Update dependency com.graphql-java:graphql-java to v20.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
com.graphql-java:graphql-java	20.0 -> 20.1

GitHub Vulnerability Alerts

CVE-2023-28867

In GraphQL Java (aka graphql-java) before 20.1, an attacker can send a crafted GraphQL query that causes stack consumption. The fixed versions are 20.1, 19.4, 18.4, 17.5, and 0.0.0-2023-03-20T01-49-44-80e3135.

---

Release Notes

graphql-java/graphql-java

v20.1: 20.1

Compare Source

This is a feature and bugfix release. There are no breaking changes in this release. This release continues to use Java 8.

Thanks to everyone in the community for helping us with this release. Thanks for your PRs, issues, and discussions!

Security fix

This release includes a security fix #​3112 which adds a limit to the depth of grammar rules, to prevent stack overflow.

Highlights

#​3095 improves resiliency to class loader problems with LambdaMetafactory.

#​3049 adds an extensions builder and merger.

Release policy

We have formalised our release schedule to give the community a better idea of when to expect releases, what will be contained within them, and when important fixes will be backported. See the full details at https://www.graphql-java.com/blog/release-policy

What's Changed

• docs: update badges for v20 release by @​setchy in https://github.com/graphql-java/graphql-java/pull/3047
• Update FieldValidationInstrumentation.java by @​kfwerf in https://github.com/graphql-java/graphql-java/pull/3066
• Update vulnerability reporting instructions by @​dondonz in https://github.com/graphql-java/graphql-java/pull/3070
• Fix extend schema directives ANTLR rule by @​dondonz in https://github.com/graphql-java/graphql-java/pull/3071
• Allow users to disable MultiSourceReader trackData through ParserOptions by @​AntaresS in https://github.com/graphql-java/graphql-java/pull/3062
• Add missing getter and fix name consistency by @​gnawf in https://github.com/graphql-java/graphql-java/pull/3073
• use toolchain to specify the java version by @​andimarek in https://github.com/graphql-java/graphql-java/pull/3075
• Fix isNameChanged by @​gnawf in https://github.com/graphql-java/graphql-java/pull/3076
• Update instrumentation example in documentation by @​dondonz in https://github.com/graphql-java/graphql-java/pull/3078
• Reuse ExecutionStrategyInstrumentationContext.NOOP in DataLoaderDispatcherInstrumentation by @​dfa1 in https://github.com/graphql-java/graphql-java/pull/3068
• Add missing this keyword for readability by @​cookieMr in https://github.com/graphql-java/graphql-java/pull/3067
• defaulting the deprecated methods in Coercing by @​bbakerman in https://github.com/graphql-java/graphql-java/pull/3063
• Add missing detail by @​gnawf in https://github.com/graphql-java/graphql-java/pull/3079
• Updating the JavaDoc http links by @​bbakerman in https://github.com/graphql-java/graphql-java/pull/3083
• An Extensions Builder by @​bbakerman in https://github.com/graphql-java/graphql-java/pull/3049
• Use ImmutableList.builderWithExpectedSize in ImmutableKit.mapAndDropNulls too by @​dfa1 in https://github.com/graphql-java/graphql-java/pull/3081
• Resolve TypeReferences in schema applied directives by @​kaqqao in https://github.com/graphql-java/graphql-java/pull/3054
• Remove sun.misc.* from MANIFEST.MF by @​dondonz in https://github.com/graphql-java/graphql-java/pull/3091
• Replace javax nullable annotations with JetBrains equivalent by @​dondonz in https://github.com/graphql-java/graphql-java/pull/3093
• Ensured that the MANIFEST.MF files is the first entry in the JAR File by @​schaefa in https://github.com/graphql-java/graphql-java/pull/3097
• Fix type change and directive deletion problems in schema diffing by @​gnawf in https://github.com/graphql-java/graphql-java/pull/3102
• Handle enum value rename by @​gnawf in https://github.com/graphql-java/graphql-java/pull/3103
• Bugfix: do not use default operation name types if not included in schema definition block by @​dondonz in https://github.com/graphql-java/graphql-java/pull/3088
• Adding ExtensionsBuilder in the graphql context by default by @​bbakerman in https://github.com/graphql-java/graphql-java/pull/3085
• Meta Lambda failures - make the code more resilient to class loader challenges by @​bbakerman in https://github.com/graphql-java/graphql-java/pull/3095
• Gracefully returning null in cases of UnresolvedTypeException by @​ahmadizm in https://github.com/graphql-java/graphql-java/pull/3122
• Add dependabot configuration by @​yeikel in https://github.com/graphql-java/graphql-java/pull/3115
• Bump org.jetbrains:annotations from 23.0.0 to 24.0.1 by @​dependabot in https://github.com/graphql-java/graphql-java/pull/3125
• Remove unused dependencies by @​dondonz in https://github.com/graphql-java/graphql-java/pull/3132
• Bump actions/checkout from 1 to 3 by @​dependabot in https://github.com/graphql-java/graphql-java/pull/3126
• Bump google-github-actions/auth from 0.4.0 to 1.0.0 by @​dependabot in https://github.com/graphql-java/graphql-java/pull/3129
• Bump org.codehaus.groovy:groovy from 3.0.9 to 3.0.16 by @​dependabot in https://github.com/graphql-java/graphql-java/pull/3131
• Add manual stop on schema diffing algorithm by @​gnawf in https://github.com/graphql-java/graphql-java/pull/3119
• Preventing stack overflow exceptions via limiting the depth of the parser rules by @​bbakerman in https://github.com/graphql-java/graphql-java/pull/3112
• UniqueObjectFieldName validation rule (#​1806) by @​ashatch in https://github.com/graphql-java/graphql-java/pull/3094

New Contributors

• @​kfwerf made their first contribution in https://github.com/graphql-java/graphql-java/pull/3066
• @​AntaresS made their first contribution in https://github.com/graphql-java/graphql-java/pull/3062
• @​ahmadizm made their first contribution in https://github.com/graphql-java/graphql-java/pull/3122
• @​yeikel made their first contribution in https://github.com/graphql-java/graphql-java/pull/3115
• @​dependabot made their first contribution in https://github.com/graphql-java/graphql-java/pull/3125
• @​ashatch made their first contribution in https://github.com/graphql-java/graphql-java/pull/3094

Full Changelog: graphql-java/graphql-java@v20.0...v20.1

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.