fix(deps): update apollo graphql packages to v2 (major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence	Type	Update
@apollo/subgraph (source)	0.6.1 -> 2.10.1					dependencies	major
ghcr.io/apollographql/router	v1.59.2 -> v2.1.1						major

---

Release Notes

apollographql/federation (@​apollo/subgraph)

v2.10.1

Compare Source

Patch Changes

• Updated dependencies [97d81b79c3da10175bdf92c2209039efe352de79]:
  • @​apollo/federation-internals@​2.10.1

v2.10.0

Compare Source

Patch Changes

• When resolving references, skip type resolution if the reference resolves to null. (#​3215)

• Updated dependencies [8927e315ab0e865ef3ff12320f265ee95588b899, 8927e315ab0e865ef3ff12320f265ee95588b899]:

  • @​apollo/federation-internals@​2.10.0

v2.9.3

Compare Source

Patch Changes

• Updated dependencies [cc4573471696ef78d04fa00c4cf8e5c50314ba9f, 062572b3253e8640b60a0bf58b83945094b76b6f, df5eb3cb0e2b4802fcd425ab9c23714de2707db3, 1c99cb0dcc6c639ac351210932623ab0bd6907e4]:
  • @​apollo/federation-internals@​2.9.3

v2.9.2

Compare Source

Patch Changes

• Updated dependencies [2192f355f50db33fe0807d16153f357696b9f190, 5ac01b534318105e904c1e6598070f753add3bb1]:
  • @​apollo/federation-internals@​2.9.2

v2.9.1

Compare Source

Patch Changes

• Updated dependencies [b8e4ab5352a4dfd262af49493fdd42e86e5e3d99, e6c05b6c96023aa3dec79889431f8217fcb3806d]:
  • @​apollo/federation-internals@​2.9.1

v2.9.0

Compare Source

Patch Changes

• Updated dependencies [02c2a34a62c3717a4885449172e404f19ebf66c9, 0ccfd937d4b4a576f890665ceebbd7986fac5d0c, e0a5075c0d12a0e2f7ef303b246e3216a139d3e0]:
  • @​apollo/federation-internals@​2.9.0

v2.8.5

Compare Source

Patch Changes

• Updated dependencies []:
  • @​apollo/federation-internals@​2.8.5

v2.8.4

Compare Source

Patch Changes

• Add descriptions for federation directives (#​3095)

• Updated dependencies [5f4bb160d024678d6facd471c43c8ec61c86e701, 672aca7cbeb0a6a38586357a4e154f2dd91caa0c]:

  • @​apollo/federation-internals@​2.8.4

v2.8.3

Compare Source

Patch Changes

• Updated dependencies [50d648ccffb05591878de75dc5522914ed48698f, f753d55e9a49d11389ee4f8d7976533447e95ede, 3af790517d662f3bec9064c0bf243014c579e9cd]:
  • @​apollo/federation-internals@​2.8.3

v2.8.2

Compare Source

Patch Changes

• Updated dependencies [b2e5ab66f84688ec304cfcf2c6f749c86aded549]:
  • @​apollo/federation-internals@​2.8.2

v2.8.1

Compare Source

Patch Changes

• Updated dependencies []:
  • @​apollo/federation-internals@​2.8.1

v2.8.0

Compare Source

Patch Changes

• Various set context bugfixes (#​3017)

• Updated dependencies [c4744da360235d8bb8270ea048f0e0fa5d03be1e, 8a936d741a0c05835ff2533714cf330d18209179]:

  • @​apollo/federation-internals@​2.8.0

v2.7.8

Compare Source

Patch Changes

• Triggering a clean 2.7.8 release now that harmonizer build has been fixed. (#​3010)

• Updated dependencies [2ad72802044310a528e8944f4538efe519424504]:

  • @​apollo/federation-internals@​2.7.8

v2.7.7

Compare Source

Patch Changes

• No logical changes since 2.7.5 or 2.7.6, but we fixed a bug in the release process, so we need to publish a new patch version (2.7.7). (#​2999)

• Updated dependencies [bee0b0828b4fb6a1d3172ac330560e2ab6c046bb]:

  • @​apollo/federation-internals@​2.7.7

v2.7.6

Compare Source

Patch Changes

• Updated dependencies []:
  • @​apollo/federation-internals@​2.7.6

v2.7.5

Compare Source

Patch Changes

• Updated dependencies []:
  • @​apollo/federation-internals@​2.7.5

v2.7.4

Compare Source

Patch Changes

• Updated dependencies [d80b7f0ca1456567a0866a32d2b2abf940598f77]:
  • @​apollo/federation-internals@​2.7.4

v2.7.3

Compare Source

Patch Changes

• Updated dependencies [ec04c50b4fb832bfd281ecf9c0c2dd7656431b96, a494631918156f0431ceace74281c076cf1d5d51]:
  • @​apollo/federation-internals@​2.7.3

v2.7.2

Compare Source

Patch Changes

• Updated dependencies [33b937b18d3c7ca6af14b904696b536399e597d1, 09cd3e55e810ee513127b7440f5b11af7540c9b0, d7189a86c27891af408d3d0184db6133d3342967]:
  • @​apollo/federation-internals@​2.7.2

v2.7.1

Compare Source

Patch Changes

• Updated dependencies [493f5acd16ad92adf99c963659cd40dc5eac1219]:
  • @​apollo/federation-internals@​2.7.1

v2.7.0

Compare Source

Minor Changes

• Implement progressive @override functionality (#​2911)

  The progressive @override feature brings a new argument to the @override directive: label: String. When a label is added to an @override application, the override becomes conditional, depending on parameters provided to the query planner (a set of which labels should be overridden). Note that this feature will be supported in router for enterprise users only.

  Out-of-the-box, the router will support a percentage-based use case for progressive @override. For example:

  type Query {
    hello: String @​override(from: "original", label: "percent(5)")
  }

  The above example will override the root hello field from the "original" subgraph 5% of the time.

  More complex use cases will be supported by the router via the use of coprocessors/rhai to resolve arbitrary labels to true/false values (i.e. via a feature flag service).

Patch Changes

• Updated dependencies [6ae42942b13dccd246ccc994faa2cb36cd62cb3c, 66833fb8d04c9376f6ed476fed6b1ca237f477b7, 931f87c6766c7439936df706727cbdc0cd6bcfd8]:
  • @​apollo/federation-internals@​2.7.0

v2.6.3

Compare Source

Patch Changes

• Updated dependencies []:
  • @​apollo/federation-internals@​2.6.3

v2.6.2

Compare Source

Patch Changes

• Updated dependencies [7b5b836d15247c997712a47847f603aa5887312e, 74ca7dd617927a20d79b824851f7651ef3c40a4e]:
  • @​apollo/federation-internals@​2.6.2

v2.6.1

Compare Source

Patch Changes

• Updated dependencies [0d5ab01a]:
  • @​apollo/federation-internals@​2.6.1

v2.6.0

Compare Source

Patch Changes

• Updated dependencies [b18841be, e325b499]:
  • @​apollo/federation-internals@​2.6.0

v2.5.7

Compare Source

Patch Changes

• Updated dependencies []:
  • @​apollo/federation-internals@​2.5.7

v2.5.6

Compare Source

Patch Changes

• Updated dependencies [c719214a]:
  • @​apollo/federation-internals@​2.5.6

v2.5.5

Compare Source

Patch Changes

• Fix specific case for requesting __typename on interface entity type (#​2775)

  In certain cases, when resolving a __typename on an interface entity (due to it actual being requested in the operation), that fetch group could previously be trimmed / treated as useless. At a glance, it appears to be a redundant step, i.e.:

  { ... on Product { __typename id }} => { ... on Product { __typename} }
  

  It's actually necessary to preserve this in the case that we're coming from an interface object to an (entity) interface so that we can resolve the concrete __typename correctly.

• Updated dependencies []:

  • @​apollo/federation-internals@​2.5.5

v2.5.4

Compare Source

Patch Changes

• Updated dependencies []:
  • @​apollo/federation-internals@​2.5.4

v2.5.3

Compare Source

Patch Changes

• Updated dependencies [4b9a512b, c6e0e76d, 1add932c]:
  • @​apollo/federation-internals@​2.5.3

v2.5.2

Compare Source

Patch Changes

• Updated dependencies [35179f08]:
  • @​apollo/federation-internals@​2.5.2

v2.5.1

Compare Source

Patch Changes

• Updated dependencies [b9052fdd]:
  • @​apollo/federation-internals@​2.5.1

v2.5.0

Compare Source

Minor Changes

• Introduce the new @authenticated directive for composition (#​2644)

  Note that this directive will only be fully supported by the Apollo Router as a GraphOS Enterprise feature at runtime. Also note that composition of valid @authenticated directive applications will succeed, but the resulting supergraph will not be executable by the Gateway or an Apollo Router which doesn't have the GraphOS Enterprise entitlement.

  Users may now compose @authenticated applications from their subgraphs into a supergraph. This addition will support a future version of Apollo Router that enables authenticated access to specific types and fields via directive applications.

  The directive is defined as follows:

  directive @​authenticated on FIELD_DEFINITION | OBJECT | INTERFACE | SCALAR | ENUM

  In order to compose your @authenticated usages, you must update your subgraph's federation spec version to v2.5 and add the @authenticated import to your existing imports like so:

  @​link(url: "https://specs.apollo.dev/federation/v2.5", import: [..., "@​authenticated"])

Patch Changes

• Updated dependencies [fe1e3d7b, 6b18af50, 9396c0d6, 2b5796a9, 4f3c3b9e]:
  • @​apollo/federation-internals@​2.5.0

v2.4.13

Compare Source

Patch Changes

• Updated dependencies []:
  • @​apollo/federation-internals@​2.4.13

v2.4.12

Compare Source

Patch Changes

• Updated dependencies [693c2433]:
  • @​apollo/federation-internals@​2.4.12

v2.4.11

Compare Source

Patch Changes

• Updated dependencies [a740e071]:
  • @​apollo/federation-internals@​2.4.11

v2.4.10

Compare Source

Patch Changes

• Updated dependencies [b6be9f96]:
  • @​apollo/federation-internals@​2.4.10

v2.4.9

Compare Source

Patch Changes

• Updated dependencies [7ac83456, d60349b3, 1bb7c512, 02eab3ac, fd4545c2]:
  • @​apollo/federation-internals@​2.4.9

v2.4.8

Compare Source

Patch Changes

• Updated dependencies [62e0d254, 7f1ef73e]:
  • @​apollo/federation-internals@​2.4.8

v2.4.7

Compare Source

Patch Changes

• Updated dependencies [2d44f346]:
  • @​apollo/federation-internals@​2.4.7

v2.4.6

Compare Source

Patch Changes

• Updated dependencies [5cd17e69, e136ad87]:
  • @​apollo/federation-internals@​2.4.6

v2.4.5

Compare Source

Patch Changes

• Supersedes v2.4.4 due to a publishing error with no dist/ folder (#​2583)

• Updated dependencies [c96e24c4]:

  • @​apollo/federation-internals@​2.4.5

v2.4.4

Compare Source

Patch Changes

• Updated dependencies []:
  • @​apollo/federation-internals@​2.4.4

v2.4.3

Compare Source

Patch Changes

• Resolve Promise references before calling __resolveType on interface (#​2556)

  Since the introduction of entity interfaces, users could not return
  a Promise from __resolveReference while implementing a synchronous,
  custom __resolveType function. This change fixes/permits this use case.

  Additional background / implementation details:

  Returning a Promise from __resolveReference has historically never
  been an issue. However, with the introduction of entity interfaces, the
  calling of an interface's __resolveType function became a new concern.

  __resolveType functions expect a reference (and shouldn't be concerned
  with whether those references are wrapped in a Promise). In order to
  address this, we can await the reference before calling the
  __resolveType (this handles both the non-Promise and Promise case).

• Updated dependencies [f6a8c1ce]:

  • @​apollo/federation-internals@​2.4.3

v2.4.2

Compare Source

Patch Changes

• Updated dependencies [2c370508, 179b4602]:
  • @​apollo/federation-internals@​2.4.2

v2.4.1

Compare Source

Patch Changes

• Updated dependencies [b6be9f96]:
  • @​apollo/federation-internals@​2.4.10

v2.4.0

Compare Source

Patch Changes

• Optimises query plan generation for parts of queries that can statically be known to not cross across subgraphs (#​2449)

• Updated dependencies [260c357c, 7bc0f8e8, 1a555d98, cab383b2]:

  • @​apollo/federation-internals@​2.4.0

v2.3.6

Compare Source

Patch Changes

• Updated dependencies [98844fd5, 11f2d7c0, 2894a1ea]:
  • @​apollo/federation-internals@​2.3.6

v2.3.5

Compare Source

Patch Changes

• Updated dependencies []:
  • @​apollo/federation-internals@​2.3.5

v2.3.4

Compare Source

Patch Changes

• Updated dependencies [6e2d24b5]:
  • @​apollo/federation-internals@​2.3.4

v2.3.3

Compare Source

Patch Changes

• Correctly attach provided subscription resolvers to the schema object (#​2388)

• Updated dependencies []:

  • @​apollo/federation-internals@​2.3.3

v2.3.2

Compare Source

Patch Changes

• Updated dependencies []:
  • @​apollo/federation-internals@​2.3.2

v2.3.1

Compare Source

Patch Changes

• Updated dependencies []:
  • @​apollo/federation-internals@​2.3.1

This CHANGELOG pertains only to Apollo Federation packages in the 2.x range. The Federation v0.x equivalent for this package can be found here on the version-0.x branch of this repo.

v2.3.0

Compare Source

• @tag directive support for the SCHEMA location. This has been added to the 2.3 version of the federation spec, so to access this functionality you must bump your federation spec version to 2.3 by using @link(url: "https://specs.apollo.dev/federation/v2.3", ...) on your schema element. PR #​2314.

v2.2.3

Compare Source

v2.2.2

Compare Source

v2.2.1

Compare Source

v2.2.0

Compare Source

• Adds support for the 2.2 version of the federation spec (that is, @link(url: "https://specs.apollo.dev/federation/v2.2")), which:
• allows @shareable to be repeatable so it can be allowed on both a type definition and its extensions PR #​2175.
• Drop support for node12 PR #​2202

v2.1.4

Compare Source

v2.1.3

Compare Source

v2.1.2

Compare Source

v2.1.1

Compare Source

v2.1.0

Compare Source

• Update peer dependency graphql to ^16.5.0 to use GraphQLErrorOptions PR #​2060
• Remove dependency on apollo-server-types PR #​2037
• Expand support for Node.js v18 PR #​1884

v2.0.5

Compare Source

v2.0.4

Compare Source

v2.0.3

Compare Source

• Fix output of printSubgraphSchema method, ensuring it can be read back by composition and buildSubgraphSchema PR #​1831.
• Fix definition of @key to be repeatable PR #​1826.

v2.0.2

Compare Source

• Add __resolveType to _Entity union PR #​1773

v2.0.1

Compare Source

• Released in sync with other federation packages but no changes to this package.

v2.0.0

Compare Source

• Previous preview release promoted to general availability! Please see previous changelog entries for full info.

apollographql/router (ghcr.io/apollographql/router)

v2.1.1

Compare Source

🔒 Security

Certain query patterns may cause resource exhaustion

Corrects a set of denial-of-service (DOS) vulnerabilities that made it possible for an attacker to render router inoperable with certain simple query patterns due to uncontrolled resource consumption. All prior-released versions and configurations are vulnerable except those where persisted_queries.enabled, persisted_queries.safelist.enabled, and persisted_queries.safelist.require_id are all true.

See the associated GitHub Advisories GHSA-3j43-9v8v-cp3f, GHSA-84m6-5m72-45fp, GHSA-75m2-jhh5-j5g2, and GHSA-94hh-jmq8-2fgp, and the apollo-compiler GitHub Advisory GHSA-7mpv-9xg6-5r79 for more information.

By @​sachindshinde and @​goto-bus-stop.

v2.1.0

Compare Source

🚀 Features

Connectors: support for traffic shaping (PR #​6737)

Traffic shaping is now supported for connectors. To target a specific source, use the subgraph_name.source_name under the new connector.sources property of traffic_shaping. Settings under connector.all will apply to all connectors. deduplicate_query is not supported at this time.

Example config:

traffic_shaping:
  connector:
    all:
      timeout: 5s
    sources:
      connector-graph.random_person_api:
        global_rate_limit:
          capacity: 20
          interval: 1s
        experimental_http2: http2only
        timeout: 1s

By @​andrewmcgivery in https://github.com/apollographql/router/pull/6737

Connectors: Support TLS configuration (PR #​6995)

Connectors now supports TLS configuration for using custom certificate authorities and utilizing client certificate authentication.

tls:
  connector:
    sources:
      connector-graph.random_person_api:
        certificate_authorities: ${file.ca.crt}
        client_authentication:
          certificate_chain: ${file.client.crt}
          key: ${file.client.key}

By @​andrewmcgivery in https://github.com/apollographql/router/pull/6995

Update JWT handling (PR #​6930)

This PR updates JWT-handling in the AuthenticationPlugin;

• Users may now set a new config option config.authentication.router.jwt.on_error.
  • When set to the default Error, JWT-related errors will be returned to users (the current behavior).
  • When set to Continue, JWT errors will instead be ignored, and JWT claims will not be set in the request context.
• When JWTs are processed, whether processing succeeds or fails, the request context will contain a new variable apollo::authentication::jwt_status which notes the result of processing.

By @​Velfi in https://github.com/apollographql/router/pull/6930

Add batching.maximum_size configuration option to limit maximum client batch size (PR #​7005)

Add an optional maximum_size parameter to the batching configuration.

• When specified, the router will reject requests which contain more than maximum_size queries in the client batch.
• When unspecified, the router performs no size checking (the current behavior).

If the number of queries provided exceeds the maximum batch size, the entire batch fails with error code 422 (Unprocessable Content). For example:

{
  "errors": [
    {
      "message": "Invalid GraphQL request",
      "extensions": {
        "details": "Batch limits exceeded: you provided a batch with 3 entries, but the configured maximum router batch size is 2",
        "code": "BATCH_LIMIT_EXCEEDED"
      }
    }
  ]
}

By @​carodewig in https://github.com/apollographql/router/pull/7005

Introduce PQ manifest hot_reload option for local manifests (PR #​6987)

This change introduces a persisted_queries.hot_reload configuration option to allow the router to hot reload local PQ manifest changes.

If you configure local_manifests, you can set hot_reload to true to automatically reload manifest files whenever they change. This lets you update local manifest files without restarting the router.

persisted_queries:
  enabled: true
  local_manifests:
    - ./path/to/persisted-query-manifest.json
  hot_reload: true

Note: This change explicitly does not piggyback on the existing --hot-reload flag.

By @​trevor-scheer in https://github.com/apollographql/router/pull/6987

Add support to get/set URI scheme in Rhai (Issue #​6897)

This adds support to read and write the scheme from the request.uri.scheme/request.subgraph.uri.scheme functions in Rhai,
enabling the ability to switch between http and https for subgraph fetches. For example:

fn subgraph_service(service, subgraph){
    service.map_request(|request|{
        log_info(`${request.subgraph.uri.scheme}`);
        if request.subgraph.uri.scheme == {} {
            log_info("Scheme is not explicitly set");
        }
        request.subgraph.uri.scheme = "https"
        request.subgraph.uri.host = "api.apollographql.com";
        request.subgraph.uri.path = "/api/graphql";
        request.subgraph.uri.port = 1234;
        log_info(`${request.subgraph.uri}`);
    });
}

By @​starJammer in https://github.com/apollographql/router/pull/6906

Add router config validate subcommand (PR #​7016)

Adds new router config validate subcommand to allow validation of a router config file without fully starting up the Router.

./router config validate <path-to-config-file.yaml>

By @​andrewmcgivery in https://github.com/apollographql/router/pull/7016

Enable remote proxy downloads of the Router

This enables users without direct download access to specify a remote proxy mirror location for the GitHub download of
the Apollo Router releases.

By @​LongLiveCHIEF in https://github.com/apollographql/router/pull/6667

Add metric to measure cardinality overflow frequency (PR #​6998)

Adds a new counter metric, apollo.router.telemetry.metrics.cardinality_overflow, that is incremented when the cardinality overflow log from opentelemetry-rust occurs. This log means that a metric in a batch has reached a cardinality of > 2000 and that any excess attributes will be ignored.

By @​rregitsky in https://github.com/apollographql/router/pull/6998

Add metrics for value completion errors (PR #​6905)

When the router encounters a value completion error, it is not included in the GraphQL errors array, making it harder to observe. To surface this issue in a more obvious way, router now counts value completion error metrics via the metric instruments apollo.router.graphql.error and apollo.router.operations.error, distinguishable via the code attribute with value RESPONSE_VALIDATION_FAILED.

By @​timbotnik in https://github.com/apollographql/router/pull/6905

Add apollo.router.pipelines metrics (PR #​6967)

When the router reloads, either via schema change or config change, a new request pipeline is created.
Existing request pipelines are closed once their requests finish. However, this may not happen if there are ongoing long requests that do not finish, such as Subscriptions.

To enable debugging when request pipelines are being kept around, a new gauge metric has been added:

• apollo.router.pipelines - The number of request pipelines active in the router
  • schema.id - The Apollo Studio schema hash associated with the pipeline.
  • launch.id - The Apollo Studio launch id associated with the pipeline (optional).
  • config.hash - The hash of the configuration

By @​BrynCooke in https://github.com/apollographql/router/pull/6967

Add apollo.router.open_connections metric (PR #​7023)

To help users to diagnose when connections are keeping pipelines hanging around, the following metric has been added:

• apollo.router.open_connections - The number of request pipelines active in the router
  • schema.id - The Apollo Studio schema hash associated with the pipeline.
  • launch.id - The Apollo Studio launch id associated with the pipeline (optional).
  • config.hash - The hash of the configuration.
  • server.address - The address that the router is listening on.
  • server.port - The port that the router is listening on if not a unix socket.
  • http.connection.state - Either active or terminating.

You can use this metric to monitor when connections are open via long running requests or keepalive messages.

By @​bryncooke in https://github.com/apollographql/router/pull/7023

Add span events to error spans for connectors and demand control plugin (PR #​6727)

New span events have been added to trace spans which include errors. These span events include the GraphQL error code that relates to the error. So far, this only includes errors generated by connectors and the demand control plugin.

By @​bonnici in https://github.com/apollographql/router/pull/6727

Changes to experimental error metrics (PR #​6966)

In 2.0.0, an experimental metric telemetry.apollo.errors.experimental_otlp_error_metrics was introduced to track errors with additional attributes. A few related changes are included here:

• Sending these me

---

Configuration

📅 Schedule: Branch creation - "* 0-4,22-23 * * 1-5,* * * * 0,6" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.