Skip to content

chore(deps): bump @apollo/gateway from 2.11.2 to 2.13.2#2042

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/apollo/gateway-2.13.2
Open

chore(deps): bump @apollo/gateway from 2.11.2 to 2.13.2#2042
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/apollo/gateway-2.13.2

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 14, 2026

Bumps @apollo/gateway from 2.11.2 to 2.13.2.

Release notes

Sourced from @​apollo/gateway's releases.

@​apollo/gateway@​2.13.1

Patch Changes

  • Allow bumping make-fetch-happen dependency to v15. (#3374)

    This change allows users to upgrade make-fetch-happen to v15, which in turn will allow updating the cacache dependency from v17 to v20, dropping the tar v6 dependency that is marked as vulnerable.

    The only breaking changes in make-fetch-happen from v11 to v15 are removals of support for old end-of-life Node.js versions.

    There is only one note from the 12.0.0 release of make-fetch-happen that might be of interest when considering the upgrade:

    this changes the underlying http agents to those provided by @​npmcli/agent. Backwards compatibility should be fully implemented but due to the scope of this change it was made a breaking change out of an abundance of caution.

    As a result, it should be possible for most users to upgrade from v11 to v15 without any issues.

    We still keep the dependency to v11 as an alternative for people that cannot upgrade to v15 for some reason. This will be removed in a future version of @apollo/gateway.

    Even for users that stay on v11, there should not be any immediate danger. While cacache had tar v6 as a dependency, it actually never used it. It seems that that dependency had become unused at some point but was never removed. So users on make-fetch-happen v11 are not actually affected by the vulnerability in tar v6.

    The dependency might hold the tar package required by other packages back, though. In case an update from v11 to v15 is not possible, users should consider to use the resolution override feature of their package manager to force the dependency from cacache to tar to either be removed or updated to a newer version. As cacache does not actually use tar, this should not cause any issues.

  • Updated dependencies []:

    • @​apollo/composition@​2.13.1
    • @​apollo/federation-internals@​2.13.1
    • @​apollo/query-planner@​2.13.1

@​apollo/gateway@​2.13.0

Minor Changes

  • Drop Node.js 14/16 support, require Node.js 18+ (#3364)

Patch Changes

@​apollo/gateway@​2.13.0-preview.2

Minor Changes

    • Drop Node.js 14/16 support, require Node.js 18+ (#3364)

Patch Changes

... (truncated)

Changelog

Sourced from @​apollo/gateway's changelog.

2.13.2

Patch Changes

  • Fixed several code paths that access response objects to prevent JavaScript prototype pollution and unintended access to the prototype chain. (#3396)

    See the associated GitHub Advisories GHSA-pfjj-6f4p-rvmh for more information.

  • Updated dependencies [84e9226b606b176ede097410f5ba35ba03d140ed]:

    • @​apollo/query-planner@​2.13.2
    • @​apollo/federation-internals@​2.13.2
    • @​apollo/composition@​2.13.2

2.13.1

Patch Changes

  • Allow bumping make-fetch-happen dependency to v15. (#3374)

    This change allows users to upgrade make-fetch-happen to v15, which in turn will allow updating the cacache dependency from v17 to v20, dropping the tar v6 dependency that is marked as vulnerable.

    The only breaking changes in make-fetch-happen from v11 to v15 are removals of support for old end-of-life Node.js versions.

    There is only one note from the 12.0.0 release of make-fetch-happen that might be of interest when considering the upgrade:

    this changes the underlying http agents to those provided by @​npmcli/agent. Backwards compatibility should be fully implemented but due to the scope of this change it was made a breaking change out of an abundance of caution.

    As a result, it should be possible for most users to upgrade from v11 to v15 without any issues.

    We still keep the dependency to v11 as an alternative for people that cannot upgrade to v15 for some reason. This will be removed in a future version of @apollo/gateway.

    Even for users that stay on v11, there should not be any immediate danger. While cacache had tar v6 as a dependency, it actually never used it. It seems that that dependency had become unused at some point but was never removed. So users on make-fetch-happen v11 are not actually affected by the vulnerability in tar v6.

    The dependency might hold the tar package required by other packages back, though. In case an update from v11 to v15 is not possible, users should consider to use the resolution override feature of their package manager to force the dependency from cacache to tar to either be removed or updated to a newer version. As cacache does not actually use tar, this should not cause any issues.

  • Updated dependencies []:

    • @​apollo/composition@​2.13.1
    • @​apollo/federation-internals@​2.13.1
    • @​apollo/query-planner@​2.13.1

2.13.0

Minor Changes

  • Drop Node.js 14/16 support, require Node.js 18+ (#3364)

Patch Changes

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by dkuc, a new releaser for @​apollo/gateway since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump @apollo/gateway from 2.11.2 to 2.13.2
97578f6 
Bumps [@apollo/gateway](https://github.com/apollographql/federation/tree/HEAD/gateway-js) from 2.11.2 to 2.13.2.
- [Release notes](https://github.com/apollographql/federation/releases)
- [Changelog](https://github.com/apollographql/federation/blob/main/gateway-js/CHANGELOG.md)
- [Commits](https://github.com/apollographql/federation/commits/@apollo/gateway@2.13.2/gateway-js)

---
updated-dependencies:
- dependency-name: "@apollo/gateway"
  dependency-version: 2.13.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Mar 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants