Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump graphql-java from 15.0 to 17.4 #50

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

dependabot[bot]
Copy link

@dependabot dependabot bot commented on behalf of github Sep 16, 2022

Bumps graphql-java from 15.0 to 17.4.

Release notes

Sourced from graphql-java's releases.

17.4

This is a security bugfix release containing only one PR: graphql-java/graphql-java#2902

GraphQL Java has a max token limit per request preventing DOS attacks. But in some circumstances it was not enough to prevent malicious requests. This release fixes this problem.

All details can be found here: graphql-java/graphql-java#2892

17.3

This bug fix version of graphql-java provides new limits to help prevent Denial Of Service attacks induced by over parsing and validation.

Attackers can craft queries that consume lot of resources to parse and validate, which which ultimately invalid can deny real queries from being serviced.

graphql-java/graphql-java#2549

graphql-java/graphql-java#2553

There are new limits imposed by default. Parsing will be terminated after 1500 tokens and only 100 validation errors will be captured.

We chose to put in defaults so that people will get some amount of bad query parse and validate DOS protection out of the box.

There are JVM wide methods to change the default on these if that's problematic for your implementation.

There is also a small fix in the ValueResolver

graphql-java/graphql-java@8530366

17.2

This is a bugfix release which contains the following changes:

https://github.com/graphql-java/graphql-java/milestone/36?closed=1

17.1

Upgrade to DataLoader 3.1.0

This release upgrade the DataLoader library to 3.1.0 which adds the ability to have an external value cache in place during data loader batch calls.

You can use it to model access to external caches like REDIS amd even do batch "cache gets".

17.0

We are happy to announce v17.0 of graphql-java

https://github.com/graphql-java/graphql-java/milestone/31?closed=1

@deprecated supported on input fields

... (truncated)

Commits
  • cb88645 17.x port - Stop DOS attacks by making the lexer stop early on evil input (#2...
  • bf4e324 Fixing master test
  • 7f27a04 Help prevent DOS attacks on graphql servers (#2549)
  • 23d352f Support Max validation errors being produced (#2553)
  • 84984aa Added a named SDL definition (#2538)
  • ba2a29a minor performance improvement (#2532)
  • 8530366 This fixes a Bug in the ValueResolver (#2531)
  • 27b11d9 Merge pull request #2513 from graphql-java/fix_glob_matching_on_window
  • 45b5901 Merge pull request #2520 from schenkman/instrumentation_field_errors
  • 8ca743d inline variable
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [graphql-java](https://github.com/graphql-java/graphql-java) from 15.0 to 17.4.
- [Release notes](https://github.com/graphql-java/graphql-java/releases)
- [Commits](graphql-java/graphql-java@v15.0...v17.4)

---
updated-dependencies:
- dependency-name: com.graphql-java:graphql-java
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Sep 16, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants