Changelog

Bug fixes and improvements

Server

• Don't attempt to CREATE EXTENSION pgcrypto if it already exists, so users on Azure using an unprivileged Postgres user in Hasura can create the extension manually prior to startup.
• Add new HASURA_GRAPHQL_REDIS_NO_FAIL_ON_STARTUP option, allowing the engine to start up normally, but with rate limiting and caching disabled, if there are errors with redis during startup. (Enterprise edition only)

Console

• Fix connection template and Dynamic Routing settings being reset when editing database in Connection Details page. (Cloud / Enterprise edition only)

CLI

• Add a flag --no-transaction to migrate apply command.

Build

• Update libpq version in UBI9 base image.

Security fixes

Server

Fixed Nested Inherited Roles Permission Propagation

Fixed an issue where permissions were not properly propagated through multiple levels of role inheritance. This affects both queries and mutations:

• For Queries: Previously, when Role D inherited from Role C, which inherited from Roles A and B, the row filters and column restrictions from Role A were not properly applied to Role D. This could allow Role D to access data that should have been restricted.

• For Mutations: Mutations using nested inherited roles now correctly enforce permission constraints. For example:

  If Role A restricts "salary" with {"user_id": "X-Hasura-User-Id"}
  Role D (inheriting from Role C, which inherits from Role A)
  now requires X-Hasura-User-Id when filtering on salary:

  mutation {
    delete_employees(where: {salary: {_gt: 100000}}) {
      affected_rows
    }
  }

Note: If you're using nested inherited roles in your application, you may need to update mutations to include the appropriate session variables that were previously bypassed.

For more details on how inherited roles work, see the documentation.

Changelog

This is a patch release for v2.45.

Bug fixes and improvements

Server

• Add optional no_transaction flag (default false) to run_sql API (Postgres) to execute SQL statements outside transaction blocks, with support for splitting multiple statements. Useful for operations like CREATE INDEX CONCURRENTLY.

Console

• Fix connection template and Dynamic Routing settings being reset when editing database in Connection Details page.

Security fixes

Server

Fixed Nested Inherited Roles Permission Propagation

Fixed an issue where permissions were not properly propagated through multiple levels of role inheritance. This affects both queries and mutations:

• For Queries: Previously, when Role D inherited from Role C, which inherited from Roles A and B, the row filters and column restrictions from Role A were not properly applied to Role D. This could allow Role D to access data that should have been restricted.

• For Mutations: Mutations using nested inherited roles now correctly enforce permission constraints. For example:

  If Role A restricts "salary" with {"user_id": "X-Hasura-User-Id"}
  Role D (inheriting from Role C, which inherits from Role A)
  now requires X-Hasura-User-Id when filtering on salary:

  mutation {
    delete_employees(where: {salary: {_gt: 100000}}) {
      affected_rows
    }
  }

Note: If you're using nested inherited roles in your application, you may need to update mutations to include the appropriate session variables that were previously bypassed.

For more details on how inherited roles work, see the documentation.

Changelog

Bug fixes and improvements

Server

• Don't attempt to CREATE EXTENSION pgcrypto if it already exists, so users on Azure using an unprivileged Postgres user in Hasura can create the extension manually prior to startup.
• Add new HASURA_GRAPHQL_REDIS_NO_FAIL_ON_STARTUP option, allowing the engine to start up normally, but with rate limiting and caching disabled, if there are errors with redis during startup. (Enterprise edition only)

Console

• Fix connection template and Dynamic Routing settings being reset when editing database in Connection Details page. (Cloud / Enterprise edition only)

CLI

• Add a flag --no-transaction to migrate apply command.

Build

• Update libpq version in UBI9 base image.

Changelog

This is a patch release for v2.36

Bug fixes and improvements

Build

• Update Ubuntu Jammy base image and RH image to get the latest security updates.

Changelog

Bug fixes and improvements

Server

• Fix an issue where Postgres reset JSON parameters to empty strings after a transaction, causing event trigger failures when executing mutations outside Hasura. The insert_event_log trigger function now correctly handles empty strings.
• Attempt to set Haskell runtime threads based on cgroup CPU limits, when present, for better automatic sizing in Docker and Kubernetes environments. Users with small CPU limits on servers with many cores should expect to see somewhat lower memory usage and possibly improved performance.
• Add optional no_transaction flag (default false) to run_sql API (Postgres) to execute SQL statements outside transaction blocks, with support for splitting multiple statements. Useful for operations like CREATE INDEX CONCURRENTLY.
• Fix the hasura_active_subscriptions metric becoming inconsistent (e.g. showing a negative value).
• Fix an issue where a source's metadata would be erased if the source was inconsistent and then a source update was performed.
• Mark remote schemas as inconsistent when type conflicts occur with the existing schema.
• Only show internal actions errors in logs if HASURA_GRAPHQL_DEV_MODE or HASURA_GRAPHQL_ADMIN_INTERNAL_ERRORS are switched on.
• Increase upper bound of execution time metrics to 100s. (Cloud / Enterprise edition only)
• Add metrics hasura_events_fetch_query_time and hasura_events_fetched_total. (Cloud / Enterprise edition only)
• Fix metrics label for DB with non-standard URI. (Cloud / Enterprise edition only)

Changelog

Bug fixes and improvements

Server

• Fix an issue where Postgres reset JSON parameters to empty strings after a transaction, causing event trigger failures when executing mutations outside Hasura. The insert_event_log trigger function now correctly handles empty strings.
• Attempt to set Haskell runtime threads based on cgroup CPU limits, when present, for better automatic sizing in Docker and Kubernetes environments. Users with small CPU limits on servers with many cores should expect to see somewhat lower memory usage and possibly improved performance.
• Add optional no_transaction flag (default false) to run_sql API (Postgres) to execute SQL statements outside transaction blocks, with support for splitting multiple statements. Useful for operations like CREATE INDEX CONCURRENTLY.
• Fix an issue where a source's metadata would be erased if the source was inconsistent and then a source update was performed.
• Mark remote schemas as inconsistent when type conflicts occur with the existing schema.
• Only show internal actions errors in logs if HASURA_GRAPHQL_DEV_MODE or HASURA_GRAPHQL_ADMIN_INTERNAL_ERRORS are switched on.
• Fix the hasura_active_subscriptions metric becoming inconsistent (e.g. showing a negative value). (Cloud / Enterprise edition only)
• Increase upper bound of execution time metrics to 100s. (Cloud / Enterprise edition only)
• Add metrics hasura_events_fetch_query_time and hasura_events_fetched_total. (Cloud / Enterprise edition only)
• Fix metrics label for DB with non-standard URI. (Cloud / Enterprise edition only)

Changelog

This is a patch release for v2.45.

Bug fixes and improvements

Server

• Fix ConnectionClosed error during metadata apply, and silence some other websockets related messages incorrectly logged as errors and report-as-bugs.

Console

• Fix Model Summary for MongoDB databases in the data tab.
• Fix email alerts modal crash in Schema Registry. (Cloud only)

Build

• Update RH, Quarkus, Kotlin and Snowflake to get the latest security updates.
• Update Ubuntu Jammy base image and ubi9 image to get the latest security updates.

Changelog

This is a patch release for v2.45.

Bug fixes and improvements

CLI

• Allow migration directories with 14 digit numeric prefixes to be picked up when running hasura scripts update-project-v3.

Changelog

This is a patch release for v2.44.

Bug fixes and improvements

Console

• Add support for session variables for the _in and _nin operators while creating permissions in data tab performance mode.

Build

• Update ubi9 image for security vulnerabilities for GraphQL engine.

Changelog

Bug fixes and improvements

Server

• Fix issue where websocket connections did not time out when clients failed to initialize the protocol.
• When using GraphQL schema introspection to introspect directives, the isRepeatable field now returns a valid value instead of null.
• Update --http-log-query-only-on-error flag / HASURA_GRAPHQL_HTTP_LOG_QUERY_ONLY_ON_ERROR env var behavior to include operationName in the query field of http-log for successful requests when set to true.
• Add --http-log-query-only-on-error flag / HASURA_GRAPHQL_HTTP_LOG_QUERY_ONLY_ON_ERROR env var (default false) to include query field in http-log only when the request results in an error.
• Only show internal actions errors in logs if HASURA_GRAPHQL_DEV_MODE or HASURA_GRAPHQL_ADMIN_INTERNAL_ERRORS are switched on.
• Add hasura_postgres_connection_error_total metric to count the number of Postgres connection errors. (Cloud / Enterprise edition only)
• Fix Postgres URI label in metrics. (Cloud / Enterprise edition only)

Console

• Fix permission builder crash while using relationships defined via composite foreign-keys.
• Add support for session variables for the _in and _nin operators while creating permissions in data tab performance mode.