fix(deps): update dependency graphql to v16.8.1 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
graphql	16.3.0 -> 16.8.1

GitHub Vulnerability Alerts

CVE-2023-26144

Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance.

Note: It was not proven that this vulnerability can crash the process.

---

Release Notes

graphql/graphql-js (graphql)

v16.8.1

Compare Source

v16.8.1 (2023-09-19)

Bug Fix 🐞

• #​3967 OverlappingFieldsCanBeMergedRule: Fix performance degradation (@​AaronMoat)

Committers: 1

• Aaron Moat(@​AaronMoat)

v16.8.0

Compare Source

v16.8.0 (2023-08-14)

New Feature 🚀

• #​3950 Support fourfold nested lists (@​gschulze)

Committers: 1

• Gunnar Schulze(@​gschulze)

v16.7.1

Compare Source

v16.7.1 (2023-06-22)

📢 Big shout out to @​phryneas, who managed to reproduce this issue and come up with this fix.

Bug Fix 🐞

• #​3923 instanceOf: workaround bundler issue with process.env (@​IvanGoncharov)

Committers: 1

• Ivan Goncharov(@​IvanGoncharov)

v16.7.0

Compare Source

v16.7.0 (2023-06-21)

New Feature 🚀

• #​3887 check "globalThis.process" before accessing it (@​kettanaito)

Bug Fix 🐞

• #​3707 Fix crash in node when mixing sync/async resolvers (backport of #​3706) (@​chrskrchr)
• #​3838 Fix/invalid error propagation custom scalars (backport for 16.x.x) (@​stenreijers)

Committers: 3

• Artem Zakharchenko(@​kettanaito)
• Chris Karcher(@​chrskrchr)
• Sten Reijers(@​stenreijers)

v16.6.0

Compare Source

v16.6.0 (2022-08-16)

New Feature 🚀

• #​3645 createSourceEventStream: introduce named arguments and deprecate positional arguments (@​yaacovCR)
• #​3702 parser: limit maximum number of tokens (@​IvanGoncharov)

Bug Fix 🐞

• #​3686 Workaround for codesandbox having bug with TS enums (@​IvanGoncharov)
• #​3701 Parser: allow 'options' to explicitly accept undefined (@​IvanGoncharov)

Committers: 2

• Ivan Goncharov(@​IvanGoncharov)
• Yaacov Rydzinski (@​yaacovCR)

v16.5.0

Compare Source

v16.5.0 (2022-05-09)

New Feature 🚀

• #​3565 Expose GraphQLErrorOptions type (#​3554) (@​IvanGoncharov)

Committers: 1

• Ivan Goncharov(@​IvanGoncharov)

v16.4.0

Compare Source

v16.4.0 (2022-04-25)

New Feature 🚀

• #​3465 refactor: use object for GraphQLError constructor (@​n1ru4l)
• #​3487 feat: expose getArgumentValues (@​saihaj)

Bug Fix 🐞

• #​3514 GraphQLError: switch constructor overload order (@​glasser)

Docs 📝

2 PRs were merged

• #​3505 correct outdated documentation (@​Ginhing)
• #​3512 Update documentation on deprecated formatError(..) (@​dwelch2344)

Polish 💅

3 PRs were merged

• #​3522 tests(execution): add missing new lines (@​IvanGoncharov)
• #​3524 tests(printSchema): test omitting schema of common names (@​IvanGoncharov)
• #​3537 ESLint: disallow using node globals in src/tests (@​IvanGoncharov)

Internal 🏠

26 PRs were merged

• #​3468 ci: add stub action for canary releases on PRs (@​IvanGoncharov)
• #​3470 ci: implement canary releases on PRs (@​IvanGoncharov)
• #​3472 ci: remove NPM caching on canary release script (@​IvanGoncharov)
• #​3473 ci: Pass 'GITHUB_TOKEN' to GitHub CLI (@​IvanGoncharov)
• #​3475 ci: checkout repo in canary workflow (@​IvanGoncharov)
• #​3477 ci: fix & cleanup script for modifying NPM package into canary (@​IvanGoncharov)
• #​3479 ci: Add missing require to canary script (@​IvanGoncharov)
• #​3481 ci: fix missing PR number in canary release workflow (@​IvanGoncharov)
• #​3483 ci: fix missing PR number in canary release workflow (@​IvanGoncharov)
• #​3484 ci: Moving GH Action template syntax to env variables (@​IvanGoncharov)
• #​3486 ci: improve comment on canary releases (@​IvanGoncharov)
• #​3488 ci: Extract branch publishing into separate workflow (@​IvanGoncharov)
• #​3489 ci: use '.node-version' file to configure node version used for CI (@​IvanGoncharov)
• #​3491 ci: use separate workflows for 'push' and 'pull_request' (@​IvanGoncharov)
• #​3493 ci: remove unused 'workflow_id' input (@​IvanGoncharov)
• #​3496 ci: fix deprecation of canary package (@​IvanGoncharov)
• #​3497 ci: use environments to track deployments (@​IvanGoncharov)
• #​3502 ci: fix deployments of npm & deno branches (@​IvanGoncharov)
• #​3503 ci: Add '@​github-actions' bot (@​IvanGoncharov)
• #​3523 github-actions-bot: replace 'octokit/request-action' action (@​IvanGoncharov)
• #​3525 github-actions-bot: Fix collapsing of unrelated comments (@​IvanGoncharov)
• #​3530 integrationTests/node: fix crash on Mac with M1 by using docker (@​IvanGoncharov)
• #​3534 github-actions-bot: fix publishing of canary releases (@​IvanGoncharov)
• #​3536 github-actions-bot: fix usage of NPM_CANARY_PR_PUBLISH_TOKEN (@​IvanGoncharov)
• #​3538 github-actions-bot: fix reply on commands (@​IvanGoncharov)
• #​3543 pass valid value to codecov config (@​is2ei)

Dependency 📦

2 PRs were merged

• #​3485 Update deps (@​IvanGoncharov)
• #​3533 Update deps (@​IvanGoncharov)

Committers: 7

• David Glasser(@​glasser)
• David Welch(@​dwelch2344)
• Ginhing(@​Ginhing)
• Horie Issei(@​is2ei)
• Ivan Goncharov(@​IvanGoncharov)
• Laurin Quast(@​n1ru4l)
• Saihajpreet Singh(@​saihaj)

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[socket-security]

Updated dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
graphql	16.3.0...16.8.1	None	+0/-0	1.34 MB	i1g