⚠️

This is the documentation for the old GraphQL Mesh version v0. We recommend upgrading to the latest GraphQL Mesh version v1.

Migrate to GraphQL Mesh v1

Query Depth Limiting

Sometimes persisted operations cannot be used. E.g. if you are building an API that is used by third party users. However, we can still apply some protection.

The maxDepth plugin allows a maximum nesting level an operation is allowed to have.

Getting Started

Install the plugin first;

npm i @escape.tech/graphql-armor-max-depth

pnpm add @escape.tech/graphql-armor-max-depth

yarn add @escape.tech/graphql-armor-max-depth

bun add @escape.tech/graphql-armor-max-depth

Then configure it in your .meshrc.yml file.

.meshrc.yml

plugins:
  - maxDepth:
      n: 10 # Number of depth allowed

This can prevent malicious API users executing GraphQL operations with deeply nested selection sets. You need to tweak the maximum depth an operation selection set is allowed to have based on your schema and needs, as it could vary between users.

A handy tool for analyzing your existing GraphQL operations and finding the best defaults is graphql-inspector.

Learn more about graphql-inspector audit here.

Reject Malicious Operation Documents Block Field Suggestions