Open ghost opened 1 year ago
Specifically, here's the error we were seeing:
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'graphQL': Cannot resolve reference to bean 'graphQLSchema' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'graphQLSchemaGenerator': Cannot resolve reference to bean 'graphQLTypeManager' while setting bean property 'typeManager'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'graphQLTypeManager': Bean instantiation via constructor failed; nested exception is java.lang.NoSuchFieldError: GraphQLLong
Attempting a workaround now of defining our own TypeManager that uses types from graphql-java 20.2.
gorm-graphql 2.0.1 pulls in graphql-java 14.1 which has multiple CVEs against it.
Even on the 3.0.x branch, it still only pulls in graphql-java 17.3 which still has the 2023 CVE against it.
Unfortunately there are breaking changes between graphql-java 14.x and the versions needed to fix these vulnerabilities, so forcing the version difference doesn't seem to be an option.