fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@apollo/server (source)	4.11.0 -> 4.12.2			dependencies	minor
@types/cors (source)	2.8.17 -> 2.8.19			devDependencies	patch
@types/express (source)	5.0.0 -> 5.0.3			devDependencies	patch
@types/morgan (source)	1.9.9 -> 1.9.10			devDependencies	patch
@types/node (source)	22.8.1 -> 22.16.4			devDependencies	minor
express (source)	4.21.1 -> 4.21.2			dependencies	patch
github.com/brianvoe/gofakeit/v7	v7.1.2 -> v7.3.0			require	minor
github.com/spf13/cobra	v1.8.1 -> v1.9.1			require	minor
golang	1.23 -> 1.24			stage	minor
graphql	16.9.0 -> 16.11.0			dependencies	minor
helmet (source)	8.0.0 -> 8.1.0			dependencies	minor
typescript (source)	5.6.3 -> 5.8.3			devDependencies	minor

---

Release Notes

apollographql/apollo-server (@​apollo/server)

v4.12.2

Compare Source

(No change; there is a change to the @apollo/server-integration-testsuite used to test integrations, and the two packages always have matching versions.)

v4.12.1

Compare Source

Patch Changes

• #​8064 41f98d4 Thanks @​glasser! - Update README.md to recommend Express v5 integration now that Express v5 is released.

v4.12.0

Compare Source

Minor Changes

• #​8054 89e3f84 Thanks @​clenfest! - Adds a new graphql-js validation rule to reject operations that recursively request selections above a specified maximum, which is disabled by default. Use configuration option maxRecursiveSelections=true to enable with a maximum of 10,000,000, or maxRecursiveSelections=<number> for a custom maximum. Enabling this validation can help avoid performance issues with configured validation rules or plugins.

Patch Changes

• #​8031 2550d9f Thanks @​slagiewka! - Add return after sending 400 response in doubly escaped JSON parser middleware

v4.11.3

Compare Source

Patch Changes

• #​8010 f4228e8 Thanks @​glasser! - Compatibility with Next.js Turbopack. Fixes #​8004.

v4.11.2

Compare Source

(No change; there is a change to the @apollo/server-integration-testsuite used to test integrations, and the two packages always have matching versions.)

v4.11.1

Compare Source

Patch Changes

• #​7952 bb81b2c Thanks @​glasser! - Upgrade dependencies so that automated scans don't detect a vulnerability.

  @apollo/server depends on express which depends on cookie. Versions of express older than v4.21.1 depend on a version of cookie vulnerable to CVE-2024-47764. Users of older express versions who call res.cookie() or res.clearCookie() may be vulnerable to this issue.

  However, Apollo Server does not call this function directly, and it does not expose any object to user code that allows TypeScript users to call this function without an unsafe cast.

  The only way that this direct dependency can cause a vulnerability for users of Apollo Server is if you call startStandaloneServer with a context function that calls Express-specific methods such as res.cookie() or res.clearCookies() on the response object, which is a violation of the TypeScript types provided by startStandaloneServer (which only promise that the response object is a core Node.js http.ServerResponse rather than the Express-specific subclass). So this vulnerability can only affect Apollo Server users who use unsafe JavaScript or unsafe as typecasts in TypeScript.

  However, this upgrade will at least prevent vulnerability scanners from alerting you to this dependency, and we encourage all Express users to upgrade their project's own express dependency to v4.21.1 or newer.

expressjs/express (express)

v4.21.2

Compare Source

What's Changed

• Add funding field (v4) by @​bjohansebas in https://github.com/expressjs/express/pull/6065
• deps: path-to-regexp@0.1.11 by @​blakeembrey in https://github.com/expressjs/express/pull/5956
• deps: bump path-to-regexp@0.1.12 by @​jonchurch in https://github.com/expressjs/express/pull/6209
• Release: 4.21.2 by @​UlisesGascon in https://github.com/expressjs/express/pull/6094

Full Changelog: expressjs/express@4.21.1...4.21.2

brianvoe/gofakeit (github.com/brianvoe/gofakeit/v7)

v7.3.0: ISBN

Compare Source

📚 New Feature: ISBN Generation

This release adds support for generating valid ISBN identifiers, perfect for mock book data or publishing applications.

Generate a valid ISBN-10 or ISBN-13 string with customizable separator.

gofakeit.ISBN(ISBNOptions{Version: "13", Separator: "-"}) // "978-1-2345-6789-0"

🧰 Options

Field	Description
Version	"10" or "13" (default is "13")
Separator	Custom string separator (e.g. "-", "")

Thanks to @​phoenisx , gofakeit is even more versatile for testing systems that work with books, publishing tools, or educational content.

v7.2.1

Compare Source

v7.2.0

Compare Source

spf13/cobra (github.com/spf13/cobra)

v1.9.1

Compare Source

🐛 Fixes

• Fix CompletionFunc implementation by @​ccoVeille in https://github.com/spf13/cobra/pull/2234
• Revert "Make detection for test-binary more universal (#​2173)" by @​marckhouzam in https://github.com/spf13/cobra/pull/2235

Full Changelog: spf13/cobra@v1.9.0...v1.9.1

v1.9.0

Compare Source

✨ Features

• Allow linker to perform deadcode elimination for program using Cobra by @​aarzilli in https://github.com/spf13/cobra/pull/1956
• Add default completion command even if there are no other sub-commands by @​marckhouzam in https://github.com/spf13/cobra/pull/1559
• Add CompletionWithDesc helper by @​ccoVeille in https://github.com/spf13/cobra/pull/2231

🐛 Fixes

• Fix deprecation comment for Command.SetOutput by @​thaJeztah in https://github.com/spf13/cobra/pull/2172
• Replace deprecated ioutil usage by @​nirs in https://github.com/spf13/cobra/pull/2181
• Fix --version help and output for plugins by @​nirs in https://github.com/spf13/cobra/pull/2180
• Allow to reset the templates to the default by @​marckhouzam in https://github.com/spf13/cobra/pull/2229

🤖 Completions

• Make Powershell completion work in constrained mode by @​lstemplinger in https://github.com/spf13/cobra/pull/2196
• Improve detection for flags that accept multiple values by @​thaJeztah in https://github.com/spf13/cobra/pull/2210
• add CompletionFunc type to help with completions by @​ccoVeille in https://github.com/spf13/cobra/pull/2220
• Add similar whitespace escape logic to bash v2 completions than in other completions by @​kangasta in https://github.com/spf13/cobra/pull/1743
• Print ActiveHelp for bash along other completions by @​marckhouzam in https://github.com/spf13/cobra/pull/2076
• fix(completions): Complete map flags multiple times by @​gabe565 in https://github.com/spf13/cobra/pull/2174
• fix(bash): nounset unbound file filter variable on empty extension by @​scop in https://github.com/spf13/cobra/pull/2228

🧪 Testing

• Test also with go 1.23 by @​nirs in https://github.com/spf13/cobra/pull/2182
• Make detection for test-binary more universal by @​thaJeztah in https://github.com/spf13/cobra/pull/2173

✍🏼 Documentation

• docs: update README.md by @​eltociear in https://github.com/spf13/cobra/pull/2197
• Improve site formatting by @​nirs in https://github.com/spf13/cobra/pull/2183
• doc: add Conduit by @​raulb in https://github.com/spf13/cobra/pull/2230
• doc: azion project added to the list of CLIs that use cobra by @​maxwelbm in https://github.com/spf13/cobra/pull/2198
• Fix broken links in active_help.md by @​vuil in https://github.com/spf13/cobra/pull/2202
• chore: fix function name in comment by @​zhuhaicity in https://github.com/spf13/cobra/pull/2216

🔧 Dependency upgrades

• build(deps): bump github.com/cpuguy83/go-md2man/v2 from 2.0.5 to 2.0.6 by @​thaJeztah in https://github.com/spf13/cobra/pull/2206
• Update to latest go-md2man by @​mikelolasagasti in https://github.com/spf13/cobra/pull/2201
• Upgrade pflag dependencies for v1.9.0 by @​jpmcb in https://github.com/spf13/cobra/pull/2233

---

Thank you to all of our amazing contributors and all the great work that's been going into the completions feature!!

👋🏼 New Contributors

• @​gabe565 made their first contribution in https://github.com/spf13/cobra/pull/2174
• @​maxwelbm made their first contribution in https://github.com/spf13/cobra/pull/2198
• @​lstemplinger made their first contribution in https://github.com/spf13/cobra/pull/2196
• @​vuil made their first contribution in https://github.com/spf13/cobra/pull/2202
• @​mikelolasagasti made their first contribution in https://github.com/spf13/cobra/pull/2201
• @​zhuhaicity made their first contribution in https://github.com/spf13/cobra/pull/2216
• @​ccoVeille made their first contribution in https://github.com/spf13/cobra/pull/2220
• @​kangasta made their first contribution in https://github.com/spf13/cobra/pull/1743
• @​aarzilli made their first contribution in https://github.com/spf13/cobra/pull/1956

Full Changelog: spf13/cobra@v1.8.1...v1.9.0

graphql/graphql-js (graphql)

v16.11.0: 16.11.0

Compare Source

v16.11.0 (2025-04-26)

New Feature 🚀

• #​4363 Ensure we validate for using nullable variables in oneOf input fields (@​JoviDeCroock)
• #​4366 feat(execution): add max coercion errors option to execution context (@​cristunaranjo)

Bug Fix 🐞

• #​4367 fix(coerce-input-value): input object coercion rejects arrays (@​cristunaranjo)

Docs 📝

11 PRs were merged

• #​4310 First draft for upgrade guide to v17 (@​JoviDeCroock)
• #​4331 fix sidebar for documentation and /api-v16 (@​dimaMachina)
• #​4335 Add cspell exception (@​JoviDeCroock)
• #​4340 Improve flow of documentation around GraphiQL (@​benjie)
• #​4343 typofix: removes extra parenthesis from getting started code snippet (@​rabahalishah)
• #​4351 fixed wrong variable name (@​fto-dev)
• #​4352 docs(getting-started): promises current links (@​guspan-tanadi)
• #​4368 Update docs for execution options (@​JoviDeCroock)
• #​4369 Correct some syntax (@​JoviDeCroock)
• #​4372 Refactor every code-first example to leverage resolve (@​JoviDeCroock)
• #​4373 docs: Update getting-started.mdx (@​Shubhdeep12)

Polish 💅

• #​4312 Increase print/visit performance (@​JoviDeCroock)

Internal 🏠

4 PRs were merged

• #​4327 Add redirect for /api (@​JoviDeCroock)
• #​4377 Chore: bump setup-node (@​JoviDeCroock)
• #​4378 Change to gqlConf 2025 (@​JoviDeCroock)
• #​4379 Add missing parenthesis (@​benjie)

Committers: 8

• Benjie(@​benjie)
• Cris Naranjo (@​cristunaranjo)
• Dimitri POSTOLOV(@​dimaMachina)
• Fatih Ozdemir(@​fto-dev)
• Guspan Tanadi(@​guspan-tanadi)
• Jovi De Croock(@​JoviDeCroock)
• Rabah Ali Shah(@​rabahalishah)
• Shubhdeep Chhabra(@​Shubhdeep12)

v16.10.0: 16.10.0

Compare Source

v16.10.0 (2024-12-15)

New Feature 🚀

• #​4286 fix: properly type extensions in GraphQLFormattedError (@​tpoisseau)
• #​4292 Expose tokenCount on the DocumentNode (@​JoviDeCroock)

Bug Fix 🐞

• #​4137 backport(v16): Require non-empty directive locations (#​4100) (@​benjie)
• #​4168 fix(validation): catch OverlappingFieldsCanBeMergedRule violations with nested fragments (@​sachindshinde)
• #​4226 Backport introspection type fix (@​JoviDeCroock)
• #​4291 Address empty selection-set (@​JoviDeCroock)

Docs 📝

10 PRs were merged

• #​4240 Convert from docusaurus to nextra (@​JoviDeCroock)
• #​4248 Add content from https://github.com/graphql/graphql.github.io/pull/1782 (@​JoviDeCroock)
• #​4249 Styling fixes (@​JoviDeCroock)
• #​4256 Various fixes to docs (@​JoviDeCroock)
• #​4279 Solve some low hanging fruit in the documentation (@​JoviDeCroock)
• #​4283 Add overview page and add stackblitz to tutorial (@​JoviDeCroock)
• #​4284 Provide people with tabs so they can use classes as well (@​JoviDeCroock)
• #​4289 Add note about defer/stream being v17 (@​JoviDeCroock)
• #​4290 Write about @oneOf in the graphql-js documentation (@​JoviDeCroock)
• #​4295 Split up in v16 API documentation (@​JoviDeCroock)

Internal 🏠

4 PRs were merged

• #​4138 Upgrade codecov action and pass token (@​benjie)
• #​4139 Fix codecov workflow (@​benjie)
• #​4157 Add GraphQLConf 2024 banner (@​bignimbus)
• #​4193 Upgrade deprecated actions (@​JoviDeCroock)

Committers: 5

• Benjie(@​benjie)
• Jeff Auriemma(@​bignimbus)
• Jovi De Croock(@​JoviDeCroock)
• Sachin D. Shinde(@​sachindshinde)
• tpoisseau(@​tpoisseau)

helmetjs/helmet (helmet)

v8.1.0

Compare Source

Changed

• Content-Security-Policy gives a better error when a directive value, like self, should be quoted. See #​482

microsoft/TypeScript (typescript)

v5.8.3

Compare Source

v5.8.2

Compare Source

v5.7.3: TypeScript 5.7.3

Compare Source

For release notes, check out the release announcement.

• fixed issues query for Typescript 5.7.0 (Beta).
• fixed issues query for Typescript 5.7.1 (RC).
• fixed issues query for Typescript 5.7.2 (Stable).
• fixed issues query for Typescript 5.7.3 (Stable).

Downloads are available on npm

v5.7.2: TypeScript 5.7

Compare Source

For release notes, check out the release announcement.

• fixed issues query for Typescript 5.7.0 (Beta).
• fixed issues query for Typescript 5.7.1 (RC).
• fixed issues query for Typescript 5.7.2 (Stable).

Downloads are available on:

• npm

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.