A weekly newsletter of the best news, articles and projects about GraphQL


Fixing 13 most common GraphQL Vulnerabilities to make your API production ready

With the increased adoption of GraphQL, the emphasis on security has also increased. Jens Neuse talks about 13 of the most common GraphQL security vulnerabilities and possible solutions in this article. The author further suggests that by rethinking your approach to GraphQL, you can ensure improved security along with other benefits.

GraphQL at PayPal: An Adoption Story

In this article, Shruti Kapoor explains the journey of Paypal in adopting GraphQL, the motivation behind the change and various challenges they faced along the way. Today, GraphQL is being used by several production apps across PayPal. It is now a default pattern to use GraphQL for building new UI apps, and many existing apps are in the process of migrating to GraphQL.

Lessons learned from running GraphQL at scale.

Dream11 is a fantasy sports platform with over 110 million users. Shrey Mehta and Kaushik Barodiya talk about adopting GraphQL to create a unified presentation layer for their back-end microservices in this very in-depth article. Follow along to understand many of the techniques they used to identify and resolve performance bottlenecks along with various other challenges.


Best Practices for Versioning REST and GraphQL APIs

A thought-provoking article about the different approaches for maintaining backward compatibility and their impact on the development lifecycle of APIs. Kay Ploesser provides a thorough comparison between the continuous evolution approach favored by GraphQL with the versioned approach often used in REST APIs.


Our Journey in Adopting Federated GraphQL at SSENSE

Over the last six months, SSENSE developed a federated gateway to their presentational micro-services (commonly referred to as the back-of-the-front-end). During this period, they also planned and migrated a single code path on the website to use the newly minted gateway. In this article, Quinn Langille gives a brief look into how and why they chose this pattern to evolve their consumer applications at SSENSE.

Solving the double (quintuple) declaration Problem in GraphQL Applications

If you are using TypeScript, it can be a problem having to keep your GraphQL operations (e.g. a Query or Mutation) in sync with the type definitions. Jens Neuse talks about solving this problem, as well as about how to keep the database schema, API schema and user interface components in sync.

Benchling’s double-writes approach to incrementally adopting GraphQL

Benchling is a platform for life sciences R&D with a highly customizable and extensible data model. In this article, Damon Doucet talks about how Benchling incrementally adopted GraphQL, along with key takeaways and learnings from this process.


GraphQL Observability with Hasura

Diagnosing performance issues in GraphQL can be difficult. In this article, Gavin Ray goes through some of the tools that are available in Hasura, as well as common pitfalls and useful tips to help get better visibility over the performance of an API.

Announcing the Release of Neo4j GraphQL Library 2.0.0

Neo4j helps build intelligent applications and machine learning workflows in GraphQL. In this article, Darrell Warde talks through some of the new features released as part of version 2.0.0.

Why GraphQL should not be in WordPress core

GraphQL makes it easy to query data across multiple sources. This can expose protected data if not configured correctly. In this article, Leonardo Losoviz, the creator of a GraphQL plugin for WordPress, explains why he believes GraphQL should not be included in WordPress core.

Deeply Understand the GraphQL N+1 Issue and DataLoader

GraphQL helps reduce the over-fetching of unnecessary data; however, poorly constructed, deep queries can cause multiple, expensive trips to the database. In this article, Vanessa Lutz explains the N+1 issue and how it can be solved with tooling.

Common GraphQL Misconceptions: A rant

Is GraphQL secure? In this article, SecurityGOAT clears up some misconceptions about GraphQL, and talks through how some of its convenience features could make it vulnerable to attacks.


SwiftGraphQL - A GraphQL client for Swift

SwiftGraphQL is a lightweight GraphQL client for the Swift programming language. In this article, Matic Zavadlal gives a brief introduction to the project and its goals, and demonstrates how easy it is to get started.

Why Your Organization Needs a Federated Graph Interface

Microservices help to encapsulate functionality into small, single-responsibility pieces. This can reduce dependencies across teams, but may make querying data more complex. In this article, Nicolas Bohorquez argues the importance of a federated GraphQL architecture and explains how Apollo can help to aggregate data across multiple data sources.


Exploring promising new feature proposals for the GraphQL Spec

The GraphQL specification is an ongoing work in progress. It is fueled by a vibrant community of awesome individuals, who regularly assess new potential features and guidelines to improve the spec. In this article, Leonardo Losoviz picks five proposed feature requests from the GraphQL Spec GitHub repo, and demonstrates how these could be used to drive the spec forward.

Introduction to the Node.js reference architecture, Part 4: GraphQL in Node.js

The Node.js reference architecture is a collection of documents from Red Hat and IBM that aims to provide guidance on developing Node.js applications. In part four of this series, Wojciech Trocki steps through some of the discussions the team had about implementing a GraphQL server, accompanied by comical illustrations.

Introducing Apollo Server 3

Apollo Server is one of the easiest ways to create a GraphQL API. Join Vivek Ravishankar as he steps through some of the "under the hood" improvements the team has been working on that will improve Apollo's ability to build better, more extensible features over time.

Introducing Envelop - The GraphQL Plugin System

Envelop is The Guild's new plugin system for GraphQL. In this article, Dotan Simha steps through why GraphQL needs a plugin system, and how Envelop solves this problem.


Analyzing public data from Google Trends, StackOverflow, GitHub and HackerNews

Is the GraphQL hype over? In this article, WunderGraph uses BigQuery to compare datasets from Google Trends, HackerNews, GitHub and StackOverflow, in an attempt to determine whether interest in GraphQL is in decline.

Using GraphQL to ship features before they’re done

GraphQL represents a fundamental shift in how developers build features. In this article, Joe Staller hypothesizes how a decoupled schema can provide the kind of flexibility that enables a zero-downtime migration - allowing partially-complete features to be shipped.

Securing a GraphQL API using rate and depth limits

GraphQL makes writing queries across related datasets super convenient. Unfortunately, this can lead to computationally expensive queries that slow down the server. In this article, Kumar Abhirup looks at how implementing rate and depth limiting can help to reduce the complexity of queries - significantly improving the performance of a GraphQL server, and reducing the impact of malicious attacks.

Modeling an Instagram clone using GraphQL and Dgraph Cloud

GraphQL helps to encapsulate the interconnected relationships between entities in an application. In this article, Abu Sakib steps through modeling the schema for an Instagram clone, and how this could be implemented using Dgraph Cloud.

Why you can't replace REST with GraphQL

Is GraphQL actually a replacement for REST? In this article, Suhas Deshpande explains how Courier are using a combination of both to serve their customers, and why it might not be as simple as implementing one option or the other.


The Do's and Don’ts of Testing Apollo in React

Writing tests is essential for any application that aims to be scalable, robust and allow its developers to sleep at night. In this article, Adam Hannigan explains how React Testing Library can be used to test a GraphQL API, and help improve the confidence and quality of releases.

On scaling GraphQL subscriptions

GraphQL is a superb technology. But as with all technologies, you may end up shooting yourself in the foot. In this article, Alexandre Gaudencio explains how Slite designed their first real-time GraphQL implementation, how it ended up DDoS-ing their own system, and how they fixed it.


Build a serverless, real-time application with modern APIs: The GraphQL Real-time Race

AWS has some powerful tools for building real-time applications. In this tutorial, Mark Ramrattan documents his experience completing the AWS GraphQL Real-time Race Workshop, and steps through how to use AWS AppSync, AWS Amplify and Amazon Location Service to build a real-time Formula 1 tracking application.

GraphQL Exploitation - Part 3: Injection attacks and XSS attacks

Like any API technology, GraphQL is vulnerable to malicious attacks, and needs to be configured correctly to avoid being compromised. In this article, Manmeet explores how a default GraphQL configuration could be vulnerable to injection attacks and cross-site scripting (XSS).

Collecting GraphQL Live Query Resource Identifier with GraphQL Tools

GraphQL live queries can be a more elegant solution for handling real-time updates than subscriptions. In this article, Laurin Quast investigates whether subscribing to changes in data, rather than events, could allow for more efficient queries and reduce unnecessary updates to the client's cache.


Rate Limiting GraphQL APIs by Calculating Query Complexity

GraphQL opens new possibilities for rate limiting APIs. In this article, Guilherme Vieira shows how we can leverage GraphQL to address the limitations of methods commonly used in REST APIs. He also explores how Shopify calculates a query complexity that adapts to the data API clients need, while providing a more predictable load on servers. Follow along with Guilherme to find out more about query complexity in GraphQL.

The Spec, Simplified: Validation & Execution

The Spec, Simplified is a series by Loren Sands-Ramshaw that explores the GraphQL spec in-depth. In this last installment, Loren shows how GraphQL servers validate and execute requests, and how they format the response data and errors.

Designing a URL-based query syntax for GraphQL

Caching in GraphQL can be difficult. Currently, if we want to use HTTP caching in GraphQL, we must use a GraphQL server that supports persisted queries. That’s because the persisted query will already have the GraphQL query stored in the server. As such, we do not need to provide this information in our request. In this article, Leonardo Losoviz looks at how a URL-based query syntax plays into caching.

The joy of end to end type safety

In building large scale TypeScript applications, we have seen the benefits of types. They elevate our quality, eliminating whole categories of bugs and they enrich the development experience. In this tutorial, Craig Sullivan shows how to accomplish end-to-end type safety using GraphQL.


GraphCDN – The GraphQL CDN with edge caching, analytics and security protection

Tim Suchanek and Max Stoiber officially launched GraphCDN on ProductHunt today. GraphCDN is a GraphQL edge cache that sits in front of your GraphQL API as a gateway and caches your queries in 58 worldwide data centers. You can invalidate specific objects (e.g. purgeUser(id: 5)) and GraphCDN will purge any cached query result that contains that data. On top of that, they also give you powerful analytics about your queries and mutations, and protect your GraphQL API with features like DDoS protection and query depth limiting.

The Spec, Simplified: The Type System

Most people who use GraphQL haven’t read the spec, often because it sounds or looks intimidating. In this post, Loren Sands-Ramshaw goes over the essentials of the query language section of the spec, including the schema, types, descriptions, scalars, enums, and more. Follow along with Loren to learn more about the GraphQL spec.

Querying Strategies for GraphQL Clients

As more clients rely on GraphQL to query data, we witness performance and scalability issues emerging. Queries are getting bigger and slower, and net-new roll-outs are challenging. The web & mobile development teams working on Orders & Fulfillments spent some time exploring and documenting our approaches. On mobile, our goal was to consistently achieve a sub one second page load on a reliable network. After two years of scaling up our Order screen in terms of features, it was time to re-think the foundation on which we were operating to achieve our goal. We ran a few experiments in mobile and web clients to develop strategies around those pain points. These strategies are still a very open conversation internally, but we wanted to share what we’ve learned and encourage more developers to play with GraphQL at scale in their web and mobile clients. In this post, I’ll go through some of those strategies based on an example query and build upon it to scale it up.

Using GraphQL with Axios and Redux

In this article, Hetav Desai shows how you can use GraphQL with Axios and Redux, including error handling. A basic understanding of how GraphQL, Axios, and Redux work will be helpful as you follow along with the tutorial. Follow along with Hetav to learn more about how GraphQL, Axios, and Redux can be used together.

GraphQL, the Universal Query Protocol, and the Free TON Blockchain

In short, GraphQL is a protocol that defines an algorithm for searching information in a database. It was born in the depths of good old Facebook as a response to the request of users and developers. The challenge faced by the creators was to optimize the algorithm for processing search queries on the platform.


How to Build a GraphQL API Using Laravel

In this article, Tamerlan Gudabayev walks through how to set up your own GraphQL API using PHP and Laravel. Tamerlan covers migrations and models, seeding a database, defining types, schemas, mutation classes, and more. Follow along to learn more about how to use GraphQL with PHP using Laravel.

How to Build a Task Manager Application Using React, Airtable and GraphQL

Jesus Manuel Olivas recently prototyped a low-code proof-of-concept using React, Airtable, BaseQL, GraphQL and ClerkDev. In this article, Jesus walks through the setup and how to tie all the pieces together. Follow along to learn more about how to use GraphQL in a low-code context.

Polyglot persistence for PostgreSQL & MySQL using GraphQL & TypeScript

Should you use PostgreSQL or MySQL for your next project? Are you moving cloud providers and don't have both options available? Maybe you'd like to start with one option and be able to make the switch later on. Why decide now when you can have both options without any tradeoffs?


What happens if we treat GraphQL Queries as the API definition?

When you ask someone about their API definition in the context of GraphQL, the obvious answer is "the Schema". But what if instead, we use GraphQL Queries as the API definition?

GraphQL: cloud to autonomous yard truck connectivity

More and more GraphQL usage is showing up in applications everywhere as developers recognize the benefits over developing REST and other HTTP-based APIs. However, due to its relatively young age, it lacks a broad range of support across toolkits and libraries. This makes it harder to adapt legacy applications or clients to this new way of communicating. At Outrider, we’re modernizing a critical step in the supply chain and at the same time modernizing communication channels by encouraging the use of our GraphQL API. These integrations enable a live and holistic view into yard operations, in which historically data has been stale and siloed.

The GraphQL Spec, Simplified

The GraphQL Spec, Simplified is a 3-part series starting with the query language, including definitions of the document, operations, selection sets, named and inline fragments, built-in directives, and more. Follow along with Loren Sands-Ramshaw to learn more about the GraphQL spec in an easy-to-understand way.

Making Dgraph a truly GraphQL-native database

From a time of no GraphQL support to supporting GraphQL natively at speeds as good as DQL's, Dgraph has improved a lot in the past year. If you compare the v21.03 release with the v20.03 release, you will find that your GraphQL queries are magically ~33% faster. In this article, Abhimanyu Singh Gaur talks about how Dgraph is now a truly GraphQL-native database and why it matters for performance.


GraphQL vs REST—Can GraphQL replace REST?

While REST has been (and still is) a popular way of exposing data to applications, the growing complexity and evolution of development has made it less viable in a range of scenarios. In this post, Abu Sakib talks about how GraphQL can be a suitable replacement for REST and be a game-changer in the API ecosystem. Follow along with Abu to find out more about how GraphQL can replace REST.

That single GraphQL issue that you keep missing

With the increasing popularity of GraphQL, it's important to think about security vulnerabilities. GraphQL implementations are often affected by CSRF. In this article, Tomasz Swiadek and Andrea Brancaleoni go in-depth on how GraphQL is vulnerable to CSRF attacks and what can be done to solve it. Follow along to find out more about the vulnerabilities that might exist in your GraphQL app and how you can protect it.


The most powerful GraphQL Client for the web in just 2kb

Over the last couple of years, we've seen a constant evolution of GraphQL tooling. Developers try to get the maximum out of the constraints they've set for themselves. WunderGraph breaks with these rules to make room for something new. This post describes how the next generation of GraphQL clients change the way we can think about GraphQL as a technology.

GraphQL requests made easy with React Query and TypeScript

Given a GraphQL schema, we can automatically create TypeScript types for the entire API on the frontend. What's more, we can easily autogenerate fully-typed custom React hooks for a data-fetching library like React Query. In this article, Iva Kop shows how to set up a GraphQL project with TypeScript and React Query and demonstrates how to autogenerate types.

Stored Procedures, ORMs, and GraphQL

In this article, Steve Smith provides the background and history of ORMs and stored procedures and makes the case that GraphQL is really a new kind of ORM. He goes into detail about thick/smart clients, how APIs serve as stored procedures, and more.

Demystifying GraphQL Queries

In this tutorial, Jaden Baptista provides an overview of what GraphQL is and how it compares to REST. Jaden goes into detail about types, queries, and more to show how GraphQL isn't magic once it's understood. Follow along with Jaden to learn more about GraphQL from the ground up.

5 Headless CMS That You Can Use To Distribute Content Freely

Lahaul Seth has put together a list of five headless content management systems that can be used for free. GraphQL can be used with many of those listed, including Strapi, Graph CMS, and Sanity. Check out the list for more information on these great free options and choose one for your next project.


Announcing the Neo4j GraphQL Library: Build Low-Code GraphQL APIs Faster

Neo4j has just announced the general availability of the Neo4j GraphQL Library. The library is extensible, low-code, and open source and is designed for building API-driven, intelligent applications faster by tapping into the power of connected data. Read the announcement article to learn more about Neo4j and how to use it in GraphQL with their Neo4j GraphQL Library.

Supercharging file-based content with GraphQL

Tina GraphQL gateway brings reliability to Git-based content management. It acts as an essential piece to provide robust structured content while allowing for portability. In this article, Jeff See demonstrates how to create a blog with Next.js and GraphQL using Tina GraphQL gateway. Follow along to find out more about how you can use your filesystem as a CMS with confidence.

I built a chat app using React and GraphQL

In this tutorial, Abdou Ouahib shows how to build a real-time chat application using React and GraphQL. The front-end technologies used include Redux, MaterialUI, and Apollo Client. On the backend, Abdou uses Node, Apollo Server, TypeGraphQL, and PostgreSQL. The app's features include user authentication, profiles, friends, notifications, and more.

GraphQL Exploitation - Part 2: Unauthorized Execution of Queries

Like all APIs, those built with GraphQL are not immune to potential exploitation. GraphQL also has some unique features that open up attack vectors that must be considered for any real-world app. In this follow-up article, Manmeet shows how unauthorized queries can be executed in GraphQL and how this and other vulnerabilities might be exploited. Follow along with Manmeet to learn more about how you can secure your GraphQL API.