Closed: slady closed this issue 1 year ago
@kaqqao Could you evaluate whether an update of the minor version of graphql-java breaks anything? If not, could we get these "security patches" until the release for Spring Boot 3.X is ready?
For me personally, I am using this wonderful framework in my company and this type of fix would be important. If you tell me you're not able to do that, I will try to manually exclude the transitive dependency and include the newest version of "graphql-java" via Gradle dependency management.
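The workaround described in the comment above, as an added example that is not part of the thread or of the SPQR project: a Gradle build script that excludes the graphql-java version SPQR declares transitively, declares a patched graphql-java directly, and adds a strict constraint so that no other dependency path can pull the old version back in. The artifact coordinates are the published ones (io.leangen.graphql:spqr and com.graphql-java:graphql-java); the two version strings are assumptions for illustration only and should be replaced with the SPQR release you actually use and with the fixed graphql-java version listed in the Snyk advisory linked in the issue.

```groovy
// build.gradle (Groovy DSL). Added example, not code from the thread or from SPQR.
// Purpose: override the transitive graphql-java that io.leangen.graphql:spqr brings in
// until an SPQR release with the fix is available.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

ext {
    spqrVersion = '0.12.0'        // ASSUMED: the SPQR release your project is on
    graphqlJavaPatched = '19.4'   // ASSUMED: the graphql-java version the Snyk advisory lists as fixed
}

dependencies {
    // 1. Pull in SPQR but drop the graphql-java version it declares for itself ...
    implementation("io.leangen.graphql:spqr:${spqrVersion}") {
        exclude group: 'com.graphql-java', module: 'graphql-java'
    }

    // 2. ... and declare the patched graphql-java directly.
    implementation "com.graphql-java:graphql-java:${graphqlJavaPatched}"

    // 3. Pin every other path to graphql-java (other libraries, test scope, BOMs)
    //    to the same patched version, so a second transitive edge cannot downgrade it.
    //    'strictly' makes Gradle fail the build rather than silently pick another version.
    constraints {
        implementation('com.graphql-java:graphql-java') {
            version { strictly graphqlJavaPatched }
            because 'SNYK-JAVA-COMGRAPHQLJAVA-5291199: SPQR still declares an affected graphql-java'
        }
    }
}
```

After applying the script, confirm which graphql-java version actually ends up on the runtime classpath with `./gradlew dependencyInsight --dependency graphql-java --configuration runtimeClasspath`; the output should show only the pinned version and the constraint's `because` reason. Because SPQR was compiled against an older graphql-java, a minor version bump can still break it at runtime even though the build resolves cleanly, so run the project's test suite before relying on the override.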
Fixed via https://github.com/leangen/graphql-spqr/pull/449
Release coming in a day or two, at max.
There is a new known security vulnerability in the graphql-java library with high severity.
Attackers can cause a stack-based buffer overflow.
More details about this vulnerability are described on Snyk at this address: https://security.snyk.io/vuln/SNYK-JAVA-COMGRAPHQLJAVA-5291199
All users of the SPQR library are impacted by this vulnerability.
The graphql-java library is used as a dependency of SPQR.
Can you please upgrade the dependency to a higher version of the graphql-java library where this vulnerability was fixed?