
Conversation


@Napalys Napalys commented Mar 19, 2025

Added model as data support for ApolloServer from @apollo/server and similar packages.

The DCA run yielded a very positive outcome, incorporating many new sources. 🎉

@github-actions github-actions bot added the JS label Mar 19, 2025
@Napalys Napalys marked this pull request as ready for review March 20, 2025 18:10
Copilot AI review requested due to automatic review settings March 20, 2025 18:10
@Napalys Napalys requested a review from a team as a code owner March 20, 2025 18:10

Copilot AI left a comment


Pull Request Overview

This PR adds support for modeling the ApolloServer usage from the @apollo/server package and related packages, including security test cases for request-forgery.

  • Added a new test file with two variations of the downloadFiles resolver for security query tests.
  • Introduced a YAML model extension to associate various ApolloServer package variants with specific source model definitions.
  • Updated change notes to document the new ApolloServer support.

Reviewed Changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.

Reviewed files:
  • javascript/ql/test/query-tests/Security/CWE-918/apollo.serverSide.ts: Adds test cases for the downloadFiles resolver with security annotations.
  • javascript/ql/lib/ext/apollo-server.model.yml: Provides the model extension mapping for the ApolloServer packages.
  • javascript/ql/lib/change-notes/2025-03-20-apollo-server.md: Notes the addition of support for ApolloServer from various packages.
Files not reviewed (1)
  • javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected: Language not supported
Comments suppressed due to low confidence (1)

javascript/ql/test/query-tests/Security/CWE-918/apollo.serverSide.ts:17

  • [nitpick] The second downloadFiles resolver lacks the usual source/alert annotations compared to the first one. If this is an intentional negative test case to verify analyzer behavior, consider adding an inline comment to clarify this intent for future maintainers.
        downloadFiles: async (_, { files }) => { // $ MISSING: Source[js/request-forgery]
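The reviewed test file exercises a `downloadFiles` resolver as a request-forgery (CWE-918) case: the `files` argument comes from a remote GraphQL client, which is why the new model marks it as a source. The following is an added example, not code from this PR or from the CodeQL repository, showing that resolver shape first with the defect the query looks for and then hardened. The base origin `https://files.example.com/`, the `context.fetch` client and all sample inputs are assumptions constructed for the example.

```javascript
// Added example (not the PR's code): a `downloadFiles` resolver in the shape Apollo
// calls it, resolvers.Query.downloadFiles(parent, args, context). The `files`
// argument is client controlled, so whatever it contains reaches the outbound request.

// Assumption for this example: downloads may only come from this one origin.
const DOWNLOAD_BASE = "https://files.example.com/";
const ALLOWED_HOSTS = new Set(["files.example.com"]);

// Defective version: each client-supplied entry is used as the request URL as-is,
// so any scheme, host or port the client names is contacted by the server.
function buildTargetsUnsafe(files) {
  return files.map((f) => String(f));
}

// Hardened version: resolve the entry against the fixed base, then re-check the
// result. Resolution alone does not pin the host: a protocol-relative entry such as
// "//other.example/x" still swaps the host, and an absolute URL overrides the base.
function validateDownloadTarget(candidate) {
  let url;
  try {
    url = new URL(String(candidate), DOWNLOAD_BASE);
  } catch {
    return null; // unparsable input is rejected rather than passed along
  }
  if (url.protocol !== "https:") return null;
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  // Embedded credentials or a non-default port are never expected for these downloads.
  if (url.port !== "" || url.username !== "" || url.password !== "") return null;
  return url.href;
}

function buildTargetsSafe(files) {
  const targets = [];
  for (const f of files) {
    const target = validateDownloadTarget(f);
    if (target === null) throw new Error("download target not permitted");
    targets.push(target);
  }
  return targets;
}

// Resolver map in Apollo's shape. `context.fetch` stands in for whatever HTTP
// client the server injects into the resolver context (an assumption here).
const resolvers = {
  Query: {
    downloadFiles: async (_parent, { files }, context) => {
      const targets = buildTargetsSafe(files);
      return Promise.all(targets.map((t) => context.fetch(t)));
    },
  },
};

// Stand-alone run with constructed input: the defective builder accepts the foreign
// host, the hardened one rejects the whole request.
const sample = ["report.pdf", "//other.example/secret"];
console.log("unsafe targets:", buildTargetsUnsafe(sample));
try {
  console.log("safe targets:", buildTargetsSafe(sample));
} catch (e) {
  console.log("rejected:", e.message);
}

module.exports = { validateDownloadTarget, buildTargetsUnsafe, buildTargetsSafe, resolvers };
```

The check runs on the resolved URL rather than on the raw string because the WHATWG `URL` constructor is what finally decides which host is contacted; validating before resolution would miss the protocol-relative and absolute-URL cases above.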


@asgerf asgerf left a comment


Great to see these new sources! 🎉

@Napalys Napalys merged commit 7bd1c4d into github:main Mar 21, 2025
12 checks passed