The version headers in this history reflect the versions of Apollo Server itself. Versions of other packages (e.g., those which are not actual HTTP integrations; packages not prefixed with "apollo-server
", or just supporting packages) may use different versions.
🆕 Please Note!: 🆕 The @apollo/federation
and @apollo/gateway
packages now live in the apollographql/federation
repository.
⚠️ SECURITY: The cache control plugin no longer sets thecache-control
HTTP response header if the operation is part of a batched HTTP request. Previously, it would set the header to a value describing the cache policy of only one of the operations in the request, which could lead to data being unintentionally cached by proxies or clients. This bug was introduced in v3.0.0 and this fix restores the behavior of Apollo Server 2. (In Apollo Server 4 (specifically,@apollo/[email protected]
or newer), the features work properly together, setting the header based on the combined cache policy of all operations.) This could theoretically have led to data tagged as uncacheable being cached and potentially served to different users. More details are available at the security advisory.apollo-server-core
: New fieldGraphQLRequestContext.requestIsBatched
available to plugins.
apollo-server-core
: Manage memory more efficiently in the usage reporting plugin by allowing large objects to be garbage collected more quickly. PR #7106apollo-server-core
: The usage reporting plugin now defaults to a 30 second timeout for each attempt to send reports to Apollo Server instead of no timeout; the timeout can be adjusted with the newrequestTimeoutMs
option toApolloServerPluginUsageReporting
. (Apollo's servers already enforced a 30 second timeout, so this is unlikely to break any existing use cases.) PR #7106
apollo-server-core
: Fix memory leak in usage reporting plugin. Issue #6983 [PR #6999](https://github.com/apollographql/apollo-server/[Issue #6983](#6983)
apollo-server-fastify
: Usereturn reply.send
in handlers to match the pattern encouraged by Fastify 4 (althoughapollo-server-fastify@3
only works with Fastify 3). PR #6798[email protected]
: Add optionmemoizeGetRequests
to disable GET cache PR #6650 and PR #6834
⚠️ SECURITY: The default landing page contained HTML to display a samplecurl
command which is made visible if the full landing page bundle could not be fetched from Apollo's CDN. The server's URL is directly interpolated into this command inside the browser fromwindow.location.href
. On some older browsers such as IE11, this value is not URI-encoded. On such browsers, opening a malicious URL pointing at an Apollo Router could cause execution of attacker-controlled JavaScript. In this release, the fallback page does not display acurl
command. More details are available at the security advisory.- Improve error message when both a graph ref and a graph variant are specified. PR #6709
- Fix the TypeScript declaration of the
fieldLevelInstrumentation
option toApolloServerPluginUsageReporting
to show that the function may return a number in addition to a boolean. This now matches the implementation and docs. PR #6763
- Add
document
,variables
,headers
as an option in theApolloServerPluginLandingPageLocalDefault
plugins. The embedded version of Apollo Sandbox can now use these options as an initial state. PR #6628 - Add
generateCacheKey
toApolloServerPluginResponseCache
to allow for custom cache keys. PR #6655
⚠️ SECURITYapollo-server-core
: The default configuration of Apollo Server is vulnerable to denial of service attacks via memory exhaustion. If you do not currently specify thecache
option tonew ApolloServer()
, we strongly recommend you specifycache: 'bounded'
, which replaces the default in-memory unbounded cache with a 30MB in-memory cache, or disable automatic persisted queries withpersistedQueries: false
. Apollo Server now logs a warning in production if you do not configure the cache or disable APQs. See the docs for more details.- The
apollo-server-caching
package is no longer published. The TypeScript typesKeyValueCache
andKeyValueCacheSetOptions
and the classesPrefixingKeyValueCache
andInMemoryLRUCache
can be imported from@apollo/utils.keyvaluecache
instead. The first three exports are identical;InMemoryLRUCache
is based onlru-cache
v7 instead of v6, and no longer supports creating unbounded caches (which was the default behavior forapollo-server-caching
'sInMemoryLRUCache
). PR #6522 - The
apollo-server-cache-redis
andapollo-server-cache-memcached
packages are no longer published (though previous versions continue to work). We recommend that users of these packages migrate to@apollo/utils.keyvadapter
, which lets you connect to Redis, Memcached, or any other backend supported by the Keyv project. See the new cache backend docs for more details. PR #6541 - Avoid unhandled rejection errors if the end hook from a
parsingDidStart
plugin method rejects. Issue #6567 PR #6559
apollo-server-core
: Fix usage reporting plugin "willResolveField called after stopTiming!" error caused by a race condition related to null bubbling. Issue #4472 PR #6398
- This is a patch release strictly for republishing over what appears to be a hiccup in NPMs service. Issue #6469
- Add
embed
as an option in theApolloServerPluginLandingPageLocalDefault
andApolloServerPluginLandingPageProductionDefault
plugins. If you pass theembed
option toApolloServerPluginLandingPageLocalDefault
, the Apollo Studio Sandbox will be embedded on your Apollo Server endpoint. If you pass theembed
option toApolloServerPluginLandingPageProductionDefault
, the Apollo Studio embedded Explorer will be embedded on your Apollo Server endpoint. In both cases, users can use the embedded app to run GraphQL operations without any special CORS setup. - Add a few missing dependencies to packages. PR #6393
- Factor out some usage reporting code to a shared package in the
apollo-utils
repository. Should not be a visible change. PR #6449
⚠️ SECURITYapollo-server-core
: Apollo Server now includes protection against CSRF and XS-Search attacks. We highly recommend enabling this feature by passingcsrfPrevention: true
tonew ApolloServer()
. If you rely on the ability to execute GraphQL operations via HTTPGET
requests using a client other than Apollo Client Web, Apollo iOS, or Apollo Kotlin (formerly Apollo Android), you may need to first change the configuration of that client. See the CSRF prevention docs for more details. This vulnerability was reported by Jeffrey Hofmann; the feature was designed with advice from Luca Carettoni of Doyensec.
apollo-server-fastify
: This package now depends on the@fastify/accepts
and@fastify/cors
packages rather than their older deprecated namesfastify-accepts
andfastify-cors
. There is no behavior change (except that you will no longer see deprecation messages). PR #6366apollo-server-types
: TheLogger
TypeScript interface is now re-exported from the new@apollo/utils.logger
package instead of defined directly in this package; other packages import it from the new package. There should be no observable change. PR #6229
apollo-server-core
: Update@apollographql/apollo-tools
dependency to the latest version which now properly lists its peer dependencies. This fixes a problem with using Yarn3 PnP PR #6273
⚠️ SECURITYapollo-server-core
: Apollo Server 3.4.0 introduced a newdocumentStore
constructor option (replacing theexperimental_approximateDocumentStoreMiB
option) which allows you to customize an internal cache used by ApolloServer to memoize the results of parsing and validating GraphQL operations. When this option was combined with thegateway
option, it was possible for Apollo Server to attempt to execute invalid GraphQL operations. Specifically, if a server processed an operation and then its schema was updated with a change that made that operation no longer valid, the server could still attempt to execute the operation again without re-validating it against the new schema. The problem only lasts until the server is restarted. This release changes the semantics of thedocumentStore
option so that a different key prefix is used each time the schema is updated. (As a side effect, you no longer have to be careful to avoid sharing adocumentStore
between multipleApolloServer
objects.) This update is highly recommended for any users that specify bothdocumentStore
andgateway
innew ApolloServer()
.
apollo-server-plugin-usage-reporting
: Stop distributing unnecessarygenerated/reports.proto
file. Count executable operations. PR #6239
apollo-server-core
: Fixes a regression in v3.6.0 where usage reporting would never send traces for unexecutable operations (parse errors, validation errors, and unknown operation name errors). While "traces" for these operations won't actually contain an execution tree, they can contain interesting errors. Issue #6193 PR #6194
apollo-server-core
: The inline trace plugin will now include the full query plan and subgraph traces if manually installed in an Apollo Gateway. (Previously, you technically could install this plugin in a Gateway but it would not have any real trace data.) This is recommended for development use only and not in production servers. PR #6017apollo-server-core
: The default landing page plugins now take anincludeCookies
option which allows you to specify that Explorer should send cookies to your server. PR #6014apollo-server-core
: Apollo Server has a heuristic added in v2.23.0 and improved in v3.1.0 which tries to detect execution errors that come from thegraphql-js
variable value validation phase and report them with anextensions.code
ofBAD_USER_INPUT
rather thanINTERNAL_SERVER_ERROR
. In this release, the heuristic is improved to include some cases including variables that are non-null lists. PR #6066
⚠️ SECURITYapollo-server-env
: Update dependency onnode-fetch
to require v2.6.7 rather than v2.6.1. This includes the fix to CVE-2022-0235, a vulnerability where credentials sent along with a request could be sent to a different origin if the fetched URL responds with an attacker-controlled HTTP redirect. This is the default fetcher used byapollo-datasource-rest
, usage reporting, schema reporting, and@apollo/gateway
in versions prior to v0.46.0. We do not believe that the way that this is used by usage reporting or schema reporting is vulnerable to the exploit, but if you useapollo-datasource-rest
in such a way that the servers you talk to might serve a surprising redirect, this upgrade would be helpful. Note that to ensure you're using the appropriate version ofapollo-server-env
withapollo-datasource-rest
, you need to be using v3.5.1 of that package. (We plan to separate the release process ofapollo-datasource-rest
from Apollo Server soon so that it can have a more reasonable changelog.) If upgrading to this version is challenging, you can also work around this by ensuring that[email protected]
is the version used in your project, or by specifying afetcher
explicitly to your older Gateway, REST datasource, etc.apollo-server-core
: ThetypeDefs
,resolvers
, andparseOptions
constructor arguments are passed directly through tomakeExecutableSchema
from@graphql-tools/schema
if provided. Now their TypeScript type definitions come directly from that package so that any types accepted by that package can be provided. PR #5978apollo-server-fastify
: Drop dependency onfast-json-stringify
. PR #5988apollo-server-azure-functions
: Update TypeScript types package@azure/functions
from v1 to v3 and change it to a dev dependency. (We were advised to change it to a dev dependency by the authors of the package; if this turns out to be problematic we can revert this part of the change. They also do not believe this is a backwards-incompatible change despite the major version bump; this package does a major version bump when the underlying Azure Functions runtime has a major version bump.) PR #5919
- Correctly remove dependency on
apollo-graphql
as intended in v3.6.0. Issue #5981 PR #5981
apollo-server-core
: Studio usage reporting now reports "referenced operations" for fields in addition to "field executions", which can be seen on the Studio Fields page. This new statistic provides visibility into uses of fields that are not executed. It is also more efficient to generate and (for Apollo Gateways) does not require subgraphs to support federated tracing. Additionally, the newfieldLevelInstrumentation
option toApolloServerPluginUsageReporting
allows you to disable field-level tracing on a per-operation basis, and to report weights for operations to allow for estimates of the field execution count even when not all operations are instrumented. Note that the semantics of therequestContext.metrics.captureTraces
field have changed. See the Studio Fields page docs and thefieldLevelInstrumentation
docs for more details. Issue #5708 PR #5956 PR #5963apollo-server-core
: Usage reporting no longer sends a "client reference ID" to Apollo Studio (along with the client name and client version). This little-used feature has not been documented since 2019 and is currently entirely ignored by Apollo Studio. This is technically incompatible as the interfaceClientInfo
no longer has the fieldclientReferenceId
; if you were one of the few users who explicitly set this field and you get a TypeScript compilation failure upon upgrading to v3.6.0, just stop using the field. PR #5890apollo-server-core
: Remove dependency onapollo-graphql
package (by inlining the code which generates usage reporting signatures). That package has not yet been published with agraphql@16
peer dependency, so Apollo Server v3.5 did not fully supportgraphql@16
without overriding peer dependencies. Issue #5941 PR #5955
- Apollo Server now supports
graphql@16
. (There is a very small backwards incompatibility:ApolloError.originalError
can no longer benull
, matching the type ofGraphQLError.originalError
. Useundefined
instead. If this causes challenges, let us know and we can try to adapt.) PR #5857 -apollo-server-core
: Fix build error when building with@rollup/plugin-commonjs
. PR #5797 apollo-server-plugin-response-cache
: Add missing dependency onapollo-server-types
(broken since v3.0.0). Issue #5804 PR #5816apollo-server-core
: The default landing page plugins now takedocument
,variables
, andheaders
arguments which fill in default values if you click through to Explorer. PR #5711apollo-server-core
: Support for HTTP request batching can now be disabled by passingallowBatchedHttpRequests: false
tonew ApolloServer
. PR #5778 Issue #5686
⚠️ SECURITYapollo-server-core
: Update default version of the GraphQL Playground React app loaded from the CDN to be@apollographql/[email protected]
. This patches an XSS vulnerability. Note that if you are pinning the Playground React app version in your app withnew ApolloServer({plugins: [ApolloServerPluginLandingPageGraphQLPlayground({version: 'some version'})]})
, you will need to update the specified version to 1.7.42 or later to avoid this vulnerability. If you do not explicitly enable GraphQL Playground via theApolloServerPluginLandingPageGraphQLPlayground
plugin, this vulnerability does not affect you. See advisory GHSA-qm7x-rc44-rrqw for more details.
apollo-server-core
: You can now specify your ownDocumentStore
(aKeyValueStore<DocumentNode>
) for Apollo Server's cache of parsed and validated GraphQL operation abstract syntax trees via the newdocumentStore
constructor option. This replaces theexperimental_approximateDocumentStoreMiB
option. You can replacenew ApolloServer({experimental_approximateDocumentStoreMiB: approximateDocumentStoreMiB, ...moreOptions})
with:PR #5644 Issue #5634import { InMemoryLRUCache } from 'apollo-server-caching'; import type { DocumentNode } from 'graphql'; new ApolloServer({ documentStore: new InMemoryLRUCache<DocumentNode>({ maxSize: Math.pow(2, 20) * approximateDocumentStoreMiB, sizeCalculator: InMemoryLRUCache.sizeCalculator, }), ...moreOptions, })
apollo-server-core
: For ease of testing, you can specify the node environment vianew ApolloServer({nodeEnv})
in addition to via theNODE_ENV
environment variable. The environment variable is now only read during server startup (and in some error cases) rather than on every request. PR #5657apollo-server-koa
: The peer dependency onkoa
(added in v3.0.0) should be a^
range dependency rather than depending on exactly one version, and it should not be automatically increased when new versions ofkoa
are released. PR #5759apollo-server-fastify
: ExportApolloServerFastifyConfig
andFastifyContext
TypeScript types. PR #5743apollo-server-core
: Only generate the schema hash once on startup rather than twice. PR #5757[email protected]
: When choosing whether or not to parse a response as JSON, treat anycontent-type
ending in+json
as JSON rather than justapplication/hal+json
(in addition toapplication/json
). PR #5737apollo-server
: You can now configure the health check URL path with thehealthCheckPath
constructor option, or disable serving health checks by passingnull
for this option. (This option is specific to the batteries-includedapollo-server
package; if you're using a framework integration package and want to serve a health check at a different path, just use your web framework directly.) PR #5270 Issue #3577apollo-server-azure-functions
: This package now supports health checks like all of the other supported Apollo Server packages; they are on by default and can be customized withdisableHealthCheck
andonHealthCheck
. [PR #5003](https:// github.com//pull/5003) Issue #4925- Tests are no longer distributed inside published npm modules. PR #5799 Issue #5781
apollo-server-core
: Error handling when aserverWillStop
callback invoked byserver.stop()
(orgateway.stop()
) throws is now consistent: the original call toserver.stop()
throws the error, and any concurrent and subsequent calls toserver.stop()
throw the same error. Prior to Apollo Server v2.22.0, the original call threw the error and the behavior of concurrent and subsequent calls was undefined (in practice, it would call shutdown handlers a second time). Apollo Server v2.22.0 intended to put these semantics into place where all three kinds of calls would throw, but due to bugs, the original call would return without error and concurrent calls would hang. (Subsequent calls would correctly throw the error.) In addition, errors thrown by thedrainServer
hook introduced in Apollo Server v3.2.0 are now handled in the same way. Issue #5649 PR #5653
If you're using apollo-server-express
or another framework integration, we highly recommend that you enable the new graceful shutdown feature after upgrading to 3.2.0. See the docs for ApolloServerPluginDrainHttpServer
or the basic usage for your integration of choice.
apollo-server-core
: Previously, only the batteries-includedapollo-server
package supported a graceful shutdown. Now the integrations support it as well, if you tell yourApolloServer
which HTTP server to drain with the newApolloServerPluginDrainHttpServer
plugin. This plugin implements a newdrainServer
plugin hook. Forapollo-server-hapi
you can useApolloServerPluginStopHapiServer
instead. PR #5635apollo-server-core
: Fixexperimental_approximateDocumentStoreMiB
option, which seems to have never worked before. PR #5629apollo-server-core
: Only registerSIGINT
andSIGTERM
handlers once the server successfully starts up; trying to callstop
on a server that hasn't successfully started had undefined behavior. By default, don't register the handlers in serverless integrations, which don't have the same lifecycle as non-serverless integrations (eg, there's no explicitstart
call); you can still explicitly setstopOnTerminationSignals
to override this default. PR #5639
apollo-server-core
: Update versions of@graphql-tools/schema
and@graphql-tools/utils
from v7 to v8. While there is no change in behavior in these versions, a recently-released version of@graphql-tools/mock
depends on them, and so without this change, you typically end up with two copies of them installed.
apollo-server-env
: UpdateHeaders.values()
type to match whatnode-fetch
actually does and what the Fetch spec says it should be, and what@types/node-fetch
finally gets correct. PR #5537
apollo-server-core
: If a client does not provide a value or provides null for a variable declared to be non-null, this is now reported as an error with anextensions.code
ofBAD_USER_INPUT
rather thanINTERNAL_SERVER_ERROR
. (This is similar to a change we made in v2.23.0 for variables that are sent as the wrong type.) PR #5508 Issue #5353apollo-server-core
/apollo-server-plugin-base
: Add support forschemaDidLoadOrUpdate
event hooks, to be specified by theserverWillStart
event hook. Plugins listening for this event will receive the API schema (and core schema for gateways) when the server's schema is initially loaded and when the server's schema is updated. For more information about this plugin event, see the plugin event reference documentation. PR #5187apollo-server-core
: Add support for schema reporting when using Apollo Gateway. At the time of this package's release, Apollo Studio does not yet support schema reporting from gateways, so you should not use this feature yet for gateways (unless instructed otherwise by Apollo staff or by the Studio docs). If you do enable schema reporting for a gateway, the version of@apollo/gateway
must be at least0.35.0
, or elsestart()
will error. PR #5187apollo-server-core
: Support gateways without executors, to help with mocking gateways. Note that if you have a customGatewayInterface
implementation, Apollo Server will now honor theexecutor
returned fromload
and will ignore theexecutor
method on the gateway itself. See the PR for details. PR #5539apollo-server-plugin-response-cache
,apollo-server-plugin-operation-registry
: Change how the default export from the package is set up to fix errors with some build tools. PR #5542
apollo-server-types
: TypeScript typings forinfo.cacheControl
are now added toGraphQLResolveInfo
as part ofapollo-server-types
rather than a nested file inapollo-server-core
, and the field now has a named type,ResolveInfoCacheControl
. PR #5512apollo-server-micro
: Like the other framework integrations, only serve landing pages from the GraphQL path (/graphql
by default, configurable via thepath
option tocreateHandler
). PR #5516apollo-server-env
: Remove polyfills ofObject.values
,Object.entries
, andutil.promisify
which were only required for Node 6 support. RemoveValueOrPromise
andWithRequired
TypeScript types that are also provided byapollo-server-types
. PR #5515
apollo-server-core
: The defaultmaxAge
(which defaults to 0) for a field should only be applied if no dynamic cache control hint is set. Specifically, if you call the (new in 3.0.0) functioninfo.cacheControl.cacheHint.restrict({ maxAge: 60 })
, it should setmaxAge
to 60 even if the default max age is lower. (This bug fix is the behavior that was intended for 3.0.0, and primarily affects the behavior of functions added in Apollo Server 3. This does mean that checkinginfo.cacheControl.cacheHint
now only shows explicitly-setmaxAge
and not the default, but this seems like it will be helpful since it lets you differentiate between the two similar circumstances.) PR #5492apollo-server-lambda
: Fix TypeScript types forcontext
function. (In 3.0.0, the TS types for thecontext
function were accidentally inherited fromapollo-server-express
instead of using the correct Lambda-specific types). PR #5481apollo-server-lambda
,apollo-server-cloud-functions
: Make the default URL path for handling GraphQL be/
(ie, handle all requests). This is similar to how these packages work in Apollo Server 2. After this change,apollo-server
and the serverless integrations have a default URL path of/
(or ignore the path entirely, in the case ofapollo-server-azure-functions
), and the framework integrations have a default URL path of/graphql
. This is a backwards-incompatible change from 3.0.1 but minimizes the changes from Apollo Server 2 (and this AS3 change was not intended or documented). PR #5497 Issue #5462
Apollo Server 3 contains quite a few breaking changes. Read our migration guide for more details on how to update your app.
The minimum versions of these dependencies have been bumped to provide an improved foundation for the development of future features.
- Dropped support for Node.js v6, v8 and v10. Apollo Server 3.x is being compiled to ES2020, which maps to Node.js 12+.
- Note also that we only test Apollo Server on even-numbered versions of Node.js, and we only aim to support Node.js versions that are under long-term support from the Node.js Foundation.
- Dropped support for versions of the
graphql
library prior to15.3.0
. - The
mocks
option of theApolloServer
constructor now uses@graphql-tools/mock
v7 instead ofgraphql-tools
v4, which causes some breaking changes.- For example, mock functions no longer receive arguments and cannot return
Promise
s. - Note that some parts of the v7 migration guide suggest using the
resolvers
argument toaddMocksToSchema
. Apollo Server does not support this option, but you can calladdMocksToSchema
yourself and pass the result to theschema
option of theApolloServer
constructor.
- For example, mock functions no longer receive arguments and cannot return
Certain undersupported and underused Apollo Server features have been removed in favor of current or future methods for achieving similar functionality. Many of these features can be manually re-enabled, as listed below.
-
Dropped built-in partial support for subscriptions via the
subscriptions-transport-ws
package.- This integration did not support many Apollo Server features, and
subscriptions-transport-ws
has not been actively maintained. - To re-enable subscriptions in Apollo Server 3 as they're supported in v2, see the migration guide.
- We hope to provide more deeply integrated subscription support in a future release.
- This integration did not support many Apollo Server features, and
-
Dropped built-in support for file uploads via the
graphql-upload
package.- To re-enable file uploads in Apollo Server 3 as they're supported in v2, see the migration guide.
-
Dropped support for the
graphql-extensions
API (e.g.,GraphQLExtensions
,extensions
) in favor of the Apollo Server plugins API. -
Dropped support for passing the
schemaDirectives
option to theApolloServer
constructor.-
This option was passed directly to the
graphql-tools
functionmakeExecutableSchema
. To continue using it, you can importmakeExecutableSchema
from@graphql-tools/schema
and call it yourself:new ApolloServer({ schema: makeExecutableSchema({ typeDefs, resolvers, schemaDirectives }) })
Note that
graphql-tools
calls this feature "legacy" schema directives, and you might want to consider the newerschemaTransforms
option instead.
-
-
Removed the deprecated
ApolloServer.schema
field, which never worked with federated gateways.- To extract your schema from your server, you can make a plugin with
serverWillStart
or registeronSchemaChange
on your gateway.
- To extract your schema from your server, you can make a plugin with
-
apollo-datasource-rest
: We no longer officially support overriding thebaseURL
property with a getter, because TypeScript 4 does not allow you to do so. -
Removed the automatic addition of the
@cacheControl
directive to schemas.- This directive was added in some circumstances but not in others, which caused confusion.
- If you use
@cacheControl
, you can define it in your schema as shown in the docs.
-
Removed the
tracing
option passed to theApolloServer
constructor. The correspondingapollo-tracing
package has been deprecated and is no longer being published.-
This package implemented an inefficient JSON format for execution traces returned via the
tracing
GraphQL response extension. This format was only consumed by the deprecatedengineproxy
and GraphQL Playground. -
If you rely on this trace format, the old version of
apollo-tracing
should still work:new ApolloServer({ plugins: [ require('apollo-tracing').plugin() ] });
-
-
Removed a redundant mechanism for applying extensions to an
ApolloError
.- Applied extensions are now available only on
error.extensions
, and are not also available onerror
itself. - For details, see #5294.
- Relatedly, the
ForbiddenError
andAuthenticationError
constructors now allow you to pass additional extensions.
- Applied extensions are now available only on
-
Removed the
cacheControl
option passed to theApolloServer
constructor.- By default, Apollo Server continues to calculate an overall cache policy for each operation and sets the
Cache-Control
HTTP header. However, this is now implemented directly insideapollo-server-core
instead of inside a separateapollo-cache-control
package (this package has been deprecated and is no longer being published). - Setting cache control options like
defaultMaxAge
is now done via the newly exportedApolloServerPluginCacheControl
plugin, instead of as a top-level constructor option. This follows the same pattern as other built-in plugins like usage reporting. - The
CacheHint
andCacheScope
types are now exported fromapollo-server-types
. Theinfo.cacheControl.cacheHint
object now has additional methods (replace
,restrict
, andpolicyIfCacheable
), and its fields update when those methods orsetCacheHint
are called. These methods also exist onrequestContext.overallCachePolicy
, which is always defined and which should not be overwritten (usereplace
instead). There is also a new functioninfo.cacheControl.cacheHintFromType
available. @cacheControl
directives on type extensions are no longer ignored. Fields returning union types are now treated similarly to fields returning object and interface types (@cacheControl
directives on the type are honored, the defaultmaxAge
is applied to them).- New feature:
@cacheControl(inheritMaxAge: true)
when applied to a composite type or a field returning a composite type means that the defaultmaxAge
is not applied to that field (unless it is a root field).
- By default, Apollo Server continues to calculate an overall cache policy for each operation and sets the
-
Due to conflicts with same/similar globals provided by
@types/supertest
(which we use in our testing), some global TypeScript definitions have been removed fromapollo-server-env
including that of, e.g.,fetch
,RequestInfo
,Headers
,Request
,Response
,ResponseInit
, and more. See the full list prior to removal here. Internally in the Apollo Server tests, for the time-being, we are relying on the same-named types from TypeScript'slib.dom.d.ts
— e.g., itsRequestInfo
type definition. For more details, see PR #5165. -
Top-level exports have changed. For example:
- We no longer re-export the entirety of
graphql-tools
(includingmakeExecutableSchema
) from all Apollo Server packages. To continue using them, installgraphql-tools
or one of its sub-packages yourself. - The
Upload
scalar is no longer exported as part of dropping built-in support for file uploads.
- We no longer re-export the entirety of
-
Stopped publishing the deprecated
apollo-server-testing
package. This package is just a wrapper aroundserver.executeOperation
, which you can use directly. -
apollo-server-caching
: The test suite helper works differently, and theTestableKeyValueCache
interface is removed. -
The
engine
constructor option,ENGINE_API_KEY
environment variable, andENGINE_SCHEMA_TAG
environment variables are no longer supported. Use theapollo
constructor option,APOLLO_KEY
environment variable, andAPOLLO_GRAPH_VARIANT
environment variable instead, as described in [theengine
option migration guide from v2.18)[https://www.apollographql.com/docs/apollo-server/v2/migration-engine-plugins/]. -
When you supply an Apollo API key via the
APOLLO_KEY
environment variable ornew ApolloServer({apollo: {key}})
, Apollo Server 3 no longer parses the key to guess your Studio graph ID. You must specify it yourself, either via theAPOLLO_GRAPH_ID
environment variable (ornew ApolloServer({apollo: {graphId}})
), or as a graph ref along with the variant (e.g.,your-graph-id@your-graph-variant
) in theAPOLLO_GRAPH_REF
environment variable (ornew ApolloServer({apollo: {graphRef}})
).
- With one exception, all Apollo Server plugin methods (
requestDidStart
,didResolveOperation
, etc.) are nowasync
.- Previously, some of these methods were synchronous, others were
async
, and some were "sometimes-async
" by returning aValueOrPromise
. - The exception is
willResolveField
, which remains synchronous. This method is called much more often than any other plugin method, and converting it toasync
might affect performance. - In a future release,
willResolveField
might become "sometimes-async
" by returning aValueOrPromise
.
- Previously, some of these methods were synchronous, others were
- Apollo Server now always fires the
willSendResponse
plugin lifecycle event after firingdidEncounterError
.- In certain error cases (mostly related to automated persisted queries), Apollo Server 2 skips firing
willSendResponse
.
- In certain error cases (mostly related to automated persisted queries), Apollo Server 2 skips firing
- The
executionDidStart
event can no longer return a function as an "end hook". The "end hook" for this event now must be provided as an async function property calledexecutionDidEnd
on an object. - Renamed the
GraphQLService
interface toGatewayInterface
.- This interface is the type used to provide a federated gateway instance to Apollo Server. Its name has been changed to reduce ambiguity.
- The previous name is still exported for backward compatibility purposes.
- Added support for serving a custom landing page at Apollo Server's base URL.
- Plugins can define a new
renderLandingPage
hook that returns an HTML page to serve to browsers. - New plugins (
ApolloServerPluginLandingPageProductionDefault
andApolloServerPluginLandingPageLocalDefault
) are installed by default (the former whenNODE_ENV
isproduction
, the latter otherwise) with instructions on how to communicate with the server, links to Apollo Sandbox, etc. - A new
ApolloServerPluginLandingPageGraphQLPlayground
plugin can be installed instead to continue to use GraphQL Playground instead. Theplayground
option provided to theApolloServer
constructor has been removed; to customize GraphQL Playground you can provide an argument to the new playground plugin. By default, no GraphQL Playground settings are overridden, including the endpoint, which now defaults towindow.location.href
(with most query parameters removed). This means you typically don't have to manually configure the endpoint when using GraphQL Playground. - To disable all landing pages, install the new
ApolloServerPluginLandingPageDisabled
plugin. - Apollo Server packages no longer export
defaultPlaygroundOptions
,PlaygroundConfig
, orPlaygroundRenderPageOptions
.
- Plugins can define a new
- Bad request errors (invalid JSON, missing body, etc) are more consistent across integrations and consistently return 4xx status codes instead of sometimes returning 5xx status codes.
- Setting
requestContext.response.http.status
now affects successful GraphQL responses, not just errors.
-
When using a non-serverless framework integration (Express, Fastify, Hapi, Koa, Micro, or Cloudflare), you now must call
await server.start()
before attaching the server to your framework.- This method was introduced in v2.22 but was optional prior to Apollo Server 3.
- This requirement does not apply to the
apollo-server
library or to serverless framework integrations.
-
apollo-server-express
no longer officially supports using with theconnect
framework.- We have not actively removed any
connect
compatibility code, and we do still test that it works withconnect
. However, we reserve the right to break that compatibility without a major version bump of this package (we will certainly note in this changelog if we do so).
- We have not actively removed any
-
apollo-server-lambda
: This package is now implemented as a wrapper aroundapollo-server-express
.createHandler
's argument now has different options:expressGetMiddlewareOptions
, which includes options likecors
and is passed through toapollo-server-express
'sgetMiddleware
expressAppFromMiddleware
, which lets you customize HTTP processing
Also, the
context
function now receives anexpress: { req, res }
option in addition toevent
andcontext
-
apollo-server-lambda
: The handler returned bycreateHandler
can now only be called as an async function returning aPromise
(it no longer optionally accepts a callback as the third argument).- All current Lambda Node runtimes support this invocation mode (so
exports.handler = server.createHandler()
will keep working without any changes). - If you've written your own handler that calls the handler returned by
createHandler
with a callback, you'll need to handle itsPromise
return value instead.
- All current Lambda Node runtimes support this invocation mode (so
-
apollo-server-lambda
: Improved support for running behind an Application Load Balancer (ALB). -
apollo-server-fastify
is now compatible with Fastify v3 instead of Fastify v2. -
apollo-server-hapi
is now only tested with Hapi v20.1.2 and higher (the minimum version that supports Node 16). -
The non-serverless integrations now depend on their corresponding web frameworks via peer dependencies rather than direct dependencies.
-
All integrations that allow CORS headers to be customized now default to
access-control-allow-origin: *
. This was already the case forapollo-server
, Express, Fastify, and Hapi; it is now also the same for Koa (which previously reflected the request's origin), Lambda, Cloud Functions, and Azure Functions as well (which did not set CORS by default). Micro and CloudFlare do not have a built-in way of setting CORS headers.
⚠️ SECURITYapollo-server-core
: Update default version of the GraphQL Playground React app loaded from the CDN to be@apollographql/[email protected]
. This patches an XSS vulnerability. Note that if you are pinning the Playground React app version in your app withnew ApolloServer({playground: {version: 'some version'}})
, you will need to update the specified version to 1.7.42 or later to avoid this vulnerability. If you disable GraphQL Playground withnew ApolloServer({playground: false})
, this vulnerability does not affect you. See advisory GHSA-qm7x-rc44-rrqw for more details.
apollo-server-express
: Update dependencies on@types/express
and@types/express-serve-static-core
. PR #5352
apollo-server-core
,apollo-server-express
: Upgradesubscriptions-transport-ws
dependency and remove unneeded runtime dependency onws
. This should enable you to install Apollo Server without depending on versions ofws
vulnerable to CVE-2021-32640. Note that the superficial integration of the unmaintainedsubscriptions-transport-ws
package will be removed in Apollo Server 3; you can also avoid this vulnerability by disabling the built-in subscription support withnew ApolloServer({subscriptions: false})
and using a maintained package such asgraphql-ws
instead. (Instead of taking this upgrade, you can also upgradews
to5.2.3
, which was just released.)
apollo-server-core
: You may now specify your Studio graph as a graph ref (id@variant
) via theAPOLLO_GRAPH_REF
environment variable ornew ApolloServer({apollo: {graphRef}})
instead of specifying graph ID and graph variant separately. Theapollo
object passed to pluginserverWillStart
and to gatewayload
now contains agraphRef
field.apollo-server-core
: Fix a race condition where schema reporting could lead to a delay at process shutdown. PR #5222apollo-server-core
: Allow the Fetch API implementation to be overridden for the schema reporting and usage reporting plugins via a newfetcher
option. PR #5179apollo-server-core
: Theserver.executeOperation
method (designed for testing) can now take itsquery
as aDocumentNode
(eg, agql
-tagged string) in addition to as a string. (This matches the behavior of theapollo-server-testing
createTestClient
function which is now deprecated.) We now recommend this method instead ofapollo-server-testing
in our docs. Issue #4952apollo-server-testing
: Replace README with a deprecation notice explaining how to useserver.executeOperation
instead. Issue #4952
apollo-server-core
: Fix a typo that could lead to TypeScript compilation when combined with a recent version of@types/node
. (This bug had no runtime effect.) PR #5149
apollo-server-core
: Apollo Studio usage reporting uses a more efficient format which sends fewer detailed traces to Apollo's server. This change should not have a major effect on the experience of using Apollo Studio. This also fixes a bug in all prior versions where all operations were reported to Studio as "uncached". PR #4142
apollo-server-core
: Add optional argument toApolloServer.executeOperation
allowing the caller to manually specify an argument to theconfig
function analogous to that provided by integration packages. PR #4166 Issue #2886[email protected]
: NewBaseRedisCache
class which takes anioredis
-compatible Redis client as an argument. The existing classesRedisCache
andRedisClusterCache
(which pass their arguments toioredis
constructors) are now implemented in terms of this class. This allows you to use any of theioredis
constructor forms rather than just the ones recognized by our classes. This also fixes a long-standing bug where the Redis cache implementations returned a number fromdelete()
; it now returns a number, matching what theKeyValueCache
interface and the TypeScript types expect. PR #5034 PR #5088 Issue #4870 Issue #5006apollo-server-core
: Fix type forformatResponse
function. It never is called with anull
argument, and is allowed to returnnull
. Issue #5009 PR #5089apollo-server-lambda
: Fix regression in v2.21.2 where thrown errors were replaced by throwing the JS Error class itself. PR #5085apollo-server-core
: If a client sends a variable of the wrong type, this is now reported as an error with anextensions.code
ofBAD_USER_INPUT
rather thanINTERNAL_SERVER_ERROR
. PR #5091 Issue #3498apollo-server-lambda
: Explicitly support API GatewaypayloadFormatVersion
2.0. Previously some codepaths did appropriate checks to partially support 2.0 and other codepaths could lead to errors likeevent.path.endsWith is not a function
(especially since v2.21.1). Note that this changes the TypeScript typing of theonHealthCheck
callback passed tocreateHandler
to indicate that it can receive either type of event. If you are using TypeScript and care about having a precise typing for the argument to youronHealthCheck
callback, you should determine which payload format you want to support and writenew ApolloServer<APIGatewayProxyEvent>(...)
ornew ApolloServer<APIGatewayProxyEventV2>(...)
(importing these types fromaws-lambda
), or differentiate between the two formats by checking to see if'path' in event
. Issue #5084 Issue #5016
apollo-server-core
: Fix a regression in v2.22.0 where combiningapollo-server-core
v2.22 with an older version of an integration package could lead to startup errors likecalled start() with surprising state invoking serverWillStart
. The fix involves changing the semantics of the protectedwillStart
method (which is left in only for backwards compatibility). Issue #5065 Issue #5066 PR #5073
apollo-server-core
: Fix a regression in v2.22.0 where startup errors could be thrown as part of the GraphQL response instead of redacted in one edge case. PR #5064
- Improve startup error handling by ensuring that your server has loaded its schema and executed its
serverWillStart
handlers successfully before starting an HTTP server. If you're using theapollo-server
package, no code changes are necessary. If you're using an integration such asapollo-server-express
that is not a "serverless framework", you can insertawait server.start()
betweenserver = new ApolloServer()
andserver.applyMiddleware
. (If you don't callserver.start()
yourself, your server will still work, but the previous behavior of starting a web server that may fail to load its schema still applies.) The serverless framework integrations (Lambda, Azure Functions, and Cloud Functions) do not support this functionality. While the protected methodwillStart
still exists for backwards compatibility, you should replace calls to it withstart
or the new protected methodensureStarting
. PR #4981
apollo-server-core
: TheSIGINT
andSIGTERM
signal handlers installed by default (when not disabled bystopOnTerminationSignals: false
) now stay active (preventing process termination) while the server shuts down, instead of letting a second signal terminate the process. The handlers still re-signal the process afterthis.stop()
concludes. Also, ifthis.stop()
throws, the signal handlers will now log and exit 1 instead of throwing an uncaught exception. Issue #4931apollo-server-lambda
: Refactor the handler returned byserver.createHandler
so that if it is not passed a callback, it acts as an async handler instead of a non-async handler. This means you can wrap it in your own async handler without having to create a callback, and makes the code more maintainable. Issue #1989 PR #5004
apollo-server-lambda
: TheonHealthCheck
option did not previously work. Additionally, health checks (withonHealthCheck
or without) didn't work in all Lambda contexts, such as behind Custom Domains; the path check is now more flexible. Issue #3999 PR #4969 Issue #4891 PR #4892- The
debug
option tonew ApolloServer
(which adds stack traces to errors) now affects errors that come from requests executed withserver.executeOperation
(and its wrapperapollo-server-testing
), instead of just errors that come from requests executed over HTTP. Issue #4107 PR #4948 - Bump version of
@apollographql/graphql-playground-html
to v1.6.27 and@apollographql/graphql-playground-react
to v1.7.39 to resolve incorrectly rendered CDN URL when Playgroundversion
wasfalse
-y. PR #4932 PR #4955 Issue #4937
- Apollo Server can now be installed with
graphql@15
without causing peer dependency errors or warnings. (Apollo Server has a file upload feature which was implemented as a wrapper around thegraphql-upload
package. We have been unable to upgrade our dependency on that package due to backwards-incompatible changes in later versions, and the version we were stuck on did not allowgraphql@15
as a peer dependency. We have now switched to a fork of that old version called@apollographql/graphql-upload-8-fork
that allowsgraphql@15
.) Also bump thegraphql-tools
dependency from 4.0.0 to 4.0.8 forgraphql@15
support. Issue #4865
apollo-server
: Previously,ApolloServer.stop()
functioned likenet.Server.close()
in that it did not close idle connections or close active connections after a grace period. This meant that trying toawait ApolloServer.stop()
could hang indefinitely if there are open connections. Now, this method closes idle connections, and closes active connections after 10 seconds. The grace period can be adjusted by passing the newstopGracePeriodMillis
option tonew ApolloServer
, or disabled by passingInfinity
(though it will still close idle connections). Note that this only applies to the "batteries-included"ApolloServer
in theapollo-server
package with its own built-in Express and HTTP servers. PR #4908 Issue #4097apollo-server-core
: When used withApolloGateway
,ApolloServer.stop
now invokesApolloGateway.stop
. (This makes sense becauseApolloServer
already invokesApolloGateway.load
which is what starts the behavior stopped byApolloGateway.stop
.) Note that@apollo/gateway
0.23 will expect to be stopped in order for natural program shutdown to occur. PR #4907 Issue #4428apollo-server-core
: Avoid instrumenting schemas for the oldgraphql-extensions
library unless extensions are provided. PR #4893 Issue #4889[email protected]
: TheshouldReadFromCache
andshouldWriteToCache
hooks were always documented as returningValueOrPromise<boolean>
(ie, that they could be either sync or async), but they actually only worked if they returned a bool. Now they can be either sync or async as intended. PR #4890 Issue #4886[email protected]
: TheRESTDataSource.trace
method is nowprotected
instead ofprivate
to allow more control over logging and metrics. PR #3940
apollo-server-express
: types: ExportExpressContext
from main module. PR #4821 Issue #3699apollo-server-env
: types: The first parameter tofetch
is now marked as required, as intended and in accordance with the Fetch API specification. PR #4822 Issue #4741apollo-server-core
: Updategraphql-tag
package tolatest
, now with itsgraphql-js
peerDependencies
expanded to include^15.0.0
PR #4833
apollo-server-core
: ThedebugPrintReports
option toApolloServerPluginUsageReporting
now prints traces as well. PR #4805
apollo-server-testing
: types: Allow genericvariables
usage ofquery
andmutate
functions. PR #4383apollo-server-express
: Export theGetMiddlewareOptions
type. PR #4599apollo-server-lambda
: Fix file uploads - ignore base64 decoding for multipart queries. PR #4506apollo-server-core
: Do not send operation documents that cannot be executed to Apollo Studio. Instead, information about these operations will be combined into one "operation" for parse failures, one for validation failures, and one for unknown operation names.
apollo-server-core
: Explicitly includelru-cache
dependency inapollo-server-core
's dependencies. PR #4600
-
apollo-server-core
: Fix support for legacy optionengine: {logger}
, broken in v2.18.0. PR #4588 -
apollo-server-plugin-base
: TheApolloServerPlugin
TypeScript type does not need to extendAnyFunctionMap
, which was an unnecessary change in v2.18.0. PR #4588 -
apollo-server-core
: Improve a usage reporting error which occurs when you use Apollo Server in an unsupported way. PR #4588 -
apollo-server-core
: Fix typo in error message for unparsable/invalid schemas provided viaoverrideReportedSchema
. PR #4581
-
apollo-server-core
: When Apollo Server is configured with an Apollo API key, the URLs it uses to connect to Apollo's servers have changed. If the environment in which you run your servers requires you to explicitly allow connections by domain, you will need to add the new domain names. Usage reporting previously connected to https://engine-report.apollodata.com/ and now connects to https://usage-reporting.api.apollographql.com/; schema reporting previously connected to https://edge-server-reporting.api.apollographql.com/ and now connects to https://schema-reporting.api.apollographql.com/ . PR #4453 -
Apollo Server's support for communicating with Apollo’s commercial products has been refactored into three separate plugins exported from
apollo-server-core
(for usage reporting, schema reporting, and inline tracing), configured using the standardplugins
option. Theengine
option continues to work for backwards compatibility in the 2.x series; support forengine
will be deprecated in Apollo Server 3.x. Full details are available in the migration guide. PR #4453 -
To consistently support tracing, inline tracing is enabled by default on federated implementing services, even when an Apollo API key is provided. Previously it was not enabled when an API key was provided. You can disable it with
ApolloServerPluginInlineTraceDisabled
. PR #4453 -
The
apollo-engine-reporting
npm package has been obsoleted and will no longer receive updates. PR #4453 -
The
apollo-engine-reporting-protobuf
package has been renamed toapollo-reporting-protobuf
. No new versions of the old package will be published. PR #4453 -
Implementations of
ApolloServer
for serverless frameworks such as Lambda now override theserverlessFramework()
method to return true. We have changed our own integrations, but other implementations that extendApolloServer
which need this behavior should do the same. Support forengine.sendReportsImmediately
will be dropped in Apollo Server 3.x. PR #4453 -
The
GraphQLServiceContext
type passed to the plugin serverWillStart method now containsapollo
andserverlessFramework
values. PR #4453 -
apollo-server-core
/apollo-server-plugin-base
: The request pipeline plugin API now supports aserverWillStop
lifecycle hook. PR #4453 -
apollo-server-core
: Previously, the usage reporting functionality registered one-shot handlers for theSIGINT
andSIGTERM
signals, which it used to send one final usage report before re-sending the signal to itself to continue shutdown. These signals handlers were installed by default if you enabled usage or schema reporting, and could be disabled by passingengine.handleSignals: false
. Now, termination signal handling is the responsibility of Apollo Server as a whole rather than something specific to usage reporting. Apollo Server itself now registers these one-shot signal handlers, which triggerApolloServer.stop()
. This allows any plugin that implements the newserverWillStop
callback to hook into shutdown logic, not just the usage reporting code. Similarly to before, these signal handlers are registered by default but can be disabled by via an option. We've changed the option name tostopOnTerminationSignals: false
as it is more explicit about the behavior. PR #4453 -
apollo-server-core
: The default logger implementation (if you don't specify your ownlogger
or specifydebug
) now logs at the INFO level instead of the WARN level. The main effect is on a few built-in plugins which log one INFO message at startup; if a custom plugin logs at the INFO level then those messages will be visible by default as well. PR #4453 -
apollo-server-core
: Parse and validate any schema passed viaoverrideReportedSchema
to the schema reporting plugin, and throw accordingly on unparsable or invalid schemas. -
Using Apollo Server from TypeScript now requires TypeScript 3.8 due to the use of the
import type
andexport type
directives. (If this proves to be a major problem we can revert this choice, but it makes it easier for us to ensure that certain large dependencies are only loaded when needed.) PR #4453 -
Updated
@apollographql/graphql-playground-react
to 1.7.33 to include an upstream fix. PR #4550
- subscriptions: Fix bug which prevented
installSubscriptionHandlers
from accepting awebsocket.Server
(as intended in PR #1966) and also added support for otherhttp.Server
variations (e.g., Tls). Issue #4198 PR #4200
- This release only includes patch updates to dependencies.
apollo-server-fastify
: Pass Fastify'srequest
andreply
objects into thecontext
function, which previously had been receiving nothing. Issue #3156 [PR #3895(#3895)apollo-server-lambda
: Automatically decode payloads which are Base64-encoded when theisBase64Encoded
boolean is present on Lambdaevent
payloads. PR #4311
- The default branch of the repository has been changed to
main
. As this changed a number of references in the repository'spackage.json
andREADME.md
files (e.g., for badges, links, etc.), this necessitates a release to publish those changes to npm. PR #4302
apollo-engine-reporting
: Added areportTiming
API to allow trace reporting to be enabled or disabled on a per request basis. The option takes either a boolean or a predicate function that takes aGraphQLRequestContextDidResolveOperation
orGraphQLRequestContextDidEncounterErrors
and returns a boolean. If the boolean is false the request will not be instrumented for tracing and no trace will be sent to Apollo Graph Manager. The default istrue
so all traces will get instrumented and sent, which is the same as the previous default behavior. PR #3918apollo-engine-reporting
: RemovedGraphQLServerOptions.reporting
. It isn't known whether a trace will be reported at the beginning of the request because of the above change. We believe this field was only used internally within Apollo Server; let us know if this is a problem and we can suggest alternatives. Additionally, the fieldrequestContext.metrics.captureTraces
is now initialized later in the request pipeline. PR #3918apollo-engine-reporting
: Make Apollo Server throw if schema reporting is enabled for a gateway or federated service. PR #4246apollo-engine-reporting
: Remove theexperimental_
prefix from schema reporting options, and specifically renameexperimental_schemaReporting
option name toreportSchema
. (The old option names remain functional, but are deprecated.) PR #4236
apollo-engine-reporting
: Make Apollo Server throw if schema reporting is enabled for a gateway or federated service. PR #4246
apollo-engine-reporting
: Add environment variableAPOLLO_SCHEMA_REPORTING
that can enable schema reporting. Ifexperimental__schemaReporting
is set it will override the environment variable. PR #4206apollo-engine-reporting
: The schema reporting URL has been changed to use the new dedicated sub-domainhttps://edge-server-reporting.api.apollographql.com
. PR #4232apollo-server-core
: Though Apollo Server is not affected due to the way it is integrated, in response to an upstream security advisory for GraphQL Playground we have published the same patch on our@apollographql/graphql-playground-html
fork and bumped Apollo Server to use it. Again, this was done out of an abundance of caution since the way that Apollo Server utilizesrenderPlaygroundPage
is not vulnerable as it does not allow per-request Playground configuration that could allow interpolation of user-input. PR #4231
- This release only includes patch updates to dependencies.
Note: This release is is related to a GitHub Security Advisory published by the Apollo Server team. Please read the attached advisory to understand the impact.
⚠️ SECURITY: Pass all schema validation rules to the subscription server, including validation rules that restrict introspection when introspection is meant to be disabled. Read the full GitHub Security Advisory for details.
apollo-server-testing
: Ensure that user-provided context is cloned when usingcreateTestClient
, per the instructions in the integration testing section of the Apollo Server documentation. Issue #4170 PR #4175
-
apollo-server-core
/apollo-server-plugin-base
: Add support forwillResolveField
and corresponding end-handler withinexecutionDidStart
. This brings the remaining bit of functionality that was previously only available fromgraphql-extensions
to the new plugin API. Thegraphql-extensions
API (which was never documented) will be deprecated in Apollo Server 3.x. To see the documentation for the request pipeline API, see its documentation. For more details, see the attached PR. PR #3988 -
apollo-server-core
: Deprecategraphql-extensions
. All internal usages of thegraphql-extensions
API have been migrated to the request pipeline plugin API. For any implementor-suppliedextensions
, a deprecation warning will be printed once per-extension, per-server-startup, notifying of the intention to deprecate. Extensions should migrate to the plugin API, which is outlined in its documentation. PR #4135 -
apollo-engine-reporting
: Currently only for non-federated graphs. Added an experimental schema reporting option,experimental_schemaReporting
, for Apollo Graph Manager users. During this experiment, we'd appreciate testing and feedback from current and new users of the schema registry!Prior to the introduction of this feature, the only way to get schemas into the schema registry in Apollo Graph Manager was to use the CLI and run
apollo schema:push
. Apollo schema reporting protocol is a new specification for GraphQL servers to automatically report schemas to the Apollo Graph Manager schema registry.To enable schema reporting, provide a Graph Manager API key (available free from Apollo Graph Manager) in the
APOLLO_KEY
environment variable and set theexperimental_schemaReporting
option totrue
in the Apollo Server constructor options, like so:const server = new ApolloServer({ typeDefs, resolvers, engine: { experimental_schemaReporting: true, /* Other existing options can remain the same. */ }, });
When enabled, a schema reporter is initiated by the
apollo-engine-reporting
agent. It will loop until theApolloServer
instance is stopped, periodically calling back to Apollo Graph Manager to send information. The life-cycle of this reporter is managed by the agent.For more details on the implementation of this new protocol, see the PR which introduced it to Apollo Server and the preview documentation.
-
apollo-engine-reporting
: The underlying integration of this plugin, which instruments and traces the graph's resolver performance and transmits these metrics to Apollo Graph Manager, has been changed from the (soon to be deprecated)graphql-extensions
API to the new request pipelineplugins
API. PR #3998This change should be purely an implementation detail for a majority of users. There are, however, some special considerations which are worth noting:
- The federated tracing plugin's
ftv1
response onextensions
(which is present on the response from an implementing service to the gateway) is now placed on theextensions
after theformatResponse
hook. Anyone leveraging theextensions
.ftv1
data from theformatResponse
hook will find that it is no longer present at that phase.
- The federated tracing plugin's
-
apollo-tracing
: This package's internal integration with Apollo Server has been switched from using the soon-to-be-deprecatedgraphql-extensions
API to using the request pipeline plugin API. Behavior should remain otherwise the same. PR #3991 -
apollo-cache-control
: This package's internal integration with Apollo Server has been switched from using the soon-to-be-deprecatedgraphql-extensions
API to using the request pipeline plugin API. Behavior should remain otherwise the same. PR #3997
- Allow passing a
WebSocket.Server
toApolloServer.installSubscriptionHandlers
. PR #2314 apollo-server-lambda
: Support file uploads on AWS Lambda Issue #1419 Issue #1703 PR #3926apollo-engine-reporting
: Fix inadvertent conditional formatting which prevented automated persisted query (APQ) hits and misses from being reported to Apollo Graph Manager. PR #3986apollo-engine-reporting
: Deprecate theENGINE_API_KEY
environment variable in favor of its new name,APOLLO_KEY
. Continued use ofENGINE_API_KEY
will result in deprecation warnings and support for it will be removed in a future major version. #3923apollo-engine-reporting
: Deprecated theAPOLLO_SCHEMA_TAG
environment variable in favor of its new name,APOLLO_GRAPH_VARIANT
. Similarly, within theengine
configuration object, theschemaTag
property has been renamedgraphVariant
. The functionality remains otherwise unchanged, but their new names mirror the name used within Apollo Graph Manager. Continued use of the now-deprecated names will result in deprecation warnings and support will be dropped completely in the next "major" update. To avoid misconfiguration, a runtime error will be thrown if both new and deprecated names are set. PR #3855apollo-engine-reporting-protobuf
: (This is a breaking change only if you directly depend onapollo-engine-reporting-protobuf
.) Drop legacy fields that were never used byapollo-engine-reporting
. Added new fieldsStatsContext
to allowapollo-server
to send summary stats instead of full traces, and renamedFullTracesReport
toReport
andTraces
toTracesAndStats
since reports now can include stats as well as traces.
apollo-server-core
: Support providing a custom logger implementation (e.g.winston
,bunyan
, etc.) to capture server console messages. Though there has historically been limited output from Apollo Server, some messages are important to capture in the larger context of production logging facilities or can benefit from using more advanced structure, like JSON-based logging. This also introduces alogger
property to theGraphQLRequestContext
that is exposed to plugins, making it possible for plugins to leverage the same server-level logger, and allowing implementors to create request-specific log contexts, if desired. When not provided, these will still output toconsole
. PR #3894apollo-server-core
: When operating in gateway mode using thegateway
property of the Apollo Server constructor options, the failure to initialize a schema during initial start-up, e.g. connectivity problems, will no longer result in the federated executor from being assigned when the schema eventually becomes available. This precludes a state where the gateway may never become available to serve federated requests, even when failure conditions are no longer present. PR #3811apollo-server-core
: Prevent a condition which prefixed an error message on each request when the initial gateway initialization resulted in a Promise-rejection which was memoized and re-prepended withInvalid options provided to ApolloServer:
on each request. PR #3811apollo-server-express
: Disable the automatic inclusion of thex-powered-by: express
header. PR #3821apollo-engine-reporting
: Avoid creating new arrays when building trace trees. PR #3479apollo-server-core
: Bumpgraphql
peerDependencies
range to include^15.0.0
. PR #3944
- The range of accepted
peerDependencies
versions forgraphql
has been widened to includegraphql@^15.0.0-rc.2
so as to accommodate the latest release-candidate of thegraphql@15
package, and an intention to support it when it is finally released on thelatest
npm tag. While this change will subdue peer dependency warnings for Apollo Server packages, many dependencies from outside of this repository will continue to raise similar warnings until those packages ownpeerDependencies
are updated. It is unlikely that all of those packages will update their ranges prior to the final version ofgraphql@15
being released, but if everything is working as expected, the warnings can be safely ignored. PR #3825
apollo-server-core
: Update GraphQL Playground to latest version to remove a rogue curly-brace appearing in the top-right corner of the interface under certain conditions. PR #3702 Playground PRapollo-server-core
: Typings: Allow thecache
property insidepersistedQueries
to be optional. This was already optional at runtime where it defaults to the top-level global cache when unspecified, but with the introduction of thettl
property, it now makes sense that one may be provided without the other. #3671
apollo-server-express
: SupportCorsOptionsDelegate
type oncors
parameter toapplyMiddleware
, to align with the supported type of the underlyingcors
middleware itself. #3613apollo-server-core
: Allow asynchronous initialization of datasources: theinitialize
method on datasources may now return a Promise, which will be settled before any resolvers are called. #3639apollo-server-core
: experimental: Allow configuration of the parsed/validated document store by introducing anexperimental_approximateDocumentStoreMiB
property to theApolloServer
constructor options which overrides the default cache size of 30MiB. #3755
apollo-server-core
: Update apollo-tooling dependencies, resolve TS build error (missing types for node-fetch) #3662
apollo-engine-reporting
: Fix regression introduced by #3614 which causedPersistedQueryNotFoundError
,PersistedQueryNotSupportedError
andInvalidGraphQLRequestError
errors to be triggered before therequestDidStart
handler triggeredtreeBuilder
'sstartTiming
method. This fix preserves the existing behavior by special-casing these specific errors. #3638 fixes #3627apollo-server-cloud-functions
: Transmit CORS headers onOPTIONS
request. #3557apollo-server-caching
: De-compose options interface forKeyValueCache.prototype.set
to accommodate better TSDoc annotations for its properties (e.g. to specify thatttl
is defined in seconds). #3619apollo-server-core
,apollo-server-caching
: Introduce attl
property, specified in seconds, on the options for automated persisted queries (APQ) which applies specific TTL settings to the cacheset
s during APQ registration. Previously, all APQ cache records were set to 300 seconds. Additionally, this adds support (to the underlyingapollo-server-caching
mechanisms) for a time-to-live (TTL) value ofnull
which, when supported by the cache implementation, skips the assignment of a TTL value altogether. This allows the cache's controller to determine when eviction happens (e.g. cache forever, and purge least recently used when the cache is full), which may be desireable for network cache stores (e.g. Memcached, Redis). #3623apollo-server-core
: Upgrade TS to 3.7.3 #3618
apollo-server-core
: Ensure that plugin'sdidEncounterErrors
hooks are invoked for known automated persisted query (APQ) errors. #3614apollo-server-plugin-base
: MoveTContext
generic fromrequestDidStart
method toApolloServerPlugin
Interface. #3525
@apollo/gateway
: Add@types/node-fetch
as a regular dependency to avoid missing dependency for TypeScript consumers. #3546 fixes #3471apollo-engine-reporting
: Declare acceptablegraphql
versions ranges inpeerDependencies
rather than allowing it to occur implicitly (and less ideally) via its consumers (e.g. mostapollo-server-*
packages). #3496
- Reinstate #3530 via #3539 - after a patch release of the
@apollo/protobufjs
fork, the build issue for consumers should be resolved.
- Revert #3530 via #3535- the introduction of the
@apollo/protobufjs
fork is causing TS errors in consumer projects. Reverting this change for now, and will reintroduce it after the issue is resolved within the forked package.
apollo-engine-reporting
: Swap usage ofprotobufjs
for a newly published fork located at@apollo/protobufjs
. This is to account for the relative uncertainty into the continued on-going maintenance of the officialprotobuf.js
project. This should immediately resolve a bug that affectedLong
types inapollo-engine-reporting
and other non-Apollo projects that rely onprotobuf.js
'sLong
type. #3530
apollo-server-core
: Don't try parsingvariables
andextensions
as JSON if they are defined but empty strings. #3501apollo-server-lambda
: IntroduceonHealthCheck
oncreateHandler
in the same fashion as implemented in other integrations. #3458apollo-server-core
: Usegraphql
'sisSchema
to more defensively check the user-specified schema's type at runtime and prevent unexpected errors. #3462
apollo-server-core
: Provide accurate type forformatResponse
rather than genericFunction
type. #3431apollo-server-core
: Pass complete request context toformatResponse
, rather than justcontext
. #3431
apollo-server-errors
: FixApolloError
bug andGraphQLError
spec compliance #3408
@apollo/gateway
,@apollo/federation
,apollo-engine-reporting
: Updateapollo-graphql
dependency to bring inapollo-tooling
's #1551 which resolve runtime errors when its source is minified. While this fixes a particular minification bug when Apollo Server packages are minified, we do not recommend minification of server code in most cases. #3387 fixes #3335apollo-server-koa
: Correctly declare dependency onkoa-compose
. #3356apollo-server-core
: Preserve anyextensions
that have been placed on the response when pre-execution errors occur. #3394
apollo-server-express
: Add direct dependency onexpress
to allow for usage ofexpress.Router
forgetMiddleware
functionality (from #2435). Previously, unlike other server integration packages,apollo-server-express
did not directly needexpress
as a dependency since it only relied onexpress
for TypeScript typings. #3239 fixes #3238apollo-server-lambda
: Add@types/aws-lambda
as a direct dependency toapollo-server-express
to allow usage of its typings without needing to separately install it. #3242 fixes #2351
apollo-server-koa
: Drop support for Node.js v6 within the Apollo Server Koa integration in order to updatekoa-bodyparser
dependency fromv3.0.0
tov4.2.1
. #3229 fixes #3050apollo-server-express
: Use explicit return type for newgetMiddleware
method. #3230 (hopefully) fixes #3222
apollo-server-core
: MakeformatError
available to subscriptions in the same spirit as the existingformatResponse
. #2942apollo-engine-reporting
: The behavior of theengine.maxAttempts
parameter previously did not match its documentation. It is documented as being the max number of attempts including the initial attempt, but until this release it was actually the number of retries excluding the initial attempt. The behavior has been changed to match the documentation (and the literal reading of the option name). #3218apollo-engine-reporting
: When sending the report fails with a server-side 5xx error, include the full error from the server in the logs. #3218apollo-server-core
: Fix regression which prevented the resizing of the schema panel in GraphQL Playground. #3224 and upstream
apollo-server-express
,apollo-server-koa
: A newgetMiddleware
method has been introduced, which accepts the same parameters asapplyMiddleware
with the exception of theapp
property. This allows implementors to obtain the middleware directly and "use
" it within an existingapp
. In the near-term, this should ease some of the pain points with the previous technique. Longer-term, we are exploring what we consider to be a much more natural approach by introducing an "HTTP transport" in Apollo Server 3.x. See this proposal issue for more information. #2435@apollo/federation
:buildFederatedSchema
'stypeDefs
parameter now accepts arrays ofDocumentNode
s (i.e. type definitions wrapped ingql
) andresolvers
to make the migration from a single service into a federated service easier for teams previously utilizing this pattern. #3188
apollo-server-koa
: Update dependency koa to v2.8.1. PR #3175apollo-server-express
: Update types exported by the ASE package. PR #3173 PR #3172
apollo-engine-reporting
: Fix reporting errors which have non-arraypath
fields (eg, non-GraphQLError errors). PR #3112apollo-engine-reporting
: Add missingapollo-server-caching
dependency. PR #3054apollo-server-hapi
: Revert switch fromaccept
andboom
which took place in v2.8.0. PR #3089@apollo/gateway
: Change thesetInterval
timer, which is used to continuously check for updates to a federated graph from the Apollo Graph Manager, to be anunref
'd timer. Without this change, the server wouldn't terminate properly once polling had started since the event-loop would continue to have unprocessed events on it. PR #3105- Switch to using community
@types/graphql-upload
types. apollo-server-fastify
: Change the typing of the HTTPresponse
fromOutgoingMessage
toServerResponse
. Commitapollo-server-hapi
: Pass theraw
request and response objects tographql-upload
sprocessRequest
method to align on the same TypeScript types. Commit
@apollo/federation
: Add support for "value types", which are type definitions which live on multiple services' types, inputs, unions or interfaces. These common types must be identical by name, kind and field across all services. PR #3063apollo-server-express
: Use the Expresssend
method, rather than callingnet.Socket.prototype.end
. PR #2842apollo-server-hapi
: Update internal dependencies to use scoped packages@hapi/accept
and@hapi/boom
, in place ofaccept
andboom
respectively. PR #3089
apollo-engine-reporting
: Fix reporting errors from backend. (The support for federated metrics introduced in v2.7.0 did not properly handle GraphQL errors from the backend; all users of federated metrics should upgrade to this version.) PR #3056 Issue #3052apollo-engine-reporting
: Clean upSIGINT
andSIGTERM
handlers whenEngineReportingAgent
is stopped; fixes 'Possible EventEmitter memory leak detected' log. PR #3090
apollo-engine-reporting
: If an error is thrown by a custom variable transform function passed into the reporting optionsendVariableValues: { transform: ... }
, all variable values will be replaced with the string[PREDICATE_FUNCTION_ERROR]
.apollo-server-express
: Typing fix for theconnection
property, which was missing from theExpressContext
interface. PR #2959@apollo/gateway
: Ensure execution of correct document within multi-operation documents by including theoperationName
in the cache key used when caching query plans used in federated execution. PR #3084
-
apollo-engine-reporting
: Behavior change: By default, send no GraphQL variable values to Apollo's servers instead of sending all variable values. Adding the new EngineReportingOptionsendVariableValues
to send some or all variable values, possibly after transforming them. This replaces theprivateVariables
option, which is now deprecated. PR #2931To maintain the previous behavior of transmitting all GraphQL variable values, unfiltered, to Apollo Engine, configure
engine
.sendVariableValues
as follows:engine: { sendVariableValues: { all: true } }
-
apollo-engine-reporting
: Behavior change: By default, send no GraphQL request headers and values to Apollo's servers instead of sending all. Adding the new EngineReportingOptionsendHeaders
to send some or all header values. This replaces theprivateHeaders
option, which is now deprecated. PR #2931To maintain the previous behavior of transmitting all GraphQL request headers and values, configure
engine
.sendHeaders
as following:engine: { sendHeaders: { all: true } }
-
apollo-engine-reporting
: Behavior change: If the error returned from theengine.rewriteError
hook has anextensions
property, that property will be used instead of the original error's extensions. Document that changes to most otherGraphQLError
fields byengine.rewriteError
are ignored. PR #2932 -
apollo-engine-reporting
: Behavior change: Theengine.maskErrorDetails
option, deprecated byengine.rewriteError
in v2.5.0, now behaves a bit more like the new option: while all error messages will be redacted, they will still show up on the appropriate nodes in a trace. PR #2932 -
apollo-server-core
,@apollo/gateway
: Introduced managed federation support. For more information on managed federation, see the blog post or jump to the documentation for managed federation. -
@apollo/[email protected]
: Don't print a warning about an unspecified "graph variant" (previously, and in many ways still, known as "schema tag") every few seconds. We do highly recommend specifying one when using the Apollo Platform features though! PR #3043 -
graphql-playground
: Update to resolve incorrect background color on tabs when using thelight
theme. PR #2989 Issue #2979 -
graphql-playground
: Fix "Query Planner" and "Tracing" panels which were off the edge of the viewport. -
apollo-server-plugin-base
: FixGraphQLRequestListener
type definitions to allowreturn void
. PR #2368
apollo-server-core
: Guard against undefined property access inisDirectiveDefined
which resulted in "Cannot read property 'some' of undefined" error. PR #2924 Issue #2921
apollo-server-core
: Avoid duplicatecacheControl
directives being added viaisDirectiveDefined
, re-landing the implementation reverted in v2.6.1 which first surfaced in v2.6.0. PR #2762 Reversion PR #2754 Original PR #2428apollo-server-testing
: Add TypeScript types forapollo-server-testing
client. PR #2871apollo-server-plugin-response-cache
: Fix undefined property access attempt which occurred when an incomplete operation was received. PR #2792 Issue #2745
apollo-engine-reporting
: Simplify the technique for capturingoperationName
. PR #2899apollo-server-core
: Fix regression in 2.6.0 which causedengine: false
not to disable Engine when theENGINE_API_KEY
environment variable was set. PR #2850@apollo/federation
: Introduced aREADME.md
. PR #2883@apollo/gateway
: Introduced aREADME.md
. PR #2883
@apollo/gateway
: Passcontext
through to thegraphql
command inLocalGraphQLDataSource
'sprocess
method. PR #2821@apollo/gateway
: Fix gateway not sending needed variables for subqueries not at the root level. PR #2867@apollo/federation
: Allow matching enums/scalars in separate services and validate that enums have matching values. PR #2829.@apollo/federation
: Strip@external
fields from interface extensions. PR #2848@apollo/federation
: Add support for list type keys in federation. PR #2841@apollo/federation
: Deduplicate variable definitions for sub-queries. PR #2840
apollo-engine-reporting
: SetforbiddenOperation
andregisteredOperation
later in the request lifecycle. PR #2828apollo-server-core
: AddqueryHash
toGraphQLExecutor
for federation. PR #2822@apollo/federation
: Preserve descriptions from SDL of federated services. PR #2830
apollo-engine-reporting-protobuf
: Update protobuf to includeforbiddenOperations
andregisteredOperations
. PR #2768apollo-server-core
: AddforbiddenOperation
andregisteredOperation
toGraphQLRequestMetrics
type. PR #2768apollo-engine-reporting
: SetforbiddenOperation
andregisteredOperation
on trace if the field is true onrequestContext.metrics
. PR #2768apollo-server-lambda
: RemoveObject.fromEntries
usage. PR #2787
- Revert: Don't add
cacheControl
directive if one has already been defined. Presently, although the TypeScript don't suggest it, passing aString
astypeDefs
toApolloServer
is supported and this would be a breaking change for non-TypeScript users. PR #2428
apollo-server-core
: Introduce newdidEncounterErrors
life-cycle hook which has access to unformattederrors
property on therequestContext
, which is the first positional parameter that this new request life-cycle receives. PR #2719apollo-server-core
: Allow request pipeline life-cycle hooks (i.e. plugins) to modify the response'shttp.status
code (an integer) in the event of an error. When combined with the newdidEncounterErrors
life-cycle hook (see above), this will allow modifying the HTTP status code in the event of an error. PR #2714apollo-server-lambda
: SetcallbackWaitsForEmptyEventLoop
tofalse
forOPTIONS
requests to return as soon as thecallback
is triggered instead of waiting for the event loop to empty. PR #2638apollo-server
: SupportonHealthCheck
in theApolloServer
constructor in the same way ascors
is supported. This contrasts with the-express
,-hapi
, etc. variations which accept this parameter via theirapplyMiddleware
methods and will remain as-is. PR #2672- core: Expose SHA-512 hex hash digest of the Engine API key to plugins, when available, as
engine.apiKeyHash
. PR #2685 PR #2736 apollo-datasource-rest
: If anotherContent-type
is already set on the response, don't overwrite it withapplication/json
, allowing the user's initialContent-type
to prevail. PR #2520- Don't add
cacheControl
directive if one has already been defined. PR #2428 apollo-cache-control
: Do not respond withCache-control
headers if the HTTP response containserrors
. PR #2715apollo-server-core
: Skip loadingutil.promisify
,Array.flat
,Array.flatMap
, andObject.fromEntries
polyfills, none of which are needed in Node 12+. PR #2278 PR #5244apollo-server-core
: Lazy loadsubscriptions-transport-ws
in core PR #2278apollo-server-cache-redis
: BREAKING FOR USERS OFapollo-server-cache-redis
(This is a package that must be updated separately but shares the sameCHANGELOG.md
with Apollo Server itself.) A new major version of this package has been published and updated to support Redis Standalone, Cluster and Sentinel modes. This is a breaking change since it is now based onioredis
instead ofnode_redis
. Although this update is compatible with the most common uses ofapollo-server-cache-redis
, please check the options supported byioredis
while updating to this version. The constructor options are passed directly fromRedisCache
to the new Redis adapter. The pre-1.0 versions should continue to work with Apollo Server without modification. PR #1770
- Upgrade GraphQL Playground to the latest upstream release. This release also includes a new "Query Plan" panel for displaying the query planning results when running the Apollo Gateway.
- New plugin package
apollo-server-plugin-response-cache
implementing a full query response cache based onapollo-cache-control
hints. The implementation added a few hooks and context fields; see the PR for details. There is a slight change tocacheControl
object: previously,cacheControl.stripFormattedExtensions
defaulted to false if you did not provide acacheControl
option object, but defaulted to true if you provided (eg)cacheControl: {defaultMaxAge: 10}
. NowstripFormattedExtensions
defaults to false unless explicitly provided astrue
, or if you use the legacy booleancacheControl: true
. For more information, read the documentation. PR #2437 - Add
rewriteError
option toEngineReportingOptions
(i.e. theengine
property of theApolloServer
constructor). When defined as afunction
, it will receive anerr
property as its first argument which can be used to manipulate (e.g. redaction) an error prior to sending it to Apollo Engine by modifying, e.g., itsmessage
property. The error can also be suppressed from reporting entirely by returning an explicitnull
value. For more information, read the documentation and theEngineReportingOptions
API reference.maskErrorDetails
is now deprecated. PR #1639 apollo-server-azure-functions
: Support@azure/functions
to enable Apollo Server Typescript development in Azure Functions. PR #2487- Allow
GraphQLRequestListener
callbacks in plugins to depend onthis
. PR #2470 apollo-server-testing
: Addvariables
andoperationName
toQuery
andMutation
types. PR #2307 Issue #2172
- Add
cache-control: no-cache
header to bothPersistedQueryNotSupportedError
andPersistedQueryNotFoundError
responses as these should never be cached. PR #2452 apollo-datasource-rest
: Don't attempt to parse "204 No Content" responses as JSON. PR #2446apollo-server-express
: Fix Playground URL when Apollo Server is mounted inside of another Express app by utilizingreq.originalUrl
. PR #2451apollo-datasource-rest
: Correctly allow a TTL value of0
to represent "not-cacheable". PR #2588apollo-datasource-rest
: FixInvalid argument
in IE11, whenthis.headers
isundefined
. PR #2607
- No functional changes in this version. The patch version has been bumped to fix the
README.md
displayed on the npm package forapollo-server
as a result of a broken publish. Apologies for the additional noise!
- Fix typings which incorrectly included
cors
as part of the constructor options forapollo-server-express
(it should be defined viaapplyMiddleware
) but, conversely, inadvertently omitted the perfectly validcors
option from theapollo-server
constructor (whereapplyMiddleware
is not used/available). PR #2373 Issue #1882
- Allow Node.js-like runtimes to identify as Node.js as well. PR #2357 Issue #2356
apollo-server-express
: ExportExpressContext
PR #2352
- Fix typing for ContextFunction incorrectly requiring the context object the function produces to match the parameters of the function PR #2350
apollo-server-lambda
: Fix typings which triggered "Module has no default export" errors. PR #2230apollo-server-koa
: Support OPTIONS requests PR #2288- Add
req
andres
typings to theContextFunction
argument for apollo-server and apollo-server-express. UpdateContextFunction
return type to allow returning a value synchronously. PR #2330 - Type the
formatError
function to accept an GraphQLError as an argument and return a GraphQLFormattedError PR #2343
apollo-server-fastify
is now on Apollo Server and lives within theapollo-server
repository. This is being introduced in a patch version, however it's a major version bump from the last timeapollo-server-fastify
was published under1.0.2
. PR #1971- Move
apollo-graphql
package to theapollo-tooling
repository PR #2316
- Fix inaccurate total duration in apollo-tracing PR #2298
- Avoid importing entire
crypto
dependency tree if not in Node.js. PR #2304 - Allow passing
parseOptions
toApolloServerBase
constructor. PR #2289 - Rename
azureFunctions.d.ts
toazureFunctions.ts
. PR #2287 - Require
apollo-engine-reporting
only ifEngineReportingAgent
used. PR #2305
- Implement an in-memory cache store to save parsed and validated documents and provide performance benefits for repeat executions of the same document. PR #2111 (
>=2.4.0-alpha.0
) - Fix: Serialize arrays as JSON on fetch in
RESTDataSource
. PR #2219 - Fix: The
privateHeaders
configuration forapollo-engine-reporting
now allows headers to be specified using any case and lower-cases them prior to comparison. PR #2276 - Fix broken
apollo-server-azure-functions
TypeScript definitions. PR #2287
apollo-server
(only): Stop double-invocation ofserverWillStart
life-cycle event. (More specific integrations - e.g. Express, Koa, Hapi, etc. - were unaffected.) PR #2239- Avoid traversing
graphql-upload
module tree in run-time environments which aren't Node.js. PR #2235
-
Switch from
json-stable-stringify
tofast-json-stable-stringify
. PR #2065 -
Fix cache hints of
maxAge: 0
to mean "uncacheable". #2197 -
Apply
defaultMaxAge
to scalar fields on the root object. #2210 -
Don't write to the persisted query cache until execution will begin. PR #2227
-
apollo-server-azure-functions
: Added Azure Functions documentation and deployment examples PR #2131, Issue #2092
- Provide types for
graphql-upload
in a location where they can be accessed by TypeScript consumers ofapollo-server
packages. ccf935f9 Issue #2092
-
BREAKING FOR NODE.JS <= 8.5.0 ONLY: To continue using Apollo Server 2.x in versions of Node.js prior to v8.5.0, file uploads must be disabled by setting
uploads: false
on theApolloServer
constructor options. Without explicitly disabling file-uploads, the server willthrow
at launch (with instructions and a link to our documentation).This early deprecation is due to changes in the third-party
graphql-upload
package which Apollo Server utilizes to implement out-of-the-box file upload functionality. While, in general, Apollo Server 2.x aims to support all Node.js versions which were under an LTS policy at the time of its release, we felt this required an exception. Bythrow
-ing whenuploads
is not explicitly set tofalse
, we aim to make it clear immediately (rather than surprisingly) that this deprecation has taken effect.While Node.js 6.x is covered by a Long Term Support agreement by the Node.js Foundation until April 2019, there are substantial performance (e.g. V8 improvements) and language changes (e.g. "modern" ECMAScript support) offered by newer Node.js engines (e.g. 8.x, 10.x). We encourage all users of Apollo Server to update to newer LTS versions of Node.js prior to the "end-of-life" dates for their current server version.
We intend to drop support for Node.js 6.x in the next major version of Apollo Server.
For more information, see PR #2054 and our documentation.
apollo-engine-reporting
: When multiple instances ofapollo-engine-reporting
are loaded (an uncommon edge case), ensure thatencodedTraces
are handled only once rather than once per loaded instance. PR #2040
apollo-server-micro
: Set theContent-type
totext/html
for GraphQL Playground. PR #2026
- Follow-up on the update to
graphql-playground-html
in previous release by also bumping the minor version of thegraphql-playground-react
dependency to1.7.10
— which is the version requested from the from the CDN bundle bygraphql-playground-html
. PR #2037
- Fix GraphQL Playground documentation scrolling bug in Safari by updating to latest (rebased) fork of
graphql-playground-html
. PR #2037
- When
generateClientInfo
is not used to define the client name, client version and client reference ID, Apollo Server will now default to the values present in the HTTP headers of the request (apollographql-client-name
,apollographql-client-reference-id
andapollographql-client-version
respectively). As a last resort, when those headers are not set, the query extensions'clientInfo
values will be used. PR #1960
- Fixed TypeScript 2.2 compatibility via updated
apollo-tooling
dependency. Issue #195126d6c739
- Throw a more specific error when asynchronous introspection query behavior is detected. PR #1955
- Added support for an array of
modules
on theApolloServer
constructor options. Each element of themodules
can point to a module which exportstypeDefs
andresolvers
. These modules can be used in lieu of, or in combination with, directly specifyingschema
ortypeDefs
/resolvers
on the constructor options. This provides greater modularity and improved organization for logic which might be limited to a specific service.8f6481e6
. - Added
resolveObject
support to query execution.bb67584
. - Fix broken
apollo-server-cloud-functions
in 2.2.0 caused by missing TypeScript project references which resulted in the package not being published to npm in compiled form. PR #1948
- New request pipeline, including support for plugins which can implement lifecycle hooks at various stages of a request. PR #1795.
- Introduce new
apollo-server-testing
utilities. PR #1909 - Fix mocks configuration to allow disabling of mocks by using
mocks: false
, even ifmockEntireSchema
istrue
. PR #1835 - Update
graphql-playground-html
to 1.7.8. PR #1855 - Bring back Azure functions support Issue #1752 PR #1753
- Allow an optional function to resolve the
rootValue
, passing theDocumentNode
AST to determine the value. PR #1555 - Follow-up on the work in PR #1516 to also fix missing insertion cursor/caret when a custom GraphQL configuration is specified which doesn't specify its own
cursorShape
property. PR #1607 - Azure functions support Issue #1752 PR #1753 PR #1948
- Allow JSON parsing in
RESTDataSource
of Content Typeapplication/hal+json
. PR #185 - Add support for a
requestAgent
configuration parameter within theengine
configuration. This can be utilized when a proxy is necessary to transmit tracing and metrics data to Apollo Engine. It accepts either anhttp.Agent
orhttps.Agent
and behaves the same as theagent
parameter to Node.js'http.request
. PR #1879 - Allow an optional parameter to the
RESTDataSource
constructor which takes anode-fetch
-compatiblefetch
implementation that will be used for HTTP calls instead of the default fetch. PR #1807
- Updated the google-cloud-functions package to handle null paths PR #1674
- Update link inside Authentication Docs PR #1682
- Fix making sure all headers are getting reported to Engine properly when using
privateHeaders
PR #1689 - (experimental, subject to change/removal) Provide ability to specify client info in traces #1631
- Reporting: Catch Error if JSON.Stringify Fails for Engine Trace PR #1668
- Core: Allow context to be passed to all GraphQLExtension methods. PR #1547
- Fix #1581
apollo-server-micro
top level error response #1619 - Switch
ApolloServerBase.schema
from private access to protected access. #1610 - Add toggle for including error messages in reports #1615
- Fix
apollo-server-cloud-functions
tests #1611
- Update
graphql-playground-html
to 1.7.4 #1586 - Add support for
graphql-js
v14 by augmenting typeDefs with the@cacheControl
directive so SDL validation doesn't fail #1595 - Add
node-fetch
extensions typing toRequestInit
#1602
- Google Cloud Function support #1402 #1446
- Switch to a fork of
apollo-upload-server
to fix missingcore-js
dependency. #1556
- apollo-server: Release due to failed build and install
- apollo-server: failed publish
- pass payload into context function for subscriptions #1513
- Add option to mock the entire schema(i.e. sets preserveResolvers) PR #1546
- Release with Lerna 3 due
- Hapi: Allow additional route options to be passed to Hapi.js plugin. PR #1384
- express, koa: remove next after playground #1436
- Hapi: Pass the response toolkit to the context function. #1407
- update apollo-engine-reporting-protobuf to non-beta #1429
- playground would use its own settings as default #1516
- Lambda: Look in event.path first when picking endpoint for GraphQL Playground #1527
- Fix to allow enabling GraphQL Playground in production with custom config #1495
- This version failed to publish fully/correctly and should not be used.
- This version failed to publish fully/correctly and should not be used.
- export GraphQLUpload from integrations #1322
- add
cors
to vanilla #1335 - export
bodyParser.Options
to koa #1334 - add and use playground in ApolloServer constructor #1297
- breaking: remove calculate headers as function #1337
- breaking: remove
formatParams
#1331
- enable engine reporting from lambda #1313
- remove flattening of errors #1288
- dynamic url in datasource (#1277)
- BREAKING: errors are passed to user extensions, then engine reporting, and finally
formatError
(#1272) formatError
only called once on validation errors (#1272)- BREAKING: apollo-server-env does place types in global namespace (#1259)
- export Request from apollo-datasource-rest and graphql-extensions (53d7a75 c525818)
- Use scoped graphql-playground and centralize version (8ea36d8, 84233d2)
- fix dependencies + exports (#1257)
- fix data source + context cloning (7e35305)
- use fetch instead of Node request for engine-reporting (#1274)
- fix formatError to keep prototype of Error (#1235)
- Add trailing slash to data source
- allow body passed to data source
- new apollo-engine-reporting agent
- Missing apollo-upload-server dependency (#1221)
- encode trace report over each request in apollo-engine-reporting
- BREAKING: remove logFunction (71a403d), see this commit for an implementation
- move upload option to constructor (#1204)
- fixed hapi gui bugs (#1211)
- remove requirement for exModuleInterop (#1210)
- change BadUserInputError to UserInputError (#1208)
- add cache-control headers for CDN integration (#1138)
- Lambda support (thanks to @adnsio, @bwlt, and @gragio #1138)
Data sources
- Breaking:
registerServer
changed toserver.applyMiddleware
(3279991) - Breaking: subscriptions enabled with
installSubscriptionHandlers
- Add Data Sources (#1163)
- Bug fix to allow async context (#1129)
- logFunction is now an extension (#1128)
- Allow user defined extensions and include engine reporting (#1105)
- remove registerServer configuration from
apollo-server
's listen (#1090) - move health check into variants (#1086)
- Add file uploads, breaking requires removing
scalar Upload
from the typeDefs (#1071) - Add reporting to Engine as apollo-engine-reporting (#1105)
- Allow users to define extensions (#1105)
ListenOptions:
-
engine
->engineProxy
-
port
,host
, and other http options moved underhttp
key (#1080) -
subscriptions
moved toserver.listen
(#1059) -
Add mocks to server constructor (#1017)
-
Add
bodyParserConfig
parameter toregisterServer
in apollo-server (#1059) commit -
Remove tests and guaranteed support for Node 4 PR #1024
-
Cleanup docs PR #1233
- [Issue #626] Integrate apollo-fastify plugin. PR #1013
- add hapi 16 next() invocation PR #743
- Add skipValidation option PR #839
apollo-server-module-graphiql
: adds an option to the constructor to disable url rewriting when editing a query PR #1047- Upgrade
subscription-transport-ws
to 0.9.9 for GraphiQL
- Recognize requests with Apollo Persisted Queries and return
PersistedQueryNotSupported
to the client instead of a confusing error. PR #982
apollo-server-adonis
: TheContent-type
of an operation response will now be correctly set toapplication/json
. PR #842 PR #910apollo-server-azure-functions
: Fix non-functional Azure Functions implementation and update examples in Azure Functions'README.md
. PR #753 Issue #684- Fix
TypeError
on GET requests with missingquery
parameter. PR #964 - The typing on the context of
GraphQLServerOptions
now matches the equivalent type used bygraphql-tools
. PR #919 - Middleware handlers now used named (rather than anonymous) functions to enable easier identification during debugging/profiling. PR #827
- The
npm-check-updates
package has been removed as a "dev dependency" which was resulting in an older version ofnpm
being used during testing. PR #959 - The typing on
HttpQueryRequest
'squery
attribute now enforces that its object properties' keys beString
s. PR #834 - TypeScript types have been updated via updates to
@types/node
,@types/connect
,@types/koa
and@types/aws-lambda
.
- Upgrade to
[email protected]
and allow you to specify options to it (such as the newdefaultMaxAge
) by passingcacheControl: {defaultMaxAge: 5}
instead ofcacheControl: true
.
- Updated peer dependencies to support
[email protected]
. apollo-server-express
: TheGraphQLOptions
type is now exported fromapollo-server-express
in order to facilitate type checking when utilizinggraphqlExpress
,graphiqlExpress
,graphqlConnect
andgraphiqlConnect
. PR #871- Update GraphiQL version to 0.11.11. PR #914
- Updated peer dependencies and tests to support
[email protected]
. - Fix issue where the core
runQuery
method broke the ability to use the Nodeasync_hooks
feature's call stack. PR #733 - Hoist declarations of rarely used functions out of
doRunQuery
to improve performance. PR# 821
- Fixed a fatal execution error with the new
[email protected]
.
- Breaking:
apollo-server-hapi
: now supports Hapi v17, and no longer supports Hapi v16. For information on running Apollo Server 1.x with Hapi v16, check this documentation. - New package:
apollo-server-adonis
supporting the Adonis framework! - The
graphqlOptions
parameter to server GraphQL integration functions now accepts context as a function and as an object with a prototype. PR #679 apollo-server-express
: Send Content-Length header.apollo-server-micro
: Allow Micro 9 inpeerDependencies
. PR #671- GraphiQL integration:
- Recognize Websocket endpoints with secure
wss://
URLs. - Only include truthy values in GraphiQL URL.
- Recognize Websocket endpoints with secure
- New feature: Add support for Apollo Cache Control. Enable
apollo-cache-control
by passingcacheControl: true
to your server's GraphQL integration function. - Include README.md in published npm packages.
- Added support for the vhost option for Hapi PR #611
- Fix dependency on
apollo-tracing
to be less strict.
(v1.1.4 had a major bug and was immediately unpublished. v1.1.5 was identical to v1.1.6.)
- GraphiQL integration: Fixes bug where CORS would not allow
Access-Control-Allow-Origin: *
with credential 'include', changed to 'same-origin' Issue #514 - Updated peer dependencies to support
[email protected]
.
- Fixed bug with no URL query params with GraphiQL on Lambda Issue #504 PR #512
- Added support for Azure Functions #503
- Added ability to provide custom default field resolvers #482
- Add
tracing
option to collect and expose trace data in the Apollo Tracing format - Add support for GraphiQL editor themes in #484 as requested in #444
- Add support for full websocket using GraphiQL #491
- Updated restify lib (@yucun) in #472
- Updated package apollo-server-micro, updated micro in devDependencies and peerDependencies to ^8.0.1
- Revert #463, because it's a breaking change that shouldn't have been a patch update.
- Rename packages from graphql-server- to apollo-server- #465. We'll continue to publish
graphql-server-
packages that depend on the renamedapollo-server-
packages for the time being, to ensure backwards compatibility.
- Add package readmes for Express, Hapi, Koa, Restify (@helfer) in #442
- Updated & fixed typescript typings (@helfer) in #440
- Fix: graphql-server-micro now properly returns response promises #401
- Fix issue with auto-updating dependencies that caused fibers to update accidentally (@helfer) on #425
- Persist
window.location.hash
on URL updates #386 - Added support for
graphql-js
> 0.10.0 #407 - Updated
subscriptions-transport-ws
for GraphiQL with subscriptions #407
- Fix include passHeader field that was accidentally removed
- Fix GraphiQL fetcher to use endpointURL parameter instead of hardcoded URI.#365
- Add Zeit Micro Integration #324
- add support for subscriptionURL to GraphiQL (@urigo on #320
- Restify: Fix for calling next() (@jadkap) on #285
- Breaking: Update all dependencies #329
- Add AWS Lambda Integration PR #247
- Update GraphiQL to version 0.9.1 (@ephemer) on #293
- Restify integration (@joelgriffith) on #189
- run batched requests in parallel (@DxCx) on #273
- Fix GraphiQL options variables. Issue #193. (@alanchristensen) on PR #255
- Allow [email protected] as peerDependency (@Chris-R3) on PR #278
- Switch graphql typings for typescript to @types/graphql #260
- Restructure Apollo Server into 6 new packages, and rename to GraphQL Server (@DxCx) and (@stubailo) in #183 and #164.
- There are now 6 packages that make up the GraphQL server family:
graphql-server-core
graphql-module-graphiql
graphql-module-operation-store
graphql-server-express
graphql-server-hapi
graphql-server-koa
- Exports have been renamed. Everything that used to export
apollo*
now exportsgraphql*
, for exampleapolloExpress
has becomegraphqlExpress
. - The repository is now managed using Lerna.
- Fix passHeader option in GraphiQL (Both Hapi and Koa)
- Pass
ctx
instead ofctx.request
to options function in Koa integration (@HriBB) in PR #154 - Manage TypeScript declaration files using npm. (@od1k in #162)
- Fix connect example in readme. (@conrad-vanl in #165)
- Add try/catch to formatError. (@nicolaslopezj in #174)
- Clone context object for each query in a batch.
- Refactor Hapi integration to improve the API and make the plugins more idiomatic. (@nnance) in PR #127
- Fixed query batching with Hapi integration. Issue #123 (@nnance) in PR #127
- Add support for route options in Hapi integration. Issue #97. (@nnance) in PR #127
- CamelCase Hapi. Issue #129. (@nnance) in PR #132
- Fix error handling when parsing variables parameter. Issue #130. (@nnance) in PR #131
- Improve logging function. Issue #79. (@nnance) in PR #136
- Output stack trace for errors in debug mode. Issue #111. (@nnance) in PR #137
- Allow to pass custom headers in GraphiQL (@nicolaslopezj in #133).
- Expose the OperationStore as part of the public API. (@nnance)
- Support adding parsed operations to the OperationStore. (@nnance)
- Expose ApolloOptions as part of the public API.
- Complete refactor of Apollo Server using TypeScript. PR #41
- Added Hapi integration (@nnance in #46)
- Added Koa integration (@HriBB in #59)
- Changed express integration to support connect as well (@helfer in #58)
- Dropped express-graphql dependency
- Dropped support for GET requests, only POST requests are allowed now
- Split GraphiQL into a separate middleware
- Factored out core to support Hapi, Koa and connect implementations
- Added support for query batching
- Added support for query whitelisting / stored queries
- Removed body parsing from express integration. Body must be parsed outside of apollo now
- Added
formatRequest
andformatResponse
functions to apollo options. - Removed support for shorthand schema definitions, connectors and mocks (use
graphql-tools
instead)
- BUG: Fixed a bug with tracer mocks that would throw a TypeError when using Ava #26
- Updated graphql dependency to 0.6.0