fix(deps): update dependency graphql to v16.8.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
graphql	16.5.0 → 16.8.1

---

graphql Uncontrolled Resource Consumption vulnerability

CVE-2023-26144 / GHSA-9pv7-vfvm-6vr7

More information

Details

Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance.

Note: It was not proven that this vulnerability can crash the process.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

• https://nvd.nist.gov/vuln/detail/CVE-2023-26144
• https://github.com/graphql/graphql-js/issues/3955
• https://github.com/graphql/graphql-js/pull/3972
• https://github.com/graphql/graphql-js/releases/tag/v16.8.1
• https://security.snyk.io/vuln/SNYK-JS-GRAPHQL-5905181
• https://github.com/graphql/graphql-js/commit/8f4c64eb6a7112a929ffeef00caa67529b3f2fcf
• https://github.com/advisories/GHSA-9pv7-vfvm-6vr7

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

graphql/graphql-js (graphql)

v16.8.1

Compare Source

v16.8.1 (2023-09-19)

Bug Fix 🐞

• #​3967 OverlappingFieldsCanBeMergedRule: Fix performance degradation (@​AaronMoat)

Committers: 1

• Aaron Moat(@​AaronMoat)

v16.8.0

Compare Source

v16.8.0 (2023-08-14)

New Feature 🚀

• #​3950 Support fourfold nested lists (@​gschulze)

Committers: 1

• Gunnar Schulze(@​gschulze)

v16.7.1

Compare Source

v16.7.1 (2023-06-22)

📢 Big shout out to @​phryneas, who managed to reproduce this issue and come up with this fix.

Bug Fix 🐞

• #​3923 instanceOf: workaround bundler issue with process.env (@​IvanGoncharov)

Committers: 1

• Ivan Goncharov(@​IvanGoncharov)

v16.7.0

Compare Source

v16.7.0 (2023-06-21)

New Feature 🚀

• #​3887 check "globalThis.process" before accessing it (@​kettanaito)

Bug Fix 🐞

• #​3707 Fix crash in node when mixing sync/async resolvers (backport of #​3706) (@​chrskrchr)
• #​3838 Fix/invalid error propagation custom scalars (backport for 16.x.x) (@​stenreijers)

Committers: 3

• Artem Zakharchenko(@​kettanaito)
• Chris Karcher(@​chrskrchr)
• Sten Reijers(@​stenreijers)

v16.6.0

Compare Source

v16.6.0 (2022-08-16)

New Feature 🚀

• #​3645 createSourceEventStream: introduce named arguments and deprecate positional arguments (@​yaacovCR)
• #​3702 parser: limit maximum number of tokens (@​IvanGoncharov)

Bug Fix 🐞

• #​3686 Workaround for codesandbox having bug with TS enums (@​IvanGoncharov)
• #​3701 Parser: allow 'options' to explicitly accept undefined (@​IvanGoncharov)

Committers: 2

• Ivan Goncharov(@​IvanGoncharov)
• Yaacov Rydzinski (@​yaacovCR)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cursor]

Stale comment

Automated review skipped — dependency-only update.

This PR contains only a graphql version bump (security patch from Renovate). The code-review orchestrator is configured to skip dependency-only PRs immediately. No source files, tests, or public contracts were modified.

  

_{Sent by Cursor Automation: Flatbread PR Review}

[cursor]

Automated review skipped — dependency-only update.

This PR contains only a transitive dependency bump (graphql → v16.8.1, security fix) with no source, test, config, or documentation changes. The code-review orchestrator is configured to skip dependency-only PRs immediately.

No action required from reviewers beyond standard merge-queue checks.

  

_{Sent by Cursor Automation: Flatbread PR Review}