Releases: strawberry-graphql/strawberry
0.314.1
This release attaches error details to Apollo Federation inline tracing (FTV1) trace nodes. This was missing in the original FTV1 addition made in 0.314.0.
When a resolver raises an exception, the error message, location, and path are now included in the corresponding trace node, allowing Apollo Studio to display error information alongside timing data.
This release was contributed by @FineAndDanD in #4351
Additional contributors: @bellini666
0.314.0
This release adds support for Apollo Federation inline tracing (FTV1).
When a request includes the apollo-federation-include-trace: ftv1 header, Strawberry now records per-resolver timing information and includes it in the response under extensions.ftv1 as a base64-encoded protobuf message, following the Apollo Federation trace format. This allows an Apollo Gateway to aggregate subgraph traces and report them to Apollo Studio.
Install the new optional extra to pull in the required protobuf dependency:
```shell
pip install 'strawberry-graphql[apollo-federation]'
```

Use the async extension for async schemas:

```python
import strawberry
from strawberry.extensions.tracing import ApolloFederationTracingExtension


@strawberry.type
class Query:
    @strawberry.field
    def hello(self) -> str:
        return "Hello, world!"


schema = strawberry.Schema(
    query=Query,
    extensions=[ApolloFederationTracingExtension],
)
```

Or the sync version when running outside of an async context:

```python
from strawberry.extensions.tracing import ApolloFederationTracingExtensionSync

schema = strawberry.Schema(
    query=Query,
    extensions=[ApolloFederationTracingExtensionSync],
)
```

Security: any client can send the apollo-federation-include-trace: ftv1 header unless you restrict it. Tracing payloads expose resolver timing details, so make sure only a trusted Apollo Gateway (or other internal traffic) can request traces, for example by enforcing authentication, network policy, or stripping the header from public requests at the edge.
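One way to strip the header in-process when no edge proxy does it, as an added example that is not part of the Strawberry release notes or code base: a pure ASGI middleware that removes apollo-federation-include-trace from any request whose peer is outside a trusted network. The class name, the `demo` helper, the `10.0.0.0/8` gateway range and the sample request are assumptions constructed for illustration, and the check assumes `scope["client"]` is the real peer address rather than a shared reverse proxy.

```python
import asyncio
import ipaddress

TRACE_HEADER = b"apollo-federation-include-trace"  # header name from the release notes


class StripFederationTraceHeader:
    """Pure ASGI middleware: drop the FTV1 trace header unless the peer is trusted."""

    def __init__(self, app, trusted_networks):
        self.app = app
        self.trusted = [ipaddress.ip_network(n) for n in trusted_networks]

    def _is_trusted(self, scope):
        client = scope.get("client")  # (host, port) or None per the ASGI spec
        if not client:
            return False  # unknown peer: fail closed
        try:
            addr = ipaddress.ip_address(client[0])
        except ValueError:
            return False  # not an IP address, e.g. a unix socket path
        return any(addr in net for net in self.trusted)

    async def __call__(self, scope, receive, send):
        if scope["type"] in ("http", "websocket") and not self._is_trusted(scope):
            # ASGI header names arrive as lowercased bytes; lower() again defensively.
            headers = [(k, v) for k, v in scope.get("headers", [])
                       if k.lower() != TRACE_HEADER]
            scope = {**scope, "headers": headers}
        await self.app(scope, receive, send)


def demo(client_ip):
    """Send one constructed request through the middleware; return header names the app sees."""
    seen = []

    async def inner_app(scope, receive, send):  # stand-in for the Strawberry ASGI app
        seen.extend(k for k, _ in scope["headers"])

    # Assumed gateway range; replace with the network your Apollo Gateway runs in.
    app = StripFederationTraceHeader(inner_app, trusted_networks=["10.0.0.0/8"])
    scope = {
        "type": "http",
        "client": (client_ip, 54321),
        "headers": [(b"content-type", b"application/json"), (TRACE_HEADER, b"ftv1")],
    }
    asyncio.run(app(scope, None, None))
    return seen
```

With the header removed, the tracing extension never sees a trace request from untrusted peers, so no extensions.ftv1 payload is produced for them.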
Release contributed by @bellini666 via #4136
🍓 0.313.0
🍓 0.312.4
Fix a memory leak in the graphql-transport-ws WebSocket handler where completed
task objects would accumulate in a list between messages. Task cleanup now uses
asyncio.Task.add_done_callback for immediate cleanup instead of deferred reaping.
Releases contributed by @bellini666 via #4345
🍓 0.312.3
This release fixes two security vulnerabilities in the WebSocket subscription
handlers (CVE-2026-35526, CVE-2026-35523).
CVE-2026-35526 - Authentication bypass in graphql-ws: The legacy
graphql-ws protocol handler didn't verify that the connection_init
handshake was completed before accepting start messages, allowing clients
to bypass any authentication logic in on_ws_connect. The connection is now
closed with 4401 Unauthorized if the handshake hasn't been completed.
CVE-2026-35523 - Unbounded subscriptions per connection: Both WebSocket
protocol handlers allowed unlimited concurrent subscriptions on a single
connection, making it possible for a malicious client to exhaust server
resources. A new max_subscriptions_per_connection parameter has been added
to all views (default: 100). Set it to None to disable the limit.
Example:
```python
import strawberry
from strawberry.fastapi import GraphQLRouter

schema = strawberry.Schema(query=Query, subscription=Subscription)

# default is 100, set to None to disable the limit
graphql_app = GraphQLRouter(schema, max_subscriptions_per_connection=50)
```

Releases contributed by @patrick91 via #4344
🍓 0.312.2
🍓 0.312.1
Fix Annotated metadata being lost on optional union types
When using Annotated[A | B | None, strawberry.union("MyUnion")],
the custom union name and other metadata would be dropped during None stripping, causing the schema to fall back to an auto-generated name
(e.g. "AB" instead of "MyUnion").
Releases contributed by @GabrielTDS-dev via #4321