Java News Roundup: JDK 20 Released, Spring Releases, Quarkus, Helidon, Micronaut, Open Liberty
MMS • Michael Redlich
Article originally posted on InfoQ. Visit InfoQ
This week’s Java roundup for March 20th, 2023 features news from OpenJDK, JDK 20, JDK 21, Amazon Corretto 20, BellSoft Liberica JDK 20, multiple Spring milestone and point releases, Quarkus 3.0.0.Beta1 and 2.16.5, Helidon 3.2.0, Open Liberty 23.0.0.3-beta, Micronaut 4.0.0-M1, Camel Quarkus 3.0.0-M1, JBang 0.105.1, Failsafe 3.3.1, Maven 3.9.1 and Gradle 8.1-RC1.
OpenJDK
JEP 431, Sequenced Collections, has been promoted from Proposed to Target to Targeted status for JDK 21. This JEP proposes to introduce “a new family of interfaces that represent the concept of a collection whose elements are arranged in a well-defined sequence or ordering, as a structural property of the collection.” Motivation was due to a lack of a well-defined ordering and uniform set of operations within the Collections Framework. More details on JEP 431 may be found in this InfoQ news story.
JEP 443, Unnamed Patterns and Variables (Preview), was promoted from JEP Draft 8294349 to Candidate status this past week. This preview JEP proposes to “enhance the language with unnamed patterns, which match a record component without stating the component’s name or type, and unnamed variables, which can be initialized but not used.” Both of these are denoted by the underscore character as in r instanceof _(int x, int y)
and r instanceof _
.
JDK 20
Oracle has released version 20 of the Java programming language and virtual machine, which ships with a final feature set of seven JEPs. More details may be found in this InfoQ news story.
JDK 21
Build 15 of the JDK 21 early-access builds was also made available this past week featuring updates from Build 14 that include fixes to various issues. Further details on this build may be found in the release notes.
For JDK 20 and JDK 21, developers are encouraged to report bugs via the Java Bug Database.
Amazon Corretto
Amazon has released Amazon Corretto 20, their downstream distribution of OpenJDK 20, which is available on Linux, Windows, and macOS. Developers may download this latest version from this site.
Liberica JDK
Similarly, BellSoft has released Liberica JDK 20, their downstream distribution of OpenJDK 20. Developers may download this latest version from this site.
Spring Framework
It was a very busy week over at Spring as the project teams delivered milestone and point releases of Spring Boot, Spring Framework, Spring Data, Spring Integration, Spring Vault, Spring for GraphQL, Spring Authorization Server, Spring HATEOAS and Spring Modulith. Some of these release address these Common Vulnerabilities and Exposures (CVEs):
The release of Spring Boot 3.0.5 delivers improvements in documentation, dependency upgrades and notable bug fixes such as: the EmbeddedWebServerFactoryCustomizerAutoConfiguration
class should not be invoked when the embedded web server is not configured; the @ConfigurationProperties
annotation no longer works on mutable Kotlin data classes; and the use of the @EntityScan
annotation causes an AOT instance supplier code generation error. More details on this release may be found in the release notes.
Similarly, the release of Spring Boot 2.7.10 ships with improvements in documentation, dependency upgrades and notable bug fixes such as: loading an application.yml
file fails with a NoSuchMethodError
exception when using SnakeYAML 2.0; an instance of the StandardConfigDataResource
class can import the same file twice if the classpath includes the ‘.
‘ character; and a Maven plugin uses a timezone-local timestamps when the project.build.outputTimestamp
property is used. Further details on this release may be found in the release notes.
The second release candidate of Spring Boot 3.1.0 provides new features such as: a new method, withSanitizedValue()
, in the SanitizableData
class that returns a new instance with a sanitized value; support for auto-configuration of GraphQL pagination and sorting; and support for Spring Authorization Server. More details on this release may be found in the release notes.
Versions 6.0.7 and 5.3.26 of Spring Framework have been released to primarily address the aforementioned CVE-2023-20860 and CVE-2023-20861 vulnerabilities. Both versions also deliver new features such as: improved diagnostics in SpEL for the matches
operator and repeated text; updates to the HandlerMappingIntrospector
class; and allow SnakeYaml 2.0 runtime compatibility. Further details on these releases may be found in the release notes for version 6.0.7 and version 5.3.26.
The release of Spring Framework 5.2.23 also addresses the CVE-2023-20861 vulnerability and provides the same new SpEL features as Spring Framework 5.3.26. More details on this release may be found in the release notes.
Versions 2023.0-M1, codenamed Ullman, 2022.0.4 and 2021.2.10 of Spring Data have been released this past week. The service releases include bug fixes and improvements in documentation, and may be consumed in Spring Boot 3.0.5 and 2.7.10, respectively. New features in the milestone release include: a new scroll API to support offset and key-based pagination; improvements in JPA query parsing for HQL and JPQL; support for explicit field level encryption in MongoDB; and aggregate reference request parameters in Spring Data REST. Further details on the milestone release may be found in the release notes.
Versions 6.1.0-M2, 6.0.4 and 5.5.17 of Spring Integration have been released featuring notable changes such as: improvements in the LockRegistryLeaderInitiator
class such calling a target lock provider is delayed if the current thread has been interrupted; improvements to the AbstractRemoteFileStreamingMessageSource
class for remote calls; and fix the relationship between the code coverage tools, Sonar and JaCoCo. More details on these releases may be found in the release notes for version 6.1.0-M2, version 6.0.4 and version 5.5.17.
Versions 3.0.2 and 2.3.3 of Spring Vault have been released to address the aforementioned CVE-2023-20859 vulnerability and new features such as: refine logging after token revocation failure; allow reuse of library-specific configuration code in the ClientHttpRequestFactoryFactory
and ClientHttpConnectorFactory
classes; and add AWS IAM Authentication to the EnvironmentVaultConfiguration
class. Further details on these releases may be found in the release notes for version 3.0.2 and version 2.3.3.
The first milestone release of Spring for GraphQL 1.2.0 that delivers new features such as: support for pagination return values and pagination requests in methods defined in the @SchemaMapping
annotation; support for custom instances of the HandlerMethodArgumentResolver
interface; and a dependency upgrade to GraphQL Java 20.0. More details on this release may be found in the release notes.
Versions 1.1.3 and 1.0.4 of Spring for GraphQL have been released with new features: access request attributes and cookies in the WebGraphQlInterceptor
interface; a fix in which an instance of the ContextDataFetcherDecorator
class ignores subscriptions when their name has changed. These releases will also be consumed in Spring Boot 3.0.5 and 2.7.10, respectively. Further details on these releases may be found in the release notes for version 1.1.3 and version 1.0.4.
The second milestone release of Spring Authorization Server 1.1.0 ships with bug fixes, dependency upgrades and new features: an implementation of RFC 8628, OAuth 2.0 Device Authorization Grant; and enable the upgradeEncoding()
method defined in the PasswordEncoder
interface for OAuth2 client secrets. More details on this release may be found in the release notes.
Versions 2.1-M1, 2.0.3 and 1.5.4 of Spring HATEOAS have been released this past week. The service releases include improvements in documentation and dependency upgrades. The milestone release features: support for property metadata on forms using the @Size
annotation as defined in JSR-303, Bean Validation; and a new SlicedModel
class, a simplified version of PagedModel
class, to navigate slices, but not calculate a total. Further details on these releases may be found in the release notes for version 2.1-M1, version 2.0.3 and version 1.5.4.
The release of Spring Modulith 0.5.1 provides a significant bug fix in which the spring-modulith-runtime
module accidentally contained a Logback configuration file that was only intended for test usage. There was also a dependency upgrade to Spring Boot 3.0.5. More details on this release may be found in the release notes.
The Spring Data JPA team has introduced HQL and JPQL query parsers for developers to more easily customize queries in Spring Data JPA applications in conjunction with the @Query
annotation.
Quarkus
The first beta release of Quarkus 3.0.0 features support for a management interface that exposes selected routes, i.e., management routes, to a different HTTP server that avoids exposing these routes on the main HTTP server, which could lead to leaks and undesired access to these endpoints. Further details on this release may be found in the changelog.
Quarkus 2.16.5.Final, the fifth maintenance release with notable changes such as: filter out a RESTEasy-related warning from executing the test class, ProviderConfigInjectionWarningsTest
; a fix for the NullPointerException
upon loading workspace modules; and prevent server-side events from the MessageBodyWriter
potentially writing an accumulation of headers. More details on this release may be found in the changelog.
Helidon
Oracle has released Helidon 3.2.0 that shis with changes such as: a fix on the overloaded create()
methods defined in the WriteableMultiPart
class; a fix for erroneous behavior closing a database connection within the JtaConnection
class; an a dependency upgrade to SnakeYAML 2.0. It is important to note that there are breaking changes in SnakeYAML 2.0. A Helidon application may be impacted if SnakeYAML is used directly. It is still possible, however, that an application may still be upgraded to Helidon 3.2.0 with a downgraded SnakeYAML 1.3.2. Further details on this release may be found in the release notes.
Open Liberty
IBM has released Open Liberty 23.0.0.3-beta featuring support for JDK 20, Jakarta EE 10 Platform and MicroProfile 6.0.
Micronaut
The Micronaut foundation has provided the first milestone release Micronaut Framework 4.0.0 featuring: experimental support for Kotlin Symbol Processing; support for virtual threads; improved error messages for missing beans; and support for filter methods.
Apache Software Foundation
As disclosed by the Apache Tomcat team, CVE-2023-28708, a vulnerability in which using the RemoteIpFilter
class, with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to HTTPS, session cookies created by Tomcat did not include the secure
attribute. This vulnerability could result in an attacker transmitting a session cookie over an insecure channel. Tomcat versions affected by this vulnerability include: 11.0.0-M1 to 11.0.0-M2; 10.1.0-M1 to 10.1.5; 9.0.0-M1 to 9.0.71; and 8.5.0 to 8.5.85.
The first milestone release of Camel Quarkus 3.0.0, containing Quarkus 3.0.0.Alpha5 and Camel 4.0.0-M2, is the first Camel Quarkus release featuring a baseline of JDK 17 and Jakarta EE 10. Other notable changes include: deprecation of the ReflectiveClassBuildItem
class; a fix for the exception thrown using the PerfRegressionIT
class while testing with Camel 4 and Quarkus 3; and a split of Infinispan testing into separate modules for the Quarkus- and Camel-managed clients. More details on this release may be found in the release notes.
JBang
Versions 0.105.1 and 0.105.2 of JBang deliver notable changes such as: an improved jbang edit
command in which it assumes one of the supported JBang IDE plugins is installed; continued improvements using modulepath over classpath; The jbang export jlink
command is now an option that allows developers to export a JBang application or script with an embedded Java runtime; and a fix for the Apple Silicon VSCodium download.
Failsafe
Failsafe, a lightweight, zero-dependency library for handling failures in Java 8+, has released version 3.3.1 featuring API changes such as: the addition of full Java module descriptors to the Failsafe JARs; and the release of execution references inside instances of the CompletableFuture
class provided by Failsafe. Further details on this release may be found in the changelog.
Maven
Maven 3.9.1 has been released with improvements such as: an improved “missing dependency” error message; performance enhancement by replacing any non regular expression patterns in the replaceAll()
method with the replace()
method or use precompiled patterns; and deprecate the Mojo plugin parameter expression, ${localRepository}
, because an instance of the ArtifactFactory
interface injected by ${localRepository}
is not compatible with the Maven Resolver interface, LocalRepositoryManager
, due lack of context.
Gradle
The first release candidate of Gradle 8.1 delivers: continued improvements in the configuration cache, now considered stable; continued improvements in the Kotlin DSL, an alternative to the Groovy DSL, that includes an experimental simple property assignment in Kotlin DSL scripts; and support for JDK 20. More details on this release may be found in the release notes.