Because of a security vulnerability, the graphql-java dependency imported by Sling Graphql Core needs to be upgraded to version 17.4 or later. That said, as of now none of the applicable graphql-java releases is usable by Sling, due to:

Both of these issues are fixed on the latest graphql-java master branch, which is slated for release in April as version 20.1. As of now the master branch also contains another issue:

This issue can be prevented by disabling the Lambda Use Factory option that was added to Sling Graphql Core.

The graphql-java team told me that they do not consider back-port releases except for security issues, but that will take time anyhow.

Current State (March 1st, 2023)

This is the current state of graphql-java:

Sling Graphql Core Module

I upgraded Sling Graphql Core to graphql-java 20.0 in this branch: https://github.com/apache/sling-org-apache-sling-graphql-core/tree/issue/SLING-10900-200

This compiles, but it fails the Jenkins tests.

Next Steps

Any upgrade to a fixed release of graphql-java (17.4, 18.3, 19.3 and 20.0) will break the Jenkins tests due to the first two issues (see PR: https://github.com/apache/sling-org-apache-sling-graphql-core/pull/34), but this module is not used in Sling Starter.
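
The list of fixed releases above (17.4, 18.3, 19.3, 20.0) implies a check that a plain "at least 17.4" comparison gets wrong: 18.0 through 18.2 and 19.0 through 19.2 are numerically above 17.4 but are not fixed releases. The following Python script is an added example, not part of this page or of the Sling or graphql-java projects. It scans `mvn dependency:tree` output for the com.graphql-java:graphql-java artifact and classifies each version found against the per-line floor. The sample tree is constructed, and treating any major version above 20 as fixed is an assumption.

```python
import re

# Minimum fixed release per major line, as listed on this page
# (17.4, 18.3, 19.3, 20.0); majors below 17 have no fixed release.
FIXED_FLOOR = {17: (17, 4), 18: (18, 3), 19: (19, 3), 20: (20, 0)}

# Maven coordinates of graphql-java as they appear in `mvn dependency:tree`
# output: groupId:artifactId:type:version[:scope]
DEP_RE = re.compile(
    r"com\.graphql-java:graphql-java:(?:jar|bundle):([0-9][0-9A-Za-z.\-]*)"
)


def parse_version(version):
    """Return (major, minor) for strings like '17.3', '20.1-SNAPSHOT', '19.3.0'."""
    core = version.split("-", 1)[0]          # drop qualifiers such as -SNAPSHOT
    nums = []
    for part in core.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    while len(nums) < 2:
        nums.append(0)
    return nums[0], nums[1]


def is_fixed(version):
    """True if this graphql-java version is at or above the fixed release of its line."""
    major, minor = parse_version(version)
    if major < 17:
        return False                          # no fixed release on these lines
    if major > 20:
        return True                           # assumption: later lines carry the fix
    return (major, minor) >= FIXED_FLOOR[major]


def check_tree(tree_text):
    """Find every graphql-java occurrence in dependency:tree output and classify it."""
    return [
        (m.group(1), "fixed" if is_fixed(m.group(1)) else "vulnerable")
        for m in DEP_RE.finditer(tree_text)
    ]


# Constructed sample of `mvn dependency:tree` output; not captured from the
# real Sling Graphql Core build.
SAMPLE_TREE = """\
[INFO] org.apache.sling:org.apache.sling.graphql.core:bundle:0.0.1-SNAPSHOT
[INFO] +- com.graphql-java:graphql-java:jar:17.3:compile
[INFO] |  +- com.graphql-java:java-dataloader:jar:3.1.0:compile
[INFO] |  \\- org.reactivestreams:reactive-streams:jar:1.0.3:compile
[INFO] \\- org.osgi:osgi.core:jar:8.0.0:provided
"""

if __name__ == "__main__":
    for version, status in check_tree(SAMPLE_TREE):
        print(f"graphql-java {version}: {status}")
```

Run it against `mvn dependency:tree` output piped into a file instead of SAMPLE_TREE to see which line the build actually resolves; the per-line floor is what makes 18.2 report as vulnerable while 17.4 reports as fixed.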

In order to test the upgrade of graphql-java with Sling, we would need to do the following:

  1. Create a private release of graphql-java based on 20.0 that has all 3 issues fixed
  2. Create a private release of Sling Graphql Core updated to graphql-java 20.x
    1. Note: all graphql-java releases require the same changes, except for testing
  3. Test GraphQL both on a local AEM instance and in the cloud

Besides Peregrine CMS and AEM, I am not aware of any other platform using Sling Graphql Core.