From graphql-inspector
Validates GraphQL operations, queries, mutations, fragments against a schema using GraphQL Inspector CLI. Checks errors, depth, alias/directive counts, complexity, federation.
npx claudepluginhub thebushidocollective/han --plugin graphql-inspector
This skill is limited to using the following tools:
Expert knowledge of GraphQL Inspector's validate command for checking operations and documents against a schema with configurable rules.
The validate command checks GraphQL operations (queries, mutations, subscriptions) and fragments against a schema. It catches errors like undefined fields, wrong argument types, and invalid fragment spreads before runtime.
# Validate operations against schema
npx @graphql-inspector/cli validate './src/**/*.graphql' './schema.graphql'
# Validate operations from TypeScript files
npx @graphql-inspector/cli validate './src/**/*.tsx' './schema.graphql'
# Validate with glob patterns
npx @graphql-inspector/cli validate './**/*.{graphql,gql}' './schema.graphql'
# Apollo Federation V1
npx @graphql-inspector/cli validate './operations/**/*.graphql' './schema.graphql' \
--federation
# Apollo Federation V2
npx @graphql-inspector/cli validate './operations/**/*.graphql' './schema.graphql' \
--federationV2
# AWS AppSync directives
npx @graphql-inspector/cli validate './operations/**/*.graphql' './schema.graphql' \
--aws
Prevent deeply nested queries that could cause performance issues:
# Fail if query depth exceeds 10
npx @graphql-inspector/cli validate './src/**/*.graphql' './schema.graphql' \
--maxDepth 10
Example violation:
# Depth of 8 - might exceed limit
query DeepQuery {
  user {                      # 1
    posts {                   # 2
      author {                # 3
        followers {           # 4
          posts {             # 5
            comments {        # 6
              author {        # 7
                name          # 8
              }
            }
          }
        }
      }
    }
  }
}
Limit alias usage to prevent response explosion:
# Max 5 aliases per operation
npx @graphql-inspector/cli validate './src/**/*.graphql' './schema.graphql' \
--maxAliasCount 5
Example violation:
# 6 aliases - exceeds limit of 5
query TooManyAliases {
  user1: user(id: "1") { name }
  user2: user(id: "2") { name }
  user3: user(id: "3") { name }
  user4: user(id: "4") { name }
  user5: user(id: "5") { name }
  user6: user(id: "6") { name } # Exceeds limit
}
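What the depth and alias limits above measure, as an added example (not code from this page or from GraphQL Inspector): a dependency-free scanner run over the page's two example operations. `measureOperation` and `checkLimits` are hypothetical names, and depth is assumed to be counted as in the numbered comments of the depth example.

```javascript
// Added example: a dependency-free scanner, not GraphQL Inspector's implementation.
// Assumption: depth is counted as in the page's comments (deepest field level).
function measureOperation(source) {
  // Blank out strings and drop comments in one pass, so braces, colons or '#'
  // inside either one cannot be mistaken for query structure.
  const text = source.replace(
    /"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*/g,
    (m) => (m[0] === '#' ? '' : '""'));
  const tokens = text.match(/[{}():]|[_A-Za-z][_0-9A-Za-z]*/g) || [];
  let depth = 0, maxDepth = 0, parens = 0, aliases = 0;
  tokens.forEach((tok, i) => {
    if (tok === '(') parens++;
    else if (tok === ')') parens--;
    else if (parens > 0) return; // arguments, variable definitions, input objects
    else if (tok === '{') maxDepth = Math.max(maxDepth, ++depth);
    else if (tok === '}') depth--;
    // A name directly followed by ':' inside a selection set is an alias.
    else if (tok !== ':' && depth > 0 && tokens[i + 1] === ':') aliases++;
  });
  return { depth: maxDepth, aliases };
}

// Hypothetical helper: compare the measurements with maxDepth / maxAliasCount.
function checkLimits(source, { maxDepth, maxAliasCount }) {
  const { depth, aliases } = measureOperation(source);
  const violations = [];
  if (depth > maxDepth) violations.push(`depth ${depth} > maxDepth ${maxDepth}`);
  if (aliases > maxAliasCount)
    violations.push(`aliases ${aliases} > maxAliasCount ${maxAliasCount}`);
  return violations;
}

// The two example operations from this page.
const DEEP_QUERY = `query DeepQuery {
  user { posts { author { followers { posts { comments { author { name } } } } } } }
}`;
const TOO_MANY_ALIASES = `query TooManyAliases {
  user1: user(id: "1") { name }
  user2: user(id: "2") { name }
  user3: user(id: "3") { name }
  user4: user(id: "4") { name }
  user5: user(id: "5") { name }
  user6: user(id: "6") { name } # Exceeds limit
}`;

const limits = { maxDepth: 10, maxAliasCount: 5 };
console.log(measureOperation(DEEP_QUERY), checkLimits(DEEP_QUERY, limits));
console.log(measureOperation(TOO_MANY_ALIASES), checkLimits(TOO_MANY_ALIASES, limits));
```

The validate command only sees the operation files matched by the glob, so these limits act as a CI gate on first-party operations; queries sent to the server at runtime are outside this check.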
Limit directives to prevent abuse:
# Max 10 directives per operation
npx @graphql-inspector/cli validate './src/**/*.graphql' './schema.graphql' \
--maxDirectiveCount 10
Limit query complexity by token count:
# Max 1000 tokens per operation
npx @graphql-inspector/cli validate './src/**/*.graphql' './schema.graphql' \
--maxTokenCount 1000
Calculate and limit query complexity:
# Max complexity score of 100
npx @graphql-inspector/cli validate './src/**/*.graphql' './schema.graphql' \
--maxComplexityScore 100
Create .graphql-inspector.yaml:
validate:
  schema: './schema.graphql'
  documents: './src/**/*.graphql'
  # Validation limits
  maxDepth: 10
  maxAliasCount: 5
  maxDirectiveCount: 10
  maxTokenCount: 1000
  maxComplexityScore: 100
  # Federation support
  federation: false
  federationV2: false
  aws: false
Error: Cannot query field "unknownField" on type "User".
Fix: Check field name spelling or add field to schema.
Error: Argument "id" has invalid value "123".
Expected type "ID!", found "123" (String).
Fix: Use correct type for argument.
Error: Field "user" argument "id" of type "ID!" is required.
Fix: Provide required argument.
Error: Fragment "UserFields" cannot be spread here as objects of
type "Post" can never be of type "User".
Fix: Ensure fragment type matches spread location.
Warning: Fragment "UnusedFragment" is never used.
Fix: Remove or use the fragment.
name: Validate Operations
on:
  pull_request:
    paths:
      - 'src/**/*.graphql'
      - 'src/**/*.tsx'
      - 'schema.graphql'
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Inspector
        run: npm install -g @graphql-inspector/cli
      - name: Validate operations
        run: |
          graphql-inspector validate \
            'src/**/*.graphql' \
            schema.graphql \
            --maxDepth 10 \
            --maxAliasCount 5
{
  "husky": {
    "hooks": {
      "pre-commit": "graphql-inspector validate 'src/**/*.graphql' schema.graphql"
    }
  }
}
GraphQL Inspector can extract operations from various file types:
// Operations in template literals are detected
const GET_USER = gql`
  query GetUser($id: ID!) {
    user(id: $id) {
      name
      email
    }
  }
`;
// Tagged template literals in React files
import { gql } from '@apollo/client';
const USER_QUERY = gql`
  query UserQuery {
    currentUser {
      id
      name
    }
  }
`;
.graphql files
For monorepos with multiple schemas:
# Validate against specific service schema
npx @graphql-inspector/cli validate \
'./packages/app/src/**/*.graphql' \
'./packages/api/schema.graphql'
# Validate against federated supergraph
npx @graphql-inspector/cli validate \
'./packages/web/src/**/*.graphql' \
'./supergraph.graphql' \
--federationV2
Start permissive, add stricter rules over time:
# Phase 1: Basic validation only
validate:
  schema: './schema.graphql'
  documents: './src/**/*.graphql'
# Phase 2: Add depth limiting
validate:
  schema: './schema.graphql'
  documents: './src/**/*.graphql'
  maxDepth: 15
# Phase 3: Add complexity limits
validate:
  schema: './schema.graphql'
  documents: './src/**/*.graphql'
  maxDepth: 10
  maxAliasCount: 10
  maxComplexityScore: 200
--federation or --federationV2 for Federation directives
--aws for AppSync directives
gql`...`)