Update dependency graphql to v1.12.25 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
graphql (source, changelog)	'1.12.19' → '1.12.25'

---

graphql allows remote code execution when loading a crafted GraphQL schema

CVE-2025-27407 / GHSA-q92j-grw3-h492

More information

Details

Summary

Loading a malicious schema definition in GraphQL::Schema.from_introspection (or GraphQL::Schema::Loader.load) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection.

Severity

• CVSS Score: 9.0 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

References

• https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492
• https://github.com/rmosolgo/graphql-ruby/commit/e58676c70aa695e3052ba1fbc787efee4ba7d67e
• https://nvd.nist.gov/vuln/detail/CVE-2025-27407
• https://github.com/rmosolgo/graphql-ruby/commit/28233b16c0eb9d0fb7808f4980e061dc7507c4cd
• https://github.com/rmosolgo/graphql-ruby/commit/2d2f4ed1f79472f8eed29c864b039649e1de238f
• https://github.com/rmosolgo/graphql-ruby/commit/5c5a7b9a9bdce143be048074aea50edb7bb747be
• https://github.com/rmosolgo/graphql-ruby/commit/6eca16b9fa553aa957099a30dbde64ddcdac52ca
• https://github.com/rmosolgo/graphql-ruby/commit/d0963289e0dab4ea893bbecf12bb7d89294957bb
• https://github.com/rmosolgo/graphql-ruby/commit/d1117ae0361d9ed67e0795b07f5c3e98e62f3c7c
• https://github.com/rmosolgo/graphql-ruby/commit/e3b33ace05391da2871c75ab4d3b66e29133b367
• https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released
• https://github.com/github-community-projects/graphql-client
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/graphql/CVE-2025-27407.yml
• https://lists.debian.org/debian-lts-announce/2025/08/msg00002.html
• https://github.com/advisories/GHSA-q92j-grw3-h492

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

rmosolgo/graphql-ruby (graphql)

v1.12.25

Compare Source

v1.12.24

Compare Source

Bug fixes

• SDL: fix parsing schemas where types have multiple directives #​3886

v1.12.23

Compare Source

Bug fixes

• FieldUsage analyzer: handle arguments that raise an error during prepare: #​3795

v1.12.22

Compare Source

Bug fixes

• Static validation: fix regression and improve performance of fields_will_merge validation #​3761

v1.12.21

Compare Source

Bug fixes

• Validators: Fix format:/allow_blank: true to correctly accept a blank string #​3726
• Generators: generate a correct Schema.type_error hook #​3722

v1.12.20

Compare Source

New Features

• Static validation: improve error messages when fields won't merge #​3698
• Generators: improve id_from_object and type_error suggested implementations #​3710
• Connections: make the new connections module fall back to old connections #​3704

Bug fixes

• Dataloader: re-enqueue sources when one call to yield didn't satisfy their pending requests #​3707
• Subscriptions: Fix when JSON-typed arguments are used #​3705

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Gemfile.lock

/opt/containerbase/tools/bundler/2.1.4/4.0.4/gems/bundler-2.1.4/lib/bundler/vendor/thor/lib/thor/error.rb:105:in '<class:Thor>': uninitialized constant DidYouMean::SPELL_CHECKERS (NameError)

    DidYouMean::SPELL_CHECKERS.merge!(
              ^^^^^^^^^^^^^^^^
Did you mean?  DidYouMean::SpellChecker
	from /opt/containerbase/tools/bundler/2.1.4/4.0.4/gems/bundler-2.1.4/lib/bundler/vendor/thor/lib/thor/error.rb:1:in '<top (required)>'
	from /opt/containerbase/tools/bundler/2.1.4/4.0.4/gems/bundler-2.1.4/lib/bundler/vendor/thor/lib/thor/base.rb:3:in 'Kernel#require_relative'
	from /opt/containerbase/tools/bundler/2.1.4/4.0.4/gems/bundler-2.1.4/lib/bundler/vendor/thor/lib/thor/base.rb:3:in '<top (required)>'
	from /opt/containerbase/tools/bundler/2.1.4/4.0.4/gems/bundler-2.1.4/lib/bundler/vendor/thor/lib/thor.rb:2:in 'Kernel#require_relative'
	from /opt/containerbase/tools/bundler/2.1.4/4.0.4/gems/bundler-2.1.4/lib/bundler/vendor/thor/lib/thor.rb:2:in '<top (required)>'
	from /opt/containerbase/tools/bundler/2.1.4/4.0.4/gems/bundler-2.1.4/lib/bundler/vendored_thor.rb:8:in 'Kernel#require_relative'
	from /opt/containerbase/tools/bundler/2.1.4/4.0.4/gems/bundler-2.1.4/lib/bundler/vendored_thor.rb:8:in '<top (required)>'
	from /opt/containerbase/tools/bundler/2.1.4/4.0.4/gems/bundler-2.1.4/lib/bundler/friendly_errors.rb:3:in 'Kernel#require_relative'
	from /opt/containerbase/tools/bundler/2.1.4/4.0.4/gems/bundler-2.1.4/lib/bundler/friendly_errors.rb:3:in '<top (required)>'
	from /opt/containerbase/tools/bundler/2.1.4/4.0.4/gems/bundler-2.1.4/exe/bundle:29:in 'Kernel#require_relative'
	from /opt/containerbase/tools/bundler/2.1.4/4.0.4/gems/bundler-2.1.4/exe/bundle:29:in '<top (required)>'
	from /opt/containerbase/tools/bundler/2.1.4/4.0.4/gems/bundler-2.1.4/exe/bundler:4:in 'Kernel#load'
	from /opt/containerbase/tools/bundler/2.1.4/4.0.4/gems/bundler-2.1.4/exe/bundler:4:in '<top (required)>'
	from /opt/containerbase/tools/ruby/4.0.4/lib/ruby/4.0.0/rubygems.rb:305:in 'Kernel#load'
	from /opt/containerbase/tools/ruby/4.0.4/lib/ruby/4.0.0/rubygems.rb:305:in 'Gem.activate_and_load_bin_path'
	from /opt/containerbase/tools/bundler/2.1.4/4.0.4/bin/bundler:25:in '<main>'