You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@sling.apache.org by GitBox <gi...@apache.org> on 2022/09/16 21:08:22 UTC

[GitHub] [sling-org-apache-sling-graphql-schema-aggregator] dependabot[bot] opened a new pull request, #3: Bump graphql-java from 15.0 to 17.4

dependabot[bot] opened a new pull request, #3:
URL: https://github.com/apache/sling-org-apache-sling-graphql-schema-aggregator/pull/3

   Bumps [graphql-java](https://github.com/graphql-java/graphql-java) from 15.0 to 17.4.
   <details>
   <summary>Release notes</summary>
   <p><em>Sourced from <a href="https://github.com/graphql-java/graphql-java/releases">graphql-java's releases</a>.</em></p>
   <blockquote>
   <h2>17.4</h2>
   <p>This is a security bugfix release containing only one PR: <a href="https://github-redirect.dependabot.com/graphql-java/graphql-java/pull/2902">graphql-java/graphql-java#2902</a></p>
   <p>GraphQL Java has a max token limit per request preventing DOS attacks. But in some circumstances it was not enough to prevent malicious requests. This release fixes this problem.</p>
   <p>All details can be found here: <a href="https://github-redirect.dependabot.com/graphql-java/graphql-java/pull/2892">graphql-java/graphql-java#2892</a></p>
   <h2>17.3</h2>
   <p>This bug fix version of graphql-java provides new limits to help prevent Denial Of Service attacks induced by over parsing and validation.</p>
   <p>Attackers can craft queries that consume lot of resources to parse and validate, which which ultimately invalid can deny real queries from being serviced.</p>
   <p><a href="https://github-redirect.dependabot.com/graphql-java/graphql-java/pull/2549">graphql-java/graphql-java#2549</a></p>
   <p><a href="https://github-redirect.dependabot.com/graphql-java/graphql-java/pull/2553">graphql-java/graphql-java#2553</a></p>
   <p>There are new limits imposed by default.  Parsing will be terminated after 1500 tokens and only 100 validation errors will be captured.</p>
   <p>We chose to put in defaults so that people will get some amount of bad query parse and validate DOS protection out of the box.</p>
   <p>There are JVM wide methods to change the default on these if that's problematic for your implementation.</p>
   <p>There is also a small fix in the ValueResolver</p>
   <p><a href="https://github.com/graphql-java/graphql-java/commit/8530366f24ba316075a63402473cb2a38ca36ab3">https://github.com/graphql-java/graphql-java/commit/8530366f24ba316075a63402473cb2a38ca36ab3</a></p>
   <h2>17.2</h2>
   <p>This is a bugfix release which contains the following changes:</p>
   <p><a href="https://github.com/graphql-java/graphql-java/milestone/36?closed=1">https://github.com/graphql-java/graphql-java/milestone/36?closed=1</a></p>
   <h2>17.1</h2>
   <h1>Upgrade to DataLoader 3.1.0</h1>
   <p>This release upgrade the DataLoader library to <code>3.1.0</code> which adds the ability to have an external value cache in place during data loader batch calls.</p>
   <p>You can use it to model access to external caches like REDIS amd even do batch &quot;cache gets&quot;.</p>
   <h2>17.0</h2>
   <p>We are happy to announce v17.0 of graphql-java</p>
   <p><a href="https://github.com/graphql-java/graphql-java/milestone/31?closed=1">https://github.com/graphql-java/graphql-java/milestone/31?closed=1</a></p>
   <h1><code>@deprecated</code> supported on input fields</h1>
   <!-- raw HTML omitted -->
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a href="https://github.com/graphql-java/graphql-java/commit/cb88645bec5778c1a90f81e58bd394bdc605c166"><code>cb88645</code></a> 17.x port - Stop DOS attacks by making the lexer stop early on evil input (<a href="https://github-redirect.dependabot.com/graphql-java/graphql-java/issues/2">#2</a>...</li>
   <li><a href="https://github.com/graphql-java/graphql-java/commit/bf4e324e208dca669a6ab6f15fcf8b01f329df58"><code>bf4e324</code></a> Fixing master test</li>
   <li><a href="https://github.com/graphql-java/graphql-java/commit/7f27a046c1cb133ede2fa64ffe5a499ad4c0b223"><code>7f27a04</code></a> Help prevent DOS attacks on graphql servers (<a href="https://github-redirect.dependabot.com/graphql-java/graphql-java/issues/2549">#2549</a>)</li>
   <li><a href="https://github.com/graphql-java/graphql-java/commit/23d352f1eae5b68dd353f817255ef3df764e6a2d"><code>23d352f</code></a> Support Max validation errors being produced (<a href="https://github-redirect.dependabot.com/graphql-java/graphql-java/issues/2553">#2553</a>)</li>
   <li><a href="https://github.com/graphql-java/graphql-java/commit/84984aa4ce51473e2fd59ed9de1f54064ae1fdb5"><code>84984aa</code></a> Added a named SDL definition (<a href="https://github-redirect.dependabot.com/graphql-java/graphql-java/issues/2538">#2538</a>)</li>
   <li><a href="https://github.com/graphql-java/graphql-java/commit/ba2a29a4e5bce778c8b572abecd0be92c606a506"><code>ba2a29a</code></a> minor performance improvement (<a href="https://github-redirect.dependabot.com/graphql-java/graphql-java/issues/2532">#2532</a>)</li>
   <li><a href="https://github.com/graphql-java/graphql-java/commit/8530366f24ba316075a63402473cb2a38ca36ab3"><code>8530366</code></a> This fixes a Bug in the ValueResolver  (<a href="https://github-redirect.dependabot.com/graphql-java/graphql-java/issues/2531">#2531</a>)</li>
   <li><a href="https://github.com/graphql-java/graphql-java/commit/27b11d99d4885e81b0047a58ea88dd99b5a5b40f"><code>27b11d9</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/graphql-java/graphql-java/issues/2513">#2513</a> from graphql-java/fix_glob_matching_on_window</li>
   <li><a href="https://github.com/graphql-java/graphql-java/commit/45b590159e831a612a5193bce0552e3190a93d85"><code>45b5901</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/graphql-java/graphql-java/issues/2520">#2520</a> from schenkman/instrumentation_field_errors</li>
   <li><a href="https://github.com/graphql-java/graphql-java/commit/8ca743dc72f54e7e99aeff1ce6ca3fb8a380b4b7"><code>8ca743d</code></a> inline variable</li>
   <li>Additional commits viewable in <a href="https://github.com/graphql-java/graphql-java/compare/v15.0...v17.4">compare view</a></li>
   </ul>
   </details>
   <br />
   
   
   [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.graphql-java:graphql-java&package-manager=maven&previous-version=15.0&new-version=17.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
   
   Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
   
   [//]: # (dependabot-automerge-start)
   [//]: # (dependabot-automerge-end)
   
   ---
   
   <details>
   <summary>Dependabot commands and options</summary>
   <br />
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
   - `@dependabot merge` will merge this PR after your CI passes on it
   - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
   - `@dependabot cancel merge` will cancel a previously requested merge and block automerging
   - `@dependabot reopen` will reopen this PR if it is closed
   - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
   - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
   - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
   - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
   - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
   - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
   - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
   
   You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/apache/sling-org-apache-sling-graphql-schema-aggregator/network/alerts).
   
   </details>


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@sling.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [sling-org-apache-sling-graphql-schema-aggregator] sonarcloud[bot] commented on pull request #3: Bump graphql-java from 15.0 to 17.4

Posted by GitBox <gi...@apache.org>.

sonarcloud[bot] commented on PR #3:
URL: https://github.com/apache/sling-org-apache-sling-graphql-schema-aggregator/pull/3#issuecomment-1249825218

   Kudos, SonarCloud Quality Gate passed!&nbsp; &nbsp; [![Quality Gate passed](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/QualityGateBadge/passed-16px.png 'Quality Gate passed')](https://sonarcloud.io/dashboard?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3)
   
   [![Bug](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/bug-16px.png 'Bug')](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&resolved=false&types=BUG) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&resolved=false&types=BUG) [0 Bugs](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&resolved=false&types=BUG)  
   [![Vulnerability](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/vulnerability-16px.png 'Vulnerability')](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&resolved=false&types=VULNERABILITY) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&resolved=false&types=VULNERABILITY) [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&resolved=false&types=VULNERABILITY)  
   [![Security Hotspot](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/security_hotspot-16px.png 'Security Hotspot')](https://sonarcloud.io/project/security_hotspots?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&resolved=false&types=SECURITY_HOTSPOT) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/security_hotspots?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&resolved=false&types=SECURITY_HOTSPOT) [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&resolved=false&types=SECURITY_HOTSPOT)  
   [![Code Smell](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/code_smell-16px.png 'Code Smell')](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&resolved=false&types=CODE_SMELL) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&resolved=false&types=CODE_SMELL) [0 Code Smells](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&resolved=false&types=CODE_SMELL)
   
   [![No Coverage information](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/CoverageChart/NoCoverageInfo-16px.png 'No Coverage information')](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&metric=coverage&view=list) No Coverage information  
   [![0.0%](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/Duplications/3-16px.png '0.0%')](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&metric=new_duplicated_lines_density&view=list) [0.0% Duplication](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&metric=new_duplicated_lines_density&view=list)
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@sling.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [sling-org-apache-sling-graphql-schema-aggregator] sonarcloud[bot] commented on pull request #3: Bump graphql-java from 15.0 to 17.4

Posted by "sonarcloud[bot] (via GitHub)" <gi...@apache.org>.

sonarcloud[bot] commented on PR #3:
URL: https://github.com/apache/sling-org-apache-sling-graphql-schema-aggregator/pull/3#issuecomment-1497968771

   Kudos, SonarCloud Quality Gate passed!&nbsp; &nbsp; [![Quality Gate passed](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/QualityGateBadge/passed-16px.png 'Quality Gate passed')](https://sonarcloud.io/dashboard?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3)
   
   [![Bug](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/bug-16px.png 'Bug')](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&resolved=false&types=BUG) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&resolved=false&types=BUG) [0 Bugs](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&resolved=false&types=BUG)  
   [![Vulnerability](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/vulnerability-16px.png 'Vulnerability')](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&resolved=false&types=VULNERABILITY) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&resolved=false&types=VULNERABILITY) [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&resolved=false&types=VULNERABILITY)  
   [![Security Hotspot](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/security_hotspot-16px.png 'Security Hotspot')](https://sonarcloud.io/project/security_hotspots?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&resolved=false&types=SECURITY_HOTSPOT) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/security_hotspots?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&resolved=false&types=SECURITY_HOTSPOT) [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&resolved=false&types=SECURITY_HOTSPOT)  
   [![Code Smell](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/code_smell-16px.png 'Code Smell')](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&resolved=false&types=CODE_SMELL) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&resolved=false&types=CODE_SMELL) [0 Code Smells](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&resolved=false&types=CODE_SMELL)
   
   [![No Coverage information](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/CoverageChart/NoCoverageInfo-16px.png 'No Coverage information')](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&metric=coverage&view=list) No Coverage information  
   [![0.0%](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/Duplications/3-16px.png '0.0%')](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&metric=new_duplicated_lines_density&view=list) [0.0% Duplication](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-graphql-schema-aggregator&pullRequest=3&metric=new_duplicated_lines_density&view=list)
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@sling.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org