@wundergraph/composition
[![npm version](https://badge.fury.io/js/%40wundergraph%2Fcomposition.svg)](https://badge.fury.io/js/%40wundergraph%2Fcomposition)
The WunderGraph composition library allows you to federate multiple subgraph schemas into a single federated GraphQL schema.
The `federateSubgraphs` function is responsible for producing a valid federated graph.
Each subgraph will be normalized and validated before federation.
This normalization process does not affect the upstream schema.
The final federated graph will also be validated.
The function must be provided with an array of at least one `Subgraph` object.
An example federation of two simple subgraphs:
```typescript
import { federateSubgraphs, FederationResult, Subgraph } from '@wundergraph/composition';
import { parse } from 'graphql';

const subgraphA: Subgraph = {
  name: 'subgraph-a',
  url: 'http://localhost:4001',
  definitions: parse(`
    type User @key(fields: "id") {
      id: ID!
      name: String!
    }
  `),
};

const subgraphB: Subgraph = {
  name: 'subgraph-b',
  url: 'http://localhost:4002',
  definitions: parse(`
    type Query {
      users: [User!]!
    }

    type User @key(fields: "id") {
      id: ID!
      interests: [String!]!
    }
  `),
};

// Federate only after both subgraphs have been declared
const federationResult: FederationResult = federateSubgraphs([subgraphA, subgraphB]);
```
The `federateSubgraphs` function returns a `FederationResult` object.
If federation was successful, the `errors` property will be undefined, and both the `federatedGraphAST` and the `federatedGraphSchema` objects will be defined.
property | Description | type |
---|---|---|
errors | unique name of the subgraph | `Error[] \| undefined` |
federatedGraphAST | federated schema represented as an AST | `graphql.DocumentNode \| undefined` |
federatedGraphSchema | federated schema represented as a schema object | `graphql.GraphQLSchema \| undefined` |
If normalization of any subgraph fails, or the federated graph itself is invalid, the AST and schema will not be produced (undefined properties). In these cases, the errors array will be defined and populated. An example of a simple debugging framework might be:
```typescript
import { federateSubgraphs, Subgraph } from '@wundergraph/composition';
import { print, printSchema } from 'graphql';

// subgraph definitions (subgraphA, subgraphB) must be declared before this call [removed for brevity]

const result = federateSubgraphs([subgraphA, subgraphB]);

if (result.errors) {
  for (const err of result.errors) {
    console.log(err.message);
  }
} else {
  // Both options to print the federated graph as a string are included for documentation purposes only
  console.log(print(result.federatedGraphAST!)); // log the federated graph AST as a string
  console.log(printSchema(result.federatedGraphSchema!)); // log the federated graph schema as a string
}
```
Errors can happen in three main stages:
`Subgraph` object has a unique name.

All errors will be appended to the `FederationResult.errors` array.
Often, the error message will suggest potential fixes. For instance:
```
Error: The following root path is unresolvable:
 Query.user.name
This is because:
 The root type field "Query.user" is defined in the following subgraphs: "subgraph-b".
 However, "User.name" is only defined in the following subgraphs: "subgraph-c".
Consequently, "User.name" cannot be resolved through the root type field "Query.user".
Potential solutions:
 Convert "User" into an entity using a "@key" directive.
 Add the shareable root type field "Query.user" to the following subgraphs: "subgraph-c".
  For example (note that V1 fields are shareable by default and do not require a directive):
   type Query {
     ...
     user: User @shareable
   }
```
The `Subgraph` object is the core of the WunderGraph composition library.
An example is shown below:
```typescript
import { Subgraph } from '@wundergraph/composition';
import { parse } from 'graphql';

const subgraphA: Subgraph = {
  name: 'subgraph-a',
  url: 'http://localhost:4001',
  definitions: parse(`
    type User {
      name: String!
    }
  `),
};
```
property | Description | type |
---|---|---|
name | unique name of the subgraph | string |
url | unique endpoint for the subgraph | string |
definitions | SDL of the subgraph | graphql.DocumentNode |
FAQs
The npm package @wundergraph/composition receives a total of 19,446 weekly downloads. As such, @wundergraph/composition popularity was classified as popular.
We found that @wundergraph/composition demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.