v2.0.4

⚠️ Security fixes

This release fixes 3 "High" CVEs:

• CVE-2026-41699: Unsafe Deserialization in Spring GraphQL
• CVE-2026-41700: Cross-Site WebSocket Hijacking in Spring for GraphQL
• CVE-2026-41856: Spring GraphQL Annotation Detection Vulnerability

⭐ New Features

• Provide more flexibility in JsonKeysetCursorStrategy collections types #1445

🐞 Bug Fixes

• Argument annotations are ignored on handler methods in generic interfaces #1469
• configureBinder method is unusable #1468
• Allow custom Origins when upgrading to WebSocket transport #1452
• Observations not closed when DataLoader returns null values #1448
• WebSocket keepalive PING not emitted for all idle concurrent sessions #1447
• Missing @Nullable on type parameter of GraphQlTester.Request#variables(Map<String, Object>) #1435
• JSON syntax error in graphiql XSRF header support #1434
• Memory leak in WebFlux WebSocket support when client disconnects #1293

🔨 Dependency Upgrades

• Upgrade to Kotlin 2.3.20 #1460
• Upgrade to Micrometer 1.16.6 and Tracing 1.6.6 #1462
• Upgrade to Reactor 2025.0.6 #1461
• Upgrade to Spring Data 2025.1.6 #1463
• Upgrade to Spring Framework 7.0.8 #1459
• Upgrade to Spring Security 7.0.6 #1464