How to disable GraphQL mutation/query name suggestions?

[sandorvasas]

I know it's a question, but I suspect they are cannot be disabled. They're also a security issue.
Our app has been subject to penetration testing and the following issue came up:

e.g. https://HOSTNAME/graphql?query={user_} results in GraphQL API suggesting mutations and queries which have a similar name to ”user_”.

I already disabled introspection with the graphql-disable-introspection npm module, but I can't find a setting to get rid of the query/mutation suggestions.

See related article:
https://apisecurity.io/issue-116-facebook-parler-api-vulnerabilities-clairvoyance/#tools--clairvoyance

[trevor-scheer]

This is a known issue in the graphql-js library itself. For now, one solution might be to strip these out of the errors via formatError or a custom Apollo Server plugin.

Also, introspection can be disabled via configuration of Apollo Server, no additional npm module needed.

[glasser]

Duplicate of #3919