{"package":"HotChocolate.Language","ecosystem":"nuget","latest_version":"16.1.0-p.1.9","description":"Contains the Hot Chocolate GraphQL parser and lexer. Also included are syntax visitor and syntax rewriter base classes.","license":"MIT","license_risk":"permissive","commercial_use_notes":"Permissive: commercial closed-source use OK; preserve the copyright notice.","homepage":"https://chillicream.com/","repository":"https://chillicream.com/","downloads_weekly":321656,"health":{"score":46,"risk":"high","breakdown":{"maintenance":0,"popularity":14,"security":15,"maturity":15,"community":2},"deprecated":false,"max_score":100},"vulnerabilities":{"count":1,"critical":1,"high":0,"medium":0,"low":0,"details":[{"vuln_id":"CVE-2026-40324","severity":"critical","summary":"ChilliCream GraphQL Platform: Utf8GraphQLParser Stack Overflow via Deeply Nested GraphQL Documents","affected_versions":"<12.22.7|>=13.0.0,<13.9.16|>=14.0.0,<14.3.1|>=15.0.0,<15.1.14|=0.1.0|=0.1.1|=0.1.2|=0.1.3|=0.1.4|=0.2.0|=0.2.1|=0.2.2|=0.2.3|=0.3.0|=0.3.0-preview-1|=0.3.0-preview-2|=0.3.1|=0.3.2|=0.4.0|=0.4.0-preview-1|=0.4.0-preview-2|=0.4.0-preview-3|=0.4.1|=0.4.2|=0.4.3|=0.4.4|=0.4.5|=0.4.5-preview-1|=0.4.5-preview-2|=0.4.5-preview-3|=0.4.6|=0.5.0|=0.5.0-preview-1|=0.5.0-preview-2|=0.5.0-preview-3|=0.5.0-preview-4|=0.5.0-preview-5|=0.5.0-preview-6|=0.5.0-preview-7|=0.5.1|=0.5.2|=0.5.3-preview-1|=0.6.0|=0.6.0-preview-2|=0.6.0-preview-3|=0.6.0-preview-4|=0.6.0-preview-5|=0.6.0-preview-6|=0.6.0-preview-7|=0.6.0-preview-8|=0.6.0-preview-9|=0.6.0-rc-1|=0.6.1|=0.6.10|=0.6.11|=0.6.2|=0.6.3|=0.6.4|=0.6.5|=0.6.6|=0.6.7|=0.6.8|=0.6.9|=0.7.0|=0.8.0|=0.8.1|=0.8.2|=1.0.0-alpha10|=1.0.0-alpha6|=1.0.0-alpha7|=1.0.0-alpha8|=1.0.0-alpha9|=1.0.0-preview-0001|=1.0.0-preview-0002|=1.0.0-preview-0003|=1.0.0-preview-0004|=1.0.0-preview-0005|=1.0.0-preview-0006|=1.0.0-preview-0007|=1.0.0-preview-0008|=1.0.0-preview-0009|=1.0.0-preview-0010|=1.0.0-preview-0011|=1.0.0-preview-0012|=1.0.0-preview-0013|=1.0.0-preview-0014|=1.0.0-preview-0015|=1.0.0-preview-0016|=1.0.0-preview-0017|=1.0.0-preview-0019|=1.0.0-preview-0020|=1.0.0-preview-0021|=1.0.0-preview-0022|=1.0.0-preview-0023|=1.0.0-preview-0024|=10.0.0|=10.0.1|=10.1.0|=10.1.1|=10.2.0|=10.3.0|=10.3.1|=10.3.2|=10.3.3|=10.3.4|=10.3.5|=10.3.6|=10.4.0|=10.4.1|=10.4.2|=10.4.3|=10.5.0|=10.5.1|=10.5.2|=10.5.3|=10.5.4|=10.5.5|=11.0.0|=11.0.1|=11.0.2|=11.0.3|=11.0.4|=11.0.5|=11.0.6|=11.0.7|=11.0.8|=11.0.9|=11.1.0|=11.2.0|=11.2.1|=11.2.2|=11.3.0|=11.3.1|=11.3.2|=11.3.3|=11.3.4|=11.3.5|=11.3.6|=11.3.7|=11.3.8|=12.0.0|=12.0.1|=12.1.0|=12.1.1|=12.10.0|=12.11.0|=12.11.1|=12.12.0|=12.12.1|=12.13.0|=12.13.1|=12.13.2|=12.14.0|=12.15.0|=12.15.1|=12.15.2|=12.15.3|=12.15.4|=12.16.0|=12.16.2|=12.17.0|=12.18.0|=12.19.2|=12.2.0|=12.2.1|=12.2.2|=12.20.0|=12.21.0|=12.22.0|=12.22.1|=12.22.2|=12.22.3|=12.22.4|=12.22.5|=12.22.6|=12.3.0|=12.3.1|=12.3.2|=12.4.0|=12.4.1|=12.5.0|=12.6.0|=12.6.1|=12.6.2|=12.7.0|=12.8.0|=12.8.1|=12.8.2|=12.9.0|=9.0.0|=9.0.1|=9.0.2|=9.0.3|=9.0.4|=13.0.0|=13.0.1|=13.0.2|=13.0.3|=13.0.4|=13.0.5|=13.1.0|=13.2.0|=13.2.1|=13.3.0|=13.3.1|=13.3.2|=13.3.3|=13.4.0|=13.5.0|=13.5.1|=13.6.0|=13.6.1|=13.7.0|=13.8.0|=13.8.1|=13.9.0|=13.9.1|=13.9.10|=13.9.11|=13.9.12|=13.9.13|=13.9.14|=13.9.15|=13.9.2|=13.9.3|=13.9.4|=13.9.5|=13.9.6|=13.9.7|=13.9.8|=13.9.9|=14.0.0|=14.1.0|=14.2.0|=14.3.0|=15.0.0|=15.0.1|=15.0.2|=15.0.3|=15.1.0|=15.1.1|=15.1.10|=15.1.11|=15.1.12|=15.1.13|=15.1.2|=15.1.3|=15.1.4|=15.1.5|=15.1.6|=15.1.7|=15.1.8|=15.1.9","fixed_version":"15.1.14","source":"osv","published_at":"2026-04-16T21:09:40Z","in_kev":false,"epss_prob":0.00043,"epss_percentile":0.13035,"threat_tier":"theoretical"}],"actively_exploited_count":0,"likely_exploited_count":0},"versions":{"latest":"16.1.0-p.1.9","total_count":1898,"recent":["16.0.0-rc.1.32","16.0.0-rc.1.33","16.0.0-rc.1.34","16.0.0-rc.1.35","16.0.0-rc.1.36","16.0.0-rc.1.37","16.0.0-rc.1.38","16.0.0-rc.1.39","16.0.0-rc.1.40","16.0.0-rc.1.41","16.0.0-rc.1.42","16.0.0-rc.1.43","16.1.0-p.1.1","16.1.0-p.1.2","16.1.0-p.1.3","16.1.0-p.1.4","16.1.0-p.1.5","16.1.0-p.1.6","16.1.0-p.1.7","16.1.0-p.1.9"]},"metadata":{"deprecated":false,"deprecated_message":null,"maintainers_count":1,"first_published":null,"last_published":"1900-01-01T00:00:00+00:00","dependencies_count":4,"dependencies":["HotChocolate.Language.SyntaxTree","HotChocolate.Language.Utf8","HotChocolate.Language.Visitors","HotChocolate.Language.Web"]},"github_stats":null,"bundle":null,"typescript":null,"known_issues":{"bugs_count":0,"bugs_severity":{},"status_breakdown":{},"link":null,"scope":"none"},"historical_compromise":null,"recommendation":{"action":"do_not_use","issues":["1 critical vulnerabilities"],"use_version":"16.1.0-p.1.9","version_hint":"Update to >= 15.1.14 to fix known vulnerabilities","summary":"HotChocolate.Language has critical vulnerabilities — do not use"},"version_scoped":null,"requested_version":null,"_cache":"hit","_response_ms":0,"_powered_by":"depscope.dev — free package intelligence for AI agents","typosquat":{"is_suspected":false},"maintainer_trust":{"available":false},"malicious":{"is_malicious":false},"scorecard":{"available":false},"quality":{"available":false},"version_history_summary":{"total_versions":20,"first_release_age_days":null,"last_release_days_ago":46139,"avg_days_between_releases":null,"release_velocity":"stale"}}