chore(deps): bump graphql from 16.14.2 to 17.0.0 in /packages/gitlab-mcp #533
dependabot[bot] wants to merge 2 commits into
Bumps [graphql](https://github.com/graphql/graphql-js) from 16.14.2 to 17.0.0.
- [Release notes](https://github.com/graphql/graphql-js/releases)
- [Commits](graphql/graphql-js@v16.14.2...v17.0.0)

---
updated-dependencies:
- dependency-name: graphql
  dependency-version: 17.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

| "@modelcontextprotocol/sdk": "^1.29.0", | ||
| "express": "^5.2.1", | ||
| "graphql": "^16.14.2", | ||
| "graphql": "^17.0.0", |
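Review bot: the `"graphql": "^17.0.0"` line moves a direct production dependency across a major version, and the version string is the only thing that changes in this hunk while the release notes quoted on the page are truncated. Before merging, state in the PR which GraphQL 17 breaking changes touch this package's GraphQL query modules and link a test run made against 17. Note also that a caret range on a fresh major picks up later 17.x releases whenever the lockfile is regenerated, so the resolved version should be reviewed together with this line.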
This workspace uses Yarn with an immutable yarn.lock, but this change updates only package.json. The lockfile still records the workspace dependency as graphql: "npm:^16.14.2" and still resolves graphql@16.14.2, so yarn install --immutable fails because it would need to rewrite the lockfile to graphql@17.0.0. Please commit the regenerated yarn.lock with this dependency bump.
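The drift this comment describes can be checked mechanically before an install is attempted. The following is an added example, not code from this PR or the project: the workspace package name `gitlab-mcp`, the lockfile excerpt and both function names are assumptions, and the parser reads only the Yarn Berry layout shown in the sample.

```javascript
// Constructed sample: the manifest after the bump and a lockfile excerpt from
// before it. The workspace package name "gitlab-mcp" is an assumption.
const PKG = JSON.stringify({
  dependencies: { graphql: "^17.0.0", "graphql-tag": "^2.12.6" },
});
const LOCK = `
"gitlab-mcp@workspace:packages/gitlab-mcp":
  version: 0.0.0-use.local
  dependencies:
    graphql: "npm:^16.14.2"
    graphql-tag: "npm:^2.12.6"
"graphql-tag@npm:^2.12.6":
  version: 2.12.6
"graphql@npm:^16.14.2":
  version: 16.14.2
`;

// Minimal reader for the lockfile layout above (not a general YAML parser).
function parseLock(text) {
  const entries = new Map();
  let entry = null, section = null;
  for (const raw of text.split("\n")) {
    const m = raw.trim().match(/^"?(.+?)"?:(?:\s+"?(.*?)"?)?$/);
    if (!m || raw.trimStart().startsWith("#")) continue;
    const indent = raw.length - raw.trimStart().length;
    const [, key, value] = m;
    if (indent === 0) {
      entry = { deps: {} }; section = null;
      key.split(",").forEach((d) => entries.set(d.trim(), entry));
    } else if (entry && indent === 2) {
      section = value === undefined ? key : null;
      if (value !== undefined) entry[key] = value;
    } else if (entry && section === "dependencies") {
      entry.deps[key] = value;
    }
  }
  return entries;
}

// List dependencies whose manifest range differs from what the lockfile
// recorded for the workspace, or that have no resolved lockfile entry.
function lockfileDrift(pkgText, lockText, workspace) {
  const entries = parseLock(lockText);
  const ws = entries.get(workspace);
  if (!ws) throw new Error(`no lockfile entry for ${workspace}`);
  return Object.entries(JSON.parse(pkgText).dependencies || {})
    .map(([name, r]) => ({ name, manifest: r.includes(":") ? r : `npm:${r}`, recorded: ws.deps[name] ?? null }))
    .filter((d) => d.recorded !== d.manifest || !entries.has(`${d.name}@${d.manifest}`));
}
```

A non-empty result means an install would have to rewrite the lockfile, which is the condition an immutable install refuses.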
| "graphql": "^17.0.0", | ||
| "graphql-tag": "^2.12.6", |
graphql-tag@2.12.6 remains in this package, and its recorded peer range accepts GraphQL versions through ^16.0.0 but not ^17.0.0. After this bump, Yarn reports graphql 17 as an incorrectly met peer for graphql-tag, while the source builds GraphQL documents through graphql-tag in the GraphQL query modules. Please upgrade or replace graphql-tag, or add an explicit compatibility override only after validating it with GraphQL 17.
* fix(runners): send job status filter as a GitLab list argument

  GitLab's runner jobs(statuses:) argument is [CiJobStatus!], but the ListRunnerJobs query declared $statuses as a singular CiJobStatus. GitLab rejects the query with "List dimension mismatch on variable $statuses" whenever a runner with executed jobs exists, so browse_runners list_jobs failed against real data regardless of whether a status filter was passed.

  Declare the variable as [CiJobStatus!] and wrap the single-status filter in a list before sending. The unit test now asserts the value reaches GitLab as ["FAILED"] rather than the bare enum.

  Closes #535

* chore(deps): bump graphql to 17 and refresh dev dependencies

  - graphql 16.14.2 -> 17.0.1 (resolves Dependabot #532 / #533). Node engine already requires >=24, which graphql 17 supports.
  - graphql-tag 2.12.6 -> 2.12.7 so its peer range covers graphql 17.
  - @clack/prompts 1.5.1 -> 1.6.0.
  - @cloudflare/workers-types and @types/node patch refresh (within ^25).

  Verified with the full unit suite (5206 tests) and full integration suite (443 tests) against a live GitLab instance.

* ci(release): auto-generate server.json marketing copy and commit all READMEs

  The MCP Registry listing is driven by server.json's description, which read "GitLab MCP server with 58 tools for projects, MRs, pipelines, and more". That undersells the server next to the README hero line. prepare-release.sh now generates the description from the live tool / operation / entity counts as "<tools> CQRS tools exposing <operations> GitLab operations across <entities> entity types", mirroring the README and staying under the registry's 100-char description limit.

  prepare-release.sh renders the README to all three shipping locations (core npm page, GitHub repo landing, db npm page), but the release sync job only staged the core README, so the root and db pages drifted a release behind (download badge still on 9.0.0 while core was 9.1.0). Stage all three so the public counts and version stay consistent across npm, GitHub, and the db page.

  server.json and the root/db READMEs are regenerated here to the current counts.

* chore(deps): force form-data >=4.0.6 to close CRLF injection advisory

  The resolved form-data 4.0.5 is in the vulnerable range (>= 4.0.0, < 4.0.6) for the CRLF-injection-via-multipart-field-names advisory (GHSA, high). Pin it to >=4.0.6 in root resolutions so the dev/CI tree no longer trips the alert.

  js-yaml's quadratic-merge-key DoS (medium) is left as-is: the only consumer is @istanbuljs/load-nyc-config (dev coverage tooling, parses trusted local config), its sole patch lives in js-yaml 4.x, and forcing that major would break the 3.x safeLoad API the loader relies on.

* chore(deps): bound form-data resolution to ^4.0.6

* fix(runners): accept multiple job statuses in list_jobs filter

  GitLab's jobs(statuses:) argument is [CiJobStatus!], so it natively filters by more than one status. The list_jobs schema now takes an array of statuses instead of a single value, and the handler forwards it straight through. Callers can request e.g. ["FAILED", "CANCELED"] in one query.
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.



Bumps graphql from 16.14.2 to 17.0.0.
Release notes
Sourced from graphql's releases.
... (truncated)
Commits
- c7e494a chore(release): v17.0.0
- d977f66 docs: post 17.rc-0 update (#4817)
- 39f865f docs: document @experimental_disableErrorPropagation (#4820)
- 61db552 feat: graduate directives on directives (#4819)
- e8e5d64 Revert "feat(validation): reject directive definition cycles (#4726)" (#4815)
- f8ffad3 feat(validation): reject directive definition cycles (#4726)
- 6618357 polish(KnownDirectivesRule): cover field argument directives in extensions
- 242c99e fix(KnownDirectivesRule): directive locations for input obj extensions
- 83dc508 internal: upgrade website prettier
- a98dc3e internal: support local api doc generation

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)