add graphql-js v17 blog post#2430
Conversation
|
@yaacovCR is attempting to deploy a commit to the The GraphQL Foundation Team on Vercel. A member of the Team first needs to authorize it. |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
martinbonnin
left a comment
There was a problem hiding this comment.
Very very (very) excited by this!
| from validation errors. Use it alongside `NoSchemaIntrospectionCustomRule` to | ||
| reduce schema-shape leakage through both suggestion text and introspection. |
There was a problem hiding this comment.
I find this really problematic. The shape of the schema is generally inferrable from the way that it's queried, "reducing schema-shape leakage" is not something that we should be posting about. These rules are important for security, hideSuggestions because it's expensive and is a DoS vector, and NoSchemaIntrospectionCustomRule because validation can also be a target of attacks (particularly depth attacks), but the motivation for these should be security of the system in terms of avoiding DoS attacks, not in terms of preventing "schema-shape leakage". The shape of the schema should not be a secret - if it's a secret, then it's very hard to safely query it! Fields that are not queried should not be in the schema. Secret experimental fields for features only visible to a few users should be in a schema that's only visible to those same users.
Uh oh!
There was an error while loading. Please reload this page.