
fix(deps): update dependency graphql to v16.8.1 [security] #181

Open

renovate[bot] wants to merge 1 commit into main from renovate/npm-graphql-vulnerability

Conversation

@renovate renovate Bot commented Sep 21, 2023


This PR contains the following updates:

Package    Change
graphql    16.6.0 → 16.8.1
graphql    16.5.0 → 16.8.1

graphql Uncontrolled Resource Consumption vulnerability

CVE-2023-26144 / GHSA-9pv7-vfvm-6vr7

Details

Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance.

Note: It was not proven that this vulnerability can crash the process.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

graphql/graphql-js (graphql)

v16.8.1 (2023-09-19)

Bug Fix 🐞
Committers: 1

v16.8.0 (2023-08-14)

New Feature 🚀
Committers: 1

v16.7.1 (2023-06-22)

📢 Big shout out to @phryneas, who managed to reproduce this issue and come up with this fix.

Bug Fix 🐞
Committers: 1

v16.7.0 (2023-06-21)

New Feature 🚀
Bug Fix 🐞
Committers: 3

Configuration

📅 Schedule (UTC):

  • Branch creation: ""
  • Automerge: At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.



This PR was generated by Mend Renovate. View the repository job log.
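As an added defender-side check that is not part of this PR or of graphql-js, the following script scans a package-lock.json (lockfileVersion 2/3 "packages" map) for any graphql install inside the affected range stated in the advisory above, >=16.3.0 and <16.8.1, including nested copies under other dependencies. The lockfile contents are constructed sample data, and the semver comparison is a simplified one (prerelease identifiers compared as plain strings).

```javascript
// Added example (not from this PR or graphql-js): scan a package-lock.json
// (lockfileVersion 2/3 "packages" map) for graphql installs in >=16.3.0 <16.8.1.
const AFFECTED_PACKAGE = 'graphql';
const AFFECTED_MIN = '16.3.0';   // first affected version (inclusive)
const FIXED_VERSION = '16.8.1';  // first fixed version (exclusive)

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into numeric parts plus tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// strcmp-style compare. Simplified semver: a prerelease sorts before its
// release, and prerelease identifiers are compared as plain strings.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null || pb.pre === null) return pa.pre === null ? 1 : -1;
  return pa.pre < pb.pre ? -1 : 1;
}
function isAffected(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 && compareVersions(version, FIXED_VERSION) < 0;
}
// Return every lockfile path that installs an affected graphql build; nested
// installs appear as node_modules/<dep>/node_modules/graphql.
function findAffected(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const name = entry.name || path.split('node_modules/').pop();
    if (name === AFFECTED_PACKAGE && entry.version && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}
// Constructed sample lockfile: one direct affected copy, one nested copy older
// than the affected range, and one nested copy already on the fixed version.
const SAMPLE_LOCKFILE = {
  name: 'sample-app', lockfileVersion: 3, packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/graphql': { version: '16.6.0' },
    'node_modules/some-lib/node_modules/graphql': { version: '16.2.0' },
    'node_modules/other-lib/node_modules/graphql': { version: '16.8.1' },
  },
};
console.log(findAffected(SAMPLE_LOCKFILE)); // [{ path: 'node_modules/graphql', version: '16.6.0' }]
```

To run it against a real project, replace SAMPLE_LOCKFILE with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')); any non-empty result means the upgrade in this PR (or a lockfile refresh of the nested copy) is still needed.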

@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch 2 times, most recently from 4b9038c to 8a52512 Compare October 2, 2023 03:16
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch from 8a52512 to 4143f32 Compare October 9, 2023 03:39
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch from 4143f32 to d57ffb9 Compare September 12, 2024 15:14

coderabbitai Bot commented Sep 12, 2024


Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Comment @coderabbitai help to get the list of available commands and usage tips.

@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch 5 times, most recently from e8ad40f to e07c904 Compare September 16, 2024 04:13
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch 3 times, most recently from 1dcecd1 to 235e3a4 Compare September 25, 2024 16:47
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch 2 times, most recently from 941276f to 9f95d09 Compare October 7, 2024 03:45
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch 2 times, most recently from f499bea to 78eca92 Compare October 21, 2024 03:24
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch 2 times, most recently from 124fd08 to 3d81496 Compare November 4, 2024 03:38
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch from 3d81496 to 0a03d8a Compare November 11, 2024 03:33
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch from 0a03d8a to 8be9b1b Compare January 22, 2025 05:33
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch from 8be9b1b to 75c2fc8 Compare August 10, 2025 12:28
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch from 75c2fc8 to b68a03a Compare August 19, 2025 14:05
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch from b68a03a to 88d054b Compare September 25, 2025 19:02
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch from 88d054b to 36c1ae5 Compare November 11, 2025 00:46
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch from 36c1ae5 to 11f1c87 Compare November 18, 2025 11:42
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch from 11f1c87 to 1516353 Compare December 31, 2025 14:10
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch from 1516353 to a1bbbdf Compare January 8, 2026 17:43
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch from a1bbbdf to afba179 Compare January 19, 2026 18:12
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch from afba179 to f510f5d Compare February 2, 2026 20:28
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch 2 times, most recently from 67503c4 to 323fec1 Compare February 17, 2026 19:03
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch from 323fec1 to e332223 Compare March 5, 2026 17:52
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch from e332223 to 01bed5d Compare March 13, 2026 16:50
@renovate renovate Bot changed the title fix(deps): update dependency graphql to v16.8.1 [security] fix(deps): update dependency graphql to v16.8.1 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-graphql-vulnerability branch March 27, 2026 00:56
@renovate renovate Bot changed the title fix(deps): update dependency graphql to v16.8.1 [security] - autoclosed fix(deps): update dependency graphql to v16.8.1 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch 4 times, most recently from 8105595 to 566be31 Compare April 1, 2026 20:12
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch from 566be31 to ea062e2 Compare April 8, 2026 19:17
@renovate renovate Bot changed the title fix(deps): update dependency graphql to v16.8.1 [security] fix(deps): update dependency graphql to v16.8.1 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title fix(deps): update dependency graphql to v16.8.1 [security] - autoclosed fix(deps): update dependency graphql to v16.8.1 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch 2 times, most recently from ea062e2 to 5471b4a Compare April 27, 2026 22:09
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch 2 times, most recently from a750fc0 to f3de59d Compare May 18, 2026 11:01
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch from f3de59d to 1eeb2a7 Compare May 28, 2026 19:16
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch from 1eeb2a7 to 6f7e001 Compare June 11, 2026 12:13