{"id":13475191,"url":"https://github.com/slicknode/graphql-query-complexity","last_synced_at":"2025-04-13T06:18:27.677Z","repository":{"id":41145720,"uuid":"99100259","full_name":"slicknode/graphql-query-complexity","owner":"slicknode","description":"GraphQL query complexity analysis and validation for graphql-js","archived":false,"fork":false,"pushed_at":"2025-04-08T02:29:33.000Z","size":344,"stargazers_count":735,"open_issues_count":12,"forks_count":41,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-04-13T06:18:03.633Z","etag":null,"topics":["analysis","complexity","dos-attack","graphql","graphql-js","graphql-query-analysis","graphql-query-complexity","validation"],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/slicknode.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-08-02T09:47:32.000Z","updated_at":"2025-04-08T02:03:04.000Z","dependencies_parsed_at":"2023-01-21T13:46:03.950Z","dependency_job_id":"27c54be8-7e77-4bb8-b617-458e957f858e","html_url":"https://github.com/slicknode/graphql-query-complexity","commit_stats":{"total_commits":107,"total_committers":21,"mean_commits":5.095238095238095,"dds":"0.33644859813084116","last_synced_commit":"455978d4ed2934d7160a457965ab104998a3c515"},"previous_names":[],"tags_count":20,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/slicknode%2Fgraphql-query-complexity","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/slicknode%2Fgraphql-query-complexity/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/slicknode%2Fgraphql-query-complexity/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/slicknode%2Fgraphql-query-complexity/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/slicknode","download_url":"https://codeload.github.com/slicknode/graphql-query-complexity/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248670437,"owners_count":21142905,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["analysis","complexity","dos-attack","graphql","graphql-js","graphql-query-analysis","graphql-query-complexity","validation"],"created_at":"2024-07-31T16:01:18.147Z","updated_at":"2025-04-13T06:18:27.668Z","avatar_url":"https://github.com/slicknode.png","language":"TypeScript","funding_links":[],"categories":["TypeScript","\u003ca name=\"TypeScript\"\u003e\u003c/a\u003eTypeScript"],"sub_categories":[],"readme":"# GraphQL Query Complexity Analysis for graphql-js\n\n[![npm](https://img.shields.io/npm/dm/graphql-query-complexity)](https://www.npmjs.com/package/graphql-query-complexity)\n[![npm version](https://badge.fury.io/js/graphql-query-complexity.svg)](https://badge.fury.io/js/graphql-query-complexity)\n[![Twitter Follow](https://img.shields.io/twitter/follow/slicknode?style=social)](https://twitter.com/slicknode)\n\nThis library provides GraphQL query analysis to reject complex queries to your GraphQL server.\nIt can be used to protect your GraphQL servers against resource exhaustion and DoS attacks.\n\nThis library was originally developed as part of the [Slicknode GraphQL Framework + Headless CMS](https://slicknode.com).\n\nWorks with [graphql-js](https://github.com/graphql/graphql-js) reference implementation.\n\n## Installation\n\nInstall the package via npm\n\n```bash\nnpm install -S graphql-query-complexity\n```\n\n## Usage\n\nCreate the rule with a maximum query complexity:\n\n```javascript\nimport {\n  createComplexityRule,\n  simpleEstimator\n} from 'graphql-query-complexity';\n\nconst rule = createComplexityRule({\n  // The maximum allowed query complexity, queries above this threshold will be rejected\n  maximumComplexity: 1_000,\n\n  // The query variables. This is needed because the variables are not available\n  // in the visitor of the graphql-js library\n  variables: {},\n\n  // The context object for the request (optional)\n  context: {}\n\n  // Specify operation name when evaluating multi-operation documents\n  operationName?: string,\n\n  // The maximum number of query nodes to evaluate (fields, fragments, composite types).\n  // If a query contains more than the specified number of nodes, the complexity rule will\n  // throw an error, regardless of the complexity of the query.\n  //\n  // Default: 10_000\n  maxQueryNodes?: 10_000,\n\n  // Optional callback function to retrieve the determined query complexity\n  // Will be invoked whether the query is rejected or not\n  // This can be used for logging or to implement rate limiting\n  onComplete: (complexity: number) =\u003e {console.log('Determined query complexity: ', complexity)},\n\n  // Optional function to create a custom error\n  createError: (max: number, actual: number) =\u003e {\n    return new GraphQLError(`Query is too complex: ${actual}. Maximum allowed complexity: ${max}`);\n  },\n\n  // Add any number of estimators. The estimators are invoked in order, the first\n  // numeric value that is being returned by an estimator is used as the field complexity.\n  // If no estimator returns a value, an exception is raised.\n  estimators: [\n    // Add more estimators here...\n\n    // This will assign each field a complexity of 1 if no other estimator\n    // returned a value.\n    simpleEstimator({\n      defaultComplexity: 1\n    })\n  ]\n});\n```\n\n## Configuration / Complexity Estimators\n\nThe complexity calculation of a GraphQL query can be customized with so called complexity estimators.\nA complexity estimator is a simple function that calculates the complexity for a field. You can add\nany number of complexity estimators to the rule, which are then executed one after another.\nThe first estimator that returns a numeric complexity value determines the complexity for that field.\n\nAt least one estimator has to return a complexity value, otherwise an exception is raised. You can\nfor example use the [simpleEstimator](./src/estimators/simple/README.md) as the last estimator\nin your chain to define a default value.\n\nYou can use any of the available estimators to calculate the complexity of a field\nor write your own:\n\n- **[`simpleEstimator`](src/estimators/simple/README.md):** The simple estimator returns a fixed complexity for each field. Can be used as\n  last estimator in the chain for a default value.\n- **[`directiveEstimator`](src/estimators/directive/README.md):** Set the complexity via a directive in your\n  schema definition (for example via GraphQL SDL)\n- **[`fieldExtensionsEstimator`](src/estimators/fieldExtensions/README.md):** The field extensions estimator lets you set a numeric value or a custom estimator\n  function in the field config extensions of your schema.\n- PRs welcome...\n\nConsult the documentation of each estimator for information about how to use them.\n\n## Creating Custom Estimators\n\nAn estimator has the following function signature:\n\n```typescript\ntype ComplexityEstimatorArgs = {\n  // The composite type (interface, object, union) that the evaluated field belongs to\n  type: GraphQLCompositeType;\n\n  // The GraphQLField that is being evaluated\n  field: GraphQLField\u003cany, any\u003e;\n\n  // The GraphQL node that is being evaluated\n  node: FieldNode;\n\n  // The input arguments of the field\n  args: { [key: string]: any };\n\n  // The complexity of all child selections for that field\n  childComplexity: number;\n\n  // The context object for the request if it was provided\n  context?: Record\u003cstring, any\u003e;\n};\n\ntype ComplexityEstimator = (options: ComplexityEstimatorArgs) =\u003e number | void;\n```\n\n## Usage with express-graphql\n\nTo use the query complexity analysis validation rule with express-graphql, use something like the\nfollowing:\n\n```javascript\nimport {\n  simpleEstimator,\n  createComplexityRule,\n} from 'graphql-query-complexity';\nimport express from 'express';\nimport graphqlHTTP from 'express-graphql';\nimport schema from './schema';\n\nconst app = express();\napp.use(\n  '/api',\n  graphqlHTTP(async (request, response, { variables }) =\u003e ({\n    schema,\n    validationRules: [\n      createComplexityRule({\n        estimators: [\n          // Configure your estimators\n          simpleEstimator({ defaultComplexity: 1 }),\n        ],\n        maximumComplexity: 1000,\n        variables,\n        onComplete: (complexity: number) =\u003e {\n          console.log('Query Complexity:', complexity);\n        },\n      }),\n    ],\n  }))\n);\n```\n\n## Calculate query complexity\n\nIf you want to calculate the complexity of a GraphQL query outside of the validation phase, for example to\nreturn the complexity value in a resolver, you can calculate the complexity via `getComplexity`:\n\n```javascript\nimport { getComplexity, simpleEstimator } from 'graphql-query-complexity';\nimport { parse } from 'graphql';\n\n// Import your schema or get it form the info object in your resolver\nimport schema from './schema';\n\n// You can also use gql template tag to get the parsed query\nconst query = parse(`\n  query Q($count: Int) {\n    some_value\n    some_list(count: $count) {\n      some_child_value\n    }\n  }\n`);\n\ntry {\n  const complexity = getComplexity({\n    estimators: [simpleEstimator({ defaultComplexity: 1 })],\n    schema,\n    query,\n    variables: {\n      count: 10,\n    },\n  });\n\n  console.log(complexity); // Output: 3\n} catch (e) {\n  // Log error in case complexity cannot be calculated (invalid query, misconfiguration, etc.)\n  console.error('Could not calculate complexity', e.message);\n}\n```\n\n## Prior Art\n\nThis project is inspired by the following prior projects:\n\n- Query complexity analysis in the [Sangria GraphQL](http://sangria-graphql.org/) implementation.\n- [graphql-cost-analysis](https://github.com/pa-bru/graphql-cost-analysis) - Multipliers and directiveEstimator\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fslicknode%2Fgraphql-query-complexity","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fslicknode%2Fgraphql-query-complexity","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fslicknode%2Fgraphql-query-complexity/lists"}