From cc64042dc18df64c7542dc70f2ac5f17068be2b3 Mon Sep 17 00:00:00 2001
From: hainenber
Date: Tue, 29 Oct 2024 23:23:08 +0700
Subject: [PATCH 1/2] fix(sec): set default maximum batching size to 1000 to prevent Denial of Service

Signed-off-by: hainenber
---
 .changeset/silent-cooks-visit.md | 5 +++++
 README.md | 2 +-
 src/index.d.ts | 2 +-
 src/index.js | 2 +-
 4 files changed, 8 insertions(+), 3 deletions(-)
 create mode 100644 .changeset/silent-cooks-visit.md

diff --git a/.changeset/silent-cooks-visit.md b/.changeset/silent-cooks-visit.md
new file mode 100644
index 0000000..40d5b93
--- /dev/null
+++ b/.changeset/silent-cooks-visit.md
@@ -0,0 +1,5 @@
+---
+'dataloader': minor
+---
+
+set default maximum batching size to 1000 to prevent Denial of Service.
diff --git a/README.md b/README.md
index 664a043..c228ff4 100644
--- a/README.md
+++ b/README.md
@@ -395,7 +395,7 @@ Create a new `DataLoader` given a batch loading function and options.
 | Option Key | Type | Default | Description |
 | ----------------- | -------- | ----------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
 | `batch` | Boolean | `true` | Set to `false` to disable batching, invoking `batchLoadFn` with a single load key. This is equivalent to setting `maxBatchSize` to `1`. |
-| `maxBatchSize` | Number | `Infinity` | Limits the number of items that get passed in to the `batchLoadFn`. May be set to `1` to disable batching. |
+| `maxBatchSize` | Number | `1000` | Limits the number of items that get passed in to the `batchLoadFn`. May be set to `1` to disable batching. |
 | `batchScheduleFn` | Function | See [Batch scheduling](#batch-scheduling) | A function to schedule the later execution of a batch. The function is expected to call the provided callback in the immediate future. |
 | `cache` | Boolean | `true` | Set to `false` to disable memoization caching, creating a new Promise and new key in the `batchLoadFn` for every load of the same key. This is equivalent to setting `cacheMap` to `null`. |
 | `cacheKeyFn` | Function | `key => key` | Produces cache key for a given load key. Useful when objects are keys and two objects should be considered equivalent. |
diff --git a/src/index.d.ts b/src/index.d.ts
index 136ad88..7ba9bcc 100644
--- a/src/index.d.ts
+++ b/src/index.d.ts
@@ -95,7 +95,7 @@ declare namespace DataLoader {
 batch?: boolean;
 /**
- * Default `Infinity`. Limits the number of items that get passed in to the
+ * Default `1000`. Limits the number of items that get passed in to the
 * `batchLoadFn`. May be set to `1` to disable batching.
 */
 maxBatchSize?: number;
diff --git a/src/index.js b/src/index.js
index 997d85a..80b2b8c 100644
--- a/src/index.js
+++ b/src/index.js
@@ -412,7 +412,7 @@ function getValidMaxBatchSize(options: ?Options): number {
 }
 const maxBatchSize = options && options.maxBatchSize;
 if (maxBatchSize === undefined) {
- return Infinity;
+ return 1000;
 }
 if (typeof maxBatchSize !== 'number' || maxBatchSize < 1) {
 throw new TypeError(

From b176a9b954e6c255fdf53065941084637d8bf4e5 Mon Sep 17 00:00:00 2001
From: hainenber
Date: Wed, 30 Oct 2024 00:29:29 +0700
Subject: [PATCH 2/2] chore(sec): reduce default maxBatchSize to 500

Signed-off-by: hainenber
---
 .changeset/silent-cooks-visit.md | 2 +-
 README.md | 2 +-
 src/index.d.ts | 2 +-
 src/index.js | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.changeset/silent-cooks-visit.md b/.changeset/silent-cooks-visit.md
index 40d5b93..de156c4 100644
--- a/.changeset/silent-cooks-visit.md
+++ b/.changeset/silent-cooks-visit.md
@@ -2,4 +2,4 @@
 'dataloader': minor
 ---
-set default maximum batching size to 1000 to prevent Denial of Service.
+Set default maximum batching size to 500 to prevent Denial of Service.
diff --git a/README.md b/README.md
index c228ff4..5b8adcd 100644
--- a/README.md
+++ b/README.md
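Review bot: The new default is a bare literal `1000` here (and `500` in the matching src/index.js hunk of the second patch), repeated verbatim in README.md and src/index.d.ts, which is why the follow-up had to touch four files just to change the number; hoist it into a named, commented module constant, e.g. `// Default cap on keys per batchLoadFn call; the former Infinity let a burst of loads grow one batch without bound.` / `const DEFAULT_MAX_BATCH_SIZE = 1000;` and `return DEFAULT_MAX_BATCH_SIZE;`. The validation on the following lines still lets `NaN` through, since `typeof NaN === 'number'` and `NaN < 1` is false, so an explicit `maxBatchSize: NaN` skips the TypeError and presumably the new bound as well; adding `|| Number.isNaN(maxBatchSize)` to that condition would close it. Because the change alters batching behaviour for every caller that relied on a single unbounded batch, the constant's comment is also the place to state that `Infinity` remains accepted as an explicit opt-in. getValidMaxBatchSize starts and ends outside the hunk.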
@@ -395,7 +395,7 @@ Create a new `DataLoader` given a batch loading function and options.
 | Option Key | Type | Default | Description |
 | ----------------- | -------- | ----------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
 | `batch` | Boolean | `true` | Set to `false` to disable batching, invoking `batchLoadFn` with a single load key. This is equivalent to setting `maxBatchSize` to `1`. |
-| `maxBatchSize` | Number | `1000` | Limits the number of items that get passed in to the `batchLoadFn`. May be set to `1` to disable batching. |
+| `maxBatchSize` | Number | `500` | Limits the number of items that get passed in to the `batchLoadFn`. May be set to `1` to disable batching. |
 | `batchScheduleFn` | Function | See [Batch scheduling](#batch-scheduling) | A function to schedule the later execution of a batch. The function is expected to call the provided callback in the immediate future. |
 | `cache` | Boolean | `true` | Set to `false` to disable memoization caching, creating a new Promise and new key in the `batchLoadFn` for every load of the same key. This is equivalent to setting `cacheMap` to `null`. |
 | `cacheKeyFn` | Function | `key => key` | Produces cache key for a given load key. Useful when objects are keys and two objects should be considered equivalent. |
diff --git a/src/index.d.ts b/src/index.d.ts
index 7ba9bcc..ee7dae0 100644
--- a/src/index.d.ts
+++ b/src/index.d.ts
@@ -95,7 +95,7 @@ declare namespace DataLoader {
 batch?: boolean;
 /**
- * Default `1000`. Limits the number of items that get passed in to the
+ * Default `500`. Limits the number of items that get passed in to the
 * `batchLoadFn`. May be set to `1` to disable batching.
 */
 maxBatchSize?: number;
diff --git a/src/index.js b/src/index.js
index 80b2b8c..a58ceae 100644
--- a/src/index.js
+++ b/src/index.js
@@ -412,7 +412,7 @@ function getValidMaxBatchSize(options: ?Options): number {
 }
 const maxBatchSize = options && options.maxBatchSize;
 if (maxBatchSize === undefined) {
- return 1000;
+ return 500;
 }
 if (typeof maxBatchSize !== 'number' || maxBatchSize < 1) {
 throw new TypeError(