loaded from the CDN to be @apollographql/graphql-playground-react@1.7.42. This patches an XSS vulnerability. Note that if you are pinning the Playground React app version in your app with new ApolloServer({plugins: [ApolloServerPluginLandingPageGraphQLPlayground({version: 'some version'})]}), you will need to update the specified version to 1.7.42 or later to avoid this vulnerability. If you do not explicitly enable GraphQL Playground via the ApolloServerPluginLandingPageGraphQLPlayground plugin, this vulnerability does not affect you. See advisory GHSA-qm7x-rc44-rrqw for more details.

... (truncated)

Commits

• 7678672 Release
• 1ca3669 Release
• c3deb0d Release
• dfa9fef Release
• 289acad Release
• 022184a Release
• 12e6df6 chore(deps): update all non-major dependencies (#5998)
• 0d000e0 Spell-checking with cspell (#5989)
• f3fc7d1 Release
• 06dd117 Merge pull request #5960 from apollographql/release-3.6.0
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot will merge this PR once CI passes on it, as requested by @fredli74.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[fredli74]

@dependabot squash and merge

[dependabot[bot]]

One of your CI runs failed on this pull request, so Dependabot won't merge it.

Dependabot will still automatically merge this pull request if you amend it and your tests pass.

[fredli74]

@dependabot squash and merge

[fredli74]

@dependabot squash and merge

[fredli74]

@dependabot squash and merge

[dependabot[bot]]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.