chore(deps): bump graphql from 16.14.2 to 17.0.0 #532

Closed
dependabot[bot] wants to merge 2 commits into main from dependabot/npm_and_yarn/graphql-17.0.0

dependabot Bot commented on behalf of github Jun 16, 2026

Bumps graphql from 16.14.2 to 17.0.0.

Release notes

Sourced from graphql's releases.

v17.0.0 (2026-06-15)

New Feature 🚀

Bug Fix 🐞

Docs 📝

Polish 💅

Internal 🏠

... (truncated)

Commits
  • c7e494a chore(release): v17.0.0
  • d977f66 docs: post 17.rc-0 update (#4817)
  • 39f865f docs: document @experimental_disableErrorPropagation (#4820)
  • 61db552 feat: graduate directives on directives (#4819)
  • e8e5d64 Revert "feat(validation): reject directive definition cycles (#4726)" (#4815)
  • f8ffad3 feat(validation): reject directive definition cycles (#4726)
  • 6618357 polish(KnownDirectivesRule): cover field argument directives in extensions
  • 242c99e fix(KnownDirectivesRule): directive locations for input obj extensions
  • 83dc508 internal: upgrade website prettier
  • a98dc3e internal: support local api doc generation
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [graphql](https://github.com/graphql/graphql-js) from 16.14.2 to 17.0.0.
- [Release notes](https://github.com/graphql/graphql-js/releases)
- [Commits](graphql/graphql-js@v16.14.2...v17.0.0)

---
updated-dependencies:
- dependency-name: graphql
  dependency-version: 17.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies and javascript labels Jun 16, 2026
@github-actions

Test Coverage Report

Overall Coverage: 96.84%

Metric Percentage
Statements 96.2%
Branches 87.97%
Functions 94.83%
Lines 96.84%

greptile-apps Bot commented Jun 16, 2026

Greptile Summary

  • Updates packages/gitlab-mcp to depend on graphql@^17.0.0.
  • Updates yarn.lock so the workspace resolves graphql@17.0.0.
  • Leaves the rest of the GraphQL-related dependency set unchanged.

Confidence Score: 4/5

The dependency bump is not merge-safe until the GraphQL peer dependency mismatch is resolved.

The changed dependency set was narrow and the install-time incompatibility was confirmed with real package-manager output.

packages/gitlab-mcp/package.json needs graphql and graphql-tag brought back into a compatible peer range.

Reviews (1): Last reviewed commit: "chore(deps): bump graphql from 16.14.2 t..." | Re-trigger Greptile

"@modelcontextprotocol/sdk": "^1.29.0",
"express": "^5.2.1",
"graphql": "^16.14.2",
"graphql": "^17.0.0",

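Review bot: the `"graphql": "^17.0.0"` line moves a direct production dependency across a major version, and the release notes quoted in this PR are truncated, so the breaking changes cannot be assessed from the PR itself. Before merging, list the v17 changes that touch this package's GraphQL usage in the PR description and confirm that the package's queries and test suite pass against 17.0.0.
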
P1 Unsupported peer combination

Bumping graphql to ^17.0.0 leaves this package on graphql-tag@2.12.6, whose peer range only accepts GraphQL through ^16.0.0. A fresh install now reports YN0060 / YN0086 for the workspace-provided graphql@17.0.0, so CI or downstream install steps that enforce peer requirements can fail before the package is usable. Keep GraphQL on 16, or update/remove graphql-tag at the same time with a version/path that supports GraphQL 17.

codecov Bot commented Jun 22, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

polaz added a commit that referenced this pull request Jun 22, 2026
* fix(runners): send job status filter as a GitLab list argument

GitLab's runner jobs(statuses:) argument is [CiJobStatus!], but the
ListRunnerJobs query declared $statuses as a singular CiJobStatus. GitLab
rejects the query with "List dimension mismatch on variable $statuses"
whenever a runner with executed jobs exists, so browse_runners list_jobs
failed against real data regardless of whether a status filter was passed.

Declare the variable as [CiJobStatus!] and wrap the single-status filter in
a list before sending. The unit test now asserts the value reaches GitLab as
["FAILED"] rather than the bare enum.

Closes #535

* chore(deps): bump graphql to 17 and refresh dev dependencies

- graphql 16.14.2 -> 17.0.1 (resolves Dependabot #532 / #533). Node engine
  already requires >=24, which graphql 17 supports.
- graphql-tag 2.12.6 -> 2.12.7 so its peer range covers graphql 17.
- @clack/prompts 1.5.1 -> 1.6.0.
- @cloudflare/workers-types and @types/node patch refresh (within ^25).

Verified with the full unit suite (5206 tests) and full integration suite
(443 tests) against a live GitLab instance.

* ci(release): auto-generate server.json marketing copy and commit all READMEs

The MCP Registry listing is driven by server.json's description, which read
"GitLab MCP server with 58 tools for projects, MRs, pipelines, and more". That
undersells the server next to the README hero line. prepare-release.sh now
generates the description from the live tool / operation / entity counts as
"<tools> CQRS tools exposing <operations> GitLab operations across <entities>
entity types", mirroring the README and staying under the registry's 100-char
description limit.

prepare-release.sh renders the README to all three shipping locations (core npm
page, GitHub repo landing, db npm page), but the release sync job only staged
the core README, so the root and db pages drifted a release behind (download
badge still on 9.0.0 while core was 9.1.0). Stage all three so the public counts
and version stay consistent across npm, GitHub, and the db page.

server.json and the root/db READMEs are regenerated here to the current counts.

* chore(deps): force form-data >=4.0.6 to close CRLF injection advisory

The resolved form-data 4.0.5 is in the vulnerable range (>= 4.0.0, < 4.0.6) for
the CRLF-injection-via-multipart-field-names advisory (GHSA, high). Pin it to
>=4.0.6 in root resolutions so the dev/CI tree no longer trips the alert.

js-yaml's quadratic-merge-key DoS (medium) is left as-is: the only consumer is
@istanbuljs/load-nyc-config (dev coverage tooling, parses trusted local config),
its sole patch lives in js-yaml 4.x, and forcing that major would break the 3.x
safeLoad API the loader relies on.

* chore(deps): bound form-data resolution to ^4.0.6

* fix(runners): accept multiple job statuses in list_jobs filter

GitLab's jobs(statuses:) argument is [CiJobStatus!], so it natively filters by
more than one status. The list_jobs schema now takes an array of statuses
instead of a single value, and the handler forwards it straight through. Callers
can request e.g. ["FAILED", "CANCELED"] in one query.
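
A pre-merge gate for the two dependency problems this thread describes (the graphql-tag peer range flagged in review and the form-data advisory range in the commit message), as an added example that is not part of the PR or the project's code. The matcher is a minimal stand-in for the `semver` package, and the dependency trees and peer ranges are constructed assumptions.

```javascript
// Added example. Minimal semver matcher: x.y.z versions only, caret on major >= 1,
// no prerelease tags. A real gate would use the `semver` package instead.
const parse = (v) => v.split(".").map(Number);
function cmp(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}
function matches(version, c) {
  if (c.startsWith(">=")) return cmp(version, c.slice(2)) >= 0;
  if (c.startsWith("<")) return cmp(version, c.slice(1)) < 0;
  if (c.startsWith("^")) {
    const base = c.slice(1);
    return cmp(version, base) >= 0 && parse(version)[0] === parse(base)[0];
  }
  return cmp(version, c) === 0;
}
// "||" separates alternatives; whitespace inside an alternative means AND.
function satisfies(version, range) {
  return range.split("||").some((alt) =>
    alt.trim().split(/\s+/).every((c) => matches(version, c)));
}

// Advisory range quoted in the commit message for form-data.
const ADVISORIES = { "form-data": ">=4.0.0 <4.0.6" };

// tree.resolved: name -> resolved version; tree.peers: declared peer ranges.
function gate(tree) {
  const findings = [];
  for (const [name, version] of Object.entries(tree.resolved)) {
    const bad = ADVISORIES[name];
    if (bad && satisfies(version, bad)) findings.push(`advisory: ${name}@${version}`);
  }
  for (const { pkg, peer, range } of tree.peers) {
    const have = tree.resolved[peer];
    if (have && !satisfies(have, range)) findings.push(`peer: ${pkg} wants ${peer} ${range}, got ${have}`);
  }
  return findings;
}

// Constructed trees. The peer ranges are abbreviated assumptions, not copied from graphql-tag.
const beforeFix = {
  resolved: { graphql: "17.0.0", "graphql-tag": "2.12.6", "form-data": "4.0.5" },
  peers: [{ pkg: "graphql-tag", peer: "graphql", range: "^15.0.0 || ^16.0.0" }],
};
const afterFix = {
  resolved: { graphql: "17.0.1", "graphql-tag": "2.12.7", "form-data": "4.0.6" },
  peers: [{ pkg: "graphql-tag", peer: "graphql", range: "^16.0.0 || ^17.0.0" }],
};
console.log(gate(beforeFix), gate(afterFix));
```

With this matcher a hypothetical form-data 5.0.0 satisfies `>=4.0.6` but not `^4.0.6`, which is the difference between the first form-data pin and the bounded one in the commit list above.
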
polaz closed this Jun 22, 2026

dependabot Bot commented on behalf of github Jun 22, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

dependabot Bot deleted the dependabot/npm_and_yarn/graphql-17.0.0 branch June 22, 2026 11:55