List in output has no minimum number of items defined

Issue ID: graphql-data-outs

Description

A list used in an output position does not define a minimum number of items it must have. The GraphQL type system itself expresses no list-size bounds, so a resolver may return an empty array unless a constraint directive or equivalent tooling explicitly enforces a minimum.

For more details, see the GraphQL constraints specification.

Possible exploit scenario

Without a minItems or equivalent constraint, the API contract does not state whether an empty list is a valid response, so the API may return:

  • Empty lists when at least one element is expected
  • Unexpected “no data” responses
  • Ambiguous results for consumers

Although this does not typically introduce a direct security vulnerability, it may lead to:

  • Contract ambiguity
  • Inconsistent behavior across services
  • Client-side logic errors
  • Reduced clarity of business guarantees

Defining minimum list size constraints strengthens the API contract and makes response expectations explicit.

Remediation

Define explicit minimum size constraints for output list types where business logic requires at least one element. We recommend that you:

  • Use minItems: 1 or equivalent only when business logic guarantees at least one element
  • Avoid artificially forcing minimums if empty results are legitimate
  • Combine minItems and maxItems for clearer contract definition
  • Maintain consistency across federated subgraphs

Explicit list bounds improve contract precision and data consistency.
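The remediation above, as an added example that is not part of the original issue text: the SDL comment declares bounds in the `@constraint(minItems:, maxItems:)` directive style, and the runtime check turns an empty list on a field the contract declares non-empty into a field error instead of a silent "no data" response. The `Order` type, its fields and the bounds table are assumptions constructed for the example.

```javascript
// Added example (not from the original page): enforce declared list bounds on
// output fields at resolve time. The schema fragment below is constructed;
// it follows the graphql-constraint-directive style of list constraints.
//
//   type Order {
//     id: ID!
//     # Business rule: every order has at least one line item.
//     lineItems: [LineItem!]! @constraint(minItems: 1, maxItems: 500)
//     # Empty is legitimate here, so only an upper bound is declared.
//     tags: [String!]! @constraint(maxItems: 20)
//   }

// Bounds table as it would be extracted from the SDL above (constructed).
const listBounds = {
  "Order.lineItems": { minItems: 1, maxItems: 500 },
  "Order.tags": { maxItems: 20 },
};

// Validate one resolved list value against the declared bounds for the field.
// Returns null when the value satisfies the contract, otherwise a message.
function checkListBounds(fieldPath, value) {
  const bounds = listBounds[fieldPath];
  if (!bounds) return null; // unconstrained field: nothing to enforce
  if (!Array.isArray(value)) {
    return `${fieldPath}: expected a list, got ${typeof value}`;
  }
  if (bounds.minItems !== undefined && value.length < bounds.minItems) {
    return `${fieldPath}: expected at least ${bounds.minItems} item(s), got ${value.length}`;
  }
  if (bounds.maxItems !== undefined && value.length > bounds.maxItems) {
    return `${fieldPath}: expected at most ${bounds.maxItems} item(s), got ${value.length}`;
  }
  return null;
}

// Wrap a resolver so a contract violation is raised as a GraphQL field error:
// the response then carries an `errors` entry that a client cannot mistake
// for a legitimately empty result.
function withListBounds(fieldPath, resolver) {
  return async (parent, args, ctx, info) => {
    const result = await resolver(parent, args, ctx, info);
    const problem = checkListBounds(fieldPath, result);
    if (problem) throw new Error(`Contract violation: ${problem}`);
    return result;
  };
}
```

Apply `withListBounds("Order.lineItems", originalResolver)` only on fields whose business logic guarantees at least one element; fields where an empty list is legitimate, such as `tags` above, keep only their upper bound.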