This week's Java roundup for March 20th, 2023, features news from OpenJDK, JDK 20, JDK 21, Amazon Corretto 20, BellSoft Liberica JDK 20, multiple Spring milestone and point releases, Quarkus 3.0.0.Beta1 and 2.16.5, Helidon 3.2.0, Open Liberty 23.0.0.3-beta, Micronaut 4.0.0-M1, Camel Quarkus 3.0.0-M1, JBang 0.105.1, Failsafe 3.3.1, Maven 3.9.1 and Gradle 8.1-RC1.
OpenJDK
JEP 431, Sequenced Collections, has been promoted from Proposed to Target to Targeted status for JDK 21. This JEP proposes to introduce "a new family of interfaces that represent the concept of a collection whose elements are arranged in a well-defined sequence or ordering, as a structural property of the collection." The motivation is the lack of a well-defined ordering and a uniform set of operations within the Collections Framework. More details on JEP 431 may be found in this InfoQ news story.
JEP 443, Unnamed Patterns and Variables (Preview), was promoted from JEP Draft 8294349 to Candidate status this past week. This preview JEP proposes to "enhance the language with unnamed patterns, which match a record component without stating the component's name or type, and unnamed variables, which can be initialized but not used." Both of these are denoted by the underscore character as in r instanceof _(int x, int y) and r instanceof _.
JDK 20
Oracle has released version 20 of the Java programming language and virtual machine, which ships with a final feature set of seven JEPs. More details may be found in this InfoQ news story.
JDK 21
Build 15 of the JDK 21 early-access builds was also made available this past week featuring updates from Build 14 that include fixes to various issues. Further details on this build may be found in the release notes.
For JDK 20 and JDK 21, developers are encouraged to report bugs via the Java Bug Database.
Amazon Corretto
Amazon has released Amazon Corretto 20, their downstream distribution of OpenJDK 20, which is available on Linux, Windows, and macOS. Developers may download this latest version from this site.
Liberica JDK
Similarly, BellSoft has released Liberica JDK 20, their downstream distribution of OpenJDK 20. Developers may download this latest version from this site.
Spring Framework
It was a very busy week over at Spring as the project teams delivered milestone and point releases of Spring Boot, Spring Framework, Spring Data, Spring Integration, Spring Vault, Spring for GraphQL, Spring Authorization Server, Spring HATEOAS and Spring Modulith. Some of these releases address these Common Vulnerabilities and Exposures (CVEs):
- CVE-2023-20859, Insertion of Sensitive Information into Log Sourced from Failed Revocation of Tokens, a vulnerability in which an application is open to the insertion of sensitive information into a log file when it attempts to revoke a Spring Vault batch token.
- CVE-2023-20860, Security Bypass With Un-Prefixed Double Wildcard Pattern, a vulnerability in which using '**' as a pattern in Spring Security configuration with the MvcRequestMatcher class creates a mismatch in pattern matching between Spring Security and Spring MVC with the potential for a security bypass.
- CVE-2023-20861, Spring Expression DoS Vulnerability, a vulnerability in which an attacker can provide a specially crafted Spring Expression Language (SpEL) expression that may lead to a Denial-of-Service condition.
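The following is an added example, not code from the article or from the Spring projects, showing the un-prefixed '**' pattern that CVE-2023-20860 describes next to the '/**' form that Spring Security and Spring MVC interpret the same way. The class name and the injected HandlerMappingIntrospector bean are assumptions; the MvcRequestMatcher.Builder API is the one available in Spring Security 6.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

// Added example (not the article's or Spring's own code); class name is assumed.
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
                                    HandlerMappingIntrospector introspector) throws Exception {
        // MvcRequestMatcher asks Spring MVC how a request maps, so the pattern text must be
        // one that Spring Security and Spring MVC read identically.
        MvcRequestMatcher.Builder mvc = new MvcRequestMatcher.Builder(introspector);

        http.authorizeHttpRequests(auth -> auth
                // Public, narrowly scoped routes first; these always carry a leading slash.
                .requestMatchers(mvc.pattern("/public/**")).permitAll()

                // Weak form (CVE-2023-20860): an un-prefixed double wildcard. Before
                // Spring Framework 6.0.7 / 5.3.26 the two sides could disagree on what
                // "**" covers, so a request could reach a handler without this rule applying.
                // .requestMatchers(mvc.pattern("**")).authenticated()

                // Hardened form: the slash-prefixed catch-all, which both sides match alike.
                .requestMatchers(mvc.pattern("/**")).authenticated()
        );
        return http.build();
    }
}
```

Besides replacing the pattern, confirm the Spring Framework version on the classpath is at least 6.0.7 or 5.3.26, since that is where the matching mismatch itself was fixed.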
The release of Spring Boot 3.0.5 delivers improvements in documentation, dependency upgrades and notable bug fixes such as: the EmbeddedWebServerFactoryCustomizerAutoConfiguration class should not be invoked when the embedded web server is not configured; the @ConfigurationProperties annotation no longer works on mutable Kotlin data classes; and the use of the @EntityScan annotation causes an AOT instance supplier code generation error. More details on this release may be found in the release notes.
Similarly, the release of Spring Boot 2.7.10 ships with improvements in documentation, dependency upgrades and notable bug fixes such as: loading an application.yml file fails with a NoSuchMethodError exception when using SnakeYAML 2.0; an instance of the StandardConfigDataResource class can import the same file twice if the classpath includes the '.' character; and a Maven plugin uses timezone-local timestamps when the project.build.outputTimestamp property is used. Further details on this release may be found in the release notes.
The second release candidate of Spring Boot 3.1.0 provides new features such as: a new method, withSanitizedValue(), in the SanitizableData class that returns a new instance with a sanitized value; support for auto-configuration of GraphQL pagination and sorting; and support for Spring Authorization Server. More details on this release may be found in the release notes.
Versions 6.0.7 and 5.3.26 of Spring Framework have been released to primarily address the aforementioned CVE-2023-20860 and CVE-2023-20861 vulnerabilities. Both versions also deliver new features such as: improved diagnostics in SpEL for the matches operator and repeated text; updates to the HandlerMappingIntrospector class; and SnakeYaml 2.0 runtime compatibility. Further details on these releases may be found in the release notes for version 6.0.7 and version 5.3.26.
The release of Spring Framework 5.2.23 also addresses the CVE-2023-20861 vulnerability and provides the same new SpEL features as Spring Framework 5.3.26. More details on this release may be found in the release notes.
Versions 2023.0-M1, codenamed Ullman, 2022.0.4 and 2021.2.10 of Spring Data have been released this past week. The service releases include bug fixes and improvements in documentation, and may be consumed in Spring Boot 3.0.5 and 2.7.10, respectively. New features in the milestone release include: a new scroll API to support offset and key-based pagination; improvements in JPA query parsing for HQL and JPQL; support for explicit field level encryption in MongoDB; and aggregate reference request parameters in Spring Data REST. Further details on the milestone release may be found in the release notes.
Versions 6.1.0-M2, 6.0.4 and 5.5.17 of Spring Integration have been released featuring notable changes such as: improvements in the LockRegistryLeaderInitiator class such that calling a target lock provider is delayed if the current thread has been interrupted; improvements to the AbstractRemoteFileStreamingMessageSource class for remote calls; and a fix for the relationship between the code coverage tools, Sonar and JaCoCo. More details on these releases may be found in the release notes for version 6.1.0-M2, version 6.0.4 and version 5.5.17.
Versions 3.0.2 and 2.3.3 of Spring Vault have been released to address the aforementioned CVE-2023-20859 vulnerability and deliver new features such as: refined logging after token revocation failure; reuse of library-specific configuration code in the ClientHttpRequestFactoryFactory and ClientHttpConnectorFactory classes; and AWS IAM Authentication in the EnvironmentVaultConfiguration class. Further details on these releases may be found in the release notes for version 3.0.2 and version 2.3.3.
The first milestone release of Spring for GraphQL 1.2.0 delivers new features such as: support for pagination return values and pagination requests in methods annotated with @SchemaMapping; support for custom instances of the HandlerMethodArgumentResolver interface; and a dependency upgrade to GraphQL Java 20.0. More details on this release may be found in the release notes.
Versions 1.1.3 and 1.0.4 of Spring for GraphQL have been released with new features: access to request attributes and cookies in the WebGraphQlInterceptor interface; and a fix in which an instance of the ContextDataFetcherDecorator class ignores subscriptions when their name has changed. These releases will also be consumed in Spring Boot 3.0.5 and 2.7.10, respectively. Further details on these releases may be found in the release notes for version 1.1.3 and version 1.0.4.
The second milestone release of Spring Authorization Server 1.1.0 ships with bug fixes, dependency upgrades and new features: an implementation of RFC 8628, OAuth 2.0 Device Authorization Grant; and enabling the upgradeEncoding() method defined in the PasswordEncoder interface for OAuth2 client secrets. More details on this release may be found in the release notes.
Versions 2.1-M1, 2.0.3 and 1.5.4 of Spring HATEOAS have been released this past week. The service releases include improvements in documentation and dependency upgrades. The milestone release features: support for property metadata on forms using the @Size annotation as defined in JSR-303, Bean Validation; and a new SlicedModel class, a simplified version of the PagedModel class, to navigate slices without calculating a total. Further details on these releases may be found in the release notes for version 2.1-M1, version 2.0.3 and version 1.5.4.
The release of Spring Modulith 0.5.1 provides a significant bug fix in which the spring-modulith-runtime module accidentally contained a Logback configuration file that was only intended for test usage. There was also a dependency upgrade to Spring Boot 3.0.5. More details on this release may be found in the release notes.
The Spring Data JPA team has introduced HQL and JPQL query parsers for developers to more easily customize queries in Spring Data JPA applications in conjunction with the @Query annotation.
Quarkus
The first beta release of Quarkus 3.0.0 features support for a management interface that exposes selected routes, i.e., management routes, to a different HTTP server that avoids exposing these routes on the main HTTP server, which could lead to leaks and undesired access to these endpoints. Further details on this release may be found in the changelog.
Quarkus 2.16.5.Final, the fifth maintenance release, ships with notable changes such as: filtering out a RESTEasy-related warning from executing the test class, ProviderConfigInjectionWarningsTest; a fix for the NullPointerException upon loading workspace modules; and preventing server-side events from the MessageBodyWriter potentially writing an accumulation of headers. More details on this release may be found in the changelog.
Helidon
Oracle has released Helidon 3.2.0 that ships with changes such as: a fix on the overloaded create() methods defined in the WriteableMultiPart class; a fix for erroneous behavior closing a database connection within the JtaConnection class; and a dependency upgrade to SnakeYAML 2.0. It is important to note that there are breaking changes in SnakeYAML 2.0. A Helidon application may be impacted if SnakeYAML is used directly. It is still possible, however, to upgrade an application to Helidon 3.2.0 with a downgraded SnakeYAML 1.3.2. Further details on this release may be found in the release notes.
Open Liberty
IBM has released Open Liberty 23.0.0.3-beta featuring support for JDK 20, Jakarta EE 10 Platform and MicroProfile 6.0.
Micronaut
The Micronaut Foundation has provided the first milestone release of Micronaut Framework 4.0.0 featuring: experimental support for Kotlin Symbol Processing; support for virtual threads; improved error messages for missing beans; and support for filter methods.
Apache Software Foundation
As disclosed by the Apache Tomcat team, CVE-2023-28708 is a vulnerability in which, when using the RemoteIpFilter class with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This vulnerability could result in an attacker transmitting a session cookie over an insecure channel. Tomcat versions affected by this vulnerability include: 11.0.0-M1 to 11.0.0-M2; 10.1.0-M1 to 10.1.5; 9.0.0-M1 to 9.0.71; and 8.5.0 to 8.5.85.
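The following is an added example, not code from the article or from Tomcat, that checks a deployment for the CVE-2023-28708 condition from the defender's side: it issues the request shape the advisory describes (plain HTTP to Tomcat as a proxy would send it, with X-Forwarded-Proto: https) and reports whether every session cookie in the response carries the Secure attribute. The target URL is a placeholder, the endpoint is assumed to create a session, and the check assumes the default JSESSIONID cookie name.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.List;
import java.util.Locale;

// Added example (not the article's or Tomcat's own code); class name is assumed.
public class SessionCookieSecureCheck {

    // Returns true when every Set-Cookie header that sets a JSESSIONID cookie includes
    // the Secure attribute; a missing attribute is the symptom the advisory describes.
    static boolean allSessionCookiesSecure(List<String> setCookieHeaders) {
        for (String header : setCookieHeaders) {
            String lower = header.toLowerCase(Locale.ROOT);
            if (!lower.startsWith("jsessionid=")) {
                continue; // only session cookies matter for this check
            }
            boolean secure = false;
            for (String attribute : lower.split(";")) {
                if (attribute.trim().equals("secure")) {
                    secure = true;
                    break;
                }
            }
            if (!secure) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder: the plain-HTTP address at which the reverse proxy reaches Tomcat.
        String target = args.length > 0 ? args[0] : "http://tomcat.internal.example:8080/";
        HttpRequest request = HttpRequest.newBuilder(URI.create(target))
                .header("X-Forwarded-Proto", "https")   // what a TLS-terminating proxy sends
                .GET()
                .build();
        HttpResponse<Void> response = HttpClient.newHttpClient()
                .send(request, HttpResponse.BodyHandlers.discarding());
        List<String> setCookies = response.headers().allValues("Set-Cookie");
        if (setCookies.isEmpty()) {
            System.out.println("No Set-Cookie header; pick an endpoint that creates a session.");
        } else if (allSessionCookiesSecure(setCookies)) {
            System.out.println("OK: session cookies carry the Secure attribute.");
        } else {
            System.out.println("FAIL: session cookie without Secure behind X-Forwarded-Proto: https.");
        }
    }
}
```

Run it from a host that RemoteIpFilter trusts as a proxy (its internalProxies or trustedProxies setting), otherwise the header is ignored and the check says nothing about the vulnerability.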
The first milestone release of Camel Quarkus 3.0.0, containing Quarkus 3.0.0.Alpha5 and Camel 4.0.0-M2, is the first Camel Quarkus release featuring a baseline of JDK 17 and Jakarta EE 10. Other notable changes include: deprecation of the ReflectiveClassBuildItem class; a fix for the exception thrown using the PerfRegressionIT class while testing with Camel 4 and Quarkus 3; and a split of Infinispan testing into separate modules for the Quarkus- and Camel-managed clients. More details on this release may be found in the release notes.
JBang
Versions 0.105.1 and 0.105.2 of JBang deliver notable changes such as: an improved jbang edit command that assumes one of the supported JBang IDE plugins is installed; continued improvements using modulepath over classpath; the jbang export jlink command, now an option that allows developers to export a JBang application or script with an embedded Java runtime; and a fix for the Apple Silicon VSCodium download.
Failsafe
Failsafe, a lightweight, zero-dependency library for handling failures in Java 8+, has released version 3.3.1 featuring API changes such as: the addition of full Java module descriptors to the Failsafe JARs; and the release of execution references inside instances of the CompletableFuture class provided by Failsafe. Further details on this release may be found in the changelog.
Maven
Maven 3.9.1 has been released with improvements such as: an improved "missing dependency" error message; a performance enhancement that replaces any non-regular-expression patterns passed to the replaceAll() method with the replace() method or precompiled patterns; and deprecation of the Mojo plugin parameter expression, ${localRepository}, because an instance of the ArtifactFactory interface injected by ${localRepository} is not compatible with the Maven Resolver interface, LocalRepositoryManager, due to a lack of context.
Gradle
The first release candidate of Gradle 8.1 delivers: continued improvements in the configuration cache, now considered stable; continued improvements in the Kotlin DSL, an alternative to the Groovy DSL, that includes an experimental simple property assignment in Kotlin DSL scripts; and support for JDK 20. More details on this release may be found in the release notes.