chore(deps-dev): Bump com.graphql-java:graphql-java from 25.0 to 26.0

[dependabot]

Bumps com.graphql-java:graphql-java from 25.0 to 26.0.

Release notes

Sourced from com.graphql-java:graphql-java's releases.

26.0

This is the 26.0 release of graphql-java. Highlights are summarized below; the full list of merged PRs is at the end.

⚠️ Breaking Changes

Query complexity limits are now enforced by default

New QueryComplexityLimits validation checks maxDepth (default 100) and maxFieldsCount (default 100,000) as part of standard validation. Queries exceeding these limits will now fail with new MaxQueryDepthExceeded / MaxQueryFieldsExceeded validation errors.

• Set custom limits via GraphQLContext using QueryComplexityLimits.KEY.
• Disable entirely with QueryComplexityLimits.NONE.

Introduced in #4256.

Validation rule filtering API changed

In #4228 the rule-filter predicate changed from Predicate<Class<?>> to Predicate<OperationValidationRule> in Validator.validateDocument(...) and ParseAndValidate.parseAndValidate(...). Callers that filtered by class (e.g. rule -> rule != NoUnusedFragments.class) must migrate to the enum (rule -> rule != OperationValidationRule.NO_UNUSED_FRAGMENTS). The @Internal classes AbstractRule and RulesVisitor were removed.

Built-in directive handling consolidated (#4229)

• DirectiveInfo was removed. Replace usages:
  • DirectiveInfo.isGraphqlSpecifiedDirective(...) → Directives.isBuiltInDirective(...)
  • DirectiveInfo.GRAPHQL_SPECIFICATION_DIRECTIVES → Directives.BUILT_IN_DIRECTIVES
  • DirectiveInfo.GRAPHQL_SPECIFICATION_DIRECTIVE_MAP → Directives.BUILT_IN_DIRECTIVES_MAP
• Directive ordering is now consistent: all 7 built-in directives appear first, followed by user-defined directives.
• GraphQLSchema.Builder.clearDirectives() was initially removed then re-added in #4276 with new semantics — it clears all additionalDirectives, but built-in directives are always re-added automatically at build time.

OneOf inhabitability validation (#4248)

New validator rejects OneOf input types that cannot be populated with a finite value (e.g. input A @oneOf { a: A }). Schemas that previously validated may now be rejected.

Non-null field validation for code-built schemas (#4194)

Code-built schemas now perform the same deprecated-on-non-null field validation as SDL-built ones. Schemas relying on the gap may now fail validation.

GraphQLSchema.getCodeRegistry() is no longer @Nullable (#4247)

The return type was incorrectly annotated nullable. Callers may now drop redundant null checks; downstream nullness tooling will reflect the change.

JSpecify nullability annotations rolled out broadly

Waves 2 and 3 (#4184, #4274) plus many individual PRs annotated hundreds of classes across graphql.analysis, graphql.execution, graphql.language, graphql.schema and others with @NullMarked/@NullUnmarked/@Nullable. Kotlin and other null-aware callers will now see stricter nullability contracts; code that relied on previously-permissive signatures may need adjustment.

✨ New Features

• GraphQLSchema.FastBuilder (#4197) — a more restrictive but ~5× faster schema builder that reduces both time and memory for large schemas.
• Query complexity limits (#4256) — depth/field-count guardrails baked into validation (see breaking changes above for the enforcement side).
• QueryAppliedDirective on operations and documents (#4297) — directives applied at the operation/document level are now exposed as QueryAppliedDirectives.
• New instrumentation hook for post-exception-handling results (#4206, #4207) — observe the DataFetcherResult after DataFetcherExceptionHandler has mapped exceptions to errors. ChainedInstrumentation delegates the new hook correctly.
• Generic DataFetcherResult.newBuilder(T data) (#4254) — removes the need for explicit type witnesses on the common DataFetcherResult.<T>newResult().data(x)... pattern.
• Re-added GraphQLSchema.Builder.clearDirectives() (#4276) — useful with GraphQLSchema.transform to rewrite non-built-in directives; built-ins are always re-added.
• toString() on AST directives holders (#4195).

⚡ Performance

• Incremental @defer execution starts earlier (#4174) — begins processing deferred payloads as soon as the first incremental call is detected instead of waiting for the initial result to complete.
• Validation consolidation (#4228) — all operation validation rules run in a single OperationValidator pass, significantly cutting validation overhead.

... (truncated)

Commits

• See full diff in compare view

[github-actions]

🌟 Thank you for your contribution to the Apache Camel project! 🌟
🤖 CI automation will test this PR automatically.

🐫 Apache Camel Committers, please review the following items:

• First-time contributors require MANUAL approval for the GitHub Actions to run
• You can use the command /component-test (camel-)component-name1 (camel-)component-name2.. to request a test from the test bot although they are normally detected and executed by CI.
• You can label PRs using skip-tests and test-dependents to fine-tune the checks executed by this PR.
• Build and test logs are available in the summary page. Only Apache Camel committers have access to the summary.

⚠️ Be careful when sharing logs. Review their contents before sharing them publicly.

[github-actions]

🧪 CI tested the following changed modules:

• parent

✅ POM dependency changes: targeted tests included

Changed properties: graphql-java-version

Modules affected by dependency changes (1)

• :camel-graphql

All tested modules (2 modules)

• Camel :: GraphQL
• Camel :: Parent

---

⚙️ View full build and test results