build(deps): bump the npm_and_yarn group across 2 directories with 6 updates by dependabot[bot] · Pull Request #444 · launchdarkly/observability-sdk

dependabot · 2026-03-27T18:54:20Z

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package	From	To
@apollo/server	`4.13.0`	`5.5.0`
rollup	`4.57.1`	`4.59.0`
brace-expansion	`1.1.12`	`1.1.13`
handlebars	`4.7.8`	`4.7.9`
picomatch	`2.3.1`	`2.3.2`
yaml	`1.10.2`	`1.10.3`

Bumps the npm_and_yarn group with 1 update in the /sdk/highlight-apollo directory: @apollo/server.

Updates @apollo/server from 4.13.0 to 5.5.0

Release notes

Sourced from @apollo/server's releases.

@apollo/server-integration-testsuite@5.5.0

Minor Changes

#8191 ada1200 - ⚠️ SECURITY @apollo/server/standalone:

Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

(GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

See advisory GHSA-9q82-xgwf-vj6h for more details.

Patch Changes

Updated dependencies [ada1200]:

@apollo/server@5.5.0

@apollo/server@5.5.0

Minor Changes

#8191 ada1200 Thanks @glasser! - ⚠️ SECURITY @apollo/server/standalone:

Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

(GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

See advisory GHSA-9q82-xgwf-vj6h for more details.

@apollo/server-integration-testsuite@5.4.0

Patch Changes

Updated dependencies [d25a5bd]:

@apollo/server@5.4.0

@apollo/server@5.4.0

Minor Changes

d25a5bd Thanks @phryneas! - ⚠️ SECURITY @apollo/server/standalone:

... (truncated)

Changelog

Sourced from @apollo/server's changelog.

5.5.0

Minor Changes

#8191 ada1200 Thanks @glasser! - ⚠️ SECURITY @apollo/server/standalone:

Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

(GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

See advisory GHSA-9q82-xgwf-vj6h for more details.

5.4.0

Minor Changes

d25a5bd Thanks @phryneas! - ⚠️ SECURITY @apollo/server/standalone:

The default configuration of startStandaloneServer was vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings.

In accordance with RFC 7159, we now only accept request bodies encoded in UTF-8, UTF-16 (LE or BE), or UTF-32 (LE or BE). Any other character set will be rejected with a 415 Unsupported Media Type error. Note that the more recent JSON RFC, RFC 8259, is more strict and will only allow UTF-8. Since this is a minor release, we have chosen to remain compatible with the more permissive RFC 7159 for now. In a future major release, we may tighten this restriction further to only allow UTF-8.

If you were not using startStandaloneServer, you were not affected by this vulnerability.

Generally, please note that we provide startStandaloneServer as a convenience tool for quickly getting started with Apollo Server. For production deployments, we recommend using Apollo Server with a more fully-featured web server framework such as Express, Koa, or Fastify, where you have more control over security-related configuration options.

5.3.0

Minor Changes
#8062 8e54e58 Thanks @cristunaranjo! - Allow configuration of graphql execution options (maxCoercionErrors)
const server = new ApolloServer({
  typeDefs,
  resolvers,
  executionOptions: {
    maxCoercionErrors: 50,
  },

... (truncated)

Commits

64c0e1b Version Packages (#8192)
ada1200 Reject GET requests with a Content-Type other than application/json (#8191)
ad45d15 Version Packages (#8179)
d25a5bd Merge commit from fork
443e547 fix repository urls
28d6d47 Version Packages (#8172)
26320bc feat: Allow configuration of graphql validation options #8014
f2c16a7 bump dependency
8e54e58 feat: Allow configuration of graphql execution options(maxCoercionErrors)
7be3686 Version Packages (#8163)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @apollo/server since your current version.

Updates rollup from 4.57.1 to 4.59.0

Release notes

Sourced from rollup's releases.

v4.59.0

4.59.0

2026-02-22

Features

Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

#6275: Validate bundle stays within output dir (@lukastaegert)

v4.58.0

4.58.0

2026-02-20

Features

Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

#6256: docs: document PreRenderedChunk properties including isDynamicEntry and isImplicitEntry (@njg7194, @lukastaegert)

#6259: docs: Correct typo and improve sentence structure in docs for output.experimentalMinChunkSize (@millerick, @lukastaegert)

#6260: fix(deps): update rust crate swc_compiler_base to v47 (@renovate[bot], @lukastaegert)

#6261: fix(deps): lock file maintenance minor/patch updates (@renovate[bot], @lukastaegert)

#6262: Avoid unnecessary cloning of the code string (@lukastaegert)

#6263: fix(deps): update minor/patch updates (@renovate[bot], @lukastaegert)

#6265: chore(deps): lock file maintenance (@renovate[bot])

#6267: fix(deps): update minor/patch updates (@renovate[bot])

#6268: chore(deps): update dependency eslint-plugin-unicorn to v63 (@renovate[bot], @lukastaegert)

#6269: chore(deps): update dependency lru-cache to v11 (@renovate[bot])

#6270: chore(deps): lock file maintenance (@renovate[bot])

#6272: forward NO_SIDE_EFFECTS annotations to function expressions in variable declarations (@lukastaegert)

Changelog

Sourced from rollup's changelog.

4.59.0

2026-02-22

Features

Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

#6275: Validate bundle stays within output dir (@lukastaegert)

4.58.0

2026-02-20

Features

Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

#6256: docs: document PreRenderedChunk properties including isDynamicEntry and isImplicitEntry (@njg7194, @lukastaegert)

#6259: docs: Correct typo and improve sentence structure in docs for output.experimentalMinChunkSize (@millerick, @lukastaegert)

#6260: fix(deps): update rust crate swc_compiler_base to v47 (@renovate[bot], @lukastaegert)

#6261: fix(deps): lock file maintenance minor/patch updates (@renovate[bot], @lukastaegert)

#6262: Avoid unnecessary cloning of the code string (@lukastaegert)

#6263: fix(deps): update minor/patch updates (@renovate[bot], @lukastaegert)

#6265: chore(deps): lock file maintenance (@renovate[bot])

#6267: fix(deps): update minor/patch updates (@renovate[bot])

#6268: chore(deps): update dependency eslint-plugin-unicorn to v63 (@renovate[bot], @lukastaegert)

#6269: chore(deps): update dependency lru-cache to v11 (@renovate[bot])

#6270: chore(deps): lock file maintenance (@renovate[bot])

#6272: forward NO_SIDE_EFFECTS annotations to function expressions in variable declarations (@lukastaegert)

Commits

ae84695 4.59.0
b39616e Update audit-resolve
c60770d Validate bundle stays within output dir (#6275)
33f39c1 4.58.0
b61c408 forward NO_SIDE_EFFECTS annotations to function expressions in variable decla...
7f00689 Extend agent instructions
e7b2b85 chore(deps): lock file maintenance (#6270)
2aa5da9 fix(deps): update minor/patch updates (#6267)
4319837 chore(deps): update dependency lru-cache to v11 (#6269)
c3b6b4b chore(deps): update dependency eslint-plugin-unicorn to v63 (#6268)
Additional commits viewable in compare view

Updates brace-expansion from 1.1.12 to 1.1.13

Commits

6c353ca 1.1.13
7fd684f Backport fix for GHSA-f886-m6hf-6m8v (#95)
See full diff in compare view

Updates handlebars from 4.7.8 to 4.7.9

Release notes

Sourced from handlebars's releases.

v4.7.9

fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2

fix type "RuntimeOptions" also accepting string partials - eab1d14

feat(types): set hash to be a Record<string, any> - de4414d

fix non-contiguous program indices - 4512766

refactor: rename i to startPartIndex - e497a35

security: fix security issues - 68d8df5

GHSA-2w6w-674q-4c4q

GHSA-3mfm-83xf-c92r

GHSA-xhpv-hc6g-r9c6

GHSA-xjpj-3mr7-gcpf

GHSA-9cx6-37pm-9jff

GHSA-2qvq-rjwj-gvw9

GHSA-7rx3-28cr-v5wh

GHSA-442j-39wm-28r2

Commits

Changelog

Sourced from handlebars's changelog.

v4.7.9 - March 26th, 2026

fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2

fix type "RuntimeOptions" also accepting string partials - eab1d14

feat(types): set hash to be a Record<string, any> - de4414d

fix non-contiguous program indices - 4512766

refactor: rename i to startPartIndex - e497a35

security: fix security issues - 68d8df5

Commits

Commits

dce542c v4.7.9
8a41389 Update release notes
68d8df5 Fix security issues
b2a0831 Fix browser tests
9f98c16 Fix release script
45443b4 Revert "Improve partial indenting performance"
8841a5f Fix CI errors with linting
e0137c2 fix: enable shell mode for spawn to resolve Windows EINVAL issue
e914d60 Improve rendering performance
7de4b41 Upgrade GitHub Actions checkout and setup-node on 4.x branch
Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

fix: exception when glob pattern contains constructor by @Jason3S in micromatch/picomatch#144

Fix for CVE-2026-33671

Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Changelogs are for humans, not machines.

There should be an entry for every single version.

The same types of changes should be grouped.

Versions and sections should be linkable.

The latest version comes first.

The release date of each versions is displayed.

Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

Added for new features.

Changed for changes in existing functionality.

Deprecated for soon-to-be removed features.

Removed for now removed features.

Fixed for any bug fixes.

Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

Fix bad text values in parse #126, thanks to @connor4312

Changed

Remove process global to work outside of node #129, thanks to @styfle

Add sideEffects to package.json #128, thanks to @frandiox

Removed os, make compatible browser environment. See #124, thanks to @gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

81cba8d Publish 2.3.2
fc1f6b6 Merge commit from fork
eec17ae Merge commit from fork
78f8ca4 Merge pull request #156 from micromatch/backport-144
3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
See full diff in compare view

Updates yaml from 1.10.2 to 1.10.3

Commits

cfe8f04 1.10.3
7abcf45 fix: Catch stack overflow during CST composition
a0252f8 chore: Add rules avoiding processing of tests/json-test-suite
a5e83b0 style: Apply updates Prettier rules
b8ddca0 chore: Refresh lockfile
395f892 ci: Use a different (working) submodule checkout
6fd2720 test-events: Add {} and [] indicators to flow maps & sequences
See full diff in compare view

Updates @apollo/server from 4.13.0 to 5.5.0

Release notes

Sourced from @apollo/server's releases.

@apollo/server-integration-testsuite@5.5.0

Minor Changes

#8191 ada1200 - ⚠️ SECURITY @apollo/server/standalone:

Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

(GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

See advisory GHSA-9q82-xgwf-vj6h for more details.

Patch Changes

Updated dependencies [ada1200]:

@apollo/server@5.5.0

@apollo/server@5.5.0

Minor Changes

#8191 ada1200 Thanks @glasser! - ⚠️ SECURITY @apollo/server/standalone:

Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

(GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

See advisory GHSA-9q82-xgwf-vj6h for more details.

@apollo/server-integration-testsuite@5.4.0

Patch Changes

Updated dependencies [d25a5bd]:

@apollo/server@5.4.0

@apollo/server@5.4.0

Minor Changes

d25a5bd Thanks @phryneas! - ⚠️ SECURITY @apollo/server/standalone:

... (truncated)

Changelog

Sourced from @apollo/server's changelog.

5.5.0

Minor Changes

#8191 ada1200 Thanks @glasser! - ⚠️ SECURITY @apollo/server/standalone:

Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

(GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

See advisory GHSA-9q82-xgwf-vj6h for more details.

5.4.0

Minor Changes

d25a5bd Thanks @phryneas! - ⚠️ SECURITY @apollo/server/standalone:

The default configuration of startStandaloneServer was vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings.

In accordance with RFC 7159, we now only accept request bodies encoded in UTF-8, UTF-16 (LE or BE), or UTF-32 (LE or BE). Any other character set will be rejected with a 415 Unsupported Media Type error. Note that the more recent JSON RFC, RFC 8259, is more strict and will only allow UTF-8. Since this is a minor release, we have chosen to remain compatible with the more permissive RFC 7159 for now. In a future major release, we may tighten this restriction further to only allow UTF-8.

If you were not using startStandaloneServer, you were not affected by this vulnerability.

Generally, please note that we provide startStandaloneServer as a convenience tool for quickly getting started with Apollo Server. For production deployments, we recommend using Apollo Server with a more fully-featured web server framework such as Express, Koa, or Fastify, where you have more control over security-related configuration options.

5.3.0

Minor Changes
#8062 8e54e58 Thanks @cristunaranjo! - Allow configuration of graphql execution options (maxCoercionErrors)
const server = new ApolloServer({
  typeDefs,
  resolvers,
  executionOptions: {
    maxCoercionErrors: 50,
  },

... (truncated)

Commits

64c0e1b Version Packages (#8192)
ada1200 Reject GET requests with a Content-Type other than application/json (#8191)
ad45d15 Version Packages (#8179)
d25a5bd Merge commit from fork
443e547 fix repository urls
28d6d47 Version Packages (#8172)
26320bc feat: Allow configuration of graphql validation options #8014
f2c16a7 bump dependency
8e54e58 feat: Allow configuration of graphql execution options(maxCoercionErrors)
7be3686 Version Packages (#8163)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @apollo/server since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Medium Risk
Dependency-only changes, but includes a major @apollo/server upgrade (v4→v5) that can alter runtime GraphQL server behavior and request handling; Rollup upgrades may also affect build output.

Overview
Updates several SDK package dev dependencies to newer versions, primarily bumping rollup to ^4.59.0 in the Node/Next/LaunchDarkly packages.

Upgrades sdk/highlight-apollo to @apollo/server@^5.5.0 (major version), and refreshes yarn.lock with the new Apollo dependency graph plus minor/patch bumps like brace-expansion, handlebars, picomatch, and yaml.

^{Written by Cursor Bugbot for commit 7d998a1. This will update automatically on new commits. Configure here.}

…updates Bumps the npm_and_yarn group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [@apollo/server](https://github.com/apollographql/apollo-server/tree/HEAD/packages/server) | `4.13.0` | `5.5.0` | | [rollup](https://github.com/rollup/rollup) | `4.57.1` | `4.59.0` | | [brace-expansion](https://github.com/juliangruber/brace-expansion) | `1.1.12` | `1.1.13` | | [handlebars](https://github.com/handlebars-lang/handlebars.js) | `4.7.8` | `4.7.9` | | [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` | | [yaml](https://github.com/eemeli/yaml) | `1.10.2` | `1.10.3` | Bumps the npm_and_yarn group with 1 update in the /sdk/highlight-apollo directory: [@apollo/server](https://github.com/apollographql/apollo-server/tree/HEAD/packages/server). Updates `@apollo/server` from 4.13.0 to 5.5.0 - [Release notes](https://github.com/apollographql/apollo-server/releases) - [Changelog](https://github.com/apollographql/apollo-server/blob/main/packages/server/CHANGELOG.md) - [Commits](https://github.com/apollographql/apollo-server/commits/@apollo/server@5.5.0/packages/server) Updates `rollup` from 4.57.1 to 4.59.0 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.57.1...v4.59.0) Updates `brace-expansion` from 1.1.12 to 1.1.13 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@v1.1.12...v1.1.13) Updates `handlebars` from 4.7.8 to 4.7.9 - [Release notes](https://github.com/handlebars-lang/handlebars.js/releases) - [Changelog](https://github.com/handlebars-lang/handlebars.js/blob/v4.7.9/release-notes.md) - [Commits](handlebars-lang/handlebars.js@v4.7.8...v4.7.9) Updates `picomatch` from 2.3.1 to 2.3.2 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@2.3.1...2.3.2) Updates `yaml` from 1.10.2 to 1.10.3 - [Release notes](https://github.com/eemeli/yaml/releases) - [Commits](eemeli/yaml@v1.10.2...v1.10.3) Updates `@apollo/server` from 4.13.0 to 5.5.0 - [Release notes](https://github.com/apollographql/apollo-server/releases) - [Changelog](https://github.com/apollographql/apollo-server/blob/main/packages/server/CHANGELOG.md) - [Commits](https://github.com/apollographql/apollo-server/commits/@apollo/server@5.5.0/packages/server) --- updated-dependencies: - dependency-name: "@apollo/server" dependency-version: 5.5.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 4.59.0 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: brace-expansion dependency-version: 1.1.13 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: handlebars dependency-version: 4.7.9 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: yaml dependency-version: 1.10.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@apollo/server" dependency-version: 5.5.0 dependency-type: direct:production dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

cursor

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

cursor · 2026-03-27T18:57:12Z

sdk/highlight-apollo/package.json

 	},
 	"dependencies": {
-		"@apollo/server": "^4.13.0",
+		"@apollo/server": "^5.5.0",


Major version bump of @apollo/server breaks published package consumers

High Severity

The @apollo/server dependency in @highlight-run/apollo is bumped from v4 to v5 — a major version change — without a corresponding major version bump of the published package itself (currently 3.4.49). Since @apollo/server is listed in dependencies (not peerDependencies), consumers using Apollo Server v4 will now get a conflicting v5 installed transitively. This causes TypeScript type incompatibilities (the ApolloServerPlugin type from v5 won't match the v4 ApolloServer constructor's expectations) and introduces stricter runtime requirements (Node.js v20+, graphql@^16.11.0) that consumers may not satisfy. This is a semver-breaking change to a published npm package being shipped as a patch-level update.

dependabot · 2026-03-27T21:19:27Z

Superseded by #445.

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 27, 2026

dependabot bot requested a review from a team as a code owner March 27, 2026 18:54

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 27, 2026

dependabot bot mentioned this pull request Mar 27, 2026

build(deps): bump the npm_and_yarn group across 2 directories with 5 updates #440

Closed

cursor bot reviewed Mar 27, 2026

View reviewed changes

dependabot bot closed this Mar 27, 2026

dependabot bot deleted the dependabot/npm_and_yarn/npm_and_yarn-1a2d64cb11 branch March 27, 2026 21:19

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump the npm_and_yarn group across 2 directories with 6 updates#444

build(deps): bump the npm_and_yarn group across 2 directories with 6 updates#444
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-1a2d64cb11

dependabot bot commented on behalf of github Mar 27, 2026 •

edited by cursor bot

Loading

Uh oh!

cursor bot left a comment

Uh oh!

cursor bot Mar 27, 2026

Uh oh!

dependabot bot commented on behalf of github Mar 27, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Mar 27, 2026 • edited by cursor bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

@​apollo/server-integration-testsuite@​5.5.0

Minor Changes

Patch Changes

@​apollo/server@​5.5.0

Minor Changes

@​apollo/server-integration-testsuite@​5.4.0

Patch Changes

@​apollo/server@​5.4.0

Minor Changes

5.5.0

Minor Changes

5.4.0

Minor Changes

5.3.0

Minor Changes

v4.59.0

4.59.0

Features

Pull Requests

v4.58.0

4.58.0

Features

Pull Requests

4.59.0

Features

Pull Requests

4.58.0

Features

Pull Requests

v4.7.9

v4.7.9 - March 26th, 2026

2.3.2

What's Changed

Release history

4.0.0 (2024-02-07)

Fixes

Changed

3.0.1

Fixes

@​apollo/server-integration-testsuite@​5.5.0

Minor Changes

Patch Changes

@​apollo/server@​5.5.0

Minor Changes

@​apollo/server-integration-testsuite@​5.4.0

Patch Changes

@​apollo/server@​5.4.0

Minor Changes

5.5.0

Minor Changes

5.4.0

Minor Changes

5.3.0

Minor Changes

Uh oh!

cursor bot left a comment

Choose a reason for hiding this comment

Uh oh!

cursor bot Mar 27, 2026

Choose a reason for hiding this comment

Major version bump of @apollo/server breaks published package consumers

Uh oh!

dependabot bot commented on behalf of github Mar 27, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot bot commented on behalf of github Mar 27, 2026 •

edited by cursor bot

Loading

`@apollo/server-integration-testsuite@5`.5.0

`@apollo/server@5`.5.0

`@apollo/server-integration-testsuite@5`.4.0

`@apollo/server@5`.4.0

`@apollo/server-integration-testsuite@5`.5.0

`@apollo/server@5`.5.0

`@apollo/server-integration-testsuite@5`.4.0

`@apollo/server@5`.4.0

Major version bump of `@apollo/server` breaks published package consumers