String scalar in output has no minimum length defined

Issue ID: graphql-data-output-string-scalar-min-needed

Description

A string scalar used in an output position has no minimum length specified. While GraphQL ensures that the value is a string, it does not specify whether empty or trivially short values are acceptable.

For more details, see the GraphQL constraints specification.

Possible exploit scenario

Without a defined minLength or equivalent constraint, the API contract does not clearly communicate whether empty strings are valid responses, and the API may return empty strings ("") or values consisting only of whitespace.

Although this issue rarely leads to direct security exploitation, it may result in:

  • Contract ambiguity for API consumers
  • Inconsistent behavior across services
  • Client-side validation errors
  • Reduced data quality

Remediation

Define minimum length constraints for output string scalars where business logic requires non-empty values. We recommend that you:

  • Use minLength: 1 or an equivalent constraint when empty strings are not valid business values
  • Combine minLength with maxLength for a stronger contract definition
  • Align constraints with documented API guarantees
  • Maintain consistent scalar definitions across subgraphs in federated APIs

Explicit minimum constraints improve schema precision, contract clarity and response consistency, and make API response expectations explicit.
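
One way to check a schema for this issue before it ships, shown as an added example that is not part of the original page or of the audit tool: a narrow regex-based scan of SDL text that reports output String fields without a minLength of at least 1. The `@constraint(minLength: ..., maxLength: ...)` directive syntax, the sample schema and the function name are assumptions made for illustration.

```python
import re

# Constructed sample schema (not from the original page). The @constraint
# directive and its minLength/maxLength arguments are an assumed syntax.
SAMPLE_SDL = '''
type User {
  id: ID!
  displayName: String!                                      # no constraint
  email: String! @constraint(minLength: 3, maxLength: 254)  # bounded
  bio: String @constraint(maxLength: 500)                   # max only
  tags(first: Int): [String!]!                              # list of strings
  nickname: String @constraint(minLength: 0, maxLength: 30) # 0 still allows empty
}

input UserFilter {
  nameContains: String   # input position, outside this rule's scope
}
'''

TYPE_RE = re.compile(r'\b(?:type|interface)\s+(\w+)[^{]*\{([^}]*)\}')
FIELD_RE = re.compile(
    r'(\w+)\s*(?:\([^)]*\))?\s*:\s*([\[\]!\w]+)'   # name, optional args, type
    r'((?:\s*@\w+(?:\([^)]*\))?)*)'                # trailing directives
)
MIN_RE = re.compile(r'@constraint\([^)]*\bminLength\s*:\s*(\d+)')


def find_unbounded_output_strings(sdl):
    """Return 'Type.field' for output String fields lacking minLength >= 1."""
    # Drop descriptions and comments so they cannot be mistaken for fields.
    sdl = re.sub(r'""".*?"""', '', sdl, flags=re.S)
    sdl = re.sub(r'#[^\n]*', '', sdl)
    findings = []
    for type_name, body in TYPE_RE.findall(sdl):
        for field, gql_type, directives in FIELD_RE.findall(body):
            if gql_type.strip('[]!') != 'String':
                continue  # only String scalars are in scope
            m = MIN_RE.search(directives)
            if m is None or int(m.group(1)) < 1:
                findings.append(f'{type_name}.{field}')
    return findings


if __name__ == '__main__':
    for name in find_unbounded_output_strings(SAMPLE_SDL):
        print('missing minLength:', name)
```

The scan treats minLength: 0 as missing, since it still permits the empty string. It is a text-level check for simple schemas; a full SDL parser is the better choice where field arguments carry their own directives or nested default values.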