Repository Analysis

apollographql/apollo-server

🌍  Spec-compliant and production ready JavaScript GraphQL server that lets you develop in a schema-first way. Built for Express, Connect, Hapi, Koa, and more.

2.2 — Likely human-written

Adjusted Score: 2.2
Raw Score: 2.2
Time Factor: 100%
Last Push: 2026-05-30
Stars: 13,936
Language: TypeScript
Lines of Code: 52,245
Files: 209
Pattern Hits: 100
Scan Date: 2026-05-31


Severity Breakdown

CRITICAL 0 · HIGH 2 · MEDIUM 3 · LOW 95

Pattern Findings

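100 matches across 5 categories. The severity labels and points below appear to measure how strongly a match counts toward the authorship score above (the categories are all style and wording patterns); they should not be read as vulnerability ratings for the listed files.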

Hyper-Verbose Identifiers — 49 hits · 52 pts

Severity  File:Line  Snippet
LOW  packages/integration-testsuite/src/httpSpecTests.ts:8  export function defineIntegrationTestSuiteHttpSpecTests(
LOW  packages/integration-testsuite/src/apolloServerTests.ts:164  export function defineIntegrationTestSuiteApolloServerTests(
LOW  packages/integration-testsuite/src/apolloServerTests.ts:2379  async function makeFakeUsageReportingServer({
LOW  packages/integration-testsuite/src/apolloServerTests.ts:2584  function createApolloFetchAsIfFromGateway(uri: string): ApolloFetch {
LOW  packages/integration-testsuite/src/httpServerTests.ts:268  export function defineIntegrationTestSuiteHttpServerTests(
LOW  packages/integration-testsuite/src/index.ts:27  export function defineIntegrationTestSuite(
LOW  packages/server/src/runHttpQuery.ts:37  function searchParamIfSpecifiedOnce(
LOW  packages/server/src/runHttpQuery.ts:54  function jsonParsedSearchParamIfSpecifiedOnce(
LOW  packages/server/src/runHttpQuery.ts:99  function ensureQueryIsStringOrMissing(query: unknown) {
LOW  packages/server/src/runHttpQuery.ts:369  function orderExecutionResultFields(
LOW  packages/server/src/requestPipeline.ts:88  function isBadUserInputGraphQLError(error: GraphQLError): boolean {
LOW  packages/server/src/ApolloServer.ts:1429  export function chooseContentTypeForSingleResultResponse(
LOW  …ckages/server/src/plugin/subscriptionCallback/index.ts:20  export function ApolloServerPluginSubscriptionCallback(
LOW  packages/server/src/plugin/cacheControl/index.ts:55  export function ApolloServerPluginCacheControl(
LOW  packages/server/src/plugin/cacheControl/index.ts:102  function memoizedCacheAnnotationFromType(
LOW  packages/server/src/plugin/cacheControl/index.ts:114  function memoizedCacheAnnotationFromField(
LOW  packages/server/src/plugin/cacheControl/index.ts:350  function parseExistingCacheControlHeader(
LOW  packages/server/src/plugin/cacheControl/index.ts:372  function cacheAnnotationFromDirectives(
LOW  packages/server/src/plugin/inlineTrace/index.ts:47  export function ApolloServerPluginInlineTrace(
LOW  …src/plugin/usageReporting/operationDerivedDataCache.ts:10  export function createOperationDerivedDataCache({
LOW  …src/plugin/usageReporting/operationDerivedDataCache.ts:56  export function operationDerivedDataCacheKey(
LOW  packages/server/src/plugin/usageReporting/plugin.ts:221  function executableSchemaIdForSchema(schema: GraphQLSchema) {
LOW  packages/server/src/plugin/usageReporting/plugin.ts:237  async function sendAllReportsAndReportErrors(): Promise<void> {
LOW  packages/server/src/plugin/usageReporting/plugin.ts:245  async function sendReportAndReportErrors(
LOW  packages/server/src/plugin/usageReporting/plugin.ts:423  async function maybeCallIncludeRequestHook(
LOW  …kages/server/src/plugin/usageReporting/traceDetails.ts:75  function handleVariableValueTransformError(
LOW  …/plugin/usageReporting/defaultSendOperationsAsTrace.ts:6  export function defaultSendOperationsAsTrace() {
LOW  packages/server/src/plugin/disabled/index.ts:23  export function ApolloServerPluginCacheControlDisabled(): ApolloServerPlugin<BaseContext> {
LOW  packages/server/src/plugin/disabled/index.ts:27  export function ApolloServerPluginInlineTraceDisabled(): ApolloServerPlugin<BaseContext> {
LOW  packages/server/src/plugin/disabled/index.ts:31  export function ApolloServerPluginLandingPageDisabled(): ApolloServerPlugin<BaseContext> {
LOW  packages/server/src/plugin/disabled/index.ts:35  export function ApolloServerPluginSchemaReportingDisabled(): ApolloServerPlugin<BaseContext> {
LOW  packages/server/src/plugin/disabled/index.ts:39  export function ApolloServerPluginUsageReportingDisabled(): ApolloServerPlugin<BaseContext> {
LOW  packages/server/src/plugin/schemaReporting/index.ts:60  export function ApolloServerPluginSchemaReporting(
LOW  packages/server/src/plugin/drainHttpServer/index.ts:27  export function ApolloServerPluginDrainHttpServer(
LOW  packages/server/src/plugin/landingPage/default/index.ts:23  export function ApolloServerPluginLandingPageLocalDefault(
LOW  packages/server/src/plugin/landingPage/default/index.ts:38  export function ApolloServerPluginLandingPageProductionDefault(
LOW  packages/server/src/plugin/disableSuggestions/index.ts:4  export function ApolloServerPluginDisableSuggestions(): ApolloServerPlugin {
LOW  packages/server/src/utils/schemaInstrumentation.ts:46  export function pluginsEnabledForSchemaResolvers(
LOW  packages/server/src/__tests__/runQuery.test.ts:1037  function createLifecyclePluginMocks() {
LOW  packages/server/src/__tests__/runQuery.test.ts:1141  function cacheRepresentationOfQuery(query: string): string {
LOW  …rc/__tests__/plugin/subscriptionCallback/index.test.ts:2151  function mockRouterCheckResponseWithError(opts?: {
LOW  …rc/__tests__/plugin/subscriptionCallback/index.test.ts:2213  function mockRouterCompleteResponse(requestOpts?: {
LOW  …ests__/plugin/cacheControl/collectCacheControlHints.ts:10  export async function collectCacheControlHintsAndPolicyIfCacheable(
LOW  …c/__tests__/plugin/cacheControl/cacheControlSupport.ts:8  export function augmentTypeDefsWithCacheControlSupport(typeDefs: string) {
LOW  …c/__tests__/plugin/cacheControl/cacheControlSupport.ts:25  export function buildSchemaWithCacheControlSupport(source: string) {
LOW  …c/__tests__/plugin/cacheControl/cacheControlSupport.ts:29  export function makeExecutableSchemaWithCacheControlSupport(
LOW  …ver/src/__tests__/plugin/usageReporting/plugin.test.ts:311  function containsFieldExecutionData(
LOW  …server/src/validationRules/RecursiveSelectionsLimit.ts:157  export function createMaxRecursiveSelectionsRule(
LOW  packages/cache-control-types/src/index.ts:79  export function maybeCacheControlFromInfo(
Over-Commented Block — 44 hits · 44 pts

Severity  File:Line  Snippet
LOW  .gitleaks.toml:1  # This file exists primarily to influence scheduled scans that Apollo runs of all repos in Apollo-managed orgs.
LOW  smoke-test/smoke-test.sh:41  node generated/tsc/smoke-test.mjs
LOW  packages/integration-testsuite/src/httpSpecTests.ts:41  }
LOW  packages/integration-testsuite/src/resolvable.ts:1  // Copyright 2019 Joseph Gentle
LOW  packages/server/src/internalPlugin.ts:1  import type { BaseContext, ApolloServerPlugin } from './externalTypes/index.js';
LOW  packages/server/src/preventCsrf.ts:1  import MIMEType from 'whatwg-mimetype';
LOW  packages/server/src/preventCsrf.ts:21  const NON_PREFLIGHTED_CONTENT_TYPES = [
LOW  packages/server/src/preventCsrf.ts:41  // content types. For those operations, we require (if this feature is enabled)
LOW  packages/server/src/preventCsrf.ts:61  // actually *ok* because that would lead to a preflight. (For example, the
LOW  packages/server/src/requestPipeline.ts:281  return await sendErrorResponse(
LOW  packages/server/src/requestPipeline.ts:481  // The first thing that execution does is coerce the request's variables
LOW  packages/server/src/ApolloServer.ts:181  legacyExperimentalExecuteIncrementally?: LegacyExperimentalExecuteIncrementally;
LOW  packages/server/src/ApolloServer.ts:381  'The `status400ForVariableCoercionErrors: false` configuration option is deprecated and will be removed in Apo
LOW  packages/server/src/ApolloServer.ts:401  // Apollo Server 3+ the functions like `expressMiddleware` use `assertStarted`
LOW  packages/server/src/ApolloServer.ts:621  process.on(signal, signalHandler);
LOW  packages/server/src/ApolloServer.ts:681  }.'`,
LOW  packages/server/src/ApolloServer.ts:761  // missing/undefined means use the default (creating a new one each
LOW  packages/server/src/ApolloServer.ts:1001  // this if an API key was configured and log a warning.)
LOW  packages/server/src/ApolloServer.ts:1341  logger: server.logger,
LOW  packages/server/src/externalTypes/plugins.ts:81  // Called on startup fail. This can occur if the schema fails to load or if a
LOW  packages/server/src/plugin/traceTreeBuilder.ts:81  }
LOW  packages/server/src/plugin/traceTreeBuilder.ts:101  //
LOW  packages/server/src/plugin/traceTreeBuilder.ts:281  return err;
LOW  packages/server/src/plugin/schemaIsSubgraph.ts:1  import {
LOW  packages/server/src/plugin/cacheControl/index.ts:221  // (uncached) or the default if specified in the constructor.
LOW  packages/server/src/plugin/cacheControl/index.ts:301  policyIfCacheable &&
LOW  …src/plugin/usageReporting/operationDerivedDataCache.ts:21  },
LOW  packages/server/src/plugin/usageReporting/plugin.ts:141
LOW  packages/server/src/plugin/usageReporting/plugin.ts:501  requestContext.operation === undefined;
LOW  packages/server/src/plugin/usageReporting/stats.ts:21  // interface is what is accepted as input. We build up our messages using custom
LOW  packages/server/src/plugin/usageReporting/stats.ts:301
LOW  …/plugin/usageReporting/defaultSendOperationsAsTrace.ts:1  import { LRUCache } from 'lru-cache';
LOW  packages/server/src/plugin/drainHttpServer/stoppable.ts:1  // This file is adapted from the stoppable npm package:
LOW  …s/server/src/utils/makeGatewayGraphQLRequestContext.ts:21  // exist any more.
LOW  …s/server/src/utils/makeGatewayGraphQLRequestContext.ts:41  //
LOW  …s/server/src/utils/makeGatewayGraphQLRequestContext.ts:61  // Similarly, it's not clear what the intended use case of mutating `debug` in
LOW  packages/server/src/utils/resolvable.ts:1  // Copyright 2019 Joseph Gentle
LOW  …src/__tests__/plugin/drainHttpServer/stoppable.test.ts:1  // This file is adapted from the stoppable npm package:
LOW  packages/cache-control-types/src/index.ts:61  extends Omit<GraphQLResolveInfo, 'cacheControl'> {
LOW  …-response-cache/src/ApolloServerPluginResponseCache.ts:21  // JSON object with keys representing the query document, operation name,
LOW  …-response-cache/src/ApolloServerPluginResponseCache.ts:41  // - Else it will be cached under a cache key tagged with the mode
LOW  …-response-cache/src/ApolloServerPluginResponseCache.ts:61  // Note: this hook has been updated in Apollo Server v4 to only return a
LOW  …-response-cache/src/ApolloServerPluginResponseCache.ts:81
LOW  …-response-cache/src/ApolloServerPluginResponseCache.ts:301  if (errors || !data || !policyIfCacheable) {
Synthetic Comment Markers — 2 hits · 10 pts

Severity  File:Line  Snippet
HIGH  CHANGELOG_historical.md:1202  - Add support for GraphiQL editor themes in [#484](https://github.com/apollographql/apollo-server/pull/484) as requested
HIGH  CHANGELOG_historical.md:1202  - Add support for GraphiQL editor themes in [#484](https://github.com/apollographql/apollo-server/pull/484) as requested
AI Slop Vocabulary — 3 hits · 9 pts

Severity  File:Line  Snippet
MEDIUM  .gitleaks.toml:12  # or wasn't as robust as we needed. For example, one of the allowlisting options offered by Gitleaks depends on the line
MEDIUM  .gitleaks.toml:14  # This creates a fairly fragile allowlisting mechanism. This file allows us to leverage the full capabilities of the Git
MEDIUM  packages/server/src/requestPipeline.ts:216  // utilize the operation's hash to lookup the AST from the previously
Fake / Example Data — 2 hits · 2 pts

Severity  File:Line  Snippet
LOW  docs/source/schema/schema.md:557  "name": "Jane Doe",
LOW  docs/source/schema/schema.md:606  "name": "Jane Doe",