Web API: update `graphql-java` 13.0 dependency to newest stable one #2181

jhou-pro · 2024-02-09T17:12:57Z

Description

Our current graphql-java dependency has vulnerabilities. Also GraphQL specification has been evolved. We need to update our Web API implementation to conform to most recent specification and non-vulnerable internals.

Specification does not support Long / BigDecimal scalars -- define custom ones to support TG types (e.g. as for Money / Date)
ValuesResolver made more private and API changed -- sync with these changes
Fetching of entity-typed subproperty of collectional property don't work on most recent stable 21.3 graphql-java
to be continued...

Expected outcome

Up-to-date TG Web API GraphQL-based implementation with no vulnerabilities.

The text was updated successfully, but these errors were encountered:

…version.

… logic. Static imports, jdocs.

…they have been moved from graphql-java.

… as in graphql-java. This is to be able to change it as per additional requirements.

@ignore

At this stage we prefer pojo-like 'is/get' property accessors (aka getters) in TG. The same principle should be used for Web API field value resolving from internally fetched entities. These tests are needed to formalise this. In fact, current version of graphql-java's PropertyDataFetcher prefers record-like accessors pojo-like 'is/get' accessors and thus some of these tests fail. Two @ignore tests and two stubs were added for potential future cases: 1. if we move from 'is/get' pojo-like getters to record-like, potentially autocompiled, accessors 2. if we support record-typed properties in TG and its Web API.

…erifier. This is to be more consistent with widely used Reflector.obtainPropertyAccessor. This will only affect boolean props that may have both 'get' and 'is' accessors (there are no constraints in this regard).

… only). This is to be more consistent with widely used Reflector.obtainPropertyAccessor. This will only affect boolean props that may have both 'get' and 'is' accessors (there are no constraints in this regard).

This is to be more consistent with widely used Reflector.obtainPropertyAccessor. This will only affect boolean props that may have both 'get' and 'is' accessors (there are no constraints in this regard).

…ike ones (TG way). This change is covered by WebApiPropertyDataFetcherTest. Also previously failing WebApiCollectionalFieldTest are now passing. There User.roles() record-like accessor returned totally different data than User.getRoles() accessor.

…rsion.

jhou-pro added Security P1 - urgent In progress Web API Vulnerabilities dependencies Pull requests that update a dependency file labels Feb 9, 2024

jhou-pro self-assigned this Feb 9, 2024

jhou-pro added a commit that referenced this issue Feb 9, 2024

#2181 Used latest graphql-java dependency.

a5f9fe2

jhou-pro added a commit that referenced this issue Feb 9, 2024

#2181 Provided GraphQlContext as it is mandatory now during value con…

ba597c5

…version.

jhou-pro added a commit that referenced this issue Feb 12, 2024

#2181 Added also Locale from fetching environment for value resolving…

7a97f8e

… logic. Static imports, jdocs.

01es added Technology upgrade P2 - important and removed P1 - urgent labels Feb 13, 2024

jhou-pro added a commit that referenced this issue Feb 13, 2024

#2181 Used BigDecimal / Long scalars from external library, to where …

e527a39

…they have been moved from graphql-java.

jhou-pro added a commit that referenced this issue Feb 21, 2024

Merge branch 'develop' of github.com:fieldenms/tg into Issue-#2181

17ff5f4

jhou-pro added a commit that referenced this issue Feb 22, 2024

Merge branch 'develop' of github.com:fieldenms/tg into Issue-#2181

7e1c7c7

jhou-pro added a commit that referenced this issue Apr 11, 2024

Merge branch 'develop' of github.com:fieldenms/tg into Issue-#2181

517bdde

jhou-pro added a commit that referenced this issue Apr 13, 2024

#2181 Adjusted test exception type as per new graphql-java dependency.

1c7f0de

jhou-pro added a commit that referenced this issue Apr 13, 2024

#2181 Added (and used) exactly same impl of default property resolver…

ab7eaa3

… as in graphql-java. This is to be able to change it as per additional requirements.

jhou-pro added a commit that referenced this issue Apr 18, 2024

#2181 Avoid closed streams.

2a1d3b3

jhou-pro added a commit that referenced this issue Apr 18, 2024

#2181 Updated graphql-java dependencies to most recent stable 22.0 ve…

6107ea2

…rsion.

jhou-pro added a commit that referenced this issue Apr 18, 2024

#2181 Brought up changes from upstream 22.0 version changes.

921d7c5

jhou-pro added a commit that referenced this issue Apr 30, 2024

Merge branch 'develop' of github.com:fieldenms/tg into Issue-#2181

9b88b61

jhou-pro added a commit that referenced this issue May 16, 2024

Merge branch 'refs/heads/develop' into Issue-#2181

fd74c45

jhou-pro added a commit that referenced this issue May 16, 2024

#2181 Always report query errors to a server log.

0c6e30f

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Web API: update `graphql-java` 13.0 dependency to newest stable one #2181

Web API: update `graphql-java` 13.0 dependency to newest stable one #2181

jhou-pro commented Feb 9, 2024 •

edited

Web API: update graphql-java 13.0 dependency to newest stable one #2181

Web API: update graphql-java 13.0 dependency to newest stable one #2181

Comments

jhou-pro commented Feb 9, 2024 • edited

Description

Expected outcome

Web API: update `graphql-java` 13.0 dependency to newest stable one #2181

Web API: update `graphql-java` 13.0 dependency to newest stable one #2181

jhou-pro commented Feb 9, 2024 •

edited