fix: cost-limit ignore only Field Node named __schema

[M0ngi]

This PR fixes a bypass to the cost-limit plugin (in default settings) by skipping only nodes of type Field when ignoreIntrospection is set.

This will fix the following type of bypasses:

query  {
  ...__schema
}

fragment __schema on Query {
  books {
    title
    author
  }
}

query __schema {
  books {
    title
    author
  }
}

[changeset-bot]

⚠️ No Changeset found

Latest commit: ab7d466

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 91.82%. Comparing base (11c682d) to head (ab7d466).

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #772      +/-   ##
==========================================
+ Coverage   91.73%   91.82%   +0.08%     
==========================================
  Files          17       17              
  Lines         375      379       +4     
  Branches      126      130       +4     
==========================================
+ Hits          344      348       +4     
  Misses         31       31              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[lkuechler]

Thanks for fixing this.
I noticed that no new release including this fix is available for the @escape.tech/graphql-armor-cost-limit package. Is there still something missing that needs support?

[lkuechler]

Looks like the release job ran but did not create a new version: https://github.com/Escape-Technologies/graphql-armor/actions/runs/14613041188/job/40994870116

[charsleysa]

@Gby56 can a release please be generated with this fix?

[Gby56]

Hi everyone! Sorry for the delay yes, we're planning to release the package today.

[Gby56]

@charsleysa @lkuechler @jozefsukovsky released !
https://www.npmjs.com/package/@escape.tech/graphql-armor-cost-limit
https://www.npmjs.com/package/@escape.tech/graphql-armor

[Gby56]

@lkuechler it looks like the pushed version on npm is empty we're looking into it, can you confirm ?

[lkuechler]

@Gby56 I think you are correct. It looks like it is missing the dist folder: https://www.npmjs.com/package/@escape.tech/graphql-armor-cost-limit/v/2.4.1?activeTab=code

[Gby56]

It looks like the latest auto-release had failed https://github.com/Escape-Technologies/graphql-armor/actions/runs/14727157621/job/41332468774 and we tried publishing manually. Any idea with this ?

[charsleysa]

@Gby56 the initial release failed to complete successfully. However since the version was created in NPM, the files in that version cannot be changed. You need to bump the version again and release a new version.

[Gby56]

Ok will do that asap, hopefully the pipeline succeeds, we're not clear why this happened.
Should we deprecate https://www.npmjs.com/package/@escape.tech/graphql-armor/v/3.1.4 and https://www.npmjs.com/package/@escape.tech/graphql-armor-cost-limit/v/2.4.1 ?
It looks like unpublish is not working

[charsleysa]

Yes, I believe you cannot unpublish due to NPM policy of not allowing unpublishing of public packages relied on by others so deprecation is the only option.
https://docs.npmjs.com/policies/unpublish

[Gby56]

We've deprecated the broken builds sadly, and then tried to push new bumped version, the pipeline still seems broken. We're looking into this, the 404 is suspicious and the URL too.

https://github.com/Escape-Technologies/graphql-armor/actions/runs/14728954373/job/41338324273

[Gby56]

@charsleysa we're all good now, turns out the release pipeline broke due to the npm auth

[alfaproject]

@Gby56 is there any chance this can be back ported to the v1.7 release? We can't update because we are still using Apollo 3 and won't be able to upgrade any time soon )':