Merge branch 'main' into digits

Author: bmhatfield

.github/workflows/codeql-analysis.yml

@@ -13,10 +13,10 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ master ]
+    branches: [ main ]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ master ]
+    branches: [ main ]
   schedule:
     - cron: '16 17 * * 5'
 

.github/workflows/go.yml

@@ -4,9 +4,9 @@ name: Go
 
 on:
   push:
-    branches: [ "master" ]
+    branches: [ "main" ]
   pull_request:
-    branches: [ "master" ]
+    branches: [ "main" ]
 
 permissions:
   contents: read
@@ -21,7 +21,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v5
       with:
-        go-version: 1.24
+        go-version: 1.25
 
     - name: Build
       run: go build -v ./...
@@ -32,4 +32,4 @@ jobs:
     - name: golangci-lint
       uses: golangci/golangci-lint-action@v8
       with:
-          version: v2.1.6
+          version: v2.4.0

CHANGELOG.md

@@ -1,5 +1,17 @@
 # CHANGELOG
 
+[v1.7.2](https://github.com/graph-gophers/graphql-go/releases/tag/v1.7.2) Release v1.7.2
+
+* [BUGFIX] Fix checksum mismatch between direct git access and golang proxy for v1.7.1. This version contains identical functionality to v1.7.1 but with proper tag creation to ensure consistent checksums across all proxy configurations.
+
+[v1.7.1](https://github.com/graph-gophers/graphql-go/releases/tag/v1.7.1) Release v1.7.1
+
+* [IMPROVEMENT] `SelectedFieldNames` now returns dot-delimited nested field paths (e.g. `products`, `products.id`, `products.category`, `products.category.id`). Intermediate container object/list paths are included so resolvers can check for both a branch (`products.category`) and its leaves (`products.category.id`). `HasSelectedField` and `SortedSelectedFieldNames` operate on these paths. This aligns behavior with typical resolver projection needs and fixes missing nested selections.
+* [BUGFIX] Reject object, interface, and input object type definitions that declare zero fields/input values (spec compliance).
+* [IMPROVEMENT] Optimize overlapping field validation to avoid quadratic memory blowups on large sibling field lists.
+* [FEATURE] Add configurable safety valve for overlapping field comparison count with `OverlapValidationLimit(n)` schema option (0 disables the cap). When exceeded validation aborts early with rule `OverlapValidationLimitExceeded`. Disabled by default.
+* [TEST] Add benchmarks & randomized overlap stress test for mixed field/fragment patterns.
+
 [v1.7.0](https://github.com/graph-gophers/graphql-go/releases/tag/v1.7.0) Release v1.7.0
 
 * [FEATURE] Add resolver field selection inspection helpers (`SelectedFieldNames`, `HasSelectedField`, `SortedSelectedFieldNames`). Helpers are available by default and compute results lazily only when called. An explicit opt-out (`DisableFieldSelections()` schema option) is provided for applications that want to remove even the minimal context insertion overhead when the helpers are never used.
@@ -32,7 +44,7 @@
 
 * [FEATURE] Add types package #437
 * [FEATURE] Expose `packer.Unmarshaler` as `decode.Unmarshaler` to the public #450
-* [FEATURE] Add location fields to type definitions #454 
+* [FEATURE] Add location fields to type definitions #454
 * [FEATURE] `errors.Errorf` preserves original error similar to `fmt.Errorf` #456
 * [BUGFIX] Fix duplicated __typename in response (fixes #369) #443
 

CONTRIBUTING.md

@@ -6,7 +6,7 @@
   - Review existing issues and provide feedback or react to them.
 
 - With pull requests:
-  - Open your pull request against `master`
+  - Open your pull request against `main`
   - Your pull request should have no more than two commits, if not you should squash them.
   - It should pass all tests in the available continuous integrations systems such as TravisCI.
   - You should add/modify tests to cover your proposed code changes.

README.md

@@ -98,11 +98,7 @@ func (r *helloWorldResolver) Hello(ctx context.Context) (string, error) {
 ```
 
 ### Separate resolvers for different operations
-> **NOTE**: This feature is not in the stable release yet. In order to use it you need to run `go get github.com/graph-gophers/graphql-go@master` and in your `go.mod` file you will have something like:
->  ```
->  v1.5.1-0.20230216224648-5aa631d05992
->  ```
-> It is expected to be released in `v1.6.0` soon.
+This feature was released in `v1.6.0`.
 
 The GraphQL specification allows for fields with the same name defined in different query types. For example, the schema below is a valid schema definition:
 ```graphql
@@ -157,6 +153,7 @@ schema := graphql.MustParseSchema(sdl, &RootResolver{}, nil)
 - `PanicHandler(panicHandler errors.PanicHandler)` is used to transform panics into errors during query execution. It defaults to `errors.DefaultPanicHandler`.
 - `DisableIntrospection()` disables introspection queries.
 - `DisableFieldSelections()` disables capturing child field selections used by helper APIs (see below).
+- `OverlapValidationLimit(n int)` sets a hard cap on examined overlap pairs during validation; exceeding it emits `OverlapValidationLimitExceeded` error.
 
 ### Field Selection Inspection Helpers
 

example/federation/integration/gateway/package-lock.json

@@ -20,14 +20,20 @@ func (*mutnb) Toggle(args struct{ Enabled graphql.NullBool }) string {
 	return fmt.Sprintf("enabled '%v'", *args.Enabled.Value)
 }
 
+func (r *mutnb) Name() string {
+	return "test"
+}
+
 // ExampleNullBool demonstrates how to use nullable Bool type when it is necessary to differentiate between nil and not set.
 func ExampleNullBool() {
 	const s = `
 		schema {
 			query: Query
 			mutation: Mutation
 		}
-		type Query{}
+		type Query{
+			name: String!
+		}
 		type Mutation{
 			toggle(enabled: Boolean): String!
 		}

example_nullbool_test.go

@@ -31,6 +31,10 @@ type Args struct {
 
 type mutation struct{}
 
+func (m *mutation) Name() string {
+	return "test"
+}
+
 func (*mutation) Hello(args Args) string {
 	fmt.Println(args)
 	return "Args accepted!"
@@ -40,7 +44,9 @@ func Example_customScalarMap() {
 	s := `
 		scalar Map
 	
-		type Query {}
+		type Query {
+			name: String!
+		}
 		
 		type Mutation {
 			hello(

example_scalar_map_test.go

@@ -12,10 +12,16 @@ type (
 	userResolver struct{ u user }
 )
 
-func (r *userResolver) ID() graphql.ID                              { return graphql.ID(r.u.id) }
-func (r *userResolver) Name() *string                               { return &r.u.name }
-func (r *userResolver) Email() *string                              { return &r.u.email }
-func (r *userResolver) Friends(ctx context.Context) []*userResolver { return nil }
+func (r *userResolver) ID() graphql.ID { return graphql.ID(r.u.id) }
+func (r *userResolver) Name() *string  { return &r.u.name }
+func (r *userResolver) Email() *string { return &r.u.email }
+func (r *userResolver) Friends(ctx context.Context) []*userResolver {
+	// Return a couple of dummy friends (data itself not important for field selection example)
+	return []*userResolver{
+		{u: user{id: "F1", name: "Bob"}},
+		{u: user{id: "F2", name: "Carol"}},
+	}
+}
 
 type root struct{}
 
@@ -34,8 +40,8 @@ func Example_selectedFieldNames() {
         type User { id: ID! name: String email: String friends: [User!]! }
     `
 	schema := graphql.MustParseSchema(s, &root{})
-	query := `query { user(id: "U1") { id name } }`
+	query := `query { user(id: "U1") { id name friends { id name } } }`
 	_ = schema.Exec(context.Background(), query, "", nil)
 	// Output:
-	// [id name]
+	// [id name friends friends.id friends.name]
 }

example_selection_test.go

@@ -87,6 +87,7 @@ type Schema struct {
 	useFieldResolvers        bool
 	allowNullableZeroValues  bool
 	disableFieldSelections   bool
+	overlapPairLimit         int
 }
 
 // AST returns the abstract syntax tree of the GraphQL schema definition.
@@ -182,6 +183,14 @@ func MaxQueryLength(n int) SchemaOpt {
 	}
 }
 
+// OverlapValidationLimit caps the number of overlapping selection pairs that will be examined
+// during validation of a single operation (including fragments). A value of 0 disables the cap.
+// When the cap is exceeded validation aborts early with an error (rule: OverlapValidationLimitExceeded)
+// to protect against maliciously constructed queries designed to exhaust memory/CPU.
+func OverlapValidationLimit(n int) SchemaOpt {
+	return func(s *Schema) { s.overlapPairLimit = n }
+}
+
 // Tracer is used to trace queries and fields. It defaults to [noop.Tracer].
 func Tracer(t tracer.Tracer) SchemaOpt {
 	return func(s *Schema) {
@@ -277,7 +286,7 @@ func (s *Schema) ValidateWithVariables(queryString string, variables map[string]
 		return []*errors.QueryError{errors.Errorf("executable document must contain at least one operation")}
 	}
 
-	return validation.Validate(s.schema, doc, variables, s.maxDepth)
+	return validation.Validate(s.schema, doc, variables, s.maxDepth, s.overlapPairLimit)
 }
 
 // Exec executes the given query with the schema's resolver. It panics if the schema was created
@@ -300,7 +309,7 @@ func (s *Schema) exec(ctx context.Context, queryString string, operationName str
 	}
 
 	validationFinish := s.validationTracer.TraceValidation(ctx)
-	errs := validation.Validate(s.schema, doc, variables, s.maxDepth)
+	errs := validation.Validate(s.schema, doc, variables, s.maxDepth, s.overlapPairLimit)
 	validationFinish(errs)
 	if len(errs) != 0 {
 		return &Response{Errors: errs}