This week's Java roundup for September 9th, 2024, features news highlighting: the September 2024 Payara Platform, Piranha Cloud and Micrometer releases, Spring Framework 6.2.0-RC1, Spring Data 2024.1.0-M1, JBang 0.118.0 and Groovy 5.0.0-alpha-10.
JDK 23
Build 37 remains the current build in the JDK 23 early-access builds. Further details on this release may be found in the release notes and details on the new JDK 23 features may be found in this InfoQ news story.
JDK 24
Build 15 of the JDK 24 early-access builds was made available this past week featuring updates from Build 14 that include fixes for various issues. More details on this release may be found in the release notes.
For JDK 23 and JDK 24, developers are encouraged to report bugs via the Java Bug Database.
GraalVM
Oracle Labs has released version 0.10.3 of Native Build Tools, a GraalVM project consisting of plugins for interoperability with GraalVM Native Image. This latest release provides notable changes such as: a refactor of the MergeAgentFilesMojo
class (and related classes) to remove the macro from the merger
init
command and throw a more informative message from the MojoExecutionException
if the command doesn't exist; a resolution to incorrect results while parsing command-line arguments due to the presence of whitespaces in the Windows file system; and a resolution to the nativeTest
command unable to be executed when using JUnit 5.11.0-M2. More details on this release may be found in the changelog.
Spring Framework
The first release candidate of Spring Framework 6.2.0 delivers bug fixes, improvements in documentation, dependency upgrades and new features such as: an instance of the ResponseBodyEmitter
now allows the registration of multiple state listeners; a rename of some class names for improved consistency in the org.springframework.http.client
package due to the recent introduction of the ReactorNettyClientRequestFactory
class; and a refactor of the ETag
record class for improved comparison logic and exposing it on methods defined in the HttpHeaders
class. More details on this release may be found in the release notes and what's new page.
Similarly, Spring Framework 6.1.13 has also been released providing bug fixes, improvements in documentation, dependency upgrades and new features such as: errors thrown from the stop()
method, defined in the SmartLifeycle
interface, results in an unnecessary wait for the shutdown timeout; and an end to logging the value of result
after changes made to the WebAsyncManager
class as it was decided to allow applications to do so via other classes. More details on this release may be found in the release notes.
The Spring Framework team has disclosed CVE-2024-38816, Path Traversal Vulnerability in Functional Web Frameworks, a vulnerability in which an attacker can create a malicious HTTP request to obtain any file on the file system that is also accessible to the process on the running Spring application. The resolution was implemented in version 6.1.3 and backported to versions 6.0.4 and 5.3.40.
Versions 2024.1.0-M1, 2024.0.4 and 2023.1.10 of Spring Data have been released feature bug fixes and respective dependency upgrades to sub-projects such as: Spring Data Commons 3.4.0-M1, 3.3.4 and 3.2.10; Spring Data MongoDB 4.4.0-M1, 4.3.4 and 4.2.10; Spring Data Elasticsearch 5.4.0-M1, 5.3.4 and 5.2.10; and Spring Data Neo4j 7.4.0-M1, 7.3.4 and 7.2.10. These versions may be consumed by the upcoming releases of Spring Boot 3.4.0-M3, 3.3.4 and 3.2.10, respectively.
Version 4.25.0 of Spring Tools has been released with notable changes such as: improvements to Microsoft Visual Studio Code with the addition of code lenses to explain SPEL expressions and AOP annotations with Copilot, and syntax highlighting and validation for CRON expressions inside the Spring Framework @Scheduled
annotation. More details on this release may be found in the release notes.
Open Liberty
IBM has released version 24.0.0.9 of Open Liberty featuring: support for the MicroProfile Telemetry 2.0 specification that now includes observability with metrics; the continued use of third-party cookies in Google Chrome with Cookies Having Independent Partitioned State (CHIPS); and a resolution to CVE-2023-50314, a vulnerability in IBM WebSphere Application Server Liberty versions 17.0.0.3 through 24.0.0.8 that would allow an attacker, with access to the network, to conduct spoofing attacks resulting in obtaining a certificate issued by a trusted authority to obtain sensitive information.
Payara
Payara has released their September 2024 edition of the Payara Platform that includes Community Edition 6.2024.9 and Enterprise Edition 6.18.0 and Enterprise Edition 5.67.0. Along with bug fixes and dependency upgrades, all three releases primarily address security issues, namely: an attacker having the ability to inject a malicious URL via a Host header allowing an HTML page generated by the REST interface to target the /management/domain
endpoint; and an exposure in which a new password being logged via the admin GUI when the logging is set to the FINEST
level. Further details on these releases may be found in the release notes for Community Edition 6.2024.9 and Enterprise Edition 6.18.0 and Enterprise Edition 5.67.0.
Micronaut
The Micronaut Foundation has released version 4.6.2 of the Micronaut Framework featuring Micronaut Core 4.6.5, bug fixes, improvements in documentation and updates to modules: Micronaut Data Micronaut OpenAPI/Swagger Support, Micronaut SQL Libraries, Micronaut JAX-RS, Micronaut Cache, Micronaut Views and Micronaut Security. Further details on this release may be found in the release notes.
Quarkus
Quarkus 3.14.3, the second maintenance release (the first one was skipped) delivers bug fixes, dependency upgrades and a new feature that provides initial support for a Software Bill of Materials (SBOM) using the CycloneDX standard. More details on this release may be found in the changelog.
Micrometer
The third milestone release of Micrometer Metrics 1.14.0 provides bug fixes, improvements in documentation, dependency upgrades and new features such as: no registration of metrics from the CaffeineCacheMetrics
class (and related classes) when statistics are not enabled; and a resolution to metrics not being collected when an instance of the Java ExecutorService
interface, wrapped in the monitor()
method, defined in the ExecutorServiceMetrics
class, shuts down. More details on this release may be found in the release notes.
Similarly, versions 1.13.4 and 1.12.10 of Micrometer Metrics feature notable bug fixes: a situation where Spring Boot configuration specifying metric percentiles in a standard application.yaml
file are being overwritten; and a non-resolvable dependency, io.micrometer:concurrency-tests
, incorrectly added to the Bill of Materials (BOM). Further details on these releases may be found in the release notes for version 1.13.4 and version 1.12.10.
Versions 1.4.0-M3, 1.3.4 and 1.2.10 of Micrometer Tracing 1.4.0 provide dependency upgrades and a resolution to a dependency convergence error when trying to use the io.micrometer:micrometer-tracing-bridge-otel
dependency after upgrading to Micrometer Tracing 1.3.1. Further details on these releases may be found in the release notes for version 1.4.0-M3, version 1.3.4 and version 1.2.10.
Apache Software Foundation
Versions 11.0.0-M25, 10.1.29 and 9.0.94 of Apache Tomcat deliver bug fixes, dependency upgrades and notable changes such as: ensure that any instance of the Jakarta Servlet ReadListener
interface is notified via a call to the onError()
method if an HTTP/2 client resets a stream before the servlet request body is fully written; and an improvement in exception handling with methods annotated with the Jakarta WebSocket @OnMessage
annotation that avoids the connection to automatically close. More details on these releases may be found in the release notes for version 11.0.0-M25, version 10.1.29 and version 9.0.94.
A regression affecting these versions, shortly after they were released, was reported and confirmed with configurations using HTTP/2. The Apache Tomcat team recommends a temporary fix by setting the property, discardRequestsAndResponses
, to true
on instances of the UpgradeProtocol
element for HTTP/2. The Tomcat team plans to release a fix for this regression during the week of September 16, 2024.
The tenth alpha release of Apache Groovy 5.0.0 delivers bug fixes, dependency upgrades and improvements that support: method references and method pointers in annotations; and the use of multiple @Requires
, @Ensures
and @Invariant
annotations, located in the groovy-contracts
package, that enable class-invariants, pre- and post-conditions. More details on this release may be found in the release notes.
Similarly, the release of Apache Groovy 4.0.23 features bug fixes and dependency upgrades. More details on this release may be found in the release notes.
Project Reactor
The sixth milestone release of Project Reactor 2024.0.0 provides dependency upgrades to reactor-core 3.7.0-M6
. There was also a realignment to version 2024.0.0-M6 with the reactor-netty 1.2.0-M5
, reactor-pool 1.1.0-M5
, reactor-addons 3.6.0-M2
, reactor-kotlin-extensions 1.3.0-M2
and reactor-kafka 1.4.0-M1
artifacts that remain unchanged. Further details on this release may be found in the changelog.
Next, Project Reactor 2023.0.10, the tenth maintenance release, provides dependency upgrades to reactor-core 3.6.10
. There was also a realignment to version 2023.0.10 with the reactor-netty 1.1.22
, reactor-pool 1.0.8
, reactor-addons 3.5.2
, reactor-kotlin-extensions 1.2.3
and reactor-kafka 1.3.23
artifacts that remain unchanged. More details on this release may be found in the changelog.
Finally, Project Reactor 2022.0.22, the twenty-second maintenance release, provides dependency upgrades to reactor-core 3.5.20
and reactor-netty 1.1.22
and reactor-pool 1.0.8
, reactor-addons 3.5.2
and reactor-kotlin-extensions 1.2.3
. There was also a realignment to version 2022.0.22 with the reactor-kafka 1.3.23
artifacts that remain unchanged. Further details on this release may be found in the changelog. This version is also the last in the 2022.0 release train as per the OSS support schedule.
Piranha Cloud
The release of Piranha 24.9.0 delivers notable changes such as: TCK updates in the Piranha Core Profile to support a number of Jakarta EE specifications (Jakarta Annotations 2.1.1, Jakarta Dependency Injection 2.0.2, Jakarta JSON Binding 3.0.0, etc.); and updates in their Arquillian adapter for improved deployment and un-deployment, and expose the ability to set the HTTP port and JVM arguments. Further details on this release may be found in their documentation and issue tracker.
JHipster
The release of JHipster Lite 1.18.0 delivers bug fixes, improvements in documentation, dependency upgrades and new features/enhancements such as: a new class, OpenApiContractApplicationService
, part of a new API that checks for backwards incompatible changes to OpenAPI contracts; and a refactor of the vue-core
module for improved testing. There was also removal of deprecated code that may cause a breaking change. More details on this release may be found in the release notes.
JBang
Version 0.118.0 of JBang provides bug fixes and a new linuxdistro
provider that searches a developer's /usr/lib/jvm
folder to detect JDKs that have already been installed. More details on this release may be found in the release notes.
JetBrains Ktor
The first release candidate of Ktor 3.0.0 delivers bug fixes and new features such as: support for Kotlin 2.0.0; an improved staticZip
utility that watches for changes and reloading of ZIP files; and support for handling HTTP errors. More details on this release may be found in the release notes.
Gradle
Gradle 8.10.1, the first maintenance release, provides resolutions to issues: a performance degradation with version 8.10.0 due to dependency resolutions with detached configurations; an instance of the LifecycleAwareProject
class is equal, via the equals()
method, to an instance of it corresponding DefaultProject
class, but not the other way around; and Gradle validating isolated projects when the configuration cache is disabled. More details on this release may be found in the release notes.