Release 🍓 0.257.0

botberry · botberry · commit 1e0e1efe4b10 · 2025-01-09T18:30:53.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,32 @@
 CHANGELOG
 =========
 
+0.257.0 - 2025-01-09
+--------------------
+
+The common `node: Node` used to resolve relay nodes means we will be relying on
+is_type_of to check if the returned object is in fact a subclass of the Node
+interface.
+
+However, integrations such as Django, SQLAlchemy and Pydantic will not return
+the type itself, but instead an alike object that is later resolved to the
+expected type.
+
+In case there are more than one possible type defined for that model that is
+being returned, the first one that replies True to `is_type_of` check would be
+used in the resolution, meaning that when asking for `"PublicUser:123"`,
+strawberry could end up returning `"User:123"`, which can lead to security
+issues (such as data leakage).
+
+In here we are introducing a new `strawberry.cast`, which will be used to mark
+an object with the already known type by us, and when asking for is_type_of that
+mark will be used to check instead, ensuring we will return the correct type.
+
+That `cast` is already in place for the relay node resolution and pydantic.
+
+Contributed by [Thiago Bellini Ribeiro](https://github.com/bellini666) via [PR #3749](https://github.com/strawberry-graphql/strawberry/pull/3749/)
+
+
 0.256.1 - 2024-12-23
 --------------------
 
diff --git a/RELEASE.md b/RELEASE.md
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,7 +1,7 @@
 [tool.poetry]
 name = "strawberry-graphql"
 packages = [ { include = "strawberry" } ]
-version = "0.256.1"
+version = "0.257.0"
 description = "A library for creating GraphQL APIs"
 authors = ["Patrick Arminio <patrick.arminio@gmail.com>"]
 license = "MIT"
