refactor: Bump @graphql-tools/utils from 10.8.6 to 11.0.0

[mtrezza]

Closes #10375

---

Dependency Updates

Package	From	To
@graphql-tools/utils	10.8.6	11.0.0
@graphql-tools/merge	9.0.24	9.1.7
@graphql-tools/schema	10.0.23	10.0.31

Co-dependent packages @graphql-tools/merge and @graphql-tools/schema are upgraded together because their latest versions require @graphql-tools/utils@^11.0.0.

Breaking Change Analysis

@graphql-tools/utils 11.0.0 (MAJOR)

The only breaking change is in federation/subgraph schema handling: schemas without defined operation types now preserve extend schema directives as extensions rather than converting them to schema {} definitions. This affects federation-style subgraph schemas only.

Impact on parse-server: None. Parse-server uses mapSchema, getDirective, MapperKind (from utils), mergeSchemas (from schema), and mergeTypeDefs (from merge). None of these APIs are affected by the breaking change. Parse-server does not use federation features.

@graphql-tools/merge 9.0.24 to 9.1.7 (MINOR)

• Added support for repeatable @link-ed federation directives
• Fixed merging non-identical repeatable directives
• Security fix: prevent prototype polluting assignment
• Fixed "Named export 'OperationTypeNode' not found" error
• Dependency updates only

@graphql-tools/schema 10.0.23 to 10.0.31 (PATCH)

• Dependency updates only (tracking utils and merge versions)

Risk Assessment

Low — The breaking change is narrow (federation subgraph schema handling) and does not affect any API used by parse-server.

Summary by CodeRabbit

• Chores
  • Updated GraphQL Tools dependencies (@graphql-tools/merge, @graphql-tools/schema, @graphql-tools/utils) to latest stable versions
  • Removed unused dset dependency to streamline package dependencies
  • Updated package metadata and license information

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

• Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
• Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
• Group code into logical blocks. Add a short comment before each block to explain its purpose.
• We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
• Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
• Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ca4cda82-8141-4f93-ac63-d8e07999a002

📥 Commits

Reviewing files that changed from the base of the PR and between 225a4bb and c771470.

📒 Files selected for processing (2)

• package-lock.json
• package.json

---

📝 Walkthrough

Walkthrough

Updates GraphQL Tools dependency versions across package.json and package-lock.json: @graphql-tools/utils from 10.8.6 to 11.0.0 (major version bump), @graphql-tools/merge from 9.0.24 to 9.1.7, and @graphql-tools/schema from 10.0.23 to 10.0.31. Also removes dset as a transitive dependency and bumps @whatwg-node/promise-helpers.

Changes

Cohort / File(s)	Summary
Package Manifest package.json	Updated GraphQL Tools dependencies to latest versions: @graphql-tools/utils (10.8.6 → 11.0.0), @graphql-tools/merge (9.0.24 → 9.1.7), @graphql-tools/schema (10.0.23 → 10.0.31).
Dependency Lock File package-lock.json	Updated resolved URLs, integrity hashes, and transitive dependency constraints for GraphQL Tools packages; removed dset dependency entries; updated @whatwg-node/promise-helpers (1.2.4 → 1.3.2); added license: "MIT" field for cross-inspect.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• refactor: Upgrade @graphql-tools/utils from 10.8.4 to 10.8.6 #9699: Previously bumped @graphql-tools/utils to 10.8.6; this PR continues with the major version upgrade to 11.0.0 and related package updates.

🚥 Pre-merge checks | ✅ 6 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Engage In Review Feedback	❓ Inconclusive	Cannot verify engagement with review feedback due to lack of access to GitHub PR interface where feedback comments are documented.	Access to GitHub PR discussion thread and review comments (#10377) is required to determine if reviewers provided feedback and whether the author engaged.

✅ Passed checks (6 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title begins with the required 'refactor:' prefix and clearly describes the main change: bumping @graphql-tools/utils dependency version.
Description check	✅ Passed	The PR description provides detailed dependency update information, breaking change analysis, and risk assessment. While it doesn't follow the template structure exactly, it comprehensively documents the changes.
Linked Issues check	✅ Passed	The PR successfully fulfills the linked issue #10375 objective to bump @graphql-tools/utils from 10.8.6 to 11.0.0, plus coordinated updates to dependent packages.
Out of Scope Changes check	✅ Passed	All changes are scoped to dependency version updates in package.json and package-lock.json; no unrelated modifications are present.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Security Check	✅ Passed	Security analysis confirms no new vulnerabilities; @graphql-tools/merge 9.1.7 update includes critical security fix preventing prototype-pollution attacks.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 Checkov (3.2.510)

package.json

2026-04-01 16:37:11,769 [MainThread ] [ERROR] Template file not found: package.json
2026-04-01 16:37:11,771 [MainThread ] [ERROR] Template file not found: package.json
2026-04-01 16:37:11,777 [MainThread ] [ERROR] Template file not found: package.json
2026-04-01 16:37:11,825 [MainThread ] [ERROR] Failed to invoke function /usr/local/lib/python3.11/dist-packages/checkov/common/runners/object_runner. with package.json
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/checkov/common/parallelizer/parallel_runner.py", line 88, in func_wrapper
result = original_func(item)
^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/common/runners/object_runner.py", line 74, in
results = parallel_runner.run_function(lambda f: (f, self._parse_file(f)), files_to_load)
^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/ope

... [truncated 2547 characters] ...

[MainThread ] [WARNI] Secret scanning: could not process file package.json
2026-04-01 16:37:11,890 [MainThread ] [ERROR] Exception traceback:
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/checkov/main.py", line 647, in run
self.scan_reports = runner_registry.run(
^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/common/runners/runner_registry.py", line 177, in run
for result in parallel_runner_results:
File "/usr/local/lib/python3.11/dist-packages/checkov/common/parallelizer/parallel_runner.py", line 118, in _run_function_multiprocess_fork
raise v.internal_exception.with_traceback(v.internal_exception.traceback)
FileNotFoundError: [Errno 2] No such file or directory: 'package.json'

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.53%. Comparing base (225a4bb) to head (c771470).
⚠️ Report is 7 commits behind head on alpha.

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha   #10377      +/-   ##
==========================================
+ Coverage   92.52%   92.53%   +0.01%     
==========================================
  Files         192      192              
  Lines       16568    16568              
  Branches      231      231              
==========================================
+ Hits        15329    15331       +2     
+ Misses       1217     1215       -2     
  Partials       22       22              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[parseplatformorg]

🎉 This change has been released in version 9.7.1-alpha.3