gorm-graphql 2.0.1 pulls in graphql-java 14.1 which has multiple CVEs against it.
Even on the 3.0.x branch, it still only pulls in graphql-java 17.3 which still has the 2023 CVE against it.
Unfortunately there are breaking changes between graphql-java 14.x and the versions needed to fix these vulnerabilities, so forcing the version difference doesn't seem to be an option.
Specifically, here's the error we were seeing:

```
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'graphQL': Cannot resolve reference to bean 'graphQLSchema' while setting constructor argument;
  nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'graphQLSchemaGenerator': Cannot resolve reference to bean 'graphQLTypeManager' while setting bean property 'typeManager';
  nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'graphQLTypeManager': Bean instantiation via constructor failed;
  nested exception is java.lang.NoSuchFieldError: GraphQLLong
```
Attempting a workaround now of defining our own TypeManager that uses types from graphql-java 20.2.