Bump the npm_and_yarn group across 11 directories with 8 updates

[dependabot]

Bumps the npm_and_yarn group with 2 updates in the / directory: picomatch and lodash-es.
Bumps the npm_and_yarn group with 1 update in the /examples/api-routes-apollo-server directory: @apollo/server.
Bumps the npm_and_yarn group with 1 update in the /examples/api-routes-apollo-server-and-client directory: @apollo/server.
Bumps the npm_and_yarn group with 1 update in the /examples/api-routes-apollo-server-and-client-auth directory: @apollo/server.
Bumps the npm_and_yarn group with 1 update in the /examples/cms-payload directory: payload.
Bumps the npm_and_yarn group with 1 update in the /examples/with-electron directory: electron.
Bumps the npm_and_yarn group with 1 update in the /examples/with-electron-typescript directory: electron.
Bumps the npm_and_yarn group with 1 update in the /packages/next directory: picomatch.
Bumps the npm_and_yarn group with 1 update in the /test/integration/with-electron/app directory: electron.
Bumps the npm_and_yarn group with 1 update in the /turbopack/benchmark-apps directory: yaml.
Bumps the npm_and_yarn group with 4 updates in the /turbopack/crates/turbopack-tracing/tests/node-file-trace directory: picomatch, lodash-es, brace-expansion and nodemailer.

Updates picomatch from 4.0.1 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

4.0.3

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144

New Contributors

• @​Jason3S made their first contribution in micromatch/picomatch#144

Full Changelog: micromatch/picomatch@4.0.2...4.0.3

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates lodash-es from 4.17.21 to 4.18.1

Release notes

Sourced from lodash-es's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Updates @apollo/server from 4.13.0 to 5.5.0

Release notes

Sourced from @​apollo/server's releases.

@​apollo/server-integration-testsuite@​5.5.0

Minor Changes

• #8191 ada1200 - ⚠️ SECURITY @apollo/server/standalone:

  Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

  (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

  This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

  If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

  This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

  See advisory GHSA-9q82-xgwf-vj6h for more details.

Patch Changes

• Updated dependencies [ada1200]:
  • @​apollo/server@​5.5.0

@​apollo/server@​5.5.0

Minor Changes

• #8191 ada1200 Thanks @​glasser! - ⚠️ SECURITY @apollo/server/standalone:

  Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

  (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

  This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

  If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

  This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

  See advisory GHSA-9q82-xgwf-vj6h for more details.

@​apollo/server-integration-testsuite@​5.4.0

Patch Changes

• Updated dependencies [d25a5bd]:
  • @​apollo/server@​5.4.0

@​apollo/server@​5.4.0

Minor Changes

• d25a5bd Thanks @​phryneas! - ⚠️ SECURITY @apollo/server/standalone:

... (truncated)

Changelog

Sourced from @​apollo/server's changelog.

5.5.0

Minor Changes

• #8191 ada1200 Thanks @​glasser! - ⚠️ SECURITY @apollo/server/standalone:

  Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

  (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

  This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

  If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

  This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

  See advisory GHSA-9q82-xgwf-vj6h for more details.

5.4.0

Minor Changes

• d25a5bd Thanks @​phryneas! - ⚠️ SECURITY @apollo/server/standalone:

  The default configuration of startStandaloneServer was vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings.

  In accordance with RFC 7159, we now only accept request bodies encoded in UTF-8, UTF-16 (LE or BE), or UTF-32 (LE or BE). Any other character set will be rejected with a 415 Unsupported Media Type error. Note that the more recent JSON RFC, RFC 8259, is more strict and will only allow UTF-8. Since this is a minor release, we have chosen to remain compatible with the more permissive RFC 7159 for now. In a future major release, we may tighten this restriction further to only allow UTF-8.

  If you were not using startStandaloneServer, you were not affected by this vulnerability.

  Generally, please note that we provide startStandaloneServer as a convenience tool for quickly getting started with Apollo Server. For production deployments, we recommend using Apollo Server with a more fully-featured web server framework such as Express, Koa, or Fastify, where you have more control over security-related configuration options.

5.3.0

Minor Changes

• #8062 8e54e58 Thanks @​cristunaranjo! - Allow configuration of graphql execution options (maxCoercionErrors)

  const server = new ApolloServer({
    typeDefs,
    resolvers,
    executionOptions: {
      maxCoercionErrors: 50,
    },

... (truncated)

Commits

• 64c0e1b Version Packages (#8192)
• ada1200 Reject GET requests with a Content-Type other than application/json (#8191)
• ad45d15 Version Packages (#8179)
• d25a5bd Merge commit from fork
• 443e547 fix repository urls
• 28d6d47 Version Packages (#8172)
• 26320bc feat: Allow configuration of graphql validation options #8014
• f2c16a7 bump dependency
• 8e54e58 feat: Allow configuration of graphql execution options(maxCoercionErrors)
• 7be3686 Version Packages (#8163)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​apollo/server since your current version.

Updates @apollo/server from 4.13.0 to 5.5.0

Release notes

Sourced from @​apollo/server's releases.

@​apollo/server-integration-testsuite@​5.5.0

Minor Changes

• #8191 ada1200 - ⚠️ SECURITY @apollo/server/standalone:

  Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

  (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

  This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

  If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

  This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

  See advisory GHSA-9q82-xgwf-vj6h for more details.

Patch Changes

• Updated dependencies [ada1200]:
  • @​apollo/server@​5.5.0

@​apollo/server@​5.5.0

Minor Changes

• #8191 ada1200 Thanks @​glasser! - ⚠️ SECURITY @apollo/server/standalone:

  Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

  (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

  This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

  If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

  This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

  See advisory GHSA-9q82-xgwf-vj6h for more details.

@​apollo/server-integration-testsuite@​5.4.0

Patch Changes

• Updated dependencies [d25a5bd]:
  • @​apollo/server@​5.4.0

@​apollo/server@​5.4.0

Minor Changes

• d25a5bd Thanks @​phryneas! - ⚠️ SECURITY @apollo/server/standalone:

... (truncated)

Changelog

Sourced from @​apollo/server's changelog.

5.5.0

Minor Changes

• #8191 ada1200 Thanks @​glasser! - ⚠️ SECURITY @apollo/server/standalone:

  Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

  (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

  This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

  If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

  This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

  See advisory GHSA-9q82-xgwf-vj6h for more details.

5.4.0

Minor Changes

• d25a5bd Thanks @​phryneas! - ⚠️ SECURITY @apollo/server/standalone:

  The default configuration of startStandaloneServer was vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings.

  In accordance with RFC 7159, we now only accept request bodies encoded in UTF-8, UTF-16 (LE or BE), or UTF-32 (LE or BE). Any other character set will be rejected with a 415 Unsupported Media Type error. Note that the more recent JSON RFC, RFC 8259, is more strict and will only allow UTF-8. Since this is a minor release, we have chosen to remain compatible with the more permissive RFC 7159 for now. In a future major release, we may tighten this restriction further to only allow UTF-8.

  If you were not using startStandaloneServer, you were not affected by this vulnerability.

  Generally, please note that we provide startStandaloneServer as a convenience tool for quickly getting started with Apollo Server. For production deployments, we recommend using Apollo Server with a more fully-featured web server framework such as Express, Koa, or Fastify, where you have more control over security-related configuration options.

5.3.0

Minor Changes

• #8062 8e54e58 Thanks @​cristunaranjo! - Allow configuration of graphql execution options (maxCoercionErrors)

  const server = new ApolloServer({
    typeDefs,
    resolvers,
    executionOptions: {
      maxCoercionErrors: 50,
    },

... (truncated)

Commits

• 64c0e1b Version Packages (#8192)
• ada1200 Reject GET requests with a Content-Type other than application/json (#8191)
• ad45d15 Version Packages (#8179)
• d25a5bd Merge commit from fork
• 443e547 fix repository urls
• 28d6d47 Version Packages (#8172)
• 26320bc feat: Allow configuration of graphql validation options #8014
• f2c16a7 bump dependency
• 8e54e58 feat: Allow configuration of graphql execution options(maxCoercionErrors)
• 7be3686 Version Packages (#8163)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​apollo/server since your current version.

Updates @apollo/server from 4.13.0 to 5.5.0

Release notes

Sourced from @​apollo/server's releases.

@​apollo/server-integration-testsuite@​5.5.0

Minor Changes

• #8191 ada1200 - ⚠️ SECURITY @apollo/server/standalone:

  Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

  (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

  This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

  If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

  This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

  See advisory GHSA-9q82-xgwf-vj6h for more details.

Patch Changes

• Updated dependencies [ada1200]:
  • @​apollo/server@​5.5.0

@​apollo/server@​5.5.0

Minor Changes

• #8191 ada1200 Thanks @​glasser! - ⚠️ SECURITY @apollo/server/standalone:

  Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

  (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

  This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

  If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

  This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

  See advisory GHSA-9q82-xgwf-vj6h for more details.

@​apollo/server-integration-testsuite@​5.4.0

Patch Changes

• Updated dependencies [d25a5bd]:
  • @​apollo/server@​5.4.0

@​apollo/server@​5.4.0

Minor Changes

• d25a5bd Thanks @​phryneas! - ⚠️ SECURITY @apollo/server/standalone:

... (truncated)

Changelog

Sourced from @​apollo/server's changelog.

5.5.0

Minor Changes

• #8191 ada1200 Thanks @​glasser! - ⚠️ SECURITY @apollo/server/standalone:

  Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

  (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

  This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

  If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

  This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

  See advisory GHSA-9q82-xgwf-vj6h for more details.

5.4.0

Minor Changes

• d25a5bd Thanks @​phryneas! - ⚠️ SECURITY @apollo/server/standalone:

  The default configuration of startStandaloneServer was vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings.

  In accordance with RFC 7159, we now only accept request bodies encoded in UTF-8, UTF-16 (LE or BE), or UTF-32 (LE or BE). Any other character set will be rejected with a 415 Unsupported Media Type error. Note that the more recent JSON RFC, RFC 8259, is more strict and will only allow UTF-8. Since this is a minor release, we have chosen to remain compatible with the more permissive RFC 7159 for now. In a future major release, we may tighten this restriction further to only allow UTF-8.

  If you were not using startStandaloneServer, you were not affected by this vulnerability.

  Generally, please note that we provide startStandaloneServer as a convenience tool for quickly getting started with Apollo Server. For production deployments, we recommend using Apollo Server with a more fully-featured web server framework such as Express, Koa, or Fastify, where you have more control over security-related configuration options.

5.3.0

Minor Changes

• #8062 8e54e58 Thanks @​cristunaranjo! - Allow configuration of graphql execution options (maxCoercionErrors)

  const server = new ApolloServer({
    typeDefs,
    resolvers,
    executionOptions: {
      maxCoercionErrors: 50,
    },

... (truncated)

Commits

• 64c0e1b Version Packages (#8192)
• ada1200 Reject GET requests with a Content-Type other than application/json (#8191)
• ad45d15 Version Packages (#8179)
• d25a5bd Merge commit from fork
• 443e547 fix repository urls
• 28d6d47 Version Packages (#8172)
• 26320bc feat: Allow configuration of graphql validation options #8014
• f2c16a7 bump dependency
• 8e54e58 feat: Allow configuration of graphql execution options(maxCoercionErrors)
• 7be3686 Version Packages (#8163)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​apollo/server since your current version.

Updates payload from 1.9.2 to 3.79.1

Release notes

Sourced from payload's releases.

v3.79.1

v3.79.1 (2026-03-16)

🐛 Bug Fixes

• text field validation rejecting localized object values (#15932) (fac59c8)
• use Sec-Fetch-Site header for cookie authentication validation (#15751) (ef507a6)
• improved request origin retrieval (#15919) (f30d34f)
• generate:types inlines all blocks, add forceInlineBlocks property to use in plugin mcp (#15892) (6a9e367)
• update broken custom components docs link in config types jsdoc (#15794) (17aa1b5)
• run sanitizeWhereQuery for join query access result (#15891) (dc049fe)
• early return out of me access (#15883) (c6054c5)
• scope orderable join reordering by parent relation (#15842) (17a0d19)
• stricter input validation (#15868) (e474205)
• drizzle: avoid ts errors for payload generate:db-schema with circular references (#15895) (66a2efa)
• drizzle: error when using contains operator on hasMany select fields (#15865) (fba2438)
• drizzle: correctly apply query limit on polymorphic joins (#15652) (fe36dde)
• plugin-import-export: add space in zh translation for exportDocu… (#15833) (43d5596)
• plugin-mcp: bump @​modelcontextprotocol/sdk from 1.25.2 to 1.27.1 (#15942) (94d2249)
• storage-azure: add stream aborts for error handling and connection closure (#15768) (b2a03c9)
• ui: stale data modal incorrectly shown when user saves their own document (#15933) (a5d9388)
• ui: copy & pasting block content duplicates array items in editor UI (#15941) (9bcedc8)
• ui: deleted array item reappears after reorder with autosave (#15906) (752c15a)
• ui: use consistent empty state styling in relationship table (#15914) (93b90da)
• ui: clicking filtered Combobox entries fails to trigger selection (#15788) (de3e5ae)
• ui: document status shows changed after publishing specific locale (#15765) (b95df0b)
• ui: split only on first colon in toast error messages (#15894) (fd64504)
• ui: block clipboard paste causes duplicate ID errors in Postgres (#15863) (e7d6331)
• ui: monomorphic relationship fields don't support multi-select with in/not_in operators (#15886) (f71ef61)
• ui: equal column widths for block-drawer blocks (#15867) (07f7802)
• ui: isolate join table column preferences from list view (#15846) (649f117)
• ui: falling back to UTC timezones in timezone picker (#15841) (70099b7)

⚡ Performance

• richtext-lexical: 3-15x less main thread blocking via centralized toolbar state (#15832) (2bdf7ce)

📚 Documentation

• correct type name in editMenuItems client component example (#15904) (03b20d0)
• adds req to available args and wraps examples with proper String type conversions in nested-docs (#15931) (d2a0740)
• adds docs for logger config (#15927) (46e43fc)
• fix links to virtual relationship documentation in both Blocks and Array field documentation (#15888) (fff60c8)
• broken anchor link in blocks field table (#15887) (36c051a)
• examples: clarify MongoDB prerequisites in Mongo-backed examples (#15860) (2aa973f)
• plugin-mcp: updates MCP plugin documentation (#15729) (b97b4e7)

🧪 Tests

... (truncated)

Commits

• 25a0e16 chore(release): v3.79.1 [skip ci]
• e474205 fix: stricter input validation (#15868)
• fac59c8 fix: text field validation rejecting localized object values (#15932)
• ef507a6 fix: use Sec-Fetch-Site header for cookie authentication validation (#15751)
• f30d34f fix: improved request origin retrieval (#15919)
• 6a9e367 fix: generate:types inlines all blocks, add forceInlineBlocks property to u...
• 17aa1b5 fix: update broken custom components docs link in config types jsdoc (#15794)
• dc049fe fix: run sanitizeWhereQuery for join query access result (#15891)
• c6054c5 fi...

  Description has been truncated