Ariadne 0.12.0
This one took us a while, but Ariadne 0.12 is now available!
Ariadne 0.12 is a feature release that adds support for custom query validators, adds a query cost validator that lets developers limit the maximum complexity of a GraphQL query the server will execute, and adds an option for disabling GraphQL introspection and the GraphQL Playground IDE on servers.
This release also locks the required GraphQL core version at 3.0. Support for 3.1 is coming in a future version.
Finally, this release also adds extensions support to the Django view, and fixes a reported bug in ScalarType's default parse_literal that produced an error when a GraphQL query contained both literals and query variables.
Custom query validators and query cost validator
It is now possible to implement custom GraphQL query validators. This is an advanced feature intended for developers who need to block malicious GraphQL queries from being executed by their server.
Out of the box, Ariadne includes a query cost validator that enables developers to assign cost values to GraphQL fields in the schema and limit the size or complexity of a single GraphQL query that may be executed by the server.
Added introspection option in ASGI, WSGI apps and Django view
One of the most requested features of Ariadne was an option to disable GraphQL Playground. This request was based on security concerns. However, disabling GraphQL Playground in Ariadne would not prevent malicious users from using a local GraphQL API client like Insomnia or the desktop version of GraphQL Playground to continue interacting with the API.
This is because when users request the ability to disable GraphQL Playground, they in fact seek an option to disable introspection, a GraphQL feature enabling clients to query a GraphQL server to learn what types, fields, and mutations are implemented by its schema.
Thanks to a contribution from the community, Ariadne's ASGI app, the WSGI app, and the Django view now support an introspection argument. Setting this option to False will result in GraphQL Playground becoming unavailable and will also prevent any introspection queries from being executed by the server.
Fixed default parse_literal implementation in ScalarType
The GraphQL.js reference, which is used in the development of Ariadne, didn't document that a scalar's parse_literal method takes two arguments instead of one, with the second argument being present when the scalar's literal value was used in a query that was also called with variable values.
We've re-tested the default behavior of the GraphQL-Core library and found that it already provides a default parse_literal implementation mirroring Ariadne's. In light of this, we have removed the default parse_literal from Ariadne's codebase and updated the scalars documentation to skip parse_literal. At a later date we will follow up with new documentation exploring scenarios in which a custom parse_literal is useful.
Notice about ariadne.contrib.django
Ariadne ships with the ariadne.contrib package which, amongst other useful utils, includes a django package that implements a Django app complete with a GraphQL view and a few scalars specific to Django.
Today we would like to notify the community about our plan to split ariadne.contrib.django into a separate package. Ariadne 0.13 will be the final Ariadne release to ship with ariadne.contrib.django.
We are doing this to separate Ariadne releases from ariadne.contrib.django and also to set an example of how we envision packages providing Ariadne integration with 3rd party web frameworks.
CHANGELOG
- Added validation_rules option to query executors as well as ASGI and WSGI apps and Django view that allow developers to include custom query validation logic in their APIs.
- Added introspection option to ASGI and WSGI apps, allowing developers to disable GraphQL introspection on their server.
- Added validation.cost_validator query validator that allows developers to limit maximum allowed query cost/complexity.
- Removed default literal parser from ScalarType because GraphQL already provides one.
- Added extensions and introspection configuration options to Django view.
- Updated requirements list to require graphql-core 3.