build(deps): bump com.graphql-java:graphql-java from 22.3 to 26.0 #2573

Merged
jbonofre merged 1 commit into main from dependabot/maven/main/com.graphql-java-graphql-java-26.0
Apr 24, 2026

@dependabot dependabot Bot commented on behalf of github Apr 23, 2026

Bumps com.graphql-java:graphql-java from 22.3 to 26.0.

Release notes

Sourced from com.graphql-java:graphql-java's releases.

26.0

This is the 26.0 release of graphql-java. Highlights are summarized below; the full list of merged PRs is at the end.

⚠️ Breaking Changes

Query complexity limits are now enforced by default

New QueryComplexityLimits validation checks maxDepth (default 100) and maxFieldsCount (default 100,000) as part of standard validation. Queries exceeding these limits will now fail with new MaxQueryDepthExceeded / MaxQueryFieldsExceeded validation errors.

  • Set custom limits via GraphQLContext using QueryComplexityLimits.KEY.
  • Disable entirely with QueryComplexityLimits.NONE.

Introduced in #4256.

Validation rule filtering API changed

In #4228 the rule-filter predicate changed from Predicate<Class<?>> to Predicate<OperationValidationRule> in Validator.validateDocument(...) and ParseAndValidate.parseAndValidate(...). Callers that filtered by class (e.g. rule -> rule != NoUnusedFragments.class) must migrate to the enum (rule -> rule != OperationValidationRule.NO_UNUSED_FRAGMENTS). The @Internal classes AbstractRule and RulesVisitor were removed.

Built-in directive handling consolidated (#4229)

  • DirectiveInfo was removed. Replace usages:
    • DirectiveInfo.isGraphqlSpecifiedDirective(...) → Directives.isBuiltInDirective(...)
    • DirectiveInfo.GRAPHQL_SPECIFICATION_DIRECTIVES → Directives.BUILT_IN_DIRECTIVES
    • DirectiveInfo.GRAPHQL_SPECIFICATION_DIRECTIVE_MAP → Directives.BUILT_IN_DIRECTIVES_MAP
  • Directive ordering is now consistent: all 7 built-in directives appear first, followed by user-defined directives.
  • GraphQLSchema.Builder.clearDirectives() was initially removed then re-added in #4276 with new semantics — it clears all additionalDirectives, but built-in directives are always re-added automatically at build time.

OneOf inhabitability validation (#4248)

New validator rejects OneOf input types that cannot be populated with a finite value (e.g. input A @oneOf { a: A }). Schemas that previously validated may now be rejected.

Non-null field validation for code-built schemas (#4194)

Code-built schemas now perform the same deprecated-on-non-null field validation as SDL-built ones. Schemas relying on the gap may now fail validation.

GraphQLSchema.getCodeRegistry() is no longer @Nullable (#4247)

The return type was incorrectly annotated nullable. Callers may now drop redundant null checks; downstream nullness tooling will reflect the change.

JSpecify nullability annotations rolled out broadly

Waves 2 and 3 (#4184, #4274) plus many individual PRs annotated hundreds of classes across graphql.analysis, graphql.execution, graphql.language, graphql.schema and others with @NullMarked/@NullUnmarked/@Nullable. Kotlin and other null-aware callers will now see stricter nullability contracts; code that relied on previously-permissive signatures may need adjustment.

✨ New Features

  • GraphQLSchema.FastBuilder (#4197) — a more restrictive but ~5× faster schema builder that reduces both time and memory for large schemas.
  • Query complexity limits (#4256) — depth/field-count guardrails baked into validation (see breaking changes above for the enforcement side).
  • QueryAppliedDirective on operations and documents (#4297) — directives applied at the operation/document level are now exposed as QueryAppliedDirectives.
  • New instrumentation hook for post-exception-handling results (#4206, #4207) — observe the DataFetcherResult after DataFetcherExceptionHandler has mapped exceptions to errors. ChainedInstrumentation delegates the new hook correctly.
  • Generic DataFetcherResult.newBuilder(T data) (#4254) — removes the need for explicit type witnesses on the common DataFetcherResult.<T>newResult().data(x)... pattern.
  • Re-added GraphQLSchema.Builder.clearDirectives() (#4276) — useful with GraphQLSchema.transform to rewrite non-built-in directives; built-ins are always re-added.
  • toString() on AST directives holders (#4195).

⚡ Performance

  • Incremental @defer execution starts earlier (#4174) — begins processing deferred payloads as soon as the first incremental call is detected instead of waiting for the initial result to complete.
  • Validation consolidation (#4228) — all operation validation rules run in a single OperationValidator pass, significantly cutting validation overhead.

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [com.graphql-java:graphql-java](https://github.com/graphql-java/graphql-java) from 22.3 to 26.0.
- [Release notes](https://github.com/graphql-java/graphql-java/releases)
- [Commits](https://github.com/graphql-java/graphql-java/commits)

---
updated-dependencies:
- dependency-name: com.graphql-java:graphql-java
  dependency-version: '26.0'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies and java labels Apr 23, 2026
@jbonofre jbonofre merged commit 6184e78 into main Apr 24, 2026
11 of 12 checks passed
@jbonofre jbonofre deleted the dependabot/maven/main/com.graphql-java-graphql-java-26.0 branch April 24, 2026 13:27