npmpackage.info

graphql-helix

A highly evolved GraphQL HTTP Server 🧬

1.13.0

830

MIT

TypeScript

320.45 kB

3,461,061 2.7

Installations

npm install graphql-helix

Score

93.8

Supply Chain

100

Quality

78.5

Maintenance

100

Vulnerability

100

License

Pull Requests

Open

48

Total

246

Closed

42

Merged

156

Issues

Open

22

Total

57

Closed

35

Releases

graphql-helix@1.13.0

Published on 09 Jul 2022

graphql-helix@1.12.0

Published on 08 Mar 2022

graphql-helix@1.11.0

Published on 16 Dec 2021

graphql-helix@1.10.3

Published on 25 Nov 2021

graphql-helix@1.10.2

Published on 19 Nov 2021

graphql-helix@1.10.1

Published on 18 Nov 2021

View all 14 releases

Developer

contrawork

Developer Guide

BETA

Module System

CommonJS, ESM

Min. Node Version

Typescript Support

No

Node Version

16.15.1

NPM Version

8.11.0 Statistics

830 Stars

252 Commits

49 Forks

22 Watching

50 Branches

30 Contributors

Updated on 21 Nov 2024

Bundle Size

1.09 MB

Minified

320.45 kB

Minified + Gzipped

Bundlephobia

Languages

TypeScript (96.48%)

CSS (2.48%)

JavaScript (1.04%)

Total Downloads

Cumulative downloads

Total Downloads

3,461,061

Last day

-13.3%

2,318

Compared to previous day

Last week

32.2%

14,321

Compared to previous week

Last month

22.2%

55,917

Compared to previous month

Last year

-51.7%

589,266

Compared to previous year

Daily Downloads

Weekly Downloads

Monthly Downloads

Yearly Downloads

Peer Dependencies

graphql

Dev Dependencies

Versions

A highly evolved GraphQL HTTP Server 🧬

GraphQL Helix is a collection of utility functions for building your own GraphQL HTTP server. You can check out Building a GraphQL server with GraphQL Helix on DEV for a detailed tutorial on getting started.

Features

Framework and runtime agnostic. Use whatever HTTP library you want. GraphQL Helix works in Node, Deno and in the browser.
HTTP first. GraphQL Helix allows you to create a GraphQL over HTTP specification-compliant server, while exposing a single HTTP endpoint for everything from documentation to subscriptions.
Server push and client pull. GraphQL Helix supports real-time requests with both subscriptions and @defer and @stream directives.
Flexible. GraphQL Helix abstracts away logic that's common to all GraphQL HTTP servers, while leaving the implementation to you. Implement the features you want and take full control of your transport layer.
Minimal. No bloat. No paid platform integration. Zero dependencies outside of graphql-js.

Installation

npm install graphql-helix

yarn add graphql-helix

Basic Usage

The following example shows how to integrate GraphQL Helix with Node.js using Express. This example shows how to implement all the basic features, including a GraphiQL interface, subscriptions and support for @stream and @defer. See the rest of the examples for implementations using other frameworks and runtimes. For implementing additional features, see the Recipes section below.

1import express, { RequestHandler } from "express";
2import { getGraphQLParameters, processRequest, renderGraphiQL, shouldRenderGraphiQL, sendResult } from "graphql-helix";
3import { schema } from "./schema";
4
5const app = express();
6
7app.use(express.json());
8
9app.use("/graphql", async (req, res) => {
10  // Create a generic Request object that can be consumed by Graphql Helix's API
11  const request = {
12    body: req.body,
13    headers: req.headers,
14    method: req.method,
15    query: req.query,
16  };
17
18  // Determine whether we should render GraphiQL instead of returning an API response
19  if (shouldRenderGraphiQL(request)) {
20    res.send(renderGraphiQL());
21  } else {
22    // Extract the Graphql parameters from the request
23    const { operationName, query, variables } = getGraphQLParameters(request);
24
25    // Validate and execute the query
26    const result = await processRequest({
27      operationName,
28      query,
29      variables,
30      request,
31      schema,
32    });
33
34    // processRequest returns one of three types of results depending on how the server should respond
35    // 1) RESPONSE: a regular JSON payload
36    // 2) MULTIPART RESPONSE: a multipart response (when @stream or @defer directives are used)
37    // 3) PUSH: a stream of events to push back down the client for a subscription
38    // The "sendResult" is a NodeJS-only shortcut for handling all possible types of Graphql responses,
39    // See "Advanced Usage" below for more details and customizations available on that layer.
40    sendResult(result, res);
41  }
42});
43
44const port = process.env.PORT || 4000;
45
46app.listen(port, () => {
47  console.log(`GraphQL server is running on port ${port}.`);
48});

Transports Variations

The processRequest will return one of the following types:

RESPONSE: a regular JSON payload
MULTIPART_RESPONSE: a multipart response (when @stream or @defer directives are used)
PUSH: a stream of events to push back down the client for a GraphQL subscription

If you GraphQL schema doesn't have the type Subscription defined, or the @stream / @defer / @live directives available, you'll get RESPONSE in your result payload, so you can just use sendResult helper to send the response data in one line of code.

If you wish to have more control over you transports, you can use one of the following exported helpers:

sendResponseResult - matches the RESPONSE type.
sendMultipartResponseResult - matches the MULTIPART_RESPONSE type.
sendPushResult - matches the PUSH type.

And you'll be able to construct a custom flow. Here's a quick example for customizing the response per each type of result:

1if (result.type === "RESPONSE") {
2  sendResponseResult(result, res);
3} else if (result.type === "MULTIPART_RESPONSE") {
4  sendMultipartResponseResult(result, res);
5} else if (result.type === "PUSH") {
6  sendPushResult(result, res);
7}

This way you can also disable specific responses if you wish, by return an error instead of calling the helpers.

Checkout docs to learn more.

No vulnerabilities found.

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

License

Determines if the project has defined a license.

2

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

0

Maintained

Determines if the project is "actively maintained".

0

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

Reason

dependency not pinned by hash detected -- score normalized to 0

Details

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/benchmark.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/contra/graphql-helix/benchmark.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/benchmark.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/contra/graphql-helix/benchmark.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/benchmark.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/contra/graphql-helix/benchmark.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/canary.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/contra/graphql-helix/canary.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/canary.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/contra/graphql-helix/canary.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/canary.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/contra/graphql-helix/canary.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/canary.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/contra/graphql-helix/canary.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/canary.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/contra/graphql-helix/canary.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/canary.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/contra/graphql-helix/canary.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/contra/graphql-helix/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/contra/graphql-helix/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/contra/graphql-helix/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/contra/graphql-helix/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/contra/graphql-helix/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/contra/graphql-helix/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/contra/graphql-helix/release.yml/main?enable=pin
Info: 0 out of 11 GitHub-owned GitHubAction dependencies pinned
Info: 0 out of 5 third-party GitHubAction dependencies pinned

0

Security-Policy

Determines if the project has published a security policy.

0

Fuzzing

Determines if the project uses fuzzing.

0

Branch-Protection

Determines if the default and release branches are protected with GitHub's branch protection settings.

0

SAST

Determines if the project uses static code analysis.

0

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

Reason

50 existing vulnerabilities detected

Details

Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
Warn: Project is vulnerable to: GHSA-c2jc-4fpr-4vhg
Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw
Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx
Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7
Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
Warn: Project is vulnerable to: GHSA-w573-4hg7-7wgq
Warn: Project is vulnerable to: GHSA-wm7h-9275-46v2
Warn: Project is vulnerable to: GHSA-23wx-cgxq-vpwx
Warn: Project is vulnerable to: GHSA-f6v4-cf5j-vf3w
Warn: Project is vulnerable to: GHSA-6h5x-7c5m-7cr7
Warn: Project is vulnerable to: GHSA-rv95-896h-c2vc
Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx
Warn: Project is vulnerable to: GHSA-3fjj-p79j-c9hh
Warn: Project is vulnerable to: GHSA-mhxj-85r3-2x55
Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc
Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp
Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97
Warn: Project is vulnerable to: GHSA-rc47-6667-2j5j
Warn: Project is vulnerable to: GHSA-896r-f27r-55mw
Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3
Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h
Warn: Project is vulnerable to: GHSA-qrpm-p2h7-hrv2
Warn: Project is vulnerable to: GHSA-c59h-r6p8-q9wc
Warn: Project is vulnerable to: GHSA-g77x-44xx-532m
Warn: Project is vulnerable to: GHSA-r683-j2x4-v87g
Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp
Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg
Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p
Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
Warn: Project is vulnerable to: GHSA-w5p7-h5w8-2hfq
Warn: Project is vulnerable to: GHSA-pgw7-wx7w-2w33
Warn: Project is vulnerable to: GHSA-3cvr-822r-rqcc
Warn: Project is vulnerable to: GHSA-q768-x9m6-m9qp / GHSA-wqq4-5wpv-mx2g
Warn: Project is vulnerable to: GHSA-8qr4-xgw6-wmr3
Warn: Project is vulnerable to: GHSA-f772-66g8-q5h3
Warn: Project is vulnerable to: GHSA-5r9g-qh6m-jxff
Warn: Project is vulnerable to: GHSA-r6ch-mqf9-qc9w
Warn: Project is vulnerable to: GHSA-3787-6prv-h9w3
Warn: Project is vulnerable to: GHSA-9qxr-qj54-h672
Warn: Project is vulnerable to: GHSA-m4v8-wqvr-p9f7
Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q

Score

2.7

/10

Last Scanned on 2024-11-25

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More

Other packages similar to graphql-helix

helix-flare

2.0.0

GraphQL Helix for your Cloudflare Workers

@escape.tech/graphql-armor

3.1.2

Dead-simple, yet highly customizable security middleware for Apollo GraphQL servers shield

@adobe/helix-rum-js

2.10.0

Helix RUM JS

graphql

16.9.0

A Query Language and Runtime which can target any service.