apollographql/router v1.28.0 on GitHub

Warning
We have discovered an issue with comment parsing in graphql schema in this release (#3680). We will be releasing a follow up to fix this shortly. For now users should use 1.27.0.

🚀 Features

Expose the `stats_reports_key` hash to plugins. (Issue #2728)

This exposes a new key in the Context, apollo_operation_id, which identifies operation you can find in studio:

https://studio.apollographql.com/graph/<your_graph_variant>/variant/<your_graph_variant>/operations?query=<apollo_operation_id>

The apollo_operation_id context key is exposed during:

Execution service request
Subgraph service request
Subgraph service response
Execution service response
Supergraph service response
Router service response

By @o0Ignition0o in #3586

Add new (unstable) metrics (PR #3609)

Many of our existing metrics are poorly and inconsistently named. In addition, they follow Prometheus style rather than Otel style.

This changeset adds some new metrics that will give us a good foundation to build upon.
New metrics are namespaced apollo.router.operations.*.

These metrics should be treated as unstable and may change in the future.

By @BrynCooke in #3609

🐛 Fixes

Flush metrics when Router reloads or shuts down (Issue #3140)

When the Router either reloads or shuts down it now flushes metrics.
Push metrics exporters, such as OTLP, would have previously missed some metrics — in particular those related to reload events.

By @garypen in #3143

🛠 Maintenance

Upgrade to Rust 1.71.1 (PR #3536)

This includes the fix for CVE-2023-38497.

Although Apollo was not affected, users building custom binaries should consider their own build environments to determine if they were impacted.

By @SimonSapin in #3536

Add Apollo OpenTelemetry metrics (PR #3354, PR #3651)

We've added an OpenTelemetry metrics exporter which compliments and builds upon our existing Apollo Studio Protobuf format for metric transmission.

By @BrynCooke in #3354 and #3651

📚 Documentation

Clarify that hot-reload does not affect Uplink-delivered config/schema (PR #3596)

This documentation adjustment (and small CLI help change) tries to clarify some confusion around the --hot-reload command line argument and the scope of its operation.

Concretely, the supergraph and configuration that is delivered through a GraphOS Launch (and delivered through Uplink) is always loaded immediately and will take effect as soon as possible.

On the other hand, files that are provided locally - e.g., --config ./file.yaml and --supergraph ./supergraph.graphql - are only reloaded:

If --hot-reload is passed (or if another flag infers --hot-reload, as is the case with --dev) and a supergraph or configuration is changed; or
When the router process is sent a SIGHUP.

Otherwise, files provided locally to the router are only re-reloaded if the router process is completely restarted.

By @abernix in #3596

🧪 Experimental

Improvements to safelisting with Persisted Queries (preview)

(The Persisted Queries feature was initially released in Router v1.25.0, as part of a private preview requiring enablement by Apollo support. The feature is now in public preview and is accessible to any enterprise GraphOS organization.)

Several improvements to safelisting behavior based on preview feedback:

When the safelist is enabled (but require_id is not), matching now ignores the order of top-level definitions (operations and fragments) and ignored tokens (whitespace, comments, commas, etc), so that differences in these purely syntactic elements do not affect whether an operation is considered to be in the safelist.
If introspection is enabled on the server, any operation whose top-level fields are introspection fields (__type, __schema, or __typename) is considered to be in the safelist.
This special case is not applied if require_id is enabled, so that Router never parses freeform GraphQL in this mode.
When log_unknown is enabled and apq has not been disabled, the Router now logs any operation not in the safelist as unknown, even those sent via IDs if the operation was found in the APQ cache rather than the manifest.
When log_unknown and require_id are both enabled, the Router now logs all operations that rejects (i.e., all operations sent as freeform GraphQL).
Previously, the Router only logged the operations that would have been rejected by the safelist feature with require_id disabled (i.e., operations sent as freeform GraphQL that do not match an operation in the manifest).

As a side effect of this change, Router now re-downloads the PQ manifest when reloading configuration dynamically rather than caching it across reloads. If this causes a notable performance regression for your use case, please file an issue.

By @glasser in #3566