fix(deps): update external-major (major)#153
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
Contributor
|
|
Overall Grade |
Security Reliability Complexity Hygiene |
Code Review Summary
| Analyzer | Status | Updated (UTC) | Details |
|---|---|---|---|
| JavaScript | Jul 16, 2026 4:45p.m. | Review ↗ |
Important
AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.
c2033ad to
29c8dca
Compare
29c8dca to
3287226
Compare
98a5b5e to
2c31797
Compare
340629c to
67037b6
Compare
045a25a to
02b8067
Compare
30ec0e1 to
5d36c6d
Compare
e38ed39 to
eae51d6
Compare
5b06953 to
ac3ae5e
Compare
a48ca2f to
e2af8af
Compare
a3d9c8f to
f0374b6
Compare
ba43237 to
84c6f65
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^4.13.0→^5.5.1^3.2.0→^4.1.0^20.4.3→^21.2.1^20.4.3→^21.2.0^5.22.0→^7.8.0^22.19.15→^24.13.3^4.7.0→^6.0.3v4→v6v4→v7v4→v7^16.6.1→^17.4.2^16.13.1→^17.0.2^3.0.1→^4.1.0^25.0.1→^29.1.1^5.86.0→^6.27.0^1.13.6→^2.1.10^28.21.1→^33.9.0v2→v6^5.22.0→^7.8.0^2.6.1→^3.6.0^3.4.19→^4.3.3^5.9.3→^7.0.2^6.5.1→^7.9.4Release Notes
apollographql/apollo-server (@apollo/server)
v5.5.1Compare Source
Patch Changes
3f46c51Thanks @mhassan1! - Replace dependencyuuidwith calls tocrypto.randomUUID.v5.5.0Compare Source
Minor Changes
#8191⚠️ SECURITY
ada1200Thanks @glasser! -@apollo/server/standalone:Apollo Server now rejects GraphQL
GETrequests which contain aContent-Typeheader other thanapplication/json(with optional parameters such as; charset=utf-8). Any other value is now rejected with a 415 status code.(GraphQL
GETrequests without aContent-Typeheader are still allowed, though they do still need to contain a non-emptyX-Apollo-Operation-NameorApollo-Require-Preflightheader to be processed if the default CSRF prevention feature is enabled.)This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.
If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.
This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty
Content-Typeheaders withGETrequests with types other thanapplication/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.See advisory GHSA-9q82-xgwf-vj6h for more details.
v5.4.0Compare Source
Minor Changes
d25a5bdThanks @phryneas! -@apollo/server/standalone:The default configuration of
startStandaloneServerwas vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings.In accordance with RFC 7159, we now only accept request bodies encoded in UTF-8, UTF-16 (LE or BE), or UTF-32 (LE or BE).
Any other character set will be rejected with a
415 Unsupported Media Typeerror.Note that the more recent JSON RFC, RFC 8259, is more strict and will only allow UTF-8.
Since this is a minor release, we have chosen to remain compatible with the more permissive RFC 7159 for now.
In a future major release, we may tighten this restriction further to only allow UTF-8.
If you were not using
startStandaloneServer, you were not affected by this vulnerability.Generally, please note that we provide
startStandaloneServeras a convenience tool for quickly getting started with Apollo Server.For production deployments, we recommend using Apollo Server with a more fully-featured web server framework such as Express, Koa, or Fastify, where you have more control over security-related configuration options.
v5.3.0Compare Source
Minor Changes
#8062
8e54e58Thanks @cristunaranjo! - Allow configuration of graphql execution options (maxCoercionErrors)#8014
26320bcThanks @mo4islona! - Exposegraphqlvalidation options.v5.2.0Compare Source
Minor Changes
#8161
51acbebThanks @jerelmiller! - Fix an issue where some bundlers would fail to build because of the dynamic import for the optional peer dependency on@yaacovcr/transformintroduced in@apollo/server5.1.0. To provide support for the legacy incremental format, you must now provide thelegacyExperimentalExecuteIncrementallyoption to theApolloServerconstructor.If the
legacyExperimentalExecuteIncrementallyoption is not provided and the client sends anAcceptheader with a value ofmultipart/mixed; deferSpec=20220824, an error is returned by the server.v5.1.0Compare Source
Minor Changes
#8148
80a1a1aThanks @jerelmiller! - Apollo Server now supports the incremental delivery protocol (@deferand@stream) that ships withgraphql@17.0.0-alpha.9. To use the current protocol, clients must send theAcceptheader with a value ofmultipart/mixed; incrementalSpec=v0.2.Upgrading to 5.1 will depend on what version of
graphqlyou have installed and whether you already support the incremental delivery protocol.v5.0.0Compare Source
BREAKING CHANGES
Apollo Server v5 has very few breaking API changes. It is a small upgrade focused largely on adjusting which versions of Node.js and Express are supported.
Read our migration guide for more details on how to update your app.
graphqllibrary older thanv16.11.0. (Apollo Server 4 supportsgraphqlv16.6.0or later.) Upgradegraphqlbefore upgrading Apollo Server.@apollo/server/express4, or you could import it from the separate package@as-integrations/express4. In Apollo Server 5, you must import it from the separate package. You can migrate your server to the new package before upgrading to Apollo Server 5. (You can also use@as-integrations/express5for a middleware that works with Express 5.)fetchimplementation for HTTP requests by default, instead of thenode-fetchnpm package. If your server uses an HTTP proxy to make HTTP requests, you need to configure it in a slightly different way. See the migration guide for details.startStandaloneServerno longer uses Express. This is mostly invisible, but it does set slightly fewer headers. If you rely on the fact that this server is based on Express, you should explicitly use the Express middleware.@deferand@stream(which requires using a pre-release version ofgraphqlv17) now explicitly only works with version17.0.0-alpha.2ofgraphql. Note that this supports the same incremental delivery protocol implemented by Apollo Server 4, which is not the same protocol in the latest alpha version ofgraphql. As this support is experimental, we may switch over from "onlyalpha.2is supported" to "only a newer alpha or final release is supported, with a different protocol" during the lifetime of Apollo Server 5.variablesmap for a variable declared in the operation as aString) with a 400 status code, indicating a client error. This is also the behavior of Apollo Server 3. Apollo Server 4 mistakenly responds to these requests with a 200 status code by default; we recommended the use of thestatus400ForVariableCoercionErrors: trueoption to restore the intended behavior. That option now defaults to true.precomputedNonceoption to landing page plugins (which was only non-deprecated for 8 days) has been removed.Patch Changes
There are a few other small changes in v5:
#8076
5b26558Thanks @valters! - Fix some error logs to properly calllogger.errororlogger.warnwiththisset. This fixes errors or crashes from logger implementations that expectthisto be set properly in their methods.#7515
100233aThanks @trevor-scheer! - ApolloServerPluginSubscriptionCallback now takes afetcherargument, like the usage and schema reporting plugins. The default value is Node's built-in fetch.Updated dependencies [
100233a]:apollo-server-integrations/apollo-server-integration-next (@as-integrations/next)
v4.1.0Compare Source
Minor Changes
87f9e0fThanks @martinnabhan! - Add support for Next.js 16v4.0.0Compare Source
Major Changes
#264
2572fcaThanks @karl-run! - Add support for Apollo Server 5This release drops support for Apollo Server 4, and since Apollo Server 5 drops support for Node.js 18
we're also dropping support for Node.js 18.
conventional-changelog/commitlint (@commitlint/cli)
v21.2.1Compare Source
Note: Version bump only for package @commitlint/cli
v21.2.0Compare Source
Features
v21.1.0Compare Source
Features
21.0.2 (2026-05-29)
Bug Fixes
21.0.1 (2026-05-12)
Note: Version bump only for package @commitlint/cli
v21.0.2Compare Source
Bug Fixes
v21.0.1Compare Source
Note: Version bump only for package @commitlint/cli
v21.0.0Compare Source
BREAKING CHANGES
Co-authored-by: Claude Opus 4.6 (1M context) noreply@anthropic.com
20.5.3 (2026-04-30)
Note: Version bump only for package @commitlint/cli
20.5.2 (2026-04-25)
Note: Version bump only for package @commitlint/cli
v20.5.3Compare Source
Note: Version bump only for package @commitlint/cli
v20.5.2Compare Source
Note: Version bump only for package @commitlint/cli
v20.5.0Compare Source
Bug Fixes
20.4.4 (2026-03-12)
Note: Version bump only for package @commitlint/cli
20.4.3 (2026-03-03)
Bug Fixes
20.4.2 (2026-02-19)
Note: Version bump only for package @commitlint/cli
20.4.1 (2026-02-02)
Note: Version bump only for package @commitlint/cli
v20.4.4Compare Source
Note: Version bump only for package @commitlint/cli
conventional-changelog/commitlint (@commitlint/config-conventional)
v21.2.0Compare Source
Features
v21.1.0Compare Source
Note: Version bump only for package @commitlint/config-conventional
21.0.2 (2026-05-29)
Note: Version bump only for package @commitlint/config-conventional
21.0.1 (2026-05-12)
Note: Version bump only for package @commitlint/config-conventional
v21.0.2Compare Source
Note: Version bump only for package @commitlint/config-conventional
v21.0.1Compare Source
Note: Version bump only for package @commitlint/config-conventional
v21.0.0Compare Source
BREAKING CHANGES
Co-authored-by: Claude Opus 4.6 (1M context) noreply@anthropic.com
20.5.3 (2026-04-30)
Note: Version bump only for package @commitlint/config-conventional
v20.5.3Compare Source
Note: Version bump only for package @commitlint/config-conventional
v20.5.0Compare Source
Note: Version bump only for package @commitlint/config-conventional
20.4.4 (2026-03-12)
Note: Version bump only for package @commitlint/config-conventional
20.4.3 (2026-03-03)
Bug Fixes
20.4.2 (2026-02-19)
Note: Version bump only for package @commitlint/config-conventional
20.4.1 (2026-02-02)
Note: Version bump only for package @commitlint/config-conventional
v20.4.4Compare Source
Note: Version bump only for package @commitlint/config-conventional
prisma/prisma (@prisma/client)
v7.8.0Compare Source
Today, we are excited to share the
7.8.0stable release 🎉🌟 Star this repo for notifications about new releases, bug fixes & features — or follow us on X!
Highlights
ORM
Features
Prisma Client
queryPlanCacheMaxSizeoption to thePrismaClientconstructor for fine-grained control over the query plan cache. Pass0to disable the cache entirely, or omit it to use the default cache size. A larger value can improve performance in applications that execute many unique queries, while a smaller one can reduce memory usage. (#29503)Bug Fixes
Prisma Client
::jsonbcast when filtering on PostgreSQL JSON list columns. Queries usingwhere: { jsonListField: { equals: [...] } }no longer panic with a type mismatch or emit invalid SQL. (prisma/prisma-engines#5804)mode: insensitive), allowingwhere: { jsonField: { equals: "...", mode: "insensitive" } }to work correctly. (prisma/prisma-engines#5806)@map. (#29422)P2029), which could incorrectly reject or miss over-limit queries. (#29422)VARCHARcasts for parameterized values. (prisma/prisma-engines#5801)Schema Engine
prisma migrate diffthat referenced the--shadow-database-urlCLI flag, which was removed in Prisma 7. (#29455)prisma migrate dev(and shadow database migration replay in general) failing withCREATE INDEX CONCURRENTLY cannot run inside a transaction blockwhen a migration contained concurrent index creation statements on PostgreSQL. (prisma/prisma-engines#5799)pg_catalog.nextval('sequence_name'::regclass)instead of the barenextval(...). Columns backed by sequences now correctly appear as@default(autoincrement())in the Prisma schema in all cases. (prisma/prisma-engines#5802)Driver Adapters
createSavepoint,rollbackToSavepoint,releaseSavepoint) now silently no-op with debug logging instead of executing SQL statements, consistent with how the D1 adapter already treats top-level transactions. (#29499)Open roles at Prisma
Interested in joining Prisma? We're growing and have several exciting opportunities across the company for developers who are passionate about building with Prisma. Explore our open positions on our Careers page and find the role that's right for you.
Enterprise support
Thousands of teams use Prisma and many of them already tap into our Enterprise & Agency Support Program for hands-on help with everything from schema integrations and performance tuning to security and compliance.
With this program you also get priority issue triage and bug fixes, expert scalability advice, and custom training so that your Prisma-powered apps stay rock-solid at any scale. Learn more or join: https://prisma.io/enterprise.
v7.7.0Compare Source
Today, we are excited to share the
7.7.0stable release 🎉🌟 Star this repo for notifications about new releases, bug fixes & features — or follow us on X!
Highlights
ORM
prisma bootstrapcommandA new
prisma bootstrapcommand (#29374, #29424) sequences the full Prisma Postgres setup into a single interactive flow. It detects the current project state and runs only the steps that are needed:prisma init.@prisma/client,prisma, anddotenv.prisma migrate devif the schema contains models.prisma generate.prisma db seedif a seed script is configured.Each side-effecting step prompts for confirmation. Re-running the command skips already-completed steps.
Basic usage
With a starter template
Non-interactive (CI)
Open roles at Prisma
Interested in joining Prisma? We're growing and have several exciting opportunities across the company for developers who are passionate about building with Prisma. Explore our open positions on our Careers page and find the role that's right for you.
Enterprise support
Thousands of teams use Prisma and many of them already tap into our Enterprise & Agency Support Program for hands-on help with everything from schema integrations and performance tuning to security and compliance.
With this program you also get priority issue triage and bug fixes, expert scalability advice, and custom training so that your Prisma-powered apps stay rock-solid at any scale. Learn more or join: https://prisma.io/enterprise.
v7.6.0Compare Source
Today, we are excited to share the
7.6.0stable release 🎉🌟 Star this repo for notifications about new releases, bug fixes & features — or follow us on X!
Highlights
ORM
Features
CLI
prisma postgres linkcommand that connects a local project to a Prisma Postgres database. This is the first command in a newprisma postgrescommand group for managing Prisma Postgres databases directly from the CLI. (#29352)Driver Adapters
statementNameGeneratoroption that accepts a custom prepared statement name generator to allow users to leveragepgstatement caching (#29395)useTextProtocoloption in the constructor to toggle between text and binary protocols (#29392)Bug Fixes
Prisma Client
createManyqueries to avoid cache bloat and potential Node.js crashes in bulk operations (#29382)NowGeneratorlazy to avoid synchronousnew Date()calls, fixing Next.js "dynamic usage" errors in cached components (#28724)Get<Model>GroupByPayloadtype in the newprisma-clientgenerator, making it accessible for TypeScript usage (#29346)CLI
Driver Adapters
@types/pgversion constraint to^8.16.0for compatibility with newer PostgreSQL type definitions (#29390)ColumnNotFounderrors to correctly extract column names from both quoted and unquoted PostgreSQL error messages (#29307)mariadbstatement caching by default to address a reported leak (#29392)Prisma Studio
We’re continuing our work to improve Prisma Studio with more features being added.
Dark Mode
Need we say more? You’ve all asked for it, and it’s back.
dark-mode-studio.mp4
Copy as markdown
Now, you can copy one or more rows as either CSV or Markdown
Multi-cell editing
This is big one, something that folks have been asking for. Now, it’s possible to edit multiple cells while inspecting your database. If you make any changes, you’ll be prompted to either save or discard them. This makes manually adding new rows much easier to accomplish.
Back relations
If your data references another table, Prisma Studio now links to the related records, making it easy to inspect them. This makes traversing your database much simpler.
CleanShot.2026-03-24.at.20.39.01.mp4
Generative SQL with AI
If you need to inspect your database, instead of manually writing the SQL you may need, you can use natural language and AI to generate the appropriate SQL statements.
CleanShot.2026-03-19.at.00.01.53.mp4
Open roles at Prisma
Interested in joining Prisma? We’re growing and have several exciting opportunities across the company for developers who are passionate about building with Prisma. Explore our open positions on our Careers page and find the role that’s right for you.
Enterprise support
Thousands of teams use Prisma and many of them already tap into our Enterprise & Agency Support Program for hands-on help with everything from schema integrations and performance tuning to security and compliance.
With this program you also get priority issue triage and bug fixes, expert scalability advice, and custom training so that your Prisma-powered apps stay rock-solid at any scale. Learn more or join: https://prisma.io/enterprise.
v7.5.0Compare Source
Today, we are excited to share the
7.5.0stable release 🎉🌟 Star this repo for notifications about new releases, bug fixes & features — or follow us on X!
Highlights
ORM
Features
Added support for nested transaction rollbacks via savepoints (#21678)
Adds support for nested transaction rollback behavior for SQL databases: if an outer transaction fails, the inner nested transaction is rolled back as well. Implements this by tracking transaction ID + nesting depth so Prisma can reuse an existing open transaction in the underlying engine, and it also enables using
$transactionfrom an interactive transaction client.Bug fixes
Driver Adapters
adapter-mariadbuse the binary MySQL protocol to fix an issue with lossy number conversions (#29285)@types/pga direct dependency ofadapter-pgfor better TypeScript experience out-of-the-box (#29277)Prisma Client
Prisma.DbNullserializing as empty object in some bundled environments like Next.js (#29286)Invalid Datewithunixepoch-mstimestamps in some cases (#29274)@db.Datecolumns (#29327)Schema Engine
partialIndexespreview feature is disabled, preventing unnecessary drops and additions in migrations (#5790, #5795)uniqueFieldsanduniqueIndexesto prevent incorrectfindUniqueinput type generation (#5792)Studio
With the launch of Prisma ORM v7, we also introduced a rebuilt version of Prisma Studio. With the feedback we’ve gathered since the release, we’ve added some high requested features to help make Studio a better experience.
Multi-cell Selection & Full Table Search
This release brings the ability to select multiple cells when viewing your database. In addition to being able to select multiple cells, you can also search across your database. You can search for a specific table or for specific cells within that table.
More intuitive filtering
Filtering is now easier to use, and includes an option for raw SQL filters.
And if you are using Studio in Console, you can use ai generated filters:

Cmd+k Command Palette
You can now use the keyboard to perform most actions in Studio with the new cmd+k command palette

Run raw SQL queries
Another feature we’ve included in Prisma Studio is the ability to run raw SQL queries against your data. There’s a new “SQL” tab in the sidebar that will bring you to page where you can perform any queries against your data. Below, we’re getting all the rows in the “Todo” table.
Open roles at Prisma
Interested in joining Prisma? We’re growing and have several exciting opportunities across the company for developers who are passionate about building with Prisma. Explore our open positions on our [Careers page](https://www.prisma.io/careers#current) and find the role that’s right for you.
Enterprise support
Thousands of teams use Prisma and many of them already tap into our Enterprise & Agency Support Program for hands-on help with everything from schema integrations and performance tuning to security and compliance.
With this program you also get priority issue triage and bug fixes, expert scalability advice, and custom training so that your Prisma-powered apps stay rock-solid at any scale. Learn more or join: https://prisma.io/enterprise.
v7.4.2Compare Source
Today, we are issuing a 7.4.2 patch release focused on bug fixes and quality improvements.
🛠 Fixes
Prisma Client
INandNOT INfilter regression (#29243)Uint8Arrayserialization in nested JSON fields (#29268)Driver Adapters
relationJoinscompatibility check for MariaDB 8.x versions (#29246Configuration
📅 Schedule: (UTC)
* 0-3 * * 1)🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.