Releases: graphql-java/graphql-java
19.9
21.2
This is a release with new features and bugfixes. There are no breaking changes.
Thanks to everyone who contributed to this release. Thanks for your code contributions, for reporting issues, and contributing to discussions.
@oneOf
directive
We've implemented the @oneOf
directive for input objects. From the RFC:
OneOf Input Objects are a special variant of Input Objects where the type system asserts that exactly one of the fields must be set and non-null, all others being omitted
This will soon be a new built-in directive in the GraphQL specification.
The directive is currently labelled as experimental inside graphql-java while we wait for the RFC to be formally approved. The final step before the RFC is approved is your feedback! If you're using @oneOf
, please share your thoughts on the RFC on the GraphQL Working Group repository.
DataLoader version 3.2.1 released
We've released a new version of java-dataloader including a new ticker mode and predicates per dataloader. See the release notes for more details.
What's Changed
- Add max depth option to ExecutableNormalizedOperationFactory by @gnawf in #3268
- Handle repeated query directives by @gnawf in #3270
- Update readme by @dondonz in #3273
- Wrap NumberFormatException by @arthurscchan in #3282
- Bump org.openjdk.jmh:jmh-core from 1.36 to 1.37 by @dependabot in #3289
- Bump com.google.guava:guava from 32.1.1-jre to 32.1.2-jre by @dependabot in #3284
- Bump org.openjdk.jmh:jmh-generator-annprocess from 1.36 to 1.37 by @dependabot in #3290
- deprecated default value method produces bad results by @bbakerman in #3286
- write query directives from ENF to AST by @russellyou in #3295
- Add SchemaPrinter AST comments support by @vadimofd in #3287
- Bug 3276 - default values not being used correctly during validation by @bbakerman in #3278
- Experimental - oneOf directive support by @bbakerman in #3275
- add directiveName as property to AppliedDirectiveLocationDetail by @faizan-siddiqui in #3297
- Schema Printer - add deprecation reason printing and fix missing deprecated directive on argument by @vadimofd in #3298
- Added support for async create state in instrumentmentations by @bbakerman in #3302
- The last Java unit test by @bbakerman in #3305
- Permit parent restricted nodes to map to isolated nodes by @gnawf in #3304
- Bump org.codehaus.groovy:groovy from 3.0.18 to 3.0.19 by @dependabot in #3307
- Use the non deprecated method in InstrumentationExamples.java by @appreciated in #3265
- Update security policy by @dondonz in #3316
- guava version fix for master by @bbakerman in #3321
- Bump actions/checkout from 3 to 4 by @dependabot in #3325
- ES errors test to lock in current behavior by @bbakerman in #3327
- Fix OSGi bundle manifest by @geichelberger in #3313
- Allow schema diff to use SDL document to enforce directives by @ndejaco2 in #3344
- The ability to get the source location of a schema element by @bbakerman in #3340
- Bump com.fasterxml.jackson.core:jackson-databind from 2.15.2 to 2.15.3 by @dependabot in #3350
- Build cache fixes by @Duhemm in #3335
- Issue 3332 - overlapping aliases should be prevented by @bbakerman in #3334
- #3267 clear directives schema usage bug fix by @bbakerman in #3272
- removed synchronised from code base as much as possible for VT by @bbakerman in #3317
- Update DataLoader to 3.2.1 by @dondonz in #3351
New Contributors
- @arthurscchan made their first contribution in #3282
- @vadimofd made their first contribution in #3287
- @faizan-siddiqui made their first contribution in #3297
- @appreciated made their first contribution in #3265
- @geichelberger made their first contribution in #3313
- @ndejaco2 made their first contribution in #3344
- @Duhemm made their first contribution in #3335
Full Changelog: v21.0...v21.2
21.1
This is a bugfix release, which includes two recent default value fixes.
What's Changed
- 21.x Cherry pick pull request #3286 by @dondonz in #3315
- 21.x cherry pick of #3278 default value bugfix by @dondonz in #3314
- guava version fix for 21.x by @bbakerman in #3322
Full Changelog: v21.0...v21.1
20.6
This 20.6 release includes a critical Guava fix.
The 20.5 release had a problem where Guava classes were not shaded due to a configuration error. Do not use version 20.5 and please use this version 20.6 instead.
What's Changed
- guava version fix for 20.x by @bbakerman in #3320
Full Changelog: v20.5...v20.6
19.8
This version 19.8 release includes a critical Guava fix.
The 19.7 release had a problem where Guava classes were not shaded due to a configuration error. Do not use version 19.7 and please use this version 19.8 instead.
What's Changed
- guava version fix for 19.x by @bbakerman in #3319
Full Changelog: v19.7...v19.8
20.5
Do not use version 20.5. Please use version 20.6 instead.
Version 20.5 contains a problem where Guava files were not shaded due to a configuration error. This is fixed in 20.6.
This is a bugfix release which backports two default value fixes.
This release also updates Guava to keep security scanners happy. Some security scanners had incorrectly flagged an earlier patched version of Guava as still vulnerable to CVE-2023-2976. To avoid incorrect security alerts, we have updated Guava to a version that all scanners will accept as patched. More details in #3279 and #3263.
What's Changed
- 20.x Guava update by @dondonz in #3279
- 20.x backport of #3286 null default value bugfix by @dondonz in #3293
- 20.x backport of #3278 default value bugfix by @dondonz in #3309
Full Changelog: v20.4...v20.5
19.7
Do not use version 19.7. Please use version 19.8 instead.
Version 19.7 contains a problem where Guava files were not shaded due to a configuration error. This is fixed in 19.8.
This is a bugfix release which backports two default value fixes.
This release also updates Guava to keep security scanners happy. Some security scanners had incorrectly flagged an earlier patched version of Guava as still vulnerable to CVE-2023-2976. To avoid incorrect security alerts, we have updated Guava to a version that all scanners will accept as patched. More details in #3280 and #3263.
What's Changed
- 19.x Guava update again by @dondonz in #3280
- 19.x backport of #3286 null default value bugfix by @dondonz in #3294
- 19.x backport of #3278 default value bugfix by @dondonz in #3310
Full Changelog: v19.6...v19.7
18.7
This is a special release with only one change, which updates the Guava version to v32.1.1.
This release does not change any code in graphql-java. It is only to keep security scanners happy.
graphql-java shades in selected classes of Guava. graphql-java never used the classes affected by CVE-2023-2976, but nevertheless the Guava version number appears in metadata, which is read by security scanners. While we previously released a version of graphql-java with the patched Guava version, this initial patched version had an issue with the Windows release. This caused some security scanners to still consider the initial patched version as "vulnerable". This release updates the Guava version to 32.1.1 which does not have the Windows release problem.
More details: #3263
21.0
We are pleased to announce the release of graphql-java v21.0. This is a breaking change release.
Thanks to everyone in the community who contributed to the release, whether that was code, helping to report issues, or participating in discussions.
And Happy 8th Birthday to graphql-java, who celebrated their birthday last week!
Breaking Changes
Upgraded to Java 11
graphql-java now requires Java 11 as a minimum version. See the blog announcing the change.
For those who need time to upgrade to Java 11, keep in mind we will support graphql-java 20.x (with Java 8) for a short period as per our release policy.
If you are wondering why we are not on a later version, graphql-java has always been conservative on its base JVM version to allow the widest possible set of consumers.
Reverted stricter scalar parseValue
coercion, added monitoring and interceptor callback
v20.0 introduced a stricter set of scalar parseValue
coercions - for example previously an Integer
would accept a string if it parsed into a number but that was removed and a more strict system was put in place.
While technically more correct, and consistent with the graphql-js reference implementation, in practice this proved problematic for some consumers. So this more stricter parseValue
coercion was reverted in v20.3.
We would like to re-introduce this more strict scalar parseValue
conversion in the future and to that end we have introduced a graphql.execution.values.InputInterceptor
callback that allows you to observe what values you are receiving and potentially do special tweaking of those values.
A graphql.execution.values.legacycoercing.LegacyCoercingInputInterceptor
implementation will convert old less strict values into then more strict values for example.
If you had problems with scalar values we urge you to use the new InputInterceptor
to learn what less strict values are coming into your systems and fix them up. That way, when a future version re-introduces the more strict (and more correct) coercion then you will be prepared.
Static recordLike() methods no longer supported
In v20, the PropertyDataFetcher
would read property values from recordLike()
methods on objects even if they were static methods. This caused problems for some users and after considering how to fix it and talking to some our major consumers like the Spring team, we decided to remove this behavior. On balance we think this will lead to a better outcome over the long term.
This is a breaking change for those who might have relied on a static recordLike()
method being called for a property.
Removal of old deprecated methods and classes
The following PRs removed old deprecated methods and class. The changes are breaking ones but these have been deprecated for a long time.
Other small breaking changes
A very minor breaking change is that graphql.execution.ExecutionStrategy
had a protected method protected Iterable<Object> toIterable(Object result)
which really is a utility method and not designed for overriding. graphql.util.FpKit#toIterable
is the preferred replacement.
What's new in v21
ExecutableNormalisedXXX is now public API
The graphql.normalized.ExecutableNormalizedOperation
and graphql.normalized.ExecutableNormalizedField
code is now public API.
This API allows you to represent what MAY be executed given a schema and a valid GraphQL query.
This code is not intended for general consumption but perhaps you are writing a framework based on graphql-java and need to have a powerful representation of what would be executed, then these classes are for you.
This allows you to write specialized code (such as a new execution engine or perhaps a federated GraphQL engine like say Nadel) based on these tree like representations of a normalized and executable query.
Building extensions in data fetchers
There is a new graphql.extensions.ExtensionsBuilder
that allows data fetcher callbacks to add extension values into the final result. Since extensions are a map and there could be merge conflicts on values, a graphql.extensions.ExtensionsMerger
interface is provided to handle these conflicts and a default graphql.extensions.DefaultExtensionsMerger
is provided.
This is available via the graphql.GraphQLContext
and is put in there by default so data fetchers can rely on it being present. At the end of the request the ExtensionsBuilder
is called to build out a final map of extensions which is placed in the graphql.ExecutionResult
.
A smarter schema visitor API
A new graphql.schema.visitor.GraphQLSchemaVisitor
has been created that is more domain specific around visiting GraphQL schemas. The old graphql.schema.GraphQLTypeVisitor
worked however it is very generic in nature and is not domain specific to schemas.
The new API improves how you can visit schemas and the callbacks have better schema domain information provided on them. Also the graphql.schema.visitor.GraphQLSchemaVisitorEnvironment
is better than older alternative with clearer return methods like changeNode()
or deleteNode()
and so on for controlling how the visitor works.
This is an adaptor to GraphQLTypeVisitor
and hence can be used by the existing graphql.schema.SchemaTraverser
and graphql.schema.SchemaTransformer
classes (which expect a GraphQLTypeVisitor
) via a small call to graphql.schema.visitor.GraphQLSchemaVisitor#toTypeVisitor
.
Performance improvements
As always, we have tried to include some performance improvements in the release. One area of note is avoiding unnecessary CompletableFuture allocations when they are not needed.
Other things
The QueryComplexity calculator has been broken out into its own class and can be used outside the original graphql.analysis.MaxQueryComplexityInstrumentation
context.
The graphql.execution.DataFetcherResult#map
method was added to allow better functional mapping of results.
All Changes
- Correct diff when argument is "moved" and the type is changed by @gnawf in #3156
- Check for default value changes by @gnawf in #3157
- Bump com.google.guava:guava from 31.0.1-jre to 31.1-jre by @dependabot in #3134
- Bump biz.aQute.bnd.builder from 6.3.1 to 6.4.0 by @dependabot in #3135
- Better javadoc on how code is found during SchemaGeneration by @bbakerman in #3162
- Fix edge case with bad argument renamed by @gnawf in #3164
- Bump actions/setup-java from 1 to 3 by @dependabot in #3124
- Upgrade to Java 11 (round 2) by @dondonz in #3165
- Bump com.github.javafaker:javafaker from 0.13 to 1.0.2 by @dependabot in #3167
- cleanup schema diffing code, add comments by @andimarek in #3170
- upgrade to gradle 8.0.2 by @andimarek in #3171
- Bump io.github.gradle-nexus.publish-plugin from 1.1.0 to 1.3.0 by @dependabot in #3137
- Bump com.github.johnrengelman.shadow from 7.1.2 to 8.1.1 by @dependabot in #3152
- Bump org.testng:testng from 6.1.1 to 7.7.1 by @dependabot in #3127
- Remove long deprecated method by @dondonz in #3092
- Bump org.awaitility:awaitility-groovy from 3.1.6 to 4.2.0 by @dependabot in #3166
- Bump org.openjdk.jmh:jmh-core from 1.35 to 1.36 by @dependabot in #3178
- Bump com.fasterxml.jackson.core:jackson-databind from 2.13.1 to 2.14.2 by @dependabot in #3179
- Bump com.google.code.gson:gson from 2.8.9 to 2.10.1 by @dependabot in #3177
- Fix description changes causing renames by @gnawf in #3182
- Bump org.openjdk.jmh:jmh-generator-annprocess from 1.35 to 1.36 by @dependabot in #3176
- The ability to get query directives in ENF land by @bbakerman in #3048
- Allow DataFetcherResult to set extension values during execution by @bbakerman in #3123
- Bump org.eclipse.jetty:jetty-server from 9.4.26.v20200117 to 11.0.14 by @dependabot in #3180
- Revert stricter scalar parseValue coercion by @dondonz in #3186
- Bump org.eclipse.jetty:jetty-server from 11.0.14 to 11.0.15 by @dependabot in #3189
- Bump me.champeau.jmh from 0.7.0 to 0.7.1 by @dependabot in #3190
- improve schema diffing performance by @andimarek in #3172
- Schema diff optimizing by @andimarek in https://git...
20.4
This is a special release with only one commit: updating the version of Guava to 32.0.0 to address CVE-2023-2976.
graphql-java shades in selected classes of Guava. Although this library does not use any of the code described in the CVE, we received reports in #3239 that the Guava POM inside the jar was incorrectly triggering security scanners. We'd prefer to keep those security scanners happy and upgrade the Guava version.
What's Changed
Full Changelog: v20.3...v20.4