Releases: Blazebit/blaze-persistence

1.6.11

11 Jan 12:12

We are happy to announce the eleventh bug fix release of the 1.6 series.

Hibernate ORM 6.4 compatibility

So far, the Hibernate ORM 6 integration was tested against Hibernate ORM 6.4.0.CR1.
The integration was adapted due to a slight change in 6.4.0.Final,
which unfortunately prevented the use of Blaze-Persistence with that version.

Spring Framework 6.1 compatibility

Spring Framework 6.1 apparently removed methods that were previously marked as deprecated, which our Spring Data integration unfortunately was still using. This was causing NoSuchMethodError to be thrown, but is now fixed.

Security fix for Spring Data integration

This release contains a fix for a security issue in the Spring Data integration which was recently reported by Nelson Neto.
Since every version of Blaze-Persistence is affected, every user of the Spring Data integration is strongly advised to update immediately.
The issue could potentially lead to a data leak. There is no known reproducer or attack yet, but know that this is a high severity issue.

In short, the problem is that Sort.Order is assumed to be safe, but it is usually untrusted user input,
usually being parsed by the Spring Data WebMvc/WebFlux integration from a query parameter.

Any Spring Data repository method is affected that:

  • accepts a Sort parameter directly, or indirectly through Pageable/PageRequest or KeysetPageable/KeysetPageRequest
  • returns an entity view type explicitly or through a dynamic projection

Calling such repository methods with untrusted Sort inputs allows for JPQL.next injection,
which ultimately is SQL injection.

Regular Spring Data JPA repositories only allow sorting by attribute paths relative to the query root,
which is ensured by construction, i.e. Spring Data JPA tries to find attributes based on the entity metamodel.

Entity view based Spring Data repositories allow sorting by entity view attribute paths and
also allow sorting by entity attribute paths. Until Blaze-Persistence 1.6.11,
entity attribute paths were not validated to be relative to the query root.
In fact, any valid JPQL.next expression was accepted, which essentially leads to a SQL injection vulnerability.

If updating to the latest version of Blaze-Persistence is not possible for some reason,
the security issue can be mitigated by validating the Sort, e.g.:

// Accept only word characters and dots, i.e. plain attribute paths
Pattern validCharsPattern = Pattern.compile("[\\w.]+");
for (Sort.Order order : sort) {
    if (!validCharsPattern.matcher(order.getProperty()).matches()) {
        throw new IllegalArgumentException("Attempted SQL injection");
    }
}
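
A stricter variant of the mitigation above, as an added example that is not part of the release notes or of Blaze-Persistence: it applies the same pattern and additionally checks each property against an allow-list before a Sort or Pageable reaches the repository. SortGuard, its methods and the sample property names are hypothetical, and spring-data-commons is assumed to be on the classpath.

```java
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

import org.springframework.data.domain.PageRequest;
import org.springframework.data.domain.Pageable;
import org.springframework.data.domain.Sort;

// Added example: SortGuard is a hypothetical helper, not Blaze-Persistence API.
public final class SortGuard {

    // Same character class as the mitigation in the release notes:
    // only word characters and dots, so nothing but attribute paths passes.
    private static final Pattern VALID_CHARS = Pattern.compile("[\\w.]+");

    // Attribute paths the endpoint is willing to sort by (assumption: known per endpoint).
    private final Set<String> allowedPaths;

    public SortGuard(Set<String> allowedPaths) {
        this.allowedPaths = Set.copyOf(allowedPaths);
    }

    /** Returns the Sort unchanged if every order is acceptable, otherwise throws. */
    public Sort check(Sort sort) {
        for (Sort.Order order : sort) {
            String property = order.getProperty();
            if (!VALID_CHARS.matcher(property).matches()) {
                throw new IllegalArgumentException("Sort property is not an attribute path");
            }
            if (!allowedPaths.contains(property)) {
                throw new IllegalArgumentException("Sort property is not allow-listed");
            }
        }
        return sort;
    }

    /** Covers the indirect case: the Sort carried inside a Pageable/PageRequest. */
    public Pageable check(Pageable pageable) {
        check(pageable.getSort());
        return pageable;
    }

    public static void main(String[] args) {
        SortGuard guard = new SortGuard(Set.of("name", "owner.name"));

        // Constructed sample inputs, standing in for Sort values parsed from a query parameter.
        List<Sort> samples = List.of(
                Sort.by("name"),                          // plain attribute
                Sort.by(Sort.Order.desc("owner.name")),   // nested attribute path
                Sort.by("age"),                           // valid characters, not allow-listed
                Sort.by("UPPER(name)"),                   // expression, fails the pattern
                Sort.by("name", "id + 1"));               // second order fails the pattern

        for (Sort sample : samples) {
            try {
                guard.check(sample);
                System.out.println("accepted: " + sample);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + sample + " (" + e.getMessage() + ")");
            }
        }

        // A paged request is validated through the Sort it carries.
        guard.check(PageRequest.of(0, 20, Sort.by("name")));
    }
}
```

Call check(...) in the controller or service layer, before the Sort or Pageable is passed to an entity view repository method.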

Various bug fixes

Take a look into the changelog for a full list of changes and improvements.

Enjoy the release and stay tuned for the next one!

1.6.10

12 Nov 21:41

We are happy to announce the tenth bug fix release of the 1.6 series.

Hibernate ORM 6.3 and 6.4 support

The Hibernate 6.2 integration now also supports Hibernate ORM 6.3 and 6.4.
During testing we uncovered some bugs in Hibernate ORM which have been reported and will be fixed in the upcoming releases.

Java 21 support

Since Java 21 will be the next LTS release, we decided that ensuring that version works is vital and made sure it works by regularly testing with this version on CI.

Various bug fixes

As always, this release comes with quite a few bug fixes, so we recommend you update soon!

Take a look into the changelog for a full list of changes and improvements.

Enjoy the release and stay tuned for the next one!

1.6.9

15 Jun 18:27

We are happy to announce the ninth bug fix release of the 1.6 series.

Hibernate 6.2 support

Hibernate 6.2 was not really backwards compatible with 6.1 with respect to our integration, so we had the need for a new integration.
We uncovered quite a few bugs during testing of Hibernate 6 and only as of Hibernate 6.2.5.Final,
enough bugs were fixed so that we could comfortably call our integration production ready.
This and the fact that only Hibernate 6.2+ is maintained at this point drove us to the decision to drop the old hibernate-6 integration module
and instead create a new module blaze-persistence-integration-hibernate-6.2.
When updating to Blaze-Persistence 1.6.9 and replacing the integration dependency, don't forget to also update your Hibernate version to at least 6.2.5.Final.

Spring Framework 6 / Boot 3.1 support

A big thank you goes out to Eugen Mayer who worked hard on the new Spring integration.
Why no support for Spring Boot 3.0 you ask? Because that still depends on Hibernate 6.1 and we do not want to publish an integration for that version.
Everyone is encouraged to update to 3.1 directly which supports Hibernate 6.2, though at this point you also have to bump the Hibernate version to at least 6.2.5.Final.
At the time of writing, there is no Spring release yet that includes the new Hibernate version.

Note that there are new integration artifacts:

  • blaze-persistence-integration-entity-view-spring-6.0 - Scanning support for Spring Framework 6+
  • blaze-persistence-integration-spring-data-3.1 - Support for Spring Data 3.1+
  • blaze-persistence-integration-spring-data-webmvc-jakarta - Support for Spring WebMvc 3.1+
  • blaze-persistence-integration-spring-hateoas-webmvc-jakarta - Support for Spring HATEOAS 2+

Quarkus 3.1 support

This release introduces a new integration blaze-persistence-integration-quarkus-3 which supports Quarkus 3.1.1+.
Quarkus 3.1.2+ will ship with Hibernate 6.2.5+, but if you want to work with Quarkus 3.1.1 for now,
you will have to manually update the Hibernate version to 6.2.5.Final in your dependencies.

GraphQL enhancements

Two new Netflix DGS integrations have been added. One for DGS version 5.5 - 6.x (blaze-persistence-integration-graphql-dgs) and one for version 7.x+ (blaze-persistence-integration-graphql-dgs-7.0).
DGS 7.x+ is for Spring Boot 3.x+ only, so we had to create separate integrations, due to the Jakarta namespace rename that happened in Spring Boot 3.
It is important to note though that the DGS integration now comes with support for updatable entity views as mutations out of the box!

Various bug fixes

As always, this release comes with quite a few bug fixes, so we recommend you update soon!

Take a look into the changelog for a full list of changes and improvements.

Enjoy the release and stay tuned for the next one!

1.6.8

21 Nov 15:38

We are happy to announce the eighth bug fix release of the 1.6 series.

GraphQL enhancements

The GraphQL integration was significantly enhanced and now properly interprets various non-null, ignore and naming annotations.
It also supports exposing getters as GraphQL fields, which are unknown to Entity Views.

Spring Data enhancements

After a few reports about boot errors with the Spring Data integrations for 2.5 and 2.6,
saying that some methods weren't implemented, after updating to a newer Spring Data bugfix version,
we decided to create dedicated integration modules for every Spring Data version and try to keep up to date
with the latest bug fix versions from now on, to avoid these issues in the future.

Various bug fixes

As always, this release comes with quite a few bug fixes, so we recommend you update soon!

Take a look into the changelog for a full list of changes and improvements.

Enjoy the release and stay tuned for the next one!

1.6.7

28 Aug 12:10

We are happy to announce the seventh bug fix release of the 1.6 series.

Hibernate 6 support

The long awaited Hibernate 6 integration is finally finished. It took longer than anticipated for various reasons.
Hibernate 6 changed quite a lot under the hood, and since Blaze-Persistence integrates so deeply with it,
it ran into a lot of the early regressions which first had to be fixed in Hibernate 6.

With Hibernate 6.1.1.Final being released, we were finally able to also release the Hibernate 6 integration,
as that version has all the fixes and SPIs needed for Blaze-Persistence to work again.

New Spring Data integrations

After a few reports about boot errors with the Spring Data integrations for 2.5 and 2.6,
saying that some methods weren't implemented, after updating to a newer Spring Data bugfix version,
we decided to create dedicated integration modules for every Spring Data version and try to keep up to date
with the latest bug fix versions from now on, to avoid these issues in the future.

In addition to that, we also added an integration for Spring Data 2.7.

If you have been using the Spring Data 2.4 integration previously on Spring Data 2.5, 2.6 or 2.7,
please switch to the new integration modules for the respective versions.

New Java version support

The previous version already worked with Java 16 and 17, but now we also added proper continuous integration
matrix entries for Java 16, 17, 18 and 19-EA to make sure everything still works fine with the latest JDKs.

Various bug fixes

Apart from the new integrations, this release comes with quite a few bug fixes in the QueryDSL integration,
as well as one parsing issue where the multiplication operator has higher precedence than the division operator.
We highly advise updating to this latest version to avoid running into this nasty parser bug.

Take a look into the changelog for a full list of changes and improvements.

Enjoy the release and stay tuned for the next one!

1.6.6

29 Jan 10:19

We are happy to announce the sixth bug fix release of the 1.6 series.

Quarkus integration with Hibernate 5.6 native image fixes

In the last release we introduced a dedicated integration module for Hibernate 5.6 because version 5.6.2.Final changed some SPIs that we relied on in a way that required a new integration module.
Due to earlier test failures because of the Hibernate version update in Quarkus latest, we didn't immediately realize that there was an issue with the reflection registration in native mode with the new integration.

This release fixes the missing reflection registrations in the Quarkus integration.

Spring Boot/Data 2.6 and HATEOAS

Thanks to Gilles Robert for making us aware of the fact that Spring Boot 2.6 updated the Spring HATEOAS version, which came with some changes that needed adaptations in the integration.
While fixing the issue for the Spring HATEOAS integration, we also made sure to add a test profile for Spring Boot/Data 2.6 and can now say with confidence that version 2.6 is supported.

Blaze-Persistence coming to Apiman

Marc Savy announced within a bug report that the next version of the Apiman project will switch from the JPA Criteria API to Blaze-Persistence for some queries.
From what I understand, the great support for keyset pagination and the fluent API which makes queries understandable for a wider audience are the major driving factors for this decision.

With this release, the blocker issue Marc ran into was fixed and so we welcome the Apiman team to the Blaze-Persistence community!

Take a look into the changelog for a full list of changes and improvements.

Enjoy the release and stay tuned for the next one!

1.6.5

19 Jan 11:06

We are happy to announce the fifth bug fix release of the 1.6 series.

Hibernate 5.6.2.Final+ support

Hibernate ORM 5.6.2.Final unfortunately changed SPIs in a backwards incompatible way which was only fixed with the recently released version 5.6.4.Final.
To leverage the new SPI methods we had to create a new integration module specific for Hibernate 5.6 though.

So with this version, Blaze-Persistence now also comes with explicit integration modules for 5.5 and 5.6:

<dependency>
    <groupId>com.blazebit</groupId>
    <artifactId>blaze-persistence-integration-hibernate-5.5-jakarta</artifactId>
    <version>1.6.5</version>
</dependency>
<dependency>
    <groupId>com.blazebit</groupId>
    <artifactId>blaze-persistence-integration-hibernate-5.6-jakarta</artifactId>
    <version>1.6.5</version>
</dependency>

or if you are still working with Java EE APIs:

<dependency>
    <groupId>com.blazebit</groupId>
    <artifactId>blaze-persistence-integration-hibernate-5.5</artifactId>
    <version>1.6.5</version>
</dependency>
<dependency>
    <groupId>com.blazebit</groupId>
    <artifactId>blaze-persistence-integration-hibernate-5.6</artifactId>
    <version>1.6.5</version>
</dependency>

If you were using the 5.3 or 5.4 integration so far for Hibernate 5.5 or 5.6, we would like to ask you to switch to the respective integration module to avoid running into issues.

Quarkus improvements/fixes

Thanks to Guillaume Smet for helping us fix issues with the Quarkus metadata in our integration which prevented using the Quarkus Dev UI with the Blaze-Persistence integration.

While working on that and verifying everything works smoothly, we also added support for firing a CriteriaBuilderConfiguration CDI event on application start and documented this new way of customizing Blaze-Persistence within the Quarkus documentation.

Take a look into the changelog for a full list of changes and improvements.

Enjoy the release and stay tuned for the next one!

1.6.4

27 Dec 12:34

We are happy to announce the fourth bug fix release of the 1.6 series. This release again contains not only bug fixes, but also some new features that I would like to highlight.

Jakarta artifacts

As of this release, we are publishing artifact variants with an artifact id suffix -jakarta which, as the name suggests, are Jakarta EE compatible.
This means that these artifacts depend on and use the jakarta.* namespace. We will most likely continue to ship separate artifacts for Jakarta EE compatibility until version 2.0.
With version 2.0 we will switch our main artifacts to use the jakarta namespace and instead produce -javaee artifacts for some time.

Ordered Set-Aggregate functions

Blaze-Persistence now supports ordered set-aggregate functions and the JPQL.Next language was extended to support the WITHIN GROUP clause syntax.
We added support for the PERCENTILE_CONT, PERCENTILE_DISC and MODE ordered set-aggregate functions and most importantly,
we also added a function for the SQL standard LISTAGG ordered set-aggregate function as alternative to GROUP_CONCAT
which we emulate on all major databases that have a supported vendor specific variant of the string aggregation, just like we did for GROUP_CONCAT before.

Have fun with string aggregations like LISTAGG(e.name, ', ') WITHIN GROUP (ORDER BY e.name)

JPA Criteria extensions

A great addition was made in the JPA Criteria module which now supports defining a WINDOW, analogously to the SQL WINDOW clause.
A WINDOW can be applied to window functions, as well as aggregate functions which are then used as window functions, and ordered set-aggregate functions.
Another nice addition is the possibility to specify a FILTER clause predicate for aggregate and ordered set-aggregate functions.

Here is a quick example that aggregates the names of cats that have an age greater than 10 as a comma-separated list, grouped by owner.

BlazeCriteriaBuilder cb = BlazeCriteria.get(criteriaBuilderFactory);
BlazeCriteriaQuery<Tuple> tupleQuery = cb.createTupleQuery();
BlazeRoot<Cat> cat = tupleQuery.from(Cat.class, "c");
tupleQuery.multiselect(
	cb.listagg(cat.get(Cat_.name), cb.literal(", "))
		.filter(cb.greaterThan(cat.get(Cat_.age), 10L))
		.withinGroup(cb.asc(cat.get(Cat_.name)))
);
tupleQuery.groupBy(cat.get(Cat_.owner));

Tuple actual = tupleQuery.createCriteriaBuilder(em).getResultList().get(0);

New GraphQL integrations

While helping a user to get started with SPQR, a GraphQL framework that is popular in the Spring ecosystem, a SPQR example application was developed.
Since the integration with SPQR was non-trivial, we introduced a new module that serves as integration between Blaze-Persistence and SPQR named blaze-persistence-integration-graphql-spqr
along with a new documentation section describing the setup.
The user wanted to go further and make use of updatable entity-views through GraphQL mutations, which we didn't have experience with so far.
It was very interesting to get into this and we are pretty happy with the way the integration turned out.

TLDR, GraphQL mutations are now supported for all GraphQL integration modules except for Netflix DGS, which can only be supported until version 4.6,
as the 4.6 release removed support for customizing the deserialization. Please help us convince the maintainers of DGS to consider adding an SPI by commenting and voting on the GitHub discussion.

Take a look into the example applications to get a sense for how this can work out with your favorite framework!

Entity-View deserialization through JSONB

Since SmallRye GraphQL, the most popular implementation of MicroProfile GraphQL, relies on JSONB and we wanted to add support for GraphQL mutations for all GraphQL integration modules,
we decided to develop an entity-view integration for JSONB as well. Unlike Jackson, JSONB unfortunately doesn't provide support for registering a deserializer object per type,
but instead requires registering a deserializer class per type, which means we have to generate these deserializer classes before registration.
The unfortunate consequence of this is that this is currently a JVM only feature. We have plans to create an SPI that allows influencing code generation, which will solve this problem.

See the documentation for details about the setup of the JSONB integration.

While working on the JSONB integration, we noticed that our assumption about Jackson being the de-facto standard JSON framework for JAX-RS was wrong,
as JSONB is the only supported JSON serialization framework on MicroProfile GraphQL. This led to a small breaking change.

JAX-RS integration split

Due to the addition of the JSONB integration, which also required a dedicated JAX-RS integration variant, we decided to split the blaze-persistence-integration-jaxrs artifact
and move out the Jackson framework specific parts into a separate module blaze-persistence-integration-jaxrs-jackson.

We are sorry for the inconvenience, but when updating to 1.6.4 you now have to additionally add the Jackson module dependency, as the blaze-persistence-integration-jaxrs now only contains the API classes.

Quarkus improvements/fixes

Just like in the CDI integration, we now fire an EntityViewConfiguration event that allows customization of configuration, registration of custom basic types etc.

We were informed that JSON serialization for entity views didn't work for native images, which is now fixed. Thanks for the report!

Merry Christmas and a happy new year

We hope you enjoy this late Christmas present and wish you all a happy new year!

Take a look into the changelog for a full list of changes and improvements.

Enjoy the release and stay tuned for the next one!

1.6.3

10 Oct 09:12

We are happy to announce the third bug fix release of the 1.6 series. This release again contains not only bug fixes, but also some new features that I would like to highlight.

Yet again, thanks to the extensive testing of Eugen Mayer from KontextWork we polished the GraphQL integration even further.
The integration now supports inferring nullability of entity view attributes for the generated GraphQL schema based on the mapping expression.
On top of that, he also helped us fix an issue with the "single valued association id access optimization" for non primary key based foreign keys, which now also avoids producing a join.

We fixed a few bugs and lifted certain limitations for entity views:

  • Fix pagination issues when JOIN fetching for a collection and SUBSELECT fetching was used
  • Support SUBSELECT fetching when main query builder uses LIMIT/OFFSET and/or ORDER BY clauses
  • Validate more uses of MULTISET fetching for proper type support to avoid runtime errors
  • Validate mapping index expressions properly regarding their typing
  • Fix issues with setter determination in entity views when same named methods with different arguments exist
  • Fix concurrency issue in entity view annotation processor leading to strange errors

Thanks to our awesome community we fixed:

  • JPA Criteria bug regarding joins over embeddables and parameter handling issues
  • Fix compatibility with Quarkus 2.1+ by registering ValuesEntity in deployment integration
  • Fix base URI determination in Spring HATEOAS integration to be compatible with Spring HATEOAS 1.3.4
  • Fix parsing of LIKE predicate with parameter in ESCAPE
  • Fix literal parsing issues with a single backslash to match the requirements of the JPA spec
  • Fix rendering of literals in JPA Criteria and introduce configuration option to control value rendering
  • Make sure LIMIT/OFFSET is respected when generating a count query

The changes we had to make to the string literal parsing and rendering to match the expectation of the JPA spec unveiled a non-standard-compliant behavior of PostgreSQL,
which uses a backslash as default escape character in a LIKE predicate when no escape character is given.
We automatically escape the LIKE pattern now to guarantee the same behavior across databases, but this escaping might lead to double escaping if you already did escaping for PostgreSQL.

Make sure to remove your escaping, i.e. replace("\\", "\\\\"), from your code when updating to Blaze-Persistence 1.6.3.

Another thing to watch out for in this release is the stricter type validation in entity views. Previously we didn't properly type validate all mapping expressions,
which could have led to some runtime exceptions. Now that we do type validation, you might see startup failures though due to unsafe expressions.
A prime example of a possible issue is the comparison of an enum attribute with a string or integer i.e. the SQL representation.
An expression like case when type = 'KEY' then ... should be replaced with case when type = package.MyEnum.KEY then ... so that the comparison has matching types.

Take a look into the changelog for a full list of changes and improvements.

Enjoy the release and stay tuned for the next one!

1.6.2

05 Sep 17:33

We are happy to announce the second bug fix release of the 1.6 series. This release contains not only bug fixes, but also quite a few new features/integrations that I would like to highlight.

I'm very happy that Eugen Mayer from KontextWork did some extensive testing of the GraphQL integration (which obviously uncovered some bugs)
and prototyped the support for newer graphql-java versions as required for integrating with the Netflix DGS runtime.
Thanks to his help, we now also have an example that showcases how our GraphQL integration can be used with Netflix DGS. On top of that, we also added support for SmallRye GraphQL through the Microprofile GraphQL API,
as well as added an example application for that and updated the documentation by describing the necessary steps to set up the integration for the various runtimes.

The support for Spring Boot/Data 2.5 is now also ensured and verified as we added a new profile for testing the new version.

Thanks a lot to Jan-Willem Gmelig Meyling for his great work for the support for QueryDSL 5.0, the new FunctionContributor SPI
and the support for chunk-processing results through the new Stream<T> getResultStream() method that was also introduced with JPA 2.2 on javax.persistence.Query.

Take a look into the changelog for a full list of changes and improvements.

Enjoy the release and stay tuned for the next one!