Change8

v2.49.2

📦 hasura-authView on GitHub →
2 features🐛 3 fixes🔧 1 symbols

Summary

This patch release addresses a high-severity security vulnerability and introduces granular transaction control for SQL migrations via the CLI. It also adjusts how malformed JSON containing control characters is handled to maintain compatibility for some legacy clients.

Migration Steps

  1. Users relying on the previous behavior regarding control characters in malformed JSON should test their payloads, as they might now see spaces instead of the original characters.
  2. If using per-migration transaction control, add `-- hasura:no-transaction` as the first line of any SQL migration file that requires statements not supported within a transaction (e.g., `CREATE INDEX CONCURRENTLY`).

✨ New Features

  • Added per-migration transaction control via `hasura migrate apply --per-migration-transaction` or setting `HASURA_GRAPHQL_PER_MIGRATION_TRANSACTION=true`.
  • Introduced a mechanism for individual SQL migrations to opt out of transactions by placing `-- hasura:no-transaction` as the first line of the file, allowing statements like `CREATE INDEX CONCURRENTLY`.

🐛 Bug Fixes

  • Fixed a high-severity security issue (GHSA-r27x-gc74-qmxh).
  • Modified behavior for control characters in malformed request JSON: they are now translated to spaces before JSON parsing to attempt to preserve old behavior for clients relying on injected literal whitespace as a delimiter. Valid JSON bodies are unaffected.
  • Fixed an issue where a transient connection failure to an NDC agent during startup or metadata reload could leave a source permanently inconsistent; the engine now retries agent capabilities fetch with bounded backoff.

Affected Symbols