Skip to content

Update dependency graphql to v2.4.13 [SECURITY]#132

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/rubygems-graphql-vulnerability
Open

Update dependency graphql to v2.4.13 [SECURITY]#132
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/rubygems-graphql-vulnerability

Conversation

@renovate
Copy link
Copy Markdown

@renovate renovate bot commented Apr 5, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
graphql (source, changelog) 2.4.9 -> 2.4.13 age confidence

GitHub Vulnerability Alerts

CVE-2025-27407

Summary

Loading a malicious schema definition in GraphQL::Schema.from_introspection (or GraphQL::Schema::Loader.load) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection.

Release Notes

rmosolgo/graphql-ruby (graphql)

v2.4.13

Compare Source

v2.4.12

Compare Source

Breaking changes
  • Remove InvalidNullError#value which is always nil #​5256
New features
  • validate_timeout is 3 seconds by default #​5258
Bug fixes
  • New Relic: reimplement skipping scalars by default #​5271
  • Resolver: revert inheriting overridden graphql_name #​5260
  • Analysis: manually implement timeout to handle I/O better #​5263
  • Parser: properly handle extra token at the end of the query string #​5267
  • Validation: fix conflicting aliases inside fragment #​5268

v2.4.11

Compare Source

Breaking changes
  • Enums: enum value accessor methods have been switched to opt-in. Add value_methods(true) to your base enum class to opt back in. #​5255
New features
  • InvalidNullError: Improve default handling to add path and locations #​5257
  • DetailedTrace: Add a sampling profiler for creating detailed traces #​5244
Bug fixes
  • InvalidNullError: use GraphQL::Error as a base class #​5248
  • CI: test on Mongoid 8 and 9 #​5251

v2.4.10

Compare Source

New features
  • Dataloader: improve built-in Rails integration #​5213
Bug fixes
  • NewRelicTrace: don't double-count time waiting on Dataloader fibers
  • Fix possible type memberships inherited from superclass #​5236
  • Visibility: properly use configured contexts for visibility profiles #​5235
  • Enum: reduce needless value_method warnings #​5230 #​5220
  • Backtrace: fix error handling with rescue_from #​5227
  • Parser: return a proper error when variable type is missing #​5225

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/rubygems-graphql-vulnerability branch from 28c440c to c41459a Compare August 10, 2025 13:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants