Research
2025 Report: Destructive Malware in Open Source Packages
Destructive malware is rising across open source registries, using delays and kill switches to wipe code, break builds, and disrupt CI/CD.
By Kush Pandya - Dec 24, 2025
GraphQL.Client.LocalExecution
Advanced tools
GraphQL.Client.LocalExecution
A GraphQL Client which executes the queries directly on a provided GraphQL schema using graphql-dotnet
GraphQL.Client
A GraphQL Client for .NET Standard over HTTP.
Provides the following packages:
| Package | Downloads | Nuget Latest |
|---|---|---|
| GraphQL.Client |  |  |
| GraphQL.Client.Abstractions |  |  |
| GraphQL.Client.Abstractions.Websocket |  |  |
| GraphQL.Client.LocalExecution |  |  |
| GraphQL.Client.Serializer.Newtonsoft |  |  |
| GraphQL.Client.Serializer.SystemTextJson |  |  |
| GraphQL.Primitives |  |  |
Specification
The Library will try to follow the following standards and documents:
Usage
The intended use of GraphQLHttpClient is to keep one instance alive per endpoint (obvious in case you're
operating full websocket, but also true for regular requests) and is built with thread-safety in mind.
Create a GraphQLHttpClient
// To use NewtonsoftJsonSerializer, add a reference to
// NuGet package GraphQL.Client.Serializer.Newtonsoft
var graphQLClient = new GraphQLHttpClient(
"https://api.example.com/graphql",
new NewtonsoftJsonSerializer());
[!NOTE] GraphQLHttpClient is meant to be used as a single long-lived instance per endpoint (i.e. register as singleton in a DI system), which should be reused for multiple requests.
Create a GraphQLRequest:
Simple Request:
var heroRequest = new GraphQLRequest {
Query = """
{
hero {
name
}
}
"""
};
OperationName and Variables Request:
var personAndFilmsRequest = new GraphQLRequest {
Query ="""
query PersonAndFilms($id: ID) {
person(id: $id) {
name
filmConnection {
films {
title
}
}
}
}
""",
OperationName = "PersonAndFilms",
Variables = new {
id = "cGVvcGxlOjE="
}
};
[!WARNING] Be careful when using
byte[]in your variables object, as most JSON serializers will treat that as binary data.If you really need to send a list of bytes with a
byte[]as a source, then convert it to aList<byte>first, which will tell the serializer to output a list of numbers instead of a base64-encoded string.
Execute Query/Mutation
public class ResponseType
{
public PersonType Person { get; set; }
}
public class PersonType
{
public string Name { get; set; }
public FilmConnectionType FilmConnection { get; set; }
}
public class FilmConnectionType {
public List<FilmContentType> Films { get; set; }
}
public class FilmContentType {
public string Title { get; set; }
}
var graphQLResponse = await graphQLClient.SendQueryAsync<ResponseType>(personAndFilmsRequest);
var personName = graphQLResponse.Data.Person.Name;
Using the extension method for anonymously typed responses (namespace GraphQL.Client.Abstractions) you could achieve the same result with the following code:
var graphQLResponse = await graphQLClient.SendQueryAsync(
personAndFilmsRequest,
() => new { person = new PersonType()});
var personName = graphQLResponse.Data.person.Name;
[!IMPORTANT] Note that the field in the GraphQL response which gets deserialized into the response object is the
datafield.A common mistake is to try to directly use the
PersonTypeclass as response type (because thats the thing you actually want to query), but the returned response object contains a propertypersoncontaining aPersonTypeobject (like theResponseTypemodelled above).
Use Subscriptions
public class UserJoinedSubscriptionResult {
public ChatUser UserJoined { get; set; }
public class ChatUser {
public string DisplayName { get; set; }
public string Id { get; set; }
}
}
Create subscription
var userJoinedRequest = new GraphQLRequest {
Query = @"
subscription {
userJoined{
displayName
id
}
}"
};
IObservable<GraphQLResponse<UserJoinedSubscriptionResult>> subscriptionStream
= client.CreateSubscriptionStream<UserJoinedSubscriptionResult>(userJoinedRequest);
var subscription = subscriptionStream.Subscribe(response =>
{
Console.WriteLine($"user '{response.Data.UserJoined.DisplayName}' joined")
});
End Subscription
subscription.Dispose();
Automatic persisted queries (APQ)
Automatic persisted queries (APQ) are supported since client version 6.1.0.
APQ can be enabled by configuring GraphQLHttpClientOptions.EnableAutomaticPersistedQueries to resolve to true.
By default, the client will automatically disable APQ for the current session if the server responds with a PersistedQueryNotSupported error or a 400 or 600 HTTP status code.
This can be customized by configuring GraphQLHttpClientOptions.DisableAPQ.
To re-enable APQ after it has been automatically disabled, GraphQLHttpClient needs to be disposed an recreated.
APQ works by first sending a hash of the query string to the server, and only sending the full query string if the server has not yet cached a query with a matching hash.
With queries supplied as a string parameter to GraphQLRequest, the hash gets computed each time the request is sent.
When you want to reuse a query string (propably to leverage APQ :wink:), declare the query using the GraphQLQuery class. This way, the hash gets computed once on construction
of the GraphQLQuery object and handed down to each GraphQLRequest using the query.
GraphQLQuery query = new("""
query PersonAndFilms($id: ID) {
person(id: $id) {
name
filmConnection {
films {
title
}
}
}
}
""");
var graphQLResponse = await graphQLClient.SendQueryAsync<ResponseType>(
query,
"PersonAndFilms",
new { id = "cGVvcGxlOjE=" });
Syntax Highlighting for GraphQL strings in IDEs
.NET 7.0 introduced the StringSyntaxAttribute to have a unified way of telling what data is expected in a given string or ReadOnlySpan<char>. IDEs like Visual Studio and Rider can then use this to provide syntax highlighting and checking.
From v6.0.4 on all GraphQL string parameters in this library are decorated with the [StringSyntax("GraphQL")] attribute.
Currently, there is no native support for GraphQL formatting and syntax highlighting in Visual Studio, but the GraphQLTools Extension provides that for you.
For Rider, JetBrains provides a Plugin, too.
To leverage syntax highlighting in variable declarations, use the GraphQLQuery class.
Useful Links
Blazor WebAssembly Limitations
Blazor WebAssembly differs from other platforms as it does not support all features of other .NET runtime implementations. For instance, the following WebSocket options properties are not supported and will not be set:
Keywords
FAQs
A GraphQL Client which executes the queries directly on a provided GraphQL schema using graphql-dotnet
We found that graphql.client.localexecution demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 21 May 2024
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Engineering with AI Podcast: The Promise of AI-First Development
Socket CTO Ahmad Nassri shares practical AI coding techniques, tools, and team workflows, plus what still feels noisy and why shipping remains human-led.
By Sarah Gooding - Dec 24, 2025
Research
/Security News
Spearphishing Campaign Abuses npm Registry to Target U.S. and Allied Manufacturing and Healthcare Organizations
A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, targeting 25 organizations across manufacturing, industrial automation, plastics, and healthcare for credential theft.
By Nicholas Anderson, Kirill Boychenko - Dec 23, 2025