@renovate renovate bot commented Nov 4, 2025

This PR contains the following updates:

Package: @apollo/composition (source)
Change:  2.11.3 -> 2.12.1

Release Notes

apollographql/federation (@apollo/composition)

v2.12.1

Compare Source

Patch Changes
  • Fixed access control verification of transitive requirements (through @requires and/or @fromContext) to ensure it works with chains of transitive dependencies. (#3343)

  • Allow interface object fields to specify access control (#3343)

    Update composition logic to allow specifying access control directives (@authenticated, @requiresScopes and @policy) on @interfaceObject fields. While we disallow access control on interface types and fields, we decided to support it on @interfaceObject as it is a useful pattern to define a single resolver (that may need access controls) for common interface fields. The alternative would require our users to explicitly define resolvers for all implementations, which defeats the purpose of @interfaceObject.

    This PR refactors how we propagate access control by providing additional merge sources when merging directives on interfaces, interface fields and object fields.

  • Updated dependencies [09e596e6a0c753071ca822e84f525d73ada395cf, ac1ed2946c48e0fef4b413b192d8c5fbdb2370ae]:

v2.12.0

Compare Source

Minor Changes
  • Federation 2.12 and Connect 0.3 (#3276)

  • Added isSuccess argument to @connect and @source (#3294)

  • Fixes a bug where composition may not generate a satisfiability error for an unsatisfiable @shareable mutation field. (#3305)

  • Automatically propagate authorization requirements from implementing type to interface in the supergraph. (#3321)

    Authorization requirements now automatically propagate from implementing types to interfaces during composition. Direct auth specifications on interfaces are no longer allowed. Interface access requires satisfying ALL implementing types' requirements (AND rule), with these requirements included in the supergraph for backward compatibility with older routers.

  • Fix transitive auth requirements on @requires and @fromcontext (#3321)

    Adds a new postMergeValidation check to ensure that all fields that depend on data from other parts of the supergraph through @requires and/or @fromContext directives explicitly specify matching @authenticated, @requiresScopes and/or @policy auth requirements, e.g.

    # subgraph A: reads `extra` from another subgraph via @requires
    type T @key(fields: "id") {
      id: ID!
      extra: String @external
      # we need explicit `@authenticated` as it is needed to access extra
      requiresExtra: String @requires(fields: "extra") @authenticated
    }
    
    # subgraph B: owns `extra` and protects it
    type T @key(fields: "id") {
      id: ID!
      extra: String @authenticated
    }
  • Adds a new CompositionOption, maxValidationSubgraphPaths. This value represents the maximum number of SubgraphPathInfo objects that may exist in a ValidationTraversal when checking for satisfiability. Setting this value lets composition fail with an error before running out of memory. Default is 1,000,000. (#3275)

  • Restrict usage of auth directives on interfaces (#3321)

    Restricts usage of @authenticated, @policy and @requiresScopes from being applied on interfaces, interface objects and their fields.

    GraphQL spec currently does not define any interface inheritance rules and developers have to explicitly redefine all interface fields on their implementations. At runtime, GraphQL servers cannot return abstract types and always return concrete output types. Due to the above, applying auth directives on the interfaces may lead to unexpected runtime behavior as they won't have any effect at runtime.

  • Stricter merge rules for @requiresScopes and @policy (#3321)

    Current merge policies for @authenticated, @requiresScopes and @policy were inconsistent.

    If a shared field uses the same authorization directives across subgraphs, composition merges them using OR logic. However, if a shared field uses different authorization directives across subgraphs composition merges them using AND logic. This simplified schema evolution, but weakened security requirements. Therefore, the behavior has been changed to always apply AND logic to authorization directives applied to the same field across subgraphs.

    Since @policy and @requiresScopes values represent boolean conditions in Disjunctive Normal Form, we can merge them conjunctively to get the final auth requirements. For example:

    # subgraph A
    type T @authenticated {
      # requires scopes (A1 AND A2) OR A3
      secret: String @requiresScopes(scopes: [["A1", "A2"], ["A3"]])
    }
    
    # subgraph B
    type T {
      # requires scopes B1 OR B2
      secret: String @requiresScopes(scopes: [["B1"], ["B2"]])
    }
    
    # composed supergraph
    type T @authenticated {
      secret: String @requiresScopes(
        scopes: [
          ["A1", "A2", "B1"],
          ["A1", "A2", "B2"],
          ["A3", "B1"],
          ["A3", "B2"]
        ])
    }

    This algorithm also deduplicates redundant requirements, e.g.

    # subgraph A
    type T {
      # requires A1 AND A2 scopes to access
      secret: String @requiresScopes(scopes: [["A1", "A2"]])
    }
    
    # subgraph B
    type T {
      # requires only A1 scope to access
      secret: String @requiresScopes(scopes: [["A1"]])
    }
    
    # composed supergraph
    type T {
      # requires only A1 scope to access as A2 is redundant
      secret: String @requiresScopes(scopes: [["A1"]])
    }
  • Fixed handling @requires dependency on fields returned by @interfaceObject (#3318)

    Depending on the merge order of the types, we could fail composition if a type that @requires data from an @interfaceObject is merged before the interface. Updated merge logic to use explicit merge order of scalars, input objects, interfaces, and finally objects.

  • Added preview @cacheTag directive support (#3274)

v2.11.5

Compare Source

Patch Changes
  • Fixed access control verification of transitive requirements (through @requires and/or @fromContext) to ensure it works with chains of transitive dependencies. (#3333)

  • Allow interface object fields to specify access control (#3333)

    Update composition logic to allow specifying access control directives (@authenticated, @requiresScopes and @policy) on @interfaceObject fields. While we disallow access control on interface types and fields, we decided to support it on @interfaceObject as it is a useful pattern to define a single resolver (that may need access controls) for common interface fields. The alternative would require our users to explicitly define resolvers for all implementations, which defeats the purpose of @interfaceObject.

    This PR refactors how we propagate access control by providing additional merge sources when merging directives on interfaces, interface fields and object fields.

  • Updated dependencies [e1c58611c3c996b4fff98a54e49f00549ff2115d, 3e2d1fd315db54a089fedf131cfaa27792bdd049]:

v2.11.4

Compare Source

Patch Changes
  • Automatically propagate authorization requirements from implementing type to interface in the supergraph. (#3325)

    Authorization requirements now automatically propagate from implementing types to interfaces during composition. Direct auth specifications on interfaces are no longer allowed. Interface access requires satisfying ALL implementing types' requirements (AND rule), with these requirements included in the supergraph for backward compatibility with older routers.

  • Fix transitive auth requirements on @requires and @fromcontext (#3325)

    Adds a new postMergeValidation check to ensure that all fields that depend on data from other parts of the supergraph through @requires and/or @fromContext directives explicitly specify matching @authenticated, @requiresScopes and/or @policy auth requirements, e.g.

    # subgraph A: reads `extra` from another subgraph via @requires
    type T @key(fields: "id") {
      id: ID!
      extra: String @external
      # we need explicit `@authenticated` as it is needed to access extra
      requiresExtra: String @requires(fields: "extra") @authenticated
    }
    
    # subgraph B: owns `extra` and protects it
    type T @key(fields: "id") {
      id: ID!
      extra: String @authenticated
    }
  • Restrict usage of auth directives on interfaces (#3325)

    Restricts usage of @authenticated, @policy and @requiresScopes from being applied on interfaces, interface objects and their fields.

    GraphQL spec currently does not define any interface inheritance rules and developers have to explicitly redefine all interface fields on their implementations. At runtime, GraphQL servers cannot return abstract types and always return concrete output types. Due to the above, applying auth directives on the interfaces may lead to unexpected runtime behavior as they won't have any effect at runtime.

  • Stricter merge rules for @requiresScopes and @policy (#3325)

    Current merge policies for @authenticated, @requiresScopes and @policy were inconsistent.

    If a shared field uses the same authorization directives across subgraphs, composition merges them using OR logic. However, if a shared field uses different authorization directives across subgraphs composition merges them using AND logic. This simplified schema evolution, but weakened security requirements. Therefore, the behavior has been changed to always apply AND logic to authorization directives applied to the same field across subgraphs.

    Since @policy and @requiresScopes values represent boolean conditions in Disjunctive Normal Form, we can merge them conjunctively to get the final auth requirements. For example:

    # subgraph A
    type T @authenticated {
      # requires scopes (A1 AND A2) OR A3
      secret: String @requiresScopes(scopes: [["A1", "A2"], ["A3"]])
    }
    
    # subgraph B
    type T {
      # requires scopes B1 OR B2
      secret: String @requiresScopes(scopes: [["B1"], ["B2"]])
    }
    
    # composed supergraph
    type T @authenticated {
      secret: String @requiresScopes(
        scopes: [
          ["A1", "A2", "B1"],
          ["A1", "A2", "B2"],
          ["A3", "B1"],
          ["A3", "B2"]
        ])
    }

    This algorithm also deduplicates redundant requirements, e.g.

    # subgraph A
    type T {
      # requires A1 AND A2 scopes to access
      secret: String @requiresScopes(scopes: [["A1", "A2"]])
    }
    
    # subgraph B
    type T {
      # requires only A1 scope to access
      secret: String @requiresScopes(scopes: [["A1"]])
    }
    
    # composed supergraph
    type T {
      # requires only A1 scope to access as A2 is redundant
      secret: String @requiresScopes(scopes: [["A1"]])
    }
  • Updated dependencies [d221ac04c3ee00a3c7a671d9d56e2cfa36943b49, 7730c03e128be6754b9e40c086d5cb5c4685ac66, 4bda3a498eba36e187dfd9ae673eca12d3f3502c, f3ab499eaf62b1a1c0f08b838d2cbde5accb303a, 6adbf7e86927de969aedab665b6a3a8dbf3a6095, 2a20dc38dfc40e0b618d5cc826f18a19ddb91aff]:


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
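The conjunctive DNF merge described in the "Stricter merge rules for @requiresScopes and @policy" entries above (v2.12.0 and v2.11.4), as an added Python illustration that is not code from the federation project: each clause is a set of scopes that must all be held, every clause of one subgraph is unioned with every clause of the next (distributing AND over OR), and any clause that is a superset of another clause is dropped as redundant. The scope names A1..B2 come from the changelog; the second dedup input is constructed.

```python
"""Conjunctive merge of @requiresScopes / @policy DNF conditions (added illustration)."""
from itertools import product

# A DNF condition is a list of clauses; a clause is the set of scopes that must
# ALL be present, and access is granted when ANY clause is satisfied.
Dnf = list[frozenset[str]]


def parse_scopes(scopes: list[list[str]]) -> Dnf:
    """Turn the @requiresScopes(scopes: [[...], ...]) argument into clause sets."""
    return [frozenset(clause) for clause in scopes]


def simplify(dnf: Dnf) -> Dnf:
    """Remove duplicate clauses and absorb any clause that is a strict superset of
    another (X OR (X AND Y) == X), so redundant requirements vanish."""
    unique = set(dnf)
    kept = [c for c in unique if not any(other < c for other in unique)]
    return sorted(kept, key=lambda c: (len(c), sorted(c)))


def merge_conjunctively(a: Dnf, b: Dnf) -> Dnf:
    """a AND b in DNF: union each clause of a with each clause of b, then simplify."""
    return simplify([x | y for x, y in product(a, b)])


def merge_subgraphs(subgraph_scopes: list[list[list[str]]]) -> list[list[str]]:
    """Merge the @requiresScopes of one shared field as declared by every subgraph
    that defines it, under the stricter AND rule. Returns sorted clause lists."""
    merged = None
    for scopes in subgraph_scopes:
        dnf = parse_scopes(scopes)
        merged = dnf if merged is None else merge_conjunctively(merged, dnf)
    return [sorted(clause) for clause in (merged or [])]


if __name__ == "__main__":
    # Subgraph A: (A1 AND A2) OR A3 ; subgraph B: B1 OR B2  (changelog example)
    for clause in merge_subgraphs([[["A1", "A2"], ["A3"]], [["B1"], ["B2"]]]):
        print(" AND ".join(clause))
```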
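The transitive auth check described in the "Fix transitive auth requirements" and "Fixed access control verification of transitive requirements" entries, modelled as an added Python example rather than the project's own postMergeValidation code: the merged schema is reduced to a map from field name to its auth directives and @requires dependencies, each field's dependency chain is walked to its end, and fields whose own directives do not cover what the chain demands are reported. Field names, directive tokens and the sample schema are constructed, and "matching" is simplified to "declares at least the requirements of its dependencies".

```python
"""Added illustration: find fields whose @requires chain demands auth they do not declare."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldDef:
    """Reduced view of a merged field: auth directives as opaque tokens, plus the
    fields it pulls data from through @requires / @fromContext."""
    auth: frozenset = frozenset()
    requires: tuple = ()


# Constructed sample (names are "Type.field"). The chain T.summary -> T.derived ->
# T.requiresExtra -> T.extra ends at a field that demands @authenticated.
SAMPLE_SCHEMA = {
    "T.id": FieldDef(),
    "T.extra": FieldDef(auth=frozenset({"@authenticated"})),
    "T.requiresExtra": FieldDef(auth=frozenset({"@authenticated"}), requires=("T.extra",)),
    "T.derived": FieldDef(requires=("T.requiresExtra",)),  # missing @authenticated
    "T.summary": FieldDef(requires=("T.derived",)),  # two hops away; a one-hop check misses it
}


def transitive_requirements(schema, name):
    """Union of the auth directives of every field reachable from `name` through
    @requires, following chains of any length and tolerating cycles."""
    seen, todo, acc = set(), list(schema[name].requires), set()
    while todo:
        dep = todo.pop()
        if dep in seen:
            continue
        seen.add(dep)
        acc |= schema[dep].auth
        todo.extend(schema[dep].requires)
    return frozenset(acc)


def missing_auth(schema):
    """Map each offending field to the directives its dependency chain demands but
    it does not declare itself; an empty dict means the schema passes the check."""
    report = {}
    for name, fdef in schema.items():
        gap = transitive_requirements(schema, name) - fdef.auth
        if gap:
            report[name] = gap
    return report


if __name__ == "__main__":
    for name, gap in missing_auth(SAMPLE_SCHEMA).items():
        print(f"{name}: missing {sorted(gap)}")
```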

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Nov 4, 2025
@ardatan ardatan enabled auto-merge (squash) November 10, 2025 23:50
@renovate renovate bot force-pushed the renovate/apollo-graphql-packages branch from d69ed36 to 24262e2 Compare November 13, 2025 20:28
@renovate renovate bot changed the title from "chore(deps): update dependency @apollo/composition to v2.12.0" to "chore(deps): update dependency @apollo/composition to v2.12.1" Nov 13, 2025
@renovate renovate bot changed the title from "chore(deps): update dependency @apollo/composition to v2.12.1" to "chore(deps): update dependency @apollo/composition to v2.12.1 - autoclosed" Nov 14, 2025
@renovate renovate bot closed this Nov 14, 2025
auto-merge was automatically disabled November 14, 2025 17:49

Pull request was closed

@renovate renovate bot deleted the renovate/apollo-graphql-packages branch November 14, 2025 17:49