SPEC/BUG: Ambiguity with null variable values and default values #1274
src/execution/values.js
Outdated
const value = inputs[varName]; | ||
if (isInvalid(value)) { | ||
if (!hasValue || isNullish(value)) { |
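Review bot: `const value = inputs[varName];` on the first line reads through the prototype chain, so when `inputs` is a plain object a variable named like an inherited property (`toString`, `constructor`) yields a value even though the client sent nothing. The `hasValue` tested on the last line is not defined in the visible lines; it should come from an own-property check on `inputs`, and `value` should only be read once that check passes.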
`isNullish` checks that `value !== value`; that is not a problem if variables always come from JSON. But I see a potential problem with `NaN` if variables come from some binary protocol or are created by JS.
BTW, nothing prevents a user from creating a custom scalar like `DoubleIEEE754` that accepts `NaN`, `Infinity`, etc.
That's fair. This could be a more general `== null` check.
src/execution/values.js
Outdated
if (isNonNullType(varType)) { | ||
// If no value or a nullish value was provided to a variable with a | ||
// non-null type (required), produce an error. | ||
errors.push( | ||
new GraphQLError( |
I think it's confusing to get such an error if you pass `null`:
`Variable "${name}" of required type "${String(argType)}" was not provided.`
I think it should have a special error message for this case, similar to how it's done for arguments:
`Variable "${name}" of non-null type "${String(argType)}" must not be null.`
Great point, I agree
6824ecb to c1076c3
This updates this proposal to be a bit broader in scope however much narrower in breaking behavior changes. Mirroring the changes in graphql/graphql-js#1274, this update better defines the difference between a "required" and "non-null" argument / input field as a non-null typed argument / input-field with a default value is no longer required. As such the validation rule which prohibited queries from using non-null variables and default values has been removed. This also adds clarity to the input field validation - this rule has existed in the GraphQL.js reference implementation however was found missing within the spec. This also updates the CoerceVariableValues() and CoerceArgumentValues() algorithms to retain explicit null values overriding a default value (minimizing breaking changes), however critically adding additional protection to CoerceArgumentValues() to explicitly block null values from variables - thus allowing the older pattern of passing a nullable variable into a non-null argument while limiting the problematic case of an explicit null value at runtime.
Changes based on feedback: This preserves the behavior of explicit null values taking precedence over default values, greatly reducing the scope of breaking changes. This adds a change to argument coercion to enforce null checking on variable values and removes one validation rule: VariablesDefaultValueAllowed. This allows supplying default values to non-nullable variables, widening the gap between "required" and "nullable". It also changes the validation rules for arguments - allowing non-null arguments with default values to be omitted. This preserves all existing behavior (with the critical exception of no longer allowing
Updated to most recent version of spec proposal. This is now a breaking change. The default validation rules are stricter, however with a configuration flag the previous lax behavior can be used which will ensure an existing service can support all existing incoming operations. For example to continue to support existing queries after updating to the new version, replace:

```js
graphql({ schema, source })
```

With:

```js
graphql({ schema, source, options: {
  allowNullableVariablesInNonNullPositions: true
}})
```

Another more minor breaking change is that the final
See graphql/graphql-spec#418 (comment) - after discussion, the breaking change is too costly at large, so I'll be updating this to account for that.
Ok, I've updated this to match the latest proposal in the spec and just updated the description to be accurate to the final version of the change. At this point I believe this is ready to merge. I'll first wait for a bit for others to review and comment.
* RFC: Fix ambiguity with null variable values and default values

  > This is a **behavioral change** which changes how explicit `null` values interact with variable and argument default values. This also changes a validation rule which makes the rule more strict.

  There is currently ambiguity and inconsistency in how `null` values are coerced and resolved as part of variable values, default values, and argument values. This inconsistency and ambiguity can allow for `null` values to appear at non-null arguments, which might result in unforeseen null-pointer-errors.

  This appears in three distinct but related issues:

  **Validation: All Variable Usages are Allowed**

  The explicit value `null` may be used as a default value for a variable with a nullable type, however this rule asks to treat a variable's type as non-null if it has a default value. Instead this rule should specifically only treat the variable's type as non-null if the default value is not `null`.

  Additionally, the `AreTypesCompatible` algorithm is underspecified, which could lead to further misinterpretation of this validation rule.

  **Coercing Variable Values**

  `CoerceVariableValues()` allows the explicit `null` value to be used instead of a default value. This can result in a null value flowing to a non-null argument due to the validation rule mentioned above. Instead a default value must be used even when an explicit `null` value is provided. This is also more consistent with the explanation for validation rule "Variable Default Value Is Allowed"

  Also, how to treat an explicit `null` value is currently underspecified. While an input object explains that a `null` value should result in an explicit `null` value at the input object field, there is no similar explanation for typical scalar input types. Instead, `CoerceVariableValues()` should explicitly handle the `null` value to make it clear a `null` is the resulting value in the `coercedValues` Map.

  **Coercing Argument Values**

  The `CoerceArgumentValues()` algorithm is intentionally similar to `CoerceVariableValues()` and suffers from the same inconsistency. Explicit `null` values should not take precedence over default values, and should also be explicitly handled rather than left to underspecified input scalar coercion.

* Updated based on feedback.

  This updates this proposal to be a bit broader in scope however much narrower in breaking behavior changes.

  Mirroring the changes in graphql/graphql-js#1274, this update better defines the difference between a "required" and "non-null" argument / input field as a non-null typed argument / input-field with a default value is no longer required. As such the validation rule which prohibited queries from using non-null variables and default values has been removed. This also adds clarity to the input field validation - this rule has existed in the GraphQL.js reference implementation however was found missing within the spec.

  This also updates the CoerceVariableValues() and CoerceArgumentValues() algorithms to retain explicit null values overriding a default value (minimizing breaking changes), however critically adding additional protection to CoerceArgumentValues() to explicitly block null values from variables - thus allowing the older pattern of passing a nullable variable into a non-null argument while limiting the problematic case of an explicit null value at runtime.

* One step further towards the idealized "from scratch" proposal, this makes it more explicitly clear that changing the effective type of a variable definition is only relevant when supporting legacy clients and suggests that new services should not use this behavior.

  I like that this balances a clear description of how this rule should work for existing services along with a stricter and therefore safer future path for new services.

* Editing AreTypesCompatible() to avoid trailing "Otherwise return false" statements for easier reading. Functionality is equivalent.

* Update "All Variable Usages are Allowed" to remove breaking change. Also attempts to improve clarity and formatting and adds an example case.

* Make related changes to input object coercion rules

* Final review edits
This change corresponds to a spec proposal which solves an ambiguity in how variable values and default values behave with explicit null values. Otherwise, this ambiguity allows for null values to appear in non-null argument values, which may result in unforeseen null-pointer-errors.

This appears in three distinct but related issues:

**VariablesInAllowedPosition validation rule**

The explicit value `null` may be used as a default value for a variable, however `VariablesInAllowedPositions` allowed a nullable type with a default value to flow into an argument expecting a non-null type. This validation rule must explicitly not allow `null` default values to flow in this manner.

**Coercing Variable Values**

coerceVariableValues allows the explicit `null` value to be used over a default value, which can result in flowing a null value to a non-null argument when paired with the validation rule mentioned above. Instead a default value must be used even when an explicit `null` value is provided.

**Coercing Argument Values**

coerceArgumentValues allows the explicit `null` default value to be used before checking for a non-null type. This could inadvertently allow a null value into a non-null typed argument.
This preserves the behavior of explicit null values taking precedence over default values, greatly reducing the scope of breaking changes. This adds a change to argument coercion to enforce null checking on variable values and removes one validation rule: VariablesDefaultValueAllowed. This allows supplying default values to non-nullable variables, widening the gap between "required" and "nullable". It also changes the validation rules for arguments - allowing non-null arguments with default values to be omitted. This preserves all existing behavior (with the critical exception of no longer allowing `null` values into non-null arguments) while allowing queries which were previously considered invalid to be valid.
This is now *a breaking change*. The default validation rules are stricter, however with a configuration flag the previous lax behavior can be used which will ensure an existing service can support all existing incoming operations.

For example to continue to support existing queries after updating to the new version, replace:

```js
graphql({ schema, source })
```

With:

```js
graphql({ schema, source, options: {
  allowNullableVariablesInNonNullPositions: true
}})
```

Another more minor breaking change is that the final `typeInfo` argument to `validate` has moved positions. However very few should be reliant on this experimental arg.
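The coercion behaviour these messages describe, as an added example (a simplified model written for this page, not graphql-js code): an explicit `null` still overrides a default value, but a `null` arriving through a variable is rejected at a non-null argument. The type objects, function names, the sample operation `query ($n: Int) { items(limit: $n) }` against `items(limit: Int! = 10)` and the argument error text are assumptions; presence is tested with an own-property check and nullness with `== null`, so `NaN` from a custom scalar stays a value.

```javascript
// Simplified model of the variable/argument coercion rules in this thread.
// Assumptions: type objects are { name, nonNull }, and the argument error
// text is constructed here; none of this is graphql-js source.

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const typeStr = (t) => t.name + (t.nonNull ? '!' : '');

// varDefs: [{ name, type, defaultValue? }]; inputs: raw client "variables".
function coerceVariableValues(varDefs, inputs) {
  const coerced = Object.create(null);
  const errors = [];
  for (const def of varDefs) {
    // Own-property check: inherited keys such as "toString" are not values.
    const hasValue = own(inputs, def.name);
    const value = hasValue ? inputs[def.name] : undefined;
    if (!hasValue && own(def, 'defaultValue')) {
      coerced[def.name] = def.defaultValue; // default only when absent
    } else if (def.type.nonNull && (!hasValue || value == null)) {
      // Separate messages for "absent" and "explicit null".
      errors.push(
        hasValue
          ? `Variable "${def.name}" of non-null type "${typeStr(def.type)}" must not be null.`
          : `Variable "${def.name}" of required type "${typeStr(def.type)}" was not provided.`
      );
    } else if (hasValue) {
      coerced[def.name] = value; // explicit null overrides a default
    }
  }
  return { coerced, errors };
}

// argNodes: { argName: { kind: 'Variable', name } | { kind: 'Literal', value } }
function coerceArgumentValues(argDefs, argNodes, variableValues) {
  const coerced = Object.create(null);
  const errors = [];
  for (const def of argDefs) {
    const node = own(argNodes, def.name) ? argNodes[def.name] : undefined;
    let hasValue = false;
    let value;
    if (node && node.kind === 'Variable') {
      hasValue = own(variableValues, node.name);
      if (hasValue) value = variableValues[node.name];
    } else if (node) {
      hasValue = true;
      value = node.value;
    }
    if (!hasValue && own(def, 'defaultValue')) {
      coerced[def.name] = def.defaultValue;
    } else if (def.type.nonNull && (!hasValue || value == null)) {
      // The added protection: a null carried by a nullable variable stops
      // here instead of reaching the resolver of a non-null argument.
      errors.push(
        hasValue
          ? `Argument "${def.name}" of non-null type "${typeStr(def.type)}" must not be null.`
          : `Argument "${def.name}" of required type "${typeStr(def.type)}" was not provided.`
      );
    } else if (hasValue) {
      coerced[def.name] = value;
    }
  }
  return { coerced, errors };
}

// Constructed sample: query ($n: Int) { items(limit: $n) }
// against a field declared as items(limit: Int! = 10).
const VAR_DEFS = [{ name: 'n', type: { name: 'Int', nonNull: false } }];
const ARG_DEFS = [
  { name: 'limit', type: { name: 'Int', nonNull: true }, defaultValue: 10 },
];
const ARG_NODES = { limit: { kind: 'Variable', name: 'n' } };

function resolveLimit(variables) {
  const vars = coerceVariableValues(VAR_DEFS, variables);
  if (vars.errors.length) return { errors: vars.errors };
  const args = coerceArgumentValues(ARG_DEFS, ARG_NODES, vars.coerced);
  return args.errors.length
    ? { errors: args.errors }
    : { limit: args.coerced.limit };
}

console.log(resolveLimit({}), resolveLimit({ n: 5 }), resolveLimit({ n: null }));
```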
… definition Based on discussion with @dschafer Adds getDefaultValue() to TypeInfo so the default value at any position in an AST visit is known.
e9c1ede to 4c17d15
I reviewed all `isNonNullType` calls and it is the last one that needs to be fixed to complete #1274
## Version **14.0.0** of **graphql** was just published.

| Dependency | [graphql](https://github.com/graphql/graphql-js) |
|---|---|
| Current Version | 0.13.2 |
| Type | dependency |

The version **14.0.0** is **not covered** by your **current version range**.

If you don’t accept this pull request, your project will work just like it did before. However, you might be missing out on a bunch of new features, fixes and/or performance improvements from the dependency update.

It might be worth looking into these changes and trying to get this project onto the latest version of graphql.

If you have a solid test suite and good coverage, a passing build is a strong indicator that you can take advantage of these changes directly by merging the proposed change into your project. If the build fails or you don’t have such unconditional trust in your tests, this branch is a great starting point for you to work on the update.

---

<details>
<summary>Release Notes</summary>

**v14.0.0**

**Breaking:**

- Drops support for node v4 and v9, makes sure node v10 is supported (#1338, #1445)
- Reject invalid scalar value coercion (#1365, #1336)
- Removes `VariablesDefaultValueAllowed` validation rule, and `ProvidedNonNullArguments` became `ProvidedRequiredArguments` (#1274)
- Stricter coercion of Scalar Types (#1382)
- Removes deprecated Introspection fields `onOperation`, `onFragment`, and `onField` (#1385, #1429)
- `GraphQL*Config` are now exact types (#1391, #1443)
- "Schema Change" keys in `BreakingChangeType` and `DangerousChangeType` for detecting adding args and input fields changed name (#1492)
- `formatError` API changed for error message extensions. To upgrade without changing existing server responses, wrap `graphql`'s `formatError`:

```js
import { formatError as baseFormatError, /* ... */ } from 'graphql';
{
  // other options
  formatError(error) {
    const { extensions, ...rest } = baseFormatError(error);
    return { ...extensions, ...rest };
  },
}
```

**New:**

- Parse new schema extensions (#1314, #1323)
- Export SDL AST types (#1315)
- `extendSchema` extended with spec-compliant SDL extensions (#1373, #1392, #1441)
- `symbol.toStringTag` support (#1297)
- Expose `getOperationRootType(schema, operationAST)` (#1345)
- Package is marked as side-effect free (#1312)
- `validateSchema` works with Schema extensions (#1410)
- `validate` works on SDL definitions (#1438, #1383)
- directives can be added to variable definitions, behind `experimentalVariableDefinitionDirectives` flag (#1437, #1454)
- ASTNode predicates, like `isDefinitionNode` and `isTypeSystemDefinitionNode` (#1459)
- `isRequiredArgument` and `isRequiredInputField` predicates (#1463)

**Fixed:**

- Fixes for custom enum types
- Prettier, Flow and eslint upgrades (#1304, #1319)
- Babel 7 upgrade (#1350)
- Introspection query perf improved (#1329)
- `introspectionFromSchema` has default options (#1408)
- `buildSchema` memory leaks and infinite recursion fixed (#1417, #1427)
- `watch` command fixed (#1449)
- Benchmarking for `validation` (#1471)

**Deprecated:**

These will be removed in v15

- `introspectionQuery`, use `getIntrospectionQuery` (#1386)
- `getDescription`, use the schema AST node to get descriptions (#1396)
- `isValidJSValue`, use `coerceValue` (#1386)
- `isValidLiteralValue`, use validation (#1386)

</details>

<details>
<summary>FAQ and help</summary>

There is a collection of [frequently asked questions](https://greenkeeper.io/faq.html). If those don’t help, you can always [ask the humans behind Greenkeeper](https://github.com/greenkeeperio/greenkeeper/issues/new).

</details>

---

Your [Greenkeeper](https://greenkeeper.io) bot 🌴
data-permission-text="Issue title is private" data-url="graphql/graphql-js#1437" href="https://urls.greenkeeper.io/graphql/graphql-js/pull/1437">#1437</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load issue title" data-id="348424943" data-permission-text="Issue title is private" data-url="graphql/graphql-js#1454" href="https://urls.greenkeeper.io/graphql/graphql-js/pull/1454">#1454</a>)</li> <li>ASTNode predicates, like <code>isDefinitionNode</code> and <code>isTypeSystemDefinitionNode</code> (<a class="issue-link js-issue-link" data-error-text="Failed to load issue title" data-id="349160476" data-permission-text="Issue title is private" data-url="graphql/graphql-js#1459" href="https://urls.greenkeeper.io/graphql/graphql-js/pull/1459">#1459</a>)</li> <li><code>isRequiredArgument</code> and <code>isRequiredInputField</code> predicates (<a class="issue-link js-issue-link" data-error-text="Failed to load issue title" data-id="349831716" data-permission-text="Issue title is private" data-url="graphql/graphql-js#1463" href="https://urls.greenkeeper.io/graphql/graphql-js/pull/1463">#1463</a>)</li> </ul> <p><strong>Fixed:</strong></p> <ul> <li>Fixes for custom enum types</li> <li>Prettier, Flow and eslint upgrades (<a class="issue-link js-issue-link" data-error-text="Failed to load issue title" data-id="310208412" data-permission-text="Issue title is private" data-url="graphql/graphql-js#1304" href="https://urls.greenkeeper.io/graphql/graphql-js/pull/1304">#1304</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load issue title" data-id="316500173" data-permission-text="Issue title is private" data-url="graphql/graphql-js#1319" href="https://urls.greenkeeper.io/graphql/graphql-js/pull/1319">#1319</a>)</li> <li>Babel 7 upgrade (<a class="issue-link js-issue-link" data-error-text="Failed to load issue title" data-id="323277037" data-permission-text="Issue title is private" data-url="graphql/graphql-js#1350" 
href="https://urls.greenkeeper.io/graphql/graphql-js/pull/1350">#1350</a>)</li> <li>Introspection query perf improved (<a class="issue-link js-issue-link" data-error-text="Failed to load issue title" data-id="318663971" data-permission-text="Issue title is private" data-url="graphql/graphql-js#1329" href="https://urls.greenkeeper.io/graphql/graphql-js/pull/1329">#1329</a>)</li> <li><code>introspectionFromSchema</code> has default options (<a class="issue-link js-issue-link" data-error-text="Failed to load issue title" data-id="336268824" data-permission-text="Issue title is private" data-url="graphql/graphql-js#1408" href="https://urls.greenkeeper.io/graphql/graphql-js/pull/1408">#1408</a>)</li> <li><code>buildSchema</code> memory leaks and infinite recursion fixed (<a class="issue-link js-issue-link" data-error-text="Failed to load issue title" data-id="341094161" data-permission-text="Issue title is private" data-url="graphql/graphql-js#1417" href="https://urls.greenkeeper.io/graphql/graphql-js/pull/1417">#1417</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load issue title" data-id="343182956" data-permission-text="Issue title is private" data-url="graphql/graphql-js#1427" href="https://urls.greenkeeper.io/graphql/graphql-js/pull/1427">#1427</a>)</li> <li><code>watch</code> command fixed (<a class="issue-link js-issue-link" data-error-text="Failed to load issue title" data-id="347719430" data-permission-text="Issue title is private" data-url="graphql/graphql-js#1449" href="https://urls.greenkeeper.io/graphql/graphql-js/pull/1449">#1449</a>)</li> <li>Benchmarking for <code>validation</code> (<a class="issue-link js-issue-link" data-error-text="Failed to load issue title" data-id="350893741" data-permission-text="Issue title is private" data-url="graphql/graphql-js#1471" href="https://urls.greenkeeper.io/graphql/graphql-js/pull/1471">#1471</a>)</li> </ul> <p><strong>Deprecated:</strong></p> <p>These will be removed in v15</p> <ul> 
<li><code>introspectionQuery</code>, use <code>getIntrospectionQuery</code> (<a class="issue-link js-issue-link" data-error-text="Failed to load issue title" data-id="331432132" data-permission-text="Issue title is private" data-url="graphql/graphql-js#1386" href="https://urls.greenkeeper.io/graphql/graphql-js/pull/1386">#1386</a>)</li> <li><code>getDescription</code>, use the schema AST node to get descriptions (<a class="issue-link js-issue-link" data-error-text="Failed to load issue title" data-id="333742859" data-permission-text="Issue title is private" data-url="graphql/graphql-js#1396" href="https://urls.greenkeeper.io/graphql/graphql-js/pull/1396">#1396</a>)</li> <li><code>isValidJSValue</code>, use <code>coerceValue</code> (<a class="issue-link js-issue-link" data-error-text="Failed to load issue title" data-id="331432132" data-permission-text="Issue title is private" data-url="graphql/graphql-js#1386" href="https://urls.greenkeeper.io/graphql/graphql-js/pull/1386">#1386</a>)</li> <li><code>isValidLiteralValue</code>, use validation (<a class="issue-link js-issue-link" data-error-text="Failed to load issue title" data-id="331432132" data-permission-text="Issue title is private" data-url="graphql/graphql-js#1386" href="https://urls.greenkeeper.io/graphql/graphql-js/pull/1386">#1386</a>)</li> </ul> </details> <details> <summary>FAQ and help</summary> There is a collection of [frequently asked questions](https://greenkeeper.io/faq.html). If those don’t help, you can always [ask the humans behind Greenkeeper](https://github.com/greenkeeperio/greenkeeper/issues/new). </details> --- Your [Greenkeeper](https://greenkeeper.io) bot 🌴
This change corresponds to a spec proposal (graphql/graphql-spec#418) which solves an ambiguity in how variable values and default values behave with explicit null values, and changes validation rules to better define the behavior of default values. Otherwise, this ambiguity can allow for null values to appear in non-null argument values, which may result in unforeseen null-pointer-errors.

In summary this change includes:

- BREAKING: Removal of `VariablesDefaultValueAllowed` validation rule. All variables may now specify a default value.
- Change to `VariablesInAllowedPosition` rule to explicitly not allow a `null` default value when flowing into a non-null argument, and now allows optional (nullable) variables in non-null arguments that provide default values.
- Changes to `ProvidedRequiredArguments` rule (BREAKING: renamed from `ProvidedNonNullArguments`) to no longer require values to be provided to non-null arguments which provide a default value.
- Changes to `getVariableValues()` and `getArgumentValues()` to ensure a `null` value never flows into a non-null argument.
- Changes to `valueFromAST()` to ensure `null` variable values do not flow into non-null types.
- Adds to the `TypeInfo` API to allow referencing the expected default value at a given AST position.

This appears in three distinct but related issues:

VariablesInAllowedPosition validation rule

The explicit value `null` may be used as a default value for a variable, however `VariablesInAllowedPosition` allowed a nullable type with a default value to flow into an argument expecting a non-null type. This validation rule must explicitly not allow `null` default values to flow in this manner.

Coercing Variable Values

coerceVariableValues allows the explicit `null` value to be used over a default value, which can result in flowing a null value to a non-null argument when paired with the validation rule mentioned above. Instead a default value must be used even when an explicit `null` value is provided.

Coercing Argument Values

coerceArgumentValues allows the explicit `null` default value to be used before checking for a non-null type. This could inadvertently allow a null value into a non-null typed argument.