This week's Java roundup for November 27th, 2023, features news from OpenJDK, JDK 22, Jakarta Data 1.0-M2, JNoSQL 1.0.3, LibericaJDK, Spring CVEs, Spring Shell 3.2.0-RC1, Quarkus 3.6, Open Liberty 23.0.12-beta, Helidon 4.0.1, Hibernate Reactive 2.2, Hibernate Search 7.1-A1, Grails 5.3.4, Groovy 5.0.0-A3, Camel Quarkus 3.6, Maven 3.9.6, JDKMon 21, PrimeFaces 12.0.7, Jupyter for Java and Gradle 8.5.
OpenJDK
After its review concluded, JEP 463, Implicitly Declared Classes and Instance Main Methods (Second Preview), has been promoted from Proposed to Target to Targeted for JDK 22. Formerly known as Unnamed Classes and Instance Main Methods (Preview), Flexible Main Methods and Anonymous Main Classes (Preview) and Implicit Classes and Enhanced Main Methods (Preview), this JEP incorporates enhancements in response to feedback from the previous round of preview, namely JEP 445, Unnamed Classes and Instance Main Methods (Preview). This JEP proposes to "evolve the Java language so that students can write their first programs without needing to understand language features designed for large programs." This JEP moves forward the September 2022 blog post, Paving the on-ramp, by Brian Goetz, Java language architect at Oracle. Gavin Bierman, consulting member of technical staff at Oracle, has published the first draft of the specification document for review by the Java community. More details on JEP 445 may be found in this InfoQ news story.
After its review concluded, JEP 462, Structured Concurrency (Second Preview), has been promoted from Proposed to Target to Targeted for JDK 22. This JEP will propose to re-preview the API in JDK 22, without change, in order to gain more feedback from the previous round of preview: JEP 453, Structured Concurrency (Preview), delivered in JDK 21. This feature simplifies concurrent programming by introducing structured concurrency to "treat groups of related tasks running in different threads as a single unit of work, thereby streamlining error handling and cancellation, improving reliability, and enhancing observability."
After its review concluded, JEP 461, Stream Gatherers (Preview), has been promoted from Proposed to Target to Targeted for JDK 22. This JEP proposes to enhance the Stream API to support custom intermediate operations. "This will allow stream pipelines to transform data in ways that are not easily achievable with the existing built-in intermediate operations." Further details on this JEP may be found in the original design document written by Viktor Klang, software architect, Java Platform Group at Oracle.
After its review concluded, JEP 458, Launch Multi-File Source-Code Programs, has been promoted from Proposed to Target to Targeted for JDK 22. This JEP proposes to enhance the Java Launcher to execute an application supplied as one or more files of Java source code. This allows a more gradual transition from small applications to larger ones by postponing a full-blown project setup.
After its review concluded, JEP 457, Class-File API (Preview), has been promoted from Proposed to Target to Targeted for JDK 22. This JEP proposes to provide an API for parsing, generating, and transforming Java class files. This will initially serve as an internal replacement for ASM, the Java bytecode manipulation and analysis framework, in the JDK, with plans to have it opened as a public API. Brian Goetz, Java language architect at Oracle, characterized ASM as "an old codebase with plenty of legacy baggage" and provided background information on how this draft will evolve and ultimately replace ASM.
After its review concluded, JEP 423, Region Pinning for G1, has been promoted from Proposed to Target to Targeted for JDK 22. This JEP proposes to reduce GC latency by implementing region pinning to the G1 garbage collector. This will extend G1 so that arbitrary regions may be pinned during both major and minor collection operations so that disabling the garbage collection process may be avoided while implementing JNI critical regions.
JEP 464, Scoped Values (Second Preview), has been promoted from its JEP Draft 8318898 to Candidate status, then quickly promoted to Proposed to Target for JDK 22. Formerly known as Extent-Local Variables (Incubator), this JEP proposes to re-preview the API in JDK 22, without change, in order to gain additional experience and feedback from the previous round of preview, JEP 446, Scoped Values (Preview), delivered in JDK 21, and JEP 429, Scoped Values (Incubator), delivered in JDK 20. This feature enables sharing of immutable data within and across threads. This is preferred to thread-local variables, especially when using large numbers of virtual threads. The review is expected to conclude on December 7, 2023.
JDK 22
Build 26 of the JDK 22 early-access builds was made available this past week featuring updates from Build 25 that include fixes to various issues. More details on this build may be found in the release notes.
For JDK 22, developers are encouraged to report bugs via the Java Bug Database.
Jakarta EE
The second milestone release of Jakarta Data 1.0.0 provides: a rename of artifact names, e.g., jakarta-data-api to jakarta.data-api, to align with all the Jakarta EE specifications; a delay in implementing the static metamodel to further work out issues related to reflection and annotation processors; and a refinement on the copyright document to bind values with placeholders. Further details on this release may be found in the release notes.
Version 1.0.3 of Eclipse JNoSQL, the compatible implementation of the Jakarta NoSQL specification, has been released featuring key database upgrades such as: MongoDB driver 4.11.1; Hazelcast 5.3.6; Apache Solr 9.4.0; Couchbase Library 3.4.11; and ArangoDB Library 7.2.0. There were also enhancements implemented in the update methods for improved overall project functionality. More details on this release may be found in the release notes.
BellSoft
BellSoft has released versions 17 and 21 of their Liberica JDK, their downstream distribution of OpenJDK, with Coordinated Restore at Checkpoint (CRaC) that enables developers to build running application snapshots and reduce the startup and warmup time of Java applications. These new builds will be available for x86_64 and AArch64 CPU architectures and Linux operating systems.
Spring Framework
VMware has disclosed two vulnerabilities: CVE-2023-34053, Spring Framework Server Web Observations DoS Vulnerability; and CVE-2023-34055, Spring Boot Server Web Observations DoS Vulnerability, that affect Spring Framework versions 6.0.0 to 6.0.13 and Spring Boot versions 3.1.0 to 3.1.5, 3.0.0 to 3.0.12 and 2.7.0 to 2.7.17. Both of these vulnerabilities allow an attacker to provide specially crafted HTTP requests that may cause a denial-of-service under the following conditions:
- The application uses Spring MVC or Spring WebFlux.
- The io.micrometer:micrometer-core artifact is on the classpath.
- An implementation of the Micrometer ObservationRegistry interface is configured in the application to record observations.
Developers are therefore encouraged to upgrade to Spring Framework 6.0.14 and Spring Boot 2.7.18, 3.0.13 and 3.1.6.
Versions 3.2.0-RC1, 3.1.6, 3.0.10 and 2.1.15 of Spring Shell have been released featuring bug fixes and dependency upgrades to Spring Boot 3.2.0, 3.1.6, 3.0.13 and 2.7.18, respectively. The 3.0 and 2.1 release trains have been declared as end-of-life in conjunction with their Spring Boot counterparts. New features in version 3.2.0-RC1 and 3.1.6 include: support for zsh completions and modal views; and minor changes to the Terminal UI. Further details on this release may be found in the release notes for version 3.2.0-RC1, version 3.1.6, version 3.0.10 and version 2.1.15.
Quarkus
Red Hat has released version 3.6.0 of Quarkus featuring notable changes such as: support for custom authorization schemes for OIDC bearer tokens; improvements to server-sent events (SSEs) that allow a REST client to return the entire SSE event and for these events to be filtered; and support for expressions in the @SecureField annotation similar to that of the Jakarta Annotations @RolesAllowed annotation. More details on this release may be found in the changelog.
Red Hat has also announced that JDK 17 will be the minimal version for the upcoming release of Quarkus 3.7, scheduled to be released at the end of January 2024. InfoQ will follow up with a more detailed news story.
Open Liberty
IBM has released version 23.0.0.12-beta of Open Liberty featuring support for Jakarta Data 1.0.0-M1 that includes: a new BasicRepository interface for basic repository methods; new insert() and update() methods in the CrudRepository interface; and new @Insert, @Update, @Delete and @Save annotations. This release also delivers a configurable quiesce timeout stage for when the shutdown of the Liberty runtime takes longer than the default of 30 seconds. This allows for services that need more time to finish processing requests.
Helidon
Helidon 4.0.1, the first maintenance release, delivers notable changes such as: support for the Proxy Protocol for the Helidon Web Server component; performance improvements to the WebServer interface; and the enabled() method defined in the CrossOriginConfig.Builder class now returns an Optional<Boolean> instead of boolean to resolve a CORS issue. Further details on this release may be found in the changelog.
Similarly, the release of Helidon 3.2.4 provides dependency upgrades and notable changes such as: a collection of new classes for lazy OCI Vault configurations; a migration of OpenTracing-related classes and interfaces to the Helidon Tracing API; and a resolution to correctly handle IPv6 addresses for a requested URL. More details on this release may be found in the changelog.
Hibernate
The release of Hibernate Reactive 2.2.0.Final ships with compatibility with Hibernate ORM 6.4.0.Final and Vert.x SQL driver 4.5.0. Red Hat has also provided versions 2.2.1.Final and 2.0.7.Final that are compatible with Hibernate ORM versions 6.3.2.Final and 6.2.13.Final, respectively. Further details on this release may be found in the release notes.
The first alpha release of Hibernate Search 7.1.0 provides an incubating feature that allows a vector search in the Apache Lucene backend and provides tools to search over binary or text data. Also, Hibernate Search will no longer fail to boot when reading nested JARs in Spring Boot 3.2+. More details on this release may be found in the release notes.
Grails Foundation
The release of Grails 5.3.4 delivers dependency upgrades and notable changes such as: enabling the GitHub CodeQL workflow for all main branches; the addition of a SnakeYAML bill of materials (BOM) to override the Spring Boot BOM; and a cleanup of the JavaDocs that includes escaping special characters, refactoring code, defining explicit types and removing unnecessary uses of variables. Further details on this release may be found in the release notes.
Apache Software Foundation
The third alpha release of Apache Groovy 5.0.0 ships with bug fixes, dependency upgrades and improvements such as: support for JDK 22; implementation of missing features from the library compiler in the groovyc command line; and new indexOf(element) extension methods for array types. More details on this release may be found in the release notes.
Similarly, the release of Apache Groovy 4.0.16 also provides bug fixes, dependency upgrades and improvements such as: support for JDK 22; and a new allThreads() method defined in the DefaultGroovyStaticMethods class to complement the existing currentThread() method defined in the Java Thread class. Further details on this release may be found in the release notes.
To maintain alignment with Quarkus, Camel Quarkus 3.6.0 has been released featuring resolved issues such as: an intermittent AssertionFailedError upon executing the QuartzQuarkusSchedulerAutowiredWithSchedulerBeanTest class; and a cleanup of usage of hard-coded hosts in tests that use containers. More details on this release may be found in the release notes.
The release of Apache Maven 3.9.6 provides dependency upgrades and the ability to exclude plugins from validation. Further details on this release may be found in the release notes.
JDKMon
Version 21.0.0 of JDKMon, a tool that monitors and updates installed JDKs, has been made available this past week. Created by Gerrit Grunwald, principal engineer at Azul, this new version features full support for JDK 21 by moving all dependencies to the latest LTS version.
PrimeFaces
Versions 12.0.7, 11.0.13, 10.0.20 and 8.0.25 of PrimeFaces have been released featuring an upgrade to JSON in Java 20231013 to resolve CVE-2023-5072, a vulnerability that allows an attacker to take advantage of a bug in the JSON parser such that an input string of modest size can lead to indefinite amounts of memory being used and cause a denial of service. More details on these releases may be found in the release notes for version 12.0.7, version 11.0.13, version 10.0.20 and version 8.0.25.
Jupyter for Java
Jupyter for Java is a new GitHub organization created to simplify the discovery of various ways to use Java with Jupyter notebooks. Created by Max Rydahl Andersen, distinguished engineer at Red Hat, this project currently contains five repositories that provide resources and examples.
Gradle
The release of Gradle 8.5.0 delivers new features such as: full support for compiling, testing and running on JDK 21; improvements in the Kotlin DSL that include faster first use and version catalog support in precompiled Kotlin script plugins; and improved reporting of errors and warnings. Further details on this release may be found in the release notes.