Releases: wp-graphql/wp-graphql-smart-cache

v2.0.1

12 Dec 01:05

Security Fix

This release addresses an issue where authenticated user data (such as draft posts, private content, or other permission-restricted data) could be incorrectly cached and served to public users when using the Object Cache feature.
Users with Object Cache enabled should update immediately.

What was happening?

When an authenticated user (e.g., an admin logged into WordPress) made a GraphQL request, WPGraphQL core called wp_set_current_user(0) during authentication validation, after the query had already executed. This caused WPGraphQL Smart Cache to incorrectly identify the request as unauthenticated and cache the response, including any permission-restricted content the authenticated user could see.

Subsequent unauthenticated requests could then be served this cached response containing data they shouldn't have access to.

The Fix

  • #306: fix: prevent authenticated request data from being cached and served to public users
    • Uses AppContext->viewer (which is set at request initialization and remains stable) instead of is_user_logged_in() for authentication state detection
    • Adds Cache-Control: no-store header for authenticated requests to prevent network/CDN caching
    • Ensures cache key generation uses the stable viewer context
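
The ordering problem and the fix described above, as an added stand-alone PHP model (not WPGraphQL or Smart Cache code). The functions set_user(), logged_in(), run_query() and handle(), the single cache key and the sample posts are hypothetical stand-ins, and the model assumes the user reset always happens after execution.

```php
<?php
// Added model of the request lifecycle; stand-ins only, not WordPress or plugin code.
$current_user = 0;   // stand-in for WordPress's global current user ID
$cache        = [];  // stand-in for the object cache

function set_user(int $id): void { global $current_user; $current_user = $id; }
function logged_in(): bool { global $current_user; return $current_user !== 0; }

// Drafts resolve only for an authenticated viewer (constructed sample data).
function run_query(int $viewer): array {
    return $viewer !== 0 ? ['Hello world', 'DRAFT: pricing change'] : ['Hello world'];
}

function handle(int $user_id, bool $fixed): array {
    global $cache;
    set_user($user_id);
    $viewer = $user_id;  // captured at request start, stable like AppContext->viewer
    if ($viewer === 0 && isset($cache['posts'])) {
        return ['body' => $cache['posts'], 'headers' => [], 'cache_hit' => true];
    }
    $body = run_query($viewer);
    set_user(0);         // modelled reset during authentication validation, after execution

    // Pre-fix: ask the mutable global. Fixed: ask the stable viewer.
    $authenticated = $fixed ? $viewer !== 0 : logged_in();
    $headers = [];
    if ($authenticated) {
        $headers['Cache-Control'] = 'no-store';  // keep CDNs and proxies from storing it
    } else {
        $cache['posts'] = $body;                 // only public responses may be stored
    }
    return ['body' => $body, 'headers' => $headers, 'cache_hit' => false];
}

// Admin (constructed user ID 1) queries first, then an anonymous visitor.
function scenario(bool $fixed): array {
    global $cache;
    $cache  = [];
    $admin  = handle(1, $fixed);
    $public = handle(0, $fixed);
    return [
        'admin_no_store'    => ($admin['headers']['Cache-Control'] ?? '') === 'no-store',
        'public_sees_draft' => in_array('DRAFT: pricing change', $public['body'], true),
    ];
}

foreach ([false, true] as $fixed) {
    echo ($fixed ? 'fixed:   ' : 'pre-fix: ') . json_encode(scenario($fixed)) . PHP_EOL;
}
```

A regression test for a real site follows the same sequence: send the authenticated query first, then the identical anonymous query, and compare the two response bodies and the Cache-Control header.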

Chores

  • ci: update deprecated GitHub Actions (actions/checkout, actions/cache) to v4
  • ci: fix Gherkin test compatibility by pinning behat/gherkin < 4.9
  • chore: update "Tested up to" WordPress 6.9

Full Changelog: v2.0.0...v2.0.1

v2.0.0

14 Feb 03:46

BREAKING CHANGE

This updates a few methods that were changed in graphql-php and were updated as part of the WPGraphQL v2.0 release.

NOTE: WPGraphQL Smart Cache must be updated to v2.0+ in order to use it with WPGraphQL v2.0+ (and vice versa).

Full Changelog: v1.3.3...v2.0.0

v1.3.3

04 Sep 17:05

Release Notes

Chores / Bugfixes

  • #294: fix: queryid not returning X-GraphQL-Keys headers
  • #292: chore: update test workflow to use docker compose instead of docker-compose
  • #291: fix: restore whitespace rules for PHPCBF
  • #286: chore: update .wordpress-org assets
  • #284: chore: Note that hosts might set a limit on caching

Full Changelog: v1.3.2...v1.3.3

v1.3.2

25 Apr 21:25
9c27ed0

Release Notes

Chores / Bugfixes

  • #278: ci: Update tests to run against WordPress 6.5

Full Changelog: v1.3.1...v1.3.2

v1.3.1

19 Feb 20:40
7d98350

Release Notes

Chores / Bugfixes

  • #273: fix: improve clarity on Cache settings page
  • #272: fix: invalidate caches for menu items

Full Changelog: v1.3.0...v1.3.1

v1.3.0

07 Feb 23:34
7181a68

Release Notes

New Features

  • #270: feat: force enable query analyzer. This fixes a regression to WPGraphQL Smart Cache users caused by the WPGraphQL v1.20.0 release, where the Query Analyzer became optional and defaulted to "off". WPGraphQL Smart Cache now force-enables the Query Analyzer to support Cache tagging and tag-based cache invalidation.

Full Changelog: v1.2.1...v1.3.0

v1.2.1

11 Dec 21:48
c80c0d5

Release Notes

Chores / Bugfixes

  • #266: ci: update tests to run against WordPress 6.4
  • #266: fix: ensure store_content() is passed a string to adhere to phpstan standards
  • #262: fix: remove invalid namespaces from autoloading. Thanks @szepeviktor!
  • #251: ci: add WP 6.3 to test matrix
  • #258: ci: add build-plugin command to set up no-dev

Full Changelog: v1.2.0...v1.2.1

v1.2.0

31 Aug 21:46

Release Notes

Upgrade Notice

Code Removal

This release removes some code specific to WP Engine that's been moved to WP Engine's MU Plugins.

Updating to WPGraphQL Smart Cache v1.2.0 or newer should be done at the same time as updating to WPGraphQL v1.16.0; otherwise some caches might not evict properly in response to data changes.

Garbage Collection of GraphQL Documents

When using "Automated Persisted Queries", documents are stored in the "GraphQL Document" post type and as client queries change over time an excess of persisted queries can be stored.

Garbage collection allows for documents to be purged after a certain amount of time.

You can enable "Garbage Collection" by going to "GraphQL > Settings > Saved Queries" and checking the "Delete Old Queries" option.

When this feature is enabled, documents that are not associated with a "Group" will be purged after the number of days set in the settings.

Before enabling this setting, we recommend going through your saved GraphQL Documents and assigning a "group" to any that you want to skip garbage collection.

Groups are like bookmarks or collections for your GraphQL Documents. You can use them for whatever reason you like, but if a document is grouped, it will not be automatically garbage collected.

New Features

  • #227: feat: add garbage collection for graphql_documents (see upgrade notice)

Chores / Bugfixes

  • #244: fix: handle errors when editing graphql documents in the admin
  • #253: ci: add varnish docker image. Update docs.
  • #247: fix: remove wpengine specific code (see upgrade notice).
  • #257: ci: use .distignore when building plugin for github release

v1.1.4

03 Aug 20:21

Release Notes

Chores / Bugfixes

  • #237 fix: when creating a new query, do not show "something is wrong with form data" error
  • #242 ci: increase phpstan to level 7
  • #241 ci: increase phpstan to level 5,6
  • #240 ci: increase phpstan to level 3,4
  • #239 ci: increase phpstan to level 2
  • #236 ci: add phpstan workflow to check code quality
  • #234 fix: do not cache mutations to object cache results
  • #235 ci: tests failing after wpgraphql v1.14.5 release

v1.1.3

17 Jul 17:29

Release Notes:

Chores / Bugfixes

  • #230 fix: disable cache maps when "Use Object Cache" is disabled.