chore(deps): update module github.com/vektah/gqlparser/v2 to v2.5.14 [security]

[renovate-sh-app]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/vektah/gqlparser/v2	v2.5.6 -> v2.5.14

GitHub Vulnerability Alerts

CVE-2023-49559

An issue in vektah gqlparser open-source-library v.2.5.10 allows a remote attacker to cause a denial of service via a crafted script to the parserDirectives function.

---

gqlparser denial of service vulnerability via the parserDirectives function

CVE-2023-49559 / GHSA-2hmf-46v7-v6fx / GO-2024-2920

More information

Details

An issue in vektah gqlparser open-source-library v.2.5.10 allows a remote attacker to cause a denial of service via a crafted script to the parserDirectives function.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

• https://nvd.nist.gov/vuln/detail/CVE-2023-49559
• https://github.com/99designs/gqlgen/issues/3118
• https://github.com/vektah/gqlparser/commit/36a3658873bf5a107f42488dfc392949cdd02977
• https://gist.github.com/uvzz/d3ed9d4532be16ec1040a2cf3dfec8d1
• https://github.com/advisories/GHSA-2hmf-46v7-v6fx
• https://github.com/vektah/gqlparser
• https://github.com/vektah/gqlparser/blob/master/parser/query.go#L316

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Denial of service vulnerability via the parseDirectives function in github.com/vektah/gqlparser

CVE-2023-49559 / GHSA-2hmf-46v7-v6fx / GO-2024-2920

More information

Details

An issue in vektah gqlparser open-source-library allows a remote attacker to cause a denial of service via a crafted script to the parseDirectives function.

Severity

Unknown

References

• https://github.com/advisories/GHSA-2hmf-46v7-v6fx
• https://github.com/vektah/gqlparser/commit/36a3658873bf5a107f42488dfc392949cdd02977
• https://gist.github.com/uvzz/d3ed9d4532be16ec1040a2cf3dfec8d1
• https://github.com/99designs/gqlgen/issues/3118
• https://github.com/vektah/gqlparser/blob/master/parser/query.go#L316

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Release Notes

vektah/gqlparser (github.com/vektah/gqlparser/v2)

v2.5.14

Compare Source

What's Changed

• Add ParseQueryWithLimit by @​StevenACoffman in #​304

Full Changelog: vektah/gqlparser@v2.5.13...v2.5.14

v2.5.13

Compare Source

What's Changed

• Bump the actions-deps group in /validator/imported with 6 updates by @​dependabot in #​298
• Bump prettier from 3.2.5 to 3.3.0 in /validator/imported in the actions-deps group by @​dependabot in #​299
• Bump the actions-deps group in /validator/imported with 7 updates by @​dependabot in #​301
• Bump braces from 3.0.2 to 3.0.3 in /validator/imported by @​dependabot in #​302
• Token limit fix CVE-2023-49559 by @​uvzz in #​291

New Contributors

• @​uvzz made their first contribution in #​291

Full Changelog: vektah/gqlparser@v2.5.12...v2.5.13

v2.5.12

Compare Source

What's Changed

• Disallow empty parens (#​292). by @​yuchenshi in #​293
• WithBuiltin FormatterOption added by @​atzedus in #​294
• Redo github actions by @​StevenACoffman in #​295
• Bump github.com/stretchr/testify from 1.4.0 to 1.9.0 in the actions-deps group by @​dependabot in #​296
• Bump the actions-deps group in /validator/imported with 8 updates by @​dependabot in #​297

New Contributors

• @​yuchenshi made their first contribution in #​293

Full Changelog: vektah/gqlparser@v2.5.11...v2.5.12

v2.5.11

Compare Source

What's Changed

• Bump get-func-name from 2.0.0 to 2.0.2 in /validator/imported by @​dependabot in #​284
• Bump @​babel/traverse from 7.22.6 to 7.23.2 in /validator/imported by @​dependabot in #​285
• Fix description formatting (possible " character) by @​blmhemu in #​289
• gqlerror: implement List.Unwrap by @​emersion in #​290

New Contributors

• @​blmhemu made their first contribution in #​289
• @​emersion made their first contribution in #​290

Full Changelog: vektah/gqlparser@v2.5.10...v2.5.11

v2.5.10

Compare Source

What's Changed

• fix for #​281 by @​Metamogul in #​282
• Format the error file from #​282 by @​StevenACoffman in #​283

New Contributors

• @​Metamogul made their first contribution in #​282

Full Changelog: vektah/gqlparser@v2.5.9...v2.5.10

v2.5.9

Compare Source

What's Changed

• Convenience to avoid wrapping nil by @​StevenACoffman in #​274
• Add WrapIfUnwrapped and other Lint fixes by @​StevenACoffman in #​275
• More lint by @​StevenACoffman in #​276
• More minor tweaks by @​StevenACoffman in #​277
• Make all fields of *gqlerror.Error public by @​fredzqm in #​273
• Revert Path string change by @​StevenACoffman in #​278
• Adjust lexer to return gqlerror where it does not break tests by @​StevenACoffman in #​279

Full Changelog: vektah/gqlparser@v2.5.8...v2.5.9

v2.5.8

Compare Source

What's Changed

• Put comments behind an option in formatter by @​benjaminjkraft in #​271

Full Changelog: vektah/gqlparser@v2.5.7...v2.5.8

v2.5.7

Compare Source

What's Changed

• [Snyk] Security upgrade @​babel/preset-env from 7.16.11 to 7.22.6 by @​lwc in #​267
• Bump semver from 5.7.1 to 5.7.2 in /validator/imported by @​dependabot in #​268
• Allow ommitting Directive arguments that are non-null if they have defaults by @​StevenACoffman in #​270

Full Changelog: vektah/gqlparser@v2.5.6...v2.5.7

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.