graphql 15.7.2 → 15.9.0

package/execution/execute.js

@@ -285,19 +285,30 @@ function executeFields(exeContext, parentType, sourceValue, path, fields) {
   var results = Object.create(null);
   var containsPromise = false;
 
-  for (var _i4 = 0, _Object$keys2 = Object.keys(fields); _i4 < _Object$keys2.length; _i4++) {
-    var responseName = _Object$keys2[_i4];
-    var fieldNodes = fields[responseName];
-    var fieldPath = (0, _Path.addPath)(path, responseName, parentType.name);
-    var result = resolveField(exeContext, parentType, sourceValue, fieldNodes, fieldPath);
+  try {
+    for (var _i4 = 0, _Object$keys2 = Object.keys(fields); _i4 < _Object$keys2.length; _i4++) {
+      var responseName = _Object$keys2[_i4];
+      var fieldNodes = fields[responseName];
+      var fieldPath = (0, _Path.addPath)(path, responseName, parentType.name);
+      var result = resolveField(exeContext, parentType, sourceValue, fieldNodes, fieldPath);
 
-    if (result !== undefined) {
-      results[responseName] = result;
+      if (result !== undefined) {
+        results[responseName] = result;
 
-      if ((0, _isPromise.default)(result)) {
-        containsPromise = true;
+        if ((0, _isPromise.default)(result)) {
+          containsPromise = true;
+        }
       }
     }
+  } catch (error) {
+    if (containsPromise) {
+      // Ensure that any promises returned by other fields are handled, as they may also reject.
+      return (0, _promiseForObject.default)(results).finally(function () {
+        throw error;
+      });
+    }
+
+    throw error;
   } // If there are no promises, we can just return the object
 
 

package/execution/execute.js.flow

@@ -457,23 +457,33 @@ function executeFields(
   const results = Object.create(null);
   let containsPromise = false;
 
-  for (const responseName of Object.keys(fields)) {
-    const fieldNodes = fields[responseName];
-    const fieldPath = addPath(path, responseName, parentType.name);
-    const result = resolveField(
-      exeContext,
-      parentType,
-      sourceValue,
-      fieldNodes,
-      fieldPath,
-    );
+  try {
+    for (const responseName of Object.keys(fields)) {
+      const fieldNodes = fields[responseName];
+      const fieldPath = addPath(path, responseName, parentType.name);
+      const result = resolveField(
+        exeContext,
+        parentType,
+        sourceValue,
+        fieldNodes,
+        fieldPath,
+      );
 
-    if (result !== undefined) {
-      results[responseName] = result;
-      if (isPromise(result)) {
-        containsPromise = true;
+      if (result !== undefined) {
+        results[responseName] = result;
+        if (isPromise(result)) {
+          containsPromise = true;
+        }
       }
     }
+  } catch (error) {
+    if (containsPromise) {
+      // Ensure that any promises returned by other fields are handled, as they may also reject.
+      return promiseForObject(results).finally(() => {
+        throw error;
+      });
+    }
+    throw error;
   }
 
   // If there are no promises, we can just return the object

package/execution/execute.mjs

@@ -273,19 +273,30 @@ function executeFields(exeContext, parentType, sourceValue, path, fields) {
   var results = Object.create(null);
   var containsPromise = false;
 
-  for (var _i4 = 0, _Object$keys2 = Object.keys(fields); _i4 < _Object$keys2.length; _i4++) {
-    var responseName = _Object$keys2[_i4];
-    var fieldNodes = fields[responseName];
-    var fieldPath = addPath(path, responseName, parentType.name);
-    var result = resolveField(exeContext, parentType, sourceValue, fieldNodes, fieldPath);
+  try {
+    for (var _i4 = 0, _Object$keys2 = Object.keys(fields); _i4 < _Object$keys2.length; _i4++) {
+      var responseName = _Object$keys2[_i4];
+      var fieldNodes = fields[responseName];
+      var fieldPath = addPath(path, responseName, parentType.name);
+      var result = resolveField(exeContext, parentType, sourceValue, fieldNodes, fieldPath);
 
-    if (result !== undefined) {
-      results[responseName] = result;
+      if (result !== undefined) {
+        results[responseName] = result;
 
-      if (isPromise(result)) {
-        containsPromise = true;
+        if (isPromise(result)) {
+          containsPromise = true;
+        }
       }
     }
+  } catch (error) {
+    if (containsPromise) {
+      // Ensure that any promises returned by other fields are handled, as they may also reject.
+      return promiseForObject(results).finally(function () {
+        throw error;
+      });
+    }
+
+    throw error;
   } // If there are no promises, we can just return the object
 
 

package/index.d.ts

@@ -138,6 +138,8 @@ export {
   GraphQLNullableType,
   GraphQLNamedType,
   Thunk,
+  GraphQLNamedInputType,
+  GraphQLNamedOutputType,
   GraphQLSchemaConfig,
   GraphQLSchemaExtensions,
   GraphQLDirectiveConfig,
@@ -315,6 +317,7 @@ export {
   ValidationContext,
   // All validation rules in the GraphQL Specification.
   specifiedRules,
+  recommendedRules,
   // Individual validation rules.
   ExecutableDefinitionsRule,
   FieldsOnCorrectTypeRule,

package/index.js

@@ -747,6 +747,12 @@ Object.defineProperty(exports, "specifiedRules", {
     return _index5.specifiedRules;
   }
 });
+Object.defineProperty(exports, "recommendedRules", {
+  enumerable: true,
+  get: function get() {
+    return _index5.recommendedRules;
+  }
+});
 Object.defineProperty(exports, "ExecutableDefinitionsRule", {
   enumerable: true,
   get: function get() {
@@ -903,6 +909,12 @@ Object.defineProperty(exports, "VariablesInAllowedPositionRule", {
     return _index5.VariablesInAllowedPositionRule;
   }
 });
+Object.defineProperty(exports, "MaxIntrospectionDepthRule", {
+  enumerable: true,
+  get: function get() {
+    return _index5.MaxIntrospectionDepthRule;
+  }
+});
 Object.defineProperty(exports, "LoneSchemaDefinitionRule", {
   enumerable: true,
   get: function get() {

package/index.js.flow

@@ -138,6 +138,8 @@ export type {
   GraphQLNullableType,
   GraphQLNamedType,
   Thunk,
+  GraphQLNamedInputType,
+  GraphQLNamedOutputType,
   GraphQLSchemaConfig,
   GraphQLDirectiveConfig,
   GraphQLArgument,
@@ -302,6 +304,7 @@ export {
   ValidationContext,
   // All validation rules in the GraphQL Specification.
   specifiedRules,
+  recommendedRules,
   // Individual validation rules.
   ExecutableDefinitionsRule,
   FieldsOnCorrectTypeRule,
@@ -329,6 +332,7 @@ export {
   ValuesOfCorrectTypeRule,
   VariablesAreInputTypesRule,
   VariablesInAllowedPositionRule,
+  MaxIntrospectionDepthRule,
   // SDL-specific validation rules
   LoneSchemaDefinitionRule,
   UniqueOperationTypesRule,

package/index.mjs

@@ -51,8 +51,8 @@ export { execute, executeSync, defaultFieldResolver, defaultTypeResolver, respon
 export { subscribe, createSourceEventStream } from "./subscription/index.mjs";
 // Validate GraphQL documents.
 export { validate, ValidationContext // All validation rules in the GraphQL Specification.
-, specifiedRules // Individual validation rules.
-, ExecutableDefinitionsRule, FieldsOnCorrectTypeRule, FragmentsOnCompositeTypesRule, KnownArgumentNamesRule, KnownDirectivesRule, KnownFragmentNamesRule, KnownTypeNamesRule, LoneAnonymousOperationRule, NoFragmentCyclesRule, NoUndefinedVariablesRule, NoUnusedFragmentsRule, NoUnusedVariablesRule, OverlappingFieldsCanBeMergedRule, PossibleFragmentSpreadsRule, ProvidedRequiredArgumentsRule, ScalarLeafsRule, SingleFieldSubscriptionsRule, UniqueArgumentNamesRule, UniqueDirectivesPerLocationRule, UniqueFragmentNamesRule, UniqueInputFieldNamesRule, UniqueOperationNamesRule, UniqueVariableNamesRule, ValuesOfCorrectTypeRule, VariablesAreInputTypesRule, VariablesInAllowedPositionRule // SDL-specific validation rules
+, specifiedRules, recommendedRules // Individual validation rules.
+, ExecutableDefinitionsRule, FieldsOnCorrectTypeRule, FragmentsOnCompositeTypesRule, KnownArgumentNamesRule, KnownDirectivesRule, KnownFragmentNamesRule, KnownTypeNamesRule, LoneAnonymousOperationRule, NoFragmentCyclesRule, NoUndefinedVariablesRule, NoUnusedFragmentsRule, NoUnusedVariablesRule, OverlappingFieldsCanBeMergedRule, PossibleFragmentSpreadsRule, ProvidedRequiredArgumentsRule, ScalarLeafsRule, SingleFieldSubscriptionsRule, UniqueArgumentNamesRule, UniqueDirectivesPerLocationRule, UniqueFragmentNamesRule, UniqueInputFieldNamesRule, UniqueOperationNamesRule, UniqueVariableNamesRule, ValuesOfCorrectTypeRule, VariablesAreInputTypesRule, VariablesInAllowedPositionRule, MaxIntrospectionDepthRule // SDL-specific validation rules
 , LoneSchemaDefinitionRule, UniqueOperationTypesRule, UniqueTypeNamesRule, UniqueEnumValueNamesRule, UniqueFieldDefinitionNamesRule, UniqueDirectiveNamesRule, PossibleTypeExtensionsRule // Custom validation rules
 , NoDeprecatedCustomRule, NoSchemaIntrospectionCustomRule } from "./validation/index.mjs";
 // Create, format, and print GraphQL errors.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "graphql",
-  "version": "15.7.2",
+  "version": "15.9.0",
   "description": "A Query Language and Runtime which can target any service.",
   "license": "MIT",
   "main": "index",
@@ -21,5 +21,8 @@
   ],
   "engines": {
     "node": ">= 10.x"
+  },
+  "publishConfig": {
+    "tag": "15.x.x"
   }
 }

package/type/definition.d.ts

@@ -254,19 +254,27 @@ export function getNullableType<T extends GraphQLNullableType>(
 /**
  * These named types do not include modifiers like List or NonNull.
  */
-export type GraphQLNamedType =
+export type GraphQLNamedType = GraphQLNamedInputType | GraphQLNamedOutputType;
+
+export type GraphQLNamedInputType =
+  | GraphQLScalarType
+  | GraphQLEnumType
+  | GraphQLInputObjectType;
+
+export type GraphQLNamedOutputType =
   | GraphQLScalarType
   | GraphQLObjectType
   | GraphQLInterfaceType
   | GraphQLUnionType
-  | GraphQLEnumType
-  | GraphQLInputObjectType;
+  | GraphQLEnumType;
 
 export function isNamedType(type: any): type is GraphQLNamedType;
 
 export function assertNamedType(type: any): GraphQLNamedType;
 
 export function getNamedType(type: undefined): undefined;
+export function getNamedType(type: GraphQLInputType): GraphQLNamedInputType;
+export function getNamedType(type: GraphQLOutputType): GraphQLNamedOutputType;
 export function getNamedType(type: GraphQLType): GraphQLNamedType;
 
 /**

package/type/definition.js.flow

@@ -494,13 +494,19 @@ export function getNullableType(type) {
 /**
  * These named types do not include modifiers like List or NonNull.
  */
-export type GraphQLNamedType =
+export type GraphQLNamedType = GraphQLNamedInputType | GraphQLNamedOutputType;
+
+export type GraphQLNamedInputType =
+  | GraphQLScalarType
+  | GraphQLEnumType
+  | GraphQLInputObjectType;
+
+export type GraphQLNamedOutputType =
   | GraphQLScalarType
   | GraphQLObjectType
   | GraphQLInterfaceType
   | GraphQLUnionType
-  | GraphQLEnumType
-  | GraphQLInputObjectType;
+  | GraphQLEnumType;
 
 export function isNamedType(type: mixed): boolean %checks {
   return (
@@ -522,6 +528,8 @@ export function assertNamedType(type: mixed): GraphQLNamedType {
 
 /* eslint-disable no-redeclare */
 declare function getNamedType(type: void | null): void;
+declare function getNamedType(type: GraphQLInputType): GraphQLNamedInputType;
+declare function getNamedType(type: GraphQLOutputType): GraphQLNamedOutputType;
 declare function getNamedType(type: GraphQLType): GraphQLNamedType;
 export function getNamedType(type) {
   /* eslint-enable no-redeclare */

package/type/index.d.ts

@@ -74,6 +74,8 @@ export {
   GraphQLNullableType,
   GraphQLNamedType,
   Thunk,
+  GraphQLNamedInputType,
+  GraphQLNamedOutputType,
   GraphQLArgument,
   GraphQLArgumentConfig,
   GraphQLArgumentExtensions,

package/type/index.js.flow

@@ -130,6 +130,8 @@ export type {
   GraphQLNullableType,
   GraphQLNamedType,
   Thunk,
+  GraphQLNamedInputType,
+  GraphQLNamedOutputType,
   GraphQLArgument,
   GraphQLArgumentConfig,
   GraphQLEnumTypeConfig,

package/validation/index.d.ts

@@ -2,7 +2,7 @@ export { validate } from './validate';
 
 export { ValidationContext, ValidationRule } from './ValidationContext';
 
-export { specifiedRules } from './specifiedRules';
+export { specifiedRules, recommendedRules } from './specifiedRules';
 
 // Spec Section: "Executable Definitions"
 export { ExecutableDefinitionsRule } from './rules/ExecutableDefinitionsRule';

package/validation/index.js

@@ -21,6 +21,12 @@ Object.defineProperty(exports, "specifiedRules", {
     return _specifiedRules.specifiedRules;
   }
 });
+Object.defineProperty(exports, "recommendedRules", {
+  enumerable: true,
+  get: function get() {
+    return _specifiedRules.recommendedRules;
+  }
+});
 Object.defineProperty(exports, "ExecutableDefinitionsRule", {
   enumerable: true,
   get: function get() {
@@ -177,6 +183,12 @@ Object.defineProperty(exports, "VariablesInAllowedPositionRule", {
     return _VariablesInAllowedPositionRule.VariablesInAllowedPositionRule;
   }
 });
+Object.defineProperty(exports, "MaxIntrospectionDepthRule", {
+  enumerable: true,
+  get: function get() {
+    return _MaxIntrospectionDepthRule.MaxIntrospectionDepthRule;
+  }
+});
 Object.defineProperty(exports, "LoneSchemaDefinitionRule", {
   enumerable: true,
   get: function get() {
@@ -290,6 +302,8 @@ var _VariablesAreInputTypesRule = require("./rules/VariablesAreInputTypesRule.js
 
 var _VariablesInAllowedPositionRule = require("./rules/VariablesInAllowedPositionRule.js");
 
+var _MaxIntrospectionDepthRule = require("./rules/MaxIntrospectionDepthRule.js");
+
 var _LoneSchemaDefinitionRule = require("./rules/LoneSchemaDefinitionRule.js");
 
 var _UniqueOperationTypesRule = require("./rules/UniqueOperationTypesRule.js");

package/validation/index.js.flow

@@ -5,7 +5,7 @@ export { ValidationContext } from './ValidationContext';
 export type { ValidationRule } from './ValidationContext';
 
 // All validation rules in the GraphQL Specification.
-export { specifiedRules } from './specifiedRules';
+export { specifiedRules, recommendedRules } from './specifiedRules';
 
 // Spec Section: "Executable Definitions"
 export { ExecutableDefinitionsRule } from './rules/ExecutableDefinitionsRule';
@@ -85,6 +85,8 @@ export { VariablesAreInputTypesRule } from './rules/VariablesAreInputTypesRule';
 // Spec Section: "All Variable Usages Are Allowed"
 export { VariablesInAllowedPositionRule } from './rules/VariablesInAllowedPositionRule';
 
+export { MaxIntrospectionDepthRule } from './rules/MaxIntrospectionDepthRule';
+
 // SDL-specific validation rules
 export { LoneSchemaDefinitionRule } from './rules/LoneSchemaDefinitionRule';
 export { UniqueOperationTypesRule } from './rules/UniqueOperationTypesRule';

package/validation/index.mjs

@@ -1,7 +1,7 @@
 export { validate } from "./validate.mjs";
 export { ValidationContext } from "./ValidationContext.mjs";
 // All validation rules in the GraphQL Specification.
-export { specifiedRules } from "./specifiedRules.mjs"; // Spec Section: "Executable Definitions"
+export { specifiedRules, recommendedRules } from "./specifiedRules.mjs"; // Spec Section: "Executable Definitions"
 
 export { ExecutableDefinitionsRule } from "./rules/ExecutableDefinitionsRule.mjs"; // Spec Section: "Field Selections on Objects, Interfaces, and Unions Types"
 
@@ -53,7 +53,8 @@ export { ValuesOfCorrectTypeRule } from "./rules/ValuesOfCorrectTypeRule.mjs"; /
 
 export { VariablesAreInputTypesRule } from "./rules/VariablesAreInputTypesRule.mjs"; // Spec Section: "All Variable Usages Are Allowed"
 
-export { VariablesInAllowedPositionRule } from "./rules/VariablesInAllowedPositionRule.mjs"; // SDL-specific validation rules
+export { VariablesInAllowedPositionRule } from "./rules/VariablesInAllowedPositionRule.mjs";
+export { MaxIntrospectionDepthRule } from "./rules/MaxIntrospectionDepthRule.mjs"; // SDL-specific validation rules
 
 export { LoneSchemaDefinitionRule } from "./rules/LoneSchemaDefinitionRule.mjs";
 export { UniqueOperationTypesRule } from "./rules/UniqueOperationTypesRule.mjs";

package/validation/rules/MaxIntrospectionDepthRule.d.ts

@@ -0,0 +1,6 @@
+import { ASTVisitor } from '../../language/visitor';
+import { SDLValidationContext } from '../ValidationContext';
+
+export function MaxIntrospectionDepthRule(
+  context: SDLValidationContext,
+): ASTVisitor;

package/validation/rules/MaxIntrospectionDepthRule.js

@@ -0,0 +1,85 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.MaxIntrospectionDepthRule = MaxIntrospectionDepthRule;
+
+var _GraphQLError = require("../../error/GraphQLError.js");
+
+var _kinds = require("../../language/kinds.js");
+
+var MAX_LISTS_DEPTH = 3;
+
+function MaxIntrospectionDepthRule(context) {
+  /**
+   * Counts the depth of list fields in "__Type" recursively and
+   * returns `true` if the limit has been reached.
+   */
+  function checkDepth(node) {
+    var visitedFragments = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : Object.create(null);
+    var depth = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : 0;
+
+    if (node.kind === _kinds.Kind.FRAGMENT_SPREAD) {
+      var _fragmentName = node.name.value;
+
+      if (visitedFragments[_fragmentName] === true) {
+        // Fragment cycles are handled by `NoFragmentCyclesRule`.
+        return false;
+      }
+
+      var fragment = context.getFragment(_fragmentName);
+
+      if (!fragment) {
+        // Missing fragments checks are handled by `KnownFragmentNamesRule`.
+        return false;
+      } // Rather than following an immutable programming pattern which has
+      // significant memory and garbage collection overhead, we've opted to
+      // take a mutable approach for efficiency's sake. Importantly visiting a
+      // fragment twice is fine, so long as you don't do one visit inside the
+      // other.
+
+
+      try {
+        visitedFragments[_fragmentName] = true;
+        return checkDepth(fragment, visitedFragments, depth);
+      } finally {
+        visitedFragments[_fragmentName] = null;
+      }
+    }
+
+    if (node.kind === _kinds.Kind.FIELD && ( // check all introspection lists
+    node.name.value === 'fields' || node.name.value === 'interfaces' || node.name.value === 'possibleTypes' || node.name.value === 'inputFields')) {
+      // $FlowFixMe[reassign-const] why are argument parameters treated as const in flow?
+      depth++; // eslint-disable-line no-param-reassign
+
+      if (depth >= MAX_LISTS_DEPTH) {
+        return true;
+      }
+    } // handles fields and inline fragments
+
+
+    if ('selectionSet' in node && node.selectionSet) {
+      for (var _i2 = 0, _node$selectionSet$se2 = node.selectionSet.selections; _i2 < _node$selectionSet$se2.length; _i2++) {
+        var child = _node$selectionSet$se2[_i2];
+
+        if (checkDepth(child, visitedFragments, depth)) {
+          return true;
+        }
+      }
+    }
+
+    return false;
+  }
+
+  return {
+    Field: function Field(node) {
+      if (node.name.value === '__schema' || node.name.value === '__type') {
+        if (checkDepth(node)) {
+          context.reportError(new _GraphQLError.GraphQLError('Maximum introspection depth exceeded', [node]));
+          return false;
+        }
+      }
+    }
+  };
+}

package/validation/rules/MaxIntrospectionDepthRule.js.flow

@@ -0,0 +1,91 @@
+// @flow strict
+import { GraphQLError } from '../../error/GraphQLError';
+
+import type { ASTNode } from '../../language/ast';
+import { Kind } from '../../language/kinds';
+import type { ASTVisitor } from '../../language/visitor';
+
+import type { ASTValidationContext } from '../ValidationContext';
+
+const MAX_LISTS_DEPTH = 3;
+
+export function MaxIntrospectionDepthRule(
+  context: ASTValidationContext,
+): ASTVisitor {
+  /**
+   * Counts the depth of list fields in "__Type" recursively and
+   * returns `true` if the limit has been reached.
+   */
+  function checkDepth(
+    node: ASTNode,
+    visitedFragments: {
+      [fragmentName: string]: true | null,
+      __proto__: null,
+    } = Object.create(null),
+    depth: number = 0,
+  ): boolean {
+    if (node.kind === Kind.FRAGMENT_SPREAD) {
+      const fragmentName = node.name.value;
+      if (visitedFragments[fragmentName] === true) {
+        // Fragment cycles are handled by `NoFragmentCyclesRule`.
+        return false;
+      }
+      const fragment = context.getFragment(fragmentName);
+      if (!fragment) {
+        // Missing fragments checks are handled by `KnownFragmentNamesRule`.
+        return false;
+      }
+
+      // Rather than following an immutable programming pattern which has
+      // significant memory and garbage collection overhead, we've opted to
+      // take a mutable approach for efficiency's sake. Importantly visiting a
+      // fragment twice is fine, so long as you don't do one visit inside the
+      // other.
+      try {
+        visitedFragments[fragmentName] = true;
+        return checkDepth(fragment, visitedFragments, depth);
+      } finally {
+        visitedFragments[fragmentName] = null;
+      }
+    }
+
+    if (
+      node.kind === Kind.FIELD &&
+      // check all introspection lists
+      (node.name.value === 'fields' ||
+        node.name.value === 'interfaces' ||
+        node.name.value === 'possibleTypes' ||
+        node.name.value === 'inputFields')
+    ) {
+      // $FlowFixMe[reassign-const] why are argument parameters treated as const in flow?
+      depth++; // eslint-disable-line no-param-reassign
+      if (depth >= MAX_LISTS_DEPTH) {
+        return true;
+      }
+    }
+
+    // handles fields and inline fragments
+    if ('selectionSet' in node && node.selectionSet) {
+      for (const child of node.selectionSet.selections) {
+        if (checkDepth(child, visitedFragments, depth)) {
+          return true;
+        }
+      }
+    }
+
+    return false;
+  }
+
+  return {
+    Field(node) {
+      if (node.name.value === '__schema' || node.name.value === '__type') {
+        if (checkDepth(node)) {
+          context.reportError(
+            new GraphQLError('Maximum introspection depth exceeded', [node]),
+          );
+          return false;
+        }
+      }
+    },
+  };
+}

package/validation/rules/MaxIntrospectionDepthRule.mjs

@@ -0,0 +1,75 @@
+import { GraphQLError } from "../../error/GraphQLError.mjs";
+import { Kind } from "../../language/kinds.mjs";
+var MAX_LISTS_DEPTH = 3;
+export function MaxIntrospectionDepthRule(context) {
+  /**
+   * Counts the depth of list fields in "__Type" recursively and
+   * returns `true` if the limit has been reached.
+   */
+  function checkDepth(node) {
+    var visitedFragments = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : Object.create(null);
+    var depth = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : 0;
+
+    if (node.kind === Kind.FRAGMENT_SPREAD) {
+      var _fragmentName = node.name.value;
+
+      if (visitedFragments[_fragmentName] === true) {
+        // Fragment cycles are handled by `NoFragmentCyclesRule`.
+        return false;
+      }
+
+      var fragment = context.getFragment(_fragmentName);
+
+      if (!fragment) {
+        // Missing fragments checks are handled by `KnownFragmentNamesRule`.
+        return false;
+      } // Rather than following an immutable programming pattern which has
+      // significant memory and garbage collection overhead, we've opted to
+      // take a mutable approach for efficiency's sake. Importantly visiting a
+      // fragment twice is fine, so long as you don't do one visit inside the
+      // other.
+
+
+      try {
+        visitedFragments[_fragmentName] = true;
+        return checkDepth(fragment, visitedFragments, depth);
+      } finally {
+        visitedFragments[_fragmentName] = null;
+      }
+    }
+
+    if (node.kind === Kind.FIELD && ( // check all introspection lists
+    node.name.value === 'fields' || node.name.value === 'interfaces' || node.name.value === 'possibleTypes' || node.name.value === 'inputFields')) {
+      // $FlowFixMe[reassign-const] why are argument parameters treated as const in flow?
+      depth++; // eslint-disable-line no-param-reassign
+
+      if (depth >= MAX_LISTS_DEPTH) {
+        return true;
+      }
+    } // handles fields and inline fragments
+
+
+    if ('selectionSet' in node && node.selectionSet) {
+      for (var _i2 = 0, _node$selectionSet$se2 = node.selectionSet.selections; _i2 < _node$selectionSet$se2.length; _i2++) {
+        var child = _node$selectionSet$se2[_i2];
+
+        if (checkDepth(child, visitedFragments, depth)) {
+          return true;
+        }
+      }
+    }
+
+    return false;
+  }
+
+  return {
+    Field: function Field(node) {
+      if (node.name.value === '__schema' || node.name.value === '__type') {
+        if (checkDepth(node)) {
+          context.reportError(new GraphQLError('Maximum introspection depth exceeded', [node]));
+          return false;
+        }
+      }
+    }
+  };
+}

package/validation/rules/OverlappingFieldsCanBeMergedRule.js

@@ -180,6 +180,13 @@ function collectConflictsBetweenFieldsAndFragment(context, conflicts, cachedFiel
   // and any fragment names found in the given fragment.
 
   for (var i = 0; i < fragmentNames2.length; i++) {
+    var referencedFragmentName = fragmentNames2[i]; // Memoize so two fragments are not compared for conflicts more than once.
+
+    if (comparedFragmentPairs.has(referencedFragmentName, fragmentName, areMutuallyExclusive)) {
+      continue;
+    }
+
+    comparedFragmentPairs.add(referencedFragmentName, fragmentName, areMutuallyExclusive);
     collectConflictsBetweenFieldsAndFragment(context, conflicts, cachedFieldsAndFragmentNames, comparedFragmentPairs, areMutuallyExclusive, fieldMap, fragmentNames2[i]);
   }
 } // Collect all conflicts found between two fragments, including via spreading in

package/validation/rules/OverlappingFieldsCanBeMergedRule.js.flow

@@ -265,6 +265,24 @@ function collectConflictsBetweenFieldsAndFragment(
   // (E) Then collect any conflicts between the provided collection of fields
   // and any fragment names found in the given fragment.
   for (let i = 0; i < fragmentNames2.length; i++) {
+    const referencedFragmentName = fragmentNames2[i];
+
+    // Memoize so two fragments are not compared for conflicts more than once.
+    if (
+      comparedFragmentPairs.has(
+        referencedFragmentName,
+        fragmentName,
+        areMutuallyExclusive,
+      )
+    ) {
+      continue;
+    }
+    comparedFragmentPairs.add(
+      referencedFragmentName,
+      fragmentName,
+      areMutuallyExclusive,
+    );
+
     collectConflictsBetweenFieldsAndFragment(
       context,
       conflicts,

package/validation/rules/OverlappingFieldsCanBeMergedRule.mjs

@@ -164,6 +164,13 @@ function collectConflictsBetweenFieldsAndFragment(context, conflicts, cachedFiel
   // and any fragment names found in the given fragment.
 
   for (var i = 0; i < fragmentNames2.length; i++) {
+    var referencedFragmentName = fragmentNames2[i]; // Memoize so two fragments are not compared for conflicts more than once.
+
+    if (comparedFragmentPairs.has(referencedFragmentName, fragmentName, areMutuallyExclusive)) {
+      continue;
+    }
+
+    comparedFragmentPairs.add(referencedFragmentName, fragmentName, areMutuallyExclusive);
     collectConflictsBetweenFieldsAndFragment(context, conflicts, cachedFieldsAndFragmentNames, comparedFragmentPairs, areMutuallyExclusive, fieldMap, fragmentNames2[i]);
   }
 } // Collect all conflicts found between two fragments, including via spreading in

package/validation/specifiedRules.d.ts

@@ -1,5 +1,11 @@
 import { ValidationRule, SDLValidationRule } from './ValidationContext';
 
+/**
+ * Technically these aren't part of the spec but they are strongly encouraged
+ * validation rules.
+ */
+export const recommendedRules: ReadonlyArray<ValidationRule>;
+
 /**
  * This set includes all validation rules defined by the GraphQL spec.
  *

package/validation/specifiedRules.js

@@ -3,7 +3,7 @@
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
-exports.specifiedSDLRules = exports.specifiedRules = void 0;
+exports.specifiedSDLRules = exports.specifiedRules = exports.recommendedRules = void 0;
 
 var _ExecutableDefinitionsRule = require("./rules/ExecutableDefinitionsRule.js");
 
@@ -57,6 +57,8 @@ var _OverlappingFieldsCanBeMergedRule = require("./rules/OverlappingFieldsCanBeM
 
 var _UniqueInputFieldNamesRule = require("./rules/UniqueInputFieldNamesRule.js");
 
+var _MaxIntrospectionDepthRule = require("./rules/MaxIntrospectionDepthRule.js");
+
 var _LoneSchemaDefinitionRule = require("./rules/LoneSchemaDefinitionRule.js");
 
 var _UniqueOperationTypesRule = require("./rules/UniqueOperationTypesRule.js");
@@ -97,15 +99,23 @@ var _PossibleTypeExtensionsRule = require("./rules/PossibleTypeExtensionsRule.js
 // Spec Section: "All Variable Usages Are Allowed"
 // Spec Section: "Field Selection Merging"
 // Spec Section: "Input Object Field Uniqueness"
+// TODO: Spec Section
 // SDL-specific validation rules
 
+/**
+ * Technically these aren't part of the spec but they are strongly encouraged
+ * validation rules.
+ */
+var recommendedRules = Object.freeze([_MaxIntrospectionDepthRule.MaxIntrospectionDepthRule]);
 /**
  * This set includes all validation rules defined by the GraphQL spec.
  *
  * The order of the rules in this list has been adjusted to lead to the
  * most clear output when encountering multiple validation errors.
  */
-var specifiedRules = Object.freeze([_ExecutableDefinitionsRule.ExecutableDefinitionsRule, _UniqueOperationNamesRule.UniqueOperationNamesRule, _LoneAnonymousOperationRule.LoneAnonymousOperationRule, _SingleFieldSubscriptionsRule.SingleFieldSubscriptionsRule, _KnownTypeNamesRule.KnownTypeNamesRule, _FragmentsOnCompositeTypesRule.FragmentsOnCompositeTypesRule, _VariablesAreInputTypesRule.VariablesAreInputTypesRule, _ScalarLeafsRule.ScalarLeafsRule, _FieldsOnCorrectTypeRule.FieldsOnCorrectTypeRule, _UniqueFragmentNamesRule.UniqueFragmentNamesRule, _KnownFragmentNamesRule.KnownFragmentNamesRule, _NoUnusedFragmentsRule.NoUnusedFragmentsRule, _PossibleFragmentSpreadsRule.PossibleFragmentSpreadsRule, _NoFragmentCyclesRule.NoFragmentCyclesRule, _UniqueVariableNamesRule.UniqueVariableNamesRule, _NoUndefinedVariablesRule.NoUndefinedVariablesRule, _NoUnusedVariablesRule.NoUnusedVariablesRule, _KnownDirectivesRule.KnownDirectivesRule, _UniqueDirectivesPerLocationRule.UniqueDirectivesPerLocationRule, _KnownArgumentNamesRule.KnownArgumentNamesRule, _UniqueArgumentNamesRule.UniqueArgumentNamesRule, _ValuesOfCorrectTypeRule.ValuesOfCorrectTypeRule, _ProvidedRequiredArgumentsRule.ProvidedRequiredArgumentsRule, _VariablesInAllowedPositionRule.VariablesInAllowedPositionRule, _OverlappingFieldsCanBeMergedRule.OverlappingFieldsCanBeMergedRule, _UniqueInputFieldNamesRule.UniqueInputFieldNamesRule]);
+
+exports.recommendedRules = recommendedRules;
+var specifiedRules = Object.freeze([_ExecutableDefinitionsRule.ExecutableDefinitionsRule, _UniqueOperationNamesRule.UniqueOperationNamesRule, _LoneAnonymousOperationRule.LoneAnonymousOperationRule, _SingleFieldSubscriptionsRule.SingleFieldSubscriptionsRule, _KnownTypeNamesRule.KnownTypeNamesRule, _FragmentsOnCompositeTypesRule.FragmentsOnCompositeTypesRule, _VariablesAreInputTypesRule.VariablesAreInputTypesRule, _ScalarLeafsRule.ScalarLeafsRule, _FieldsOnCorrectTypeRule.FieldsOnCorrectTypeRule, _UniqueFragmentNamesRule.UniqueFragmentNamesRule, _KnownFragmentNamesRule.KnownFragmentNamesRule, _NoUnusedFragmentsRule.NoUnusedFragmentsRule, _PossibleFragmentSpreadsRule.PossibleFragmentSpreadsRule, _NoFragmentCyclesRule.NoFragmentCyclesRule, _UniqueVariableNamesRule.UniqueVariableNamesRule, _NoUndefinedVariablesRule.NoUndefinedVariablesRule, _NoUnusedVariablesRule.NoUnusedVariablesRule, _KnownDirectivesRule.KnownDirectivesRule, _UniqueDirectivesPerLocationRule.UniqueDirectivesPerLocationRule, _KnownArgumentNamesRule.KnownArgumentNamesRule, _UniqueArgumentNamesRule.UniqueArgumentNamesRule, _ValuesOfCorrectTypeRule.ValuesOfCorrectTypeRule, _ProvidedRequiredArgumentsRule.ProvidedRequiredArgumentsRule, _VariablesInAllowedPositionRule.VariablesInAllowedPositionRule, _OverlappingFieldsCanBeMergedRule.OverlappingFieldsCanBeMergedRule, _UniqueInputFieldNamesRule.UniqueInputFieldNamesRule].concat(recommendedRules));
 /**
  * @internal
  */

package/validation/specifiedRules.js.flow

@@ -83,6 +83,9 @@ import { OverlappingFieldsCanBeMergedRule } from './rules/OverlappingFieldsCanBe
 // Spec Section: "Input Object Field Uniqueness"
 import { UniqueInputFieldNamesRule } from './rules/UniqueInputFieldNamesRule';
 
+// TODO: Spec Section
+import { MaxIntrospectionDepthRule } from './rules/MaxIntrospectionDepthRule';
+
 // SDL-specific validation rules
 import { LoneSchemaDefinitionRule } from './rules/LoneSchemaDefinitionRule';
 import { UniqueOperationTypesRule } from './rules/UniqueOperationTypesRule';
@@ -92,6 +95,12 @@ import { UniqueFieldDefinitionNamesRule } from './rules/UniqueFieldDefinitionNam
 import { UniqueDirectiveNamesRule } from './rules/UniqueDirectiveNamesRule';
 import { PossibleTypeExtensionsRule } from './rules/PossibleTypeExtensionsRule';
 
+/**
+ * Technically these aren't part of the spec but they are strongly encouraged
+ * validation rules.
+ */
+export const recommendedRules = Object.freeze([MaxIntrospectionDepthRule]);
+
 /**
  * This set includes all validation rules defined by the GraphQL spec.
  *
@@ -125,6 +134,7 @@ export const specifiedRules = Object.freeze([
   VariablesInAllowedPositionRule,
   OverlappingFieldsCanBeMergedRule,
   UniqueInputFieldNamesRule,
+  ...recommendedRules,
 ]);
 
 /**

package/validation/specifiedRules.mjs

@@ -49,7 +49,9 @@ import { VariablesInAllowedPositionRule } from "./rules/VariablesInAllowedPositi
 
 import { OverlappingFieldsCanBeMergedRule } from "./rules/OverlappingFieldsCanBeMergedRule.mjs"; // Spec Section: "Input Object Field Uniqueness"
 
-import { UniqueInputFieldNamesRule } from "./rules/UniqueInputFieldNamesRule.mjs"; // SDL-specific validation rules
+import { UniqueInputFieldNamesRule } from "./rules/UniqueInputFieldNamesRule.mjs"; // TODO: Spec Section
+
+import { MaxIntrospectionDepthRule } from "./rules/MaxIntrospectionDepthRule.mjs"; // SDL-specific validation rules
 
 import { LoneSchemaDefinitionRule } from "./rules/LoneSchemaDefinitionRule.mjs";
 import { UniqueOperationTypesRule } from "./rules/UniqueOperationTypesRule.mjs";
@@ -58,6 +60,12 @@ import { UniqueEnumValueNamesRule } from "./rules/UniqueEnumValueNamesRule.mjs";
 import { UniqueFieldDefinitionNamesRule } from "./rules/UniqueFieldDefinitionNamesRule.mjs";
 import { UniqueDirectiveNamesRule } from "./rules/UniqueDirectiveNamesRule.mjs";
 import { PossibleTypeExtensionsRule } from "./rules/PossibleTypeExtensionsRule.mjs";
+/**
+ * Technically these aren't part of the spec but they are strongly encouraged
+ * validation rules.
+ */
+
+export var recommendedRules = Object.freeze([MaxIntrospectionDepthRule]);
 /**
  * This set includes all validation rules defined by the GraphQL spec.
  *
@@ -65,7 +73,7 @@ import { PossibleTypeExtensionsRule } from "./rules/PossibleTypeExtensionsRule.m
  * most clear output when encountering multiple validation errors.
  */
 
-export var specifiedRules = Object.freeze([ExecutableDefinitionsRule, UniqueOperationNamesRule, LoneAnonymousOperationRule, SingleFieldSubscriptionsRule, KnownTypeNamesRule, FragmentsOnCompositeTypesRule, VariablesAreInputTypesRule, ScalarLeafsRule, FieldsOnCorrectTypeRule, UniqueFragmentNamesRule, KnownFragmentNamesRule, NoUnusedFragmentsRule, PossibleFragmentSpreadsRule, NoFragmentCyclesRule, UniqueVariableNamesRule, NoUndefinedVariablesRule, NoUnusedVariablesRule, KnownDirectivesRule, UniqueDirectivesPerLocationRule, KnownArgumentNamesRule, UniqueArgumentNamesRule, ValuesOfCorrectTypeRule, ProvidedRequiredArgumentsRule, VariablesInAllowedPositionRule, OverlappingFieldsCanBeMergedRule, UniqueInputFieldNamesRule]);
+export var specifiedRules = Object.freeze([ExecutableDefinitionsRule, UniqueOperationNamesRule, LoneAnonymousOperationRule, SingleFieldSubscriptionsRule, KnownTypeNamesRule, FragmentsOnCompositeTypesRule, VariablesAreInputTypesRule, ScalarLeafsRule, FieldsOnCorrectTypeRule, UniqueFragmentNamesRule, KnownFragmentNamesRule, NoUnusedFragmentsRule, PossibleFragmentSpreadsRule, NoFragmentCyclesRule, UniqueVariableNamesRule, NoUndefinedVariablesRule, NoUnusedVariablesRule, KnownDirectivesRule, UniqueDirectivesPerLocationRule, KnownArgumentNamesRule, UniqueArgumentNamesRule, ValuesOfCorrectTypeRule, ProvidedRequiredArgumentsRule, VariablesInAllowedPositionRule, OverlappingFieldsCanBeMergedRule, UniqueInputFieldNamesRule].concat(recommendedRules));
 /**
  * @internal
  */

package/version.js

@@ -13,7 +13,7 @@ exports.versionInfo = exports.version = void 0;
 /**
  * A string containing the version of the GraphQL.js library
  */
-var version = '15.7.2';
+var version = '15.9.0';
 /**
  * An object containing the components of the GraphQL.js version string
  */
@@ -21,8 +21,8 @@ var version = '15.7.2';
 exports.version = version;
 var versionInfo = Object.freeze({
   major: 15,
-  minor: 7,
-  patch: 2,
+  minor: 9,
+  patch: 0,
   preReleaseTag: null
 });
 exports.versionInfo = versionInfo;

package/version.js.flow

@@ -7,14 +7,14 @@
 /**
  * A string containing the version of the GraphQL.js library
  */
-export const version = '15.7.2';
+export const version = '15.9.0';
 
 /**
  * An object containing the components of the GraphQL.js version string
  */
 export const versionInfo = Object.freeze({
   major: 15,
-  minor: 7,
-  patch: 2,
+  minor: 9,
+  patch: 0,
   preReleaseTag: null,
 });

package/version.mjs

@@ -6,14 +6,14 @@
 /**
  * A string containing the version of the GraphQL.js library
  */
-export var version = '15.7.2';
+export var version = '15.9.0';
 /**
  * An object containing the components of the GraphQL.js version string
  */
 
 export var versionInfo = Object.freeze({
   major: 15,
-  minor: 7,
-  patch: 2,
+  minor: 9,
+  patch: 0,
   preReleaseTag: null
 });