fix(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@apollo/server (source)	4.10.0 → 4.13.0			dependencies	minor
@grpc/grpc-js (source)	1.10.1 → 1.14.3			dependencies	minor
@grpc/proto-loader (source)	0.7.10 → 0.8.0			dependencies	minor
@nestjs/apollo	12.1.0 → 12.2.2			dependencies	minor
@nestjs/common (source)	10.3.3 → 10.4.22			dependencies	minor
@nestjs/core (source)	10.3.3 → 10.4.22			dependencies	minor
@nestjs/cqrs	10.2.7 → 10.2.8			dependencies	patch
@nestjs/graphql	12.1.1 → 12.2.2			dependencies	minor
@nestjs/microservices (source)	10.3.3 → 10.4.22			dependencies	minor
@nestjs/platform-fastify (source)	10.3.3 → 10.4.22			dependencies	minor
@nestjs/swagger	7.3.0 → 7.4.2			dependencies	minor
@types/node (source)	20.11.24 → 20.19.39			devDependencies	minor
class-validator	0.14.1 → 0.15.1			dependencies	minor
dotenv	16.4.5 → 16.6.1			dependencies	minor
envalid	8.0.0 → 8.1.1			dependencies	minor
eslint (source)	8.57.0 → 8.57.1			devDependencies	patch
eslint-import-resolver-typescript	3.6.1 → 3.10.1			devDependencies	minor
eslint-plugin-import	2.29.1 → 2.32.0			devDependencies	minor
eslint-plugin-prettier	5.1.3 → 5.5.5			devDependencies	minor
graphql	16.8.1 → 16.13.2			dependencies	minor
graphql-scalars	1.22.5 → 1.25.0			dependencies	minor
lint-staged	15.2.2 → 15.5.2			devDependencies	minor
pnpm/action-setup	v2.4.0 → v2.4.1			action	patch
prettier (source)	3.2.5 → 3.8.1			devDependencies	minor
reflect-metadata (source)	0.2.1 → 0.2.2			dependencies	patch
rimraf	5.0.5 → 5.0.10			devDependencies	patch
rxjs (source)	7.8.1 → 7.8.2			dependencies	patch
ts-jest (source)	29.1.2 → 29.4.9			devDependencies	minor
turbo (source)	1.12.4 → 1.13.4			devDependencies	minor
typescript (source)	5.3.3 → 5.9.3			devDependencies	minor

---

Release Notes

apollographql/apollo-server (@​apollo/server)

v4.13.0

Compare Source

Minor Changes

• #​8180 e9d49d1 Thanks @​github-actions! - ⚠️ SECURITY @apollo/server/standalone:

  The default configuration of startStandaloneServer was vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings.

  In accordance with RFC 7159, we now only accept request bodies encoded in UTF-8, UTF-16 (LE or BE), or UTF-32 (LE or BE).
  Any other character set will be rejected with a 415 Unsupported Media Type error.
  Additionally, upstream libraries used by this version of Apollo Server may not support all of these encodings, so some requests may still fail even if they pass this check.

  If you were not using startStandaloneServer, you were not affected by this vulnerability.

  Generally, please note that we provide startStandaloneServer as a convenience tool for quickly getting started with Apollo Server.
  For production deployments, we recommend using Apollo Server with a more fully-featured web server framework such as Express, Koa, or Fastify, where you have more control over security-related configuration options.

  Also please note that Apollo Server 4.x is considered EOL as of January 26, 2026, and Apollo no longer commits to providing support or updates for it. Please prioritize migrating to Apollo Server 5.x for continued support and updates.

v4.12.2

Compare Source

(No change; there is a change to the @apollo/server-integration-testsuite used to test integrations, and the two packages always have matching versions.)

v4.12.1

Compare Source

Patch Changes

• #​8064 41f98d4 Thanks @​glasser! - Update README.md to recommend Express v5 integration now that Express v5 is released.

v4.12.0

Compare Source

Minor Changes

• #​8054 89e3f84 Thanks @​clenfest! - Adds a new graphql-js validation rule to reject operations that recursively request selections above a specified maximum, which is disabled by default. Use configuration option maxRecursiveSelections=true to enable with a maximum of 10,000,000, or maxRecursiveSelections=<number> for a custom maximum. Enabling this validation can help avoid performance issues with configured validation rules or plugins.

Patch Changes

• #​8031 2550d9f Thanks @​slagiewka! - Add return after sending 400 response in doubly escaped JSON parser middleware

v4.11.3

Compare Source

Patch Changes

• #​8010 f4228e8 Thanks @​glasser! - Compatibility with Next.js Turbopack. Fixes #​8004.

v4.11.2

Compare Source

(No change; there is a change to the @apollo/server-integration-testsuite used to test integrations, and the two packages always have matching versions.)

v4.11.1

Compare Source

Patch Changes

• #​7952 bb81b2c Thanks @​glasser! - Upgrade dependencies so that automated scans don't detect a vulnerability.

  @apollo/server depends on express which depends on cookie. Versions of express older than v4.21.1 depend on a version of cookie vulnerable to CVE-2024-47764. Users of older express versions who call res.cookie() or res.clearCookie() may be vulnerable to this issue.

  However, Apollo Server does not call this function directly, and it does not expose any object to user code that allows TypeScript users to call this function without an unsafe cast.

  The only way that this direct dependency can cause a vulnerability for users of Apollo Server is if you call startStandaloneServer with a context function that calls Express-specific methods such as res.cookie() or res.clearCookies() on the response object, which is a violation of the TypeScript types provided by startStandaloneServer (which only promise that the response object is a core Node.js http.ServerResponse rather than the Express-specific subclass). So this vulnerability can only affect Apollo Server users who use unsafe JavaScript or unsafe as typecasts in TypeScript.

  However, this upgrade will at least prevent vulnerability scanners from alerting you to this dependency, and we encourage all Express users to upgrade their project's own express dependency to v4.21.1 or newer.

v4.11.0

Compare Source

Minor Changes

• #​7916 4686454 Thanks @​andrewmcgivery! - Add hideSchemaDetailsFromClientErrors option to ApolloServer to allow hiding 'did you mean' suggestions from validation errors.

  Even with introspection disabled, it is possible to "fuzzy test" a graph manually or with automated tools to try to determine the shape of your schema. This is accomplished by taking advantage of the default behavior where a misspelt field in an operation
  will be met with a validation error that includes a helpful "did you mean" as part of the error text.

  For example, with this option set to true, an error would read Cannot query field "help" on type "Query". whereas with this option set to false it would read Cannot query field "help" on type "Query". Did you mean "hello"?.

  We recommend enabling this option in production to avoid leaking information about your schema to malicious actors.

  To enable, set this option to true in your ApolloServer options:

  const server = new ApolloServer({
    typeDefs,
    resolvers,
    hideSchemaDetailsFromClientErrors: true,
  });

v4.10.5

Compare Source

Patch Changes

• #​7821 b2e15e7 Thanks @​renovate! - Non-major dependency updates

• #​7900 86d7111 Thanks @​trevor-scheer! - Inline a small dependency that was causing build issues for ESM projects

v4.10.4

Compare Source

Patch Changes

• #​7871 18a3827 Thanks @​tninesling! - Subscription heartbeats are initialized prior to awaiting subscribe(). This allows long-running setup to happen in the returned Promise without the subscription being terminated prior to resolution.

v4.10.3

Compare Source

Patch Changes

• #​7866 5f335a5 Thanks @​tninesling! - Catch errors thrown by subscription generators, and gracefully clean up the subscription instead of crashing.

v4.10.2

Compare Source

Patch Changes

• #​7849 c7e514c Thanks @​TylerBloom! - In the subscription callback server plugin, terminating a subscription now immediately closes the internal async generator. This avoids that generator existing after termination and until the next message is received.

v4.10.1

Compare Source

Patch Changes

• #​7843 72f568e Thanks @​bscherlein! - Improves timing of the willResolveField end hook on fields which return Promises resolving to Arrays. This makes the use of the setCacheHint method more reliable.

grpc/grpc-node (@​grpc/grpc-js)

v1.14.3: @​grpc/grpc-js 1.14.3

Compare Source

• Send halfClose immediately after messages to prevent late halfClose issues with Envoy (#​3031 contributed by @​serkanerip)

v1.14.2: @​grpc/grpc-js 1.14.2

Compare Source

• Fix server keep alive timeout not properly destroying connections (#​3022 contributed by @​mattias-wiberg)

v1.14.1: @​grpc/grpc-js 1.14.1

Compare Source

• Fix a regression of the settings used internally for HTTP/2 sessions (#​3023)

v1.14.0: @​grpc/grpc-js 1.14.0

Compare Source

Changelog

• Add getAuthContext method to client and server call classes (more details can be found in gRFC L35) (#​2920)
• Implement custom backend metrics support (gRFC A51) (#​2978, #​2983, #​2985, #​2986, #​2999)
• Add getConnectionInfo method to the ServerInterceptingCall class (#​2922)
• Implement the weighted_round_robin load balancing policy (#​2998)
• Fix jitter behavior for client retries (#​2960 contributed by @​ekscentrysytet)
• Start connecting from a random index in the round_robin LB policy (#​2979)
• Send connection-level WINDOW_UPDATE at session start (#​2971 contributed by @​KoenRijpstra)

Experimental API Changes

Added:

• CHANNEL_ARGS_CONFIG_SELECTOR_KEY
• StatusOr<T>
• CallStream
• statusOrFromValue
• statusOrFromError

Modified:

• ResolverListener#onSuccessfulResolution now has the signature (endpointList: StatusOr<Endpoint[]>, attributes: { [key: string]: unknown }, serviceConfig: StatusOr<ServiceConfig> | null, resolutionNote: string): boolean
• LoadBalancer#updateAddressList now has the signature `updateAddressList(endpointList: StatusOr<Endpoint[]>,lbConfig: TypedLoadBalancingConfig, channelOptions: ChannelOptions, resolutionNote: string): boolean

v1.13.4: @​grpc/grpc-js 1.13.4

Compare Source

• Fix ability to set SNI with ssl_target_name_override option (#​2956)

v1.13.3: @​grpc/grpc-js 1.13.3

Compare Source

• Disable Nagle's algorithm (#​2936)
• Avoid calling http2.getDefaultSettings (#​2937)

v1.13.2: @​grpc/grpc-js 1.13.2

Compare Source

• Fix a bug that caused clients to be unable to connect through local proxies (#​2933)

v1.13.1: @​grpc/grpc-js 1.13.1

Compare Source

• Fix a bug that caused the rejectUnauthorized channel credentials option to be handled incorrectly (#​2926)
• Fix a bug that caused the client to never send retries if any retryThrottling config was set (#​2927)
• Fix a bug that caused clients to incorrectly send retries if the feature was disabled by a channel option and a retry config was provided (#​2927)

v1.13.0

Compare Source

v1.12.6

Compare Source

• Allow garbage collection of IDLE channels (#​2896)

v1.12.5: @​grpc/grpc-js 1.12.5

Compare Source

• Prioritize HTTP status errors over message decoding errors (#​2873)

v1.12.4: @​grpc/grpc-js 1.12.4

Compare Source

• Prioritize reporting UNAVAILABLE status when handing connection drops (#​2862)

v1.12.3: @​grpc/grpc-js 1.12.3

Compare Source

• Report UNAVAILABLE if possible when handling connection drops (#​2861)

v1.12.2: @​grpc/grpc-js 1.12.2

Compare Source

• Use util.promisify instead of fs/promises for Node 12 compatibility (#​2838)

v1.12.1: @​grpc/grpc-js 1.12.1

Compare Source

• Port bugfixes from 1.11.x into 1.12.x (#​2836)

v1.12.0: @​grpc/grpc-js 1.12.0

Compare Source

Changelog

• Provide the method_name for the CallCredentials callback generateMetadata (#​2814 contributed by @​becoded)
• Add an optional rejectUnauthorized field to the VerifyOptions interface, which can be passed as an argument to credentials.createSsl and createFromSecureContext (#​2812 contributed by @​vinothsa4891)

Experimental API changes

Added:

• CaCertificateUpdate
• CaCertificateUpdateListener
• IdentityCertificateUpdate
• IdentityCertificateUpdateListener
• CertificateProvider
• FileWatcherCertificateProvider
• FileWatcherCertificateProviderConfig
• createCertificateProviderChannelCredentials
• createCertificateProviderServerCredentials

Modified:

• LoadBalancer: The constructor now takes an additional argument of type ChannelCredentials.
• ChannelControlHelper#createSubchannel: Now takes an additional argument of type ChannelCredentials | null. This should be passed along if overriding this function.
• LeafLoadBalancer: The constructor now takes an additional argument of type ChannelCredentials.

v1.11.3: @​grpc/grpc-js 1.11.3

Compare Source

• Ensure the client queries the name resolver again after connections drop while using the round_robin load balancing policy (#​2825)

v1.11.2: @​grpc/grpc-js 1.11.2

Compare Source

• Fix client crash on receiving a custom error code (#​2801 contributed by @​hastom)
• Report connection errors more consistently (#​2808)
• Avoid computing the channel constructor trace log when that tracer is not enabled (#​2817 contributed by @​ygalbel)

v1.11.1: @​grpc/grpc-js 1.11.1

Compare Source

• Revert a change that used APIs that were not available in early minor versions of Node 14 (#​2799 contributed by @​xqin)

v1.11.0: @​grpc/grpc-js 1.11.0

Compare Source

Changelog

• Add Server connection injection API as described in gRFC L114 (#​2675)
• Implement support for an alternate DNS resolver that supports custom authorities (#​2776 contributed by @​gkampitakis)
• Add a channel option to configure retry attempt limits (#​2795)
• Add a getHost method to server call objects (#​2783, #​2793)
• Fix typos and omissions in service config validation errors (#​2782 contributed by @​matthewbinshtok)

Experimental API changes

Added:

• splitHostPort
• HostPort
• createServerCredentialsWithInterceptors

v1.10.11: @​grpc/grpc-js 1.10.11

Compare Source

• Fix a bug that caused clients to reconnect unnecessarily while no requests are pending. (#​2784)
• Fix a bug that caused clients to fail to re-establish existing connections while waiting for DNS results (#​2784)
• Fix a bug that caused servers to sometimes not close idle connections depending on timing (#​2790)
• Fix a bug that caused calls to be pending indefinitely while unable to start after a channel is closed (#​2791)

v1.10.10: @​grpc/grpc-js 1.10.10

Compare Source

• Various improvements to handling of keepalive timers (#​2760 by @​davidfiala)
• Fix a bug causing unary response client requests to hang when unexpectedly receiving multiple messages (#​2772)
• Fix a bug causing some requests to fail when making requests through a local proxy (#​2746 contributed by @​mjameswh, backported in #​2777)
• Fix handling of URL-encoded user credentials in proxy configuration (#​2761 contributed by @​brendan-myers, backported in #​2777)
• Fix missing client-side handling of the grpc.max_send_message_length channel option (#​2779)

v1.10.9: @​grpc/grpc-js 1.10.9

Compare Source

• Avoid buffering significantly more than grpc.max_receive_message_size per received message.

v1.10.8: @​grpc/grpc-js 1.10.8

Compare Source

• Fix a bug that caused channels with unix: targets to not reconnect after the channel goes idle (#​2750)

v1.10.7: @​grpc/grpc-js 1.10.7

Compare Source

• Improve reporting of HTTP error codes (#​2723)
• Update dependency on @grpc/proto-loader to the latest version (#​2732)

v1.10.6: @​grpc/grpc-js 1.10.6

Compare Source

• Fix a bug that could cause a server to sometimes send the status early (#​2708)

v1.10.5: @​grpc/grpc-js 1.10.5

Compare Source

• Resolve exception when Error.stackTraceLimit is undefined (#​2701 contributed by @​davidfiala)
• Call configured checkServerIdentity when grpc.ssl_target_name_override is set (#​2704)
• Add more information to DEADLINE_EXCEEDED error details strings (#​2692)

v1.10.4: @​grpc/grpc-js 1.10.4

Compare Source

• Fix a bug that caused server interceptors to crash when using partially-populated ResponderBuilder and ListenerBuilder objects (#​2696)
• Avoid sending RST_STREAM from the client when the server has already finished its side of the stream (#​2695)

v1.10.3: @​grpc/grpc-js 1.10.3

Compare Source

• Revert client reconnection changes in #​2680 (#​2691)

v1.10.2: @​grpc/grpc-js 1.10.2

Compare Source

• Implement server connection idle timeouts and improve channelz performance (#​2677 contributed by @​AVVS)
• Fix a bug that caused clients to automatically reconnect even when there were no active requests (#​2680)
• Modify order of server call events to more closely match pre-1.10.x behavior (#​2683)

nestjs/graphql (@​nestjs/apollo)

v12.2.2

Compare Source

12.2.2 (2024-12-04)

Enhancements

• graphql
  • #​3346 refactor(graphql/lib): definitions generator defaultTypeMapping type reinforcement (@​Neosoulink)

Dependencies

• mercurius
  • #​3400 chore(deps): update dependency fastify to v4.29.0 (@​renovate[bot])
• Other
  • #​3370 chore(deps): update dependency graphql-subscriptions to v3 (@​renovate[bot])
• graphql
  • #​3368 fix(deps): update dependency @​nestjs/mapped-types to v2.0.6 (@​renovate[bot])
  • #​3349 fix(deps): update dependency uuid to v11 (@​renovate[bot])
  • #​3372 fix(deps): update graphql-tools monorepo (@​renovate[bot])
• apollo, graphql, mercurius
  • #​3360 fix(deps): update dependency tslib to v2.8.1 (@​renovate[bot])

Committers: 2

• Antonio Tripodi (@​Tony133)
• Nathan M. (@​Neosoulink)

v12.2.1

Compare Source

12.2.1 (2024-10-23)

Bug fixes

• graphql
  • #​3270 fix(graphql): avoid partial field declarations from inherited metadata with cli plugin (@​CarsonF)
  • #​3154 fix(graphql): fix case of generated method return and parameter types (@​domusofsail)

Enhancements

• apollo
  • #​3330 feat(apollo): map unprocessable entity code to bad user input (@​kishieel)
• graphql
  • #​3276 feat(@​nestjs/graphql): add support for skipNullProperties in PartialType (@​bloom-alex)

Dependencies

• Other
  • #​3236 chore(deps): update dependency release-it to v17.10.0 - autoclosed (@​renovate[bot])
  • #​3342 chore(deps): update dependency @​types/jest to v29.5.14 (@​renovate[bot])
  • #​3343 chore(deps): update dependency @​types/node to v20.16.15 (@​renovate[bot])
  • #​3333 chore(deps): update dependency eslint to v9.13.0 (@​renovate[bot])
  • #​3304 chore(deps): bump micromatch from 4.0.5 to 4.0.8 (@​dependabot[bot])
  • #​3334 chore(deps): update typescript-eslint monorepo to v8.10.0 (@​renovate[bot])
  • #​3331 chore(deps): update dependency @​types/node to v20.16.13 (@​renovate[bot])
  • #​3332 chore(deps): update dependency typescript to v5.6.3 (@​renovate[bot])
  • #​3266 chore(deps): bump tar from 6.1.15 to 6.2.1 (@​dependabot[bot])
  • #​3297 chore(deps): bump axios from 1.6.7 to 1.7.4 (@​dependabot[bot])
  • #​3312 chore(deps): bump dset from 3.1.2 to 3.1.4 (@​dependabot[bot])
  • #​3230 chore(deps): update commitlint monorepo to v19.3.0 (@​renovate[bot])
  • #​3231 chore(deps): update dependency @​types/node to v20.14.9 (@​renovate[bot])
• graphql
  • #​3338 chore(deps): update dependency ts-morph to v24 (@​renovate[bot])
  • #​3243 fix(deps): update dependency uuid to v10 (@​renovate[bot])
  • #​3246 fix(deps): update graphql-tools monorepo (@​renovate[bot])
  • #​3233 chore(deps): update dependency graphql to v16.9.0 (@​renovate[bot])
• apollo, graphql, mercurius
  • #​3306 fix(deps): update dependency tslib to v2.8.0 (@​renovate[bot])

Committers: 4

• Carson Full (@​CarsonF)
• Tomasz Kisiel (@​kishieel)
• @​bloom-alex
• @​domusofsail

v12.2.0

Compare Source

v12.2.0 (2024-07-02)

Bug fixes

• graphql
  • #​3157 fix(graphql): add deprecationReason to ArgsOptions (@​hayatekiribayashi)
  • #​3219 fix(graphql): ensure scalarsMap in buildSchemaOptions is respected (@​ssut)
• apollo, graphql
  • #​3171 fix(apollo): federation interface resolver (@​mattia-lau)

Enhancements

• apollo, graphql
  • #​3222 feat(graphql): add support for option newline at the end of schema file (@​sabolch)

Docs

• graphql
  • #​3150 docs(graphql): added jsdoc for debug and introspection. Closes #​3142 (@​aarontravass)

Dependencies

• Other
  • #​3228 chore(deps): update dependency ts-jest to v29.1.5 (@​renovate[bot])
  • #​3227 chore(deps): update dependency rimraf to v5.0.7 (@​renovate[bot])
  • #​3223 chore(deps): update dependency lerna to v8.1.5 (@​renovate[bot])
  • #​3225 chore(deps): update dependency lint-staged to v15.2.7 (@​renovate[bot])
  • #​3217 fix(deps): update dependency ws to v8.17.1 [security] - autoclosed (@​renovate[bot])
  • #​3199 chore(deps): update node.js to v21.7 (@​renovate[bot])
  • #​3207 chore(deps): bump ejs from 3.1.9 to 3.1.10 (@​dependabot[bot])
  • #​3187 chore(deps): bump follow-redirects from 1.15.5 to 1.15.6 (@​dependabot[bot])
  • #​3220 chore(deps): bump braces from 3.0.2 to 3.0.3 (@​dependabot[bot])
  • #​3192 chore(deps): bump undici from 5.26.3 to 5.28.3 (@​dependabot[bot])
  • #​3160 chore(deps): bump ip from 1.1.8 to 1.1.9 (@​dependabot[bot])
• apollo, graphql, mercurius
  • #​3229 fix(deps): update dependency tslib to v2.6.3 (@​renovate[bot])
• mercurius
  • #​3195 chore(deps): update dependency mercurius to v14 (@​renovate[bot])
  • #​3197 chore(deps): update dependency @​mercuriusjs/gateway to v3.0.1 - autoclosed (@​renovate[bot])
  • #​3203 feat(mercurius): upgrade to mercurius v14 (@​Tony133)
• graphql
  • #​3226 chore(deps): update dependency reflect-metadata to v0.2.2 (@​renovate[bot])
  • #​3144 fix(deps): update dependency graphql-ws to v5.16.0 (@​renovate[bot])
  • #​3159 fix(deps): update graphql-tools monorepo (@​renovate[bot])
  • #​3221 chore(deps): bump ws from 8.16.0 to 8.17.1 in /packages/graphql ([@​dependabot[bot]](https://redirect.github.com

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 99.36%. Comparing base (d47e31a) to head (7a8e1f7).

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #77   +/-   ##
=======================================
  Coverage   99.36%   99.36%           
=======================================
  Files         110      110           
  Lines         947      947           
  Branches       45       45           
=======================================
  Hits          941      941           
  Misses          6        6           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

---

🚨 Try these New Features:

• Flaky Tests Detection - Detect and resolve failed and flaky tests
• JS Bundle Analysis - Avoid shipping oversized bundles