chore(deps): update ghcr.io/apollographql/router docker tag to v2.8.0

[svc-secops]

This PR contains the following updates:

Package	Type	Update	Change
ghcr.io/apollographql/router	final	minor	v2.2.0 -> v2.8.0

---

Release Notes

apollographql/router (ghcr.io/apollographql/router)

v2.8.0

Compare Source

🚀 Features

Response caching

Available on all GraphOS plans including Free, Developer, Standard and Enterprise.

Response caching enables the router to cache GraphQL subgraph origin responses using Redis, delivering performance improvements by reducing subgraph load and query latency. Unlike traditional HTTP caching or client-side caching, response caching works at the GraphQL entity level—caching reusable portions of query responses that can be shared across different operations and users.

Response caching caches two types of data:

• Root query fields: Responses for root field fetches
• Entity representations: Individual entities, offering reuse across queries

Benefits include:

• Active cache invalidation: Target specific cached data for immediate removal using cache tags
• Cache debugger: Debugging in Apollo Sandbox shows cache status, TTLs, and cache tags during development
• GraphQL-aware: Understands GraphQL operations to improve partial cache hit rates while respecting data visibility and authorization
• Entity-level granularity: Caches at the entity level rather than entire responses
• Flexible TTL control: Data cached using HTTP Cache-Control headers from subgraph origins

Response caching solves traditional GraphQL caching challenges including mixed TTL requirements across a single response, personalized versus public data mixing, and high data duplication.

Configure response caching using the preview_response_cache configuration option with Redis as the cache backend. For complete setup instructions and advanced configuration, see the Response Caching documentation.

Migration from entity caching: For existing entity caching users, migration is as simple as renaming configuration options. For migration details see the Response Caching FAQ.

Support per-stage coprocessor URLs (PR #​8384)

You can now configure different coprocessor URLs for each stage of request/response processing (router, supergraph, execution, subgraph). Each stage can specify its own url field that overrides the global default URL.

Changes:

• Add optional url field to all stage configuration structs
• Update all stage as_service methods to accept and resolve URLs
• Add tests for URL validation and per-stage configuration

This change maintains full backward compatibility—existing configurations with a single global URL continue to work unchanged.

By @​cgati in https://github.com/apollographql/router/pull/8384

Add automatic unit conversion for duration instruments with non-second units

The router now automatically converts duration measurements to match the configured unit for telemetry instruments.
Previously, duration instruments always recorded values in seconds regardless of the configured unit field.
When you specify units like "ms" (milliseconds), "us" (microseconds), or "ns" (nanoseconds),
the router automatically converts the measured duration to the appropriate scale.

Supported units:

• "s" - seconds (default)
• "ms" - milliseconds
• "us" - microseconds
• "ns" - nanoseconds

[!NOTE]
Use this feature only when you need to integrate with an observability platform that doesn't properly translate from source time units to target time units (for example, seconds to milliseconds). In all other cases, follow the OTLP convention that you "SHOULD" use seconds as the unit.

Example:

telemetry:
  instrumentation:
    instruments:
      subgraph:
        acme.request.duration:
          value: duration
          type: histogram
          unit: ms # Values are now automatically converted to milliseconds
          description: "Metric to get the request duration in milliseconds"

By @​theJC in https://github.com/apollographql/router/pull/8415

Add response reformatting and result coercion errors (PR #​8441)

All subgraph responses are checked and corrected to ensure alignment with the schema and query. When a misaligned value is returned, it's nullified. When enabled, errors for this nullification are now included in the errors array in the response.

Enable this feature in your router configuration:

supergraph:
  enable_result_coercion_errors: true

When enabled, the router generates validation errors with the code RESPONSE_VALIDATION_FAILED for any values that don't match the expected GraphQL type. These errors include the specific path and reason for the validation failure, helping you identify data inconsistencies between your subgraphs and schema.

While this feature improves GraphQL correctness, clients may encounter errors in responses where they previously did not, which may require consideration based on your specific usage patterns.

By @​TylerBloom in https://github.com/apollographql/router/pull/8441

Add router overhead metric (PR #​8455)

The apollo.router.overhead histogram provides a direct measurement of router processing overhead. This metric tracks the time the router spends on tasks other than waiting for downstream HTTP requests—including GraphQL parsing, validation, query planning, response composition, and plugin execution.

The overhead calculation excludes time spent waiting for downstream HTTP services (subgraphs and connectors), giving you visibility into the router's actual processing time versus downstream latency. This metric helps identify when the router itself is a bottleneck versus when delays are caused by downstream services.

Note: Coprocessor request time is currently included in the overhead calculation. In a future release, coprocessor time may be excluded similar to subgraphs and connectors.

telemetry:
  instrumentation:
    instruments:
      router:
        apollo.router.overhead: true

[!NOTE]
Note that the use of this metric is nuanced, and there is risk of misinterpretation. See the full docs for this metric to help understand how it can be used.

By @​BrynCooke in https://github.com/apollographql/router/pull/8455

Include invalid Trace ID values in error logs (PR #​8149)

Error messages for malformed Trace IDs now include the invalid value to help with debugging. Previously, when the router received an unparseable Trace ID in incoming requests, error logs only indicated that the Trace ID was invalid without showing the actual value.

Trace IDs can be unparseable due to invalid hexadecimal characters, incorrect length, or non-standard formats. Including the invalid value in error logs makes it easier to diagnose and resolve tracing configuration issues.

By @​juancarlosjr97 in https://github.com/apollographql/router/pull/8149

Add ability to rename metrics (PR #​8424)

The router can now rename instruments via OpenTelemetry views. Details on how to use this feature can be found in the docs.

Benefits:

• Cost optimization: Some observability platforms only allow tag indexing controls on a per-metric name basis. Using OTLP semantic naming conventions and having the same metric name emitted by different services can prevent effective use of these controls.
• Convention alignment: Many customers have specific metric naming conventions across their organization—this feature allows them to align with those conventions.

By @​theJC in https://github.com/apollographql/router/pull/8412

🐛 Fixes

Reload telemetry only when configuration changes (PR #​8328)

Previously, schema or config reloads would always reload telemetry, dropping existing exporters and creating new ones.

Telemetry exporters are now only recreated when relevant configuration has changed.

By @​BrynCooke in https://github.com/apollographql/router/pull/8328

Replace Redis connections metric with clients metric (PR #​8161)

The apollo.router.cache.redis.connections metric has been removed and replaced with the apollo.router.cache.redis.clients metric.

The connections metric was implemented with an up-down counter that would sometimes not be collected properly (it could go negative). The name connections was also inaccurate since Redis clients each make multiple connections, one to each node in the Redis pool (if in clustered mode).

The new clients metric counts the number of clients across the router via an AtomicU64 and surfaces that value in a gauge.

[!NOTE]
The old metric included a kind attribute to reflect the number of clients in each pool (for example, entity caching, query planning). The new metric doesn't include this attribute; the purpose of the metric is to ensure the number of clients isn't growing unbounded (#​7319).

By @​carodewig in https://github.com/apollographql/router/pull/8161

Prevent entity caching of expired data based on Age header (PR #​8456)

When the Age header is higher than the max-age directive in Cache-Control, the router no longer caches the data because it's already expired.

For example, with these headers:

Cache-Control: max-age=5
Age: 90

The data won't be cached since Age (90) exceeds max-age (5).

By @​bnjjj in https://github.com/apollographql/router/pull/8456

Reduce config and schema reload log noise (PR #​8336)

File watch events during an existing hot reload no longer spam the logs. Hot reload continues as usual after the existing reload finishes.

By @​goto-bus-stop in https://github.com/apollographql/router/pull/8336

Prevent query planning errors for @shareable mutation fields (PR #​8352)

Query planning a mutation operation that executes a @shareable mutation field at the top level may unexpectedly error when attempting to generate a plan where that mutation field is called more than once across multiple subgraphs. Query planning now avoids generating such plans.

By @​sachindshinde in https://github.com/apollographql/router/pull/8352

Prevent UpDownCounter drift using RAII guards (PR #​8379)

UpDownCounters now use RAII guards instead of manual incrementing and decrementing, ensuring they're always decremented when dropped.

This fix resolves drift in apollo.router.opened.subscriptions that occurred due to manual incrementing and decrementing.

By @​BrynCooke in https://github.com/apollographql/router/pull/8379

Reduce Rhai short circuit response log noise (PR #​8364)

Rhai scripts that short-circuit the pipeline by throwing now only log an error if a response body isn't present.

For example the following will NOT log:

    throw #{
        status: 403,
        body: #{
            errors: [#{
                message: "Custom error with body",
                extensions: #{
                    code: "FORBIDDEN"
                }
            }]
        }
    };

For example the following WILL log:

throw "An error occurred without a body";

By @​BrynCooke in https://github.com/apollographql/router/pull/8364

Prevent query planning error where @requires subgraph jump fetches @key from wrong subgraph (PR #​8016)

During query planning, a subgraph jump added due to a @requires field may sometimes try to collect the necessary @key fields from an upstream subgraph fetch as an optimization, but it wasn't properly checking whether that subgraph had those fields. This is now fixed and resolves query planning errors with messages like "Cannot add selection of field T.id to selection set of parent type T".

By @​sachindshinde in https://github.com/apollographql/router/pull/8016

Reduce log level for interrupted WebSocket streams (PR #​8344)

The router now logs interrupted WebSocket streams at trace level instead of error level.

Previously, WebSocket stream interruptions logged at error level, creating excessive noise in logs when clients disconnected normally or networks experienced transient issues. Client disconnections and network interruptions are expected operational events that don't require immediate attention.

Your logs will now be cleaner and more actionable, making genuine errors easier to spot. You can enable trace level logging when debugging WebSocket connection issues.

By @​bnjjj in https://github.com/apollographql/router/pull/8344

Respect Redis cluster slots when inserting multiple items (PR #​8185)

The existing insert code would silently fail when trying to insert multiple values that correspond to different Redis cluster hash slots. This change corrects that behavior, raises errors when inserts fail, and adds new metrics to track Redis client health.

New metrics:

• apollo.router.cache.redis.unresponsive: counter for 'unresponsive' events raised by the Redis library
  • kind: Redis cache purpose (APQ, query planner, entity)
  • server: Redis server that became unresponsive
• apollo.router.cache.redis.reconnection: counter for 'reconnect' events raised by the Redis library
  • kind: Redis cache purpose (APQ, query planner, entity)
  • server: Redis server that required client reconnection

By @​carodewig in https://github.com/apollographql/router/pull/8185

Prevent unnecessary precomputation during query planner construction (PR #​8373)

A regression introduced in v2.5.0 caused query planner construction to unnecessarily precompute metadata, leading to increased CPU and memory utilization during supergraph loading. Query planner construction now correctly avoids this unnecessary precomputation.

By @​sachindshinde in https://github.com/apollographql/router/pull/8373

Update cache key version for entity caching (PR #​8458)

[!IMPORTANT]
If you have enabled Entity caching, this release contains changes that necessarily alter the hashing algorithm used for the cache keys. You should anticipate additional cache regeneration cost when updating between these versions while the new hashing algorithm comes into service.

The entity cache key version has been bumped to avoid keeping invalid cached data for too long (fixed in #​8456).

By @​bnjjj in https://github.com/apollographql/router/pull/8458

📃 Configuration

Add telemetry instrumentation config for http_client headers (PR #​8349)

A new telemetry instrumentation configuration for http_client spans allows request headers added by Rhai scripts to be attached to the http_client span. The some_rhai_response_header value remains available on the subgraph span as before.

telemetry:
  instrumentation:
    spans:
      mode: spec_compliant
      subgraph:
        attributes:
          http.response.header.some_rhai_response_header:
            subgraph_response_header: "some_rhai_response_header"
      http_client:
        attributes:
          http.request.header.some_rhai_request_header:
            request_header: "some_rhai_request_header"

By @​bonnici in https://github.com/apollographql/router/pull/8349

Promote Subgraph Insights metrics flag to general availability (PR #​8392)

The subgraph_metrics config flag that powers the Studio Subgraph Insights feature is now promoted from preview to general availability.
The flag name has been updated from preview_subgraph_metrics to

telemetry:
  apollo:
    subgraph_metrics: true

By @​david_castanhttps://github.com/apollographql/router/pull/8392ll/8392

🛠 Maintenance

Add export destination details to trace and metrics error messages (PR #​8363)

Error messages raised during tracing and metric exports now indicate whether the error occurred when exporting to Apollo Studio or to your configured OTLP or Zipkin endpoint. For example, errors that occur when exporting Apollo Studio traces look like:
OpenTelemetry trace error occurred: [apollo traces] <etc>
while errors that occur when exporting traces to your configured OTLP endpoint look like:
OpenTelemetry trace error occurred: [otlp traces] <etc>

By @​bonnici in https://github.com/apollographql/router/pull/8363

📚 Documentation

Change MCP default port from 5000 to 8000 (PR #​8375)

MCP's default port has changed from 5000 to 8000.

Add Render and Railway deployment guides (PR #​8242)

Two new deployment guides are now available for popular hosting platforms: Render and Railway.

By @​the-gigi-apollo in https://github.com/apollographql/router/pull/8242

Add comprehensive context key reference (PR #​8420)

The documentation now includes a comprehensive reference for all context keys the router supports.

By @​faisalwaseem in https://github.com/apollographql/router/pull/8420

Reorganize observability documentation structure (PR #​8183)

Restructured the router observability and telemetry documentation to improve content discoverability and user experience. GraphOS insights documentation and router OpenTelemetry telemetry documentation are now in separate sections, with APM-specific documentation organized in dedicated folders for each APM provider (Datadog, Dynatrace, Jaeger, Prometheus, New Relic, Zipkin). This reorganization makes it easier for users to find relevant monitoring and observability configuration for their specific APM tools.

By @​Robert113289 in https://github.com/apollographql/router/pull/8183

Add comprehensive Datadog integration documentation (PR #​8319)

The Datadog APM guide has been expanded to include the OpenTelemetry Collector, recommended router telemetry configuration, and out-of-the-box dashboard templates:

• New pages: Connection methods overview, OpenTelemetry Collector setup, router instrumentation, and dashboard template
• Structure: Complete configurations upfront, followed by detailed explanations and best practices

By @​Robert113289 in https://github.com/apollographql/router/pull/8319

Clarify timeout hierarchy for traffic shaping (PR #​8203)

The documentation reflects more clearly that subgraph timeouts should not be higher than the router timeout or the router timeout will initiate prior to the subgraph.

By @​abernix in https://github.com/apollographql/router/pull/8203

v2.7.0

Compare Source

🚀 Features

Add ResponseErrors selector to router response (PR #​7882)

The ResponseErrors selector in telemetry configurations captures router response errors, enabling you to log errors encountered at the router service layer. This selector enhances logging by allowing you to log only router errors instead of the entire router response body, reducing noise in your telemetry data.

telemetry:
  instrumentation:
    events:
      router:
        router.error:
          attributes:
            "my_attribute":
              response_errors: "$.[0]"

##### Examples: "$.[0].message", "$.[0].locations", "$.[0].extensions", etc.

By @​Aguilarjaf in https://github.com/apollographql/router/pull/7882

🐛 Fixes

_entities Apollo error metrics missing service attribute (PR #​8153)

The error counting feature introduced in v2.5.0 caused _entities errors from subgraph fetches to no longer report a service (subgraph or connector) attribute. This incorrectly categorized these errors as originating from the router instead of their actual service in Apollo Studio.

The service attribute is now correctly included for _entities errors.

By @​rregitsky in https://github.com/apollographql/router/pull/8153

WebSocket connection cleanup for subscriptions (PR #​8104)

A regression introduced in v2.5.0 caused WebSocket connections to subgraphs to remain open after all client subscriptions ended. This led to unnecessary resource usage and connections not being cleaned up until a new event was received.

The router now correctly closes WebSocket connections to subgraphs when clients disconnect from subscription streams.

By @​bnjjj in https://github.com/apollographql/router/pull/8104

OTLP metrics Up/Down counter drift (PR #​8174)

When using OTLP metrics export with delta temporality configured, UpDown counters could exhibit drift issues where counter values became inaccurate over time. This occurred because UpDown counters were incorrectly exported as deltas instead of cumulative values.

UpDown counters now export as aggregate values according to the OpenTelemetry specification.

By @​BrynCooke in https://github.com/apollographql/router/pull/8174

WebSocket subscription connection_error message handling (Issue #​6138)

The router now correctly processes connection_error messages from subgraphs that don't include an id field. Previously, these messages were ignored because the router incorrectly required an id field. According to the graphql-transport-ws specification, connection_error messages only require a payload field.

The id field is now optional for connection_error messages, allowing underlying error messages to propagate to clients when connection failures occur.

By @​jeffutter in https://github.com/apollographql/router/pull/8189

Add Helm chart support for deployment annotations (PR #​8164)

The Helm chart now supports customizing annotations on the deployment itself using the deploymentAnnotations value. Previously, you could only customize pod annotations with podAnnotations.

By @​glasser in https://github.com/apollographql/router/pull/8164

Uncommon query planning error with interface object types (PR #​8109)

An uncommon query planning error has been resolved: "Cannot add selection of field X to selection set of parent type Y that is potentially an interface object type at runtime". The router now handles __typename selections from interface object types correctly, as these selections are benign even when unnecessary.

By @​duckki in https://github.com/apollographql/router/pull/8109

Connection shutdown race condition during hot reload (PR #​8169)

A race condition during hot reload that occasionally left connections in an active state instead of terminating has been fixed. This issue could cause out-of-memory errors over time as multiple pipelines remained active.

Connections that are opening during shutdown now immediately terminate.

By @​BrynCooke in https://github.com/apollographql/router/pull/8169

Persisted Query usage reporting for safelisted operation body requests (PR #​8168)

Persisted Query metrics now include operations requested by safelisted operation body. Previously, the router only recorded metrics for operations requested by ID.

By @​bonnici in https://github.com/apollographql/router/pull/8168

📃 Configuration

Separate Apollo telemetry batch processor configurations (PR #​8258)

Apollo telemetry configuration now allows separate fine-tuning for metrics and traces batch processors. The configuration has changed from:

telemetry:
  apollo:
    batch_processor:
      scheduled_delay: 5s
      max_export_timeout: 30s
      max_export_batch_size: 512
      max_concurrent_exports: 1
      max_queue_size: 2048

To:

telemetry:
  apollo:
    tracing:

##### Config for Apollo OTLP and  Apollo usage report traces
      batch_processor:
        max_export_timeout: 130s
        scheduled_delay: 5s
        max_export_batch_size: 512
        max_concurrent_exports: 1
        max_queue_size: 2048
        
    metrics:

##### Config for Apollo OTLP metrics. 
      otlp:
        batch_processor:
          scheduled_delay: 13s # This does not apply config gauge metrics, which have a non-configurable scheduled_delay.
          max_export_timeout: 30s

##### Config for Apollo usage report metrics.
      usage_reports:
        batch_processor:
          max_export_timeout: 30s
          scheduled_delay: 5s
          max_queue_size: 2048

The old telemetry.apollo.batch_processor configuration will be used if you don't specify these new values. The router displays the configuration being used in an info-level log message at startup.

By @​bonnici in https://github.com/apollographql/router/pull/8258

Promote Subgraph Insights metrics flag to preview (PR #​8200)

The subgraph_metrics configuration flag that powers Apollo Studio's Subgraph Insights feature has been promoted from experimental to preview. The flag name has been updated from experimental_subgraph_metrics to preview_subgraph_metrics:

telemetry:
  apollo:
    preview_subgraph_metrics: true

By @​rregitsky in https://github.com/apollographql/router/pull/8200

v2.6.2

Compare Source

🐛 Fixes

Connection shutdown sometimes fails during hot-reload (PR #​8169)

A race condition in connection shutdown during a hot reload event occasionally left some connections in an active state instead of entering terminating state. This could cause out-of-memory errors over time as multiple pipelines remained active.

Connections that open during shutdown now immediately terminate.

By @​BrynCooke in https://github.com/apollographql/router/pull/8169

v2.6.1

Compare Source

🐛 Fixes

ARM64 Docker images no longer contain AMD64 binary

The ARM64 Docker images shipped for v2.6.0 incorrectly contained AMD64/x86 binaries due to a CI build pipeline bug. This has been remedied in v2.6.1.

_entities Apollo Error Metrics Missing Service Attribute (PR #​8153)

The error counting feature introduced in v2.5.0 (PR #​7712) caused a bug where _entities errors from subgraph fetches no longer included a service (subgraph or connector) attribute. This incorrectly categorized these errors as originating from the router instead of their actual service in the Apollo Studio UI.

This fix restores the missing service attribute.

By @​rregitsky in https://github.com/apollographql/router/pull/8153

Deduplication and WebSocket stream termination (PR #​8104)

Fixed a regression introduced in v2.5.0, where WebSocket connections to subgraphs would remain open after all client subscriptions were closed. This could lead to unnecessary resource usage and connections not being properly cleaned up until a new event was received.

Previously, when clients disconnected from subscription streams, the router would correctly close client connections but would leave the underlying WebSocket connection to the subgraph open indefinitely in some cases.

By @​bnjjj in https://github.com/apollographql/router/pull/8104

Make the id field optional for WebSocket subscription connection_error messages (Issue #​6138)

Fixed a Subscriptions over WebSocket issue where connection_error messages from subgraphs would be swallowed by the router because they incorrectly required an id field. According to the graphql-transport-ws specification (one of two transport specifications we provide support for), connection_error messages only require a payload field, not an id field. The id field in is now optional which will allow the underlying error message to propagate to clients when underlying connection failures occur.

By @​jeffutter in https://github.com/apollographql/router/pull/8189

Enable annotations on deployments via Helm Chart (PR #​8164)

The Helm chart previously did not allow customization of annotations on the deployment itself (as opposed to the pods within it, which is done with podAnnotations); this can now be done with the deploymentAnnotations value.

By @​glasser in https://github.com/apollographql/router/pull/8164

v2.6.0

Compare Source

[!IMPORTANT]
Due to a CI bug, our ARM64 Docker images published for v2.6.0 incorrectly contained AMD64/x86 artifacts. This is fixed in v2.6.1.

🚀 Features

[Subgraph Insights] Experimental Apollo Subgraph Fetch Histogram (PR #​8013, PR #​8045)

This change adds a new, experimental histogram to capture subgraph fetch duration for GraphOS. This will
eventually be used to power subgraph-level insights in Apollo Studio.

This can be toggled on using a new boolean config flag:

telemetry:
  apollo:
    experimental_subgraph_metrics: true

The new instrument is only sent to GraphOS and is not available in 3rd-party OTel export targets. It is not currently
customizable. Users requiring a customizable alternative can use the existing http.client.request.duration
instrument, which measures the same value.

By @​rregitsky in https://github.com/apollographql/router/pull/8013 and https://github.com/apollographql/router/pull/8045

Redis cache metrics (PR #​7920)

The router now provides Redis cache monitoring with new metrics that help track performance, errors, and resource usage.

Connection and performance metrics:

• apollo.router.cache.redis.connections: Number of active Redis connections
• apollo.router.cache.redis.command_queue_length: Commands waiting to be sent to Redis, indicates if Redis is keeping up with demand
• apollo.router.cache.redis.commands_executed: Total number of Redis commands executed
• apollo.router.cache.redis.redelivery_count: Commands retried due to connection issues
• apollo.router.cache.redis.errors: Redis errors by type, to help diagnose authentication, network, and configuration problems

Experimental performance metrics:

• experimental.apollo.router.cache.redis.network_latency_avg: Average network latency to Redis
• experimental.apollo.router.cache.redis.latency_avg: Average Redis command execution time
• experimental.apollo.router.cache.redis.request_size_avg: Average request payload size
• experimental.apollo.router.cache.redis.response_size_avg: Average response payload size

[!NOTE]
The experimental metrics may change in future versions as we improve the underlying Redis client integration.

You can configure how often metrics are collected using the metrics_interval setting:

supergraph:
  query_planning:
    cache:
      redis:
        urls: ["redis://localhost:6379"]
        ttl: "60s"
        metrics_interval: "1s"  # Collect metrics every second (default: 1s)

By @​BrynCooke in https://github.com/apollographql/router/pull/7920

Granular license enforcement (PR #​7917)

The router license functionality now allows granular specification of features enabled to support current and future pricing plans.

By @​DMallare in https://github.com/apollographql/router/pull/7917

Additional Connector Custom Instrument Selectors (PR #​8045)

This adds new custom instrument selectors for Connectors and enhances some existing selectors. The new selectors are:

• supergraph_operation_name
  • The supergraph's operation name
• supergraph_operation_kind
  • The supergraph's operation type (e.g. query, mutation, subscription)
• request_context
  • Takes the value of the given key on the request context
• connector_on_response_error
  • Returns true when the response does not meet the is_successful condition. Or, if that condition is not set,
    returns true when the response has a non-200 status code

These selectors were modified to add additional functionality:

• connector_request_mapping_problems
  • Adds a new boolean variant that will return true when a mapping problem exists on the request
• connector_response_mapping_problems
  • Adds a new boolean variant that will return true when a mapping problem exists on the response

By @​rregitsky in https://github.com/apollographql/router/pull/8045

Enable jemalloc on MacOS (PR #​8046)

This PR enables the jemalloc allocator on MacOS by default, making it easier to do memory profiling. Previously, this was only done for Linux.

By @​Velfi in https://github.com/apollographql/router/pull/8046

🐛 Fixes

Entity caching: fix inconsistency in cache-control header handling (PR #​7987)

When the Subgraph Entity Caching feature is in use, it determines the Cache-Control HTTP response header sent to supergraph clients based on those received from subgraph servers.
In this process, Apollo Router only emits the max-age directive and not s-maxage.
This PR fixes a bug where, for a query that involved a single subgraph fetch that was not already cached, the subgraph response’s Cache-Control header would be forwarded as-is.
Instead, it now goes through the same algorithm as other cases.

By @​SimonSapin in https://github.com/apollographql/router/pull/7987

Query planning errors with progressive override on interface implementations (PR #​7929)

The router now correctly generates query plans when using progressive override (@override with labels) on types that implement interfaces within the same subgraph. Previously, the Rust query planner would fail to generate plans for these scenarios with the error "Was not able to find any options for {}: This shouldn't have happened.", while the JavaScript planner handled them correctly.

This fix resolves planning failures when your schema uses:

• Interface implementations local to a subgraph
• Progressive override directives on both the implementing type and its fields
• Queries that traverse through the overridden interface implementations

The router will now successfully plan and execute queries that previously resulted in query planning errors.

By @​TylerBloom in https://github.com/apollographql/router/pull/7929

Reliably distinguish GraphQL errors and transport errors in subscriptions (PR #​7901)

The Multipart HTTP protocol for GraphQL Subscriptions distinguishes between GraphQL-level errors and fatal transport-level errors. The router previously used a heuristic to determine if a given error was fatal or not, which could sometimes cause errors to be wrongly classified. For example, if a subgraph returned a GraphQL-level error for a subscription and then immediately ended the subscription, the router might propagate this as a fatal transport-level error.

This is now fixed. Fatal transport-level errors are tagged as such when they are constructed, so the router can reliably know how to serialize errors when sending them to the client.

By @​goto-bus-stop in https://github.com/apollographql/router/pull/7901

📚 Documentation

Update Documentation To Add DockerHub References

Now that we have a DockerHub account we have published the Runtime Container to that account.
This fix simply adds a reference to that to the documentation

By @​jonathanrainer in https://github.com/apollographql/router/pull/8054

v2.5.0

Compare Source

🚀 Features

Introduce per-origin CORS policies (PR #​7853)

Configuration can now specify different Cross-Origin Resource Sharing (CORS) rules for different origins using the cors.policies key. See the CORS documentation for details.

cors:
  policies:

##### The default CORS options work for Studio.
    - origins: ["https://studio.apollographql.com"]

##### Specific config for trusted origins
    - match_origins: ["^https://(dev|staging|www)?\\.my-app\\.(com|fr|tn)$"]
      allow_credentials: true
      allow_headers: ["content-type", "authorization", "x-web-version"]

##### Catch-all for untrusted origins
    - origins: ["*"]
      allow_credentials: false
      allow_headers: ["content-type"]

By @​Velfi in https://github.com/apollographql/router/pull/7853

jemalloc metrics (PR #​7735)

This PR adds the following new metrics when running the router on Linux with its default global-allocator feature:

• apollo_router_jemalloc_active: Total number of bytes in active pages allocated by the application.
• apollo_router_jemalloc_allocated: Total number of bytes allocated by the application.
• apollo_router_jemalloc_mapped: Total number of bytes in active extents mapped by the allocator.
• apollo_router_jemalloc_metadata: Total number of bytes dedicated to metadata, which comprise base allocations used for bootstrap-sensitive allocator metadata structures and internal allocations.
• apollo_router_jemalloc_resident: Maximum number of bytes in physically resident data pages mapped by the allocator, comprising all pages dedicated to allocator metadata, pages backing active allocations, and unused dirty pages.
• apollo_router_jemalloc_retained: Total number of bytes in virtual memory mappings that were retained rather than being returned to the operating system via e.g. munmap(2) or similar.

By @​Velfi in https://github.com/apollographql/router/pull/7735

🐛 Fixes

Coprocessor: improve handling of invalid GraphQL responses with conditional validation (PR #​7731)

The router was creating invalid GraphQL responses internally, especially when subscriptions terminate. When a coprocessor is configured, it validates all responses for correctness, causing errors to be logged when the router generates invalid internal responses. This affects the reliability of subscription workflows with coprocessors.

Fix handling of invalid GraphQL responses returned from coprocessors, particularly when used with subscriptions. Added conditional response validation and improved testing to ensure correctness. Added the response_validation configuration option at the coprocessor level to enable the response validation (by default it's enabled).

By @​BrynCooke in https://github.com/apollographql/router/pull/7731

Fix deduplicated subscriptions hanging when one subscription closes (PR #​7879)

Fixes a regression introduced in v1.50.0. When multiple client subscriptions are deduped onto a single subgraph subscription in WebSocket passthrough mode, and the first client subscription closes, the Router would close the subgraph subscription. The other deduplicated subscriptions would then silently stop receiving events.

Now outgoing subscriptions to subgraphs are kept open as long as any client subscription uses them.

By @​bnjjj in https://github.com/apollographql/router/pull/7879

Fix several hot reload issues with subscriptions (PR #​7746)

When a hot reload is triggered by a configuration change, the router attempted to apply updated configuration to open subscriptions. This could cause excessive logging.

When a hot reload was triggered by a schema change, the router closed subscriptions with a SUBSCRIPTION_SCHEMA_RELOAD error. This happened before the new schema was fully active and warmed up, so clients could reconnect to the old schema, which should not happen.

To fix these issues, a configuration and a schema change now have the same behavior. The router waits for the new configuration and schema to be active, and then closes all subscriptions with a SUBSCRIPTION_SCHEMA_RELOAD/SUBSCRIPTION_CONFIG_RELOAD error, so clients can reconnect.

By @​goto-bus-stop and @​bnjjj in https://github.com/apollographql/router/pull/7777

Fix error when removing non-UTF-8 headers with Rhai plugin (PR #​7801)

When trying to remove non-UTF-8 headers from a Rhai plugin, users were faced with an unhelpful error. Now, non-UTF-8 values will be lossy converted to UTF-8 when accessed from Rhai. This change affects get, get_all, and remove operations.

By @​Velfi in https://github.com/apollographql/router/pull/7801

Query planning errors with progressive override on interface implementations (PR #​7929)

The router now correctly generates query plans when using progressive override (@override with labels) on types that implement interfaces within the same subgraph. Previously, the Rust query planner would fail to generate plans for these scenarios with the error "Was not able to find any options for {}: This shouldn't have happened.", while the JavaScript planner handled them correctly.

This fix resolves planning failures when your schema uses:

• Interface implementations local to a subgraph
• Progressive override directives on both the implementing type and its fields
• Queries that traverse through the overridden interface implementations

The router will now successfully plan and execute queries that previously resulted in query planning errors.

By @​TylerBloom in https://github.com/apollographql/router/pull/7929

Fix startup hang with an empty Persisted Queries list (PR #​7831)

When the Persisted Queries feature is enabled, the router no longer hangs during startup when using a GraphOS account with no Persisted Queries manifest.

Remove @ from error paths (Issue #​4548)

When a subgraph returns an unexpected response (ie not a body with at least one of errors or data), the errors surfaced by the router include an @ in the path which indicates an error applied to all elements in the array. This is not a behavior defined in the GraphQL spec and is not easily parsed.

This fix expands the @ symbol to reflect all paths that the error applies to.

Example

Consider a federated graph with two subgraphs, products and inventory, and a topProducts query which fetches a list of products from products and then fetches an inventory status for each product.

A successful response might look like:

{
    "data": {
        "topProducts": [
            {"name": "Table", "inStock": true},
            {"name": "Chair", "inStock": false}
        ]
    }
}

Prior to this change, if the inventory subgraph returns a malformed response, the router response would look like:

{
    "data": {"topProducts": [{"name": "Table", "inStock": null}, {"name": "Chair", "inStock": null}]}, 
    "errors": [
        {
            "message": "service 'inventory' response was malformed: graphql response without data must contain at least one error", 
            "path": ["topProducts", "@​"], 
            "extensions": {"service": "inventory", "reason": "graphql response without data must contain at least one error", "code": "SUBREQUEST_MALFORMED_RESPONSE"}
        }
    ]
}

With this change, the response will look like:

{
    "data": {"topProducts": [{"name": "Table", "inStock": null}, {"name": "Chair", "inStock": null}]},
    "errors": [
        {
            "message": "service 'inventory' response was malformed: graphql response without data must contain at least one error",
            "path": ["topProducts", 0],
            "extensions": {"service": "inventory", "reason": "graphql response without data must contain at least one error", "code": "SUBREQUEST_MALFORMED_RESPONSE"}
        },
        {
            "message": "service 'inventory' response was malformed: graphql response without data must contain at least one error",
            "path": ["topProducts", 1],
            "extensions": {"service": "inventory", "reason": "graphql response without data must contain at least one error", "code": "SUBREQUEST_MALFORMED_RESPONSE"}
        }
    ]
}

The above examples reflect the behavior with include_subgraph_errors = true; if include_subgraph_errors is false:

{
    "data": {"topProducts": [{"name": "Table", "inStock": null}, {"name": "Chair", "inStock": null}]},
    "errors": [
        {
            "message": "Subgraph errors redacted",
            "path": ["topProducts", 0]
        },
        {
            "message": "Subgraph errors redacted",
            "path": ["topProducts", 1]
        }
    ]
}

By @​carodewig in https://github.com/apollographql/router/pull/7684

Remove use of APOLLO_TELEMETRY_DISABLED from the fleet detector plugin (PR #​7907)

The APOLLO_TELEMETRY_DISABLED environment variable only disables anonymous telemetry, it was never meant for disabling identifiable telemetry. This includes metrics from the fleet detection plugin.

By @​DMallare in https://github.com/apollographql/router/pull/7907

v2.4.0

Compare Source

🚀 Features

Support JWT audience (aud) validation (PR #​7578)

The router now supports JWT audience (aud) validation. This allows the router to ensure that the JWT is intended
for the specific audience it is being used with, enhancing security by preventing token misuse across different audiences.

The following sample configuration will validate the JWT's aud claim against the specified audiences and ensure a match with either https://my.api or https://my.other.api. If the aud claim does not match either of those configured audiences, the router will reject the request.

authentication:
 router:
   jwt:
     jwks: # This key is required.
       - url: https://dev-zzp5enui.us.auth0.com/.well-known/jwks.json
         issuers: # optional list of issuers
           - https://issuer.one
           - https://issuer.two
         audiences: # optional list of audiences
           - https://my.api
           - https://my.other.api
         poll_interval: <optional poll interval>
         headers: # optional list of static headers added to the HTTP request to the JWKS URL
           - name: User-Agent
             value: router

##### These keys are optional. Default values are shown.
     header_name: Authorization
     header_value_prefix: Bearer
     on_error: Error

##### array of alternative token sources
     sources:
       - type: header
         name: X-Authorization
         value_prefix: Bearer
       - type: cookie
         nam

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - "after 8am and before 4pm on tuesday" in timezone Etc/UTC.

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yNjQuMCIsInVwZGF0ZWRJblZlciI6IjQwLjYyLjEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==-->