value.toString is not a function

[jerelmiller]

We've received reports of users encountering an ApolloError with the message value.toString is not a function starting on December 5. Our team is actively investigating the root cause and working to resolve issues under our control. Our initial findings lead us to believe this issue may be linked to a feature within Kaspersky’s anti-virus software, affecting websites using Apollo Client (in particular, versions prior to 3.11.8).

What We Know So Far

Our initial analysis and user reports indicates this error occurs when Kaspersky's "Encrypted Connections Scan" features is enabled. This seems to result in Apollo Client requests being modified in ways that cause the error. Additionally, we have observed that the issue appears limited to Apollo Client versions prior to 3.11.8

Recommended Action

To address and mitigate the issue, we recommend updating your Apollo Client to version 3.11.8 or higher. After updating, please verify if the problem persists.

We have informed Kaspersky of the problem, and they are investigating. While it does not appear that this issue is caused by Apollo Client, our team is committed to resolving this matter as quickly as possible and will provide updates as soon as we have more information to share. If you have additional questions or require assistance with the update, please don’t hesitate to reach out.

Thank you for your understanding and cooperation

[jerelmiller]

After thorough investigation, we determined that this issue is not caused by Apollo Client but stems from a bug in certain Kaspersky products. Specifically, this bug interferes with Apollo Client’s functionality when users visit websites utilizing Apollo Client versions older than 3.11.8.

We have informed Kaspersky of this issue, and they are actively investigating. However, at this time, the affected version of Kaspersky's software is still being shipped.

How This May Impact You

If an end user has Kaspersky installed on their computer, they may experience the above error when visiting a website if the UI was built using and older version of Apollo Client, creating the false impression of a bug in Apollo Client. This can disrupt user experiences and lead to confusion among developers and end-users.

Recommended Action

To prevent this issue, we strongly recommend any of the following options:

• Upgrading your Apollo Client to version 3.11.8 or later. This version includes adjustments that mitigate the impact of the Kaspersky bug.
• Locally backporting the changes made in 3.11.8 using patch-package. Here is an example patch for Apollo Client 3.7.17: @apollo+client+3.7.17.patch
• By providing a custom fetch function to HttpLink that replaces the headers before they hit the Kaspersky extension

  new ApolloClient({
    cache: new InMemoryCache({
      /*...*/
    }),
    link: new HttpLink({
      uri: "...",
      fetch: (input, init) => {
        if (!init || !init.headers) {
          return fetch(input, init);
        }
        return fetch(input, {
          ...init,
          headers: { ...headers },
        });
      },
    }),
  });

Any of these mitigation techniques will help ensure a seamless experience for end users while Kaspersky works on resolving the issue.

We are closely monitoring this situation and will provide updates to this post as Kaspersky makes progress on resolving the bug. In the meantime, if you experience any related issues after upgrading to Apollo Client 3.11.8 or later, please open an issue.

[LevanArabuli]

+1, experiencing the same issue as well
It specifically happens because of the Inject script into web traffic to interact with web pages option in the AV

[bignimbus]

Status update: a Kaspersky team member indicated in this forum post that a fix in their software is on its way in a release slated for late January / early February 2025.