keystone
Multiple instances of graphql
It seems the recent release of the 19th August 2022 upgraded the graphql dependency to fix a security vulnerability, yet the @keystone-6/auth package did not, and this now causes issues with the build. To replicate... Upgrade the keystone dependencies to the below, as per the recent release.
"@keystone-6/auth": "4.0.1",
"@keystone-6/core": "2.2.0",
"@keystone-6/document-renderer": "1.1.1",
"@keystone-6/fields-document": "4.1.0",
"@keystone-ui/fields": "7.1.1",
Try and run yarn. You will see....
Error: Cannot use GraphQLScalarType "{ name: "String", description: "The `String` scalar type represents textual data, represented as UTF-8 character sequences. The String type is most often used by GraphQL to represent free-form human-readable text.", specifiedByURL: undefined, serialize: [function serialize], parseValue: [function parseValue], parseLiteral: [function parseLiteral], extensions: {}, astNode: undefined, extensionASTNodes: [] }" from another module or realm.
Ensure that there is only one instance of "graphql" in the node_modules
directory. If different versions of "graphql" are the dependencies of other
relied on modules, use "resolutions" to ensure only one version is installed.
https://yarnpkg.com/en/docs/selective-version-resolutions
Duplicate "graphql" modules cannot be used at the same time since different
versions may have different capabilities and behavior. The data from one
version used in the function from another could produce confusing and
spurious results.
at instanceOf (/Users/skin/Projects/activeProjects/0197_LL_SiteRebuild/lokalliving-stack/keystone6/node_modules/@keystone-6/core/node_modules/graphql/jsutils/instanceOf.js:35:13)
...
On inspection of the dependency tree we can see this is true.
├─┬ @keystone-6/[email protected]
│ └── [email protected]
├─┬ @keystone-6/[email protected]
│ ├─┬ @apollo/[email protected]
│ │ ├─┬ @graphql-typed-document-node/[email protected]
│ │ │ └── [email protected] deduped
│ │ ├─┬ [email protected]
│ │ │ └── [email protected] deduped
│ │ └── [email protected]
│ ├─┬ @graphql-tools/[email protected]
│ │ ├─┬ @graphql-tools/[email protected]
│ │ │ └── [email protected] deduped
│ │ ├─┬ @graphql-tools/[email protected]
│ │ │ └── [email protected] deduped
│ │ └── [email protected] deduped
│ ├─┬ @graphql-ts/[email protected]
│ │ └── [email protected] deduped
│ ├─┬ @graphql-ts/[email protected]
│ │ └── [email protected] deduped
│ ├─┬ @types/[email protected]
│ │ └── [email protected] deduped
│ ├─┬ [email protected]
│ │ ├─┬ @apollo/[email protected]
│ │ │ ├─┬ @apollo/[email protected]
│ │ │ │ └── [email protected] deduped
│ │ │ ├─┬ @apollo/[email protected]
│ │ │ │ └── [email protected] deduped
│ │ │ ├─┬ @apollo/[email protected]
│ │ │ │ └── [email protected] deduped
│ │ │ ├─┬ @apollo/[email protected]
│ │ │ │ └── [email protected] deduped
│ │ │ ├─┬ @apollo/[email protected]
│ │ │ │ └── [email protected] deduped
│ │ │ └── [email protected] deduped
│ │ ├─┬ @apollographql/[email protected]
│ │ │ └── [email protected] deduped
│ │ ├─┬ @graphql-tools/[email protected]
│ │ │ └── [email protected] deduped
│ │ ├─┬ @graphql-tools/[email protected]
│ │ │ ├─┬ @graphql-tools/[email protected]
│ │ │ │ └── [email protected] deduped
│ │ │ ├─┬ @graphql-tools/[email protected]
│ │ │ │ └── [email protected] deduped
│ │ │ └── [email protected] deduped
│ │ ├─┬ [email protected]
│ │ │ └── [email protected] deduped
│ │ └── [email protected] deduped
│ ├─┬ [email protected]
│ │ └── [email protected] deduped
│ ├─┬ [email protected]
│ │ └── [email protected] deduped
│ ├─┬ [email protected]
│ │ └── [email protected] deduped
│ ├─┬ [email protected]
│ │ └── [email protected] deduped
│ ├─┬ [email protected]
│ │ └── [email protected] deduped
│ ├─┬ [email protected]
│ │ └── [email protected] deduped
│ └── [email protected]
└─┬ @keystone-6/[email protected]
└── [email protected]
This can also be confirmed by inspecting the source code at packages/auth/package.json
It seems the auth package missed the upgrade. This is actually a non-issue for me, as I have built my own Auth and Access extension based on the original, so I no longer need the @keystone-6/auth package, yet I believe others are going to experience this problem.
Ah, it seems that although I do have my own Auth extension in my local code base, I am still using the Signin and Init jsx pages from the auth package, so I do in fact need the auth package until I resolve those myself.
For others facing this issue, you can apply a temporary workaround. In the package.json of your project add...
"resolutions": {
"graphql": "16.6.0"
},
This will force the auth package to use this latest version and provide a means to continue development / releases until this is fixed.
Additional discussion here about how the most recent update breaks using npm entirely (but you can just use yarn in the meantime).
Thanks for the in-depth report and work-around @skindc, we'll be looking to fix this tomorrow.
Problem explanation and recommended workaround
As pointed out by @skindc in the OP, we upgraded graphql-upload in the following pull request
- https://github.com/keystonejs/keystone/pull/7803
We upgraded that package to resolve a security vulnerability in one of the transitive dependencies of that package. Unfortunately, we didn't notice that the maintainer of graphql-upload had previously bumped to "graphql": ^16, and as a peer dependency. Many of our dependencies tend to depend on graphql using a range, something typically akin to 14 - 16 or ^15.0.0 || >= ^16.0.0.
This has resulted in the following outcomes
- If you use npm, npm will automatically install peerDependencies, which will result in two versions of graphql: graphql@15 for Keystone, and graphql@16 for packages that accepted ^16 within their range.
- If you use yarn, yarn will not automatically install the peerDependencies, and you will be left with what resolves using the package ranges, which is ^15.8.0 as required by Keystone.
As we use yarn to maintain the project, we did not notice this discrepancy as part of our testing suite.
What now
This leaves us between a rock and a hard place, we can either:
- Revert to the vulnerable version of graphql-upload, or
- Recommend a workaround until we upgrade to 16 (https://github.com/keystonejs/keystone/pull/7817), a breaking change
In reviewing the graphql-upload changes, we understand that changing that package to resolve to graphql@^15.8.0 should only reduce the verbosity of some GraphQL error messages, in the interim.
As an example, you may, when submitting an invalid graphql-upload request, be presented with
"message": "Upload literal unsupported.",
"extensions": {
"code": "GRAPHQL_VALIDATION_FAILED"
}
And not
"message": "Upload literal unsupported.",
"locations": [
{
"line": 2,
"column": 29
}
],
"extensions": {
"code": "GRAPHQL_VALIDATION_FAILED"
}
Recommended workaround using npm install
For now, with the knowledge of the estimated impact of this recommendation, our recommended workaround is for npm users to force their npm to resolve graphql to graphql@^15.8.0, by running npm install graphql@^15.8.0 in your project.
This will present the following npm WARN messages:
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: [email protected]
npm WARN Found: [email protected]
npm WARN node_modules/graphql
npm WARN graphql@"15" from the root project
npm WARN 30 more (@apollo/client, @apollo/utils.dropunuseddefinitions, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer graphql@"^16.3.0" from [email protected]
npm WARN node_modules/graphql-upload
npm WARN graphql-upload@"^15.0.2" from @keystone-6/[email protected]
npm WARN node_modules/@keystone-6/core
npm WARN
npm WARN Conflicting peer dependency: [email protected]
npm WARN node_modules/graphql
npm WARN peer graphql@"^16.3.0" from [email protected]
npm WARN node_modules/graphql-upload
npm WARN graphql-upload@"^15.0.2" from @keystone-6/[email protected]
npm WARN node_modules/@keystone-6/core
What about yarn?
yarn users shouldn't need to change anything, but we will recommend upgrading when the new Keystone 6 major version is released.
Alternative resolutions
An alternative approach is as suggested by @skindc, which is to resolve graphql yourself.
However, for compatibility with keystone-6/*, and as we only support version 15 at this time, resolve to ^15.8.0 instead, as shown below.
"resolutions": {
"graphql": "^15.8.0"
},
We endeavor to fix this with a major update in the near future, but hopefully this helps everyone who runs into this problem in the short interim.
Alternative overrides
Thanks @jlarmstrongiv
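As an added example (not code from the Keystone project or from anyone in this thread), the following Node script walks the JSON form of `npm ls graphql --json --all` and reports every distinct resolved version of graphql together with the dependency path that pulls it in, which is the check behind the "another module or realm" error described above. The embedded tree is constructed to mirror the npm outcome explained in this post (a hoisted 15.x for Keystone and a nested 16.x auto-installed as graphql-upload's peer dependency); its package names and version numbers are illustrative.

```javascript
// Added example: detect duplicate "graphql" instances from `npm ls --json`.
// SAMPLE_TREE is a constructed stand-in for `npm ls graphql --json --all`
// output; the versions and package names are illustrative.
const SAMPLE_TREE = {
  name: 'my-keystone-app',
  version: '1.0.0',
  dependencies: {
    '@keystone-6/auth': {
      version: '4.0.1',
      dependencies: { graphql: { version: '15.8.0' } }, // deduped to hoisted copy
    },
    '@keystone-6/core': {
      version: '2.2.0',
      dependencies: {
        graphql: { version: '15.8.0' },
        'graphql-upload': {
          version: '15.0.2',
          // npm auto-installed the "^16" peer dependency as a nested copy
          dependencies: { graphql: { version: '16.6.0' } },
        },
      },
    },
  },
};

// Recursively collect every resolved version of `pkg`, keyed by version,
// with the "parent > child" chain that leads to each occurrence.
function collectVersions(tree, pkg, path = [], found = new Map()) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const chain = [...path, `${name}@${node.version}`];
    if (name === pkg && node.version) {
      const seen = found.get(node.version) || [];
      seen.push(chain.join(' > '));
      found.set(node.version, seen);
    }
    collectVersions(node, pkg, chain, found);
  }
  return found;
}

// Returns { ok, versions }: ok is true only when at most one distinct
// version of `pkg` resolves anywhere in the tree, which is the condition
// graphql's instanceOf check needs in order not to raise "another module or realm".
function checkSingleInstance(tree, pkg = 'graphql') {
  const versions = collectVersions(tree, pkg);
  return { ok: versions.size <= 1, versions: Object.fromEntries(versions) };
}

console.log(JSON.stringify(checkSingleInstance(SAMPLE_TREE), null, 2));
```

On a real project, replace SAMPLE_TREE with `JSON.parse` of the `npm ls graphql --json --all` output; yarn users get the equivalent signal from `yarn why graphql`.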
Thank you for a very immediate response. Sorry for suggesting the resolution for forward dependency upgrade, I thought this was the intention.
Thanks for reporting the issue @skindc! No worries about the recommendation, we're all trying to help :blue_heart:
Yes, I was surprised by this error running npx create-keystone-app followed by npm commands. You can also workaround this issue via npm overrides:
{
"overrides": {
"[email protected]": {
"graphql": "^15.8.0"
}
}
}
I’m very happy to see all the dependency updates! Upgrading jest and other deps helped solve a lot of problems for me. I see that prisma@4 was merged, and I’m looking forward to updating to graphql@16 too.
but you can just use yarn in the meantime
Unfortunately, that’s not a viable option for me.
Thanks for this information, solved my issue!
Oh yes! Waiting for graphql@16 upgrade too :)
This has been resolved with the newest major release :package:.
Please don't forget to remove your resolutions or overrides when upgrading.
Thanks for hanging in there everyone :pray:
This is still not fixed. It fails with both npm and yarn with the same error when I try to install; I used both npx and yarn.
Duplicate "graphql" modules cannot be used at the same time since different
node version 16.18
@eaglestorm can you please show your steps to reproduce?
All I did was the initial npx create command and it failed with Error: Cannot use GraphQLObjectType "Post" from another module or realm. Not really any steps.
@eaglestorm run npm ls graphql to view what is installing a different version of graphql somewhere in your node_modules.
shows all the same graphql version
+-- @keystone-6/[email protected]
| `-- [email protected] deduped
+-- @keystone-6/[email protected]
| +-- @apollo/[email protected]
| | +-- [email protected]
| | | `-- [email protected] deduped
| | `-- [email protected] deduped
| +-- @graphql-ts/[email protected]
| | `-- [email protected] deduped
| +-- @graphql-ts/[email protected]
| | `-- [email protected] deduped
| +-- @graphql-typed-document-node/[email protected]
| | `-- [email protected] deduped
| +-- @types/[email protected]
| | +-- @apollo/[email protected]
| | | `-- [email protected] deduped
| | `-- [email protected] deduped
| +-- [email protected]
| | +-- @apollo/[email protected]
| | | +-- @apollo/[email protected]
| | | | `-- [email protected] deduped
| | | +-- @apollo/[email protected]
| | | | `-- [email protected] deduped
| | | +-- @apollo/[email protected]
| | | | `-- [email protected] deduped
| | | +-- @apollo/[email protected]
| | | | `-- [email protected] deduped
| | | +-- @apollo/[email protected]
| | | | `-- [email protected] deduped
| | | `-- [email protected] deduped
| | +-- @apollographql/[email protected]
| | | `-- [email protected] deduped
| | +-- @graphql-tools/[email protected]
| | | +-- @graphql-tools/[email protected]
| | | | +-- @graphql-tools/[email protected]
| | | | | `-- [email protected] deduped
| | | | `-- [email protected] deduped
| | | +-- @graphql-tools/[email protected]
| | | | `-- [email protected] deduped
| | | `-- [email protected] deduped
| | +-- @graphql-tools/[email protected]
| | | +-- @graphql-tools/[email protected]
| | | | +-- @graphql-tools/[email protected]
| | | | | `-- [email protected] deduped
| | | | `-- [email protected] deduped
| | | +-- @graphql-tools/[email protected]
| | | | `-- [email protected] deduped
| | | `-- [email protected] deduped
| | +-- [email protected]
| | | `-- [email protected] deduped
| | `-- [email protected] deduped
| +-- [email protected]
| | `-- [email protected] deduped
| +-- [email protected]
| | `-- [email protected] deduped
| +-- [email protected]
| | `-- [email protected] deduped
| +-- [email protected]
| | `-- [email protected] deduped
| +-- [email protected]
| | `-- [email protected] deduped
| `-- [email protected] deduped
+-- @keystone-6/[email protected]
| `-- [email protected] deduped
`-- [email protected]
@eaglestorm can you please open a different issue with any relevant information. I don't think your issue is related to this.
I am still getting this issue unfortunately after upgrading to the latest packages - getting this error with npm ls graphql
invalid: "^16.3.0" from node_modules/graphql-upload
Node version: 16.4.2
Dependency versions:
"@graphql-tools/schema": "^9.0.9",
"@keystone-6/auth": "5.0.0",
"@keystone-6/core": "3.0.2",
"@keystone-6/fields-document": "5.0.1",
@ttbarnes could you please open a different issue and increase the verbosity of your report? What error are you receiving, et cetera?