Nhost

[email protected] scope: constellation Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 10h API Development

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 2 known CVEs

Topics

authentication backend backend-as-a-service database firebase flutter

+12 more

graphql hasura javascript nextjs nhost postgresql react serverless serverless-functions storage typescript vue

Affected surfaces

auth

Summary

AI summary

Updates constellation, 🐛 Bug Fixes, and 🚀 Features across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Feature
Feature	Low	Support aggregate relationship order_by Support aggregate relationship order_by Source: llm_adapter@2026-06-03 Confidence: high	—
Feature	Low	Reject bad distinct_on and negative limit/offset values Reject bad distinct_on and negative limit/offset values Source: llm_adapter@2026-06-03 Confidence: high	—
Feature	Low	Cap GraphQL request body size Cap GraphQL request body size Source: llm_adapter@2026-06-03 Confidence: high	—
Feature	Low	Expire JWT WebSocket sessions after inactivity Expire JWT WebSocket sessions after inactivity Source: llm_adapter@2026-06-03 Confidence: high	—
Feature	Low	Emit enum types for mutation‑only inputs Emit enum types for mutation‑only inputs Source: granite4.1:30b@2026-06-03-audit Confidence: low	—
Bugfix
Bugfix	Medium	Treat null top‑level `where` as no filter, matching Hasura behavior Treat null top‑level `where` as no filter, matching Hasura behavior Source: llm_adapter@2026-06-03 Confidence: high	—
Bugfix	Medium	Run insert‑check after INSERT when payload omits referenced columns Run insert‑check after INSERT when payload omits referenced columns Source: llm_adapter@2026-06-03 Confidence: high	—
Bugfix	Medium	Partition multi‑parent nested array inserts per parent CTE Partition multi‑parent nested array inserts per parent CTE Source: llm_adapter@2026-06-03 Confidence: high	—
Bugfix	Medium	Apply defaults in mixed multi‑row inserts Apply defaults in mixed multi‑row inserts Source: llm_adapter@2026-06-03 Confidence: high	—
Bugfix	Medium	Partition object‑rel nested inserts per parent Partition object‑rel nested inserts per parent Source: llm_adapter@2026-06-03 Confidence: high	—
Bugfix	Medium	Harden JWT and admin‑secret authentication mechanisms Harden JWT and admin‑secret authentication mechanisms Source: llm_adapter@2026-06-03 Confidence: low	—
Bugfix	Medium	Enforce upsert update permissions Enforce upsert update permissions Source: granite4.1:30b@2026-06-03-audit Confidence: low	—
Bugfix	Medium	Harden stream cursors and introspection responses Harden stream cursors and introspection responses Source: granite4.1:30b@2026-06-03-audit Confidence: low	—
Bugfix	Low	Resolve where variables in queries Resolve where variables in queries Source: granite4.1:30b@2026-06-03-audit Confidence: low	—
Bugfix	Low	Preserve x-hasura literals in subscriptions Preserve x-hasura literals in subscriptions Source: granite4.1:30b@2026-06-03-audit Confidence: low	—
Bugfix	Low	Honor @skip/@include and root fragments/__typename directives Honor @skip/@include and root fragments/__typename directives Source: granite4.1:30b@2026-06-03-audit Confidence: low	—

Full changelog

[[email protected]] - 2026-06-03

🚀 Features

(constellation) Support aggregate relationship order_by (#4403)
(constellation) Reject bad distinct_on & negative limit/offset (#4405)
(constellation) Cap GraphQL request bodies (#4418)
(constellation) Expire JWT WebSocket sessions (#4416)

🐛 Bug Fixes

(constellation) Treat null top-level where as no filter, matching Hasura (#4382)
(constellation) Run insert-check after INSERT when payload omits referenced cols (#4384)
(constellation) Partition multi-parent nested array inserts per parent CTE (#4389)
(constellation) Apply defaults in mixed multi-row inserts (#4388)
(constellation) Partition multi-parent object-rel nested inserts per parent (#4392)
(constellation) Resolve where variables (#4398)
(constellation) Preserve x-hasura literals in subscriptions (#4399)
(constellation) Harden JWT and admin-secret authentication (#4400)
(constellation) Honor field aliases at every aggregate scope (#4407)
(constellation) Support function default args (#4404)
(constellation) Partition object-rel nested inserts per parent (#4401)
(constellation) Resolve nested returning relationships from insert CTEs (#4414)
(constellation) Apply remote-schema presets under non-default root types (#4415)
(constellation) Preserve x-hasura literals in subscriptions (#4422)
(constellation) Resolve where variables (#4423)
(constellation) Enforce upsert update permissions (#4419)
(constellation) Honor @skip/@include and root fragments/__typename (#4434)
(constellation) Emit enum types for mutation-only inputs (#4438)
(constellation) Harden stream cursors and introspection responses (#4439)

⚙️ Miscellaneous Tasks

(nixops) Drop nix-filter input in favor of pkgs.lib.fileset (#4377)
(nixops) Fix repo after bumping nixpkgs (#4394)

Security Fixes

Harden JWT and admin-secret authentication in constellation (#4400)
Harden stream cursors and introspection responses in constellation (#4439)

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Nhost

Get notified when new releases ship.

About Nhost

The Open Source Firebase Alternative with GraphQL.

All releases →