upgrade graphql, other security related upgrades (#3488)

Author: acao

.changeset/plenty-bees-fry.md

@@ -0,0 +1,7 @@
+---
+'graphql-language-service-cli': patch
+'graphql-language-service-server': patch
+'vscode-graphql': patch
+---
+
+Bump graphql & graphql-tools version to fix potential runtime security bugs

examples/cm6-graphql-legacy-parcel/package.json

@@ -25,7 +25,7 @@
     "@codemirror/basic-setup": "^0.20.0",
     "@codemirror/language": "^0.20.0",
     "codemirror-graphql": "^2.0.2",
-    "graphql": "^16.4.0"
+    "graphql": "^16.8.1"
   },
   "devDependencies": {
     "parcel-bundler": "^1.12.4",

examples/cm6-graphql-parcel/package.json

@@ -29,7 +29,7 @@
     "@codemirror/theme-one-dark": "6.0.0",
     "@codemirror/view": "6.1.2",
     "cm6-graphql": "0.0.1",
-    "graphql": "^16.4.0"
+    "graphql": "^16.8.1"
   },
   "devDependencies": {
     "parcel": "^2.6.2",

examples/graphiql-create-react-app/package.json

@@ -4,7 +4,7 @@
   "private": true,
   "dependencies": {
     "graphiql": "^2.2.0",
-    "graphql": "^16.4.0",
+    "graphql": "^16.8.1",
     "react": "^18.2.0",
     "react-dom": "^18.2.0",
     "react-scripts": "5.0.1"

examples/graphiql-parcel/package.json

@@ -23,7 +23,7 @@
   },
   "dependencies": {
     "graphiql": "^2.2.0",
-    "graphql": "^16.4.0",
+    "graphql": "^16.8.1",
     "react": "^18.2.0",
     "react-dom": "^18.2.0"
   },

examples/graphiql-webpack/package.json

@@ -14,7 +14,7 @@
     "@graphiql/toolkit": "^0.9.1",
     "@graphiql/react": "^0.20.2",
     "graphiql": "^3.1.0",
-    "graphql": "^16.4.0",
+    "graphql": "^16.8.1",
     "graphql-ws": "^5.5.5",
     "react": "^18.2.0",
     "regenerator-runtime": "^0.13.9"

examples/monaco-graphql-nextjs/package.json

@@ -10,7 +10,7 @@
   },
   "dependencies": {
     "@graphiql/toolkit": "^0.9.1",
-    "graphql": "^16.4.0",
+    "graphql": "^16.8.1",
     "graphql-ws": "^5.5.5",
     "jsonc-parser": "^3.2.0",
     "marked": "^4.2.12",

examples/monaco-graphql-react-vite/package.json

@@ -4,7 +4,7 @@
   "version": "0.0.0",
   "dependencies": {
     "@graphiql/toolkit": "^0.9.1",
-    "graphql": "^16.4.0",
+    "graphql": "^16.8.1",
     "graphql-language-service": "^5.2.0",
     "jsonc-parser": "^3.2.0",
     "monaco-editor": "^0.39.0",

examples/monaco-graphql-webpack/package.json

@@ -9,7 +9,7 @@
     "start": "cross-env NODE_ENV=development webpack-cli serve"
   },
   "dependencies": {
-    "graphql": "^16.4.0",
+    "graphql": "^16.8.1",
     "graphql-language-service": "^5.2.0",
     "json-schema": "^0.4.0",
     "jsonc-parser": "^3.2.0",

package.json

@@ -136,5 +136,8 @@
     "typescript": "^4.6.3",
     "vitest": "^0.32.2",
     "wsrun": "^5.2.4"
+  },
+  "resolutions": {
+    "@babel/traverse": "^7.23.2"
   }
 }

packages/cm6-graphql/package.json

@@ -30,7 +30,7 @@
     "@lezer/highlight": "^1.0.0",
     "@lezer/lr": "^1.1.0",
     "esbuild": "0.18.10",
-    "graphql": "^16.4.0",
+    "graphql": "^16.8.1",
     "rollup": "^2.60.2",
     "rollup-plugin-dts": "^4.0.1",
     "rollup-plugin-esbuild": "^4.9.1",

packages/codemirror-graphql/package.json

@@ -51,7 +51,7 @@
     "@codemirror/language": "^6.0.0",
     "codemirror": "^5.65.3",
     "cross-env": "^7.0.2",
-    "graphql": "^16.4.0",
+    "graphql": "^16.8.1",
     "rimraf": "^3.0.2",
     "sane": "2.0.0"
   }

packages/graphiql-plugin-code-exporter/package.json

@@ -41,7 +41,7 @@
   "devDependencies": {
     "@graphiql/react": "^0.20.2",
     "@vitejs/plugin-react": "^4.0.1",
-    "graphql": "^16.4.0",
+    "graphql": "^16.8.1",
     "postcss-nesting": "^10.1.7",
     "react": "^18.2.0",
     "react-dom": "^18.2.0",

packages/graphiql-plugin-explorer/package.json

@@ -40,7 +40,7 @@
   "devDependencies": {
     "@graphiql/react": "^0.20.2",
     "@vitejs/plugin-react": "^4.0.1",
-    "graphql": "^16.4.0",
+    "graphql": "^16.8.1",
     "react": "^18.2.0",
     "react-dom": "^18.2.0",
     "typescript": "^4.6.3",

packages/graphiql-react/package.json

@@ -69,7 +69,7 @@
     "@testing-library/react": "14.0.0",
     "@types/set-value": "^4.0.1",
     "@vitejs/plugin-react": "^4.0.1",
-    "graphql": "^16.4.0",
+    "graphql": "^16.8.1",
     "postcss-nesting": "^10.1.7",
     "react": "^18.2.0",
     "react-dom": "^18.2.0",

packages/graphiql-toolkit/package.json

@@ -24,7 +24,7 @@
     "meros": "^1.1.4"
   },
   "devDependencies": {
-    "graphql": "^16.4.0",
+    "graphql": "^16.8.1",
     "graphql-ws": "^5.5.5",
     "isomorphic-fetch": "^3.0.0",
     "subscriptions-transport-ws": "0.11.0"

packages/graphiql/package.json

@@ -73,7 +73,7 @@
     "cypress": "^12.6.0",
     "express": "^4.18.2",
     "fork-ts-checker-webpack-plugin": "7.3.0",
-    "graphql": "^16.4.0",
+    "graphql": "^16.8.1",
     "graphql-http": "^1.19.0",
     "graphql-subscriptions": "^2.0.0",
     "html-webpack-plugin": "^5.5.0",

packages/graphql-language-service-cli/package.json

@@ -42,6 +42,6 @@
     "yargs": "^16.2.0"
   },
   "devDependencies": {
-    "graphql": "^16.4.0"
+    "graphql": "^16.8.1"
   }
 }

packages/graphql-language-service-server/package.json

@@ -37,15 +37,15 @@
     "graphql": "^15.5.0 || ^16.0.0"
   },
   "dependencies": {
-    "@babel/parser": "^7.22.6",
-    "@babel/types": "^7.22.5",
-    "@graphql-tools/code-file-loader": "8.0.1",
-    "@vue/compiler-sfc": "^3.2.41",
+    "@babel/parser": "^7.23.6",
+    "@babel/types": "^7.23.5",
+    "@graphql-tools/code-file-loader": "8.0.3",
+    "@vue/compiler-sfc": "^3.4.5",
     "cosmiconfig-toml-loader": "^1.0.0",
     "dotenv": "10.0.0",
     "fast-glob": "^3.2.7",
     "glob": "^7.2.0",
-    "graphql-config": "5.0.2",
+    "graphql-config": "5.0.3",
     "graphql-language-service": "^5.2.0",
     "mkdirp": "^1.0.4",
     "node-abort-controller": "^3.0.1",
@@ -54,14 +54,14 @@
     "vscode-languageserver": "^8.0.1",
     "vscode-languageserver-types": "^3.17.2",
     "vscode-uri": "^3.0.2",
-    "svelte2tsx": "^0.6.19",
+    "svelte2tsx": "^0.6.27",
     "svelte": "^4.1.1",
     "source-map-js": "1.0.2"
   },
   "devDependencies": {
     "@types/glob": "^8.1.0",
     "@types/mkdirp": "^1.0.1",
     "cross-env": "^7.0.2",
-    "graphql": "^16.4.0"
+    "graphql": "^16.8.1"
   }
 }

packages/graphql-language-service-server/src/findGraphQLTags.ts

@@ -7,7 +7,7 @@
  *
  */
 
-import {
+import type {
   Expression,
   TaggedTemplateExpression,
   TemplateLiteral,

packages/graphql-language-service-server/src/parsers/vue.ts

@@ -1,6 +1,7 @@
 import { parse, compileScript, SFCScriptBlock } from '@vue/compiler-sfc';
 import { RangeMapper, SourceParser } from './types';
 import { Position, Range } from 'graphql-language-service';
+import { BlockStatement, Statement } from '@babel/types';
 
 type ParseVueSFCResult =
   | { type: 'error'; errors: Error[] }
@@ -39,8 +40,8 @@ export function parseVueSFC(source: string): ParseVueSFCResult {
   return {
     type: 'ok',
     scriptOffset: scriptBlock.loc.start.line - 1,
-    scriptSetupAst: scriptBlock?.scriptSetupAst,
-    scriptAst: scriptBlock?.scriptAst,
+    scriptSetupAst: scriptBlock?.scriptSetupAst as Statement[],
+    scriptAst: scriptBlock?.scriptAst as BlockStatement[],
   };
 }
 

packages/graphql-language-service/package.json

@@ -43,8 +43,8 @@
     "@types/json-schema": "7.0.9",
     "@types/picomatch": "^2.3.0",
     "benchmark": "^2.1.4",
-    "graphql": "^16.4.0",
-    "graphql-config": "5.0.2",
+    "graphql": "^16.8.1",
+    "graphql-config": "5.0.3",
     "lodash": "^4.17.15",
     "platform": "^1.3.5",
     "ts-node": "^8.10.2",

packages/monaco-graphql/package.json

@@ -71,7 +71,7 @@
   },
   "devDependencies": {
     "execa": "^7.1.1",
-    "graphql": "^16.4.0",
+    "graphql": "^16.8.1",
     "monaco-editor": "^0.39.0",
     "prettier": "3.0.0-alpha.12",
     "vscode-languageserver-types": "^3.17.1"

packages/vscode-graphql-execution/package.json

@@ -102,15 +102,15 @@
     "vsce": "^2.13.0"
   },
   "dependencies": {
-    "@graphql-tools/code-file-loader": "8.0.1",
+    "@graphql-tools/code-file-loader": "8.0.3",
     "@urql/core": "2.6.1",
     "@whatwg-node/fetch": "0.2.8",
     "capitalize": "2.0.4",
     "cosmiconfig": "8.2.0",
     "cosmiconfig-toml-loader": "^1.0.0",
     "dotenv": "10.0.0",
-    "graphql": "^16.4.0",
-    "graphql-config": "5.0.2",
+    "graphql": "^16.8.1",
+    "graphql-config": "5.0.3",
     "graphql-tag": "2.12.6",
     "graphql-ws": "5.10.0",
     "svelte": "^4.1.1",

packages/vscode-graphql/package.json

@@ -172,7 +172,7 @@
     "vsce": "^2.13.0"
   },
   "dependencies": {
-    "graphql": "^16.4.0",
+    "graphql": "^16.8.1",
     "graphql-language-service-server": "^2.11.6",
     "vscode-languageclient": "8.0.2"
   }