[Snyk] Upgrade graphql from 16.4.0 to 16.11.0

[X-oss-byte]

Snyk has created this PR to upgrade graphql from 16.4.0 to 16.11.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 18 versions ahead of your current version.

• The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Denial of Service (DoS) SNYK-JS-GRAPHQL-5905181	586	Proof of Concept

Release notes

Package name: graphql

• 16.11.0 - 2025-04-26
  

  v16.11.0 (2025-04-26)

  New Feature 🚀

  • #4363 Ensure we validate for using nullable variables in oneOf input fields (@ JoviDeCroock)
  • #4366 feat(execution): add max coercion errors option to execution context (@ cristunaranjo)

  Bug Fix 🐞

  • #4367 fix(coerce-input-value): input object coercion rejects arrays (@ cristunaranjo)

  Docs 📝

  11 PRs were merged

  • #4310 First draft for upgrade guide to v17 (@ JoviDeCroock)
  • #4331 fix sidebar for documentation and /api-v16 (@ dimaMachina)
  • #4335 Add cspell exception (@ JoviDeCroock)
  • #4340 Improve flow of documentation around GraphiQL (@ benjie)
  • #4343 typofix: removes extra parenthesis from getting started code snippet (@ rabahalishah)
  • #4351 fixed wrong variable name (@ fto-dev)
  • #4352 docs(getting-started): promises current links (@ guspan-tanadi)
  • #4368 Update docs for execution options (@ JoviDeCroock)
  • #4369 Correct some syntax (@ JoviDeCroock)
  • #4372 Refactor every code-first example to leverage resolve (@ JoviDeCroock)
  • #4373 docs: Update getting-started.mdx (@ Shubhdeep12)

  Polish 💅

  • #4312 Increase print/visit performance (@ JoviDeCroock)

  Internal 🏠

  4 PRs were merged

  • #4327 Add redirect for /api (@ JoviDeCroock)
  • #4377 Chore: bump setup-node (@ JoviDeCroock)
  • #4378 Change to gqlConf 2025 (@ JoviDeCroock)
  • #4379 Add missing parenthesis (@ benjie)

  Committers: 8

  • Benjie(@ benjie)
  • Cris Naranjo (@ cristunaranjo)
  • Dimitri POSTOLOV(@ dimaMachina)
  • Fatih Ozdemir(@ fto-dev)
  • Guspan Tanadi(@ guspan-tanadi)
  • Jovi De Croock(@ JoviDeCroock)
  • Rabah Ali Shah(@ rabahalishah)
  • Shubhdeep Chhabra(@ Shubhdeep12)
• 16.11.0-canary.pr.4384.c095a7b7d5dc33c988f84f0c921ae2f74bb710e6 - 2025-05-01
• 16.11.0-canary.pr.4364.2b4ffe237616247a733274dfdcb404c3d55d9f02 - 2025-04-30
• 16.10.0 - 2024-12-15
  

  v16.10.0 (2024-12-15)

  New Feature 🚀

  • #4286 fix: properly type extensions in GraphQLFormattedError (@ tpoisseau)
  • #4292 Expose tokenCount on the DocumentNode (@ JoviDeCroock)

  Bug Fix 🐞

  • #4137 backport(v16): Require non-empty directive locations (#4100) (@ benjie)
  • #4168 fix(validation): catch OverlappingFieldsCanBeMergedRule violations with nested fragments (@ sachindshinde)
  • #4226 Backport introspection type fix (@ JoviDeCroock)
  • #4291 Address empty selection-set (@ JoviDeCroock)

  Docs 📝

  10 PRs were merged

  • #4240 Convert from docusaurus to nextra (@ JoviDeCroock)
  • #4248 Add content from graphql/graphql.github.io#1782 (@ JoviDeCroock)
  • #4249 Styling fixes (@ JoviDeCroock)
  • #4256 Various fixes to docs (@ JoviDeCroock)
  • #4279 Solve some low hanging fruit in the documentation (@ JoviDeCroock)
  • #4283 Add overview page and add stackblitz to tutorial (@ JoviDeCroock)
  • #4284 Provide people with tabs so they can use classes as well (@ JoviDeCroock)
  • #4289 Add note about defer/stream being v17 (@ JoviDeCroock)
  • #4290 Write about @ oneOf in the graphql-js documentation (@ JoviDeCroock)
  • #4295 Split up in v16 API documentation (@ JoviDeCroock)

  Internal 🏠

  4 PRs were merged

  • #4138 Upgrade codecov action and pass token (@ benjie)
  • #4139 Fix codecov workflow (@ benjie)
  • #4157 Add GraphQLConf 2024 banner (@ bignimbus)
  • #4193 Upgrade deprecated actions (@ JoviDeCroock)

  Committers: 5

  • Benjie(@ benjie)
  • Jeff Auriemma(@ bignimbus)
  • Jovi De Croock(@ JoviDeCroock)
  • Sachin D. Shinde(@ sachindshinde)
  • tpoisseau(@ tpoisseau)
• 16.10.0-canary.pr.4364.6b142546832c1283b535908fb8c9a171b2f7cc20 - 2025-03-27
• 16.10.0-canary.pr.4359.9fe5229b2fc30d3e5b07a6b00693fac42b649fdd - 2025-04-03
• 16.10.0-canary.pr.4192.22fb497360b20aa7bf7c12aa87d2420ff394b3a0 - 2025-03-27
• 16.9.0 - 2024-06-21
  

  v16.9.0 (2024-06-21)

  New Feature 🚀

  • #4119 backport[v16]: Introduce "recommended" validation rules (@ benjie)
  • #4122 backport[v16]: Enable passing values configuration to GraphQLEnumType as a thunk (@ benjie)
  • #4124 backport[v16]: Implement OneOf Input Objects via @ oneOf directive (@ benjie)

  Committers: 1

  • Benjie(@ benjie)
• 16.9.0-canary.pr.4192.1813397076f44a55e5798478e7321db9877de97a - 2024-09-14
• 16.9.0-canary.pr.4159.0fa29326c53fcd63c6473c7357c28aa13fa0019d - 2024-08-13
• 16.8.2 - 2024-06-12
• 16.8.1 - 2023-09-19
• 16.8.0 - 2023-08-14
• 16.7.1 - 2023-06-22
• 16.7.0 - 2023-06-21
• 16.6.0 - 2022-08-16
• 16.5.0 - 2022-05-09
• 16.5.0-canary.pr.3686.d9ad8e3fd58929d38deea522d794a6b22d3244b5 - 2022-08-02
• 16.4.0 - 2022-04-25

from graphql GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Summary by Sourcery

Upgrade GraphQL dependency from version 16.4.0 to 16.11.0 to incorporate recent fixes and improvements, including resolution of a Denial of Service vulnerability

Bug Fixes:

• Address Denial of Service vulnerability (SNYK-JS-GRAPHQL-5905181) by upgrading graphql

Enhancements:

• Bump graphql dependency to ^16.11.0 in package.json and package-lock.json

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[changeset-bot]

⚠️ No Changeset found

Latest commit: a986d8f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[sourcery-ai]

Reviewer's Guide

This PR upgrades the GraphQL library from version 16.4.0 to 16.11.0 by updating the dependency declaration in package.json and regenerating the lockfile.

Class Diagram: Key API Additions in GraphQL (Post-Upgrade to v16.11.0)

classDiagram class ExecutionContext { +maxCoercionErrors: number } class DocumentNode { +tokenCount: number } 

Loading

State Diagram: Vulnerability Mitigation via GraphQL Upgrade

stateDiagram-v2 direction LR [*] --> Vulnerable Vulnerable: Project with graphql@16.4.0\n(Affected by SNYK-JS-GRAPHQL-5905181) Vulnerable --> Patched : Upgrade to graphql@16.11.0 Patched: Project with graphql@16.11.0\n(SNYK-JS-GRAPHQL-5905181 Fixed) Patched --> [*] 

Loading

File-Level Changes

Change	Details	Files
Upgrade graphql dependency version	Bump graphql version in package.json from ^16.4.0 to ^16.11.0 Regenerate package-lock.json to lock new version	package.json package-lock.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[X-oss-byte]

✅ Deploy Preview for enchanting-melba-222e50 ready!

Name	Link
🔨 Latest commit	a986d8f
🔍 Latest deploy log	https://app.netlify.com/projects/enchanting-melba-222e50/deploys/682f3ec762de11000916dd21
😎 Deploy Preview	https://deploy-preview-20--enchanting-melba-222e50.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.