Skip to content

Update dependency @apollo/gateway to v2 [SECURITY] #201

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update dependency @apollo/gateway to v2 [SECURITY] #201

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Apr 7, 2025
edited
Loading

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

Package Change Age Confidence
@apollo/gateway (source) ^0.29.0 -> ^2.0.0 age confidence

GitHub Vulnerability Alerts

CVE-2025-32030

Impact

Summary

A vulnerability in Apollo Gateway allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically during named fragment expansion. This could lead to excessive resource consumption and denial of service.

Details

Named fragments were being expanded once per fragment spread during query planning, leading to exponential resource usage when deeply nested and reused fragments were involved.

Fix/Mitigation

A new Query Fragment Expansion Limit metric has been introduced:

  • This metric computes the number of selections a query would have if its fragment spreads were fully expanded.
  • The metric is checked against a limit to prevent excessive computation.

Patches

This has been remediated in @apollo/gateway version 2.10.1.

Workarounds

No known direct workarounds exist.

References

Query Planning Documentation

Acknowledgements

We appreciate the efforts of the security community in identifying and improving the performance and security of query planning mechanisms.

CVE-2025-32031

Impact

Summary

A vulnerability in Apollo Gateway allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically due to internal optimizations being frequently bypassed. This could lead to excessive resource consumption and denial of service.

Details

The query planner includes an optimization that significantly speeds up planning for applicable GraphQL selections. However, queries with deeply nested and reused named fragments can generate many selections where this optimization does not apply, leading to significantly longer planning times. Because the query planner does not enforce a timeout, a small number of such queries can render gateway inoperable.

Fix/Mitigation

  • A new Query Optimization Limit metric has been added:
    • This metric approximates the number of selections that cannot be skipped by the existing optimization.
    • The metric is checked against a limit to prevent excessive computation.

Given the complexity of query planning optimizations, we will continue refining these solutions based on real-world performance and accuracy tests.

Patches

This has been remediated in @apollo/gateway version 2.10.1.

Workarounds

No known direct workarounds exist.

References

Query Planning Documentation

Acknowledgements

We appreciate the efforts of the security community in identifying and improving the performance and security of query planning mechanisms.

Release Notes

apollographql/federation (@​apollo/gateway)

v2.10.1

Compare Source

Patch Changes

v2.10.0

Compare Source

Patch Changes

v2.9.3

Compare Source

Patch Changes

v2.9.2

Compare Source

Patch Changes

v2.9.1

Compare Source

Patch Changes

v2.9.0

Compare Source

Patch Changes

v2.8.5

Compare Source

v2.8.4

Compare Source

Patch Changes

v2.8.3

Compare Source

Patch Changes

v2.8.2

Compare Source

Patch Changes

v2.8.1

Compare Source

Patch Changes

v2.8.0

Compare Source

Minor Changes

  • Implement new directives to allow getting and setting context. This allows resolvers to reference and access data referenced by entities that exist in the GraphPath that was used to access the field. The following example demonstrates the ability to access the prop field within the Child resolver. (#​2988)

    type Query {
  p: Parent!
}
type Parent @​key(fields: "id") @​context(name: "context") {
  id: ID!
  child: Child!
  prop: String!
}
type Child @​key(fields: "id") {
  id: ID!
  b: String!
  field(a: String @​fromContext(field: "$context { prop }")): Int!
}
Patch Changes

v2.7.8

Compare Source

Patch Changes

v2.7.7

Compare Source

Patch Changes

v2.7.6

Compare Source

Patch Changes

v2.7.5

Compare Source

Patch Changes

v2.7.4

Compare Source

Patch Changes

v2.7.3

Compare Source

Patch Changes

v2.7.2

Compare Source

Patch Changes

v2.7.1

Compare Source

Patch Changes

v2.7.0

Compare Source

Minor Changes

  • Implement progressive @override functionality (#​2911)

    The progressive @override feature brings a new argument to the @override directive: label: String. When a label is added to an @override application, the override becomes conditional, depending on parameters provided to the query planner (a set of which labels should be overridden). Note that this feature will be supported in router for enterprise users only.

    Out-of-the-box, the router will support a percentage-based use case for progressive @override. For example:

    type Query {
  hello: String @​override(from: "original", label: "percent(5)")
}

    The above example will override the root hello field from the "original" subgraph 5% of the time.

    More complex use cases will be supported by the router via the use of coprocessors/rhai to resolve arbitrary labels to true/false values (i.e. via a feature flag service).

Patch Changes

v2.6.3

Compare Source

Patch Changes

v2.6.2

Compare Source

Patch Changes

v2.6.1

Compare Source

Patch Changes

v2.6.0

Compare Source

Minor Changes

  • Add more information to OpenTelemetry spans. (#​2700)

    Rename operationName to graphql.operation.name and add a
    graphql.operation.type attribute, in conformance with the OpenTelemetry
    Semantic Conventions for GraphQL. The operationName attribute is now
    deprecated, but it is still emitted alongside graphql.operation.name.

    Add a graphql.document span attribute to the gateway.request span,
    containing the entire GraphQL source sent in the request. This feature
    is disable by default.

    When one or more GraphQL or internal errors occur, report them in the
    OpenTelemetry span in which they took place, as an exception event. This
    feature is disabled by default.

    To enable the graphql.document span attribute and the exception event
    reporting, add the following entries to your ApolloGateway instance
    configuration:

    const gateway = new ApolloGateway({
  // ...
  telemetry: {
    // Set to `true` to include the `graphql.document` attribute
    includeDocument: true,
    // Set to `true` to report all exception events, or set to a number
    // to report at most that number of exception events per span
    reportExceptions: true,
    // or: reportExceptions: 1
  },
});

  • Update license field in package.json to use Elastic-2.0 SPDX identifier (#​2741)

  • Introduce the new @policy scope for composition (#​2818)

    Note that this directive will only be fully supported by the Apollo Router as a GraphOS Enterprise feature at runtime. Also note that composition of valid @policy directive applications will succeed, but the resulting supergraph will not be executable by the Gateway or an Apollo Router which doesn't have the GraphOS Enterprise entitlement.

    Users may now compose @policy applications from their subgraphs into a supergraph.

    The directive is defined as follows:

    scalar federation__Policy

directive @​policy(
  policies: [[federation__Policy!]!]!
) on FIELD_DEFINITION | OBJECT | INTERFACE | SCALAR | ENUM

    The Policy scalar is effectively a String, similar to the FieldSet type.

    In order to compose your @policy usages, you must update your subgraph's federation spec version to v2.6 and add the @policy import to your existing imports like so:

    @​link(url: "https://specs.apollo.dev/federation/v2.6", import: [..., "@​policy"])

  • Add graphql.operation.name attribute on gateway.plan span (#​2807)

Patch Changes

v2.5.7

Compare Source

Patch Changes

v2.5.6

Compare Source

Patch Changes

v2.5.5

Compare Source

Patch Changes

  • Fix specific case for requesting __typename on interface entity type (#​2775)

    In certain cases, when resolving a __typename on an interface entity (due to it actual being requested in the operation), that fetch group could previously be trimmed / treated as useless. At a glance, it appears to be a redundant step, i.e.:

    { ... on Product { __typename id }} => { ... on Product { __typename} }

    It's actually necessary to preserve this in the case that we're coming from an interface object to an (entity) interface so that we can resolve the concrete __typename correctly.

  • Don't preserve useless fetches which downgrade __typename from a concrete type back to its interface type. (#​2778)

    In certain cases, the query planner was preserving some fetches which were "useless" that would rewrite **typename from its already-resolved concrete type back to its interface type. This could result in (at least) requested fields being "filtered" from the final result due to the interface's **typename in the data where the concrete type's __typename was expected.

    Specifically, the solution was compute the path between newly created groups and their parents when we know that it's trivial ([]). Further along in the planning process, this allows to actually remove the known-useless group.

  • Propagate type information when renaming entity fields (#​2776)

    Aliased entity fields might have been incorrectly overwritten if multiple fields/aliases shared the same name. Query planner automatically renames conflicting fields to ensure we can always generate a valid GraphQL query. The underlying issue was that this key rewriting logic was assuming the same type of an object. In case of entity queries asking for those aliased fields, we ended up always attempting to apply field renaming logic regardless, whether or not a given entity was of the correct type. This fix ensures that the query planner logic correctly accounts for the object type when applying field renaming logic.

  • Updated dependencies [66d7e4ce, a37bbbf6]:

v2.5.4

Compare Source

Patch Changes

  • Adds header to change the format of exposed query plans, and allows formatting it as json. (#​2724)

    When the gateway is configured to allow it, adding the Apollo-Query-Plan-Experimental header to a request already allowed a "prettified" text version of the query plan used for the query is returned in the response extension. This changes adds support for a new (optional) accompanying header, Apollo-Query-Plan-Experimental-Format, which can be set to the value "internal" to have the query plan returned as a json object (that correspond to the internal representation of that query plan) instead of the text version otherwise sent. Note that if that new header is not provided, then the query plan continues to be send in the previous prettified text version.

  • Fix some potentially incorrect query plans with @requires when some dependencies are involved. (#​2726)

    In some rare case of @requires, an over-eager optimisation was incorrectly considering that
    a dependency between 2 subgraph fetches was unnecessary, leading to doing 2 subgraphs queries
    in parallel when those should be done sequentially (because the 2nd query rely on results
    from the 1st one). This effectively resulted in the required fields not being provided (the
    consequence of which depends a bit on the resolver detail, but if the resolver expected
    the required fields to be populated (as they should), then this could typically result
    in a message of the form GraphQLError: Cannot read properties of null).

  • Updated dependencies [203b0a44]:

v2.5.3

Compare Source

Patch Changes

v2.5.2

Compare Source

Patch Changes

  • Remove extraneous call to span.setStatus() on a span which has already ended. (#​2697)

    In cases where a subgraph responded with an error, we would sometimes try to set
    the status of a span which had already ended. This resulted in a warning log to
    the console (but no effect otherwise). This warning should no longer happen.

  • Fix fallbackPollIntervalInMs behavior. (#​2709)

    The fallbackPollIntervalInMs serves 2 purposes:

    • it allows users to provide an Uplink poll interval if Uplink doesn't provide one
    • it allows users to use a longer poll interval that what's prescribed by Uplink

    The second bullet is how the configuration option is documented, but not how it was previously implemented. This change corrects the behavior to respect this configuration if it's provided AND is longer than the Uplink interval.

  • Updated dependencies [35179f08]:

v2.5.1

Compare Source

Patch Changes

  • Reapply #​2639: (#​2687)

    Try reusing named fragments in subgraph fetches even if those fragment only apply partially to the subgraph. Before this change, only named fragments that were applying entirely to a subgraph were tried, leading to less reuse that expected. Concretely, this change can sometimes allow the generation of smaller subgraph fetches.

    Additionally, resolve a bug which surfaced in the fragment optimization logic which could result in invalid/incorrect optimizations / fragment reuse.

  • Updated dependencies [b9052fdd]:

v2.5.0

Compare Source

Minor Changes

  • Do not run the full suite of graphQL validations on supergraphs and their extracted subgraphs by default in production environment. (#​2657)

    Running those validations on every updates of the schema takes a non-negligible amount of time (especially on large
    schema) and mainly only serves in catching bugs early in the supergraph handling code, and in some limited cases,
    provide slightly better messages when a corrupted supergraph is received, neither of which is worth the cost in
    production environment.

    A new validateSupergraph option is also introduced in the gateway configuration to force this behaviour.

  • Support responses from subgraphs which use the application/graphql-response+json content-type header. (#​2162)

    See graphql-over-http spec for more details:
    https://graphql.github.io/graphql-over-http/draft/#sec-application-graphql-response-json

  • Introduce the new @authenticated directive for composition (#​2644)

    Note that this directive will only be fully supported by the Apollo Router as a GraphOS Enterprise feature at runtime. Also note that composition of valid @authenticated directive applications will succeed, but the resulting supergraph will not be executable by the Gateway or an Apollo Router which doesn't have the GraphOS Enterprise entitlement.

    Users may now compose @authenticated applications from their subgraphs into a supergraph. This addition will support a future version of Apollo Router that enables authenticated access to specific types and fields via directive applications.

    The directive is defined as follows:

    directive @​authenticated on FIELD_DEFINITION | OBJECT | INTERFACE | SCALAR | ENUM

    In order to compose your @authenticated usages, you must update your subgraph's federation spec version to v2.5 and add the @authenticated import to your existing imports like so:

    @​link(url: "https://specs.apollo.dev/federation/v2.5", import: [..., "@​authenticated"])

  • Introduce the new @requiresScopes directive for composition (#​2649)

    Note that this directive will only be fully supported by the Apollo Router as a GraphOS Enterprise feature at runtime. Also note that composition of valid @requiresScopes directive applications will succeed, but the resulting supergraph will not be executable by the Gateway or an Apollo Router which doesn't have the GraphOS Enterprise entitlement.

    Users may now compose @requiresScopes applications from their subgraphs into a supergraph. This addition will support a future version of Apollo Router that enables scoped access to specific types and fields via directive applications.

    The directive is defined as follows:

    scalar federation__Scope

directive @​requiresScopes(
  scopes: [federation__Scope!]!
) on FIELD_DEFINITION | OBJECT | INTERFACE | SCALAR | ENUM

    The Scope scalar is effectively a String, similar to the FieldSet type.

    In order to compose your @requiresScopes usages, you must update your subgraph's federation spec version to v2.5 and add the @requiresScopes import to your existing imports like so:

    @​link(url: "https://specs.apollo.dev/federation/v2.5", import: [..., "@​requiresScopes"])
Patch Changes

v2.4.13

Compare Source

Patch Changes

v2.4.12

Compare Source

Patch Changes

  • Remove extraneous call to span.setStatus() on a span which has already ended. (#​2717)

    In cases where a subgraph responded with an error, we would sometimes try to set
    the status of a span which had already ended. This resulted in a warning log to
    the console (but no effect otherwise). This warning should no longer happen.

  • Fix fallbackPollIntervalInMs behavior. (#​2717)

    The fallbackPollIntervalInMs serves 2 purposes:

    • it allows users to provide an Uplink poll interval if Uplink doesn't provide one
    • it allows users to use a longer poll interval that what's prescribed by Uplink

    The second bullet is how the configuration option is documented, but not how it was previously implemented. This change corrects the behavior to respect this configuration if it's provided AND is longer than the Uplink interval.

  • Updated dependencies [693c2433]:

v2.4.11

Compare Source

Patch Changes

  • Reapply #​2639: (#​2684)

    Try reusing named fragments in subgraph fetches even if those fragment only apply partially to the subgraph. Before this change, only named fragments that were applying entirely to a subgraph were tried, leading to less reuse that expected. Concretely, this change can sometimes allow the generation of smaller subgraph fetches.

    Additionally, resolve a bug which surfaced in the fragment optimization logic which could result in invalid/incorrect optimizations / fragment reuse.

  • Updated dependencies [a740e071]:

v2.4.10

Compare Source

Patch Changes

v2.4.9

Compare Source

Patch Changes

v2.4.8

Compare Source

Patch Changes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-apollo-gateway-vulnerability branch 2 times, most recently from f281345 to e2ef4af Compare August 13, 2025 17:08
@renovate renovate bot force-pushed the renovate/npm-apollo-gateway-vulnerability branch from e2ef4af to c850d7d Compare August 19, 2025 12:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants