chore(deps): update renovate dependency scan (major)

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence	Type	Update
@apollo/client (source)	3.9.4 → 4.1.6					dependencies	major
@opentelemetry/exporter-zipkin (source)	^1.0.0 → ^2.0.0					dependencies	major
@rollup/plugin-commonjs (source)	^25.0.0 → ^29.0.0					devDependencies	major
@rollup/plugin-node-resolve (source)	^15.0.0 → ^16.0.0					devDependencies	major
@testing-library/react	14.2.1 → 16.3.2					dependencies	major
@types/node (source)	20.11.17 → 25.3.0					devDependencies	major
actions/checkout	v4 → v6					action	major
babel-jest (source)	29.7.0 → 30.2.0					devDependencies	major
bcryptjs	^2.4.3 → ^3.0.0					dependencies	major
body-parser	^1.19.0 → ^2.0.0					dependencies	major
body-parser	^1.19.0 → ^2.0.0					dependencies	major
chai (source)	^5.0.0 → ^6.0.0					devDependencies	major
dotenv	^16.0.0 → ^17.0.0					dependencies	major
expect (source)	29.7.0 → 30.2.0					devDependencies	major
express (source)	^4.17.1 → ^5.0.0					dependencies	major
express (source)	^4.19.2 → ^5.0.0					dependencies	major
express (source)	4.18.2 → 5.2.1					dependencies	major
express (source)	^4.17.1 → ^5.0.0					dependencies	major
firebase (source, changelog)	^10.0.0 → ^12.0.0					dependencies	major
font-awesome (source)	6.5.1 → 7.0.1						major
github/codeql-action	v3 → v4					action	major
http-proxy-middleware	2.0.6 → 3.0.5					dependencies	major
lint-staged	^15.0.0 → ^16.0.0					devDependencies	major
lowdb	6.0.0 → 7.0.1					dependencies	major
mocha (source)	10.3.0 → 11.7.5					devDependencies	major
mocha (source)	^10.0.0 → ^11.0.0					devDependencies	major
mongodb	^6.0.0 → ^7.0.0					dependencies	major
mongoose (source)	^8.0.0 → ^9.0.0					dependencies	major
mongoose (source)	^8.1.3 → ^9.0.0					dependencies	major
node (source)	20.11.0 → 24.13.1					engines	major
p5 (source)	^1.9.4 → ^2.0.0					dependencies	major
properties-reader	^2.2.0 → ^3.0.0					devDependencies	major
react (source)	18.2.0 → 19.2.4					dependencies	major
react-dom (source)	18.2.0 → 19.2.4					dependencies	major
react-router-dom (source)	6.22.0 → 7.13.1					dependencies	major
rewire	7.0.0 → 9.0.1					devDependencies	major
sirv-cli	^2.0.0 → ^3.0.0					dependencies	major
supertest	6.3.4 → 7.2.2					devDependencies	major
svelte (source)	^4.0.0 → ^5.0.0					devDependencies	major
unique-random	^3.0.0 → ^4.0.0					dependencies	major
uuid	^9.0.0 → ^13.0.0					dependencies	major
yargs (source)	^17.1.0 → ^18.0.0					dependencies	major

---

Release Notes

apollographql/apollo-client (@​apollo/client)

v4.1.6

Compare Source

Patch Changes

• #​13128 6c0b8e4 Thanks @​pavelivanov! - Fix useQuery hydration mismatch when ssr: false and skip: true are used together

  When both options were combined, the server would return loading: false (because useSSRQuery checks skip first), but the client's getServerSnapshot was returning ssrDisabledResult with loading: true, causing a hydration mismatch.

v4.1.5

Compare Source

Patch Changes

• #​13155 3ba1583 Thanks @​jerelmiller! - Fix an issue where useQuery would poll with pollInterval when skip was initialized to true.

• #​13135 fd42142 Thanks @​jerelmiller! - Fix issue where client.query would apply options from defaultOptions.watchQuery.

v4.1.4

Compare Source

Patch Changes

• #​13124 578081f Thanks @​Re-cool! - Ensure PersistedQueryLink merges http and fetchOptions context values instead of overwriting them.

v4.1.3

Compare Source

Patch Changes

• #​13111 bf46fe0 Thanks @​RogerHYang! - Fix createFetchMultipartSubscription to support cancellation via AbortController

  Previously, calling dispose() or unsubscribe() on a subscription created by createFetchMultipartSubscription had no effect - the underlying fetch request would continue running until completion. This was because no AbortController was created or passed to fetch(), and no cleanup function was returned from the Observable.

v4.1.2

Compare Source

Patch Changes

• #​13105 8b62263 Thanks @​phryneas! - ssrMode, ssrForceFetchDelay or prioritizeCacheValues should not override fetchPolicy: 'cache-only', fetchPolicy: 'no-cache', fetchPolicy: 'standby', skip: true, or skipToken when reading the initial value of an ObservableQuery.

• #​13105 8b62263 Thanks @​phryneas! - Fix skipToken in useQuery with prerenderStatic and related SSR functions.

• #​13105 8b62263 Thanks @​phryneas! - Avoid fetches with fetchPolicy: no-cache in useQuery with prerenderStatic and related SSR functions.

v4.1.1

Compare Source

Patch Changes

• #​13103 dee7dcf Thanks @​jerelmiller! - Ensure @client fields that are children of aliased server fields are resolved correctly.

v4.1.0

Compare Source

Minor Changes

• #​13043 65e66ca Thanks @​jerelmiller! - Support headers transport for enhanced client awareness.

• #​12927 785e223 Thanks @​jerelmiller! - You can now provide a callback function as the context option on the mutate function returned by useMutation. The callback function is called with the value of the context option provided to the useMutation hook. This is useful if you'd like to merge the context object provided to the useMutation hook with a value provided to the mutate function.

  function MyComponent() {
    const [mutate, result] = useMutation(MUTATION, {
      context: { foo: true },
    });
  
    async function runMutation() {
      await mutate({
        // sends context as { foo: true, bar: true }
        context: (hookContext) => ({ ...hookContext, bar: true }),
      });
    }
  
    // ...
  }

• #​12923 94ea3e3 Thanks @​jerelmiller! - Fix an issue where deferred payloads that returned arrays with fewer items than the original cached array would retain items from the cached array. This change includes @stream arrays where stream arrays replace the cached arrays.

• #​12927 96b531f Thanks @​jerelmiller! - Don't set the fallback value of a @client field to null when a read function is defined. Instead the read function will be called with an existing value of undefined to allow default arguments to be used to set the returned value.

  When a read function is not defined nor is there a defined resolver for the field, warn and set the value to null only in that instance.

• #​12927 45ebb52 Thanks @​jerelmiller! - Add support for from: null in client.watchFragment and cache.watchFragment. When from is null, the emitted result is:

  {
    data: null,
    dataState: "complete",
    complete: true,
  }

• #​12926 2b7f2c1 Thanks @​jerelmiller! - Support the newer incremental delivery format for the @defer directive implemented in graphql@17.0.0-alpha.9. Import the GraphQL17Alpha9Handler to use the newer incremental delivery format with @defer.

  import { GraphQL17Alpha9Handler } from "@​apollo/client/incremental";
  
  const client = new ApolloClient({
    // ...
    incrementalHandler: new GraphQL17Alpha9Handler(),
  });

  [!NOTE]
  In order to use the GraphQL17Alpha9Handler, the GraphQL server MUST implement the newer incremental delivery format. You may see errors or unusual behavior if you use the wrong handler. If you are using Apollo Router, continue to use the Defer20220824Handler because Apollo Router does not yet support the newer incremental delivery format.

• #​12927 45ebb52 Thanks @​jerelmiller! - Add support for arrays with useFragment, useSuspenseFragment, and client.watchFragment. This allows the ability to use a fragment to watch multiple entities in the cache. Passing an array to from will return data as an array where each array index corresponds to the index in the from array.

  function MyComponent() {
    const result = useFragment({
      fragment,
      from: [item1, item2, item3],
    });
  
    // `data` is an array with 3 items
    console.log(result); // { data: [{...}, {...}, {...}], dataState: "complete", complete: true }
  }

• #​12927 45ebb52 Thanks @​jerelmiller! - Add a getCurrentResult function to the observable returned by client.watchFragment and cache.watchFragment that returns the current value for the watched fragment.

  const observable = client.watchFragment({
    fragment,
    from: { __typename: "Item", id: 1 },
  });
  
  console.log(observable.getCurrentResult());
  // {
  //   data: {...},
  //   dataState: "complete",
  //   complete: true,
  // }

• #​13038 109efe7 Thanks @​jerelmiller! - Add the from option to readFragment, watchFragment, and updateFragment.

• #​12918 2e224b9 Thanks @​jerelmiller! - Add support for the @stream directive on both the Defer20220824Handler and the GraphQL17Alpha2Handler.

  [!NOTE]
  The implementations of @stream differ in the delivery of incremental results between the different GraphQL spec versions. If you upgrading from the older format to the newer format, expect the timing of some incremental results to change.

• #​13056 b224efc Thanks @​jerelmiller! - InMemoryCache no longer filters out explicitly returned undefined items from read functions for array fields. This now makes it possible to create read functions on array fields that return partial data and trigger a fetch for the full list.

• #​13058 121a2cb Thanks @​jerelmiller! - Add an extensions option to cache.write, cache.writeQuery, and client.writeQuery. This makes extensions available in cache merge functions which can be accessed with the other merge function options.

  As a result of this change, any extensions returned in GraphQL operations are now available in merge in the cache writes for these operations.

• #​12927 96b531f Thanks @​jerelmiller! - Add an abstract resolvesClientField function to ApolloCache that can be used by caches to tell LocalState if it can resolve a @client field when a local resolver is not defined.

  LocalState will emit a warning and set a fallback value of null when no local resolver is defined and resolvesClientField returns false, or isn't defined. Returning true from resolvesClientField signals that a mechanism in the cache will set the field value. In this case, LocalState won't set the field value.

• #​13078 bf1e0dc Thanks @​phryneas! - Use the default stream merge function for @stream fields only if stream info is present. This change means that using the older Defer20220824Handler will not use the default stream merge function and will instead truncate the streamed array on the first chunk.

Patch Changes

• #​12884 d329790 Thanks @​phryneas! - Ensure that PreloadedQueryRef instances are unsubscribed when garbage collected

• #​13086 1a1d408 Thanks @​phryneas! - Change the returned value from null to {} when all fields in a query were skipped.

  This also fixes a bug where useSuspenseQuery would suspend indefinitely when all fields were skipped.

• #​13010 7627000 Thanks @​jerelmiller! - Fix an issue where errors parsed from incremental chunks in ErrorLink might throw when using the GraphQL17Alpha9Handler.

• #​12927 45ebb52 Thanks @​jerelmiller! - Deduplicate watches created by useFragment, client.watchFragment, and cache.watchFragment that contain the same fragment, variables, and identifier. This should improve performance in situations where a useFragment or a client.watchFragment is used to watch the same object in multiple places of an application.

• #​12927 259ae9b Thanks @​jerelmiller! - Allow FragmentType not only to be called as FragmentType<TData>, but also as FragmentType<TypedDocumentNode>.

• #​12925 5851800 Thanks @​jerelmiller! - Fix an issue where calling fetchMore with @defer or @stream would not rerender incremental results as they were streamed.

• #​12927 9e55188 Thanks @​jerelmiller! - Truncate @stream arrays only on last chunk by default.

• #​13083 f3c2be1 Thanks @​phryneas! - Expose the ExtensionsWithStreamInfo type for extensions in Cache.writeQuery, Cache.write and Cache.update so other cache implementations also can correctly access them.

• #​12923 94ea3e3 Thanks @​jerelmiller! - Improve the cache data loss warning message when existing or incoming is an array.

• #​12927 4631175 Thanks @​jerelmiller! - Ignore top-level data values on subsequent chunks in incremental responses.

• #​12927 2be8de2 Thanks @​jerelmiller! - Create mechanism to add experimental features to Apollo Client

• #​12927 96b531f Thanks @​jerelmiller! - Ensure LocalState doesn't try to read from the cache when using a no-cache fetch policy.

• #​12927 bb8ed7b Thanks @​jerelmiller! - Ensure an error is thrown when @stream is detected and an incrementalDelivery handler is not configured.

• #​13053 23ca0ba Thanks @​phryneas! - Use memoized observable mapping when using watchFragment, useFragment or useSuspenseFragment.

• #​12927 44706a2 Thanks @​jerelmiller! - Add helper type QueryRef.ForQuery<TypedDocumentNode>

• #​13082 c257418 Thanks @​phryneas! - Pass streamInfo through result extensions as a WeakRef.

• #​12927 4631175 Thanks @​jerelmiller! - Fix the Defer20220824Handler.SubsequentResult type to match the FormattedSubsequentIncrementalExecutionResult type in graphql@17.0.0-alpha.2.

• #​12927 96b531f Thanks @​jerelmiller! - Warn when using a no-cache fetch policy without a local resolver defined. no-cache queries do not read or write to the cache which meant no-cache queries are silently incomplete when the @client field value was handled by a cache read function.

• #​12927 5776ea0 Thanks @​jerelmiller! - Update the accept header used with the GraphQL17Alpha9Handler to multipart/mixed;incrementalSpec=v0.2 to ensure the newest incremental delivery format is requested.

• #​12927 45ebb52 Thanks @​jerelmiller! - DeepPartial<Array<TData>> now returns Array<DeepPartial<TData>> instead of Array<DeepPartial<TData | undefined>>.

• #​13071 99ffe9a Thanks @​phryneas! - prerenderStatic: Expose return value of renderFunction to userland, fix aborted property.

  This enables usage of resumeAndPrerender with React 19.2.

• #​13026 05eee67 Thanks @​jerelmiller! - Reduce the number of observables created by watchFragment by reusing existing observables as much as possible. This should improve performance when watching the same item in the cache multiple times after a cache update occurs.

• #​13010 7627000 Thanks @​jerelmiller! - Handle @stream payloads that send multiple items in the same chunk when using the Defer20220824Handler.

• #​13010 7627000 Thanks @​jerelmiller! - Handle an edge case with the Defer20220824Handler where an error for a @stream item that bubbles to the @stream boundary (such as an item returning null for a non-null array item) would write items from future chunks to the wrong array index. In these cases, the @stream field is no longer processed and future updates to the field are ignored. This prevents runtime errors that TypeScript would otherwise not be able to catch.

• #​13081 1e06ad7 Thanks @​jerelmiller! - Avoid calling merge functions more than once for the same incremental chunk.

v4.0.13

Compare Source

Patch Changes

• #​13094 9cbe2c2 Thanks @​phryneas! - Ensure that compact and mergeOptions preserve symbol keys.

  This fixes an issue where the change introduced in 4.0.11 via #​13049 would not
  be applied if defaultOptions for watchQuery were declared.

  Please note that compact and mergeOptions are considered internal utilities
  and they might have similar behavior changes in future releases.
  Do not use them in your application code - a change like this is not considered
  breaking and will not be announced as such.

v4.0.12

Compare Source

Patch Changes

• #​12884 d329790 Thanks @​phryneas! - Ensure that PreloadedQueryRef instances are unsubscribed when garbage collected

• #​13069 9cad04a Thanks @​jerelmiller! - Truncate @​stream arrays only on last chunk by default

v4.0.11

Compare Source

Patch Changes

• #​13050 8020829 Thanks @​phryneas! - Replace usage of findLast with more backwards-compatible methods.

• #​13049 05638de Thanks @​phryneas! - Fixes an issue where queries starting with skipToken or lazy queries from useLazyQuery were included in client.refetchQueries() before they had been executed for the first time. While generally queries with a standby fetchPolicy should be included in refetch, these queries never had variables passed in, so they should be excluded until they have run once and received their actual variables.

  These queries are now properly excluded from refetch operations until after their initial execution.

  This change adds a new hidden option to client.watchQuery, [variablesUnknownSymbol], which may be set true for queries starting with a fetchPolicy of standby. It will only be applied when creating the ObservableQuery instance and cannot be changed later. This flag indicates that the query's variables are not yet known, and thus it should be excluded from refetch operations until they are.
  This option is not meant for everyday use and is intended for framework integrations only.

v4.0.10

Compare Source

Patch Changes

• #​13045 af4acdc Thanks @​phryneas! - Fix memory leak #​13036

v4.0.9

Compare Source

Patch Changes

• #​12993 8f3bc9b Thanks @​jerelmiller! - Fix an issue where switching from options with variables to skipToken with useSuspenseQuery and useBackgroundQuery would create a new ObservableQuery. This could cause unintended refetches where variables were absent in the request when the query was referenced with refetchQueries.

v4.0.8

Compare Source

Patch Changes

• #​12983 f6d0efa Thanks @​CarsonF! - Fix cache.modify() mapping readonly arrays to singular reference

v4.0.7

Compare Source

Patch Changes

• #​12950 5b4f36a Thanks @​jerelmiller! - Don't send operationType in the payload sent by GraphQLWsLink.

v4.0.6

[Compare Source](https://redirect.github

[renovate]

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Node/graphql-apollo-globaldynamics/api/pnpm-lock.yaml

(node:2482) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
(Use `node --trace-deprecation ...` to show where the warning was created)

File name: Node/graphql-apollo-globaldynamics/app/pnpm-lock.yaml

(node:2598) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
(Use `node --trace-deprecation ...` to show where the warning was created)

File name: Node/graphql-apollo-globaldynamics/pnpm-lock.yaml

(node:2716) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
(Use `node --trace-deprecation ...` to show where the warning was created)

File name: Node/graphql-apollo-v1/speakers-rest-api/pnpm-lock.yaml

(node:2832) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
(Use `node --trace-deprecation ...` to show where the warning was created)

File name: Node/graphql-express/pnpm-lock.yaml

(node:2949) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
(Use `node --trace-deprecation ...` to show where the warning was created)