Due to a security vulnerability the import of graphql-java in Sling Graphql Core needs to be upgraded to at least 17.4 or higher. That said as of now any applicable version of graphql-java is not usable by Sling due to:
Both of these issues are fixed in the latest code base of graphql-java master branch which is slated to be released somewhere in April as version 20.1. As of now master branch also contains another issue:
This issue can be prevent by disabling the Lambda Use Factory which is added to the Sling Graphql Core.
The graphql-java team told me that they do not consider releases of back ports except for security issues but that will take time anyhow.
This is the current state of graphql-java is:
I upgraded Sling Graphql Core to graphql-java 20.0 in this branch: https://github.com/apache/sling-org-apache-sling-graphql-core/tree/issue/SLING-10900-200
This does compile but it will fail the Jenkins tests.
Any upgrade to a fixed release of graphql-java (17.4, 18.3, 19.3 and 20.0) will break the Jenkins tests due to the first two issues (see PR: https://github.com/apache/sling-org-apache-sling-graphql-core/pull/34) but this module is not used in Sling Starter.
In order to test the upgrade of graphql-java with Sling we would need to do the following:
Beside Peregrine CMS and AEM I am not aware of another platform using Sling Graphql Core.