Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
graphql-tag
Advanced tools
The graphql-tag npm package is primarily used for parsing GraphQL queries and fragments into a standard GraphQL AST (Abstract Syntax Tree). It is commonly used in JavaScript or TypeScript projects that interact with a GraphQL server. The package provides a simple and efficient way to embed GraphQL queries within the code.
Parsing GraphQL queries
This feature allows developers to write GraphQL queries inside JavaScript or TypeScript files using template literals. The gql function parses the query string into a GraphQL AST, which can then be used with GraphQL clients like Apollo Client.
import gql from 'graphql-tag';
const MY_QUERY = gql`
query GetUserInfo($userId: ID!) {
user(id: $userId) {
id
name
email
}
}
`;
Parsing GraphQL fragments
This feature allows the definition of GraphQL fragments that can be reused across multiple queries or mutations. The gql function is used to parse the fragment, and it can be embedded within queries or mutations to avoid repetition of field definitions.
import gql from 'graphql-tag';
const USER_FRAGMENT = gql`
fragment UserFragment on User {
id
name
email
}
`;
const MY_QUERY = gql`
query GetUserInfo($userId: ID!) {
user(id: $userId) {
...UserFragment
}
}
${USER_FRAGMENT}
`;
Support for multiple operations in a single document
graphql-tag supports defining multiple operations, such as queries and mutations, within a single gql template literal. This can be useful for organizing related operations together in one place.
import gql from 'graphql-tag';
const MULTIPLE_OPERATIONS = gql`
query GetUserInfo($userId: ID!) {
user(id: $userId) {
id
name
}
}
mutation UpdateUserName($userId: ID!, $newName: String!) {
updateUser(id: $userId, name: $newName) {
id
name
}
}
`;
The 'graphql' package is the core JavaScript implementation of GraphQL itself. It includes functionality for parsing queries, but it's more general-purpose and lower-level compared to graphql-tag. It does not provide the same template literal syntax for embedding queries.
Apollo Boost is a package that includes graphql-tag as one of its dependencies. It provides a zero-config way to start using Apollo Client. It's more of a complete solution for managing GraphQL state in applications, whereas graphql-tag is focused solely on parsing queries.
graphql.macro provides similar functionality to graphql-tag but is designed to work with Create React App without ejecting. It allows you to load .graphql and .gql files at compile time, which graphql-tag does not do by default.
GraphQL printing and parsing with bundled dependencies. Includes:
gql
A JavaScript template literal tag that parses GraphQL query strings into the standard GraphQL AST./parser
A bundled version of graphql/language/parser
, that builds correctly in React Native./printer
A bundled version of graphql/language/printer
, that builds correctly in React Native./loader
A webpack loader to preprocess queriesThis is a template literal tag you can use to concisely write a GraphQL query that is parsed into the standard GraphQL AST:
import gql from 'graphql-tag';
const query = gql`
{
user(id: 5) {
firstName
lastName
}
}
`
// query is now a GraphQL syntax tree object
console.log(query);
// {
// "kind": "Document",
// "definitions": [
// {
// "kind": "OperationDefinition",
// "operation": "query",
// "name": null,
// "variableDefinitions": null,
// "directives": [],
// "selectionSet": {
// "kind": "SelectionSet",
// "selections": [
// {
// "kind": "Field",
// "alias": null,
// "name": {
// "kind": "Name",
// "value": "user",
// ...
You can easily explore GraphQL ASTs on astexplorer.net.
This package is the way to pass queries into Apollo Client. If you're building a GraphQL client, you can use it too!
GraphQL strings are the right way to write queries in your code, because they can be statically analyzed using tools like eslint-plugin-graphql. However, strings are inconvenient to manipulate, if you are trying to do things like add extra fields, merge multiple queries together, or other interesting stuff.
That's where this package comes in - it lets you write your queries with ES2015 template literals and compile them into an AST with the gql
tag.
This package only has one feature - it caches previous parse results in a simple dictionary. This means that if you call the tag on the same query multiple times, it doesn't waste time parsing it again. It also means you can use ===
to compare queries to check if they are identical.
This package also includes a webpack loader. There are many benefits over this approach, which saves GraphQL ASTs processing time on client-side and enable queries to be separated from script over .graphql
files.
loaders: [
{
test: /\.(graphql|gql)$/,
exclude: /node_modules/,
loader: 'graphql-tag/loader'
}
]
then:
import query from './query.graphql';
console.log(query);
// {
// "kind": "Document",
// ...
Testing environments that don't support Webpack require additional configuration. For Jest use jest-transform-graphql.
This package also includes two submodules: graphql-tag/printer
and graphql-tag/parser
, which are bundled versions of the corresponding modules from the standard graphql
package. These are included because the graphql
package currently doesn't build in React Native. Use them the same way you would use the relevant modules from graphql
:
import { parse } from 'graphql-tag/parser';
import { print } from 'graphql-tag/printer';
We generate the bundles for the printer and parser with Webpack from the graphql
package. You might notice the bundles are included in the package source on GitHub. This is to enable easy installation from a Git URL in cases where that is helpful. In the case of updates to graphql
printing or parsing (which should be very rare since the syntax is stable at this point), we will be able to easily run the build script and republish.
FAQs
A JavaScript template literal tag that parses GraphQL queries
We found that graphql-tag demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.