fix: don't reject queries using variables when cost_validator has none (#1319) #1325
jbbqqf wants to merge 1 commit into
Prelint Review
Critical
ariadne/validation/query_cost.py (lines 103-107) [behavior_change]: The cost-validator is a security control (DoS / query-complexity limiting). Silently falling back to field_args = {} when self.variables is None means any variable-driven multiplier is simply not counted — a client can send $count=10000 and the validator computes cost as if the argument were absent. The documented design (see docs/06-Extensions/03-query-validators.md lines 131–152) deliberately surfaces this as an error and provides a callable pattern so callers explicitly forward per-request variables; degrading silently instead removes the incentive to apply that pattern and allows variable-based cost inflation to bypass the limit undetected.
Warning
docs/06-Extensions/03-query-validators.md (line 131) [doc_conflict]: The section "Exposing query variables to cost_validator" (lines 129–152) now describes deprecated behaviour as current: the stated invariant ("will raise an error") is no longer true, and the callable-workaround example exists solely to avoid that error. After this PR the section is misleading and the recommended workaround is no longer necessary for the common case — the docs must be updated to reflect the new semantics and any remaining reason to prefer the callable form (accurate cost accounting when multipliers are variable-driven).
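The two behaviours contrasted in the review above, as a simplified model added here for illustration; it is not Ariadne's code or part of this PR. `Var`, `field_cost`, `validate` and the `fail_closed` switch are hypothetical names, and the cost formula (complexity times the sum of multiplier arguments) is an assumption of the model.

```python
from dataclasses import dataclass
from typing import Mapping, Optional, Sequence, Union


@dataclass(frozen=True)
class Var:
    """Reference to a query variable such as $count."""
    name: str


class CostError(Exception):
    """Cost could not be computed, or it exceeds the limit."""


def field_cost(args: Mapping[str, Union[int, Var]], multipliers: Sequence[str],
               complexity: int, variables: Optional[Mapping[str, int]],
               fail_closed: bool) -> int:
    """Cost of one field: complexity times the sum of its multiplier arguments."""
    total = 0
    for name in multipliers:
        value = args.get(name)
        if isinstance(value, Var):
            if variables is None:
                if fail_closed:
                    raise CostError(f"${value.name} used but no variables supplied")
                value = None  # fail-open: the multiplier is silently not counted
            else:
                value = variables.get(value.name)
        if value is not None:
            total += int(value)
    return complexity * max(total, 1)


def validate(fields, maximum_cost: int, variables=None, fail_closed=True) -> int:
    """Return the query cost, or raise CostError if it is unknown or too high."""
    cost = sum(field_cost(a, m, c, variables, fail_closed) for a, m, c in fields)
    if cost > maximum_cost:
        raise CostError(f"cost {cost} exceeds maximum {maximum_cost}")
    return cost


# Constructed sample: items(first: $count), multiplier "first", complexity 1.
QUERY = [({"first": Var("count")}, ["first"], 1)]

if __name__ == "__main__":
    print("fail-open, no variables:", validate(QUERY, 100, None, fail_closed=False))
    print("variables forwarded:", validate(QUERY, 100, {"count": 10}))
```

With the fallback, the query is accepted at cost 1 whatever value the client sends for `$count`; with variables forwarded, the same query is costed at the supplied value and rejected once it exceeds the limit.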