
chore(deps): bump graphql from 16.14.2 to 17.0.0 in /packages/gitlab-mcp #533

Closed

dependabot[bot] wants to merge 2 commits into main from dependabot/npm_and_yarn/packages/gitlab-mcp/graphql-17.0.0

@dependabot dependabot Bot commented on behalf of github Jun 16, 2026


Bumps graphql from 16.14.2 to 17.0.0.

Release notes

Sourced from graphql's releases.

v17.0.0 (2026-06-15)

New Feature 🚀

Bug Fix 🐞

Docs 📝

Polish 💅

Internal 🏠

... (truncated)

Commits
  • c7e494a chore(release): v17.0.0
  • d977f66 docs: post 17.rc-0 update (#4817)
  • 39f865f docs: document @experimental_disableErrorPropagation (#4820)
  • 61db552 feat: graduate directives on directives (#4819)
  • e8e5d64 Revert "feat(validation): reject directive definition cycles (#4726)" (#4815)
  • f8ffad3 feat(validation): reject directive definition cycles (#4726)
  • 6618357 polish(KnownDirectivesRule): cover field argument directives in extensions
  • 242c99e fix(KnownDirectivesRule): directive locations for input obj extensions
  • 83dc508 internal: upgrade website prettier
  • a98dc3e internal: support local api doc generation
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [graphql](https://github.com/graphql/graphql-js) from 16.14.2 to 17.0.0.
- [Release notes](https://github.com/graphql/graphql-js/releases)
- [Commits](graphql/graphql-js@v16.14.2...v17.0.0)

---
updated-dependencies:
- dependency-name: graphql
  dependency-version: 17.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 16, 2026

greptile-apps Bot commented Jun 16, 2026


Greptile Summary

  • Updates the graphql dependency in packages/gitlab-mcp from ^16.14.2 to ^17.0.0.
  • This is a dependency-only manifest change for the GitLab MCP package.

Confidence Score: 3/5

Merge should wait until the dependency graph is made consistent for the GraphQL upgrade.

The manifest-only dependency bump leaves at least one GraphQL consumer with an incompatible peer range, so install validation reports a package-manager compatibility issue that should be resolved before merging.

packages/gitlab-mcp/package.json and the package-manager lockfile/dependency graph need attention.

Reviews (1): Last reviewed commit: "chore(deps): bump graphql from 16.14.2 t..." | Re-trigger Greptile

"@modelcontextprotocol/sdk": "^1.29.0",
"express": "^5.2.1",
"graphql": "^16.14.2",
"graphql": "^17.0.0",
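Review bot: The new `"graphql": "^17.0.0"` line takes a direct production dependency across a semver-major boundary one day after v17.0.0 was published (2026-06-15), and it is the only line that changes in this hunk. Suggest holding the merge until the lockfile is regenerated in the same commit and the packages that declare graphql as a peer are checked against 17, so that review covers the resolved tree and not only the manifest range.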


P1 Update the lockfile

This workspace uses Yarn with an immutable yarn.lock, but this change updates only package.json. The lockfile still records the workspace dependency as graphql: "npm:^16.14.2" and still resolves graphql@16.14.2, so yarn install --immutable fails because it would need to rewrite the lockfile to graphql@17.0.0. Please commit the regenerated yarn.lock with this dependency bump.

Comment on lines +564 to 565
"graphql": "^17.0.0",
"graphql-tag": "^2.12.6",
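Review bot: The context line `"graphql-tag": "^2.12.6"` is left untouched beside the new `"graphql": "^17.0.0"`, so the declared floor for graphql-tag still admits the 2.12.6 release whose peer range is reported in this thread as stopping at graphql 16. Suggest raising that floor in the same change to a graphql-tag release whose peer range lists graphql 17 (the follow-up commit referenced on this PR moves to 2.12.7 for this reason), rather than relying on the caret range to float there at install time.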


P1 Resolve peer mismatch

graphql-tag@2.12.6 remains in this package, and its recorded peer range accepts GraphQL versions through ^16.0.0 but not ^17.0.0. After this bump, Yarn reports graphql 17 as an incorrectly met peer for graphql-tag, while the source builds GraphQL documents through graphql-tag in the GraphQL query modules. Please upgrade or replace graphql-tag, or add an explicit compatibility override only after validating it with GraphQL 17.

polaz added a commit that referenced this pull request Jun 22, 2026
* fix(runners): send job status filter as a GitLab list argument

GitLab's runner jobs(statuses:) argument is [CiJobStatus!], but the
ListRunnerJobs query declared $statuses as a singular CiJobStatus. GitLab
rejects the query with "List dimension mismatch on variable $statuses"
whenever a runner with executed jobs exists, so browse_runners list_jobs
failed against real data regardless of whether a status filter was passed.

Declare the variable as [CiJobStatus!] and wrap the single-status filter in
a list before sending. The unit test now asserts the value reaches GitLab as
["FAILED"] rather than the bare enum.

Closes #535

* chore(deps): bump graphql to 17 and refresh dev dependencies

- graphql 16.14.2 -> 17.0.1 (resolves Dependabot #532 / #533). Node engine
  already requires >=24, which graphql 17 supports.
- graphql-tag 2.12.6 -> 2.12.7 so its peer range covers graphql 17.
- @clack/prompts 1.5.1 -> 1.6.0.
- @cloudflare/workers-types and @types/node patch refresh (within ^25).

Verified with the full unit suite (5206 tests) and full integration suite
(443 tests) against a live GitLab instance.

* ci(release): auto-generate server.json marketing copy and commit all READMEs

The MCP Registry listing is driven by server.json's description, which read
"GitLab MCP server with 58 tools for projects, MRs, pipelines, and more". That
undersells the server next to the README hero line. prepare-release.sh now
generates the description from the live tool / operation / entity counts as
"<tools> CQRS tools exposing <operations> GitLab operations across <entities>
entity types", mirroring the README and staying under the registry's 100-char
description limit.

prepare-release.sh renders the README to all three shipping locations (core npm
page, GitHub repo landing, db npm page), but the release sync job only staged
the core README, so the root and db pages drifted a release behind (download
badge still on 9.0.0 while core was 9.1.0). Stage all three so the public counts
and version stay consistent across npm, GitHub, and the db page.

server.json and the root/db READMEs are regenerated here to the current counts.

* chore(deps): force form-data >=4.0.6 to close CRLF injection advisory

The resolved form-data 4.0.5 is in the vulnerable range (>= 4.0.0, < 4.0.6) for
the CRLF-injection-via-multipart-field-names advisory (GHSA, high). Pin it to
>=4.0.6 in root resolutions so the dev/CI tree no longer trips the alert.

js-yaml's quadratic-merge-key DoS (medium) is left as-is: the only consumer is
@istanbuljs/load-nyc-config (dev coverage tooling, parses trusted local config),
its sole patch lives in js-yaml 4.x, and forcing that major would break the 3.x
safeLoad API the loader relies on.

* chore(deps): bound form-data resolution to ^4.0.6

* fix(runners): accept multiple job statuses in list_jobs filter

GitLab's jobs(statuses:) argument is [CiJobStatus!], so it natively filters by
more than one status. The list_jobs schema now takes an array of statuses
instead of a single value, and the handler forwards it straight through. Callers
can request e.g. ["FAILED", "CANCELED"] in one query.
@polaz polaz closed this Jun 22, 2026
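
An added example, not code from this repository, Dependabot or Greptile: a minimal range matcher in JavaScript that works through the two range questions raised in this thread, the graphql-tag peer mismatch and the form-data override written first as `>=4.0.6` and then bounded to `^4.0.6`. The peer-range strings and the candidate version list are constructed for illustration; the matcher handles only `^`, `>=`, `<`, exact versions, spaces and `||`, and real tooling should use the `semver` package.

```javascript
// Added example: minimal semver range matcher (no prerelease or "<=" support).
const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
};

// Exclusive upper bound of a caret range: bump the left-most non-zero part.
function caretCeiling(v) {
  const [maj, min, pat] = parse(v);
  if (maj > 0) return `${maj + 1}.0.0`;
  if (min > 0) return `0.${min + 1}.0`;
  return `0.0.${pat + 1}`;
}

function matchesComparator(version, c) {
  if (c.startsWith("^")) {
    const base = c.slice(1);
    return cmp(version, base) >= 0 && cmp(version, caretCeiling(base)) < 0;
  }
  if (c.startsWith(">=")) return cmp(version, c.slice(2)) >= 0;
  if (c.startsWith("<")) return cmp(version, c.slice(1)) < 0;
  return cmp(version, c) === 0;
}

// "a b" means both comparators must hold; "x || y" means either alternative.
function satisfies(version, range) {
  return range.split("||").some((alt) =>
    alt.trim().split(/\s+/).every((c) => matchesComparator(version, c)));
}

// Versions from a candidate list that a manifest range or override admits.
const admitted = (range, candidates) => candidates.filter((v) => satisfies(v, range));

// Constructed inputs based on the figures quoted in the thread.
const VULNERABLE_FORM_DATA = ">=4.0.0 <4.0.6"; // advisory range from the commit message
const FORM_DATA_CANDIDATES = ["4.0.5", "4.0.6", "4.1.0", "5.0.0"]; // constructed; 5.0.0 is hypothetical
const PEER_STOPS_AT_16 = "^15.0.0 || ^16.0.0"; // constructed, abbreviated peer range
const PEER_COVERS_17 = "^15.0.0 || ^16.0.0 || ^17.0.0"; // constructed, abbreviated peer range

console.log("graphql 17.0.0 meets old peer range:", satisfies("17.0.0", PEER_STOPS_AT_16));
console.log("graphql 17.0.1 meets new peer range:", satisfies("17.0.1", PEER_COVERS_17));
console.log("form-data 4.0.5 is vulnerable:", satisfies("4.0.5", VULNERABLE_FORM_DATA));
console.log(">=4.0.6 admits:", admitted(">=4.0.6", FORM_DATA_CANDIDATES).join(", "));
console.log("^4.0.6 admits:", admitted("^4.0.6", FORM_DATA_CANDIDATES).join(", "));
```

The open-ended `>=4.0.6` override excludes the vulnerable 4.0.5 but would also accept a future major, which is the gap the `^4.0.6` form closes.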

dependabot Bot commented on behalf of github Jun 22, 2026


OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/packages/gitlab-mcp/graphql-17.0.0 branch June 22, 2026 11:55