Author: Michael Redlich

There was a flurry of activity in the Spring ecosystem during the week of October 21st, 2024, highlighting first release candidates of: Spring Boot, Spring Security, Spring Authorization Server, Spring Integration, Spring Modulith, Spring Batch, Spring AMQP, Spring for Apache Kafka and Spring for Apache Pulsar.

Spring Boot

The first release candidate of Spring Boot 3.4.0 delivers bug fixes, improvements in documentation, dependency upgrades and many new features such as: improved support for the Spring Framework ClientHttpRequestFactory interface with new builders and additional customization; and support for ARM and x86 architectures in the Paketo Buildpack for Spring Boot. More details on this release may be found in the release notes.

Similarly, the release of Spring Boot 3.3.5 and 3.2.11 provide improvements in documentation, dependency upgrades and resolutions to notable bug fixes such as: removal of the printing the stack trace to the error stream from the driverClassIsLoadable() method, defined in the DataSourceProperties class, upon exception as it was determined to be unnecessary; and an instance of the ArtemisConnectionFactoryFactory class failing when building a native image. More details on this release may be found in the release notes for version 3.3.5 and version 3.2.11.

Spring Framework

In conjunction with the release of Spring Boot 3.4.0-RC1, the third release candidate of Spring Framework 6.2.0 ships with bug fixes, improvements in documentation and new features such as: removal of the proxyTargetAware attribute in the new @MockitoSpyBean annotation as it was deemed unnecessary; and a refactor of the retrieve() method, defined in the RestClient interface, to execute a request and extract the response as necessary, eliminating the need for two method calls in this workflow. More details on this release may be found in the release notes.

Spring Security

The first release candidate of Spring Security 6.4.0 delivers bug fixes, dependency upgrades and new features such as: support for Passkeys; a new authorize() method that replaces the now-deprecated check() method, defined in the AuthorizationManager interface, that returns an instance of the AuthorizationResult interface; and a refactored publishAuthorizationEvent(Supplier, T, AuthorizationDecision) method, defined in the AuthorizationEventPublisher interface, that now accepts an instance of the AuthorizationResult interface, replacing the AuthorizationDecision class in the parameter list. More details on this release may be found in the release notes and what’s new page.

Similarly, versions 6.3.4, 6.2.7 and 5.8.15 of Spring Security have been released featuring build updates, dependency upgrades and resolutions to notable bug fixes such as: erasures of credentials on custom instances of the AuthenticationManager interface despite the eraseCredentialsAfterAuthentication field being set to false; and methods annotated with @PostFilter are processed twice by the PostFilterAuthorizationMethodInterceptor class. More details on these releases may be found in the release notes for version 6.3.4, version 6.2.7 and version 5.8.15.

Spring Authorization Server

The first release candidate of Spring Authorization Server 1.4.0 provides dependency upgrades and new features such as: a replacement of the DelegatingAuthenticationConverter class with the similar DelegatingAuthenticationConverter class defined in Spring Security; and a simplification of configuring a dedicated authorization server using the with() method, defined in the Spring Security HttpSecurity class. More details on this release may be found in the release notes.

Similarly, versions 1.3.3 and 1.2.7 of Spring Authorization Server have been released featuring dependency upgrades and a fix for more efficiently registering AOT contributions with subclasses defined from the JdbcOAuth2AuthorizationService class. More details on these releases may be found in the release notes for version 1.3.3 and version 1.2.7.

Spring for GraphQL

Versions 1.3.3 and 1.2.9 of Spring for GraphQL have been released ship with bug fixes, improvements in documentation, dependency upgrades and new features such as: the ability to set a timeout value for server-side events; and methods annotated with @BatchMapping should pass the localContext field, defined in the GraphQL for Java DataFetcherResult class, from an instance of the BatchLoaderEnvironment class.More details on these releases may be found in the release notes for version 1.3.3 and version 1.2.9.

Spring Integration

The first release candidate of Spring Integration 6.4.0 delivers bug fixes, improvements in documentation, dependency upgrades and new features such as: an instance of the RedisLockRegistry class may now be configured via an instance of the Spring Framework TaskScheduler interface for renewal of automatic locks in the store; and a migration of Python scripts to support Python 3 and GraalPy. More details on this release may be found in the release notes and what’s new page.

Similarly, versions 6.3.5 and 6.2.10 of Spring Integration have been released with bug fixes, dependency upgrades and new features: the addition of a new property, idleBetweenTries, to the aforementioned RedisLockRegistry class to specify a duration to sleep in between lock attempts; and improved support for the JUnit @Nested annotation when using the @SpringIntegrationTest annotation. More details on this release may be found in the release notes for version 6.3.5 and version 6.2.10.

Spring Modulith

The first release candidate of Spring Modulith 1.3.0 provides bug fixes, improvements in documentation, dependency upgrades and new features such as: support for the Oracle database type in the JDBC event publication registry; and support for the MariaDB database driver. More details on this release may be found in the release notes.

Similarly, versions 1.2.5 and 1.1.10 of Spring Modulith have been released featuring bug fixes, dependency upgrades and various improvements in the reference documentation. More details on this release may be found in the release notes for version 1.2.5 and version 1.1.10.

Spring Batch

The first release candidate of Spring Batch 5.2.0 ships with bug fixes, improvements in documentation, dependency upgrades and a new feature that allows the CompositeItemReader class to be subclassed to allow generics to be less strict. More details on this release may be found in the release notes.

Spring AMQP

The first release candidate of Spring AMQP 3.2.0 provides improvements in documentation, dependency upgrades and new features such as: additional Open Telemetry semantic tags that are exposed via an instance of the RabbitTemplate class and @RabbitListener annotation; and a new method, getBeforePublishPostProcessors(), in the RabbitTemplate class that complements the existing addBeforePublishPostProcessors() method that allows developers to dynamically access and modify these processors. More details on this release may be found in the release notes.

Spring for Apache Kafka

The first release candidate of Spring for Apache Kafka 3.3.0 delivers bug fixes, improvements in documentation, dependency upgrades and new features such as: a new KafkaMetricsSupport class for improved metrics support; and the ability to use the Java @Override annotation on the createAdmin() method, defined in the KafkaAdmin class, to use another type of class implementing the Apache Kafka Admin interface. This release also provides full integration with Spring Boot 3.4.0-RC1. More details on this release may be found in the release notes.

Spring for Apache Pulsar

The first release candidate for Spring for Apache Pulsar 1.2.0 provides dependency upgrades and improvements such as: ensure that all uses of the toLowerCase() and toUpperCase() methods, defined in the Java String class, specify an instance of a Java Locale class with a default of Locale.ROOT; and a new log to warn developers when lambda producer customizers are used for increased awareness. More details on this release may be found in the release notes.

Similarly, versions 1.1.5 and 1.0.11 of Spring for Apache Pulsar have been released featuring dependency upgrades and the aforementioned use of the toLowerCase() and toUpperCase() methods. More details on this release may be found in the release notes for version 1.1.5 and version 1.0.11.

There was a flurry of activity in the OpenJDK ecosystem during the week of October 21st, 2024, highlighting: JEPs that have been Targeted and Proposed to Target for JDK 24; and drafts that have been promoted to Candidate status. JEP 485, Stream Gatherers, is the fifth JEP confirmed for JDK 24. Four JEPs have been Proposed to Target and will be under review during the week of October 28, 2024.

Targeted

After its review had concluded, JEP 485, Stream Gatherers, has been promoted from Proposed to Target to Targeted for JDK 24. This JEP proposes to finalize this feature after two rounds of preview, namely: JEP 473: Stream Gatherers (Second Preview), delivered in JDK 23; and JEP 461, Stream Gatherers (Preview), delivered in JDK 22. This feature was designed to enhance the Stream API to support custom intermediate operations that will “allow stream pipelines to transform data in ways that are not easily achievable with the existing built-in intermediate operations.” More details on this JEP may be found in the original design document and this InfoQ news story.

Proposed to Target

JEP 490, ZGC: Remove the Non-Generational Mode, has been promoted from Candidate to Proposed to Target for JDK 24. This JEP proposes to remove the non-generational mode of the Z Garbage Collector (ZGC). The generational mode is now the default as per JEP 474, ZGC: Generational Mode by Default, delivered in JDK 23. By removing the non-generational mode of ZGC, it eliminates the need to maintain two modes and improves development time of new features for the generational mode. The review is expected to conclude on October 29, 2024.

JEP 487, Scoped Values (Fourth Preview), has been promoted from Candidate to Proposed to Target for JDK 24. Formerly known as Extent-Local Variables (Incubator), proposes a fourth preview, with one change, in order to gain additional experience and feedback from one round of incubation and three rounds of preview, namely: JEP 481, Scoped Values (Third Preview), delivered in JDK 23; JEP 464, Scoped Values (Second Preview), delivered in JDK 22; JEP 446, Scoped Values (Preview), delivered in JDK 21; and JEP 429, Scoped Values (Incubator), delivered in JDK 20. This feature enables sharing of immutable data within and across threads. This is preferred to thread-local variables, especially when using large numbers of virtual threads. The only change from the previous preview is the removal of the callWhere() and runWhere() methods from the ScopedValue class that leaves the API fluent. The ability to use one or more bound scoped values is accomplished via the call() and run() methods defined in the ScopedValue.Carrier class. The review is expected to conclude on October 30, 2024.

JEP 478, Key Derivation Function API (Preview), has been promoted from Candidate to Proposed to Target for JDK 24. This JEP proposes to introduce an API for Key Derivation Functions (KDFs), cryptographic algorithms for deriving additional keys from a secret key and other data, with goals to: allow security providers to implement KDF algorithms in either Java or native code; and enable the use of KDFs in implementations of JEP 452, Key Encapsulation Mechanism. The review is expected to conclude on October 31, 2024.

JEP 404, Generational Shenandoah (Experimental), has been promoted from Candidate to Proposed to Target for JDK 24. Originally targeted for JDK 21, JEP 404 was officially removed from the final feature set due to the “risks identified during the review process and the lack of time available to perform the thorough review that such a large contribution of code requires.” The Shenandoah team decided to “deliver the best Generational Shenandoah that they can” and target a future release. The review is expected to conclude on October 30, 2024.

New JEP Candidates

JEP 495, Simple Source Files and Instance Main Methods (Fourth Preview), has been promoted from its JEP Draft 8335984 to Candidate status. This JEP proposes a fourth preview without change (except for a second name change), after three previous rounds of preview, namely: JEP 477, Implicitly Declared Classes and Instance Main Methods (Third Preview), delivered in JDK 23; JEP 463, Implicitly Declared Classes and Instance Main Methods (Second Preview), delivered in JDK 22; and JEP 445, Unnamed Classes and Instance Main Methods (Preview), delivered in JDK 21. This feature aims to “evolve the Java language so that students can write their first programs without needing to understand language features designed for large programs.” This JEP moves forward the September 2022 blog post, Paving the on-ramp, by Brian Goetz, Java language architect at Oracle. Gavin Bierman, consulting member of technical staff at Oracle, has published the first draft of the specification document for review by the Java community. More details on JEP 445 may be found in this InfoQ news story.

JEP 494, Module Import Declarations (Second Preview), has been promoted from its JEP Draft 8335987 to Candidate status.This JEP proposes a second preview after the first round of preview, namely: JEP 476, Module Import Declarations (Preview), delivered in JDK 23. This feature will enhance the Java programming language with the ability to succinctly import all of the packages exported by a module with a goal to simplify the reuse of modular libraries without requiring to import code to be in a module itself. Changes from the first preview include: remove the restriction that a module is not allowed to declare transitive dependencies on the java.base module; revise the declaration of the java.se module to transitively require the java.base module; and allow type-import-on-demand declarations to shadow module import declarations. These changes mean that importing the java.se module will import the entire Java SE API on demand.

JEP 493, Linking Run-Time Images without JMODs, has been promoted from its JEP Draft 8333799 to Candidate status. This JEP proposes to “reduce the size of the JDK by approximately 25% by enabling the jlink tool to create custom run-time images without using the JDK’s JMOD files.” This feature must explicitly be enabled upon building the JDK. Developers are now allowed to link a run-time image from their local modules regardless where those modules exist.

JDK 24 Release Schedule

The JDK 24 release schedule, as approved by Mark Reinhold, Chief Architect, Java Platform Group at Oracle, is as follows:

• Rampdown Phase One (fork from main line): December 5, 2024
• Rampdown Phase Two: January 16, 2025
• Initial Release Candidate: February 6, 2025
• Final Release Candidate: February 20, 2025
• General Availability: March 18, 2025

For JDK 24, developers are encouraged to report bugs via the Java Bug Database.

This week’s Java roundup for October 14th, 2024, features news highlighting: the release of WildFly 34; JEP 485, Stream Gatherers, proposed to target for JDK 24; Oracle Critical Patch Update for October 2024; and a potential leak in the SmallRye and Quarkiverse release processes.

OpenJDK

JEP 485, Stream Gatherers, has been promoted from Candidate to Proposed to Target for JDK 24. This JEP proposes to finalize this feature after two rounds of preview, namely: JEP 473: Stream Gatherers (Second Preview), delivered in JDK 23; and JEP 461, Stream Gatherers (Preview), delivered in JDK 22. This feature was designed to enhance the Stream API to support custom intermediate operations that will “allow stream pipelines to transform data in ways that are not easily achievable with the existing built-in intermediate operations.” More details on this JEP may be found in the original design document and this InfoQ news story. The review is expected to conclude on October 23, 2024.

Oracle has released versions 23.0.1, 21.0.5, 17.0.13, 11.0.25, and 8u431 of the JDK as part of the quarterly Critical Patch Update Advisory for October 2024. More details on this release may be found in the release notes for version 23.0.1, version 21.0.5, version 17.0.13, version 11.0.25 and version 8u431.

Version 7.5.0 of the Regression Test Harness for the JDK, jtreg, has been released and ready for integration in the JDK. The most significant changes include: the restoration of the jtdiff tool; and support for a LIBRARY.properties file located in the directory specified in the @library tag and read when jtreg compiles classes in that library. There was also a dependency upgrade to JUnit 5.11.0. Further details on this release may be found in the release notes.

JDK 24

Build 20 of the JDK 24 early-access builds was made available this past week featuring updates from Build 19 that include fixes for various issues. Further details on this release may be found in the release notes.

For JDK 24, developers are encouraged to report bugs via the Java Bug Database.

Jakarta EE 11

In his weekly Hashtag Jakarta EE blog, Ivar Grimstad, Jakarta EE developer advocate at the Eclipse Foundation, provided an update on Jakarta EE 11, writing:

GlassFish now passes 84% of the tests in the refactored TCK for Jakarta EE 11. The remaining tests are mainly related to the Application Client Container. The Jakarta EE Platform Project is proposing to deprecate the Application Container in Jakarta EE 12. There are ongoing discussions about how much importance these tests should be given to Jakarta EE 11.

The Jakarta EE 11 Core Profile TCK has been staged, and both Open Liberty and WildFly are passing (or very close to passing) it. So it looks like we will be able to release Jakarta EE 11 Core Profile ahead of Jakarta EE 11 Platform and Jakarta EE 11 Web Profile.

The road to Jakarta EE 11 included four milestone releases with the potential for release candidates as necessary before the GA release in 4Q2024.

BellSoft

Concurrent with Oracle’s Critical Patch Update (CPU) for October 2024, BellSoft has released CPU patches for versions 21.0.4.0.1, 17.0.12.0.1, 11.0.24.0.1, 8u431, 7u441 and 6u441 of Liberica JDK, their downstream distribution of OpenJDK, to address this list of CVEs. In addition, Patch Set Update (PSU) versions 23.0.1, 21.0.5, 17.0.13, 11.0.25 and 8u432, containing CPU and non-critical fixes, have also been released.

With an overall total of 1169 fixes and backports, BellSoft states that they have participated in eliminating 18 issues in all releases.

Spring Framework

The second release candidate of Spring Framework 6.2.0 delivers bug fixes, improvements in documentation, dependency upgrades and many new features such as: a rename of the OverrideMetadata class to BeanOverrideHandler to align with the existing naming convention of the other classes, interfaces and annotations defined in the org.springframework.test.context.bean.override package; and the addition of the messageConverters() method to the RestClient.Builder interface to allow setting converters of the RestClient interface without initializing the default one. This version will be included in the upcoming release of Spring Boot 3.4.0-RC1. More details on this release may be found in the release notes.

Similarly, the release of version 6.1.14 of Spring Framework also provides bug fixes, improvements in documentation, dependency upgrades and new features such as: the removal of support for relative paths in the ResourceHandlerUtils class that eliminates security issues; and ensure proper exception handling from the isCorsRequest() method, defined in the CorsUtils class, upon encountering a malformed Origin header. This version will be included in the upcoming releases of Spring Boot and 3.3.5 and 3.2.11. More details on this release may be found in the release notes.

The Spring Framework team has also disclosed two Common Vulnerabilities and Exposures (CVEs):

• CVE-2024-38819, a path traversal vulnerability in the Spring Web MVC and Spring WebFlux functional web frameworks in which an attacker can create a malicious HTTP request to obtain any file on the file system that is also accessible to the process on the running Spring application. This CVE is follow up from CVE-2024-38816, Path Traversal Vulnerability in Functional Web Frameworks, that used different malicious input.
• CVE-2024-38820: a vulnerability in which the toLowerCase() method, defined in the Java String class, had some Locale class-dependent exceptions that could potentially result in fields not being protected as expected. This is a result of the resolution for CVE-2022-22968 that made patterns of the disallowedFields field, defined in DataBinder class, case insensitive.

These CVEs affect Spring Framework versions 5.3.0 – 5.3.40, 6.0.0 – 6.0.24 and 6.1.0 – 6.1.13.

The first release candidate of Spring Data 2024.1.0 delivers expanded support for Spring Data Value Expressions where property-placeholders may be leveraged in repository query methods annotated with @Query. There were also updates to sub-projects such as: Spring Data Commons 3.4.0-RC1, Spring Data MongoDB 4.4.0-RC1, Spring Data Elasticsearch 5.4.0-RC1 and Spring Data Neo4j 7.4.0-RC1. More details on this release may be found in the release notes.

Similarly, the release of Spring Data 2024.0.5 and 2023.1.11 ship with bug fixes and respective dependency upgrades to sub-projects such as: Spring Data Commons 3.3.5 and 3.2.11; Spring Data MongoDB 4.3.5 and 4.2.11; Spring Data Elasticsearch 5.3.5 and 5.2.11; and Spring Data Neo4j 7.3.5 and 7.2.11. These versions will be included in the upcoming releases of Spring Boot and 3.3.5 and 3.2.11.

WildFly

The release of WildFly 34 primarily focuses on WildFly Preview, a technical preview variant of the WildFly server. New features include: support for Jakarta Data 1.0, MicroProfile Rest Client 4.0 and MicroProfile Telemetry 2.0; a new Bill of Materials for WildFly Preview; and four new system properties (backlog, connection-high-water, connection-low-water and no-request-timeout) for configuration in the HTTP management interface. More details on this release may be found in the release notes. InfoQ will follow up with a more detailed news story.

Quarkus

The Quarkus team has disclosed that they recently discovered a potential leak in their Quarkiverse and SmallRye release processes and reported that there was no damage.

Clement Escoffier, Distinguished Engineer at Red Hat, summarized the issue, writing:

We’ve uncovered a security flaw in the release process for Quarkiverse and SmallRye that could have allowed malicious actors to impersonate projects and publish compromised artifacts.

We’ve implemented a new, more secure release pipeline to address this. If you’re a maintainer, you’ve received a pull request to migrate to the new process. Quarkus itself is not affected by this issue, only SmallRye and Quarkiverse.

As a result, they have implemented a more secure release process and wanted to share the details with the Java community. InfoQ will follow up with a more detailed news story.

Micrometer

The first release candidate of Micrometer Metrics 1.14.0 provides bug fixes, improvements in documentation, dependency upgrades and new features such as: expose an instance of the TestObservationRegistry class via the assertThat() method from the AssertJ Assertions class; expand metrics to include virtual threads data; and improved performance with the initialization of the Tags class from already sorted array of unique tags. More details on this release may be found in the release notes.

Similarly, versions 1.13.6 and 1.12.11 of Micrometer Metrics also feature bug fixes, improvements in documentation and a new feature that improves the memory usage of the StepBucketHistogram class by eliminating an internal field of the buckets that can be acquired from an instance of the FixedBoundaryHistogram class when needed. Further details on these releases may be found in the release notes for version 1.13.6 and version 1.12.11.

The first release candidate of Micrometer Tracing 1.4.0 ships with dependency upgrades and new features: support for list values in tags in the Span and SpanCustomizer interfaces; and make the OtelSpan class public instead of private to eliminate use of reflection to act upon the underlying OpenTelemetry Span interface. More details on this release may be found in the release notes.

Similarly, version 1.3.5 and 1.2.11 of Micrometer Tracing 1.4.0 simply provide dependency upgrades. Further details on these releases may be found in the release notes for version 1.3.5 and version 1.2.11.

Project Reactor

The first release candidate of Project Reactor 2024.0.0 provides dependency upgrades to reactor-core 3.7.0-RC1, reactor-netty 1.2.0-RC1, reactor-pool 1.1.0-RC1, reactor-addons 3.6.0-RC1, reactor-kotlin-extensions 1.3.0-RC1 and reactor-kafka 1.4.0-RC1. Based on the Spring Calendar, it is anticipated that the GA version of Project 2024.0.0 will be released in November 2024. Further details on this release may be found in the changelog.

Next, Project Reactor 2023.0.11, the eleventh maintenance release, provides dependency upgrades to reactor-core 3.6.11 and reactor-netty 1.1.23. There was also a realignment to version 2023.0.11 with the reactor-pool 1.0.8, reactor-addons 3.5.2, reactor-kotlin-extensions 1.2.3 and reactor-kafka 1.3.23 artifacts that remain unchanged. More details on this release may be found in the changelog.

Piranha Cloud

The release of Piranha 24.10.0 delivers bug fixes and notable changes such as: ensure that an instance of the Eclipse Jersey InjecteeSkippingAnalyzer class is installed when needed; and use of the Java PrintStream class or the isWriterAcquired() method, defined in the in the DefaultWebApplicationResponse class, in the DefaultServletRequestDispatcher class as a response to a top-level exception. Further details on this release may be found in their documentation and issue tracker.

Apache Software Foundation

The third milestone release of Apache TomEE 10.0.0 provides bugs fixes, dependency upgrades and new features such as: an improved import of data sources and entity managers that obsoletes the use of the ImportSql class; and a new RequestNotActiveException class, that replaces throwing a NullPointerException, when an instance of a Jakarta Servlet HttpServletRequest is invoked on a thread with no active servlet request. More details on this release may be found in the release notes.

JobRunr

The release of JobRunr 7.3.1 provides new features such as: an instance of the JobDetails class is now cacheable when injecting an interface instead of an implementation; and an enhanced JobRunr Dashboard that includes tips for diagnosing severe JobRunr exceptions for improved clarity of notifications. Further details on this release may be found in the release notes.

Keycloak

Keycloak 26.0.1 has been released with bug fixes and enhancements: a clarification of the behavior of multiple versions of Keycloak Operator installed in the same cluster operator; and improved error logging during a transaction commit. More details on this release may be found in the release notes.

JDKUpdater

Version 14.0.59+79 of JDKUpdater, a new utility that provides developers the ability to keep track of updates related to builds of OpenJDK and GraalVM. Introduced in mid-March by Gerrit Grunwald, principal engineer at Azul, this release resolves an issue with the calculation of the next update and the next release date of the JDK. More details on this release may be found in the release notes.

Gradle

The first release candidate of Gradle 8.11.0 delivers new features such as: improved performance in the configuration cache with an opt-in parallel loading and storing of cache entries; the C++ and Swift plugins now compatible with the configuration cache; and improved error and warning reporting in which Java compilation errors are now displayed at the end of the build output. More details on this release may be found in the release notes.

This week’s Java roundup for October 7th, 2024, features news highlighting: JEP 489, Vector API (Ninth Incubator), and JEP 484, Class-File API, targeted for JDK 24; the release of Apache projects, Tomcat 11.0.0 and Cassandra 5.0.0; the release of EclipseStore 2.0.0; the October 2024 Payara Platform release; and the release of Ktor 3.0.0.

OpenJDK

After its review had concluded, JEP 489, Vector API (Ninth Incubator), has been promoted from Proposed to Target to Targeted for JDK 24. This JEP incorporates enhancements in response to feedback from the previous eight rounds of incubation, namely: JEP 469, Vector API (Eighth Incubator), delivered in JDK 23; JEP 460, Vector API (Seventh Incubator), delivered in JDK 22; JEP 448, Vector API (Sixth Incubator), delivered in JDK 21; JEP 438, Vector API (Fifth Incubator), delivered in JDK 20; JEP 426, Vector API (Fourth Incubator), delivered in JDK 19; JEP 417, Vector API (Third Incubator), delivered in JDK 18; JEP 414, Vector API (Second Incubator), delivered in JDK 17; and JEP 338, Vector API (Incubator), delivered as an incubator module in JDK 16. Originally slated to be a re-incubation by reusing the original Incubator status, it was decided to keep enumerating. The Vector API will continue to incubate until the necessary features of Project Valhalla become available as preview features. At that time, the Vector API team will adapt the Vector API and its implementation to use them, and will promote the Vector API from Incubation to Preview.

After its review had concluded, JEP 484, Class-File API, has been promoted from Proposed to Target to Targeted for JDK 24. This JEP proposes to finalize this feature in JDK 24 after two rounds of preview, namely: JEP 466, Class-File API (Second Preview), delivered in JDK 23; and JEP 457, Class-File API (Preview), delivered in JDK 22. This feature provides an API for parsing, generating, and transforming Java class files. This will initially serve as an internal replacement for ASM, the Java bytecode manipulation and analysis framework, in the JDK with plans to have it opened as a public API. Goetz has characterized ASM as “an old codebase with plenty of legacy baggage” and provided background information on how this feature will evolve and ultimately replace ASM.

JEP 490, ZGC: Remove the Non-Generational Mode, was promoted from its JEP Draft 8335850 to Candidate status. This JEP proposes to remove the non-generational mode of the Z Garbage Collector (ZGC). The generational mode is now the default as per JEP 474, ZGC: Generational Mode by Default, delivered in JDK 23. By removing the non-generational mode of ZGC, it eliminates the need to maintain two modes and improves development time of new features for the generational mode.

JDK 24

Build 19 of the JDK 24 early-access builds was made available this past week featuring updates from Build 18 that include fixes for various issues. Further details on this release may be found in the release notes.

With less than two months before Rampdown Phase One, four JEPs are currently targeted for JDK 24:

For JDK 24, developers are encouraged to report bugs via the Java Bug Database.

Project Loom

Build 24-loom+8-78 of the Project Loom early-access builds was made available to the Java community this past week and is based on Build 18 of the JDK 24 early-access builds. This build improves the implementation of Java monitors (synchronized methods) for enhanced interoperability with virtual threads.

Jakarta EE

In his weekly Hashtag Jakarta EE blog, Ivar Grimstad, Jakarta EE developer advocate at the Eclipse Foundation, provided an update on the upcoming release of Jakarta EE 11, writing:

The refactoring of the Jakarta EE TCK continues. It looks like we will be able to release Jakarta EE 11 Core Profile pretty soon with Open Liberty as a ratifying implementation. For the Platform and Web Profile, we will have to wait a little longer. It still looks like it will be possible to release in time for JakartaOne Livestream on December 3, 2024.

The road to Jakarta EE 11 included four milestone releases with the potential for release candidates as necessary before the GA release in 4Q2024.

Spring Framework

The second milestone release of Spring Cloud 2024.0.0, codenamed Moorgate, features bug fixes and notable updates to sub-projects: Spring Cloud Kubernetes 3.2.0-M2; Spring Cloud Function 4.2.0-M2; Spring Cloud OpenFeign 4.2.0-M2; Spring Cloud Stream 4.2.0-M2; and Spring Cloud Gateway 4.2.0-M2. This release provides compatibility with Spring Boot 3.4.0-M3. More details on this release may be found in the release notes.

The third milestone release of Spring AI 1.0.0 provides new features such as: improvements to their Spring Advisors API; a new ToolContext class that replaces using Map for function callbacks; and support for additional observability models that include: Azure OpenAI, Google Vertex AI, and MiniMax AI.

The second milestone release of Spring Batch 5.2.0 provides new features such as: support for MongoDB as an implementation of the JobRepository interface; a new CompositeItemReader class to complement the existing CompositeItemWriter and CompositeItemProcessor classes. Further details on this release may be found in the release notes.

Following-up from the recent plan to release Spring Framework 7.0 and Spring Boot 4.0 in November 2025, the Spring Cloud Data Flow (SCDF) team has prepared its own plan to release version 3.0 in November 2025. The intent to align the SCDF projects (such as: SCDF server components, Composed Task Runner, and SCDF UI) with Spring Framework 7.0 and Spring Boot 4.0.

Payara

Payara has released their October 2024 edition of the Payara Platform that includes Community Edition 6.2024.10 and Enterprise Edition 6.19.0 and Enterprise Edition 5.68.0. Along with bug fixes and dependency upgrades, all three releases primarily address CVE-2024-8215, a cross-site scripting vulnerability that allows an attacker to remotely execute code via the Payara Management REST interface. These releases also feature an integration of the EclipseLink interruption enhancements to the WriteLockManager class to improve performance in database operations. More details on these releases may be found in the release notes for Community Edition 6.2024.10 and Enterprise Edition 6.19.0 and Enterprise Edition 5.68.0.

Open Liberty

IBM has released version 24.0.0.10 of Open Liberty featuring: support for JDK 23; and new versionless features that support the MicroProfile Context Propagation, MicroProfile GraphQL, MicroProfile Reactive Messaging and MicroProfile Reactive Streams Operators specifications.

Micronaut

The Micronaut Foundation has released version 4.6.3 of the Micronaut Framework featuring Micronaut Core 4.6.6 and updates to modules: Micronaut Security, Micronaut Test Resources, Micronaut MQTT, Micronaut Data, Micronaut gRPC, Micronaut Oracle Cloud and Micronaut Security. Further details on this release may be found in the release notes.

EclipseStore

The release of EclipseStore 2.0.0 delivers bug fixes and new features such as: a new BinaryHandlerSetFromMap class for the inner private static class, SetFromMap, defined in the Java Collections class, for improved data handling; and enhancements to the Storer interface that include a new UsageMarkable interface to prevent references of the Lazy interface from being cleared despite having unstored changes. More details on this release may be found in the release notes.

Apache Software Foundation

After 26 milestone releases, Apache Tomcat 11.0.0 has been released featuring: support for virtual threads; the addition of compatibility methods from JEP 454, Foreign Function & Memory API, that support OpenSSL, LibreSSL and BoringSSL, which all require a minimal version of JDK 22; and easy integration with Let’s Encrypt and an improved process to renew TLS certificates via automatic reloading of updated TLS keys and certificates with zero downtime. October 7, 2024, marks the 25th anniversary of the first commit to the Apache Tomcat source code repository since Sun Microsystems donated Tomcat to the Apache Software Foundation. Further details on this release may be found in the release notes.

Apache Tomcat 9.0.96 has also been released featuring bug fixes and notable changes such as: improved WebDAV support via a minor refactoring of the WebdavServlet class; and improved stability of the Tomcat Native Library upon destroying instances of the SSLContext interface during garbage collection. More details on this release may be found in the release notes.

OpenXava

The release of OpenXava 7.4.1 provides bug fixes, improvements in documentation, dependency upgrades and new features such as: new Maven archetypes, openxava-invoicing-archetype and openxava-invoicing-archetype-spanish, in English and Spanish, respectively; and a simple view layout with the property, flowLayout=true, that may now be applied up to 15 plain properties instead of eight. Further details on this release may be found in the release notes.

JHipster

The release of JHipster Lite 1.20.0 ships with bug fixes, improvements in documentation, dependency upgrades and new features/enhancements such as: an improved generated style using Tikui, a library for building static components; and support for JWT and OAuth2 authentication using Vue.js. More details on this release may be found in the release notes.

JetBrains Ktor

The release of JetBrains Ktor 3.0.0, the asynchronous framework for creating microservices and web applications, provides bug fixes and improvements such as: a migration to the kotlinx-io library to standardize I/O functionality across Kotlin libraries and improve performance; support for server-side events; and support for WebAssembly in Ktor Client. Further details on this release may be found in the release notes. InfoQ will follow up with a more detailed news story.

This week’s Java roundup for September 23th, 2024 features news highlighting: the proposed release schedule for JDK 24; JEP 475, Late Barrier Expansion for G1, promoted from Candidate to Proposed to Target for JDK 24; JEP 486, Permanently Disable the Security Manager, promoted from its JEP Draft 8338625 to Candidate status; and Quarkus joining the Commonhaus Foundation.

OpenJDK

JEP 475, Late Barrier Expansion for G1, was promoted from Candidate to Proposed to Target for JDK 24. This JEP proposes to simplify the implementation of the G1 garbage collector’s barriers, which record information about application memory accesses, by shifting their expansion from early in the C2 JIT’s compilation pipeline to later. The goal is to reduce the execution time of C2 when using the G1 collector. The review is expected to conclude on October 2, 2024.

JEP 486, Permanently Disable the Security Manager, has been promoted from its JEP Draft 8338625 to Candidate status. This JEP proposes to permanently disable the SecurityManager class since it was deprecated with JEP 411, Deprecate the Security Manager for Removal, delivered in JDK 17. While it was possible for developers to still enable the SecurityManager class while it has been deprecated, this functionality will be removed as the next step for ultimate removal.

JDK 24

Build 17 of the JDK 24 early-access builds was made available this past week featuring updates from Build 16 that include fixes for various issues. More details on this release may be found in the release notes.

Mark Reinhold, Chief Architect, Java Platform Group at Oracle, formally proposed the release schedule for JDK 24 as follows:

• Rampdown Phase One (fork from main line): December 5, 2024
• Rampdown Phase Two: January 16, 2025
• Initial Release Candidate: February 6, 2025
• Final Release Candidate: February 20, 2025
• General Availability: March 18, 2025

The review period for this proposed schedule is expected to conclude on October 2, 2024.

For JDK 24, developers are encouraged to report bugs via the Java Bug Database.

Spring Framework

Versions 3.4.0-M2, 3.3.3 and 3.2.8 of Spring Shell have been released featuring support for JEP 454, Foreign Function & Memory API, delivered in JDK 22, via JLine, the Java library for handling console input. These releases build on Spring Boot versions 3.4.0-M3, 3.3.4 and 3.2.10, respectively. Further details on these releases may be found in the release notes for version 3.4.0-M2, version 3.3.3 and version 3.2.8.

Quarkus

Red Hat has released version 3.15 of Quarkus, a new long-term support release provides dependency upgrades and resolutions to notable issues such as: a class loading failure from the findFunctions() method defined in the AzureFunctionsProcessor class; and a bidirectional streaming failure in the Dev UI console. The Quarkus team has stated that new features will be delivered in Quarkus 3.16, scheduled for the end of October 2024. More details on this release may be found in the release notes.

Open Liberty

IBM has released version 24.0.0.10-beta of Open Liberty featuring: beta support for JDK 23; and improved handling of SameSite cookies by allowing SameSite=None on incompatible clients. Details on how to set a SameSite cookie with Open Liberty may be found on this website.

WildFly

The first beta release of WildFly 34 delivers bug fixes, dependency upgrades and enhancements such as: a relocation of dependency JARs from the OpenTelemetry module to their own respective modules to minimize the size of the OpenTelemetry module; and a simplification of installing singleton service for a deployment that was once very cumbersome. Further details on this release may be found in the release notes.

Apache Software Foundation

Maintaining alignment with Quarkus, the release of Camel Quarkus 3.15.0, composed of Camel 4.8.0 and Quarkus 3.15.0, provides resolutions to notable issues such as: a deprecation of the Kotlin and Kotlin DSL extensions because they only provide a Kotlin function wrapper around the configure() method defined in the RouteBuilder abstract class; and a ClassNotFoundException from the SmallRye FallbackFunction class due to Quarkus having upgraded to SmallRye 6.4.0. More details on this release may be found in the release notes.

LangChain4j

Version 0.35.0 of LangChain for Java (LangChain4j) features new integrations: chat and embedding models from GitHub Models; document loader from Google Cloud Storage; scoring model from Google Vertex AI Ranking API; scoring model from ONNX Reranker; embedding store from Tablestore; and embedding and scoring models from Voyage AI. Other notable changes include: support for embedding models, the ability to count tokens and enumerated structured outputs from Google AI; and support for observability in Ollama. Further details on this release may be found in the release notes.

JBang

Version 0.119.0 of JBang provides bug fixes and a new feature in which junctions can now be created on WindowsOS that resolves an issue where executing the jbang jdk default {version} command would fail. More details on this release may be found in the release notes.

Java Operator SDK

The release of Java Operator SDK 4.9.5 features bug fixes and some refactoring that includes: change the package access of the asBoolean() method, defined in the BooleanWithUndefined enum, to public; a rename and deprecation of the defaultNonSSAResource() method, defined in the ConfigurationService interface, to defaultNonSSAResources(); and change the shouldUseSSA() method, also defined in the ConfigurationService interface, to use types as opposed to instances and corresponding tests. Further details on this release may be found in the release notes.

Commonhaus Foundation

The Commonhaus Foundation, a new non-profit organization dedicated to the sustainability of open source libraries and frameworks, has announced that Quarkus has joined the foundation this past week. In a blog post published in late July 2024, Max Rydahl Andersen, Distinguished Engineer at Red Hat, described their transition to the foundation, writing:

Quarkus will continue to innovate and evolve. We are dedicated to making Quarkus the best framework for Java development. This transition will enable us to welcome more contributions from a diverse range of developers and organisations. We are actively working on upcoming releases and are eager to hear your ideas and feedback.

They join notable projects such as: Hibernate, JReleaser, JBang, OpenRewrite, SDKMAN, EasyMock, Objenesis and Feign.

Introduced to the Java community at Devnexus in April 2024, the foundation provides succession planning and fiscal support for self-governing open-source projects.

RefactorFirst

Jim Bethancourt, principal software consultant at Improving, an IT services firm offering training, consulting, recruiting, and project services, has released version 0.5.0 of RefactorFirst, a utility that prioritizes the parts of an application that should be refactored. This release delivers: support for JDK 21; performance improvements on large codebases with a high number of commits; and the addition of a simple HTML resort that may be used in GitHub Actions. More details on this release may be found in the release notes.

Gradle

Gradle 8.10.2, the second maintenance release, ships with resolutions to notable issues: a failure to update the Gradle wrapper in version 8.10.1; a failure using a build with the Kotlin Mutliplatform plugin and a reused daemon; and the configureEach(Action) method, defined in the DefaultTaskCollection class, on a task set cannot be executed in the current context. Further details on this release may be found in the release notes.

There was a flurry of activity in the Spring ecosystem during the week of September 16th, 2024, highlighting point and milestone releases of: Spring Boot, Spring Security, Spring Authorization Server, Spring Integration, Spring Modulith, Spring Batch, Spring AMQP and Spring for Apache Pulsar.

Spring Boot

The third milestone release of Spring Boot 3.4.0 delivers bug fixes, improvements in documentation, dependency upgrades and new features such as: the addition of the Graylog Extended Log Format (GELF) for structured logging built-in to Spring Boot; and improvements in the use of the @AutoConfigureTestDatabase annotation that now attempts to detect if a database has been sourced from a container that eliminates the need to add the replace=Replace.NONE parameter. More details on this release may be found in the release notes.

Similarly, versions 3.3.4 and 3.2.10 of Spring Boot provide improvements in documentation, dependency upgrades and resolutions to issues such as: a FileNotFoundException with configuring the application.yml file to not load SSL bundles; and an IllegalStateException with the message “Recursive update” when container beans are annotated with @RestartScope. Further details on these releases may be found in the release notes for version 3.3.4 and version 3.2.10.

Spring Cloud Data Flow

Spring Cloud Dataflow 2.11.5 has been released featuring dependency upgrades and resolutions to notable issues such as: the tablePrefix property not properly resolved in the Composed Task Runner due to relaxed case sensitivity of the property name; and the addition of verifying the /tasks/thinexecutions endpoint in the DataflowOAuthIT class. More details on this release may be found in the release notes.

Spring Security

The fourth milestone release of Spring Security 6.4.0 delivers bug fixes, dependency upgrades and new features such as: deprecate use of the default OAuth2AccessTokenResponseClient interface in favor of the clients based on the Spring Framework RestClient interface for improved protection of resources; and the ability to configure the OidcSessionRegistry interface in Kotlin. Further details on this release may be found in the release notes.

Spring Authorization Server

The second milestone release of Spring Authorization Server 1.4.0 provides dependency upgrades and new features: a new convenience method, invalidate(), added to the OAuth2Authorization.Builder class to invalidate an OAuth2 token if necessary; and a new guide that demonstrates how to implement the RegisteredClientRepository, OAuth2AuthorizationService and OAuth2AuthorizationConsentService interfaces using a JSON-backed data store. More details on this release may be found in the release notes.

Spring Integration

The third milestone release of Spring Integration 6.4.0 ships with bug fixes, improvements in documentation, dependency upgrades and new features such as: first class support to register the new Spring Expression Language IndexAccessor interface, introduced in Spring Framework 6.2.0, that aligns with the ability to register an instance of the PropertyAccessor interface; and a new JsonIndexAccessor class that implements the IndexAccessor interface. Further details on this release may be found in the release notes and what’s new page.

Spring Modulith

The third milestone release of Spring Modulith 1.3.0 delivers bug fixes, dependency upgrades and new features such as support for: Microsoft SQL Server in the JDBC event publication registry; and the ability to contribute application modules from other packages and external JARs. More details on this release may be found in the release notes.

Similarly, versions 1.2.4 and 1.1.9 of Spring Modulith provide bug fixes, dependency upgrades and notable resolutions to issues: the wrong assert message from the HourHasPassed class; and an invalid package reference defined in the JacksonEventSerializer class. Further details on these releases may be found in the release notes for version 1.2.4 and version 1.1.9.

Spring Batch

The first milestone release of Spring Batch 5.2.0 ships with bug fixes, improvements in documentation, dependency upgrades and new features such as: support to configure an instance of the Spring Framework DataClassRowMapper classes with the JdbcCursorItemReaderBuilder and JdbcPagingItemReaderBuilder classes; and encourage the use of the JobRegistrySmartInitializingSingleton class over the JobRegistryBeanPostProcessor class that allows developers to configure their own application context and a mechanism to automatically register job beans with the job registry. More details on this release may be found in the release notes.

Spring AMQP

The third milestone release of Spring AMQP 3.2.0 delivers bug fixes, improvements in documentation, dependency upgrades and new features: improvements to numerous classes by applying pattern matching where necessary; the addition of fields, exchange and routingKey, to the RabbitMessageSenderContext class for improved compliance with the OpenTelemetry specification; and the ability to use the checkAfterCompletion() method, defined in the ConnectionFactoryUtils class, with the SimpleMessageListenerContainer class to verify that a RabbitMQ transaction has committed. Further details on this release may be found in the release notes.

Spring for Apache Pulsar

The second milestone release of Spring for Apache Pulsar 1.2.0 provides bug fixes, improvements in documentation, dependency upgrades and new features such as: a Message Container Startup Policy that allows developers to configure the message listener container startup failure policy with a new StartupFailurePolicy enum class that defines actions to stop, continue or retry a failed startup; and improvements to the @PulsarListener annotation to avoid recovering from exclusive consumer exceptions. More details on this release may be found in the release notes.

Similarly, versions 1.1.4 and 1.0.10 of Spring for Apache Pulsar have been released featuring dependency upgrades such as Spring Framework 6.1.13; Project Reactor 2023.0.10; Micrometer Metrics 1.13.4; and Micrometer Tracing 1.3.4. Further details on thes releases may be found in the release notes for version 1.1.4 and version 1.0.10.

This week’s Java roundup for September 9th, 2024 features news highlighting: the September 2024 Payara Platform, Piranha Cloud and Micrometer releases, Spring Framework 6.2.0-RC1, Spring Data 2024.1.0-M1, JBang 0.118.0 and Groovy 5.0.0-alpha-10.

JDK 23

Build 37 remains the current build in the JDK 23 early-access builds. Further details on this release may be found in the release notes and details on the new JDK 23 features may be found in this InfoQ news story.

JDK 24

Build 15 of the JDK 24 early-access builds was made available this past week featuring updates from Build 14 that include fixes for various issues. More details on this release may be found in the release notes.

For JDK 23 and JDK 24, developers are encouraged to report bugs via the Java Bug Database.

GraalVM

Oracle Labs has released version 0.10.3 of Native Build Tools, a GraalVM project consisting of plugins for interoperability with GraalVM Native Image. This latest release provides notable changes such as: a refactor of the MergeAgentFilesMojo class (and related classes) to remove the macro from the merger init command and throw a more informative message from the MojoExecutionException if the command doesn’t exist; a resolution to incorrect results while parsing command-line arguments due to the presence of whitespaces in the Windows file system; and a resolution to the nativeTest command unable to be executed when using JUnit 5.11.0-M2. More details on this release may be found in the changelog.

Spring Framework

The first release candidate of Spring Framework 6.2.0 delivers bug fixes, improvements in documentation, dependency upgrades and new features such as: an instance of the ResponseBodyEmitter now allows the registration of multiple state listeners; a rename of some class names for improved consistency in the org.springframework.http.client package due to the recent introduction of the ReactorNettyClientRequestFactory class; and a refactor of the ETag record class for improved comparison logic and exposing it on methods defined in the HttpHeaders class. More details on this release may be found in the release notes and what’s new page.

Similarly, Spring Framework 6.1.13 has also been released providing bug fixes, improvements in documentation, dependency upgrades and new features such as: errors thrown from the stop() method, defined in the SmartLifeycle interface, results in an unnecessary wait for the shutdown timeout; and an end to logging the value of result after changes made to the WebAsyncManager class as it was decided to allow applications to do so via other classes. More details on this release may be found in the release notes.

The Spring Framework team has disclosed CVE-2024-38816, Path Traversal Vulnerability in Functional Web Frameworks, a vulnerability in which an attacker can create a malicious HTTP request to obtain any file on the file system that is also accessible to the process on the running Spring application. The resolution was implemented in version 6.1.3 and backported to versions 6.0.4 and 5.3.40.

Versions 2024.1.0-M1, 2024.0.4 and 2023.1.10 of Spring Data have been released feature bug fixes and respective dependency upgrades to sub-projects such as: Spring Data Commons 3.4.0-M1, 3.3.4 and 3.2.10; Spring Data MongoDB 4.4.0-M1, 4.3.4 and 4.2.10; Spring Data Elasticsearch 5.4.0-M1, 5.3.4 and 5.2.10; and Spring Data Neo4j 7.4.0-M1, 7.3.4 and 7.2.10. These versions may be consumed by the upcoming releases of Spring Boot 3.4.0-M3, 3.3.4 and 3.2.10, respectively.

Version 4.25.0 of Spring Tools has been released with notable changes such as: improvements to Microsoft Visual Studio Code with the addition of code lenses to explain SPEL expressions and AOP annotations with Copilot, and syntax highlighting and validation for CRON expressions inside the Spring Framework @Scheduled annotation. More details on this release may be found in the release notes.

Open Liberty

IBM has released version 24.0.0.9 of Open Liberty featuring: support for the MicroProfile Telemetry 2.0 specification that now includes observability with metrics; the continued use of third-party cookies in Google Chrome with Cookies Having Independent Partitioned State (CHIPS); and a resolution to CVE-2023-50314, a vulnerability in IBM WebSphere Application Server Liberty versions 17.0.0.3 through 24.0.0.8 that would allow an attacker, with access to the network, to conduct spoofing attacks resulting in obtaining a certificate issued by a trusted authority to obtain sensitive information.

Payara

Payara has released their September 2024 edition of the Payara Platform that includes Community Edition 6.2024.9 and Enterprise Edition 6.18.0 and Enterprise Edition 5.67.0. Along with bug fixes and dependency upgrades, all three releases primarily address security issues, namely: an attacker having the ability to inject a malicious URL via a Host header allowing an HTML page generated by the REST interface to target the /management/domain endpoint; and an exposure in which a new password being logged via the admin GUI when the logging is set to the FINEST level. Further details on these releases may be found in the release notes for Community Edition 6.2024.9 and Enterprise Edition 6.18.0 and Enterprise Edition 5.67.0.

Micronaut

The Micronaut Foundation has released version 4.6.2 of the Micronaut Framework featuring Micronaut Core 4.6.5, bug fixes, improvements in documentation and updates to modules: Micronaut Data Micronaut OpenAPI/Swagger Support, Micronaut SQL Libraries, Micronaut JAX-RS, Micronaut Cache, Micronaut Views and Micronaut Security. Further details on this release may be found in the release notes.

Quarkus

Quarkus 3.14.3, the second maintenance release (the first one was skipped) delivers bug fixes, dependency upgrades and a new feature that provides initial support for a Software Bill of Materials (SBOM) using the CycloneDX standard. More details on this release may be found in the changelog.

Micrometer

The third milestone release of Micrometer Metrics 1.14.0 provides bug fixes, improvements in documentation, dependency upgrades and new features such as: no registration of metrics from the CaffeineCacheMetrics class (and related classes) when statistics are not enabled; and a resolution to metrics not being collected when an instance of the Java ExecutorService interface, wrapped in the monitor() method, defined in the ExecutorServiceMetrics class, shuts down. More details on this release may be found in the release notes.

Similarly, versions 1.13.4 and 1.12.10 of Micrometer Metrics feature notable bug fixes: a situation where Spring Boot configuration specifying metric percentiles in a standard application.yaml file are being overwritten; and a non-resolvable dependency, io.micrometer:concurrency-tests, incorrectly added to the Bill of Materials (BOM). Further details on these releases may be found in the release notes for version 1.13.4 and version 1.12.10.

Versions 1.4.0-M3, 1.3.4 and 1.2.10 of Micrometer Tracing 1.4.0 provide dependency upgrades and a resolution to a dependency convergence error when trying to use the io.micrometer:micrometer-tracing-bridge-otel dependency after upgrading to Micrometer Tracing 1.3.1. Further details on these releases may be found in the release notes for version 1.4.0-M3, version 1.3.4 and version 1.2.10.

Apache Software Foundation

Versions 11.0.0-M25, 10.1.29 and 9.0.94 of Apache Tomcat deliver bug fixes, dependency upgrades and notable changes such as: ensure that any instance of the Jakarta Servlet ReadListener interface is notified via a call to the onError() method if an HTTP/2 client resets a stream before the servlet request body is fully written; and an improvement in exception handling with methods annotated with the Jakarta WebSocket @OnMessage annotation that avoids the connection to automatically close. More details on these releases may be found in the release notes for version 11.0.0-M25, version 10.1.29 and version 9.0.94.

A regression affecting these versions, shortly after they were released, was reported and confirmed with configurations using HTTP/2. The Apache Tomcat team recommends a temporary fix by setting the property, discardRequestsAndResponses, to true on instances of the UpgradeProtocol element for HTTP/2. The Tomcat team plans to release a fix for this regression during the week of September 16, 2024.

The tenth alpha release of Apache Groovy 5.0.0 delivers bug fixes, dependency upgrades and improvements that support: ​​method references and method pointers in annotations; and the use of multiple @Requires, @Ensures and @Invariant annotations, located in the groovy-contracts package, that enable class-invariants, pre- and post-conditions. More details on this release may be found in the release notes.

Similarly, the release of Apache Groovy 4.0.23 features bug fixes and dependency upgrades. More details on this release may be found in the release notes.

Project Reactor

The sixth milestone release of Project Reactor 2024.0.0 provides dependency upgrades to reactor-core 3.7.0-M6. There was also a realignment to version 2024.0.0-M6 with the reactor-netty 1.2.0-M5, reactor-pool 1.1.0-M5, reactor-addons 3.6.0-M2, reactor-kotlin-extensions 1.3.0-M2 and reactor-kafka 1.4.0-M1 artifacts that remain unchanged. Further details on this release may be found in the changelog.

Next, Project Reactor 2023.0.10, the tenth maintenance release, provides dependency upgrades to reactor-core 3.6.10. There was also a realignment to version 2023.0.10 with the reactor-netty 1.1.22, reactor-pool 1.0.8, reactor-addons 3.5.2, reactor-kotlin-extensions 1.2.3 and reactor-kafka 1.3.23 artifacts that remain unchanged. More details on this release may be found in the changelog.

Finally, Project Reactor 2022.0.22, the twenty-second maintenance release, provides dependency upgrades to reactor-core 3.5.20 and reactor-netty 1.1.22 and reactor-pool 1.0.8, reactor-addons 3.5.2 and reactor-kotlin-extensions 1.2.3. There was also a realignment to version 2022.0.22 with the reactor-kafka 1.3.23 artifacts that remain unchanged. Further details on this release may be found in the changelog. This version is also the last in the 2022.0 release train as per the OSS support schedule.

Piranha Cloud

The release of Piranha 24.9.0 delivers notable changes such as: TCK updates in the Piranha Core Profile to support a number of Jakarta EE specifications (Jakarta Annotations 2.1.1, Jakarta Dependency Injection 2.0.2, Jakarta JSON Binding 3.0.0, etc.); and updates in their Arquillian adapter for improved deployment and un-deployment, and expose the ability to set the HTTP port and JVM arguments. Further details on this release may be found in their documentation and issue tracker.

JHipster

The release of JHipster Lite 1.18.0 delivers bug fixes, improvements in documentation, dependency upgrades and new features/enhancements such as: a new class, OpenApiContractApplicationService, part of a new API that checks for backwards incompatible changes to OpenAPI contracts; and a refactor of the vue-core module for improved testing. There was also removal of deprecated code that may cause a breaking change. More details on this release may be found in the release notes.

JBang

Version 0.118.0 of JBang provides bug fixes and a new linuxdistro provider that searches a developer’s /usr/lib/jvm folder to detect JDKs that have already been installed. More details on this release may be found in the release notes.

JetBrains Ktor

The first release candidate of Ktor 3.0.0 delivers bug fixes and new features such as: support for Kotlin 2.0.0; an improved staticZip utility that watches for changes and reloading of ZIP files; and support for handling HTTP errors. More details on this release may be found in the release notes.

Gradle

Gradle 8.10.1, the first maintenance release, provides resolutions to issues: a performance degradation with version 8.10.0 due to dependency resolutions with detached configurations; an instance of the LifecycleAwareProject class is equal, via the equals() method, to an instance of it corresponding DefaultProject class, but not the other way around; and Gradle validating isolated projects when the configuration cache is disabled. More details on this release may be found in the release notes.

There was a flurry of activity in the Spring ecosystem during the week of August 19th, 2024, highlighting: point and milestone releases of Spring Boot, Spring Data, Spring Cloud, Spring Security, Spring Authorization Server, Spring Session, Spring for Apache Kafka and Spring for Apache Pulsar.

Spring Boot

The second milestone release of Spring Boot 3.4.0 delivers bug fixes, improvements in documentation, dependency upgrades and many new features such as: an update to the @ConditionalOnSingleCandidate annotation to deal with fallback beans in the presence of a regular single bean; and configure the SimpleAsyncTaskScheduler class when virtual threads are enabled. More details on this release may be found in the release notes.

Versions 3.3.3 and 3.2.9 of Spring Boot have been released to address CVE-2024-38807, Signature Forgery Vulnerability in Spring Boot’s Loader, where applications that use the spring-boot-loader or spring-boot-loader-classic APIs contain custom code that performs signature verification of nested JAR files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another. Developers using earlier versions of Spring Boot should upgrade to versions 3.1.13, 3.0.16 and 2.7.21.

Spring Data

Versions 2024.0.3 and 2023.1.9, both service releases of Spring Data, feature bug fixes and respective dependency upgrades to sub-projects such as: Spring Data Commons 3.3.3 and 3.2.9; Spring Data MongoDB 4.3.3 and 4.2.9; Spring Data Elasticsearch 5.3.3 and 5.2.9; and Spring Data Neo4j 7.3.3 and 7.2.9. These versions can be consumed by Spring Boot 3.3.3 and 3.2.9, respectively.

Spring Cloud

The first milestone release of Spring Cloud 2024.0.0, codenamed Mooregate, features bug fixes and notable updates to sub-projects: Spring Cloud Kubernetes 3.2.0-M1; Spring Cloud Function 4.2.0-M1; Spring Cloud OpenFeign 4.2.0-M1; Spring Cloud Stream 4.2.0-M1; and Spring Cloud Gateway 4.2.0-M1. This release provides compatibility with Spring Boot 3.4.0-M1. Further details on this release may be found in the release notes.

Spring Security

The second milestone release of Spring Security 6.4.0 delivers bug fixes, dependency upgrades and new features such as: improved support to the @AuthenticationPrincipal and @CurrentSecurityContext meta-annotations to better align with method security; preserve the custom user type in the InMemoryUserDetailsManager class for improved use in the loadUserByUsername() method; and the addition of a constructor in the AuthorizationDeniedException class to provide the default value for AuthorizationResult interface. More details on this release may be found in the release notes and what’s new page.

Similarly, versions 6.3.2, 6.2.6 and 5.8.14 of Spring Security have also been released providing bug fixes, dependency upgrades and a new feature that implements support for multiple URLs in the ActiveDirectoryLdapAuthenticationProvider class. Further details on these releases may be found in the release notes for version 6.3.2, version 6.2.6 and version 5.8.14.

Spring Authorization Server

Versions 1.4.0-M1, 1.3.2 and 1.2.6 of Spring Authorization Server have been released that ship with bug fixes, dependency upgrades and new features such as: a new authenticationDetailsSource() method added to the OAuth2TokenRevocationEndpointFilter class used for building an authentication details from an instance of the Jakarta Servlet HttpServletRequest interface; and allow customizing an instance of the Spring Security LogoutHandler interface in the OidcLogoutEndpointFilter class. More details on these releases may be found in the release notes for version 1.4.0-M1, version 1.3.2 and version 1.2.6.

Spring Session

The second milestone release of Spring Session 3.4.0-M2 provides many dependency upgrades and a new RedisSessionExpirationStore interface so that it is now possible to customize the expiration policy in an instance of the RedisIndexedSessionRepository.RedisSession class. Further details on this release may be found in the release notes and what’s new page.

Similarly, the release of Spring Session 3.3.2 and 3.2.5 ship with dependency upgrades and a resolution to an issue where an instance of the AbstractSessionWebSocketMessageBrokerConfigurer class triggers an eager instantiation of the SessionRepository interface due to a non-static declaration of the Spring Framework ApplicationListener interface. More details on this release may be found in the release notes for version 3.3.2 and version 3.2.5.

Spring Modulith

Versions 1.3 M2, 1.2.3, and 1.1.8 of Spring Modulith have been released that ship with bug fixes, dependency upgrades and new features such as: an optimization of the publication completion by event and target identifier to allow databases to optimize the query plan; and a refactor of the EventPublication interface that renames the isPublicationCompleted() method to isCompleted(). Further details on these releases may be found in the release notes for version 1.3.0-M2, version 1.2.3 and version 1.1.8.

Spring AI

The second milestone release of Spring AI 1.0.0 delivers bug fixes, improvements in documentation and new features such as: improved observability functionality for the ChatClient interface, chat models, embedding models, image generation models and vector stores; a new MarkdownDocumentReader for ETL pipelines; and a new ChatMemory interface that is backed by Cassandra.

Spring for Apache Kafka

Versions 3.3.0-M2, 3.2.3 and 3.1.8 of Spring for Apache Kafka have been released with bug fixes, dependency upgrades and new features such as: support for Apache Kafka 3.8.0; and improved error handling on fault tolerance retries. These releases will be included in the Spring Boot 3.4.0-M2, 3.3.3 and 3.2.9, respectively. More details on this release may be found in the release notes for version 3.3.0-M2, version 3.2.3 and version 3.1.8.

Spring for Apache Pulsar

The first milestone release of Spring for Apache Pulsar 1.2.0-M1 ships with improvements in documentation, dependency upgrades and new features: the ability to configure a default topic and namespace; and the ability to use an instance of a custom Jackson ObjectMapper class for JSON schemas. This release will be included in Spring Boot 3.4.0-M2. Further details on this release may be found in the release notes.

Similarly, versions 1.1.3 and 1.0.9 of Spring for Apache Pulsar have been released featuring dependency upgrades and will be included in Spring Boot 3.3.3 and 3.2.9, respectively. More details on these releases may be found in the release note for version 1.1.3 and version 1.0.9.

This week’s Java roundup for August 5th, 2024 features news highlighting: the first release candidates of JDK 23 and Gradle 8.10; JEP 483, Ahead-of-Time Class Loading & Linking, a new HotSpot feature; the releases of Hibernate ORM 6.6, Hibernate Search 7.2, Hibernate Reactive 2.4; multiple Apache Tomcat point and milestone releases; and GlassFish 8.0.0-M7.

OpenJDK

JEP 483, Ahead-of-Time Class Loading & Linking, has been promoted from its JEP Draft 8315737 to Candidate status. This JEP proposes to “improve startup time by making the classes of an application instantly available, in a loaded and linked state, when the HotSpot Java Virtual Machine starts.” This may be achieved by monitoring the application during one run and storing the loaded and linked forms of all classes in a cache for use in subsequent runs. This feature will lay a foundation for future improvements to both startup and warmup time.

JDK 23

Build 36 of the JDK 23 early-access builds was made available this past week featuring updates from Build 35 that include fixes for various issues. Further details on this release may be found in the release notes, and details on the new JDK 23 features may be found in this InfoQ news story.

As per the JDK 23 release schedule, Mark Reinhold, Chief Architect, Java Platform Group at Oracle, formally declared that JDK 23 has entered its first release candidate as there are no unresolved P1 bugs in Build 36. The anticipated GA release is scheduled for September 17, 2024. The final set of 12 features for the GA release in September 2024 will include:

More details on all of these new features may be found in this InfoQ news story.

JDK 24

Build 10 of the JDK 24 early-access builds was also made available this past week featuring updates from Build 9 that include fixes for various issues. Further details on this release may be found in the release notes.

For JDK 23 and JDK 24, developers are encouraged to report bugs via the Java Bug Database.

GlassFish

GlassFish 8.0.0-M7, the seventh milestone release, delivers notable changes such as: removal of throwing an IllegalArgumentException if an instance of the BundleDescriptor class is null while executing the toString() method defined in the Application class; removal of additional references to the deprecated SecurityManager that included formatting, name changes, and removing unused method parameters; and an implementation of the Jakarta Concurrency 3.1, the latest version for the upcoming release of Jakarta EE 11. More details on this release may be found in the release notes.

Quarkus

Quarkus 3.13.1, the first maintenance release in the 3.13 release train, provides bug fixes, improvements in documentation and notable changes such as: support for CompletableFuture when using JsonRPC extension in the Dev UI; avoid a possible NullPointerException due to a race condition in the ApplicationLifecycleManager class during shutdown; and a resolution to a NullPointerException when using the findFirstBy methods defined in Spring Data JPA project that already return Optional. Further details on this release may be found in the changelog.

Open Liberty

IBM has released version 24.0.0.8-beta of Open Liberty that introduces versionless features to simplify and streamline choosing compatible features for the MicroProfile, Jakarta EE and Java EE platforms. This is accomplished by configuring only the features at the specific versions required by an application. This composable design pattern minimizes runtime resource requirements and accelerates application startup times.

This release also provides previews of the upcoming releases of MicroProfile 7.0, scheduled to be released on or about August 22, 2024, and Jakarta EE 11, scheduled to be released in 3Q2024.

Hibernate

The release of Hibernate ORM 6.6.0.Final, preceded by the second release candidate a day earlier, delivers a complete implementation of the new Jakarta Data 1.0 specification that is: based on compile-time code generation via an annotation processor, enabling compile-time type safety; and backed by the StatelessSession interface, which has been enhanced especially to meet the needs of Jakarta Data. Other new features include: a new @ConcreteProxy annotation to replace the deprecated @Proxy and @LazyToOne annotations; and a discriminator-based inheritance for types annotated with @Embeddable.

The release of Hibernate Search 7.2.0.Final, preceded by the first release candidate two days earlier, provides improvements to the Search DSL that include: new projection types; new predicates; enhancements to the existing predicate types; query parameters; and a deprecation of the ValueConvert enumeration in favor of the ValueModel enumeration. This version upgrades to Hibernate ORM 6.6.0.Final which introduces compatibility with: OpenSearch 2.14, 2.15 and 2.16; and Elasticsearch 8.14 and 8.15.

The release of Hibernate Reactive 2.4.0.Final, also preceded by the first release candidate two days earlier, ships with notable changes such as: convert the cascadeOnLock() method, defined in the DefautlReactiveLockEventListener class, to be reactive; avoid the creation of multiple connections during schema migration; and a dependency upgrade to Hibernate ORM 6.6.0.Final. More details on this release may be found in the release notes.

Apache Software Foundation

Versions 11.0.0-M24, 10.1.28 and 9.0.93 of Apache Tomcat deliver bug fixes and notable changes such as: align HTTP/2 with HTTP/1.1 and recycle the container’s internal request and response processing objects by default that may be can be controlled via the new discardRequestsAndResponses attribute on the HTTP/2 upgrade protocol; the addition of compatibility methods from JEP 454, Foreign Function & Memory API, that support OpenSSL, LibreSSL and BoringSSL, which all require a minimal version of JDK 22; and support for the RFC 8297, An HTTP Status Code for Indicating Hints, specification where applications can use this feature by casting the HttpServletResponse interface to the Response class and then calling the sendEarlyHints() method. Further details on these releases may be found in the release notes for version 11.0.0-M24, version 10.1.28 and version 9.0.93.

Infinispan

Infinispan 15.0.7.Final, the seventh maintenance release, provides resolutions to notable issues such as: throw a more refined and descriptive exception if user properties are malformed; a NullPointerException when attempting to remove an entry with Xsite; and the consistent return of an empty array from the IntermediateCacheStream class due to a typo that did not update a copy-and-paste from the toArray() method. More details on this release may be found in the release notes.

Gradle

The first release candidate of Gradle 8.10 delivers resolutions to numerous issues and notable changes: improvements to the configuration cache, including a significant reduction in the cache file size and accelerated cache loading times; and Improved behavior and callback execution for the GradleLifecycle API. Further details on this release may be found in the release notes.

This week’s Java roundup for July 29th, 2024 features news highlighting: the release of Hazelcast 5.5; early-access releases for Project Loom and Project Valhalla; beta releases of Hibernate ORM 7.0 and Hibernate Validation 9.0; and point releases for Quarkus, Helidon, GlassFish, JobRunr and Testcontainers for Java.

OpenJDK

JEP 404, Generational Shenandoah (Experimental), has been updated this past week to be included in JDK 24 despite its current Candidate status. We anticipate that this JEP will soon be promoted to Proposed to Target.

Originally targeted for JDK 21, JEP 404 was officially removed from the final feature set due to the “risks identified during the review process and the lack of time available to perform the thorough review that such a large contribution of code requires.” The Shenandoah team decided to “deliver the best Generational Shenandoah that they can” and target a future release.

JDK 23

Build 35 of the JDK 23 early-access builds was made available this past week featuring updates from Build 34 that include fixes for various issues. Further details on this release may be found in the release notes, and details on the new JDK 23 features may be found in this InfoQ news story.

JDK 24

Build 9 of the JDK 24 early-access builds was also made available this past week featuring updates from Build 8 that include fixes for various issues. More details on this release may be found in the release notes.

For JDK 23 and JDK 24, developers are encouraged to report bugs via the Java Bug Database.

Project Loom

Build 24-loom+3-33 of the Project Loom early-access builds was made available to the Java community this past week and is based on Build 8 of the JDK 24 early-access builds. This build improves the implementation of Java monitors (synchronized methods) for enhanced interoperability with virtual threads.

Project Valhalla

After more than 20 months since the release of the last build, Build 23-valhalla+1-90 of the Project Valhalla early-access builds was also made available and is based on an incomplete version of JDK 23. Daniel Smith, Programming Language Designer at Oracle, has published this early-access document that describes value classes and objects in more detail. InfoQ will follow up with a more detailed news story.

GlassFish

GlassFish 7.0.16, the sixteenth maintenance release, delivers bug fixes, improvements in documentation, refactoring and maintenance, dependency upgrades and new features such as: a new mechanism that logs admin commands that are invoked by the Admin Console, Admin CLI or the REST admin interface; allow a resource reference in the persistence.xml file that may be changed using the resource-ref XML tag in the glassfish-web.xml file with alternative runtime descriptor or in a deployment plan during deployment; and a new button in the Admin Console header to enable/disable admin command logging. Further details on this release may be found in the release notes.

Jakarta EE 11

In his weekly Hashtag Jakarta EE blog, Ivar Grimstad, Jakarta EE Developer Advocate at the Eclipse Foundation, provided an update on the upcoming release of Jakarta EE 11, writing:

Since a couple of specification projects have published service releases to fix minor issues in their API artifacts or Java Doc, a release candidate of the Jakarta EE 11 APIs incorporating these updates will be produced shortly. There will most likely be a release candidate of the specification documents as well.

The road to Jakarta EE 11 included four milestone releases with the potential for release candidates as necessary before the GA release in 3Q2024.

Hazelcast

Hazelcast has released version 5.5 of their Hazelcast Platform delivering numerous new features such as: a new vector search utilizing a Vector Collection; a Hazelcast Jet Job Placement Control that enables developers to designate, at deployment time, which cluster members an event processing pipeline can use; and dynamic configuration using the Hazelcast REST API that enables access to data structures and cluster via HTTP/HTTPS protocols. More details on this release may be found in the what’s new page.

Quarkus

The release of Quarkus 3.13 delivers new features such as: support for OpenTelemetry Metrics with a new OpenTelemetry extension; support for Kotlin suspend functions in the WebSockets Next extension; and a new @WithTestResource annotation to replace the now-deprecated @QuarkusTestResource annotation. Further details on this release may be found in the changelog.

Helidon

Helidon 4.0.11, the eleventh maintenance release, provides notable changes such as: an updated decode() method, defined in the UriEncoding class, to expose the decodeQuery() method; remove usage of the Java ConcurrentHashMap class from the LocalXAResource class to avoid thread pinning in JDK versions 22 and lower; and a move of the client protocol ID caching from the HttpClientRequest class to the WebClient interface level for proper sharing. More details on this release may be found in the changelog.

Apache Software Foundation

The release of Apache Kafka 3.8.0 ships with bug fixes, improvements and new features such as: the launch of the Docker official image for Apache Kafka; the addition of the connectSourceStoreAndTopic() method, defined in the InternalTopologyBuilder class, as a public method within the Topology class for using a source topic directly without a redundant changelog topic; and an implementation of the ConsumerInterceptor interface in the AsyncKafkaConsumer class to eliminate redundant non-null branches. Further details on this release may be found in the release notes.

Maintaining alignment with Quarkus, the release of Camel Quarkus 3.13.0, composed of Camel 4.7.0 and Quarkus 3.13.0, provides resolutions to notable issues such as: the Camel Quarkus Syslog extension not compatible with the JDBC Driver – Oracle extension in native mode; a SQLSyntaxErrorException caused by case sensitivity in MySQL and MariaDB databases; and the Camel Caffeine Cache extension does not work in native mode when the camel.component.caffeine-cache.stats-enabled property is set to true. More details on this release may be found in the release notes.

Infinispan

Infinispan 14.0.30.Final, the thirtieth maintenance release, ships with dependency upgrades and resolutions to issues: a NullPointerException from the acquireKeyFromContext() method, defined in the PersistenceManagerImpl class, when an entry is not found in InvocationContext interface; and a failure to read cache files if Infinispan terminated with a force kill when used with JDK 21. Further details on this release may be found in the release notes.

Hibernate

The first beta release of Hibernate ORM 7.0.0 features: a migration to the Jakarta Persistence 3.2 specification, the latest version targeted for Jakarta EE 11; a baseline of JDK 17; improved domain model validations; and a migration from Hibernate Commons Annotations (HCANN) to the new Hibernate Models project for low-level processing of an application domain model. More details on migrating to version 7.0 may be found in the migration guide.

Similarly, the first beta release of Hibernate Validator 9.0.0 features: a migration to the Jakarta Validation 3.1 specification, the latest version targeted for Jakarta EE 11; a baseline of JDK 17; and a new Hibernate Validator BOM providing dependency management for all of its published artifacts. Note: this first beta release is labeled as version 9.0.0.Beta2 due to testing of their new release process causing the Beta1 release to not publish correctly.

JobRunr

Version 7.2.3 of JobRunr, a library for background processing in Java that is distributed and backed by persistent storage, has been released with enhancements: the Quarkus JobRunr extension is now visible in the Quarkus extensions catalog; an update to the quarkus-extension.yaml file to promote the JobRunr extension from preview to stable; and improved readability and performance when comparing instances of the ServerZookeeper class. Further details on this release may be found in the release notes.

Testcontainers for Java

Testcontainers for Java 1.20.1 delivers bug fixes, improvements in documentation and new features/enhancements such as: support for Apache Kafka native image; a rename of the now-deprecated SA_PASSWORD environmental variable to MSSQL_SA_PASSWORD; and support for the tenant name, password and mode in the OceanBase module. More details on this release may be found in the release notes.