| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| @apollo_server@5.5.0 source code.tar.gz | 2026-03-24 | 2.4 MB | |
| @apollo_server@5.5.0 source code.zip | 2026-03-24 | 2.6 MB | |
| README.md | 2026-03-24 | 1.9 kB | |
| Totals: 3 Items | | 4.9 MB | 0 |
Minor Changes

- #8191 ada1200 Thanks @glasser! - ⚠️ SECURITY `@apollo/server/standalone`: Apollo Server now rejects GraphQL `GET` requests which contain a `Content-Type` header other than `application/json` (with optional parameters such as `; charset=utf-8`). Any other value is now rejected with a 415 status code. (GraphQL `GET` requests without a `Content-Type` header are still allowed, though they do still need to contain a non-empty `X-Apollo-Operation-Name` or `Apollo-Require-Preflight` header to be processed if the default CSRF prevention feature is enabled.)

  This improvement makes Apollo Server's CSRF prevention more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which, as of March 2026, has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates it.

  If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

  This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which send non-empty `Content-Type` headers with `GET` requests using types other than `application/json`. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release. See advisory GHSA-9q82-xgwf-vj6h for more details.
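The rule described in the change above, as an added worked example that is not Apollo Server's own code: a small JavaScript model of how a GraphQL `GET` request is accepted or rejected in v5.5.0, combined with the existing default CSRF-prevention header check. The 415 status comes from the release note; the 400 status used here for a CSRF-prevention rejection, the treatment of an empty `Content-Type` value as absent, and the case-insensitive media-type comparison are assumptions made for this example. The `checkGetRequest` and `mediaType` names and the sample requests at the bottom are constructed for the example.

```javascript
// Added example, not Apollo Server's code: a model of the v5.5.0 rule for
// GraphQL GET requests plus the default CSRF-prevention header check.
// 415 is from the release note; 400 for a CSRF-prevention rejection is assumed.

// Extract the media type from a Content-Type value, dropping parameters such
// as "; charset=utf-8". Media types are case-insensitive, so normalize.
function mediaType(contentType) {
  return contentType.split(';')[0].trim().toLowerCase();
}

// Header names (from the release note) whose presence the default CSRF
// prevention accepts as evidence that a browser would have sent a preflight.
// Callers pass a map keyed by lowercase header name.
const PREFLIGHT_HEADERS = ['x-apollo-operation-name', 'apollo-require-preflight'];

// Decide whether a GraphQL GET request may be processed.
// Returns { status: 200 } when accepted, or { status, reason } when rejected.
function checkGetRequest(headers, { csrfPrevention = true } = {}) {
  const ct = headers['content-type'];

  // Assumption: an empty Content-Type value is treated like a missing header.
  if (typeof ct === 'string' && ct !== '') {
    if (mediaType(ct) !== 'application/json') {
      // v5.5.0 behaviour: any non-JSON Content-Type on GET is rejected outright,
      // regardless of which other headers are present.
      return { status: 415, reason: `unsupported Content-Type on GET: ${ct}` };
    }
    // application/json is not a CORS-safelisted Content-Type, so a
    // spec-compliant browser must obtain a successful preflight before
    // sending it cross-origin; the request is therefore treated as preflighted.
    return { status: 200 };
  }

  // No Content-Type: fall back to the pre-existing CSRF-prevention rule, which
  // requires one of the custom headers to be present and non-empty.
  if (csrfPrevention) {
    const hasPreflightHeader = PREFLIGHT_HEADERS.some(
      (name) => typeof headers[name] === 'string' && headers[name].length > 0,
    );
    if (!hasPreflightHeader) {
      return { status: 400, reason: 'blocked as a potential CSRF' };
    }
  }
  return { status: 200 };
}

// Constructed sample requests (not captured traffic) and a stand-alone run.
const SAMPLE_REQUESTS = [
  { label: 'JSON with charset', headers: { 'content-type': 'application/json; charset=utf-8' } },
  { label: 'text/plain (safelisted, no preflight)', headers: { 'content-type': 'text/plain' } },
  { label: 'no Content-Type, operation name set', headers: { 'x-apollo-operation-name': 'GetUser' } },
  { label: 'no Content-Type, no custom header', headers: {} },
];

function evaluateSamples() {
  return SAMPLE_REQUESTS.map(({ label, headers }) => ({
    label,
    ...checkGetRequest(headers),
  }));
}

for (const result of evaluateSamples()) {
  console.log(`${result.status}  ${result.label}${result.reason ? `  (${result.reason})` : ''}`);
}
```

The reason `application/json` is the one value allowed through is that it is not a CORS-safelisted `Content-Type`; `text/plain`, `multipart/form-data` and `application/x-www-form-urlencoded` are, so a browser sends a cross-origin request carrying one of them without any preflight, and a server that relied only on the custom-header rule would have to trust the browser to apply the safelist exactly as specified. Rejecting everything but JSON removes that dependency on browser behaviour, which is the hardening the note describes.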