Background
The graphql-depth-limit@1.1.0 package is unmaintained (7+ years, repository deleted). It crashes on fragment spreads within dynamic-zone unions (reads .kind on undefined nodes). Currently worked around with depthLimit: 100 in apps/cms/config/plugins.ts, which effectively disables DoS protection.
Raised in PR #443 review: #443
Expected outcome
Strapi GraphQL plugin uses a maintained depth-limiting library that correctly handles fragment spreads in unions, with a reasonable depth limit (10–15) restoring DoS protection.
Acceptance criteria
- Replace graphql-depth-limit with @graphile/depth-limit (or an equivalent maintained library)
- Set depthLimit to a reasonable value (10–15)
- Remove the depthLimit: 100 workaround from apps/cms/config/plugins.ts
Possible solution(s)
- Check if upgrading @strapi/plugin-graphql to latest resolves the dependency
- If not, use pnpm overrides to swap graphql-depth-limit for @graphile/depth-limit
- Custom Strapi middleware to replace the built-in depth validation
References