chore(deps): bump graphql-request from 7.1.2 to 7.3.5

[dependabot]

Bumps graphql-request from 7.1.2 to 7.3.5.

Release notes

Sourced from graphql-request's releases.

graphql-request@7.3.4

Bug Fixes

• Fixed #1281: GraphQL errors and data are now accessible from 4xx/5xx HTTP responses
• Fixed #1461: ClientError is properly returned for non-2xx responses with malformed bodies
• Fixed #1462: ClientError is properly returned for non-2xx responses with unsupported content types

Changes

• Non-2xx HTTP responses now parse the response body first to extract GraphQL errors/data when available
• Non-2xx responses with valid GraphQL bodies return ClientError with errors and data accessible
• Non-2xx responses with invalid bodies still return ClientError (not generic Error) for backwards compatibility
• This release reverts PRs #1457 and #1459 which introduced regressions, then reapplies a minimal fix for #1281

Breaking Changes

None - this release maintains backwards compatibility while adding support for accessing GraphQL errors from 4xx/5xx responses.

graphql-request@7.3.3

Bug Fixes

• Non-JSON Error Response Handling: Fixed regression in 7.3.2 where servers returning HTTP 4xx/5xx status codes with non-JSON response bodies (HTML, plain text) would throw an unhelpful error: "Invalid execution result: result is not object or array" (#1459, closes #1458)
  • Added safe JSON parsing fallback for responses without proper Content-Type headers
  • Returns descriptive error messages with response body preview for non-JSON responses
  • Handles common production scenarios: load balancer errors (502/503 HTML pages), CDN errors, WAF/firewall responses, misconfigured servers
  • Maintains backward compatibility for servers that omit Content-Type but return valid JSON
  • Added comprehensive test coverage for HTML, plain text, and missing Content-Type scenarios

What Changed

Version 7.3.2 introduced a bug where the ELSE branch in parseResultFromResponse would pass raw strings (HTML, plain text) to a parser expecting objects/arrays. This only surfaced when:

1. Server returns 4xx/5xx status code
2. Content-Type header is missing or non-JSON (e.g., text/html, text/plain)
3. Response body is not valid JSON

This is now fixed with graceful error handling and clear error messages.

graphql-request@7.3.2

Bug Fixes

• HTTP Error Handling: Fixed regression from v6 to v7 where HTTP 4xx/5xx responses would not include GraphQL errors from response body in ClientError (#1457, closes #1281)

  • Response body is now parsed before checking HTTP status
  • Users can access GraphQL errors via error.response.errors even with non-2xx status codes
  • Common use case: authentication errors (422), server errors (500)

• graphql-codegen Compatibility: Added support for TypedDocumentString from @graphql-codegen when using documentMode: 'string' (#1456, closes #1453)

  • Handles boxed String objects created by TypedDocumentString class
  • Normalizes document input to prevent crashes when passing to GraphQL operations

graphql-request@7.3.1

... (truncated)

Commits

• 599c487 chore: bump version to 7.3.5
• dbac13d fix: add TypedDocumentString to accepted document types (#1468)
• 2b4cd54 chore: bump version to 7.3.4
• 657b126 Fix: parse GraphQL errors from 4xx/5xx responses (#1281) (#1465)
• 280e294 Revert PRs #1457 and #1459 - will reimplement properly (#1463)
• a9f94c1 chore: bump ver
• 97d9822 Fix: handle non-JSON error responses gracefully (#1459)
• cc99d03 chore: bump version to 7.3.2
• 7a1ee76 fix: parse GraphQL errors from response body on HTTP 4xx/5xx status codes (#1...
• 0f60a64 fix: support TypedDocumentString from graphql-codegen (#1456)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	graphql-request@​7.1.2 ⏵ 7.3.5

View full report