build(deps): bump the graphql group across 1 directory with 3 updates

[dependabot]

Bumps the graphql group with 3 updates in the / directory: @apollo/client, graphql and graphql-tag.

Updates @apollo/client from 4.2.2 to 4.2.3

Release notes

Sourced from @​apollo/client's releases.

@​apollo/client@​4.2.3

Patch Changes

• #13254 66e9dfc Thanks @​jerelmiller! - Add support for graphql v17 as a valid peer dependency.

Changelog

Sourced from @​apollo/client's changelog.

4.2.3

Patch Changes

• #13254 66e9dfc Thanks @​jerelmiller! - Add support for graphql v17 as a valid peer dependency.

Commits

• 48d2d16 Version Packages (#13266)
• 66e9dfc Support GraphQL v17 (#13254)
• ec68620 chore(deps): update actions/stale action to v10.3.0 (#13263)
• 98729ba chore(deps): update all dependencies - patch updates (#13262)
• e45bbfb docs: unify d.ts example filename to apollo.d.ts (#13261)
• 5e8b651 Tweak renovate config (#13260)
• See full diff in compare view

Updates graphql from 16.14.1 to 17.0.1

Release notes

Sourced from graphql's releases.

v17.0.1 (2026-06-16)

Bug Fix 🐞

• #4824 fix(diagnostics): emit asyncStart after promise settlement to match native tracePromise (@​logaretm)

Internal 🏠

• #4823 chore(npm): remove obsolete ESM-only package build (@​yaacovCR)
• #4825 chore(release): protect latest release channels (@​yaacovCR)

Committers: 2

• Abdelrahman Awad(@​logaretm)
• Yaacov Rydzinski (@​yaacovCR)

v17.0.0 (2026-06-15)

New Feature 🚀

• #4819 feat: graduate directives on directives (@​yaacovCR)

Bug Fix 🐞

• #4799 fix: raise request error on invalid fragment variables (@​yaacovCR)
• #4800 fix: apply directives when SDL contains type definitions and extensions with directives (@​yaacovCR)
• #4564 OneOf Inhabitability (@​jbellenger)
• #4814 fix(KnownDirectivesRule): locations for input field arguments in extensions (@​yaacovCR)
• #4726 feat(validation): reject directive definition cycles (@​yaacovCR)
• #4815 Revert "feat(validation): reject directive definition cycles (#4726)" (@​yaacovCR)

Docs 📝

• #4790 docs: minor diagnostics doc comment improvements (@​yaacovCR)
• #4791 fix: docs: polish diagnostics comments further (@​yaacovCR)
• #4793 docs: further improve general execution and tracing docs (@​yaacovCR)
• #4802 docs: correct extension field comments - v17 (@​yaacovCR)
• #4805 docs: publish fixed extensions comments (@​yaacovCR)
• #4807 docs: add prettier for jsdoc examples (@​yaacovCR)
• #4435 Subscriptions docs suggestions (@​Urigo)
• #4811 docs: fix a few indentations inside string literals (@​yaacovCR)
• #4813 internal: docs update (@​yaacovCR)
• #4820 docs: document @experimental_disableErrorPropagation (@​yaacovCR)
• #4817 docs: post 17.rc-0 update (@​yaacovCR)

Polish 💅

... (truncated)

Commits

• 9617473 chore(release): v17.0.1
• 851bd6a chore(release): protect latest release channels (#4825)
• c471d36 fix(diagnostics): emit asyncStart after promise settlement to match native `t...
• 3f3895f chore(npm): remove obsolete ESM-only package build (#4823)
• c7e494a chore(release): v17.0.0
• d977f66 docs: post 17.rc-0 update (#4817)
• 39f865f docs: document @experimental_disableErrorPropagation (#4820)
• 61db552 feat: graduate directives on directives (#4819)
• e8e5d64 Revert "feat(validation): reject directive definition cycles (#4726)" (#4815)
• f8ffad3 feat(validation): reject directive definition cycles (#4726)
• Additional commits viewable in compare view

Updates graphql-tag from 2.12.6 to 2.12.7

Release notes

Sourced from graphql-tag's releases.

v2.12.7

Patch Changes

• #823 bc285e5 Thanks @​phryneas! - add support for graphql 17

• #458 fd82f1c Thanks @​kidroca! - loader: allow a space between # and import word in gql files.

Changelog

Sourced from graphql-tag's changelog.

2.12.7

Patch Changes

• #823 bc285e5 Thanks @​phryneas! - add support for graphql 17

• #458 fd82f1c Thanks @​kidroca! - loader: allow a space between # and import word in gql files.

Commits

• 60464f3 ensure npm >= 11.15.0
• e9a2a55 adjust npm staged publishing shim
• 1d6ea01 Version Packages (#825)
• 2175303 add changesets for publishing (#824)
• bc285e5 add support for graphql 17 (#823)
• f463d87 Merge pull request #812 from apollographql/secops/202401/semgrep
• ca0fb16 feat: add semgrep job
• eeb670e Merge pull request #811 from apollographql/secops/202311/add-codeowners
• 27dbd7c add default CODEOWNERS
• f287273 Merge pull request #809 from apollographql/secops/add-gitleaks
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for graphql-tag since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/@apollo/client	4.2.3	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 25 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 4 Found 10/23 approved changesets -- score normalized to 4 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 6 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 5 SAST tool is not run on all commits -- score normalized to 5
npm/graphql	17.0.1	🟢 7.3	Details Check Score Reason Code-Review ⚠️ 1 Found 4/25 approved changesets -- score normalized to 1 Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 10 SAST tool is run on all commits
npm/graphql-tag	2.12.7	🟢 4.9	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Maintained ⚠️ 0 0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 7 Found 6/8 approved changesets -- score normalized to 7 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• package.json

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud