graphql 2.0.28 → 2.2.11

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 44b42111ec0fc37bc4139cee1cbe87189248b9b8dc591ed316b617e6d2a845ce
-  data.tar.gz: 4d7321243adbd6072f4bc15e06c5ecbfff845910e8beb3dd2d339bf0710141e2
+  metadata.gz: 1bae060f1dcf449082e9e53be024476505d848448a13d592f31e67c11024caa4
+  data.tar.gz: ebc753b89b657c18771641869a4dffea9e79fe324a3f7e46c1a84304a6cc3375
 SHA512:
-  metadata.gz: 3e49b6047f8ff405b0364339bd4445a4f0911188041165c9384c8cf53d34a4a70a32c1be77efe725a7727faddedb8cfedb154b7d202c0fc4e6b15a6688a2d335
-  data.tar.gz: dcdff8dee011e849cc00acc6e601f9437d74e3087da9535c51a7993415398555aa0483d23cd5f9a5afa3e6ecd77c41d060ce220778bab5dfc4ceae834c82e56d
+  metadata.gz: 0bd27d12cd1efd1c4166c20062e401fa524bcda469de51cbfe89fd21542fd3433a2f23628c21330c9e3d700a9627c683a6a1691887a06ef06105ede4c2241b26
+  data.tar.gz: abc65a9217ae76239458695a3ee47d3e2bf3d072e16d62b9df16a65a380110e4a9a207af17473ca0f14fcce5d907a2552866597dd53785c890979a37aa2c500b

data/lib/generators/graphql/install/templates/base_mutation.erb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 <% module_namespacing_when_supported do -%>
 module Mutations
   class BaseMutation < GraphQL::Schema::RelayClassicMutation

data/lib/generators/graphql/install/templates/mutation_type.erb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 <% module_namespacing_when_supported do -%>
 module Types
   class MutationType < Types::BaseObject

data/lib/generators/graphql/install_generator.rb

@@ -105,6 +105,9 @@ module Graphql
           template("#{base_type}.erb", "#{options[:directory]}/types/#{base_type}.rb")
         end
 
+        # All resolvers are defined as living in their own module, including this class.
+        template("base_resolver.erb", "#{options[:directory]}/resolvers/base_resolver.rb")
+
         # Note: You can't have a schema without the query type, otherwise introspection breaks
         template("query_type.erb", "#{options[:directory]}/types/query_type.rb")
         insert_root_type('query', 'QueryType')

data/lib/generators/graphql/templates/base_argument.erb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 <% module_namespacing_when_supported do -%>
 module Types
   class BaseArgument < GraphQL::Schema::Argument

data/lib/generators/graphql/templates/base_connection.erb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 <% module_namespacing_when_supported do -%>
 module Types
   class BaseConnection < Types::BaseObject

data/lib/generators/graphql/templates/base_edge.erb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 <% module_namespacing_when_supported do -%>
 module Types
   class BaseEdge < Types::BaseObject

data/lib/generators/graphql/templates/base_enum.erb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 <% module_namespacing_when_supported do -%>
 module Types
   class BaseEnum < GraphQL::Schema::Enum

data/lib/generators/graphql/templates/base_field.erb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 <% module_namespacing_when_supported do -%>
 module Types
   class BaseField < GraphQL::Schema::Field

data/lib/generators/graphql/templates/base_input_object.erb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 <% module_namespacing_when_supported do -%>
 module Types
   class BaseInputObject < GraphQL::Schema::InputObject

data/lib/generators/graphql/templates/base_interface.erb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 <% module_namespacing_when_supported do -%>
 module Types
   module BaseInterface

data/lib/generators/graphql/templates/base_object.erb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 <% module_namespacing_when_supported do -%>
 module Types
   class BaseObject < GraphQL::Schema::Object

data/lib/generators/graphql/templates/base_resolver.erb

@@ -0,0 +1,6 @@
+<% module_namespacing_when_supported do -%>
+module Resolvers
+  class BaseResolver < GraphQL::Schema::Resolver
+  end
+end
+<% end -%>

data/lib/generators/graphql/templates/base_scalar.erb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 <% module_namespacing_when_supported do -%>
 module Types
   class BaseScalar < GraphQL::Schema::Scalar

data/lib/generators/graphql/templates/base_union.erb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 <% module_namespacing_when_supported do -%>
 module Types
   class BaseUnion < GraphQL::Schema::Union

data/lib/generators/graphql/templates/graphql_controller.erb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 <% module_namespacing_when_supported do -%>
 class GraphqlController < ApplicationController
   # If accessing from outside this domain, nullify the session

data/lib/generators/graphql/templates/loader.erb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 <% module_namespacing_when_supported do -%>
 module Loaders
   class <%= class_name %> < GraphQL::Batch::Loader

data/lib/generators/graphql/templates/mutation.erb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 <% module_namespacing_when_supported do -%>
 module Mutations
   class <%= class_name %> < BaseMutation

data/lib/generators/graphql/templates/node_type.erb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 <% module_namespacing_when_supported do -%>
 module Types
   module NodeType

data/lib/generators/graphql/templates/query_type.erb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 <% module_namespacing_when_supported do -%>
 module Types
   class QueryType < Types::BaseObject

data/lib/generators/graphql/templates/schema.erb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 <% module_namespacing_when_supported do -%>
 class <%= schema_name %> < GraphQL::Schema
   query(Types::QueryType)

data/lib/graphql/analysis/ast/analyzer.rb

@@ -29,6 +29,13 @@ module GraphQL
           true
         end
 
+        # Analyzer hook to decide at analysis time whether analysis
+        # requires a visitor pass; can be disabled for precomputed results.
+        # @return [Boolean] If analysis requires visitation or not
+        def visit?
+          true
+        end
+
         # The result for this analyzer. Returning {GraphQL::AnalysisError} results
         # in a query error.
         # @return [Any] The analyzer result

data/lib/graphql/analysis/ast/field_usage.rb

@@ -8,6 +8,7 @@ module GraphQL
           @used_fields = Set.new
           @used_deprecated_fields = Set.new
           @used_deprecated_arguments = Set.new
+          @used_deprecated_enum_values = Set.new
         end
 
         def on_leave_field(node, parent, visitor)
@@ -15,7 +16,7 @@ module GraphQL
           field = "#{visitor.parent_type_definition.graphql_name}.#{field_defn.graphql_name}"
           @used_fields << field
           @used_deprecated_fields << field if field_defn.deprecation_reason
-          arguments = visitor.query.arguments_for(node, visitor.field_definition)
+          arguments = visitor.query.arguments_for(node, field_defn)
           # If there was an error when preparing this argument object,
           # then this might be an error or something:
           if arguments.respond_to?(:argument_values)
@@ -28,6 +29,7 @@ module GraphQL
             used_fields: @used_fields.to_a,
             used_deprecated_fields: @used_deprecated_fields.to_a,
             used_deprecated_arguments: @used_deprecated_arguments.to_a,
+            used_deprecated_enum_values: @used_deprecated_enum_values.to_a,
           }
         end
 
@@ -41,16 +43,39 @@ module GraphQL
 
             next if argument.value.nil?
 
-            if argument.definition.type.kind.input_object?
+            argument_type = argument.definition.type
+            if argument_type.non_null?
+              argument_type = argument_type.of_type
+            end
+
+            if argument_type.kind.input_object?
               extract_deprecated_arguments(argument.value.arguments.argument_values) # rubocop:disable Development/ContextIsPassedCop -- runtime args instance
-            elsif argument.definition.type.list?
-              argument
-                .value
-                .select { |value| value.respond_to?(:arguments) }
-                .each { |value| extract_deprecated_arguments(value.arguments.argument_values) } # rubocop:disable Development/ContextIsPassedCop -- runtime args instance
+            elsif argument_type.kind.enum?
+              extract_deprecated_enum_value(argument_type, argument.value)
+            elsif argument_type.list?
+              inner_type = argument_type.unwrap
+              case inner_type.kind
+              when TypeKinds::INPUT_OBJECT
+                argument.value.each do |value|
+                  extract_deprecated_arguments(value.arguments.argument_values) # rubocop:disable Development/ContextIsPassedCop -- runtime args instance
+                end
+              when TypeKinds::ENUM
+                argument.value.each do |value|
+                  extract_deprecated_enum_value(inner_type, value)
+                end
+              else
+                # Not a kind of input that we track
+              end
             end
           end
         end
+
+        def extract_deprecated_enum_value(enum_type, value)
+          enum_value = @query.warden.enum_values(enum_type).find { |ev| ev.value == value }
+          if enum_value&.deprecation_reason
+            @used_deprecated_enum_values << enum_value.path
+          end
+        end
       end
     end
   end

data/lib/graphql/analysis/ast/query_complexity.rb

@@ -16,10 +16,11 @@ module GraphQL
           max_possible_complexity
         end
 
-        class ScopedTypeComplexity
-          # A single proc for {#scoped_children} hashes. Use this to avoid repeated allocations,
-          # since the lexical binding isn't important.
-          HASH_CHILDREN = ->(h, k) { h[k] = {} }
+        # ScopedTypeComplexity models a tree of GraphQL types mapped to inner selections, ie:
+        # Hash<GraphQL::BaseType, Hash<String, ScopedTypeComplexity>>
+        class ScopedTypeComplexity < Hash
+          # A proc for defaulting empty namespace requests as a new scope hash.
+          DEFAULT_PROC = ->(h, k) { h[k] = {} }
 
           attr_reader :field_definition, :response_path, :query
 
@@ -27,32 +28,19 @@ module GraphQL
           # @param field_definition [GraphQL::Field, GraphQL::Schema::Field] Used for getting the `.complexity` configuration
           # @param query [GraphQL::Query] Used for `query.possible_types`
           # @param response_path [Array<String>] The path to the response key for the field
+          # @return [Hash<GraphQL::BaseType, Hash<String, ScopedTypeComplexity>>]
           def initialize(parent_type, field_definition, query, response_path)
+            super(&DEFAULT_PROC)
             @parent_type = parent_type
             @field_definition = field_definition
             @query = query
             @response_path = response_path
-            @scoped_children = nil
             @nodes = []
           end
 
           # @return [Array<GraphQL::Language::Nodes::Field>]
           attr_reader :nodes
 
-          # Returns true if this field has no selections, ie, it's a scalar.
-          # We need a quick way to check whether we should continue traversing.
-          def terminal?
-            @scoped_children.nil?
-          end
-
-          # This value is only calculated when asked for to avoid needless hash allocations.
-          # Also, if it's never asked for, we determine that this scope complexity
-          # is a scalar field ({#terminal?}).
-          # @return [Hash<Hash<Class => ScopedTypeComplexity>]
-          def scoped_children
-            @scoped_children ||= Hash.new(&HASH_CHILDREN)
-          end
-
           def own_complexity(child_complexity)
             @field_definition.calculate_complexity(query: @query, nodes: @nodes, child_complexity: child_complexity)
           end
@@ -65,19 +53,14 @@ module GraphQL
           return if visitor.skipping?
           parent_type = visitor.parent_type_definition
           field_key = node.alias || node.name
-          # Find the complexity calculation for this field --
-          # if we're re-entering a selection, we'll already have one.
-          # Otherwise, make a new one and store it.
-          #
-          # `node` and `visitor.field_definition` may appear from a cache,
-          # but I think that's ok. If the arguments _didn't_ match,
-          # then the query would have been rejected as invalid.
-          complexities_on_type = @complexities_on_type_by_query[visitor.query] ||= [ScopedTypeComplexity.new(nil, nil, query, visitor.response_path)]
-
-          complexity = complexities_on_type.last.scoped_children[parent_type][field_key] ||= ScopedTypeComplexity.new(parent_type, visitor.field_definition, visitor.query, visitor.response_path)
-          complexity.nodes.push(node)
-          # Push it on the stack.
-          complexities_on_type.push(complexity)
+
+          # Find or create a complexity scope stack for this query.
+          scopes_stack = @complexities_on_type_by_query[visitor.query] ||= [ScopedTypeComplexity.new(nil, nil, query, visitor.response_path)]
+
+          # Find or create the complexity costing node for this field.
+          scope = scopes_stack.last[parent_type][field_key] ||= ScopedTypeComplexity.new(parent_type, visitor.field_definition, visitor.query, visitor.response_path)
+          scope.nodes.push(node)
+          scopes_stack.push(scope)
         end
 
         def on_leave_field(node, parent, visitor)
@@ -85,89 +68,61 @@ module GraphQL
           # we'll visit them when we hit the spreads instead
           return if visitor.visiting_fragment_definition?
           return if visitor.skipping?
-          complexities_on_type = @complexities_on_type_by_query[visitor.query]
-          complexities_on_type.pop
+          scopes_stack = @complexities_on_type_by_query[visitor.query]
+          scopes_stack.pop
         end
 
         private
 
         # @return [Integer]
         def max_possible_complexity
-          @complexities_on_type_by_query.reduce(0) do |total, (query, complexities_on_type)|
-            root_complexity = complexities_on_type.last
-            # Use this entry point to calculate the total complexity
-            total_complexity_for_query = merged_max_complexity_for_scopes(query, [root_complexity.scoped_children])
-            total + total_complexity_for_query
+          @complexities_on_type_by_query.reduce(0) do |total, (query, scopes_stack)|
+            total + merged_max_complexity_for_scopes(query, [scopes_stack.first])
           end
         end
 
         # @param query [GraphQL::Query] Used for `query.possible_types`
-        # @param scoped_children_hashes [Array<Hash>] Array of scoped children hashes
+        # @param scopes [Array<ScopedTypeComplexity>] Array of scoped type complexities
         # @return [Integer]
-        def merged_max_complexity_for_scopes(query, scoped_children_hashes)
-          # Figure out what scopes are possible here.
+        def merged_max_complexity_for_scopes(query, scopes)
+          # Aggregate a set of all possible scope types encountered (scope keys).
           # Use a hash, but ignore the values; it's just a fast way to work with the keys.
-          all_scopes = {}
-          scoped_children_hashes.each do |h|
-            all_scopes.merge!(h)
+          possible_scope_types = scopes.each_with_object({}) do |scope, memo|
+            memo.merge!(scope)
           end
 
-          # If an abstract scope is present, but _all_ of its concrete types
-          # are also in the list, remove it from the list of scopes to check,
-          # because every possible type is covered by a concrete type.
-          # (That is, there are no remainder types to check.)
-          prev_keys = all_scopes.keys
-          prev_keys.each do |scope|
-            next unless scope.kind.abstract?
-
-            missing_concrete_types = query.possible_types(scope).select { |t| !all_scopes.key?(t) }
-            # This concrete type is possible _only_ as a member of the abstract type.
-            # So, attribute to it the complexity which belongs to the abstract type.
-            missing_concrete_types.each do |concrete_scope|
-              all_scopes[concrete_scope] = all_scopes[scope]
+          # Expand abstract scope types into their concrete implementations;
+          # overlapping abstracts coalesce through their intersecting types.
+          possible_scope_types.keys.each do |possible_scope_type|
+            next unless possible_scope_type.kind.abstract?
+
+            query.possible_types(possible_scope_type).each do |impl_type|
+              possible_scope_types[impl_type] ||= true
             end
-            all_scopes.delete(scope)
+            possible_scope_types.delete(possible_scope_type)
           end
 
-          # This will hold `{ type => int }` pairs, one for each possible branch
-          complexity_by_scope = {}
-
-          # For each scope,
-          # find the lexical selections that might apply to it,
-          # and gather them together into an array.
-          # Then, treat the set of selection hashes
-          # as a set and calculate the complexity for them as a unit
-          all_scopes.each do |scope, _|
-            # These will be the selections on `scope`
-            children_for_scope = []
-            scoped_children_hashes.each do |sc_h|
-              sc_h.each do |inner_scope, children_hash|
-                if applies_to?(query, scope, inner_scope)
-                  children_for_scope << children_hash
-                end
+          # Aggregate the lexical selections that may apply to each possible type,
+          # and then return the maximum cost among possible typed selections.
+          possible_scope_types.each_key.reduce(0) do |max, possible_scope_type|
+            # Collect inner selections from all scopes that intersect with this possible type.
+            all_inner_selections = scopes.each_with_object([]) do |scope, memo|
+              scope.each do |scope_type, inner_selections|
+                memo << inner_selections if types_intersect?(query, scope_type, possible_scope_type)
               end
             end
 
-            # Calculate the complexity for `scope`, merging all
-            # possible lexical branches.
-            complexity_value = merged_max_complexity(query, children_for_scope)
-            complexity_by_scope[scope] = complexity_value
+            # Find the maximum complexity for the scope type among possible lexical branches.
+            complexity = merged_max_complexity(query, all_inner_selections)
+            complexity > max ? complexity : max
           end
-
-          # Return the max complexity among all scopes
-          complexity_by_scope.each_value.max
         end
 
-        def applies_to?(query, left_scope, right_scope)
-          if left_scope == right_scope
-            # This can happen when several branches are being analyzed together
-            true
-          else
-            # Check if these two scopes have _any_ types in common.
-            possible_right_types = query.possible_types(right_scope)
-            possible_left_types = query.possible_types(left_scope)
-            !(possible_right_types & possible_left_types).empty?
-          end
+        def types_intersect?(query, a, b)
+          return true if a == b
+
+          a_types = query.possible_types(a)
+          query.possible_types(b).any? { |t| a_types.include?(t) }
         end
 
         # A hook which is called whenever a field's max complexity is calculated.
@@ -179,50 +134,47 @@ module GraphQL
         def field_complexity(scoped_type_complexity, max_complexity:, child_complexity: nil)
         end
 
-        # @param children_for_scope [Array<Hash>] An array of `scoped_children[scope]` hashes
-        # (`{field_key => complexity}`)
-        # @return [Integer] Complexity value for all these selections in the current scope
-        def merged_max_complexity(query, children_for_scope)
-          all_keys = []
-          children_for_scope.each do |c|
-            all_keys.concat(c.keys)
+        # @param inner_selections [Array<Hash<String, ScopedTypeComplexity>>] Field selections for a scope
+        # @return [Integer] Total complexity value for all these selections in the parent scope
+        def merged_max_complexity(query, inner_selections)
+          # Aggregate a set of all unique field selection keys across all scopes.
+          # Use a hash, but ignore the values; it's just a fast way to work with the keys.
+          unique_field_keys = inner_selections.each_with_object({}) do |inner_selection, memo|
+            memo.merge!(inner_selection)
           end
-          all_keys.uniq!
-          complexity_for_keys = {}
-
-          all_keys.each do |child_key|
-            scoped_children_for_key = nil
-            complexity_for_key = nil
-            children_for_scope.each do |children_hash|
-              next unless children_hash.key?(child_key)
-
-              complexity_for_key = children_hash[child_key]
-              if complexity_for_key.terminal?
-                # Assume that all terminals would return the same complexity
-                # Since it's a terminal, its child complexity is zero.
-                complexity = complexity_for_key.own_complexity(0)
-                complexity_for_keys[child_key] = complexity
-
-                field_complexity(complexity_for_key, max_complexity: complexity, child_complexity: nil)
+
+          # Add up the total cost for each unique field name's coalesced selections
+          unique_field_keys.each_key.reduce(0) do |total, field_key|
+            composite_scopes = nil
+            field_cost = 0
+
+            # Collect composite selection scopes for further aggregation,
+            # leaf selections report their costs directly.
+            inner_selections.each do |inner_selection|
+              child_scope = inner_selection[field_key]
+              next unless child_scope
+
+              # Empty child scopes are leaf nodes with zero child complexity.
+              if child_scope.empty?
+                field_cost = child_scope.own_complexity(0)
+                field_complexity(child_scope, max_complexity: field_cost, child_complexity: nil)
               else
-                scoped_children_for_key ||= []
-                scoped_children_for_key << complexity_for_key.scoped_children
+                composite_scopes ||= []
+                composite_scopes << child_scope
               end
             end
 
-            next unless scoped_children_for_key
+            if composite_scopes
+              child_complexity = merged_max_complexity_for_scopes(query, composite_scopes)
 
-            child_complexity = merged_max_complexity_for_scopes(query, scoped_children_for_key)
-            # This is the _last_ one we visited; assume it's representative.
-            max_complexity = complexity_for_key.own_complexity(child_complexity)
-
-            field_complexity(complexity_for_key, max_complexity: max_complexity, child_complexity: child_complexity)
+              # This is the last composite scope visited; assume it's representative (for backwards compatibility).
+              # Note: it would be more correct to score each composite scope and use the maximum possibility.
+              field_cost = composite_scopes.last.own_complexity(child_complexity)
+              field_complexity(composite_scopes.last, max_complexity: field_cost, child_complexity: child_complexity)
+            end
 
-            complexity_for_keys[child_key] = max_complexity
+            total + field_cost
           end
-
-          # Calculate the child complexity by summing the complexity of all selections
-          complexity_for_keys.each_value.inject(0, &:+)
         end
       end
     end

data/lib/graphql/analysis/ast/query_depth.rb

@@ -28,17 +28,22 @@ module GraphQL
         def initialize(query)
           @max_depth = 0
           @current_depth = 0
+          @count_introspection_fields = query.schema.count_introspection_fields
           super
         end
 
         def on_enter_field(node, parent, visitor)
-          return if visitor.skipping? || visitor.visiting_fragment_definition?
+          return if visitor.skipping? ||
+            visitor.visiting_fragment_definition? ||
+              (@count_introspection_fields == false && visitor.field_definition.introspection?)
 
           @current_depth += 1
         end
 
         def on_leave_field(node, parent, visitor)
-          return if visitor.skipping? || visitor.visiting_fragment_definition?
+          return if visitor.skipping? ||
+            visitor.visiting_fragment_definition? ||
+            (@count_introspection_fields == false && visitor.field_definition.introspection?)
 
           if @max_depth < @current_depth
             @max_depth = @current_depth

data/lib/graphql/analysis/ast/visitor.rb

@@ -5,12 +5,12 @@ module GraphQL
       # Depth first traversal through a query AST, calling AST analyzers
       # along the way.
       #
-      # The visitor is a special case of GraphQL::Language::Visitor, visiting
+      # The visitor is a special case of GraphQL::Language::StaticVisitor, visiting
       # only the selected operation, providing helpers for common use cases such
       # as skipped fields and visiting fragment spreads.
       #
       # @see {GraphQL::Analysis::AST::Analyzer} AST Analyzers for queries
-      class Visitor < GraphQL::Language::Visitor
+      class Visitor < GraphQL::Language::StaticVisitor
         def initialize(query:, analyzers:)
           @analyzers = analyzers
           @path = []

data/lib/graphql/analysis/ast.rb

@@ -6,6 +6,7 @@ require "graphql/analysis/ast/query_complexity"
 require "graphql/analysis/ast/max_query_complexity"
 require "graphql/analysis/ast/query_depth"
 require "graphql/analysis/ast/max_query_depth"
+require "timeout"
 
 module GraphQL
   module Analysis
@@ -51,30 +52,39 @@ module GraphQL
         query.current_trace.analyze_query(query: query) do
           query_analyzers = analyzers
             .map { |analyzer| analyzer.new(query) }
-            .select { |analyzer| analyzer.analyze? }
+            .tap { _1.select!(&:analyze?) }
 
           analyzers_to_run = query_analyzers + multiplex_analyzers
           if analyzers_to_run.any?
-            visitor = GraphQL::Analysis::AST::Visitor.new(
-              query: query,
-              analyzers: analyzers_to_run
-            )
 
-            visitor.visit
+            analyzers_to_run.select!(&:visit?)
+            if analyzers_to_run.any?
+              visitor = GraphQL::Analysis::AST::Visitor.new(
+                query: query,
+                analyzers: analyzers_to_run
+              )
 
-            if visitor.rescued_errors.any?
-              visitor.rescued_errors
-            else
-              query_analyzers.map(&:result)
+              # `nil` or `0` causes no timeout
+              Timeout::timeout(query.validate_timeout_remaining) do
+                visitor.visit
+              end
+
+              if visitor.rescued_errors.any?
+                return visitor.rescued_errors
+              end
             end
+
+            query_analyzers.map(&:result)
           else
             []
           end
         end
+      rescue Timeout::Error
+        [GraphQL::AnalysisError.new("Timeout on validation of query")]
       end
 
       def analysis_errors(results)
-        results.flatten.select { |r| r.is_a?(GraphQL::AnalysisError) }
+        results.flatten.tap { _1.select! { |r| r.is_a?(GraphQL::AnalysisError) } }
       end
     end
   end