GraphQL Java implementation
This is a release with new features and bugfixes. There are no breaking changes.
Thanks to everyone who contributed to this release. Thanks for your code contributions, for reporting issues, and contributing to discussions.
@oneOf directiveWe've implemented the @oneOf directive for input objects. From the RFC:
OneOf Input Objects are a special variant of Input Objects where the type system asserts that exactly one of the fields must be set and non-null, all others being omitted
This will soon be a new built-in directive in the GraphQL specification.
The directive is currently labelled as experimental inside graphql-java while we wait for the RFC to be formally approved. The final step before the RFC is approved is your feedback! If you're using @oneOf, please share your thoughts on the RFC on the GraphQL Working Group repository.
We've released a new version of java-dataloader including a new ticker mode and predicates per dataloader. See the release notes for more details.
Full Changelog: https://github.com/graphql-java/graphql-java/compare/v21.0...v21.2
This version 19.8 release includes a critical Guava fix.
The 19.7 release had a problem where Guava classes were not shaded due to a configuration error. Do not use version 19.7 and please use this version 19.8 instead.
Full Changelog: https://github.com/graphql-java/graphql-java/compare/v19.7...v19.8
This 20.6 release includes a critical Guava fix.
The 20.5 release had a problem where Guava classes were not shaded due to a configuration error. Do not use version 20.5 and please use this version 20.6 instead.
Full Changelog: https://github.com/graphql-java/graphql-java/compare/v20.5...v20.6
This is a bugfix release, which includes two recent default value fixes.
Full Changelog: https://github.com/graphql-java/graphql-java/compare/v21.0...v21.1
Version 20.5 contains a problem where Guava files were not shaded due to a configuration error. This is fixed in 20.6.
This is a bugfix release which backports two default value fixes.
This release also updates Guava to keep security scanners happy. Some security scanners had incorrectly flagged an earlier patched version of Guava as still vulnerable to CVE-2023-2976. To avoid incorrect security alerts, we have updated Guava to a version that all scanners will accept as patched. More details in #3279 and #3263.
Full Changelog: https://github.com/graphql-java/graphql-java/compare/v20.4...v20.5
Version 19.7 contains a problem where Guava files were not shaded due to a configuration error. This is fixed in 19.8.
This is a bugfix release which backports two default value fixes.
This release also updates Guava to keep security scanners happy. Some security scanners had incorrectly flagged an earlier patched version of Guava as still vulnerable to CVE-2023-2976. To avoid incorrect security alerts, we have updated Guava to a version that all scanners will accept as patched. More details in #3280 and #3263.
Full Changelog: https://github.com/graphql-java/graphql-java/compare/v19.6...v19.7
This is a special release with only one change, which updates the Guava version to v32.1.1.
This release does not change any code in graphql-java. It is only to keep security scanners happy.
graphql-java shades in selected classes of Guava. graphql-java never used the classes affected by CVE-2023-2976, but nevertheless the Guava version number appears in metadata, which is read by security scanners. While we previously released a version of graphql-java with the patched Guava version, this initial patched version had an issue with the Windows release. This caused some security scanners to still consider the initial patched version as "vulnerable". This release updates the Guava version to 32.1.1 which does not have the Windows release problem.
More details: https://github.com/graphql-java/graphql-java/issues/3263
We are pleased to announce the release of graphql-java v21.0. This is a breaking change release.
Thanks to everyone in the community who contributed to the release, whether that was code, helping to report issues, or participating in discussions.
And Happy 8th Birthday to graphql-java, who celebrated their birthday last week!
graphql-java now requires Java 11 as a minimum version. See the blog announcing the change.
For those who need time to upgrade to Java 11, keep in mind we will support graphql-java 20.x (with Java 8) for a short period as per our release policy.
If you are wondering why we are not on a later version, graphql-java has always been conservative on its base JVM version to allow the widest possible set of consumers.
parseValue coercion, added monitoring and interceptor callbackv20.0 introduced a stricter set of scalar parseValue coercions - for example previously an Integer would accept a string if it parsed into a number but that was removed and a more strict system was put in place.
While technically more correct, and consistent with the graphql-js reference implementation, in practice this proved problematic for some consumers. So this more stricter parseValue coercion was reverted in v20.3.
We would like to re-introduce this more strict scalar parseValue conversion in the future and to that end we have introduced a graphql.execution.values.InputInterceptor callback that allows you to observe what values you are receiving and potentially do special tweaking of those values.
A graphql.execution.values.legacycoercing.LegacyCoercingInputInterceptor implementation will convert old less strict values into then more strict values for example.
If you had problems with scalar values we urge you to use the new InputInterceptor to learn what less strict values are coming into your systems and fix them up. That way, when a future version re-introduces the more strict (and more correct) coercion then you will be prepared.
In v20, the PropertyDataFetcher would read property values from recordLike() methods on objects even if they were static methods. This caused problems for some users and after considering how to fix it and talking to some our major consumers like the Spring team, we decided to remove this behavior. On balance we think this will lead to a better outcome over the long term.
This is a breaking change for those who might have relied on a static recordLike() method being called for a property.
The following PRs removed old deprecated methods and class. The changes are breaking ones but these have been deprecated for a long time.
A very minor breaking change is that graphql.execution.ExecutionStrategy had a protected method protected Iterable<Object> toIterable(Object result) which really is a utility method and not designed for overriding. graphql.util.FpKit#toIterable is the preferred replacement.
The graphql.normalized.ExecutableNormalizedOperation and graphql.normalized.ExecutableNormalizedField code is now public API.
This API allows you to represent what MAY be executed given a schema and a valid GraphQL query.
This code is not intended for general consumption but perhaps you are writing a framework based on graphql-java and need to have a powerful representation of what would be executed, then these classes are for you.
This allows you to write specialized code (such as a new execution engine or perhaps a federated GraphQL engine like say Nadel) based on these tree like representations of a normalized and executable query.
There is a new graphql.extensions.ExtensionsBuilder that allows data fetcher callbacks to add extension values into the final result. Since extensions are a map and there could be merge conflicts on values, a graphql.extensions.ExtensionsMerger interface is provided to handle these conflicts and a default graphql.extensions.DefaultExtensionsMerger is provided.
This is available via the graphql.GraphQLContext and is put in there by default so data fetchers can rely on it being present. At the end of the request the ExtensionsBuilder is called to build out a final map of extensions which is placed in the graphql.ExecutionResult.
A new graphql.schema.visitor.GraphQLSchemaVisitor has been created that is more domain specific around visiting GraphQL schemas. The old graphql.schema.GraphQLTypeVisitor worked however it is very generic in nature and is not domain specific to schemas.
The new API improves how you can visit schemas and the callbacks have better schema domain information provided on them. Also the graphql.schema.visitor.GraphQLSchemaVisitorEnvironment is better than older alternative with clearer return methods like changeNode() or deleteNode() and so on for controlling how the visitor works.
This is an adaptor to GraphQLTypeVisitor and hence can be used by the existing graphql.schema.SchemaTraverser and graphql.schema.SchemaTransformer classes (which expect a GraphQLTypeVisitor) via a small call to graphql.schema.visitor.GraphQLSchemaVisitor#toTypeVisitor.
As always, we have tried to include some performance improvements in the release. One area of note is avoiding unnecessary CompletableFuture allocations when they are not needed.
The QueryComplexity calculator has been broken out into its own class and can be used outside the original graphql.analysis.MaxQueryComplexityInstrumentation context.
The graphql.execution.DataFetcherResult#map method was added to allow better functional mapping of results.
Full Changelog: https://github.com/graphql-java/graphql-java/compare/v20.2...v21.0
This is a special release with only one commit: updating the version of Guava to 32.0.0 to address CVE-2023-2976.
graphql-java shades in selected classes of Guava. Although this library does not use any of the code described in the CVE, we received reports in #3239 that the Guava POM inside the jar was incorrectly triggering security scanners. We'd prefer to keep those security scanners happy and upgrade the Guava version.
Full Changelog: https://github.com/graphql-java/graphql-java/compare/v20.3...v20.4
This is a special release with only one commit: updating the version of Guava to 32.0.0 to address CVE-2023-2976.
graphql-java shades in selected classes of Guava. Although this library does not use any of the code described in the CVE, we received reports in #3239 that the Guava POM inside the jar was incorrectly triggering security scanners. We'd prefer to keep those security scanners happy and upgrade the Guava version.
Full Changelog: https://github.com/graphql-java/graphql-java/compare/v19.5...v19.6