npmpackage.info

Gathering detailed insights and metrics for graphql

graphql - 16.11.0 | npmpackage.info

graphql

A reference implementation of GraphQL for JavaScript

16.11.0

20,217

MIT

TypeScript

1.30 MB

7.6

Installations

npm install graphql

Developer Guide

BETA

Typescript

Yes

Module System

CommonJS

Min. Node Version

^12.22.0 || ^14.16.0 || ^16.0.0 || >=17.0.0

Node Version

20.13.0

NPM Version

10.5.2 Pull Requests

Open

69

Total

3,155

Closed

543

Merged

2,543

Issues

Open

91

Total

1,145

Closed

1,054

Releases

161

v17.0.0-alpha.9

Updated on Jun 11, 2025

16.11.0

v16.11.0

Updated on Apr 26, 2025

v17.0.0-alpha.8

Updated on Feb 06, 2025

v15.10.1

Updated on Jan 14, 2025

v15.10.0

Updated on Jan 13, 2025

16.10.0

v16.10.0

Updated on Dec 15, 2024

View All 161 releases

Languages

TypeScript

MDX

JavaScript

CSS

Shell

TypeScript (85.59%)

MDX (11.67%)

JavaScript (2.29%)

CSS (0.39%)

Shell (0.07%)

Developer

graphql

Download Statistics

Total Downloads

Last Day

Last Week

Last Month

Last Year

GitHub Statistics

MIT License

20,217 Stars

3,242 Commits

2,049 Forks

395 Watchers

42 Branches

204 Contributors

Updated on Jul 13, 2025

Maintainers

View All 204 Contributors

Package Meta Information

Latest Version

16.11.0

Package Id

graphql@16.11.0

Unpacked Size

1.30 MB

Size

278.19 kB

File Count

391

NPM Version

10.5.2

Node Version

20.13.0

Published on

Apr 26, 2025

Total Downloads

Cumulative downloads

Total Downloads

NaN

Last Day

NaN

Compared to previous day

Last Week

NaN

Compared to previous week

Last Month

NaN

Compared to previous month

Last Year

NaN

Compared to previous year

Weekly Downloads

Monthly Downloads

Yearly Downloads

No dependencies detected.

GraphQL.js

The JavaScript reference implementation for GraphQL, a query language for APIs created by Facebook.

See more complete documentation at https://graphql.org/ and https://graphql.org/graphql-js/.

Looking for help? Find resources from the community.

Getting Started

A general overview of GraphQL is available in the README for the Specification for GraphQL. That overview describes a simple set of GraphQL examples that exist as tests in this repository. A good way to get started with this repository is to walk through that README and the corresponding tests in parallel.

Using GraphQL.js

Install GraphQL.js from npm

With npm:

1npm install --save graphql

or using yarn:

1yarn add graphql

GraphQL.js provides two important capabilities: building a type schema and serving queries against that type schema.

First, build a GraphQL type schema which maps to your codebase.

1import {
2  graphql,
3  GraphQLSchema,
4  GraphQLObjectType,
5  GraphQLString,
6} from 'graphql';
7
8var schema = new GraphQLSchema({
9  query: new GraphQLObjectType({
10    name: 'RootQueryType',
11    fields: {
12      hello: {
13        type: GraphQLString,
14        resolve() {
15          return 'world';
16        },
17      },
18    },
19  }),
20});

This defines a simple schema, with one type and one field, that resolves to a fixed value. The resolve function can return a value, a promise, or an array of promises. A more complex example is included in the top-level tests directory.

Then, serve the result of a query against that type schema.

1var source = '{ hello }';
2
3graphql({ schema, source }).then((result) => {
4  // Prints
5  // {
6  //   data: { hello: "world" }
7  // }
8  console.log(result);
9});

This runs a query fetching the one field defined. The graphql function will first ensure the query is syntactically and semantically valid before executing it, reporting errors otherwise.

1var source = '{ BoyHowdy }';
2
3graphql({ schema, source }).then((result) => {
4  // Prints
5  // {
6  //   errors: [
7  //     { message: 'Cannot query field BoyHowdy on RootQueryType',
8  //       locations: [ { line: 1, column: 3 } ] }
9  //   ]
10  // }
11  console.log(result);
12});

Note: Please don't forget to set NODE_ENV=production if you are running a production server. It will disable some checks that can be useful during development but will significantly improve performance.

Want to ride the bleeding edge?

The npm branch in this repository is automatically maintained to be the last commit to main to pass all tests, in the same form found on npm. It is recommended to use builds deployed to npm for many reasons, but if you want to use the latest not-yet-released version of graphql-js, you can do so by depending directly on this branch:

npm install graphql@git://github.com/graphql/graphql-js.git#npm

Experimental features

Each release of GraphQL.js will be accompanied by an experimental release containing support for the @defer and @stream directive proposal. We are hoping to get community feedback on these releases before the proposal is accepted into the GraphQL specification. You can use this experimental release of GraphQL.js by adding the following to your project's package.json file.

"graphql": "experimental-stream-defer"

Community feedback on this experimental release is much appreciated and can be provided on the issue created for this purpose.

Using in a Browser

GraphQL.js is a general-purpose library and can be used both in a Node server and in the browser. As an example, the GraphiQL tool is built with GraphQL.js!

Building a project using GraphQL.js with webpack or rollup should just work and only include the portions of the library you use. This works because GraphQL.js is distributed with both CommonJS (require()) and ESModule (import) files. Ensure that any custom build configurations look for .mjs files!

Contributing

We actively welcome pull requests. Learn how to contribute.

This repository is managed by EasyCLA. Project participants must sign the free (GraphQL Specification Membership agreement before making a contribution. You only need to do this one time, and it can be signed by individual contributors or their employers.

To initiate the signature process please open a PR against this repo. The EasyCLA bot will block the merge if we still need a membership agreement from you.

You can find detailed information here. If you have issues, please email operations@graphql.org.

If your company benefits from GraphQL and you would like to provide essential financial support for the systems and people that power our community, please also consider membership in the GraphQL Foundation.

Changelog

Changes are tracked as GitHub releases.

License

GraphQL.js is MIT-licensed.

Moderate

5.3/10

Summary

graphql Uncontrolled Resource Consumption vulnerability

Affected Versions

>= 16.3.0, < 16.8.1

Patched Versions

16.8.1

10

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

10

Maintained

Determines if the project is "actively maintained".

10

License

Determines if the project has defined a license.

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10

Security-Policy

Determines if the project has published a security policy.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

10

SAST

Determines if the project uses static code analysis.

5

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

Reason

dependency not pinned by hash detected -- score normalized to 5

Details

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:78: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:107: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:112: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:230: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:235: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:247: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:260: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:265: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:277: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:131: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:136: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:152: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:157: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:170: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:186: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:191: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:210: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:215: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:220: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-artifact-as-branch.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/deploy-artifact-as-branch.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-artifact-as-branch.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/deploy-artifact-as-branch.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull_request.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/pull_request.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull_request.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/pull_request.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull_request.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/pull_request.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull_request.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/pull_request.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull_request.yml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/pull_request.yml/16.x.x?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull_request_opened.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/pull_request_opened.yml/16.x.x?enable=pin
Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:96
Info: 0 out of 30 GitHub-owned GitHubAction dependencies pinned
Info: 0 out of 2 third-party GitHubAction dependencies pinned
Info: 9 out of 10 npmCommand dependencies pinned

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Fuzzing

Determines if the project uses fuzzing.

0

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

Score

7.6

/10

Last Scanned on 2025-07-07

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More