From 762a491117d13013bb299cd05d3f93d2924026d5a8b7ce0f844d6060df9131f4 Mon Sep 17 00:00:00 2001
From: Fridrich Strba
Date: Fri, 1 Sep 2023 11:19:17 +0000
Subject: [PATCH] Accepting request 1108436 from home:urbic:branches:Java:packages

- Update to v21.0
  * Breaking Changes
    + Upgraded to Java 11. graphql-java now requires Java 11 as a minimum version. See the blog announcing the change. For those who need time to upgrade to Java 11, keep in mind we will support graphql-java 20.x (with Java 8) for a short period as per our release policy. If you are wondering why we are not on a later version, graphql-java has always been conservative on its base JVM version to allow the widest possible set of consumers.
    + Reverted stricter scalar parseValue coercion, added monitoring and interceptor callback. v20.0 introduced a stricter set of scalar parseValue coercions - for example previously an Integer would accept a string if it parsed into a number but that was removed and a more strict system was put in place. While technically more correct, and consistent with the graphql-js reference implementation, in practice this proved problematic for some consumers. So this stricter parseValue coercion was reverted in v20.3. We would like to re-introduce this more strict scalar parseValue conversion in the future and to that end we have introduced a graphql.execution.values.InputInterceptor callback that allows you to observe what values you are receiving and potentially do special tweaking of those values. A graphql.execution.values.legacycoercing.LegacyCoercingInputInterceptor implementation will convert old less strict values into the more strict values for example. If you had problems with scalar values we urge you to use the new InputInterceptor to learn what less strict values are coming into your systems and fix them up. That way, when a future version re-introduces the more strict (and more correct) coercion then you will be prepared.
    + Static recordLike() methods no longer supported. In v20, the PropertyDataFetcher would read property values from recordLike() methods on objects even if they were static methods. This caused problems for some users and after considering how to fix it and talking to some of our major consumers like the Spring team, we decided to remove this behavior. On balance we think this will lead to a better outcome over the long term. This is a breaking change for those who might have relied on a static recordLike() method being called for a property.
  * Removal of old deprecated methods and classes
    + The following PRs removed old deprecated methods and classes. The changes are breaking ones but these have been deprecated for a long time.
      ~ #3232
      ~ #3231
    + Other small breaking changes. A very minor breaking change is that graphql.execution.ExecutionStrategy had a protected method protected Iterable toIterable(Object result) which really is a utility method and not designed for overriding. graphql.util.FpKit#toIterable is the preferred replacement.
  * What's new in v21
    + ExecutableNormalisedXXX is now public API. The graphql.normalized.ExecutableNormalizedOperation and graphql.normalized.ExecutableNormalizedField code is now public API. This API allows you to represent what MAY be executed given a schema and a valid GraphQL query. This code is not intended for general consumption but perhaps you are writing a framework based on graphql-java and need to have a powerful representation of what would be executed, then these classes are for you. This allows you to write specialized code (such as a new execution engine or perhaps a federated GraphQL engine like say Nadel) based on these tree like representations of a normalized and executable query.
    + Building extensions in data fetchers. There is a new graphql.extensions.ExtensionsBuilder that allows data fetcher callbacks to add extension values into the final result. Since extensions are a map and there could be merge conflicts on values, a graphql.extensions.ExtensionsMerger interface is provided to handle these conflicts and a default graphql.extensions.DefaultExtensionsMerger is provided. This is available via the graphql.GraphQLContext and is put in there by default so data fetchers can rely on it being present. At the end of the request the ExtensionsBuilder is called to build out a final map of extensions which is placed in the graphql.ExecutionResult.
    + A smarter schema visitor API. A new graphql.schema.visitor.GraphQLSchemaVisitor has been created that is more domain specific around visiting GraphQL schemas. The old graphql.schema.GraphQLTypeVisitor worked however it is very generic in nature and is not domain specific to schemas. The new API improves how you can visit schemas and the callbacks have better schema domain information provided on them. Also the graphql.schema.visitor.GraphQLSchemaVisitorEnvironment is better than the older alternative with clearer return methods like changeNode() or deleteNode() and so on for controlling how the visitor works. This is an adaptor to GraphQLTypeVisitor and hence can be used by the existing graphql.schema.SchemaTraverser and graphql.schema.SchemaTransformer classes (which expect a GraphQLTypeVisitor) via a small call to graphql.schema.visitor.GraphQLSchemaVisitor#toTypeVisitor.
    + Performance improvements. As always, we have tried to include some performance improvements in the release. One area of note is avoiding unnecessary CompletableFuture allocations when they are not needed.
    + Other things. The QueryComplexity calculator has been broken out into its own class and can be used outside the original graphql.analysis.MaxQueryComplexityInstrumentation context. The graphql.execution.DataFetcherResult#map method was added to allow better functional mapping of results.
  * All Changes
    + Correct diff when argument is "moved" and the type is changed by @gnawf in #3156
    + Check for default value changes by @gnawf in #3157
    + Bump com.google.guava:guava from 31.0.1-jre to 31.1-jre by @dependabot in #3134
    + Bump biz.aQute.bnd.builder from 6.3.1 to 6.4.0 by @dependabot in #3135
    + Better javadoc on how code is found during SchemaGeneration by @bbakerman in #3162
    + Fix edge case with bad argument renamed by @gnawf in #3164
    + Bump actions/setup-java from 1 to 3 by @dependabot in #3124
    + Upgrade to Java 11 (round 2) by @dondonz in #3165
    + Bump com.github.javafaker:javafaker from 0.13 to 1.0.2 by @dependabot in #3167
    + cleanup schema diffing code, add comments by @andimarek in #3170
    + upgrade to gradle 8.0.2 by @andimarek in #3171
    + Bump io.github.gradle-nexus.publish-plugin from 1.1.0 to 1.3.0 by @dependabot in #3137
    + Bump com.github.johnrengelman.shadow from 7.1.2 to 8.1.1 by @dependabot in #3152
    + Bump org.testng:testng from 6.1.1 to 7.7.1 by @dependabot in #3127
    + Remove long deprecated method by @dondonz in #3092
    + Bump org.awaitility:awaitility-groovy from 3.1.6 to 4.2.0 by @dependabot in #3166
    + Bump org.openjdk.jmh:jmh-core from 1.35 to 1.36 by @dependabot in #3178
    + Bump com.fasterxml.jackson.core:jackson-databind from 2.13.1 to 2.14.2 by @dependabot in #3179
    + Bump com.google.code.gson:gson from 2.8.9 to 2.10.1 by @dependabot in #3177
    + Fix description changes causing renames by @gnawf in #3182
    + Bump org.openjdk.jmh:jmh-generator-annprocess from 1.35 to 1.36 by @dependabot in #3176
    + The ability to get query directives in ENF land by @bbakerman in #3048
    + Allow DataFetcherResult to set extension values during execution by @bbakerman in #3123
    + Bump org.eclipse.jetty:jetty-server from 9.4.26.v20200117 to 11.0.14 by @dependabot in #3180
    + Revert stricter scalar parseValue coercion by @dondonz in #3186
    + Bump org.eclipse.jetty:jetty-server from 11.0.14 to 11.0.15 by @dependabot in #3189
    + Bump me.champeau.jmh from 0.7.0 to 0.7.1 by @dependabot in #3190
    + improve schema diffing performance by @andimarek in #3172
    + Schema diff optimizing by @andimarek in https://git...
- Update to v20.4
  * This is a special release with only one commit: updating the version of Guava to 32.0.0 to address CVE-2023-2976. graphql-java shades in selected classes of Guava. Although this library does not use any of the code described in the CVE, we received reports in #3239 that the Guava POM inside the jar was incorrectly triggering security scanners. We'd prefer to keep those security scanners happy and upgrade the Guava version.
  * What's Changed
    + Update Guava version for v20 by @dondonz in #3245
- Update to v20.3
  * This is a special release with only one commit: reverting stricter parseValue scalar coercion. It is a backport of #3186. We received feedback that the stricter coercion was difficult without a migration pathway. The next release will include an input interceptor to enable monitoring and/or custom modification of inputs.
  * What's Changed
    + Add backport of scalar coercion reversion PR #3186 by @dondonz in #3230

OBS-URL: https://build.opensuse.org/request/show/1108436
OBS-URL: https://build.opensuse.org/package/show/Java:packages/graphql-java?expand=0&rev=3
--- graphql-java-20.2.tar.gz | 3 - ...hql-java-20.2.pom => graphql-java-21.0.pom | 4 +- graphql-java-21.0.tar.gz | 3 + graphql-java.changes | 179 ++++++++++++++++++ graphql-java.spec | 5 +- 5 files changed, 187 insertions(+), 7 deletions(-) delete mode 100644 graphql-java-20.2.tar.gz rename graphql-java-20.2.pom => graphql-java-21.0.pom (96%) create mode 100644 graphql-java-21.0.tar.gz diff --git a/graphql-java-20.2.tar.gz b/graphql-java-20.2.tar.gz deleted file mode 100644 index 1ec242b..0000000 --- a/graphql-java-20.2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:ae7eae6b5fc87a77f18f48c0b78231d202dd78ace79278c7d9d6bbec282822b9 -size 2083643 
diff --git a/graphql-java-20.2.pom b/graphql-java-21.0.pom similarity index 96% rename from graphql-java-20.2.pom rename to graphql-java-21.0.pom index 0bc8935..28a8e03 100644 --- a/graphql-java-20.2.pom +++ b/graphql-java-21.0.pom @@ -3,7 +3,7 @@ 4.0.0 com.graphql-java graphql-java - 20.2 + 21.0 com.graphql-java @@ -20,7 +20,7 @@ org.slf4j slf4j-api - 1.7.35 + 2.0.7 runtime diff --git a/graphql-java-21.0.tar.gz b/graphql-java-21.0.tar.gz new file mode 100644 index 0000000..1fdb7a3 --- /dev/null +++ b/graphql-java-21.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:782b6f6e5e98d2427e5a90cf439323dd20abdd8e6b9f4d15fa69434acaa761fa +size 2109945 diff --git a/graphql-java.changes b/graphql-java.changes index 3a7bf52..06a7f4b 100644 --- a/graphql-java.changes +++ b/graphql-java.changes 
@@ -1,3 +1,182 @@ +------------------------------------------------------------------- +Fri Jul 14 13:48:23 UTC 2023 - Anton Shvetz + +- Update to v21.0 + * Breaking Changes + + Upgraded to Java 11. graphql-java now requires Java 11 as a + minimum version. See the blog announcing the change. For + those who need time to upgrade to Java 11, keep in mind we + will support graphql-java 20.x (with Java 8) for a short + period as per our release policy. If you are wondering why we + are not on a later version, graphql-java has always been + conservative on its base JVM version to allow the widest + possible set of consumers. + + Reverted stricter scalar parseValue coercion, added + monitoring and interceptor callback. v20.0 introduced a + stricter set of scalar parseValue coercions - for example + previously an Integer would accept a string if it parsed into + a number but that was removed and a more strict system was + put in place. While technically more correct, and consistent + with the graphql-js reference implementation, in practice + this proved problematic for some consumers. So this more + stricter parseValue coercion was reverted in v20.3. We would + like to re-introduce this more strict scalar parseValue + conversion in the future and to that end we have introduced a + graphql.execution.values.InputInterceptor callback that + allows you to observe what values you are receiving and + potentially do special tweaking of those values. A + graphql.execution.values.legacycoercing.LegacyCoercingInputInterceptor + implementation will convert old less strict values into then + more strict values for example. If you had problems with + scalar values we urge you to use the new InputInterceptor to + learn what less strict values are coming into your systems + and fix them up. That way, when a future version + re-introduces the more strict (and more correct) coercion + then you will be prepared. + + Static recordLike() methods no longer supported. 
In v20, the + PropertyDataFetcher would read property values from + recordLike() methods on objects even if they were static + methods. This caused problems for some users and after + considering how to fix it and talking to some our major + consumers like the Spring team, we decided to remove this + behavior. On balance we think this will lead to a better + outcome over the long term. This is a breaking change for + those who might have relied on a static recordLike() method + being called for a property. + * Removal of old deprecated methods and classes + + The following PRs removed old deprecated methods and class. + The changes are breaking ones but these have been deprecated + for a long time. + ~ #3232 + ~ #3231 + + Other small breaking changes. A very minor breaking change is + that graphql.execution.ExecutionStrategy had a protected + method protected Iterable toIterable(Object result) + which really is a utility method and not designed for + overriding. graphql.util.FpKit#toIterable is the preferred + replacement. + * What's new in v21 + + ExecutableNormalisedXXX is now public API. The + graphql.normalized.ExecutableNormalizedOperation and + graphql.normalized.ExecutableNormalizedField code is now + public API. This API allows you to represent what MAY be + executed given a schema and a valid GraphQL query. This code + is not intended for general consumption but perhaps you are + writing a framework based on graphql-java and need to have a + powerful representation of what would be executed, then these + classes are for you. This allows you to write specialized + code (such as a new execution engine or perhaps a federated + GraphQL engine like say Nadel) based on these tree like + representations of a normalized and executable query. + + Building extensions in data fetchers. There is a new + graphql.extensions.ExtensionsBuilder that allows data fetcher + callbacks to add extension values into the final result. 
+ Since extensions are a map and there could be merge conflicts + on values, a graphql.extensions.ExtensionsMerger interface is + provided to handle these conflicts and a default + graphql.extensions.DefaultExtensionsMerger is provided. This + is available via the graphql.GraphQLContext and is put in + there by default so data fetchers can rely on it being + present. At the end of the request the ExtensionsBuilder is + called to build out a final map of extensions which is placed + in the graphql.ExecutionResult. + + A smarter schema visitor API. A new + graphql.schema.visitor.GraphQLSchemaVisitor has been created + that is more domain specific around visiting GraphQL schemas. + The old graphql.schema.GraphQLTypeVisitor worked however it + is very generic in nature and is not domain specific to + schemas. The new API improves how you can visit schemas and + the callbacks have better schema domain information provided + on them. Also the + graphql.schema.visitor.GraphQLSchemaVisitorEnvironment is + better than older alternative with clearer return methods + like changeNode() or deleteNode() and so on for controlling + how the visitor works. This is an adaptor to + GraphQLTypeVisitor and hence can be used by the existing + graphql.schema.SchemaTraverser and + graphql.schema.SchemaTransformer classes (which expect a + GraphQLTypeVisitor) via a small call to + graphql.schema.visitor.GraphQLSchemaVisitor#toTypeVisitor. + + Performance improvements. As always, we have tried to include + some performance improvements in the release. One area of + note is avoiding unnecessary CompletableFuture allocations + when they are not needed. + + Other things. The QueryComplexity calculator has been broken + out into its own class and can be used outside the original + graphql.analysis.MaxQueryComplexityInstrumentation context. + The graphql.execution.DataFetcherResult#map method was added + to allow better functional mapping of results. 
+ * All Changes + + Correct diff when argument is "moved" and the type is changed + by @gnawf in #3156 + + Check for default value changes by @gnawf in #3157 + + Bump com.google.guava:guava from 31.0.1-jre to 31.1-jre by + @dependabot in #3134 + + Bump biz.aQute.bnd.builder from 6.3.1 to 6.4.0 by @dependabot + in #3135 + + Better javadoc on how code is found during SchemaGeneration + by @bbakerman in #3162 + + Fix edge case with bad argument renamed by @gnawf in #3164 + + Bump actions/setup-java from 1 to 3 by @dependabot in #3124 + + Upgrade to Java 11 (round 2) by @dondonz in #3165 + + Bump com.github.javafaker:javafaker from 0.13 to 1.0.2 by + @dependabot in #3167 + + cleanup schema diffing code, add comments by @andimarek in + #3170 + + upgrade to gradle 8.0.2 by @andimarek in #3171 + + Bump io.github.gradle-nexus.publish-plugin from 1.1.0 to + 1.3.0 by @dependabot in #3137 + + Bump com.github.johnrengelman.shadow from 7.1.2 to 8.1.1 by + @dependabot in #3152 + + Bump org.testng:testng from 6.1.1 to 7.7.1 by @dependabot in + #3127 + + Remove long deprecated method by @dondonz in #3092 + + Bump org.awaitility:awaitility-groovy from 3.1.6 to 4.2.0 by + @dependabot in #3166 + + Bump org.openjdk.jmh:jmh-core from 1.35 to 1.36 by + @dependabot in #3178 + + Bump com.fasterxml.jackson.core:jackson-databind from 2.13.1 + to 2.14.2 by @dependabot in #3179 + + Bump com.google.code.gson:gson from 2.8.9 to 2.10.1 by + @dependabot in #3177 + + Fix description changes causing renames by @gnawf in #3182 + + Bump org.openjdk.jmh:jmh-generator-annprocess from 1.35 to + 1.36 by @dependabot in #3176 + + The ability to get query directives in ENF land by @bbakerman + in #3048 + + Allow DataFetcherResult to set extension values during + execution by @bbakerman in #3123 + + Bump org.eclipse.jetty:jetty-server from 9.4.26.v20200117 to + 11.0.14 by @dependabot in #3180 + + Revert stricter scalar parseValue coercion by @dondonz in + #3186 + + Bump org.eclipse.jetty:jetty-server from 
11.0.14 to 11.0.15 + by @dependabot in #3189 + + Bump me.champeau.jmh from 0.7.0 to 0.7.1 by @dependabot in + #3190 + + improve schema diffing performance by @andimarek in #3172 + + Schema diff optimizing by @andimarek in https://git... +- Update to v20.4 + * This is a special release with only one commit: updating the + version of Guava to 32.0.0 to address CVE-2023-2976. + graphql-java shades in selected classes of Guava. Although this + library does not use any of the code described in the CVE, we + received reports in #3239 that the Guava POM inside the jar was + incorrectly triggering security scanners. We'd prefer to keep + those security scanners happy and upgrade the Guava version. + * What's Changed + + Update Guava version for v20 by @dondonz in #3245 +- Update to v20.3 + * This is a special release with only one commit: reverting + stricter parseValue scalar coercion. It is a backport of #3186 + We received feedback that the stricter coercion was difficult + without a migration pathway. The next release will include an + input interceptor to enable monitoring and/or custom + modification of inputs. + * What's Changed + + Add backport of scalar coercion reversion PR #3186 by + @dondonz in #3230 + ------------------------------------------------------------------- Sun Apr 9 22:17:48 UTC 2023 - Anton Shvetz diff --git a/graphql-java.spec b/graphql-java.spec index 7b04664..9518525 100644 --- a/graphql-java.spec +++ b/graphql-java.spec @@ -17,7 +17,7 @@ Name: graphql-java -Version: 20.2 +Version: 21.0 Release: 0 Summary: GraphQL Java implementation License: MIT 
@@ -25,6 +25,7 @@ Group: Development/Libraries/Java URL: https://graphql-java.com/ Source0: https://github.com/%{name}/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: https://repo1.maven.org/maven2/com/%{name}/%{name}/%{version}/%{name}-%{version}.pom +BuildRequires: java-devel >= 11 BuildRequires: maven-local BuildRequires: mvn(com.google.guava:guava) BuildRequires: mvn(com.graphql-java:java-dataloader) @@ -79,7 +80,7 @@ cp %{SOURCE1} pom.xml mv src/main/antlr src/main/antlr4 %build -%{mvn_build} -f -- -Dmaven.compiler.{source,target}=8 +%{mvn_build} -f -- -Dmaven.compiler.{source,target}=11 %install %mvn_install
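Review bot: in the new-file hunk for graphql-java-21.0.tar.gz, the `oid sha256:` value only identifies the object stored in Git LFS; nothing in this patch shows it was compared against the archive that Source0 in graphql-java.spec downloads from the upstream v21.0 tag. Before accepting, fetch Source0 independently, confirm its SHA-256 matches the oid, and record how the tarball was obtained so the check can be repeated.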
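Review bot: the second hunk of the graphql-java-21.0.pom rename moves the runtime-scope slf4j-api dependency from 1.7.35 to 2.0.7, a major-version change that the new graphql-java.changes entry never mentions. Add a changelog line for it and confirm that the slf4j package the distribution provides satisfies a 2.x requirement, since consumers resolving this POM will now be asked for slf4j-api 2.0.7 at runtime.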
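Review bot: the v20.4 entry in the graphql-java.changes hunk cites CVE-2023-2976 as addressed by upstream's Guava bump to 32.0.0, but graphql-java.spec builds against `BuildRequires: mvn(com.google.guava:guava)`, so the Guava version this package is built with is set by the distribution's guava package, not by that bump. Say in the entry whether this package is affected, so the CVE mention is not read as a fix delivered by this update. Separately, the last "All Changes" item ends in a truncated link (`https://git...`); replace it with the full reference or drop the item.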
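Review bot: in the %build hunk of graphql-java.spec, `-Dmaven.compiler.{source,target}=11` sets only the language level and class-file version, so a build on a JDK newer than 11 (which the added `java-devel >= 11` permits) can still compile against APIs that do not exist in Java 11. Consider `-Dmaven.compiler.release=11`, which also restricts the available API to Java 11 and does not depend on the build shell expanding the braces.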