v17.3
Release date: 2021-09-19 09:00:12
Latest graphql-java/graphql-java release: v22.3 (2024-09-05 11:15:52)
This bug fix version of graphql-java provides new limits to help prevent Denial Of Service attacks induced by over parsing and validation.
Attackers can craft queries that consume a lot of resources to parse and validate, and which, while ultimately invalid, can deny real queries from being serviced.
https://github.com/graphql-java/graphql-java/pull/2549
https://github.com/graphql-java/graphql-java/pull/2553
There are new limits imposed by default. Parsing will be terminated after 1500 tokens and only 100 validation errors will be captured.
We chose to put in defaults so that people will get some amount of bad query parse and validate DOS protection out of the box.
There are JVM-wide methods to change these defaults if they are problematic for your implementation.
There is also a small fix in the ValueResolver.
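As an added illustration (not code from the graphql-java project or from this release note), the following Java snippet shows how the new parser token limit behaves and how to adjust it JVM-wide through `ParserOptions`. It assumes the `graphql.parser.ParserOptions` builder API with `maxTokens(int)` / `getMaxTokens()`, `ParserOptions.setDefaultParserOptions(...)`, and a `Parser.parseDocument(String, ParserOptions)` overload for per-call options; the oversized query is constructed here purely for demonstration.

```java
import graphql.parser.InvalidSyntaxException;
import graphql.parser.Parser;
import graphql.parser.ParserOptions;

public class ParserTokenLimitDemo {

    // Constructed input: a syntactically valid but deliberately bloated query.
    // Each aliased selection "fN: viewer { id }" costs about six parse tokens,
    // so 1000 repeats is roughly 6000 tokens, well past the 1500-token default.
    static String bigQuery(int repeats) {
        StringBuilder sb = new StringBuilder("query {");
        for (int i = 0; i < repeats; i++) {
            sb.append(" f").append(i).append(": viewer { id }");
        }
        return sb.append(" }").toString();
    }

    // Parse with the current JVM-wide defaults; report whether it was accepted.
    static boolean parsesWithDefaults(String query) {
        try {
            new Parser().parseDocument(query);
            return true;
        } catch (InvalidSyntaxException e) {
            // Assumption: the token-limit cancellation is surfaced as a
            // subclass of InvalidSyntaxException, so it is caught here.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    // Parse with explicit options (assumed overload), leaving defaults untouched.
    static boolean parsesWith(String query, ParserOptions options) {
        try {
            new Parser().parseDocument(query, options);
            return true;
        } catch (InvalidSyntaxException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Inspect the out-of-the-box JVM-wide default (1500 tokens in v17.3).
        ParserOptions defaults = ParserOptions.getDefaultParserOptions();
        System.out.println("default maxTokens = " + defaults.getMaxTokens());

        String oversized = bigQuery(1000);
        System.out.println("oversized accepted with defaults? "
                + parsesWithDefaults(oversized));   // expected: false

        // Tighten the limit for a single parse, e.g. for an unauthenticated endpoint,
        // without changing the JVM-wide default.
        ParserOptions strict = ParserOptions.newParserOptions().maxTokens(200).build();
        System.out.println("small query accepted with strict limit? "
                + parsesWith(bigQuery(10), strict));  // expected: true

        // Raise the JVM-wide default only where you have a reason to trust the
        // callers (e.g. an internal API); this is the knob the release note refers to.
        ParserOptions.setDefaultParserOptions(
                ParserOptions.newParserOptions().maxTokens(10_000).build());
        System.out.println("oversized accepted after raising default? "
                + parsesWithDefaults(oversized));   // expected: true
    }
}
```

Raising the default trades DoS protection for permissiveness, so keep the shipped value on any endpoint that accepts untrusted queries and only widen it where a legitimate client is known to need very large documents.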
https://github.com/graphql-java/graphql-java/commit/8530366f24ba316075a63402473cb2a38ca36ab3