Releases: graphql-java/graphql-java

19.6

08 Jun 04:48
c18cb48

This is a special release with only one commit: updating the version of Guava to 32.0.0 to address CVE-2023-2976.

graphql-java shades in selected classes of Guava. Although this library does not use any of the code described in the CVE, we received reports in #3239 that the Guava POM inside the jar was incorrectly triggering security scanners. We'd prefer to keep those security scanners happy and upgrade the Guava version.
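Scanners of the kind mentioned above commonly identify bundled components from the Maven metadata embedded in a jar, not from which classes are actually used. The following is an added example, not graphql-java code: the jar contents, the older version string and all function names are constructed for illustration. It lists the coordinates a jar declares and flags a Guava entry below 32.0.0.

```python
import io
import re
import zipfile

def build_sample_jar(guava_version):
    """Constructed stand-in for a jar that ships a shaded dependency's Maven metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("example/shaded/Placeholder.class", b"\xca\xfe\xba\xbe")
        jar.writestr(
            "META-INF/maven/com.google.guava/guava/pom.properties",
            f"# constructed sample\ngroupId=com.google.guava\nartifactId=guava\nversion={guava_version}\n",
        )
    return buf.getvalue()

def embedded_coordinates(jar_bytes):
    """Return sorted (groupId, artifactId, version) tuples found in pom.properties entries."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.lstrip().startswith("#"):
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            found.add((props.get("groupId", "?"), props.get("artifactId", "?"), props.get("version", "?")))
    return sorted(found)

def version_key(version):
    """Leading numeric components only: '31.1-jre' -> (31, 1)."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-", 1)[0]))

def flagged(jar_bytes, group, artifact, fixed_version):
    """Embedded copies of group:artifact whose declared version is below fixed_version."""
    return [c for c in embedded_coordinates(jar_bytes)
            if c[:2] == (group, artifact) and version_key(c[2]) < version_key(fixed_version)]

if __name__ == "__main__":
    # Both version strings are sample inputs; 32.0.0 is the fixed version named in the release note.
    for v in ("31.1-jre", "32.0.0"):
        print(v, flagged(build_sample_jar(v), "com.google.guava", "guava", "32.0.0"))
```

A match here only means the metadata declares an older version; whether the affected code is reachable is a separate question, which is the situation the release note describes.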

What's Changed

Full Changelog: v19.5...v19.6

18.6

08 Jun 01:54
6a6e48f

This is a special release with only one commit: updating the version of Guava to 32.0.0 to address CVE-2023-2976.

graphql-java shades in selected classes of Guava. Although this library does not use any of the code described in the CVE, we received reports in #3239 that the Guava POM inside the jar was incorrectly triggering security scanners. We'd prefer to keep those security scanners happy and upgrade the Guava version.

What's Changed

Full Changelog: v18.5...v18.6

20.3

29 May 01:04
805fd79

This is a special release with only one commit: reverting stricter parseValue scalar coercion. It is a backport of #3186.

We received feedback that the stricter coercion was difficult without a migration pathway. The next release will include an input interceptor to enable monitoring and/or custom modification of inputs.

What's Changed

Full Changelog: v20.2...v20.3

19.5

30 Mar 23:40
7a4b8de

This is a security bugfix release containing only one PR: #3158

This adds a limit to the number of characters used in an operation.

Full details can be found here: #3148

What's Changed

  • This is the backport of the max characters in a parse to the 19.x branch by @bbakerman in #3158

Full Changelog: v19.4...v19.5

18.5

30 Mar 23:39
fac642c

This is a security bugfix release containing only one PR: #3159

This adds a limit to the number of characters used in an operation.

Full details can be found here: #3148

What's Changed

Full Changelog: v18.4...v18.5

17.6

30 Mar 23:39
c3a1662

This is a security bugfix release containing only one PR: #3160

This adds a limit to the number of characters used in an operation.

Full details can be found here: #3148

What's Changed

Full Changelog: v17.5...v17.6

20.2

30 Mar 23:42
fabc3e0

This is a security bugfix release containing #3148, which adds a limit to the number of characters used in an operation.

There are no breaking changes in this release.

What's Changed

Full Changelog: v20.1...v20.2

18.4

22 Mar 03:09
3e2ccea

This is a security bugfix release containing only one PR: #3144

This adds a limit to the depth of grammar rules, to prevent stack overflow.

Full details can be found here: #3112

What's Changed

Full Changelog: v18.3...v18.4

17.5

22 Mar 02:58
354bcc3

This is a security bugfix release containing only one PR: #3139

This adds a limit to the depth of grammar rules, to prevent stack overflow.

Full details can be found here: #3112

What's Changed

Full Changelog: v17.4...v17.5

20.1

22 Mar 03:32
4aedac7

This is a feature and bugfix release. There are no breaking changes in this release. This release continues to use Java 8.

Thanks to everyone in the community for helping us with this release. Thanks for your PRs, issues, and discussions!

Security fix

This release includes a security fix #3112 which adds a limit to the depth of grammar rules, to prevent stack overflow.

Highlights

#3095 improves resiliency to class loader problems with LambdaMetafactory.

#3049 adds an extensions builder and merger.

Release policy

We have formalised our release schedule to give the community a better idea of when to expect releases, what will be contained within them, and when important fixes will be backported. See the full details at https://www.graphql-java.com/blog/release-policy

What's Changed

  • docs: update badges for v20 release by @setchy in #3047
  • Update FieldValidationInstrumentation.java by @kfwerf in #3066
  • Update vulnerability reporting instructions by @dondonz in #3070
  • Fix extend schema directives ANTLR rule by @dondonz in #3071
  • Allow users to disable MultiSourceReader trackData through ParserOptions by @AntaresS in #3062
  • Add missing getter and fix name consistency by @gnawf in #3073
  • use toolchain to specify the java version by @andimarek in #3075
  • Fix isNameChanged by @gnawf in #3076
  • Update instrumentation example in documentation by @dondonz in #3078
  • Reuse ExecutionStrategyInstrumentationContext.NOOP in DataLoaderDispatcherInstrumentation by @dfa1 in #3068
  • Add missing this keyword for readability by @cookieMr in #3067
  • defaulting the deprecated methods in Coercing by @bbakerman in #3063
  • Add missing detail by @gnawf in #3079
  • Updating the JavaDoc http links by @bbakerman in #3083
  • An Extensions Builder by @bbakerman in #3049
  • Use ImmutableList.builderWithExpectedSize in ImmutableKit.mapAndDropNulls too by @dfa1 in #3081
  • Resolve TypeReferences in schema applied directives by @kaqqao in #3054
  • Remove sun.misc.* from MANIFEST.MF by @dondonz in #3091
  • Replace javax nullable annotations with JetBrains equivalent by @dondonz in #3093
  • Ensured that the MANIFEST.MF files is the first entry in the JAR File by @schaefa in #3097
  • Fix type change and directive deletion problems in schema diffing by @gnawf in #3102
  • Handle enum value rename by @gnawf in #3103
  • Bugfix: do not use default operation name types if not included in schema definition block by @dondonz in #3088
  • Adding ExtensionsBuilder in the graphql context by default by @bbakerman in #3085
  • Meta Lambda failures - make the code more resilient to class loader challenges by @bbakerman in #3095
  • Gracefully returning null in cases of UnresolvedTypeException by @ahmadizm in #3122
  • Add dependabot configuration by @yeikel in #3115
  • Bump org.jetbrains:annotations from 23.0.0 to 24.0.1 by @dependabot in #3125
  • Remove unused dependencies by @dondonz in #3132
  • Bump actions/checkout from 1 to 3 by @dependabot in #3126
  • Bump google-github-actions/auth from 0.4.0 to 1.0.0 by @dependabot in #3129
  • Bump org.codehaus.groovy:groovy from 3.0.9 to 3.0.16 by @dependabot in #3131
  • Add manual stop on schema diffing algorithm by @gnawf in #3119
  • Preventing stack overflow exceptions via limiting the depth of the parser rules by @bbakerman in #3112
  • UniqueObjectFieldName validation rule (#1806) by @ashatch in #3094

New Contributors

Full Changelog: v20.0...v20.1