Release v2.49.2 · hasura/graphql-engine

Changelog

This is a patch release for v2.49.

Fix a high-severity security issue: https://github.com/hasura/graphql-engine/security/advisories/GHSA-r27x-gc74-qmxh . Users are strongly encouraged to upgrade.
Prior to v2.49.1 control characters in (malformed) request json could erroneously make their way into parsed json strings. v2.49.1 made such malformed json an error. This change translates all control characters to spaces before json parsing, attempting to preserve the old behavior for dodgy clients who were relying on injected literal whitespace as a whitespace delimiter in graphql payloads. Valid json bodies are unaffected by this change.
Fixed a bug where a transient connection failure to a data connector (NDC) agent during engine startup or reload_metadata could leave a source that uses that connector permanently inconsistent (Data connector named '<name>' was not found in the data connector backend info) until metadata was manually reloaded. The engine now retries the agent capabilities fetch with bounded backoff before giving up, and the resulting error message is more actionable.

(cli) Add per-migration transaction control. Running hasura migrate apply --per-migration-transaction (or setting HASURA_GRAPHQL_PER_MIGRATION_TRANSACTION=true) enables a mode where individual SQL migrations can opt out of transactions by placing -- hasura:no-transaction as the first line of the file. This allows statements like CREATE INDEX CONCURRENTLY to coexist with fully transactional migrations in the same project, without requiring the global --no-transaction flag. The marker is ignored and behavior is unchanged when the flag is not set.