dependabot[bot] opened a new pull request, #3: URL: https://github.com/apache/sling-org-apache-sling-graphql-schema-aggregator/pull/3
Bumps [graphql-java](https://github.com/graphql-java/graphql-java) from 15.0 to 17.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/graphql-java/graphql-java/releases";>graphql-java's releases</a>.</em></p> <blockquote> <h2>17.4</h2> <p>This is a security bugfix release containing only one PR: <a href="https://github-redirect.dependabot.com/graphql-java/graphql-java/pull/2902";>graphql-java/graphql-java#2902</a></p> <p>GraphQL Java has a max token limit per request preventing DOS attacks. But in some circumstances it was not enough to prevent malicious requests. This release fixes this problem.</p> <p>All details can be found here: <a href="https://github-redirect.dependabot.com/graphql-java/graphql-java/pull/2892";>graphql-java/graphql-java#2892</a></p> <h2>17.3</h2> <p>This bug fix version of graphql-java provides new limits to help prevent Denial Of Service attacks induced by over parsing and validation.</p> <p>Attackers can craft queries that consume lot of resources to parse and validate, which which ultimately invalid can deny real queries from being serviced.</p> <p><a href="https://github-redirect.dependabot.com/graphql-java/graphql-java/pull/2549";>graphql-java/graphql-java#2549</a></p> <p><a href="https://github-redirect.dependabot.com/graphql-java/graphql-java/pull/2553";>graphql-java/graphql-java#2553</a></p> <p>There are new limits imposed by default. Parsing will be terminated after 1500 tokens and only 100 validation errors will be captured.</p> <p>We chose to put in defaults so that people will get some amount of bad query parse and validate DOS protection out of the box.</p> <p>There are JVM wide methods to change the default on these if that's problematic for your implementation.</p> <p>There is also a small fix in the ValueResolver</p> <p><a href="https://github.com/graphql-java/graphql-java/commit/8530366f24ba316075a63402473cb2a38ca36ab3";>https://github.com/graphql-java/graphql-java/commit/8530366f24ba316075a63402473cb2a38ca36ab3</a></p> <h2>17.2</h2> <p>This is a bugfix release which contains the following changes:</p> <p><a href="https://github.com/graphql-java/graphql-java/milestone/36?closed=1";>https://github.com/graphql-java/graphql-java/milestone/36?closed=1</a></p> <h2>17.1</h2> <h1>Upgrade to DataLoader 3.1.0</h1> <p>This release upgrade the DataLoader library to <code>3.1.0</code> which adds the ability to have an external value cache in place during data loader batch calls.</p> <p>You can use it to model access to external caches like REDIS amd even do batch "cache gets".</p> <h2>17.0</h2> <p>We are happy to announce v17.0 of graphql-java</p> <p><a href="https://github.com/graphql-java/graphql-java/milestone/31?closed=1";>https://github.com/graphql-java/graphql-java/milestone/31?closed=1</a></p> <h1><code>@deprecated</code> supported on input fields</h1> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/graphql-java/graphql-java/commit/cb88645bec5778c1a90f81e58bd394bdc605c166";><code>cb88645</code></a> 17.x port - Stop DOS attacks by making the lexer stop early on evil input (<a href="https://github-redirect.dependabot.com/graphql-java/graphql-java/issues/2";>#2</a>...</li> <li><a href="https://github.com/graphql-java/graphql-java/commit/bf4e324e208dca669a6ab6f15fcf8b01f329df58";><code>bf4e324</code></a> Fixing master test</li> <li><a href="https://github.com/graphql-java/graphql-java/commit/7f27a046c1cb133ede2fa64ffe5a499ad4c0b223";><code>7f27a04</code></a> Help prevent DOS attacks on graphql servers (<a href="https://github-redirect.dependabot.com/graphql-java/graphql-java/issues/2549";>#2549</a>)</li> <li><a href="https://github.com/graphql-java/graphql-java/commit/23d352f1eae5b68dd353f817255ef3df764e6a2d";><code>23d352f</code></a> Support Max validation errors being produced (<a href="https://github-redirect.dependabot.com/graphql-java/graphql-java/issues/2553";>#2553</a>)</li> <li><a href="https://github.com/graphql-java/graphql-java/commit/84984aa4ce51473e2fd59ed9de1f54064ae1fdb5";><code>84984aa</code></a> Added a named SDL definition (<a href="https://github-redirect.dependabot.com/graphql-java/graphql-java/issues/2538";>#2538</a>)</li> <li><a href="https://github.com/graphql-java/graphql-java/commit/ba2a29a4e5bce778c8b572abecd0be92c606a506";><code>ba2a29a</code></a> minor performance improvement (<a href="https://github-redirect.dependabot.com/graphql-java/graphql-java/issues/2532";>#2532</a>)</li> <li><a href="https://github.com/graphql-java/graphql-java/commit/8530366f24ba316075a63402473cb2a38ca36ab3";><code>8530366</code></a> This fixes a Bug in the ValueResolver (<a href="https://github-redirect.dependabot.com/graphql-java/graphql-java/issues/2531";>#2531</a>)</li> <li><a href="https://github.com/graphql-java/graphql-java/commit/27b11d99d4885e81b0047a58ea88dd99b5a5b40f";><code>27b11d9</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/graphql-java/graphql-java/issues/2513";>#2513</a> from graphql-java/fix_glob_matching_on_window</li> <li><a href="https://github.com/graphql-java/graphql-java/commit/45b590159e831a612a5193bce0552e3190a93d85";><code>45b5901</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/graphql-java/graphql-java/issues/2520";>#2520</a> from schenkman/instrumentation_field_errors</li> <li><a href="https://github.com/graphql-java/graphql-java/commit/8ca743dc72f54e7e99aeff1ce6ca3fb8a380b4b7";><code>8ca743d</code></a> inline variable</li> <li>Additional commits viewable in <a href="https://github.com/graphql-java/graphql-java/compare/v15.0...v17.4";>compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/apache/sling-org-apache-sling-graphql-schema-aggregator/network/alerts). </details> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
