Releases: mercurius-js/mercurius
Releases · mercurius-js/mercurius
v16.8.0
⚠️ Security Release
- Fixes "queryDepth limit bypassed for WebSocket subscriptions" GHSA-m4h2-mjfm-mp55 CVE-2026-30241
What's Changed
- chore: remove tests-checker workflow by @Tony133 in #1207
- build(deps): bump actions/setup-node from 6.1.0 to 6.2.0 by @dependabot[bot] in #1208
Full Changelog: v16.7.0...v16.8.0
Contributors
Tony133 and dependabot
Assets 2
v16.7.0
What's Changed
- build(deps-dev): bump @types/node from 24.10.4 to 25.0.2 by @dependabot[bot] in #1200
- build(deps): bump @fastify/static from 8.3.0 to 9.0.0 by @dependabot[bot] in #1201
- build(deps): bump actions/setup-node from 5.0.0 to 6.1.0 by @dependabot[bot] in #1203
- build(deps-dev): bump @graphql-tools/utils from 10.11.0 to 11.0.0 by @dependabot[bot] in #1204
- chore: update license by @Tony133 in #1205
- chore: move borp to dev dependency by @stefanvanderwolf in #1206
- check socket before awaiting subscription iterator by @NeoPhi in #1202
- docs: add GQLoom integration documentation by @xcfox in #1199
- build(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in #1198
New Contributors
- @stefanvanderwolf made their first contribution in #1206
- @NeoPhi made their first contribution in #1202
- @xcfox made their first contribution in #1199
Full Changelog: v16.6.0...v16.7.0
Contributors
NeoPhi, Tony133, and 3 other contributors
Assets 2
v16.6.0
What's Changed
- feat: add highwatermakr option to subscription queue by @simone-sanfratello in #1197
Full Changelog: v16.5.0...v16.6.0
Contributors
simone-sanfratello
Assets 2
v16.5.0
What's Changed
- build(deps): bump actions/setup-node from 4.4.0 to 5.0.0 by @dependabot[bot] in #1188
- feat: default subscription ws subprotocol by @simone-sanfratello in #1189
- chore: remove tap and others update by @Tony133 in #1183
- build(deps): bump secure-json-parse from 3.0.2 to 4.1.0 by @dependabot[bot] in #1190
- feat: default ws subprotocol option by @simone-sanfratello in #1191
- feat: subscription hooks on connection close and error by @simone-sanfratello in #1192
- feat: message id in subscription hooks by @simone-sanfratello in #1193
Full Changelog: v16.3.0...v16.5.0
Contributors
simone-sanfratello, Tony133, and dependabot
Assets 2
v16.4.0
What's Changed
- feat: csrf prevention by @simone-sanfratello in #1187
Full Changelog: v16.3.0...v16.4.0
Contributors
simone-sanfratello
Assets 2
v16.3.0
What's Changed
- fix: correct GraphiQL plugin variable names by @prkomb in #1171
- build(deps-dev): bump typescript from 5.8.3 to 5.9.2 by @dependabot[bot] in #1174
- test: migrated hooks-runner.test.js from tap to node:test by @Tony133 in #1181
- test: migrated subscription-hooks.test.js from tap to node:test by @Tony133 in #1178
- test: migrated errors.test.js from tap to node:test by @Tony133 in #1167
- test: migrated hooks.test.js from tap to node:test by @Tony133 in #1179
- test: migrated batched.test.js from tap to node:test by @Tony133 in #1176
- test: migrated app-decorator.test.js from tap to node:test by @Tony133 in #1177
- test: migrated routes.test.js from tap to node:test by @Tony133 in #1180
- test: migrated subscription.test.js from tap to node:test by @Tony133 in #1172
- build(deps-dev): bump wait-on from 8.0.5 to 9.0.1 by @dependabot[bot] in #1184
- build(deps-dev): bump @sinonjs/fake-timers from 14.0.0 to 15.0.0 by @dependabot[bot] in #1185
- fix: subscription hook onSubscriptionEnd context by @simone-sanfratello in #1186
- build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in #1182
New Contributors
Full Changelog: v16.2.0...v16.3.0
Contributors
simone-sanfratello, Tony133, and 2 other contributors
Assets 2
v16.2.0
What's Changed
- fix: linting regressions by @voxpelli in #1138
- Update subscriptions.md by @cbschuld in #1134
- build(deps-dev): bump sinon from 19.0.5 to 20.0.0 by @dependabot in #1141
- simple(graphiql): bump GraphiQL version to 3.8.3 by @acoBOYZ in #1144
- build(deps-dev): bump tsd from 0.31.2 to 0.32.0 by @dependabot in #1145
- build(deps): bump mqemitter from 6.0.2 to 7.0.0 by @dependabot in #1146
- build(deps): bump actions/setup-node from 4.2.0 to 4.4.0 by @dependabot in #1147
- feat: custom pubsub with custom args on subscribe method by @simone-sanfratello in #1148
- Add Node v24 by @mcollina in #1149
- build(deps): bump single-user-cache from 1.0.1 to 2.0.0 by @dependabot in #1151
- chore: update dependencie typescript by @Tony133 in #1150
- test: migrated custom-root-types.test.js from tap to node:test by @Tony133 in #1164
- test: migrated reply-decorator.test.js from tap to node:test by @Tony133 in #1163
- test: migrated query-depth.test.js from tap to node:test by @Tony133 in #1159
- test: migrated tests from tap to node:test by @Tony133 in #1165
- test: migrated fix-790.test.js from tap to node:test by @Tony133 in #1158
- test: migrated persisted.test.js from tap to node:test by @Tony133 in #1161
- test: migrated options.test.js from tap to node:test by @Tony133 in #1157
- test: migrated loaders.test.js from tap to node:test by @Tony133 in #1156
- test: migrated validation-rules.test.js from tap to node:test by @Tony133 in #1162
- test: migrated directives.test.js from tap to node:test by @Tony133 in #1155
- test: migrated cache.test.js from tap to node:test by @Tony133 in #1154
- test: migrated alieses.test.js from tap to node:test by @Tony133 in #1153
- test: migrated subscription-connetions.test.js from tap to node:test by @Tony133 in #1166
- build(deps-dev): bump @types/node from 22.15.32 to 24.0.3 by @dependabot in #1168
- build(deps-dev): bump sinon from 20.0.0 to 21.0.0 by @dependabot in #1169
- fix memory leak in withFilter by @mcollina in #1170
- fix: removeListener called multiple times by @Hokid in #1140
New Contributors
- @cbschuld made their first contribution in #1134
- @acoBOYZ made their first contribution in #1144
- @Hokid made their first contribution in #1140
Full Changelog: v16.1.0...v16.2.0
Contributors
voxpelli, mcollina, and 6 other contributors
Assets 2
v16.1.0
What's Changed
- build(deps-dev): bump graphql-ws from 5.16.2 to 6.0.1 by @dependabot in #1131
- build(deps): bump actions/setup-node from 4.0.1 to 4.2.0 by @dependabot in #1133
- chore: update license by @Tony133 in #1135
- Handle backpressure in subscriptions by @mcollina in #1136
Full Changelog: v16.0.1...v16.1.0
Contributors
mcollina, Tony133, and dependabot
Assets 2
v16.0.1
What's Changed
- Update fastify to v5 by @mcollina in #1129
- made mercurius's implicitly injected pubsub subscribe/publish methods type safe by @adrtivv in #1115
Full Changelog: v16.0.0...v16.0.1
Contributors
mcollina and adrtivv
Assets 2
v16.0.0
What's Changed
- feat: APQ should persist queries only when inside an APQ flow by @marcoreni in #1124
- feat: improve PersistedQueryProvider types by @marcoreni in #1121
- Update all dependencies by @mcollina in #1125
New Contributors
- @marcoreni made their first contribution in #1124
Full Changelog: v15.1.0...v16.0.0
Contributors
mcollina and marcoreni