Releases: remorses/genql

@genql/cli@6.3.4

11 Jun 13:50

  1. Fixed code injection vulnerability in generated JSDoc comments (CWE-94) — GraphQL type/field descriptions containing */ could break out of JSDoc comments and inject arbitrary TypeScript into the generated client. When a consumer imports or bundles the generated code, the injected statements execute. Any */ in schema-derived text is now escaped to *\/ before interpolation into JSDoc blocks.

    This affects any pipeline that calls generate() with a schema obtained from an untrusted source (typosquatted endpoints, compromised GraphQL servers, multi-tenant platforms where users can edit type descriptions).

    Thanks to Hamza Haroon for the responsible disclosure. See #197.
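The mechanism behind the fix, as an added illustration that is not genql's own code: a schema description is interpolated into a JSDoc block, an unescaped */ in it closes the comment early, and escaping it to *\/ keeps the block intact. Function names and the sample description are assumptions constructed for this example.

```typescript
// Added illustration, not genql's own code: how a schema description ends up in a
// generated JSDoc block, and why an unescaped "*/" terminates the comment early.

/** Escape the JSDoc terminator so schema-derived text can never close the block. */
export function escapeJsDoc(text: string): string {
  return text.replace(/\*\//g, "*\\/");
}

/**
 * Render a field description as a JSDoc block. `escape=false` reproduces the
 * pre-6.3.4 behaviour so both outputs can be compared; `escape=true` is the fix.
 */
export function jsDocFor(description: string, escape: boolean): string {
  const body = escape ? escapeJsDoc(description) : description;
  const lines = body.split("\n").map((l) => ` * ${l}`);
  return ["/**", ...lines, " */"].join("\n");
}

/** Count comment terminators; a single well-formed JSDoc block has exactly one. */
export function terminatorCount(block: string): number {
  return block.split("*/").length - 1;
}

/**
 * Sanity-check a generated block: the only terminator must be the final closing one.
 * Running this over generated output is a cheap regression check for the fix.
 */
export function isSingleJsDocBlock(block: string): boolean {
  return terminatorCount(block) === 1 && block.trimEnd().endsWith("*/");
}

// Constructed sample description (not from any real schema) containing the terminator.
export const sampleDescription = "Ratio a */ b, see docs";

// Compare the two renderings; the unescaped one contains two terminators.
export function demo(): { unsafeTerminators: number; safeIsIntact: boolean } {
  return {
    unsafeTerminators: terminatorCount(jsDocFor(sampleDescription, false)),
    safeIsIntact: isSingleJsDocBlock(jsDocFor(sampleDescription, true)),
  };
}
```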

@genql/cli@6.3.3

30 Mar 15:58

Patch Changes

  • Deprecate the CLI option --esm