conveyal / gtfs-lib

A library for loading and saving GTFS feeds of arbitrary size with disk-backed storage
BSD 2-Clause "Simplified" License
71 stars 38 forks source link

chore(deps): bump graphql-java from 11.0 to 17.4 #364

Closed dependabot[bot] closed 1 year ago

dependabot[bot] commented 2 years ago

Bumps graphql-java from 11.0 to 17.4.

Release notes

Sourced from graphql-java's releases.

17.4

This is a security bugfix release containing only one PR: graphql-java/graphql-java#2902

GraphQL Java has a max token limit per request preventing DOS attacks. But in some circumstances it was not enough to prevent malicious requests. This release fixes this problem.

All details can be found here: graphql-java/graphql-java#2892

17.3

This bug fix version of graphql-java provides new limits to help prevent Denial Of Service attacks induced by over parsing and validation.

Attackers can craft queries that consume lot of resources to parse and validate, which which ultimately invalid can deny real queries from being serviced.

graphql-java/graphql-java#2549

graphql-java/graphql-java#2553

There are new limits imposed by default. Parsing will be terminated after 1500 tokens and only 100 validation errors will be captured.

We chose to put in defaults so that people will get some amount of bad query parse and validate DOS protection out of the box.

There are JVM wide methods to change the default on these if that's problematic for your implementation.

There is also a small fix in the ValueResolver

https://github.com/graphql-java/graphql-java/commit/8530366f24ba316075a63402473cb2a38ca36ab3

17.2

This is a bugfix release which contains the following changes:

https://github.com/graphql-java/graphql-java/milestone/36?closed=1

17.1

Upgrade to DataLoader 3.1.0

This release upgrade the DataLoader library to 3.1.0 which adds the ability to have an external value cache in place during data loader batch calls.

You can use it to model access to external caches like REDIS amd even do batch "cache gets".

17.0

We are happy to announce v17.0 of graphql-java

https://github.com/graphql-java/graphql-java/milestone/31?closed=1

@deprecated supported on input fields

... (truncated)

Commits
  • cb88645 17.x port - Stop DOS attacks by making the lexer stop early on evil input (#2...
  • bf4e324 Fixing master test
  • 7f27a04 Help prevent DOS attacks on graphql servers (#2549)
  • 23d352f Support Max validation errors being produced (#2553)
  • 84984aa Added a named SDL definition (#2538)
  • ba2a29a minor performance improvement (#2532)
  • 8530366 This fixes a Bug in the ValueResolver (#2531)
  • 27b11d9 Merge pull request #2513 from graphql-java/fix_glob_matching_on_window
  • 45b5901 Merge pull request #2520 from schenkman/instrumentation_field_errors
  • 8ca743d inline variable
  • Additional commits viewable in compare view


Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/conveyal/gtfs-lib/network/alerts).

Note Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

br648 commented 1 year ago

I've had to make a couple of changes so this compiles and doesn't break CI.