Update dependency graphql to v2.1.15 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
graphql (source, changelog)	2.1.0 -> 2.1.15

---

graphql allows remote code execution when loading a crafted GraphQL schema

CVE-2025-27407 / GHSA-q92j-grw3-h492

More information

Details

Summary

Loading a malicious schema definition in GraphQL::Schema.from_introspection (or GraphQL::Schema::Loader.load) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection.

Severity

• CVSS Score: 9.0 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

References

• https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492
• https://nvd.nist.gov/vuln/detail/CVE-2025-27407
• https://github.com/rmosolgo/graphql-ruby/commit/28233b16c0eb9d0fb7808f4980e061dc7507c4cd
• https://github.com/rmosolgo/graphql-ruby/commit/2d2f4ed1f79472f8eed29c864b039649e1de238f
• https://github.com/rmosolgo/graphql-ruby/commit/5c5a7b9a9bdce143be048074aea50edb7bb747be
• https://github.com/rmosolgo/graphql-ruby/commit/6eca16b9fa553aa957099a30dbde64ddcdac52ca
• https://github.com/rmosolgo/graphql-ruby/commit/d0963289e0dab4ea893bbecf12bb7d89294957bb
• https://github.com/rmosolgo/graphql-ruby/commit/d1117ae0361d9ed67e0795b07f5c3e98e62f3c7c
• https://github.com/rmosolgo/graphql-ruby/commit/e3b33ace05391da2871c75ab4d3b66e29133b367
• https://github.com/rmosolgo/graphql-ruby/commit/e58676c70aa695e3052ba1fbc787efee4ba7d67e
• https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released
• https://github.com/github-community-projects/graphql-client
• https://github.com/rmosolgo/graphql-ruby
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/graphql/CVE-2025-27407.yml

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

rmosolgo/graphql-ruby (graphql)

v2.1.15

Compare Source

v2.1.13

Compare Source

v2.1.12

Compare Source

v2.1.11

Compare Source

v2.1.10

Compare Source

• Dataloader: remove Fiber#transfer support because of unpredictable Ruby control flow #​4753

v2.1.9

Compare Source

Bug fixes

• Dataloader: fix some fiber scheduling bugs #​4744

v2.1.8

Compare Source

New features

• Rails generators: generate a base resolver class by default #​4513
• Dataloader: add some support for transfer-based Fiber schedulers, simplify algorithm #​4625 #​4729
• prepare: check for the named method on the argument owner, too #​4717

v2.1.7

Compare Source

New features

• Make NullContext inherit from Context, to make typechecking easier #​4709
• Accept a custom Schema.query_class to use for executing queries #​4679

Bug fixes

• Default reauthorize_scoped_objects to false #​4720
• Fix subscriptions.trigger with custom enum values #​4713
• Fix backtrace: true with GraphQL-Pro @defer #​4708
• Omit to_h from Input Object validation error message #​4701
• When trimming whitespace from block strings, remove first and last lines that contain only whitespace #​4704

v2.1.6

Compare Source

Breaking Changes

• The parser cache is now opt-in. Add config.graphql.parser_cache = true to your Rails environment setup to enable it. #​4648

New features

• New ISO8601Duration scalar #​4688

Bug fixes

• Trace: fix custom trace mode inheritance #​4693

v2.1.5

Compare Source

Bug fixes

• Logger: Fix Schema.default_logger when Rails is present but doesn't have a logger #​4686

v2.1.4

Compare Source

New features

• Add Query#logger #​4674
• Lookahead: Add with_alias: option #​2912
• Improve support for load_application_object_failed #​4667

Bug fixes

• Execution: Fix runtime loop in some cases with fragments #​4684
• Fix Connection#initialize outside of execution #​4675
• Fix ParseError in Subscriptions#trigger #​4673
• Mongo: don't load all records in hasNextPage #​4671
• Interfaces: fix definition_methods when interfaces implement other interfaces #​4670
• Migrate NullContext to use the built-in Singleton module #​4669
• Speed up type lookup #​4664
• Fix ScopeExtension#after_resolve outside of execution #​4685
• Speed up one_of? checks #​4680

v2.1.3

Compare Source

Bug fixes

• Tracing: fix legacy tracers added to GraphQL::Schema #​4663
• Add racc as a dependency because it's not included by default in Ruby 3.3 #​4661
• Connections: don't add automatic connection behaviors for types named "Connection" #​4668

v2.1.2

Compare Source

New features

• Depth: accept count_introspection_fields: false #​4658
• Dataloader: add get_fiber_variables and set_fiber_variables #​4593
• Trace: Add Schema.default_trace_mode #​4642

Bug fixes

• Fix merging results after calling directives #​4639 #​4660
• Visibility: don't reveal implementers of hidden abstract types #​4589
• Bump required Ruby version to 2.7 since numbered block arguments are used #​4659
• hash_key:: use the configured hash key when the underlying Hash has a default value Proc #​4656

v2.1.1

Compare Source

• Dataloader: remove Fiber#transfer support because of unpredictable Ruby control flow #​4753

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.