{"id":16229226,"url":"https://github.com/morris/gqlm","last_synced_at":"2026-04-30T02:36:38.292Z","repository":{"id":183444781,"uuid":"619195444","full_name":"morris/gqlm","owner":"morris","description":"A framework for fully automatic monkey testing of GraphQL APIs","archived":false,"fork":false,"pushed_at":"2024-03-09T15:04:37.000Z","size":410,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-09-11T19:47:10.490Z","etag":null,"topics":["graphql","testing"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"isc","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/morris.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2023-03-26T14:51:52.000Z","updated_at":"2025-07-11T10:57:36.000Z","dependencies_parsed_at":null,"dependency_job_id":"7f72dd0c-1d0b-436b-a15c-05536238420f","html_url":"https://github.com/morris/gqlm","commit_stats":null,"previous_names":["morris/gqlm"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/morris/gqlm","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/morris%2Fgqlm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/morris%2Fgqlm/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/morris%2Fgqlm/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/morris%2Fgqlm/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/morris","download_url":"https://codeload.github.com/morris/gqlm/tar.gz/refs/heads
/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/morris%2Fgqlm/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32452741,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-29T22:27:22.272Z","status":"online","status_checked_at":"2026-04-30T02:00:05.929Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["graphql","testing"],"created_at":"2024-10-10T12:57:44.121Z","updated_at":"2026-04-30T02:36:38.265Z","avatar_url":"https://github.com/morris.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# GQLM\n\n🐵 A framework for fully automatic **monkey testing/fuzz testing** of GraphQL APIs.\n\nGQLM explores GraphQL schemas with almost **zero human input**,\ndiscovering bugs, edge cases, and security issues.\n\n## Installation\n\nIn an existing Node.js project, run:\n\n```sh\nnpm install gqlm\n```\n\nOr, if you want to set up a new project just for running tests on an API,\nrun these in a new directory:\n\n```sh\nnpm init -y\nnpm install gqlm\n```\n\n## Usage\n\nCreate a file `test.gqlm.mjs` with the following contents:\n\n```ts\nimport { GQLM } from 'gqlm';\n\nGQLM.run({\n  url: 'https://my.graphql.api/graphql',\n  count: 5,\n});\n```\n\nThen, run `node test.gqlm.mjs`.\nThis will start automatic, explorative testing of your API with up to 5 requests.\n\n- Test results with requests and responses 
are written to `__gqlm__/\u003cn\u003e.json`.\n- Collected memory is written to `__gqlm__/memory.json`.\n- Schema coverage is written to `__gqlm__/coverage.json`.\n- Inspect these files to determine fitness of the tested GraphQL API.\n- A good workflow is to follow up by creating integration/snapshot tests for conservation of behavior.\n\nExample result:\n\n```js\nexport const operation = `{\n  search(q: \"Blades of the Darkmoon\") {\n    __typename\n    ... on Company {\n      contracts {\n        customer {\n          __typename\n          ... on Company {\n            employees {\n              firstname\n              lastname\n              birthdate\n              __typename\n            }\n          }\n        }\n      }\n    }\n  }\n}`;\n\nexport const result = {\n  status: 200,\n  responseTime: 3,\n  failed: false,\n  data: {\n    search: [\n      {\n        __typename: 'Company',\n        contracts: [\n          {\n            customer: {\n              __typename: 'Company',\n              employees: [\n                {\n                  firstname: 'Dark Sun Gwyndolin',\n                  lastname: '?',\n                  birthdate: '2011-09-23',\n                  __typename: 'Person',\n                },\n                {\n                  firstname: 'Darkmoon Knightess',\n                  lastname: '?',\n                  birthdate: '2011-09-24',\n                  __typename: 'Person',\n                },\n              ],\n            },\n          },\n        ],\n      },\n    ],\n  },\n};\n```\n\n## Authentication\n\nFor secured GraphQL APIs, you are free to authenticate in any way\nand pass headers to the GQLM options. 
For example:\n\n```ts\nimport { GQLM } from 'gqlm';\n\nasync function run() {\n  const authResponse = await fetch('https://my.oauth.api/token', {\n    // fetch() defaults to GET, which cannot carry a request body\n    method: 'POST',\n    headers: {\n      'content-type': 'application/json',\n    },\n    body: JSON.stringify({\n      grant_type: 'password',\n      username: 'foo',\n      password: 'bar',\n    }),\n  });\n\n  const { access_token } = await authResponse.json();\n\n  await GQLM.run({\n    url: 'https://my.graphql.api/graphql',\n    requestInit: {\n      headers: {\n        authorization: `Bearer ${access_token}`,\n      },\n    },\n    count: 5,\n  });\n}\n\nrun();\n```\n\n## Options\n\nGQLM accepts the following options:\n\n- `url: string` - URL of GraphQL API to test\n- `count: number` - Maximum number of requests to run\n- `requestInit?: RequestInit` - Additional parameters for fetch(), e.g. headers\n- `seed?: string` - Seed for randomization; if set, GQLM will behave deterministically\n- `input?: Record\u003cstring, unknown\u003e` - Map of initial data for generating inputs.\n- `exit?: boolean` - Should GQLM exit on the first failed request?\n- `isFailure?: (result: ExecutionResult) =\u003e boolean` - Callback to determine whether a GraphQL result is considered a failure.\n- `outDir?: string` - Output directory; defaults to `__gqlm__`.\n\n## Advanced Usage\n\nExpanding the pattern for authentication above,\nyou can design arbitrary environments around GQLM, e.g.\n\n- starting a local server to test,\n- seeding data,\n- running with multiple users of different access levels,\n- using GQLM for load testing,\n- etc.\n\nAdditionally, you can extend the GQLM class and override some behavior (see source code).\n\n## Mutations\n\nCurrently, only GraphQL queries are supported. Mutations need some discovery\non how to test them safely and make the results useful. 
PRs welcome!\n\n## TypeScript\n\nTest files can also be written in TypeScript (`.ts` extension).\nJust install and use `ts-node` instead of `node`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmorris%2Fgqlm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmorris%2Fgqlm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmorris%2Fgqlm/lists"}