Hasura

Changelog

This is a patch release for v2.45.

Bug fixes and improvements

Server

• Fix a high-severity security issue: https://github.com/hasura/graphql-engine/security/advisories/GHSA-r27x-gc74-qmxh . Users are strongly encouraged to upgrade.
• Prior to v2.49.1 control characters in (malformed) request json could erroneously make their way into parsed json strings. v2.49.1 made such malformed json an error. This change translates all control characters to spaces before json parsing, attempting to preserve the old behavior for dodgy clients who were relying on injected literal whitespace as a whitespace delimiter in graphql payloads. Valid json bodies are unaffected by this change.
• Fixed a bug where a transient connection failure to a data connector (NDC) agent during engine startup or reload_metadata could leave a source that uses that connector permanently inconsistent (Data connector named '<name>' was not found in the data connector backend info) until metadata was manually reloaded. The engine now retries the agent capabilities fetch with bounded backoff before giving up, and the resulting error message is more actionable.
• Fix a bug where event triggers could prevent prompt server shutown; now we correctly only pause for actual in-flight processing
• Fix a bug where, with multiple sources, in-flight event triggers which were stuck during shutdown may not have been unlocked in the database before shutdown
• Mitigate two assymetrical DoS vectors.
• Improvements to schema memory usage.

Data Connector

• Fix MariaDB `update`/`delete` mutations still failing with `Table 'temp_table_xxx' doesn't exist` on v2.48.15. The previous fix (#11473) ran the temp-table CREATE outside the transaction, which made the CREATE and the mutation body race over pooled connections; MariaDB temp tables are session-scoped, so when the mutation body got a different pooled connection the temp table was invisible. The full CREATE / mutation / DROP lifecycle now runs pinned to one JDBC connection. (Enterprise/cloud only)