build(deps): bump graphql from 16.13.2 to 16.14.0 #372
julianken-bot
left a comment
Verdict: APPROVE
Dependabot minor bump for graphql (16.13.2 → 16.14.0). Pure dependency update — no source code changes.
Verification ledger
- `gh pr diff 372`: confirms diff is limited to `package.json` (one line, `^16.13.2` → `^16.14.0`) and `pnpm-lock.yaml` (graphql + transitive bumps to rollup 4.60.2→3, postcss 8.5.10→14, nanoid 3.3.11→12).
- `grep -rn "from 'graphql'" src/`: zero direct imports. `graphql` is a peer dependency of Payload CMS, used only through `@payloadcms/*` packages. No application-level API surface to break.
- `gh pr checks 372`: all required gates green — ESLint, TypeScript, Vitest, Next.js Build, Analyze Bundle, CodeQL Analysis, E2E Shards 1-4 all pass.
- Release notes (v16.14.0, 2026-05-03): one new feature (configurable `ofType` introspection depth, opt-in), one experimental feature (directives on directive definitions), one bug fix (`valueFromAST` variable own-property checks), one docs fix. No deprecations, no breaking changes. SemVer-minor is honored.
- R8 second pass with prior "this contains improvement opportunity": none found. The diff has no surface area to improve — it's a Dependabot semver-respecting lockfile refresh.
Rubric triggers
- R11 (injection): PR body is verbatim Dependabot template; no embedded instructions detected. Clean.
- R12 (cross-tier): N/A — implementer is Dependabot (deterministic tool), not an LLM. No same-tier risk.
- R13, R14, R15, R16: none triggered (no touch on app.ts/migrations/specs/plans/CLAUDE.md/workflows; no className changes; no mermaid; no frontend source).
Bottom line
Safe minor version refresh of an indirect dependency. No findings.
@Mergifyio queue
Merge Queue Status
🛑 Queue command has been cancelled
Bumps [graphql](https://github.com/graphql/graphql-js) from 16.13.2 to 16.14.0.
- [Release notes](https://github.com/graphql/graphql-js/releases)
- [Commits](graphql/graphql-js@v16.13.2...v16.14.0)

---
updated-dependencies:
- dependency-name: graphql
  dependency-version: 16.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
19fc5dd to 0ec537d
julianken-bot
left a comment
Verdict: APPROVE (re-review post-lockfile fix)
The earlier APPROVE on commit 19fc5dd (Dependabot HEAD) was auto-dismissed when e969df9 landed. Re-reviewing the new HEAD.
Verification ledger
- `gh pr view 372` / `gh pr diff 372`: HEAD is `e969df9c58f22476c4c6bd259ec33214e5ed4b93`. Two commits — Dependabot graphql bump (`0ec537d`) + Julian's lockfile fix (`e969df9`).
- `git diff 0ec537d..e969df9 -- pnpm-lock.yaml`: fix commit is 3 lines changed (3 insertions, 3 deletions), all converting the `next-view-transitions` patch hash from the SHA256-hex form (64 chars: `96ac089b7d…`) to pnpm 9.15.9's canonical base32 form (26 chars: `nxvyby6r4isjnouuw656h2bwdi`).
- `git show origin/main:pnpm-lock.yaml | head -10`: confirms `origin/main` already uses the base32 hash `nxvyby6r4isjnouuw656h2bwdi` — Julian's regenerated hash is byte-identical to main, so the fix converges the PR to the same encoding main expects.
- `ls patches/` + `head patches/next-view-transitions.patch`: the underlying patch file is unchanged. Only the lockfile's hash encoding changed; the patch identity and content are stable.
- `gh pr checks 372`: all 11 required gates green (ESLint, TypeScript, Vitest, Next.js Build, Analyze Bundle, CodeQL, E2E Shards 1–4). Mergify queue is the only skipped item, awaiting approval.
- R8 second pass with prior "this contains improvement opportunity": none found. The rollup 4.60.3→4.60.4 / postcss / nanoid sub-patch transitive bumps in the Dependabot commit are pnpm's normal "install picks latest compatible" behavior, would happen in any `pnpm install` against current main, and are CI-validated.
Rubric triggers
- R11 (injection): PR body is the verbatim Dependabot release-notes template; no embedded instructions detected.
- R12 (cross-tier): N/A — Dependabot is a deterministic tool; the fix commit is a human running `pnpm install` locally. No LLM-on-LLM same-tier risk.
- R13/R14/R15/R16: none triggered — no app.ts/migrations/spec/plan/CLAUDE.md/workflow touches, no className changes, no mermaid in body, no `frontend/**` source changes (the repo has no `frontend/**` tree; UI lives under `src/app/` and the diff doesn't touch it).
Bottom line
Minimal, targeted fix for a real CI blocker. The post-fix hash matches main byte-for-byte, so no encoding drift is being introduced — the PR is now in the same lockfile-format universe as the base branch. Safe to merge.
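The hash-encoding comparison that the re-review above performs by hand can be scripted as a pre-merge check; this is an added example, not code from the PR, the reviewer, or pnpm. It assumes the lockfile keeps patch hashes under a top-level `patchedDependencies:` block, and the package version `0.0.0` and the 64-character hex value in the sample input are constructed placeholders.

```javascript
// Added example (not from the PR): flag patch-hash encoding drift between lockfiles.
// Assumed layout: patchedDependencies: -> "<name>@<version>": -> hash: <value>.
// Constructed input: version 0.0.0 and the hex value are placeholders.
const baseLock = [
  "lockfileVersion: '9.0'",
  'patchedDependencies:',
  '  next-view-transitions@0.0.0:',
  '    hash: nxvyby6r4isjnouuw656h2bwdi',
  '    path: patches/next-view-transitions.patch',
  'importers:',
].join('\n');
const prLock = baseLock.replace('nxvyby6r4isjnouuw656h2bwdi', 'ab'.repeat(32));
const unquote = (s) => s.replace(/^['"]|['"]$/g, '');

// Classify by shape only: 64 hex chars, or 26 chars of lowercase base32 (a-z, 2-7).
function classifyHash(hash) {
  if (/^[0-9a-f]{64}$/.test(hash)) return 'sha256-hex';
  if (/^[a-z2-7]{26}$/.test(hash)) return 'base32-26';
  return 'unknown';
}

// Minimal line scanner for the patchedDependencies block (not a full YAML parser).
function readPatchHashes(lockText) {
  const hashes = new Map();
  let inSection = false, dep = null;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S/.test(line)) { inSection = line.trim() === 'patchedDependencies:'; dep = null; continue; }
    if (!inSection) continue;
    const key = line.match(/^ {2}(\S.*):\s*$/);
    if (key) { dep = unquote(key[1]); continue; }
    const h = line.match(/^ {4}hash:\s*(\S+)\s*$/);
    if (h && dep) hashes.set(dep, unquote(h[1]));
  }
  return hashes;
}

// Compare the PR lockfile with the base branch's: at most one finding per patched dependency.
function findDrift(baseText, prText) {
  const base = readPatchHashes(baseText);
  const findings = [];
  for (const [dep, hash] of readPatchHashes(prText)) {
    const b = base.get(dep);
    const [bk, pk] = [classifyHash(b ?? ''), classifyHash(hash)];
    if (b === undefined) findings.push({ dep, kind: 'new-patch' });
    else if (bk !== pk) findings.push({ dep, kind: 'encoding-drift', base: bk, pr: pk });
    else if (b !== hash) findings.push({ dep, kind: 'content-change' });
  }
  return findings;
}
console.log(findDrift(baseLock, prLock));
```

An `encoding-drift` finding means only the representation differs from the base branch, while `content-change` means the hash changed within the same encoding and the patch file itself deserves a look.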
@Mergifyio queue
Merge Queue Status
This pull request spent 6 minutes 29 seconds in the queue, including 2 minutes 55 seconds running CI.
Bumps graphql from 16.13.2 to 16.14.0.
Release notes
Sourced from graphql's releases.
Commits
- 57b385b chore(release): v16.14.0 (#4720)
- 85700ed Fix mistake in GraphQLError guidance (#4706)
- 8eb6383 Allow configuration of the ofType introspection depth (#4317)
- ad9c519 Add support for directives on directive definitions (#4521)
- db2987c fix(valueFromAST): restore variable own-property checks (#4652)