[Snyk] Upgrade graphql from 16.6.0 to 16.11.0

[X-oss-byte]

Snyk has created this PR to upgrade graphql from 16.6.0 to 16.11.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 15 versions ahead of your current version.

• The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Denial of Service (DoS) SNYK-JS-GRAPHQL-5905181	586	Proof of Concept

Release notes

Package name: graphql

• 16.11.0 - 2025-04-26
  

  v16.11.0 (2025-04-26)

  New Feature 🚀

  • #4363 Ensure we validate for using nullable variables in oneOf input fields (@ JoviDeCroock)
  • #4366 feat(execution): add max coercion errors option to execution context (@ cristunaranjo)

  Bug Fix 🐞

  • #4367 fix(coerce-input-value): input object coercion rejects arrays (@ cristunaranjo)

  Docs 📝

  11 PRs were merged

  • #4310 First draft for upgrade guide to v17 (@ JoviDeCroock)
  • #4331 fix sidebar for documentation and /api-v16 (@ dimaMachina)
  • #4335 Add cspell exception (@ JoviDeCroock)
  • #4340 Improve flow of documentation around GraphiQL (@ benjie)
  • #4343 typofix: removes extra parenthesis from getting started code snippet (@ rabahalishah)
  • #4351 fixed wrong variable name (@ fto-dev)
  • #4352 docs(getting-started): promises current links (@ guspan-tanadi)
  • #4368 Update docs for execution options (@ JoviDeCroock)
  • #4369 Correct some syntax (@ JoviDeCroock)
  • #4372 Refactor every code-first example to leverage resolve (@ JoviDeCroock)
  • #4373 docs: Update getting-started.mdx (@ Shubhdeep12)

  Polish 💅

  • #4312 Increase print/visit performance (@ JoviDeCroock)

  Internal 🏠

  4 PRs were merged

  • #4327 Add redirect for /api (@ JoviDeCroock)
  • #4377 Chore: bump setup-node (@ JoviDeCroock)
  • #4378 Change to gqlConf 2025 (@ JoviDeCroock)
  • #4379 Add missing parenthesis (@ benjie)

  Committers: 8

  • Benjie(@ benjie)
  • Cris Naranjo (@ cristunaranjo)
  • Dimitri POSTOLOV(@ dimaMachina)
  • Fatih Ozdemir(@ fto-dev)
  • Guspan Tanadi(@ guspan-tanadi)
  • Jovi De Croock(@ JoviDeCroock)
  • Rabah Ali Shah(@ rabahalishah)
  • Shubhdeep Chhabra(@ Shubhdeep12)
• 16.11.0-canary.pr.4384.c095a7b7d5dc33c988f84f0c921ae2f74bb710e6 - 2025-05-01
• 16.11.0-canary.pr.4364.2b4ffe237616247a733274dfdcb404c3d55d9f02 - 2025-04-30
• 16.10.0 - 2024-12-15
  

  v16.10.0 (2024-12-15)

  New Feature 🚀

  • #4286 fix: properly type extensions in GraphQLFormattedError (@ tpoisseau)
  • #4292 Expose tokenCount on the DocumentNode (@ JoviDeCroock)

  Bug Fix 🐞

  • #4137 backport(v16): Require non-empty directive locations (#4100) (@ benjie)
  • #4168 fix(validation): catch OverlappingFieldsCanBeMergedRule violations with nested fragments (@ sachindshinde)
  • #4226 Backport introspection type fix (@ JoviDeCroock)
  • #4291 Address empty selection-set (@ JoviDeCroock)

  Docs 📝

  10 PRs were merged

  • #4240 Convert from docusaurus to nextra (@ JoviDeCroock)
  • #4248 Add content from graphql/graphql.github.io#1782 (@ JoviDeCroock)
  • #4249 Styling fixes (@ JoviDeCroock)
  • #4256 Various fixes to docs (@ JoviDeCroock)
  • #4279 Solve some low hanging fruit in the documentation (@ JoviDeCroock)
  • #4283 Add overview page and add stackblitz to tutorial (@ JoviDeCroock)
  • #4284 Provide people with tabs so they can use classes as well (@ JoviDeCroock)
  • #4289 Add note about defer/stream being v17 (@ JoviDeCroock)
  • #4290 Write about @ oneOf in the graphql-js documentation (@ JoviDeCroock)
  • #4295 Split up in v16 API documentation (@ JoviDeCroock)

  Internal 🏠

  4 PRs were merged

  • #4138 Upgrade codecov action and pass token (@ benjie)
  • #4139 Fix codecov workflow (@ benjie)
  • #4157 Add GraphQLConf 2024 banner (@ bignimbus)
  • #4193 Upgrade deprecated actions (@ JoviDeCroock)

  Committers: 5

  • Benjie(@ benjie)
  • Jeff Auriemma(@ bignimbus)
  • Jovi De Croock(@ JoviDeCroock)
  • Sachin D. Shinde(@ sachindshinde)
  • tpoisseau(@ tpoisseau)
• 16.10.0-canary.pr.4364.6b142546832c1283b535908fb8c9a171b2f7cc20 - 2025-03-27
• 16.10.0-canary.pr.4359.9fe5229b2fc30d3e5b07a6b00693fac42b649fdd - 2025-04-03
• 16.10.0-canary.pr.4192.22fb497360b20aa7bf7c12aa87d2420ff394b3a0 - 2025-03-27
• 16.9.0 - 2024-06-21
  

  v16.9.0 (2024-06-21)

  New Feature 🚀

  • #4119 backport[v16]: Introduce "recommended" validation rules (@ benjie)
  • #4122 backport[v16]: Enable passing values configuration to GraphQLEnumType as a thunk (@ benjie)
  • #4124 backport[v16]: Implement OneOf Input Objects via @ oneOf directive (@ benjie)

  Committers: 1

  • Benjie(@ benjie)
• 16.9.0-canary.pr.4192.1813397076f44a55e5798478e7321db9877de97a - 2024-09-14
• 16.9.0-canary.pr.4159.0fa29326c53fcd63c6473c7357c28aa13fa0019d - 2024-08-13
• 16.8.2 - 2024-06-12
• 16.8.1 - 2023-09-19
• 16.8.0 - 2023-08-14
• 16.7.1 - 2023-06-22
• 16.7.0 - 2023-06-21
• 16.6.0 - 2022-08-16

from graphql GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Summary by Sourcery

Bug Fixes:

• Bump graphql to ^16.11.0 to fix a Denial of Service vulnerability (SNYK-JS-GRAPHQL-5905181)

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 2963ec7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[sourcery-ai]

Reviewer's Guide

This PR upgrades the project’s GraphQL dependency from v16.6.0 to v16.11.0 to address a medium-severity DoS vulnerability and regenerates the lockfile accordingly.

File-Level Changes

Change	Details	Files
Bump GraphQL dependency and refresh lockfile	Updated graphql version constraint Regenerated package-lock.json to capture new version	package.json package-lock.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[github-actions]

👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labled with Status: Up for grabs. You & others like you are the reason all of this works! So thank you & happy coding! 🚀