Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency com.graphql-java:graphql-java to v20.9 [SECURITY] #184

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jul 31, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
com.graphql-java:graphql-java 20.2 -> 20.9 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-40094

GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions.


Release Notes

graphql-java/graphql-java (com.graphql-java:graphql-java)

v20.9: 20.9

Compare Source

This is a special release to add further limits to introspection queries.

This release contains a backport of PR #​3539.

What's Changed

Full Changelog: graphql-java/graphql-java@v20.8...v20.9

v20.8: 20.8

Compare Source

This is a special release to help control introspection queries.

This release adds a default check for introspection queries, to check that they are sensible. This feature is a backport of https://github.com/graphql-java/graphql-java/pull/3526 and https://github.com/graphql-java/graphql-java/pull/3527.

This release also adds an optional maximum result nodes limit, which is a backport of https://github.com/graphql-java/graphql-java/pull/3525.

What's Changed

Full Changelog: graphql-java/graphql-java@v20.7...v20.8

v20.7: 20.7

Compare Source

This is a small bugfix release which includes a backport of PR #​3334, which fixes a type unwrapping bug.

What's Changed

Full Changelog: graphql-java/graphql-java@v20.6...v20.7

v20.6: 20.6

Compare Source

This 20.6 release includes a critical Guava fix.

The 20.5 release had a problem where Guava classes were not shaded due to a configuration error. Do not use version 20.5 and please use this version 20.6 instead.

What's Changed

Full Changelog: graphql-java/graphql-java@v20.5...v20.6

v20.5: 20.5

Compare Source

Do not use version 20.5. Please use version 20.6 instead.

Version 20.5 contains a problem where Guava files were not shaded due to a configuration error. This is fixed in 20.6.


This is a bugfix release which backports two default value fixes.

This release also updates Guava to keep security scanners happy. Some security scanners had incorrectly flagged an earlier patched version of Guava as still vulnerable to CVE-2023-2976. To avoid incorrect security alerts, we have updated Guava to a version that all scanners will accept as patched. More details in #​3279 and #​3263.

What's Changed

Full Changelog: graphql-java/graphql-java@v20.4...v20.5

v20.4: 20.4

Compare Source

This is a special release with only one commit: updating the version of Guava to 32.0.0 to address CVE-2023-2976.

graphql-java shades in selected classes of Guava. Although this library does not use any of the code described in the CVE, we received reports in #​3239 that the Guava POM inside the jar was incorrectly triggering security scanners. We'd prefer to keep those security scanners happy and upgrade the Guava version.

What's Changed

Full Changelog: graphql-java/graphql-java@v20.3...v20.4

v20.3: 20.3

Compare Source

This is a special release with only one commit: reverting stricter parseValue scalar coercion. It is a backport of https://github.com/graphql-java/graphql-java/pull/3186

We received feedback that the stricter coercion was difficult without a migration pathway. The next release will include an input interceptor to enable monitoring and/or custom modification of inputs.

What's Changed

Full Changelog: graphql-java/graphql-java@v20.2...v20.3


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants