Skip to content

Fix valueFromAST variable own-property checks#4652

Merged
yaacovCR merged 3 commits into
graphql:16.x.xfrom
abishekgiri:fix-value-from-ast-own-property-check
Apr 18, 2026
Merged

Fix valueFromAST variable own-property checks#4652
yaacovCR merged 3 commits into
graphql:16.x.xfrom
abishekgiri:fix-value-from-ast-own-property-check

Conversation

@abishekgiri
Copy link
Copy Markdown
Contributor

@abishekgiri abishekgiri commented Apr 2, 2026
edited
Loading

Summary

Fixes an issue in valueFromAST where own-property checks were not properly enforced, which could lead to incorrect handling of inherited properties.

Changes

  • Updated own-property checks to ensure only direct properties are considered
  • Prevent unintended prototype chain access

Testing

  • Verified behavior manually with edge cases
  • Existing tests pass locally

@vercel
Copy link
Copy Markdown

vercel Bot commented Apr 2, 2026

@abishekgiri is attempting to deploy a commit to the The GraphQL Foundation Team on Vercel.

A member of the Team first needs to authorize it.

@linux-foundation-easycla
Copy link
Copy Markdown

linux-foundation-easycla Bot commented Apr 2, 2026
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: abishekgiri / name: Abishek Kumar Giri (702e107)
  • ✅ login: abishekgiri / name: giria660 (89efacc, c620dcf)

@abishekgiri @gemini-code-assist
Update src/utilities/valueFromAST.ts
702e107 
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
@abishekgiri
Copy link
Copy Markdown
Contributor Author

abishekgiri commented Apr 2, 2026

Status update

  • Fixed valueFromAST() to use own-property checks when deciding whether a variable was provided.
  • Added regression coverage for omitted prototype-colliding names like toString across scalar, list, and input-object cases.
  • Results: targeted mocha, eslint, and prettier checks passed for this change.
  • tsc in this environment still reports existing external errors from ../node_modules/@types/react-dom, which are outside this PR.

yaacovCR
yaacovCR reviewed Apr 13, 2026
View reviewed changes
Comment thread src/utilities/valueFromAST.ts Outdated
@yaacovCR
Copy link
Copy Markdown
Contributor

yaacovCR commented Apr 13, 2026

@abishekgiri this looks to me like a legitimate bug fix, although seemingly for a longstanding bug. Thanks for this contribution! Made a small suggestion above, and there is a lint/prettier issue.

@abishekgiri
Copy link
Copy Markdown
Contributor Author

abishekgiri commented Apr 13, 2026

@yaacovCR Pushed a follow-up update addressing the review feedback. This keeps the own-property fix for prototype-colliding names, restores the previous behavior for variables explicitly set to undefined, and adds regression tests for those cases. Targeted mocha, eslint, and prettier checks are passing on the updated branch.

@abishekgiri abishekgiri requested a review from yaacovCR April 13, 2026 22:57
@yaacovCR
Copy link
Copy Markdown
Contributor

yaacovCR commented Apr 16, 2026

@abishekgiri

This seems right to me. valueFromAST is deprecated in v17, but it has not been removed, and this seems like an opportunity for an additional PR to forward-port. Let me know if you have time, otherwise I will try to take care of it. In v17 we can use Object.hasOwn, but otherwise it should be pretty similar.

@abishekgiri
Copy link
Copy Markdown
Contributor Author

abishekgiri commented Apr 16, 2026

@yaacovCR Thanks, that sounds good to me. I’m glad the 16.x.xfix looks right as-is. I also checked the current17.x.xbranch and the samevalueFromAST own-property issue still appears to be present there, so a small forward-port PR makes sense. I can put that together if helpful; otherwise I’m also happy for you to handle that follow-up.

@yaacovCR
Copy link
Copy Markdown
Contributor

yaacovCR commented Apr 18, 2026

Check was apparently dropped back in #553 !

@yaacovCR yaacovCR merged commit db2987c into graphql:16.x.x Apr 18, 2026
19 of 20 checks passed
@yaacovCR yaacovCR added the PR: bug fix 🐞 requires increase of "patch" version number label Apr 18, 2026
yaacovCR pushed a commit to yaacovCR/graphql-js that referenced this pull request Apr 18, 2026
@abishekgiri @yaacovCR
fix(valueFromAST): restore variable own-property checks (graphql#4652)
c3769a7
@yaacovCR yaacovCR mentioned this pull request Apr 18, 2026
Merged
yaacovCR added a commit that referenced this pull request Apr 18, 2026
@yaacovCR @abishekgiri
fix(valueFromAST): restore variable own-property checks (#4671)
b4c1624 
forward port of #4652

Co-authored-by: Abishek Kumar Giri <giriabishekkumar5@gmail.com>
@yaacovCR
Copy link
Copy Markdown
Contributor

yaacovCR commented Apr 18, 2026

forward-ported in #4671 => thanks @abishekgiri !!!

@abishekgiri abishekgiri deleted the fix-value-from-ast-own-property-check branch April 19, 2026 00:29
@yaacovCR yaacovCR mentioned this pull request May 6, 2026
Merged
yaacovCR added a commit that referenced this pull request May 6, 2026
@yaacovCR
chore(release): v16.14.0 (#4720)
57b385b 
## v16.14.0 (2026-05-03)

#### New Feature 🚀
* [#4317](#4317) Allow configuration of the `ofType` introspection depth ([@Nols1000](https://github.com/Nols1000))
* [#4521](#4521) Add experimental support for directives on directive definitions ([@BoD](https://github.com/BoD))

#### Bug Fix 🐞
* [#4652](#4652) Fix valueFromAST variable own-property checks
([@abishekgiri](https://github.com/abishekgiri))

#### Docs 📝
* [#4706](#4706) Fix mistake in GraphQLError guidance ([@benjie](https://github.com/benjie))

#### Committers: 4
* Abishek Kumar Giri([@abishekgiri](https://github.com/abishekgiri))
* Benjie([@benjie](https://github.com/benjie))
* Benoit 'BoD' Lubek([@BoD](https://github.com/BoD))
* Nils-Börge Margotti([@Nols1000](https://github.com/Nols1000))
@yaacovCR yaacovCR mentioned this pull request May 7, 2026
Merged
yaacovCR added a commit that referenced this pull request May 7, 2026
@yaacovCR
chore(release): v17.0.0-beta.0
3b1c877 
## v17.0.0-beta.0 (2026-05-07)

#### Breaking Change 💥
* [#4634](#4634) Use Object.create(null) over {} to avoid prototype issues ([@benjie](https://github.com/benjie))
* [#4700](#4700) Demote createSourceEventStream to helper taking ValidatedExecutionArgs ([@yaacovCR](https://github.com/yaacovCR))
* [#4703](#4703) rename executeQueryOrMutationOrSubscriptionEvent to executeRootSelectionSet ([@yaacovCR](https://github.com/yaacovCR))
* [#4708](#4708) fix(variables): treat undefined as absent with respect to variables ([@yaacovCR](https://github.com/yaacovCR))
* [#4710](#4710) fix: ignore undefined-valued unknown fields in input objects ([@yaacovCR](https://github.com/yaacovCR))

#### New Feature 🚀
* [#4658](#4658) feat(execution): expose asyncWorkFinished execution hook ([@yaacovCR](https://github.com/yaacovCR))
* [#4674](#4674) feat(execution): expose partial result on abort errors ([@yaacovCR](https://github.com/yaacovCR))
* [#4701](#4701) export validateExecutionArgs helper ([@yaacovCR](https://github.com/yaacovCR))
* [#4702](#4702) feat: add ValidatedSubscriptionArgs and validateSubscriptionArgs ([@yaacovCR](https://github.com/yaacovCR))

#### Bug Fix 🐞
* [#4637](#4637) refactor(queue): replace stopped promise with onStop handlers ([@yaacovCR](https://github.com/yaacovCR))
* [#4641](#4641) refactor(incremental): close stream iterator only on abnormal stop ([@yaacovCR](https://github.com/yaacovCR))
* [#4642](#4642) fix(incremental): await async incremental cleanup ([@yaacovCR](https://github.com/yaacovCR))
* [#4644](#4644) fix(withConcurrentAbruptClose): do not close unnecessarily ([@yaacovCR](https://github.com/yaacovCR))
* [#4645](#4645) fix(cancellablePromise): handle rejection when cancelling already-aborted promise ([@yaacovCR](https://github.com/yaacovCR))
* [#4643](#4643) fix(execute): handle list promise rejections ([@yaacovCR](https://github.com/yaacovCR))
* [#4646](#4646) fix(execute): handle defaultTypeResolver promise rejections ([@yaacovCR](https://github.com/yaacovCR))
* [#4648](#4648) refactor(executor): separate finish/abort orchestration ([@yaacovCR](https://github.com/yaacovCR))
* [#4655](#4655) fix(execution): finish executors before publishing responses ([@yaacovCR](https://github.com/yaacovCR))
* [#4661](#4661) fix: bubbling sync errors need not become async ([@yaacovCR](https://github.com/yaacovCR))
* [#4663](#4663) fix(executor): let aborted async paths reach finish ([@yaacovCR](https://github.com/yaacovCR))
* [#4657](#4657) refactor(execution): track pending work ([@yaacovCR](https://github.com/yaacovCR))
* [#4664](#4664) fix(perf): hoist error creation ([@yaacovCR](https://github.com/yaacovCR))
* [#4665](#4665) execution: reduce parent executor retention in incremental callbacks ([@yaacovCR](https://github.com/yaacovCR))
* [#4671](#4671) fix(valueFromAST): forward port #4652 ([@yaacovCR](https://github.com/yaacovCR))
* [#4672](#4672) fix(execution): convert all promise-like results to promises ([@yaacovCR](https://github.com/yaacovCR))
* [#4518](#4518) Fix TypeInfo.getInputType() for custom scalar list literals. ([@yuchenshi](https://github.com/yuchenshi))
* [#4692](#4692) fix incremental label null validation ([@jbellenger](https://github.com/jbellenger))
* [#4711](#4711) fix(coerceInputLiteral): null variable input object fields should override defaults ([@yaacovCR](https://github.com/yaacovCR))
* [#4712](#4712) fix: name fragment variables as such in execution errors ([@yaacovCR](https://github.com/yaacovCR))
* [#4714](#4714) fix: enhance runtime invalid default value error messages ([@yaacovCR](https://github.com/yaacovCR))
* [#4715](#4715) unify OneOf non-null and count error messages ([@yaacovCR](https://github.com/yaacovCR))
* [#4716](#4716) fix(OneOf): fail coercion when two fields are provided "pre-coercion-only" ([@yaacovCR](https://github.com/yaacovCR))
* [#4717](#4717) fix(valueFromAST): reject unknown input object fields ([@yaacovCR](https://github.com/yaacovCR))
* [#4718](#4718) fix(OneOf): count only known fields for one-of validation ([@yaacovCR](https://github.com/yaacovCR))
* [#4719](#4719) fix(OneOf): fail coercion for OneOf is the single field is invalidly provided by a default ([@yaacovCR](https://github.com/yaacovCR))

#### Polish 💅
<details>
<summary> 19 PRs were merged </summary>

* [#4635](#4635) polish: remove a few superfluous awaits ([@yaacovCR](https://github.com/yaacovCR))
* [#4636](#4636) allow forwarding of cancellation reasons within computations/queues ([@yaacovCR](https://github.com/yaacovCR))
* [#4638](#4638) test(queue): cover async onStop cleanup ([@yaacovCR](https://github.com/yaacovCR))
* [#4639](#4639) refactor(computation): rename cancel to abort ([@yaacovCR](https://github.com/yaacovCR))
* [#4640](#4640) refactor(workqueue): propagate async computation abort cleanup ([@yaacovCR](https://github.com/yaacovCR))
* [#4647](#4647) refactor(executor): rename finished state to aborted ([@yaacovCR](https://github.com/yaacovCR))
* [#4649](#4649) refactor(cancellablePromise): extract withCancellation ([@yaacovCR](https://github.com/yaacovCR))
* [#4650](#4650) refactor(executor): replace internal abort signal with lightweight version ([@yaacovCR](https://github.com/yaacovCR))
* [#4656](#4656) refactor(execution): introduce shared execution context ([@yaacovCR](https://github.com/yaacovCR))
* [#4653](#4653) fix: avoid prototype-colliding names in execution values ([@abishekgiri](https://github.com/abishekgiri))
* [#4673](#4673) refactor(execution): separate response construction from finish checks ([@yaacovCR](https://github.com/yaacovCR))
* [#4675](#4675) polish(execution): remove obsolete abort async checks ([@yaacovCR](https://github.com/yaacovCR))
* [#4686](#4686) refactor(benchmark): extract shared mean stats helper ([@yaacovCR](https://github.com/yaacovCR))
* [#4687](#4687) polish(benchmark): handle theoretical stats errors ([@yaacovCR](https://github.com/yaacovCR))
* [#4693](#4693) polish: add expectToThrow test helper ([@yaacovCR](https://github.com/yaacovCR))
* [#4694](#4694) polish: add expectPromise.toReject helper ([@yaacovCR](https://github.com/yaacovCR))
* [#4695](#4695) polish: clean up stream tests ([@yaacovCR](https://github.com/yaacovCR))
* [#4696](#4696) polish: introduce spy test helper ([@yaacovCR](https://github.com/yaacovCR))
* [#4704](#4704) refactor: add executionMode/serially argument to executeRootSelectionSet ([@yaacovCR](https://github.com/yaacovCR))
</details>

#### Internal 🏠
<details>
<summary> 17 PRs were merged </summary>

* [#4676](#4676) chore(deps): upgrade to ts v6 ([@yaacovCR](https://github.com/yaacovCR))
* [#4677](#4677) internal: refactor benchmark runner structure ([@yaacovCR](https://github.com/yaacovCR))
* [#4678](#4678) internal: run benchmarks through worker files ([@yaacovCR](https://github.com/yaacovCR))
* [#4679](#4679) internal: read benchmark names through dedicated worker ([@yaacovCR](https://github.com/yaacovCR))
* [#4680](#4680) internal: separate benchmark timing and memory sampling ([@yaacovCR](https://github.com/yaacovCR))
* [#4681](#4681) fix(benchmark): use node flags only for memory sampling ([@yaacovCR](https://github.com/yaacovCR))
* [#4682](#4682) internal: use mitata for benchmark timing ([@yaacovCR](https://github.com/yaacovCR))
* [#4683](#4683) refactor(benchmark): integrate run + sampling files ([@yaacovCR](https://github.com/yaacovCR))
* [#4684](#4684) benchmark: perform timing tests in rounds to reduce variance ([@yaacovCR](https://github.com/yaacovCR))
* [#4685](#4685) benchmark: stop timing after stable pairwise comparisons ([@yaacovCR](https://github.com/yaacovCR))
* [#4688](#4688) benchmark: cache revision archives ([@yaacovCR](https://github.com/yaacovCR))
* [#4689](#4689) benchmark: report paired benchmark comparisons ([@yaacovCR](https://github.com/yaacovCR))
* [#4690](#4690) benchmark: add async object field benchmark ([@yaacovCR](https://github.com/yaacovCR))
* [#4697](#4697) internal: add runtime option to benchmark ([@yaacovCR](https://github.com/yaacovCR))
* [#4713](#4713) benchmark: add benchmark for schema validation ([@yaacovCR](https://github.com/yaacovCR))
* [#4722](#4722) internal: npm release:prepare should set publishTag ([@yaacovCR](https://github.com/yaacovCR))
* [#4723](#4723) fix(changelog): ignore open associated PRs ([@yaacovCR](https://github.com/yaacovCR))
</details>

#### Committers: 5
* Abishek Kumar Giri([@abishekgiri](https://github.com/abishekgiri))
* Benjie([@benjie](https://github.com/benjie))
* James Bellenger([@jbellenger](https://github.com/jbellenger))
* Yaacov Rydzinski ([@yaacovCR](https://github.com/yaacovCR))
* Yuchen Shi([@yuchenshi](https://github.com/yuchenshi))
@claude claude Bot mentioned this pull request May 21, 2026
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yaacovCR yaacovCR Awaiting requested review from yaacovCR

Assignees

No one assigned

Labels

PR: bug fix 🐞 requires increase of "patch" version number

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@abishekgiri @yaacovCR