A reference implementation of GraphQL for JavaScript
Installations
npm install graphql
Score
99.4
Supply Chain
100
Quality
98.6
Maintenance
100
Vulnerability
100
License
Releases
Developer
Developer Guide
Module System
CommonJS
Min. Node Version
^12.22.0 || ^14.16.0 || ^16.0.0 || >=17.0.0
Typescript Support
Yes
Node Version
20.11.1
NPM Version
10.2.4
Statistics
20,100 Stars
3,188 Commits
2,027 Forks
399 Watching
30 Branches
195 Contributors
Updated on 27 Nov 2024
Bundle Size
170.18 kB
Minified
41.04 kB
Minified + Gzipped
Languages
TypeScript (92.46%)
MDX (4.59%)
JavaScript (2.45%)
CSS (0.42%)
Shell (0.07%)
Total Downloads
Cumulative downloads
Total Downloads
2,207,547,330
Last day
-3%
2,851,479
Compared to previous day
Last week
2.7%
14,944,023
Compared to previous week
Last month
13.6%
62,076,100
Compared to previous month
Last year
16.7%
634,227,732
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
No dependencies detected.
GraphQL.js
The JavaScript reference implementation for GraphQL, a query language for APIs created by Facebook.
See more complete documentation at https://graphql.org/ and https://graphql.org/graphql-js/.
Looking for help? Find resources from the community.
Getting Started
A general overview of GraphQL is available in the README for the Specification for GraphQL. That overview describes a simple set of GraphQL examples that exist as tests in this repository. A good way to get started with this repository is to walk through that README and the corresponding tests in parallel.
Using GraphQL.js
Install GraphQL.js from npm
With npm:
1npm install --save graphql
or using yarn:
1yarn add graphql
GraphQL.js provides two important capabilities: building a type schema and serving queries against that type schema.
First, build a GraphQL type schema which maps to your codebase.
1import { 2 graphql, 3 GraphQLSchema, 4 GraphQLObjectType, 5 GraphQLString, 6} from 'graphql'; 7 8var schema = new GraphQLSchema({ 9 query: new GraphQLObjectType({ 10 name: 'RootQueryType', 11 fields: { 12 hello: { 13 type: GraphQLString, 14 resolve() { 15 return 'world'; 16 }, 17 }, 18 }, 19 }), 20});
This defines a simple schema, with one type and one field, that resolves
to a fixed value. The resolve
function can return a value, a promise,
or an array of promises. A more complex example is included in the top-level tests directory.
Then, serve the result of a query against that type schema.
1var source = '{ hello }'; 2 3graphql({ schema, source }).then((result) => { 4 // Prints 5 // { 6 // data: { hello: "world" } 7 // } 8 console.log(result); 9});
This runs a query fetching the one field defined. The graphql
function will
first ensure the query is syntactically and semantically valid before executing
it, reporting errors otherwise.
1var source = '{ BoyHowdy }'; 2 3graphql({ schema, source }).then((result) => { 4 // Prints 5 // { 6 // errors: [ 7 // { message: 'Cannot query field BoyHowdy on RootQueryType', 8 // locations: [ { line: 1, column: 3 } ] } 9 // ] 10 // } 11 console.log(result); 12});
Note: Please don't forget to set NODE_ENV=production
if you are running a production server. It will disable some checks that can be useful during development but will significantly improve performance.
Want to ride the bleeding edge?
The npm
branch in this repository is automatically maintained to be the last
commit to main
to pass all tests, in the same form found on npm. It is
recommended to use builds deployed to npm for many reasons, but if you want to use
the latest not-yet-released version of graphql-js, you can do so by depending
directly on this branch:
npm install graphql@git://github.com/graphql/graphql-js.git#npm
Experimental features
Each release of GraphQL.js will be accompanied by an experimental release containing support for the @defer
and @stream
directive proposal. We are hoping to get community feedback on these releases before the proposal is accepted into the GraphQL specification. You can use this experimental release of GraphQL.js by adding the following to your project's package.json
file.
"graphql": "experimental-stream-defer"
Community feedback on this experimental release is much appreciated and can be provided on the issue created for this purpose.
Using in a Browser
GraphQL.js is a general-purpose library and can be used both in a Node server and in the browser. As an example, the GraphiQL tool is built with GraphQL.js!
Building a project using GraphQL.js with webpack or
rollup should just work and only include
the portions of the library you use. This works because GraphQL.js is distributed
with both CommonJS (require()
) and ESModule (import
) files. Ensure that any
custom build configurations look for .mjs
files!
Contributing
We actively welcome pull requests. Learn how to contribute.
This repository is managed by EasyCLA. Project participants must sign the free (GraphQL Specification Membership agreement before making a contribution. You only need to do this one time, and it can be signed by individual contributors or their employers.
To initiate the signature process please open a PR against this repo. The EasyCLA bot will block the merge if we still need a membership agreement from you.
You can find detailed information here. If you have issues, please email operations@graphql.org.
If your company benefits from GraphQL and you would like to provide essential financial support for the systems and people that power our community, please also consider membership in the GraphQL Foundation.
Changelog
Changes are tracked as GitHub releases.
License
GraphQL.js is MIT-licensed.
Stable Version
The latest stable version of the package.
Stable Version
16.9.0
MODERATE
1
5.3/10
Summary
graphql Uncontrolled Resource Consumption vulnerability
Affected Versions
>= 16.3.0, < 16.8.1
Patched Versions
16.8.1
Reason
no dangerous workflow patterns detected
Reason
18 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
no binaries found in the repo
Reason
security policy file detected
Details
- Info: security policy file detected: github.com/graphql/.github/SECURITY.md:1
- Info: Found linked content: github.com/graphql/.github/SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/graphql/.github/SECURITY.md:1
- Info: Found text in security policy: github.com/graphql/.github/SECURITY.md:1
Reason
Found 15/30 approved changesets -- score normalized to 5
Reason
dependency not pinned by hash detected -- score normalized to 5
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:67: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:108: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:113: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:129: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:134: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:147: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:161: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:166: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:183: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:188: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:200: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:211: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:216: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:227: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:86: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:91: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/ci.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cmd-publish-pr-on-npm.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/cmd-publish-pr-on-npm.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cmd-publish-pr-on-npm.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/cmd-publish-pr-on-npm.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cmd-publish-pr-on-npm.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/cmd-publish-pr-on-npm.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cmd-publish-pr-on-npm.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/cmd-publish-pr-on-npm.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cmd-publish-pr-on-npm.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/cmd-publish-pr-on-npm.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cmd-publish-pr-on-npm.yml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/cmd-publish-pr-on-npm.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cmd-publish-pr-on-npm.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/cmd-publish-pr-on-npm.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cmd-publish-pr-on-npm.yml:113: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/cmd-publish-pr-on-npm.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cmd-run-benchmark.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/cmd-run-benchmark.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cmd-run-benchmark.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/cmd-run-benchmark.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cmd-run-benchmark.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/cmd-run-benchmark.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-artifact-as-branch.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/deploy-artifact-as-branch.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-artifact-as-branch.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/deploy-artifact-as-branch.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/github-actions-bot.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/github-actions-bot.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/github-actions-bot.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/github-actions-bot.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/github-actions-bot.yml:105: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/github-actions-bot.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/github-actions-bot.yml:110: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/github-actions-bot.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/github-actions-bot.yml:134: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/github-actions-bot.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/github-actions-bot.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/github-actions-bot.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull_request.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/pull_request.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull_request.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/pull_request.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull_request.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/pull_request.yml/16.x.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull_request_opened.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/graphql/graphql-js/pull_request_opened.yml/16.x.x?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:77
- Info: 0 out of 42 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 1 third-party GitHubAction dependencies pinned
- Info: 11 out of 12 npmCommand dependencies pinned
Reason
8 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-4q6p-r6v2-jvc5
- Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/ci.yml:1
- Warn: no topLevel permission defined: .github/workflows/cmd-publish-pr-on-npm.yml:1
- Warn: no topLevel permission defined: .github/workflows/cmd-run-benchmark.yml:1
- Warn: no topLevel permission defined: .github/workflows/deploy-artifact-as-branch.yml:1
- Warn: no topLevel permission defined: .github/workflows/github-actions-bot.yml:1
- Warn: no topLevel permission defined: .github/workflows/pull_request.yml:1
- Warn: no topLevel permission defined: .github/workflows/pull_request_opened.yml:1
- Warn: no topLevel permission defined: .github/workflows/push.yml:1
- Info: no jobLevel write permissions found
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 27 are checked with a SAST tool
Score
5.6
/10
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn MoreOther packages similar to graphql
@opentelemetry/instrumentation-graphql
OpenTelemetry instrumentation for `graphql` gql query language and runtime for GraphQL
@graphql-tools/graphql-tag-pluck
Pluck graphql-tag template literals
@octokit/graphql
GitHub GraphQL API client for browsers and Node
@graphql-tools/documents
Utilities for GraphQL documents.