
build(deps): bump the npm_and_yarn group across 3 directories with 3 updates #1470

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/libraries/hermes/npm_and_yarn-3fc48429af


Conversation


dependabot[bot] commented on behalf of github on May 8, 2026

Bumps the npm_and_yarn group with 1 update in the /libraries/hermes directory: @apollo/server.
Bumps the npm_and_yarn group with 1 update in the /modules/database directory: mongoose.
Bumps the npm_and_yarn group with 1 update in the /modules/email directory: nodemailer.

Updates @apollo/server from 4.13.0 to 5.5.1

Release notes

Sourced from @apollo/server's releases.

@apollo/server-integration-testsuite@5.5.1

Patch Changes

  • Updated dependencies [3f46c51]:
    • @apollo/server@5.5.1

@apollo/server@5.5.1

Patch Changes

@apollo/server-integration-testsuite@5.5.0

Minor Changes

  • #8191 ada1200 - ⚠️ SECURITY @apollo/server/standalone: same change as in @apollo/server@5.5.0 below.

Patch Changes

  • Updated dependencies [ada1200]:
    • @apollo/server@5.5.0

@apollo/server@5.5.0

Minor Changes

  • #8191 ada1200 Thanks @glasser! - ⚠️ SECURITY @apollo/server/standalone:

    Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

    (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

    This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

    If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

    This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

    See advisory GHSA-9q82-xgwf-vj6h for more details.

... (truncated)

Changelog

Sourced from @apollo/server's changelog.

5.5.1

Patch Changes

5.5.0

Minor Changes

  • #8191 ada1200 Thanks @glasser! - ⚠️ SECURITY @apollo/server/standalone: same text as the 5.5.0 release notes above (see advisory GHSA-9q82-xgwf-vj6h).

5.4.0

Minor Changes

  • d25a5bd Thanks @phryneas! - ⚠️ SECURITY @apollo/server/standalone:

    The default configuration of startStandaloneServer was vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings.

    In accordance with RFC 7159, we now only accept request bodies encoded in UTF-8, UTF-16 (LE or BE), or UTF-32 (LE or BE). Any other character set will be rejected with a 415 Unsupported Media Type error. Note that the more recent JSON RFC, RFC 8259, is more strict and will only allow UTF-8. Since this is a minor release, we have chosen to remain compatible with the more permissive RFC 7159 for now. In a future major release, we may tighten this restriction further to only allow UTF-8.

    If you were not using startStandaloneServer, you were not affected by this vulnerability.

    Generally, please note that we provide startStandaloneServer as a convenience tool for quickly getting started with Apollo Server. For production deployments, we recommend using Apollo Server with a more fully-featured web server framework such as Express, Koa, or Fastify, where you have more control over security-related configuration options.

5.3.0

Minor Changes

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @apollo/server since your current version.


Updates mongoose from 8.9.5 to 8.22.1

Release notes

Sourced from mongoose's releases.

8.22.1 / 2026-02-04

  • fix: handle other top-level query operators in sanitizeFilter
  • fix(document): when cloning a doc with subdocs, make sure the subdocs parent is the cloned doc #15904 #15901
  • types(models): support Mongoose query casting in AnyBulkWriteOperation filter property #15910
  • types: add toBSON() to documents #15927

8.22.0 / 2026-01-27

  • feat(model): allow passing strict option to hydrate() #15944 #15940

8.21.1

  • fix(clone): fix parent doc for map subdocuments and array subdocuments #15958 AbdelrahmanHafez
  • fix(document): when cloning a doc with subdocs, make sure the subdocs parent is the cloned doc #15904 #15901
  • fix: respect currentTime schema option in bulkWrite updates #15976 sderrow
  • types(models): support Mongoose query casting in AnyBulkWriteOperation filter property #15910
  • types: add toBSON() to documents #15927

8.21.0 / 2025-12-29

  • feat(document): add support for getAtomics() to allow custom container types to utilize atomics #15817
  • feat(document+model): pass options to pre('deleteOne') and update+options to pre('updateOne') hooks #15908 #15870
  • fix: add support for typescript style enums #15914 #15913 mjfwebb

8.20.4 / 2025-12-18

  • fix(model): ensure $isDeleted is set after calling doc.deleteOne() successfully #15898
  • fix(document): use bitwise OR to accumulate version mode flags #15893 #15888 AbdelrahmanHafez

8.20.3 / 2025-12-15

  • perf: use Object.hasOwn instead of Object#hasOwnProperty #15875 AbdelrahmanHafez
  • fix: improve error when calling Document.prototype.init() with null/undefined #15812 Vegapunk-debug
  • types(schema): avoid treating paths with default: null as required #15889
  • types(schema): allow partial statics to schema.statics() #15780

8.20.2 / 2025-12-05

  • fix(model): bump version if necessary after successful bulkSave() #15809 #15800
  • fix(bulkWrite): pass overwriteImmutable option to castUpdate fixes #15789 #15782 #15781
  • types(schema): allow calling schema.static() with as TStatics #15794 #15780

8.20.1 / 2025-11-20

  • types: correct Model.schema type and fix unknown check for this param type in schema.methods #15750 #15693
  • docs: add detailed loadClass() TypeScript usage guide #15731 #12813 Necro-Rohan
  • docs: update version support documentation for Mongoose #15761 ManmathX
  • docs: add copy-to-clipboard feature for code blocks in docs #15759 vedansha07

8.20.0 / 2025-11-17

... (truncated)

Changelog

Sourced from mongoose's changelog.

8.22.1 / 2026-02-04

  (same four entries as the 8.22.1 release notes above)

7.8.9 / 2026-02-04

  • fix: handle other top-level query operators in sanitizeFilter

8.22.0 / 2026-01-27

  (same entry as the 8.22.0 release notes above)

8.21.1 / 2026-01-23

  (same five entries as the 8.21.1 release notes above)

9.1.5 / 2026-01-20

9.1.4 / 2026-01-15

9.1.3 / 2026-01-09

  • fix(model): support timestamps option to insertMany() as both boolean and QueryTimestampsConfig #15941 #15938
  • fix(query): include preview of current and incoming update in error when merging normal update with pipeline #15939 #15928
  • types(model): apply basic type casting to paths underneath subdocuments #15948 #15947
  • types(utility): make WithLevel1NestedPaths correctly handle PopulatedDoc and other TypeScript unions with Document members #15942 #15923
  • docs(schema): expose "DocumentArrayElement" #15590 hasezoey

9.1.2 / 2026-01-05

... (truncated)

Commits
  • 472e7c7 chore: release 8.22.1
  • 1735149 Merge branch '7.x' into 8.x
  • 5227801 chore: release 7.8.9
  • b804e34 fix: handle other top-level query operators in sanitizeFilter
  • 8d9a81f chore: release 8.22.0
  • f752854 Merge pull request #15985 from Automattic/8.22
  • e7a57ed avoid hardcoding dbName
  • 31adbb4 chore: release 8.21.1
  • 62a5af7 test: bring test cases from #15958 into 8.x to ensure fixes are applied in 8.x
  • bc8cb23 implement review suggestions
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for mongoose since your current version.


Updates nodemailer from 7.0.13 to 8.0.7

Release notes

Sourced from nodemailer's releases.

v8.0.7

8.0.7 (2026-04-27)

Bug Fixes

  • keep domain as UTF-8 when local part is non-ASCII (#1814) (66d4ecb)

v8.0.6

8.0.6 (2026-04-24)

Bug Fixes

  • restore base64 wrap() trim behavior to prevent trailing CRLF (#1810) (#1811) (b1ae6c1)

v8.0.5

8.0.5 (2026-04-07)

Bug Fixes

  • decode SMTP server responses as UTF-8 at line boundary (95876b1)
  • sanitize CRLF in transport name option to prevent SMTP command injection (GHSA-vvjj-xcjg-gr5g) (0a43876)

v8.0.4

8.0.4 (2026-03-25)

Bug Fixes

  • sanitize envelope size to prevent SMTP command injection (2d7b971)

v8.0.3

8.0.3 (2026-03-18)

Bug Fixes

  • clean up addressparser and fix group name fallback producing undefined (9d55877)
  • fix cookie bugs, remove dead code, and improve hot-path efficiency (e8c8b92)
  • refactor smtp-connection for clarity and add Node.js 6 syntax compat test (c5b48ea)
  • remove familySupportCache that broke DNS resolution tests (c803d90)

v8.0.2

8.0.2 (2026-03-09)

Bug Fixes

... (truncated)

Changelog

Sourced from nodemailer's changelog.

8.0.7 through 8.0.3: identical to the release notes above.

8.0.2 (2026-03-09)

Bug Fixes

  • merge fragmented display names with unquoted commas in addressparser (fe27f7f)

8.0.1 (2026-02-07)

Bug Fixes

... (truncated)

Commits
  • 1997040 chore(master): release 8.0.7 (#1815)
  • 9b9c545 chore: drop nodemailer-ntlm-auth devDependency (#1816)
  • 22bf90c Bumped dev deps
  • 66d4ecb fix: keep domain as UTF-8 when local part is non-ASCII (#1814)
  • 6a4a01e Fix/base64 wrap trailing crlf (#1813)
  • a22efbc chore(master): release 8.0.6 (#1812)
  • b1ae6c1 fix: restore base64 wrap() trim behavior to prevent trailing CRLF (#1810) (#1...
  • 202cfb3 chore(master): release 8.0.5 (#1809)
  • b634abf docs: add CLAUDE.md with project conventions and release process
  • 95876b1 fix: decode SMTP server responses as UTF-8 at line boundary
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.
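The two request-acceptance rules quoted in the release notes above are worth pinning down before merging, since the 5.5.0 change is a deliberate backwards-incompatible tightening. The block below is an added example, not Apollo Server's code or anything from this repository: it implements the 5.5.0 GET rule (any Content-Type other than application/json is a 415; a GET with no Content-Type still needs a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header when CSRF prevention is on) and the 5.4.0 body-charset rule (RFC 7159 charsets only, otherwise 415). The function and option names, the 400 status used for the CSRF-header rejection (the notes do not state it), and the sample request headers are all assumptions or constructed for the example.

```javascript
// Added illustration of the two request-acceptance rules quoted in the Apollo
// Server 5.5.0 and 5.4.0 release notes. This is NOT Apollo Server's code:
// function and option names, and the 400 status used for the CSRF rejection,
// are assumptions; the sample requests at the bottom are constructed.

// Charsets that RFC 7159 permits for JSON, as listed in the 5.4.0 note.
const JSON_CHARSETS = new Set([
  'utf-8', 'utf-16', 'utf-16le', 'utf-16be', 'utf-32', 'utf-32le', 'utf-32be',
]);

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Minimal Content-Type parser: 'application/json; charset=UTF-8' ->
// { type: 'application/json', params: { charset: 'utf-8' } }.
function parseContentType(value) {
  const [rawType, ...rawParams] = value.split(';');
  const params = {};
  for (const p of rawParams) {
    const eq = p.indexOf('=');
    if (eq === -1) continue;
    const k = p.slice(0, eq).trim().toLowerCase();
    const v = p.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1').toLowerCase();
    if (k) params[k] = v;
  }
  return { type: rawType.trim().toLowerCase(), params };
}

// 5.4.0 rule (startStandaloneServer request bodies): accept only RFC 7159
// charsets. An absent charset parameter means UTF-8 for JSON.
// Returns { ok: true } or { ok: false, status: 415, reason }.
function checkBodyCharset(contentType) {
  const { params } = parseContentType(contentType);
  const charset = params.charset ?? 'utf-8';
  if (!JSON_CHARSETS.has(charset)) {
    return { ok: false, status: 415, reason: `unsupported charset: ${charset}` };
  }
  return { ok: true };
}

// 5.5.0 rule plus the pre-existing CSRF-prevention header requirement for GET.
function checkGraphqlGet(headers, { csrfPrevention = true } = {}) {
  const contentType = getHeader(headers, 'content-type');

  if (typeof contentType === 'string' && contentType.trim() !== '') {
    // Any media type other than application/json on a GET is rejected with
    // 415, whatever CSRF headers the request also carries.
    if (parseContentType(contentType).type !== 'application/json') {
      return { ok: false, status: 415, reason: `unsupported Content-Type for GET: ${contentType}` };
    }
    return { ok: true };
  }

  // No (or empty) Content-Type: require a non-empty CSRF header while the
  // default CSRF prevention feature is on. The 400 status is an assumption.
  if (csrfPrevention) {
    const nonEmpty = (v) => typeof v === 'string' && v.trim() !== '';
    if (!nonEmpty(getHeader(headers, 'x-apollo-operation-name')) &&
        !nonEmpty(getHeader(headers, 'apollo-require-preflight'))) {
      return { ok: false, status: 400, reason: 'missing X-Apollo-Operation-Name or Apollo-Require-Preflight' };
    }
  }
  return { ok: true };
}

// Constructed sample GET requests (header maps only, not real traffic).
const SAMPLE_GETS = {
  simpleTypeNoPreflight: { 'Content-Type': 'text/plain' },
  jsonWithCharset: { 'Content-Type': 'application/json; charset=utf-8' },
  bareWithOperationName: { 'X-Apollo-Operation-Name': 'GetViewer' },
  bareNoCsrfHeaders: {},
};
```

After deploying the bump, the same cases can be checked against the running service with curl: a GET to the GraphQL endpoint carrying `Content-Type: text/plain` should now return 415, while the same GET with no Content-Type and an `X-Apollo-Operation-Name` header should still succeed. If any of the three directories in this PR sends GET requests with another Content-Type, that client breaks on merge, which is exactly the compatibility caveat the release notes flag.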

build(deps): bump the npm_and_yarn group across 3 directories with 3 updates

Bumps the npm_and_yarn group with 1 update in the /libraries/hermes directory: [@apollo/server](https://github.com/apollographql/apollo-server/tree/HEAD/packages/server).
Bumps the npm_and_yarn group with 1 update in the /modules/database directory: [mongoose](https://github.com/Automattic/mongoose).
Bumps the npm_and_yarn group with 1 update in the /modules/email directory: [nodemailer](https://github.com/nodemailer/nodemailer).


Updates `@apollo/server` from 4.13.0 to 5.5.1
- [Release notes](https://github.com/apollographql/apollo-server/releases)
- [Changelog](https://github.com/apollographql/apollo-server/blob/main/packages/server/CHANGELOG.md)
- [Commits](https://github.com/apollographql/apollo-server/commits/@apollo/server@5.5.1/packages/server)

Updates `mongoose` from 8.9.5 to 8.22.1
- [Release notes](https://github.com/Automattic/mongoose/releases)
- [Changelog](https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md)
- [Commits](Automattic/mongoose@8.9.5...8.22.1)

Updates `nodemailer` from 7.0.13 to 8.0.7
- [Release notes](https://github.com/nodemailer/nodemailer/releases)
- [Changelog](https://github.com/nodemailer/nodemailer/blob/master/CHANGELOG.md)
- [Commits](nodemailer/nodemailer@v7.0.13...v8.0.7)

---
updated-dependencies:
- dependency-name: "@apollo/server"
  dependency-version: 5.5.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: mongoose
  dependency-version: 8.22.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: nodemailer
  dependency-version: 8.0.7
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies, javascript and major labels on May 8, 2026
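Two of the nodemailer entries above (8.0.4 "sanitize envelope size to prevent SMTP command injection" and 8.0.5 "sanitize CRLF in transport name option", GHSA-vvjj-xcjg-gr5g) are the same bug class: a configuration value spliced into an SMTP command line without control-character filtering. The block below is an added example, not nodemailer's code and not from this repository; it shows the unsafe interpolation, what the server sees on the wire, and a hardened variant for both the `name` value and the envelope size. Function names and the sample values are constructed for the example.

```javascript
// Added illustration of the SMTP command-injection class behind the nodemailer
// 8.0.4 ("sanitize envelope size") and 8.0.5 ("sanitize CRLF in transport name
// option", GHSA-vvjj-xcjg-gr5g) fixes. This is NOT nodemailer's code; function
// names and the sample values are constructed for the example.

// How a naive client builds the greeting: the configured client hostname
// (nodemailer's transport `name` option) goes straight into the EHLO command.
function buildEhloUnsafe(name) {
  return `EHLO ${name}\r\n`;
}

// What the server sees: SMTP commands are CRLF-delimited lines, so an embedded
// CRLF turns one configuration value into two commands.
function commandsOnWire(wire) {
  return wire.split('\r\n').filter((line) => line.length > 0);
}

// Hardened variant: refuse CR, LF and every other ASCII control character in
// any value spliced into a command line. Rejecting is preferable to silently
// stripping, since stripping can still change what the command means.
function requireSmtpSafe(value, what) {
  const s = String(value);
  if (/[\u0000-\u001f\u007f]/.test(s)) {
    throw new Error(`${what} must not contain control characters`);
  }
  return s;
}

function buildEhloSafe(name) {
  return `EHLO ${requireSmtpSafe(name, 'transport name')}\r\n`;
}

// The envelope size is emitted as "MAIL FROM:<...> SIZE=<n>". Coercing it to a
// non-negative safe integer means no string, CRLF or otherwise, reaches the wire.
function sizeParam(size) {
  const n = Number(size);
  if (!Number.isSafeInteger(n) || n < 0) {
    throw new Error('envelope size must be a non-negative integer');
  }
  return `SIZE=${n}`;
}

// Constructed attacker-controlled values, e.g. from a config file or an admin
// form that feeds the transport options.
const INJECTED_NAME = 'mail.example.test\r\nRSET';
const INJECTED_SIZE = '1024\r\nRSET';
```

The practical check for this repo is in /modules/email: anything that flows into the transport `name` option or into an envelope size (environment variables, tenant settings, request parameters) should be treated as untrusted even after the bump, since the library fix closes the injection but not the question of who controls those values.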