Changes for version 0.900001 - 2026-07-12

  • Security fix.
  • Security
    • Fix SQL injection (CWE-89) in the orderBy.field argument of the plural allXs queries. The field was passed unvalidated into the DBIO order_by clause; under default DBIO storage identifiers are emitted unquoted into ORDER BY, so a client could inject arbitrary SQL in that position. orderBy.field is now validated against the source's columns (has_column) and rejected if it is not a known column, matching the column check the filter path already applies. Reported by Olaf via CPANSec's coordinated disclosure process.
  • Fixes
    • Filter's _compile_column guard used column_info() + an unless($info) die, but core's column_info throws "No such column" before that check could run, so the intended "DBIO::GraphQL::Filter: unknown column ..." message was unreachable. Switched to has_column (returns false instead of throwing), mirroring the orderBy fix above, so the clean GraphQL-level error message actually fires. karr #3.
  • Dependencies
    • Requires core DBIO >= 0.900001 (family-wide version alignment)
  • Project
    • Added SECURITY.md (CPAN Security Group guidelines v1.5.0)

Documentation

Modules

Auto-generate a GraphQL schema from a DBIO schema
Per-source GraphQL filter InputObject with adapter seam
No-op filter adapter - disables filtering entirely
Default filter adapter - per-source nested-DBIO-style filter
Build createX / updateX / deleteX GraphQL field per source
Resolve GraphQL relationship fields from a DBIO source
Map DBIO column data_types to GraphQL scalars