Changelog
This is a patch release for v2.49.
Bug fixes and improvements
Server
- Fix a high-severity security issue: https://github.com/hasura/graphql-engine/security/advisories/GHSA-r27x-gc74-qmxh . Users are strongly encouraged to upgrade.
- Prior to v2.49.1, control characters in (malformed) request JSON could erroneously make their way into parsed JSON strings. v2.49.1 made such malformed JSON an error. This change translates all control characters to spaces before JSON parsing, attempting to preserve the old behavior for dodgy clients who were relying on injected literal whitespace as a whitespace delimiter in GraphQL payloads. Valid JSON bodies are unaffected by this change.
- Fixed a bug where a transient connection failure to a data connector (NDC) agent during engine startup or reload_metadata could leave a source that uses that connector permanently inconsistent (Data connector named '<name>' was not found in the data connector backend info) until metadata was manually reloaded. The engine now retries the agent capabilities fetch with bounded backoff before giving up, and the resulting error message is more actionable.
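
The control-character item above, as an added Python sketch (not Hasura's code): it translates control characters to spaces before parsing and shows that a valid body parses to the same value while a body with literal newlines inside a string is accepted only after translation. The U+0000..U+001F range, the function names and the sample bodies are assumptions made for this example.

```python
import json

# Assumption: "control characters" means U+0000..U+001F, the range JSON forbids
# unescaped inside strings. The changelog does not state the engine's exact range.
CTRL_TO_SPACE = {cp: " " for cp in range(0x20)}

def sanitize_body(raw: str) -> str:
    """Translate every control character to a space before JSON parsing."""
    return raw.translate(CTRL_TO_SPACE)

def classify(raw: str):
    """Return (status, value): 'valid' parses as-is, 'repaired' parses only
    after translation, 'rejected' is malformed for some other reason."""
    try:
        return "valid", json.loads(raw)  # strict parser: raw control chars in strings raise
    except json.JSONDecodeError:
        pass
    try:
        return "repaired", json.loads(sanitize_body(raw))
    except json.JSONDecodeError:
        return "rejected", None

# Constructed sample bodies (not taken from the release notes).
VALID = '{\n\t"query": "query {\\n  users { id }\\n}"\n}'   # escaped \n inside the string
MALFORMED = '{"query": "query {\n  users { id }\n}"}'        # literal newlines inside the string
TRUNCATED = '{"query": '

if __name__ == "__main__":
    for name, body in [("VALID", VALID), ("MALFORMED", MALFORMED), ("TRUNCATED", TRUNCATED)]:
        print(name, classify(body))
```

Counting "repaired" results per client in a proxy or log pipeline shows which callers still depend on the compatibility path.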
CLI
- (cli) Add per-migration transaction control. Running hasura migrate apply --per-migration-transaction (or setting HASURA_GRAPHQL_PER_MIGRATION_TRANSACTION=true) enables a mode where individual SQL migrations can opt out of transactions by placing -- hasura:no-transaction as the first line of the file. This allows statements like CREATE INDEX CONCURRENTLY to coexist with fully transactional migrations in the same project, without requiring the global --no-transaction flag. The marker is ignored and behavior is unchanged when the flag is not set.