This release fixes two security vulnerabilities in the WebSocket subscription
handlers (CVE-2026-35526, CVE-2026-35523).

CVE-2026-35526 - Authentication bypass in graphql-ws: The legacy
graphql-ws protocol handler didn't verify that the connection_init
handshake was completed before accepting start messages, allowing clients
to bypass any authentication logic in on_ws_connect. The connection is now
closed with 4401 Unauthorized if the handshake hasn't been completed.

CVE-2026-35523 - Unbounded subscriptions per connection: Both WebSocket
protocol handlers allowed unlimited concurrent subscriptions on a single
connection, making it possible for a malicious client to exhaust server
resources. A new max_subscriptions_per_connection parameter has been added
to all views (default: 100). Set it to None to disable the limit.

Example:

import strawberry
from strawberry.fastapi import GraphQLRouter

schema = strawberry.Schema(query=Query, subscription=Subscription)

# default is 100, set to None to disable the limit
graphql_app = GraphQLRouter(schema, max_subscriptions_per_connection=50)

Releases contributed by @patrick91 via #4344

Fix compatibility with Starlette 1.0.0 in the dev server by replacing
removed add_route/add_websocket_route methods with Route/WebSocketRoute
objects passed to the Starlette constructor.

Releases contributed by @bellini666 via #4328

Fix Annotated metadata being lost on optional union types

When using Annotated[A | B | None, strawberry.union("MyUnion")],
the custom union name and other metadata would be dropped during None stripping, causing the schema to fall back to an auto-generated name
(e.g. "AB" instead of "MyUnion").

Releases contributed by @GabrielTDS-dev via #4321

strawberry.asdict now recursively unwraps Some() container values and removes keys with the UNSET value.

Releases contributed by @GriceTurrble via #4320

Fix UnallowedReturnTypeForUnion when using a generic type with a union
TypeVar (e.g. Collection[A | B]) inside an outer union
(Collection[A | B] | Error).

Releases contributed by @bellini666 via #4302

Fix TypeError: unhashable type: 'EnumAnnotation' when using Annotated enums as resolver parameter types (e.g., Annotated[Color, strawberry.enum()]).

Releases contributed by @bellini666 via #4305

This release fixes an InvalidStateError crash in the DataLoader when a batch
load function raises an exception and some futures in the batch have already been
cancelled (e.g. due to client disconnection).

The error handler in dispatch_batch now skips cancelled futures before calling
set_exception, matching the guard that already exists in the success path
(added in #2339).

Releases contributed by @ben-xo via #4300

Enums can now be registered via Annotated. The preferred way is still using
@strawberry.enum as a decorator, but when you need to expose an existing enum
under a different name or alias, Annotated works as a proper type alias in all
type checkers:

from typing import Annotated
from enum import Enum
import strawberry


class IceCreamFlavour(Enum):
    VANILLA = "vanilla"
    STRAWBERRY = "strawberry"
    CHOCOLATE = "chocolate"


MyIceCreamFlavour = Annotated[
    IceCreamFlavour, strawberry.enum(description="Ice cream flavours")
]


@strawberry.type
class Query:
    @strawberry.field
    def flavour(self) -> MyIceCreamFlavour:
        return IceCreamFlavour.VANILLA

Releases contributed by @bellini666 via #4293

The strawberry mypy plugin has been restored with minimal support for
strawberry.experimental.pydantic types. If you use pydantic integration,
add the plugin to your mypy configuration:

[mypy]
plugins = pydantic.mypy, strawberry.ext.mypy_plugin

Releases contributed by @bellini666 via #4292

Fix sync execution crash with graphql-core 3.3 where execute_sync() would return a coroutine
instead of an ExecutionResult, causing RuntimeError: There is no current event loop,
because graphql-core 3.3's is_async_iterable default treats objects with __aiter__
(like Django QuerySets) as async iterables.

Now passes is_async_iterable=lambda _x: False during sync execution to prevent this.

Note: graphql-core >= 3.3.0a12 is now the minimum required version for the 3.3.x series.

Releases contributed by @bellini666 via #4267