build(deps-dev): bump the graphql group across 1 directory with 3 updates

[dependabot]

Bumps the graphql group with 3 updates in the / directory: @apollo/server, graphql and mercurius.

Updates @apollo/server from 5.3.0 to 5.4.0

Release notes

Sourced from @​apollo/server's releases.

@​apollo/server-integration-testsuite@​5.4.0

Patch Changes

• Updated dependencies [d25a5bd]:
  • @​apollo/server@​5.4.0

@​apollo/server@​5.4.0

Minor Changes

• d25a5bd Thanks @​phryneas! - ⚠️ SECURITY @apollo/server/standalone:

  The default configuration of startStandaloneServer was vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings.

  In accordance with RFC 7159, we now only accept request bodies encoded in UTF-8, UTF-16 (LE or BE), or UTF-32 (LE or BE). Any other character set will be rejected with a 415 Unsupported Media Type error. Note that the more recent JSON RFC, RFC 8259, is more strict and will only allow UTF-8. Since this is a minor release, we have chosen to remain compatible with the more permissive RFC 7159 for now. In a future major release, we may tighten this restriction further to only allow UTF-8.

  If you were not using startStandaloneServer, you were not affected by this vulnerability.

  Generally, please note that we provide startStandaloneServer as a convenience tool for quickly getting started with Apollo Server. For production deployments, we recommend using Apollo Server with a more fully-featured web server framework such as Express, Koa, or Fastify, where you have more control over security-related configuration options.

Changelog

Sourced from @​apollo/server's changelog.

5.4.0

Minor Changes

• d25a5bd Thanks @​phryneas! - ⚠️ SECURITY @apollo/server/standalone:

  The default configuration of startStandaloneServer was vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings.

  In accordance with RFC 7159, we now only accept request bodies encoded in UTF-8, UTF-16 (LE or BE), or UTF-32 (LE or BE). Any other character set will be rejected with a 415 Unsupported Media Type error. Note that the more recent JSON RFC, RFC 8259, is more strict and will only allow UTF-8. Since this is a minor release, we have chosen to remain compatible with the more permissive RFC 7159 for now. In a future major release, we may tighten this restriction further to only allow UTF-8.

  If you were not using startStandaloneServer, you were not affected by this vulnerability.

  Generally, please note that we provide startStandaloneServer as a convenience tool for quickly getting started with Apollo Server. For production deployments, we recommend using Apollo Server with a more fully-featured web server framework such as Express, Koa, or Fastify, where you have more control over security-related configuration options.

Commits

• ad45d15 Version Packages (#8179)
• d25a5bd Merge commit from fork
• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​apollo/server since your current version.

Updates graphql from 16.12.0 to 16.13.1

Release notes

Sourced from graphql's releases.

v16.13.1 (2026-03-04)

First 16.x.x release with trusted publishing and provenance, see: https://docs.npmjs.com/trusted-publishers for additional information.

Docs 📝

• #4433 docs: move migrate from express graphql guide to graphqlJS docs (@​sarahxsanders)

Internal 🏠

• #4608 internal: backport new release flow from 17.x.x (@​yaacovCR)
• #4610 internal: pin node version for release action (@​yaacovCR)

Committers: 2

• Sarah Sanders(@​sarahxsanders)
• Yaacov Rydzinski (@​yaacovCR)

16.13.0

v16.13.0 (2026-02-24)

New Feature 🚀

• #4458 Sibling errors should not be added after propagation (@​yaacovCR)

Bug Fix 🐞

• #4336 add deprecated note to assertValidExecutionArguments (@​yaacovCR)
• #4517 fix(validation): incorrect validation errors when variable descriptions are used (@​phryneas)

Internal 🏠

• #4506 Version packages (@​JoviDeCroock)
• #4514 chore: always ignore scripts (@​benjie)
• #4524 update contributing (@​yaacovCR)

Committers: 4

• Benjie(@​benjie)
• Jovi De Croock(@​JoviDeCroock)
• Lenz Weber-Tronic(@​phryneas)
• Yaacov Rydzinski (@​yaacovCR)

Commits

• 3b5c3f9 internal: pin node version for release action (#4610)
• 6dee435 chore(release): v16.13.1 (#4609)
• c2ad5c6 internal: backport new release flow from 17.x.x (#4608)
• adff4e6 docs: move migrate from express graphql guide to graphqlJS docs (#4433)
• 7569989 16.13.0
• 49450d8 Revert "deprecate (internal) buildResolveInfo in favor of (internal) ResolveI...
• 4149722 deprecate (internal) buildResolveInfo in favor of (internal) ResolveInfo clas...
• 4c057eb add deprecated note to assertValidExecutionArguments (#4336)
• 3f8f27a fix(validation): incorrect validation errors when variable descriptions are u...
• b34a4cd update contributing (#4524)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for graphql since your current version.

Updates mercurius from 16.7.0 to 16.8.0

Release notes

Sourced from mercurius's releases.

v16.8.0

⚠️ Security Release

• Fixes "queryDepth limit bypassed for WebSocket subscriptions" GHSA-m4h2-mjfm-mp55 CVE-2026-30241

What's Changed

• chore: remove tests-checker workflow by @​Tony133 in mercurius-js/mercurius#1207
• build(deps): bump actions/setup-node from 6.1.0 to 6.2.0 by @​dependabot[bot] in mercurius-js/mercurius#1208

Full Changelog: mercurius-js/mercurius@v16.7.0...v16.8.0

Commits

• 0e16af4 Bumped v16.8.0
• 5b56f60 Merge commit from fork
• 249809a build(deps): bump actions/setup-node from 6.1.0 to 6.2.0 (#1208)
• b39878a chore: remove tests-checker workflow (#1207)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions