Skip to content

fix: Revert accidental breaking default values for query complexity limits#10205

Merged
mtrezza merged 1 commit intoparse-community:alphafrom
mtrezza:fix/GHSA-cmj3-wx7h-ffvg-v9
Mar 15, 2026
Merged

fix: Revert accidental breaking default values for query complexity limits#10205
mtrezza merged 1 commit intoparse-community:alphafrom
mtrezza:fix/GHSA-cmj3-wx7h-ffvg-v9

Conversation

@mtrezza
Copy link
Member

@mtrezza mtrezza commented Mar 15, 2026
edited by coderabbitai bot
Loading

Issue

Revert accidental breaking default values for query complexity limits that were introduced with the fix for GHSA-cmj3-wx7h-ffvg

Summary by CodeRabbit

  • Configuration Changes

    • Updated default request complexity settings to be disabled by default. Previously configured limits for query depth, field counts, and include operations are now disabled until explicitly configured. Users can re-enable these constraints as needed.

  • Documentation

    • Updated documentation to reflect new default configuration values for request complexity options.

@parse-github-assistant
Copy link

parse-github-assistant bot commented Mar 15, 2026
edited
Loading

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

@parseplatformorg
Copy link
Contributor

parseplatformorg commented Mar 15, 2026

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@coderabbitai
Copy link

coderabbitai bot commented Mar 15, 2026
edited
Loading

📝 Walkthrough

Walkthrough

This PR changes default values for RequestComplexity configuration properties (includeDepth, includeCount, subqueryDepth, graphQLDepth, graphQLFields) from concrete numbers (5, 50, 200) to -1 across test, configuration, and documentation files, indicating a shift to disabled-by-default behavior.

Changes

Cohort / File(s) Summary
Test Files
spec/RequestComplexity.spec.js, spec/SecurityCheckGroups.spec.js		 Updated test expectations to reflect new -1 defaults for includeCount, subqueryDepth, graphQLDepth, and graphQLFields; expanded config.requestComplexity structure in security checks tests.
Configuration Defaults
src/Options/Definitions.js, src/Options/index.js		 Changed default values from concrete numbers to -1 for includeDepth, includeCount, subqueryDepth, graphQLDepth, and graphQLFields; updated corresponding help text documentation.
API Documentation
src/Options/docs.js		 Updated RequestComplexityOptions public interface documentation to reflect new -1 defaults for all modified properties.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Description check ❓ Inconclusive PR description is minimal but directly addresses the issue. It clearly identifies the problem (breaking default values) and references the related security advisory, though it lacks implementation details and task tracking. Expand description with Approach section explaining how defaults are reverted, and complete the Tasks checklist to clarify what work was done and what still needs completion.
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and specifically describes the main change: reverting accidental breaking default values for query complexity limits, which aligns with the file changes across all modified files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
📝 Coding Plan
  • Generate coding plan for human review comments

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@codecov
Copy link

codecov bot commented Mar 15, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.56%. Comparing base (f44e306) to head (714bdc0).
⚠️ Report is 3 commits behind head on alpha.

Additional details and impacted files 
@@            Coverage Diff             @@
##            alpha   #10205      +/-   ##
==========================================
+ Coverage   92.55%   92.56%   +0.01%     
==========================================
  Files         192      192              
  Lines       16284    16284              
  Branches      199      199              
==========================================
+ Hits        15072    15074       +2     
+ Misses       1195     1193       -2     
  Partials       17       17

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@mtrezza mtrezza merged commit ab8dd54 into parse-community:alpha Mar 15, 2026
22 of 24 checks passed
parseplatformorg pushed a commit that referenced this pull request Mar 15, 2026
@semantic-release-bot
chore(release): 9.6.0-alpha.22 [skip ci]
2b28587 
# [9.6.0-alpha.22](9.6.0-alpha.21...9.6.0-alpha.22) (2026-03-15)

### Bug Fixes

* Revert accidental breaking default values for query complexity limits ([#10205](#10205)) ([ab8dd54](ab8dd54))
@parseplatformorg
Copy link
Contributor

parseplatformorg commented Mar 15, 2026

🎉 This change has been released in version 9.6.0-alpha.22

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Mar 15, 2026
@mtrezza mtrezza deleted the fix/GHSA-cmj3-wx7h-ffvg-v9 branch March 15, 2026 03:46
@coderabbitai coderabbitai bot mentioned this pull request Mar 15, 2026
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] approved these changes

Assignees

No one assigned

Labels

state:released-alpha Released as alpha version

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mtrezza @parseplatformorg