Skip to content

Version Packages#8192

Merged
glasser merged 2 commits intomainfrom
changeset-release/main
Mar 24, 2026
Merged

Version Packages#8192
glasser merged 2 commits intomainfrom
changeset-release/main

Conversation

@github-actions
Copy link
Copy Markdown
Contributor

@github-actions github-actions bot commented Mar 24, 2026

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@apollo/server-integration-testsuite@5.5.0

Minor Changes

  • #8191 ada1200 Thanks @glasser! - ⚠️ SECURITY @apollo/server/standalone:

    Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

    (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

    This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

    If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

    This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

    See advisory GHSA-9q82-xgwf-vj6h for more details.

Patch Changes

  • Updated dependencies [ada1200]:
    • @apollo/server@5.5.0

@apollo/server@5.5.0

Minor Changes

  • #8191 ada1200 Thanks @glasser! - ⚠️ SECURITY @apollo/server/standalone:

    Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

    (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

    This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

    If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

    This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

    See advisory GHSA-9q82-xgwf-vj6h for more details.

@apollo-librarian
Copy link
Copy Markdown

apollo-librarian bot commented Mar 24, 2026
edited
Loading

✅ Docs preview ready

The preview is ready to be viewed. View the preview

File Changes

0 new, 3 changed, 0 removed 
* (developer-tools)/apollo-server/(latest)/integrations/building-integrations.md
* (developer-tools)/apollo-server/(latest)/security/cors.mdx
* (developer-tools)/apollo-server/(latest)/workflow/requests.md

Build ID: 2aec2ccd8a9d64f41f3f2bd2
Build Logs: View logs

URL: https://www.apollographql.com/docs/deploy-preview/2aec2ccd8a9d64f41f3f2bd2

✅ AI Style Review — No Changes Detected

No MDX files were changed in this pull request.

Review Log: View detailed log

This review is AI-generated. Please use common sense when accepting these suggestions, as they may not always be accurate or appropriate for your specific context.

@codesandbox-ci
Copy link
Copy Markdown

codesandbox-ci bot commented Mar 24, 2026
edited
Loading

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

@glasser glasser merged commit 64c0e1b into main Mar 24, 2026
19 checks passed
@glasser glasser deleted the changeset-release/main branch March 24, 2026 19:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@glasser