# yireo/magento2-custom-graph-ql-query-limiter > Magento 2 module to sync a GraphQL session with the regular session `composer require yireo/magento2-custom-graph-ql-query-limiter` Canonical URL: https://packagento.com/yireo/magento2-custom-graph-ql-query-limiter ## At a glance - **Vendor**: yireo (https://packagento.com/yireo.md) - **Latest version**: 0.0.6 — released 2025-08-14 - **Pricing**: Free - **Package type**: Magento 2 module - **Status**: active, accepting new buyers ## Installation Packagento is licence-gated, so even free packages need a licence on a project before Composer can resolve them. 1. **Sign in or create an account** at https://packagento.com/customer/account/. 2. **Add the package to your account.** Open https://packagento.com/yireo/magento2-custom-graph-ql-query-limiter and complete the free checkout. A licence is minted automatically. 3. **Create or pick a project, then activate the licence on it.** - Projects represent the Magento installs you deploy to. Manage them at https://packagento.com/projects/. - Activate the new licence on the project you'll deploy this package to. Activation is what generates the Composer credentials scoped to that project. 4. **Add the project credentials to your Magento codebase.** Grab the project's public + private key from https://packagento.com/projects/ (open the project, then its Credentials tab), and add them to `auth.json`: ```json { "http-basic": { "packagento.com": { "username": "ppk_live_...", "password": "psk_live_..." } } } ``` Add the Packagento Composer repository to `composer.json`: ```json { "repositories": [ { "type": "composer", "url": "https://packagento.com" } ] } ``` 5. **Install and apply.** ```bash composer require yireo/magento2-custom-graph-ql-query-limiter:* bin/magento setup:upgrade bin/magento setup:di:compile bin/magento cache:flush ``` ## What it does Magento 2 module to sync a GraphQL session with the regular session ## README Magento 2 module to customize settings for the GraphQL Query Limiter to enhance performance and security of your headless Magento. #### Installation Install via composer (`composer require yireo/magento2-custom-graph-ql-query-limiter`), enable the module `Yireo_CustomGraphQlQueryLimiter`, refresh caching and do your magic with DI compilation, static content and database upgrades. #### Usage The [Yireo CustomGraphQlQueryLimiter](CustomGraphQlQueryLimiter) module allows you to modify the query depth and the query complexity in an easy way, by simply letting you change these values from the **Magento Admin Panel**. Simply navigate to the **Store Configuration** in your backend and then to **Yireo > Yireo CustomGraphQlQueryLimiter > Settings** and set the desired values. Additionally, it also enables these settings in the Developer Mode, while Magento by default only enables this in Production Mode. It makes it easier to test things, instead of bumping into potential issues early. Once you update the settings, make sure to test this with an entire client-side app including complexer GraphQL queries, mutations and fragments (for instance, within Magento PWA Studio), because it potentially break your app. #### Introduction Magento 2.3+ ships with a GraphQL API that allows you to make simple queries like these: ```graphql { products(filter: {name: {match: "jacket"}}) { items { sku } } } ``` Based upon the same kind of query, you can also create a recursive lookup of products and categories, which might be looking like this: ```graphql { products(filter: {name: {match: "jacket"}}) { items { sku categories { products { items { sku categories { products { items { sku categories { products { items { sku } } } } } } } } } } } } ``` In my development environment, this quickly leads to timeouts, proofing that this type of query might not be benefiting a production environment, to put it lightly. Magento 2 its GraphQL system is based on the [Webonyx GraphQL PHP library](https://github.com/webonyx/graphql-php/), which offers a couple of security mechanisms to prevent this kind of query from being handled: Query depth and query complexity. The Magento 2 core uses a DI type to set values for this, which could be overridden using your own DI type: ```xml 20 300 ``` Looking at the culprit query above, the depth is 10: Simply counting the opening curly braces `{` from the start of the return statement (`items`). By setting the `queryDepth` to 7 or 8, the query would generate an error instead: ```json { "errors": [ { "message": "Max query depth should be 7 but got 10.", "extensions": { "category": "graphql" } } ] } ``` #### Setting the complexity The complexity could be modified as well. Looking at the culprit query above, the complexity is 15. It proves that the complexity of a GraphQL query might be quite low, but still the impact could be high. However, setting the complexity to 300 seems rather high. Perhaps in your case, setting it to 50 might be a better idea. The Webonyx library also allows you to add a complexity function to a specific field definition. Theoretically, this is something that would need to be customized per query (`categories`, `products`). What makes a specific query less performant and would therefore need to be labeled as *complex*? Note that setting an empty value on either query depth or complexity in the database, will make the value to be skipped. At that moment, the original DI configuration is taken into account. ## Changelog All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ### [Unreleased] ### [0.0.6] - 14 August 2025 #### Fixed - Switch $source type from string to DocumentNode|string ### [0.0.5] - 12 August 2025 #### Fixed - Fix implicit nullables for PHP 8.4 - PHP 8.2 upgrades - Upgrade PHPStan workflow ### [0.0.4] - 12 April 2024 #### Fixed - Changed method arguments in M 2.4.7 ### [0.0.3] - 9 February 2022 #### Fixed - Fixed issue with new validateFieldCount() in 2.4.3 (issued by @youanden) - Removed `setup_version` from module.xml ### [0.0.2] - 29 July 2020 #### Added - Magento 2.4 compatibility ### [0.0.1] - Undocumented ## Recent Versions | Version | Released | |---|---| | 0.0.6 | 2025-08-14 | | 0.0.5 | 2025-08-12 | | 0.0.4 | 2024-04-12 | | 0.0.3 | 2022-02-09 | | 0.0.2 | 2021-02-18 | ## Dependencies ### Require | Package | Constraint | |---|---| | magento/framework | ^100.1\|^101.0\|^102.0\|^103.0 | | magento/module-checkout | ^100.1 | | magento/module-quote | ^100.1\|^101.0 | | php | ^8.0 | ### Require (dev) | Package | Constraint | |---|---| | phpunit/phpunit | * | | yireo/magento2-integration-test-helper | @dev | ## Quality Latest release (0.0.6) fails the Packagento QA pipeline. Verdicts below are per-cell (Magento line × PHP version) for the matrixed tools, and run-once for the static / security tiers. ### Compatibility Each Magento line is installed on its supported PHP versions, then the module is built (DI compile + static-content deploy). Cells show passed / failed / untested; staircase gaps render as `–`. | Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 | |---|---|---|---|---| | 2.4.7 | Pass | Pass | – | – | | 2.4.8 | – | Pass | Pass | – | | 2.4.9 | – | – | Pass | Pass | ### Code Quality Advisory checks against the module's source. Never affect the Compatibility verdict — a phpcs finding can't make a module incompatible. #### Static Analysis Coding standards (phpcs), mess detection (phpmd), copy-pasted code (cpd), PHP cross-version compatibility, composer.json validity. Each runs once for the whole module. | Tool | Status | Findings | Summary | |---|---|---|---| | PHPCS | Pass | 0 | | | PHPMD | Warning | 1 | 1 rule violation (UnusedFormalParameter:1) | | Cpd | Pass | 0 | | | Composer validate | Info | 1 | valid; 1 advisory note (composer validate --strict) | #### PHPStan Type-checks the module against a real Magento install. Re-runs per Magento + PHP version because resolvable symbols differ between releases. | Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 | |---|---|---|---|---| | 2.4.7 | 2 | 2 | – | – | | 2.4.8 | – | 2 | 2 | – | | 2.4.9 | – | – | 2 | 2 | ### Tests Unit and integration suites run per Magento + PHP cell. Test failures speak to the module's behaviour, not its compatibility with a line, so they're reported here separately. #### Unit Tests | Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 | |---|---|---|---|---| | 2.4.7 | N/A | N/A | – | – | | 2.4.8 | – | N/A | N/A | – | | 2.4.9 | – | – | N/A | N/A | #### Integration Tests | Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 | |---|---|---|---|---| | 2.4.7 | Error | Error | – | – | | 2.4.8 | – | Error | not tested | – | | 2.4.9 | – | – | Error | not tested | ### Security Dependency-advisory audit (composer audit) plus a source malware scan. A malware detection fails the version outright. | Tool | Status | Findings | Summary | |---|---|---|---| | Composer audit | Pass | 0 | | | Malware scan | Pass | 0 | | ## Licence and pricing Free. A licence is still minted on checkout and bound to your project for Composer access — no payment step. Refundable within 14 days of first purchase via https://packagento.com/account/refunds/. ## Install via Claude Code or any MCP client The Packagento MCP server can run the licence + project + Composer steps above in one tool call: ``` purchase_and_install_packages( composer_names=["yireo/magento2-custom-graph-ql-query-limiter"], project_id="proj_xxx" ) ``` This handles cart, checkout, licence minting, project activation, and writes auth.json credentials. Connect a client with `claude mcp add packagento https://mcp.packagento.com`. Full setup at https://packagento.com/docs/mcp-setup. ## Vendor yireo is a Magento 2 vendor on Packagento. See https://packagento.com/yireo.md for their full catalogue.