Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
GraphQL implementation for Python, a port of GraphQL.js, the JavaScript reference implementation for GraphQL.
GraphQL-core 3 is a Python 3.6+ port of GraphQL.js, the JavaScript reference implementation for GraphQL, a query language for APIs created by Facebook.
The current version 3.2.5 of GraphQL-core is up-to-date with GraphQL.js version 16.8.2.
An extensive test suite with over 2300 unit tests and 100% coverage comprises a replication of the complete test suite of GraphQL.js, making sure this port is reliable and compatible with GraphQL.js.
Note that for various reasons, GraphQL-core does not use SemVer like GraphQL.js. Increases in the major version of GraphQL.js are reflected in the minor version of GraphQL-core instead. This means there can be breaking changes in the API when the minor version changes, and only patch releases are fully backward compatible. Therefore, we recommend something like =~ 3.2.0
as version specifier when including GraphQL-core as a dependency.
A more detailed documentation for GraphQL-core 3 can be found at graphql-core-3.readthedocs.io.
The documentation for GraphQL.js can be found at graphql.org/graphql-js/.
The documentation for GraphQL itself can be found at graphql.org.
There will be also blog articles with more usage examples.
A general overview of GraphQL is available in the README for the Specification for GraphQL. That overview describes a simple set of GraphQL examples that exist as tests in this repository. A good way to get started with this repository is to walk through that README and the corresponding tests in parallel.
GraphQL-core 3 can be installed from PyPI using the built-in pip command:
python -m pip install graphql-core
You can also use poetry for installation in a virtual environment:
poetry install
GraphQL-core provides two important capabilities: building a type schema and serving queries against that type schema.
First, build a GraphQL type schema which maps to your codebase:
from graphql import (
GraphQLSchema, GraphQLObjectType, GraphQLField, GraphQLString)
schema = GraphQLSchema(
query=GraphQLObjectType(
name='RootQueryType',
fields={
'hello': GraphQLField(
GraphQLString,
resolve=lambda obj, info: 'world')
}))
This defines a simple schema, with one type and one field, that resolves to a fixed
value. The resolve
function can return a value, a co-routine object or a list of
these. It takes two positional arguments; the first one provides the root or the
resolved parent field, the second one provides a GraphQLResolveInfo
object which
contains information about the execution state of the query, including a context
attribute holding per-request state such as authentication information or database
session. Any GraphQL arguments are passed to the resolve
functions as individual
keyword arguments.
Note that the signature of the resolver functions is a bit different in GraphQL.js,
where the context is passed separately and arguments are passed as a single object.
Also note that GraphQL fields must be passed as a GraphQLField
object explicitly.
Similarly, GraphQL arguments must be passed as GraphQLArgument
objects.
A more complex example is included in the top-level tests directory.
Then, serve the result of a query against that type schema.
from graphql import graphql_sync
source = '{ hello }'
print(graphql_sync(schema, source))
This runs a query fetching the one field defined, and then prints the result:
ExecutionResult(data={'hello': 'world'}, errors=None)
The graphql_sync
function will first ensure the query is syntactically and
semantically valid before executing it, reporting errors otherwise.
from graphql import graphql_sync
source = '{ BoyHowdy }'
print(graphql_sync(schema, source))
Because we queried a non-existing field, we will get the following result:
ExecutionResult(data=None, errors=[GraphQLError(
"Cannot query field 'BoyHowdy' on type 'RootQueryType'.",
locations=[SourceLocation(line=1, column=3)])])
The graphql_sync
function assumes that all resolvers return values synchronously. By
using coroutines as resolvers, you can also create results in an asynchronous fashion
with the graphql
function.
import asyncio
from graphql import (
graphql, GraphQLSchema, GraphQLObjectType, GraphQLField, GraphQLString)
async def resolve_hello(obj, info):
await asyncio.sleep(3)
return 'world'
schema = GraphQLSchema(
query=GraphQLObjectType(
name='RootQueryType',
fields={
'hello': GraphQLField(
GraphQLString,
resolve=resolve_hello)
}))
async def main():
query = '{ hello }'
print('Fetching the result...')
result = await graphql(schema, query)
print(result)
asyncio.run(main())
GraphQL-core tries to reproduce the code of the reference implementation GraphQL.js in Python as closely as possible and to stay up-to-date with the latest development of GraphQL.js.
GraphQL-core 3 (formerly known as GraphQL-core-next) has been created as a modern alternative to GraphQL-core 2, a prior work by Syrus Akbary, based on an older version of GraphQL.js and also targeting older Python versions. Some parts of GraphQL-core 3 have been inspired by GraphQL-core 2 or directly taken over with only slight modifications, but most of the code has been re-implemented from scratch, replicating the latest code in GraphQL.js very closely and adding type hints for Python.
Design goals for the GraphQL-core 3 library were:
Some restrictions (mostly in line with the design goals):
Note that meanwhile we are using the amazing ruff tool to both format and check the code of GraphQL-core 3, in addition to using mypy as type checker.
Graphene is a more high-level framework for building GraphQL APIs in Python, and there is already a whole ecosystem of libraries, server integrations and tools built on top of Graphene. Most of this Graphene ecosystem has also been created by Syrus Akbary, who meanwhile has handed over the maintenance and future development to members of the GraphQL-Python community.
Graphene 3 is now using Graphql-core 3 as core library for much of the heavy lifting.
Ariadne is a Python library for implementing GraphQL servers using schema-first approach created by Mirumee Software.
Ariadne is also using GraphQL-core 3 as its GraphQL implementation.
Strawberry, created by Patrick Arminio, is a new GraphQL library for Python 3, inspired by dataclasses, that is also using GraphQL-core 3 as underpinning.
Changes are tracked as GitHub releases.
The GraphQL-core 3 library
Please watch the recording of Lee Byron's short keynote on the history of GraphQL at the open source leadership summit 2019 to better understand how and why GraphQL was created at Facebook and then became open sourced and ported to many different programming languages.
GraphQL-core 3 is MIT-licensed, just like GraphQL.js.
FAQs
GraphQL implementation for Python, a port of GraphQL.js, the JavaScript reference implementation for GraphQL.
We found that graphql-core demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.