Due to a security vulnerability the import of graphql-java in Sling Graphql Core needs to be upgraded to at least 17.4 or higher. That said as of now any applicable version of graphql-java is not usable by Sling due to:

  • Import of package sun.misc in the Manifest 
  • MANIFEST.MF not the first entry in the bundle

Both of these issues are fixed in the latest code base of graphql-java master branch which is slated to be released somewhere in April as version 20.1. As of now master branch also contains another issue:

  • Pagination leads to a Class Loading failure with GenericConnection

This issue can be prevent by disabling the Lambda Use Factory which is added to the Sling Graphql Core.

The graphql-java team told me that they do not consider releases of back ports except for security issues but that will take time anyhow.

Current State (March 1st, 2023)

This is the current state of graphql-java is:

  • 17.4, 18.3 and 19.3 all seems to work just fine when the first two issues are fixed
  • I created a PR for 19.3 but was told that they are only doing a new release for security issues
  • Master branch contains fixes for the first two issues
  • There is a pending PR against Master branch that fixes the class loading issues
    • This fix still can negatively affect performance for pagination
  • All fixed versions used inside Adobe AEM work just fine including persistent queries, pagination, indexing and sorting

Sling Graphql Core Module

I upgraded Sling Graphql Core to graphql-java 20.0 in this branch: https://github.com/apache/sling-org-apache-sling-graphql-core/tree/issue/SLING-10900-200

This does compile but it will fail the Jenkins tests.

Next Steps

Any upgrade to a fixed release of graphql-java (17.4, 18.3, 19.3 and 20.0) will break the Jenkins tests due to the first two issues (see PR: https://github.com/apache/sling-org-apache-sling-graphql-core/pull/34) but this module is not used in Sling Starter.

In order to test the upgrade of graphql-java with Sling we would need to do the following:

  1. Create a private release of graphql-java on 20.0 that has all 3 issues fixed
  2. Create a private release of Sling Graphql Core updated to graphql-java 20.x
    1. Note: all graphql-java releases require the same changes except for testing
  3. Test GraphQL both on a local AEM instance and in the cloud

Beside Peregrine CMS and AEM I am not aware of another platform using Sling Graphql Core.

  • No labels