Author: Michael Redlich

Article originally posted on InfoQ. Visit InfoQ

Subscribe on:

Apple Podcasts
Google Podcasts
Soundcloud
Spotify
Overcast
Podcast Feed

.
From this page you also have access to our recorded show notes. They all have clickable links that will take you directly to that part of the audio.

Article originally posted on InfoQ. Visit InfoQ

This week’s Java roundup for November 20th, 2023 features news from OpenJDK, JDK 22, JCON World 2023, and point, milestone and GA releases for: Spring Boot, Spring Framework, Spring Security, Spring Authorization Server, Spring GraphQL, Spring Integration, Spring Session, Spring Vault, Quarkus, Hibernate ORM, Hibernate Search, Infinispan, JHipster, JBang, OpenXava, Testcontainers and Gradle.

OpenJDK

After its review has concluded, JEP 447, Statements before super(…) (Preview), has been promoted from Proposed to Target to Targeted for JDK 22. This JEP, under the auspices of Project Amber, proposes to: allow statements that do not reference an instance being created to appear before the this() or super() calls in a constructor; and preserve existing safety and initialization guarantees for constructors. Gavin Bierman, consulting member of technical staff at Oracle, has provided an initial specification of this JEP for the Java community to review and provide feedback.

JEP 461, Stream Gatherers (Preview), has been promoted from Candidate to Proposed to Target for JDK 22. This JEP proposes to enhance the Stream API to support custom intermediate operations. “This will allow stream pipelines to transform data in ways that are not easily achievable with the existing built-in intermediate operations.” More details on this JEP may be found in the original design document written by Viktor Klang, Software Architect, Java Platform Group at Oracle. The review is expected to conclude on November 29, 2023.

JEP 462, Structured Concurrency (Second Preview), has been promoted from Candidate to Proposed to Target for JDK 22. This JEP will propose to re-preview the API in JDK 22, without change, in order to gain more feedback from the previous round of preview: JEP 453, Structured Concurrency (Preview), delivered in JDK 21. This feature simplifies concurrent programming by introducing structured concurrency to “treat groups of related tasks running in different threads as a single unit of work, thereby streamlining error handling and cancellation, improving reliability, and enhancing observability.” The review is expected to conclude on December 1, 2023.

JEP 458, Launch Multi-File Source-Code Programs, has been promoted from Candidate to Proposed to Target for JDK 22. This JEP proposes to enhance the Java Launcher to execute an application supplied as one or more files of Java source code. This allows a more gradual transition from small applications to larger ones by postponing a full-blown project setup. The review is expected to conclude on December 1, 2023.

JDK 22

Build 25 of the JDK 22 early-access builds was made available this past week featuring updates from Build 24 that include fixes to various issues. Further details on this build may be found in the release notes.

For JDK 22, developers are encouraged to report bugs via the Java Bug Database.

Spring Framework

The release of Spring Boot 3.2.0 delivers bug fixes, improvements in documentation, dependency upgrades and new features such as: support for Oracle Free, the replacement for Oracle XE, that comes with Testcontainers and Docker Compose; a change in parameter name discovery that replaces deducing parameter names by parsing bytecode; support for Jetty 12; and support for the new RestClient interface that was introduced in Spring Framework 6.1. More details on this release may be found in the release notes.

Similarly, versions 3.1.6, 3.0.13 and 2.7.18 of Spring Boot provides bug fixes, improvements in documentation, dependency upgrades and a new feature in which the default Cloud Native Buildpacks (CNBs) have been upgraded to Paketo Jammy due to the Paketo Bionic Builder having been declared as unsafe. More details on these releases may be found in the version 3.1.6, version 3.0.13 and version 2.7.18.

The release of Spring Framework 6.1.1 ships with bug fixes, improvements in documentation and new features such as: skip unnecessary buffer allocation in the copy(String) method defined in the StreamUtils class; and a fix for concurrency leaks large amounts of non-heap memory in JDK 17 from the isReadable() method defined in the Resource interface. More details on this release may be found in the release notes.

The release of Spring Security 6.2.0 delivers bug fixes, dependency upgrades and new features: support for Kotlin coroutines in the AuthorizationManagerBeforeReactiveMethodInterceptor and AuthorizationManagerAfterReactiveMethodInterceptor classes; and a simplification on configuring the OAuth2 Client component model. More details on this release may be found in the release notes and What’s New page.

The release of Spring Authorization Server 1.2.0 provides improvements in documentation, dependency upgrades and new features such as: allow a configurable refresh token strategy for AUTHORIZATION_CODE and REFRESH_TOKEN grant types defined in the Spring Security AuthorizationGrantType class; and introduce Ahead-of-Time (AOT) optimizations, or AOT hints, for types and resources used across the codebase to resolve failure in generating native images with GraalVM. More details on this release may be found in the release notes.

The release of Spring for GraphQL 1.2.4 ships with bug fixes, improvements in documentation, dependency upgrades and new features such as: improved parsing of the line and column attributes from the GraphQL SourceLocation class within the ResponseMapGraphQlResponse class; and use of the isOmitted() method rather than the isPresent() method from the ArgumentValue class within ArgumentValueValueExtractor class to allow validation of null arguments. More details on this release may be found in the release notes.

The release of Spring Integration 6.2.0 delivers notable changes such as: a fix for a race condition within the HazelcastMetadataStoreTests class; a more robust readRaw() and finalizeRaw() methods defined in the FtpSession class to eliminate exceptions thrown due to 550 FTP Response errors; and an increase in the timeout for the FTP RotatingServersTests class due to unknown delays on MacOS that cause the tests to fail. More details on this release may be found in the release notes and What’s New page.

The release of Spring Session 3.2.0 provides many dependency upgrades and a new feature in which improvements in documentation and logging have been made if a rememberMeRequestAttribute attribute has not been set within a custom implementation of the CookieSerializer interface. More details on this release may be found in the release notes and What’s New page.

The release of Spring Vault 3.1 ships with improvements in documentation, dependency upgrades and new features such as: support for HashiCorp Vault role_name and entity_alias parameters in the VaultTokenRequest class; and a new AuthenticationEventMulticaster interface to manage a number of AuthenticationEvent and AuthenticationErrorEvent objects and publish events to them. More details on this release may be found in the release notes.

The release of Spring for Apache Pulsar 1.0.0 delivers notable changes such as: the PulsarAdministration class now accepts multiple instances of the PulsarAdminBuilderCustomizer interface; and a dependency break with Spring Boot to avoid a “chicken-and-egg” problem for times when Spring Boot has a dependency on Spring for Apache Pulsar. More details on this release may be found in the release notes.

Version 3.1.0 of Spring for Apache Kafka and Spring for RabbitMQ have been released to provide bug fixes, improvements in documentation and dependency upgrades. New features in Spring for Apache Kafka include: removal of setting the brokerListProperty property within the EmbeddedKafkaKraftBroker class that could lead to an exception if the property is null; and provide a way to define a ContainerCustomizer bean name to associate with the @KafkaListener annotation. More details on this release may be found in the release notes for Apache Kafka and for RabbitMQ.

Versions 1.1.0 and 1.0.3 of Spring Modulith have been released that ship with bug fixes, dependency upgrades and new features such as: use the Spring Framework BeanFactoryInitializationAotProcessor interface to initialize actuator endpoints on native images rather than the ApplicationModules class; and a warning to alert developers that the updateFirst() method defined in the Spring Data MongoTemplate class does not support sort operations. Developers should instead use the findAndModify() method. More details on this release may be found in the release notes for version 1.1.0 and version 1.0.3.

Eclipse Store

The Eclipse Foundation has released version 1.0.0 of EclipseStore, a Java native-persistence library. Formerly known as MicroStream, this new version is the initial release under the Eclipse Foundation and a migration from MicroStream Storage 8.1.1. More details on this release may be found in the release notes.

Quarkus

Red Hat has released version 3.5.3 of Quarkus 3.5.3 featuring notable changes such as: a switch from HashMap to LinkedHashMap in the MultipartFormDataOutput class to maintain the users’ input order; and ensure that authentication and authorization occur before the WebSocket injector for GraphQL is injected. More details on this release may be found in the changelog.

Similarly, Quarkus 3.2.9.Final has also been released with notable changes such as: a resolution to the @ServerResponseFilter annotation with a Throwable parameter not being called when a REST resource is throwing an exception; and handle duplicate contexts that get mixed when caching the response of a REST call via the CacheResultInterceptor class. More details on this release may be found in the changelog.

Hibernate

The release of Hibernate ORM 6.4.0.Final delivers: a new @SoftDelete annotation to support soft deletes, values as deleted/non-deleted versus active/inactive (reversed); implementation of the remaining functions for handling arrays in HQL and Criteria queries; and support for writing Hibernate-specific events in the JDK Flight Recorder.

The second release candidate of Hibernate Search 7.0.0 features: bug fixes; compatibility with Jakarta EE, the Hibernate ORM discriminator-based multi-tenancy, Elasticsearch 8.11 and OpenSearch 2.10 and 2.11; and dependency upgrades to Hibernate ORM 6.4.0.Final and Apache Lucene 9.8. Hibernate Search 7.0.0.CR2 requires a minimal version of JDK 11.

Infinispan

Version 15.0.0.Dev05 of Infinispan has been released with notable changes such as: the use of the Spring Framework @DirtiesContext annotation on Spring tests to force the cache manager to stop; an improved WriteSkewConsistencyTest class to resolve random failures; and update the Jakarta JSON Processing dependency from the javax.* namespace to the jakarta.* namespace as required by WildFly Elytron 2.x. More details on this release may be found in the list of issues.

Similarly, version 14.0.21.Final of Infinispan has also been released with notable changes such as: default methods in the Java ConcurrentMap interface should ensure that their iterators are closed upon encountering an error; improvements in implementing virtual threads; and the creation of metrics to measure latency between nodes. More details on this release may be found in the list of issues.

JHipster

Version 0.49.0 of JHipster Lite has been released featuring bug fixes, dependency upgrades and enhancements: GraalVM automated builds; and a package-info.java file in their Dummy feature. More details on this release may be found in the release notes.

JBang

Versions 0.113.0 and 0.112.4 of JBang deliver notable changes such as: a new magic %{deps:..} expansion on the command line that will resolve dependencies within that expression and replace it with a classpath (see example below); a fix for when a custom port is provided via the --debug command line parameter, the default of 4004 is still used; and an updated docker-compose file for testing proxies that require authentication. More details on these releases may be found in the release notes for version 0.113.0 and version 0.112.4.

The new command line expansion allows developers to write something like:

    
$ jbang sqlline@maxandersen -cp %{deps:org.hsqldb:hsqldb:RELEASE} other args
    

OpenXava

The release of OpenXava 7.2.0 features bug fixes, dependency upgrades and new features such as: support for JDK 21; improvements to the calendar to show the week or the day; and numerous web security enhancements. More details on this release may be found in the release notes.

Testcontainers for Java

Testcontainers for Java 1.19.3 has been released with notable bug fixes such as: register missing default network aliases using the ContainerDef class; a regression due to a breaking change upon using the setImage() method defined in the GenericContainer class; and bugs within the SQLScriptScanner with large String literals and PostgreSQL identifiers.

Gradle

The fourth release candidate of Gradle 8.5.0 delivers continuous improvements on new features such as: full support for compiling, testing and running on JDK 21; improvements in the Kotlin DSL that include faster first use and version catalog support in precompiled Kotlin script plugins; and improved reporting of errors and warnings. More details on this release may be found in the release notes.

JCON World

The JCON World 2023 conference, the international online Java community conference organized by the Java User Group Oberpfalz, was held this past week, featuring over 100 speakers from the Java community who presented keynote addresses, one-hour sessions and workshops over a three-day timeframe.

Article originally posted on InfoQ. Visit InfoQ

This week’s Java roundup for November 13th, 2023 features news from OpenJDK, JDK 22, and monthly, milestone and point releases of: Spring Framework; Spring Data; Payara Platform; Open Liberty; Micronaut; Grails; Quarkus; Tomcat; Apache Camel; Vert.x; Mojarra; Micrometer Metrics and Tracing; Project Reactor; Piranha; JDKMon; JobRunr; JHipster Lite; Testcontainers for Java; Arquillian; and Gradle.

OpenJDK

After its review has concluded, JEP 459: String Templates (Second Preview), has been promoted from Proposed to Target to Targeted for JDK 22. This JEP provides a second preview from the first round of preview: JEP 430, String Templates (Preview), delivered in JDK 21. This feature enhances the Java programming language with string templates, string literals containing embedded expressions, that are interpreted at runtime where the embedded expressions are evaluated and verified. More details on JEP 430 may be found in this InfoQ news story.

JEP 463, Implicitly Declared Classes and Instance Main Methods (Second Preview), has been promoted from Candidate to Proposed to Target for JDK 22. Formerly known as Unnamed Classes and Instance Main Methods (Preview), Flexible Main Methods and Anonymous Main Classes (Preview) and Implicit Classes and Enhanced Main Methods (Preview), this JEP incorporates enhancements in response to feedback from the previous round of preview, namely JEP 445, Unnamed Classes and Instance Main Methods (Preview). This JEP proposes to “evolve the Java language so that students can write their first programs without needing to understand language features designed for large programs.” This JEP moves forward the September 2022 blog post, Paving the on-ramp, by Brian Goetz, Java language architect at Oracle. Gavin Bierman, consulting member of technical staff at Oracle, has published the first draft of the specification document for review by the Java community. More details on JEP 445 may be found in this InfoQ news story. The review is expected to conclude on November 28, 2023.

JEP 457, Class-File API (Preview), has been promoted from Candidate to Proposed to Target for JDK 22. This JEP proposes to provide an API for parsing, generating, and transforming Java class files. This will initially serve as an internal replacement for ASM, the Java bytecode manipulation and analysis framework, in the JDK with plans to have it opened as a public API. Brian Goetz, Java language architect at Oracle, characterized ASM as “an old codebase with plenty of legacy baggage” and provided background information on how this draft will evolve and ultimately replace ASM. The review is expected to conclude on November 28, 2023.

JEP 447, Statements before super(…) (Preview), has been promoted from Candidate to Proposed to Target for JDK 22. This JEP, under the auspices of Project Amber, proposes to: allow statements that do not reference an instance being created to appear before the this() or super() calls in a constructor; and preserve existing safety and initialization guarantees for constructors. Gavin Bierman, consulting member of technical staff at Oracle, has provided an initial specification of this JEP for the Java community to review and provide feedback. The review is expected to conclude on November 22, 2023.

JEP 423, Region Pinning for G1, has been promoted from Candidate to Proposed to Target for JDK 22. This JEP proposes to reduce GC latency by implementing region pinning to the G1 garbage collector. This will extend G1 so that arbitrary regions may be pinned during both major and minor collection operations so that disabling the garbage collection process may be avoided while implementing JNI critical regions. The review is expected to conclude on November 28, 2023.

JDK 22

Build 24 of the JDK 22 early-access builds was made available this past week featuring updates from Build 23 that include fixes to various issues. Further details on this build may be found in the release notes.

For JDK 22, developers are encouraged to report bugs via the Java Bug Database.

Spring Framework

The release of Spring Framework 6.1.0 delivers bug fixes, improvements in documentation, dependency upgrades and new features such as: introduce way to convert the response body to a desired type using message converters from the ClientHttpResponse interface; improved support for method validation for errors on elements within a container; and support for pattern matching on method names in ControlFlowPointcut class. More details on this release may be found in the release notes and What’s New page.

Similarly, versions 6.0.14 and 5.3.31 of Spring Framework have been released featuring bug fixes, improvements in documentation, dependency upgrades and new features such as: Log4jLog inner class, defined in LogAdapter class, needs to re-resolve the Log4j ExtendedLogger interface on deserialization for compatibility with Log4j 2.21; an optimization of the StandardTypeLocator class for hotspot when the same classes are resolved; and enhancements to setting properties in the ProblemDetail class. More details on these releases may be found in the release notes for version 6.0.14 and version 5.3.31.

The release of Spring Data 2023.1.0, codenamed Vaughn, ships with: compatibility with JDK 21; use of virtual threads through configuration of the Java Executor interface; support for Kotlin inline value classes; and exploration on optimizations for Checkpoint/Restore (CRaC); single query loading for Spring Data JDBC; and a migration of documentation to Antora. More details on this release may be found in the release notes.

Similarly, versions 2023.0.6, 2022.0.12 and 2021.2.18, all service releases of Spring Data, feature bug fixes and respective dependency upgrades to sub-projects such as: Spring Data Commons 3.1.6, 3.0.12 and 2.7.18; Spring Data MongoDB 4.1.6, 4.0.12 and 3.4.18; Spring Data Elasticsearch 5.1.6, 5.0.12 and 4.4.18; and Spring Data Neo4j 7.1.6, 7.0.12 and 6.3.18. These versions can be consumed by the upcoming releases of Spring Boot 3.1.6, 3.0.13 and 2.7.18, respectively.

Payara

Payara has released their November 2023 edition of the Payara Platform that includes Community Edition 6.2023.11, Enterprise Edition 6.8.0 and Enterprise Edition 5.57.0 featuring: bug fixes; a dependency upgrade to Maven Bundle Plugin 5.1.9; and a security fix for CVE-2023-41699, a URL Redirection to Untrusted Site vulnerability in Payara Platform Payara Server, Micro and Embedded that allows redirect access to libraries.

New features include: a new --warmup command line parameter, in conjunction with the asadmin command, start-domain, to stop the server after bootstrapping; and the addition of individual timeout options for all the Payara Server Management asadmin commands.

With these releases, Payara also introduced Payara Starter, a source code generator to create new Payara Server or Payara Micro projects.

More details on these versions may be found in the release notes for Community Edition 6.2023.11 and Enterprise Edition 6.8.0 and Enterprise Edition 5.57.0.

Open Liberty

IBM has released version 23.0.0.11 of Open Liberty featuring new vendor metrics for MicroProfile Metrics 5.0, 4.0 and 3.0 that can be directly added to dashboards of various monitoring tools without additional computation. These new metrics are: Process CPU Utilization Percent; Heap Utilization Percent; GC Time per Cycle; Connection Pool in Use Time per Used Connection; Connection Pool Wait Time per Queued Request; Servlet Elapsed Time per Request; and REST Elapsed Time per Request.

Other new features include: a resolution for CVE-2023-46158, a vulnerability in IBM WebSphere Application Server Liberty 23.0.0.9 through 23.0.0.10 that could provide weaker than expected security due to improper resource expiration handling; and the ability to include all server configuration files in server.xml using the include element that eliminates the previous requirement in which they needed to be individually specified.

Micronaut

The Micronaut Foundation has released version 4.2.0 of the Micronaut Framework featuring Micronaut Core 4.2.0 with enhancements to their Kotlin Symbol Processing and dependency upgrades to Kotlin 1.9.20 and Netty 4.1.101. JDK 21 has been added to the list of available JDK versions in Micronaut Launch and support for the Gradle Kotlin DSL. More details on this release may be found in the release notes.

Grails

The Grails Foundation has released version 6.1.0 of the Grails Framework featuring bug fixes, improvements in documentation, dependency upgrades and notable changes such as: an upgrade to SnakeYAML 2.2 to mitigate CVE-2022-1471, a vulnerability in which the deserialization of types using the SnakeYAML Constructor() class will allow an attacker to initiate a malicious remote code execution; and a decoupling of the Sitemesh Plugin for improved flexibility. More details on this release may be found in the release notes.

Quarkus

The release of Quarkus 3.5.2 ships with bug fixes, improvements in documentation and notable changes such as: a resolution to mitigate CVE-2023-21971, a vulnerability that allows an attacker, with network access via multiple protocols, to compromise MySQL Connectors that may result in unauthorized ability to cause a hang or frequently repeatable denial-of-service of MySQL Connectors as well as unauthorized update, insert or delete access to some of MySQL Connectors accessible data; disable the Http2RSTFloodProtectionTest and CustomManifestArgumentsTest classes on Windows OS due to instability from the tests creating many streams in a single connection; and avoid using the JUnit @TempDir annotation in the RestClientCDIDelegateBuilderTest class due to continuous integration issues in Windows OS. More details on this release may be found in the changelog.

Apache Software Foundation

Versions 11.0.0-M14, 10.1.16, 9.0.83 and 8.5.96 of Apache Tomcat all feature bug fixes and notable changes such as: ensure that an IOException during the reading of a request always triggers error handling, regardless of whether the application consumes the exception; a fix for a Tomcat Connector that refused new connections or caused the JVM to crash upon reloading the Transport Layer Security (TLS) configuration via the TLSCertificateReloadListener class; and the StatusManagerServlet class can now output statistics in JSON format.

For version 11.0.0-M14, integration with OpenSSL will use the Foreign Function & Memory API API rather than Tomcat Native. OpenSSL support may be enabled by adding the OpenSSLLifecycleListener class on the Server element when using Java 22 or later. More details on these releases may be found in the changelogs for version 11.0.0-M14, version 10.1.16, version 9.0.83 and version 8.5.96.

The release of Apache Camel 4.2.0 delivers bug fixes, dependency upgrades and new features/improvements such as: support for OAuth 2.0 (Camel HTTP component); support for Spring bean autowiring using the @Primary annotation (Camel Spring component); and the ability to use the old Micrometer meter names or follow the new Micrometer naming conventions (Camel Micrometer component). More details on this release may be found in the release notes.

Eclipse Foundation

The release of Eclipse Vert.x 4.5.0 provides new feature such as: support for JDK 21 and virtual threads; the creation of dynamic SQL connections; the ability to up­date TCP client/server SSL op­tions at run­time for cer­tifi­cate ro­ta­tion; and implementation of the Builder Pattern for connecting to HTTP clients and SQL connection pools. More details on this release may be found in the release notes and deprecations and breaking changes.

The release of Mojarra 4.0.5, the compatible implementation of the Jakarta Faces specification, ships with notable changes such as: Move reinitialization of Weld from ConfigureListener class back into it original FacesInitializer class due to exception issues; a fix for a mismatch between the specification and implementation on the use of the constant field, "jakarta.faces.WEBAPP_CONTRACTS_DIRECTORY" defined as WEBAPP_CONTRACTS_DIRECTORY_PARAM_NAME in the ResourceHandler class; and a new ExceptionHandler class added to the getExceptionHandler() method defined in the InitFacesContext class to resolve an UnsupportedOperationException. More details on this release may be found in the release notes.

Micrometer

Versions 1.12.0, 1.11.6, 1.10.13 and 1.9.17 of Micrometer Metrics all deliver bug fixes, improvements in documentation, dependency upgrades and new features in version 1.12.0 such as: support for Generational ZGC; support for Jetty 12 in the JettyConnectionMetrics class; and a new JmsInstrumentation class to add observability for the Jakarta Messaging specification; More details on these releases may be found in the release notes for version 1.12.0, version 1.11.6, version 1.10.13 and version 1.9.17.

Similarly, versions 1.2.0, 1.1.7 and 1.0.12 of Micrometer Tracing all deliver dependency upgrades and new features in version 1.2.0 such as: make the SpanTagAnnotationHandler class optional such that it will match with the TimedAspect class for frameworks to more easily configure it; a new getDuration() method defined in the FinishedSpan interface; and deprecate HTTP instrumentation abstractions for removal due to a decision to not provide abstractions over transports in all instrumentation projects. More details on these releases may be found in the release notes for version 1.2.0, version 1.1.7 and version 1.0.12.

Project Reactor

The release of Project Reactor 2023.0.0 provides dependency upgrades to reactor-core 3.6.0, reactor-netty 1.1.13, reactor-kafka 1.3.22, reactor-pool 1.0.3, reactor-addons 3.5.1 and reactor-kotlin-extensions 1.2.2. More details on this release may be found in the changelog.

Similarly, Project Reactor 2022.0.13, the thirteenth maintenance release, provides dependency upgrades to reactor-core 3.5.12, reactor-netty 1.1.13 and reactor-kafka 1.3.22. There was also a realignment to version 2022.0.13 with the reactor-pool 1.0.3, reactor-addons 3.5.1 and reactor-kotlin-extensions 1.2.2 artifacts that remain unchanged. More details on this release may be found in the changelog.

Piranha

The release of Piranha 23.11.0 delivers notable changes such as: support for JDK 21; support for Coordinated Restore at Checkpoint (CRaC) to the Piranha Core Profile; and a removal of the Maintainability, Lines of Code, Code Coverage and Code Smells badges. More details on this release may be found in their documentation and issue tracker.

JDKMon

Versions 17.0.85 and 17.0.83 of JDKMon, a tool that monitors and updates installed JDKs, has been made available this past week. Created by Gerrit Grunwald, principal engineer at Azul, these new versions provide new features: support for GraalVM for National Vulnerability Database (NVD) scans related to the JDK; a new search field for discovering OpenJDK JEPs, JSRs and Java projects; and support for Common Vulnerability Scoring System (CVSS) 4.0 and NVD API 2.0.

JobRunr

Version 6.3.3 of JobRunr, a library for background processing in Java that is distributed and backed by persistent storage, has been released featuring: a separate build time and runtime configuration for Quarkus; and a fix for JobRunr accepting the synthetic classes provided by the Quarkus ClientProxy interface instead of the original proxy name that result in beans that are not found. More details on this release may be found in the release notes.

JHipster Lite

Version 0.48.0 of JHipster Lite has been released featuring bug fixes, dependency upgrades and new features/enhancements such as: a minimal JDK 21 for the JHipster Lite engine; a new license module to build multiple instances of the JHipsterModule class; and the addition of name and description attributes to the @BusinessContext and @SharedKernel annotations for better documenting contexts and the ability to generate living documentation. More details on this release may be found in the release notes.

Testcontainers for Java

Testcontainers for Java 1.19.2 has been released with notable changes such as: enable HTTP and HTTPS on native for the HttpWaitStrategy class; a new shutdown hook to send a SIGTERM to Moby Ryuk to shutdown sooner than the current default of 10 seconds; and support for the Elasticsearch image from DockerHub.

Arquillian

The release of Arquillian 1.8.0.Final delivers notable changes such as: elimination of a file leak in the RemoteExtensionLoader class; a dependency upgrade to Jetty 9.4.51.v20230217 to resolve the Jetty 8.1.2.v20120308 bypass vulnerability; and a replacement of deprecated JUnit and Arquillian constructors and methods.

Gradle

The third release candidate and second release candidate of Gradle 8.5 deliver continuous improvements on new features such as: full support for compiling, testing and running on JDK 21; improvements in the Kotlin DSL that include faster first use and version catalog support in precompiled Kotlin script plugins; and improved reporting of errors and warnings. More details on these releases may be found in the release notes for version 8.5-RC3 and version 8.5-RC2.

Article originally posted on InfoQ. Visit InfoQ

This week’s Java roundup for November 6th, 2023 features news from OpenJDK, JDK 22, Spring Shell 3.2.0-M3, 3.1.5, 3.0.9 and 2.1.14, Quarkus 3.5.1 and 3.2.8, Apache Camel 3.14.10, Apache Camel Quarkus 3.2.2, JDKMon 17.0.81, Arquillian 1.7.2.Final, Gradle 8.5.0-RC1 and J-Fall 2023.

OpenJDK

After its review has concluded, JEP 460, Vector API (Seventh Incubator), has been promoted from Proposed to Target to Targeted for JDK 22. This JEP, under the auspices of Project Panama, incorporates enhancements in response to feedback from the previous six rounds of incubation: JEP 448, Vector API (Sixth Incubator), delivered in JDK 21; JEP 438, Vector API (Fifth Incubator), delivered in JDK 20; JEP 426, Vector API (Fourth Incubator), delivered in JDK 19; JEP 417, Vector API (Third Incubator), delivered in JDK 18; JEP 414, Vector API (Second Incubator), delivered in JDK 17; and JEP 338, Vector API (Incubator), delivered as an incubator module in JDK 16. The most significant change from JEP 448 includes an enhancement to the JVM Compiler Interface (JVMCI) to support Vector API values.

JEP 459: String Templates (Second Preview), has been promoted from Candidate to Proposed to Target for JDK 22. This JEP provides a second preview from the first round of preview: JEP 430, String Templates (Preview), delivered in JDK 21. This feature enhances the Java programming language with string templates, string literals containing embedded expressions, that are interpreted at runtime where the embedded expressions are evaluated and verified. More details on JEP 430 may be found in this InfoQ news story. The review is expected to conclude on November 15, 2023.

Gavin Bierman, consulting member of technical staff at Oracle, has published a draft specification for JEP 463, Implicit Classes and Instance Main Methods (Second Preview), for review by the Java community.

JDK 22

Build 23 of the JDK 22 early-access builds was made available this past week featuring updates from Build 22 that include fixes to various issues. Further details on this build may be found in the release notes.

For JDK 22, developers are encouraged to report bugs via the Java Bug Database.

Spring Framework

Versions 3.2.0-M3, 3.1.5, 3.0.9 and 2.1.14 of Spring Shell have been released featuring notable changes such as: an upgrade to JLine 3.24.1 to resolve an issue in which stdout is redirected to stderr on non-interactive mode; improvements in the Terminal UI, especially the ability to autoconfigure; and resolve an issue in which tab completion may fail with lazy initialization. These versions build on Spring Boot 3.1.0-RC2, 3.1.5, 3.0.12 and 2.7.17, respectively. More details on these releases may be found in the release notes for version 3.2.0-M3, version 3.1.5, version 3.0.9 and version 2.1.14.

Quakrus

The release of Quarkus 3.5.1 delivers notable changes such as: a fix in the OIDC scope to permission mapping when the scope is empty; improved error messaging and documentation in the Keycloak DevService; and a temporary disabling of the VertxMDCTest class on the Windows OS due to instability. More details on this release may be found in the changelog.

Similarly, the release of Quarkus 3.2.8 ships with notable changes such as: a fix for the propagateToken() method defined in the AccessTokenRequestReactiveFilter class that duplicated the authorization header with the bearer scheme; the afterEach() method defined in the QuarkusSecurityTestExtension class should not call the current() method defined in the CDI class when not annotated with @TestSecurity; and a fix for a NullPointerException resulting from use of the ForwardedProxyHandler class that allowed a null value when no record was found. More details on this release may be found in the changelog.

Both releases address CVE-2023-5720, an exposure in which an attacker can access potentially sensitive information from a build system with an application due to a flaw found in Quarkus where it does not properly sanitize artifacts created using the Gradle plugin. This can allow certain build system information to remain.

Apache Software Foundation

The release of Apache Camel 3.14.10 features bug fixes, dependency upgrades and improvements: change directory permissions within the SFTP component option, chmodDirectory; and collection of authorization data within the Meter Registry component. More details on this release may be found in the release notes.

In maintaining alignment with Quarkus, Camel Quarkus 3.2.2 has been released with no documented big fixes, dependency upgrades or improvements. More details on this release may be found in the release notes.

JDKMon

Version 17.0.81 of JDKMon, a tool that monitors and updates installed JDKs, has been made available this past week. Created by Gerrit Grunwald, principal engineer at Azul, this new version provides dependency upgrades, a build upgrade to Gradle 8.4, and new features: the ability to select a JEP, JSR or OpenJDK project from a list and open that selection in a default browser; and a tooltip of the JDK distribution will now also display the number of modules and size on disk.

Arquillian

The release of Arquillian 1.7.2.Final delivers a fix for failure of a parameterized test that was reported as having passed despite having failed. More details on this release may be found in the list of issues.

Gradle

The first release candidate of Gradle 8.5.0 ships with: full support for compiling, testing and running on JDK 21; improvements in the Kotlin DSL that include faster first use and version catalog support in precompiled Kotlin script plugins; and improved reporting of errors and warnings. More details on this release may be found in the release notes.

J-Fall 2023

The 2023 J-Fall conference, celebrating its 20th year, was held at the Pathé Ede in Ede, Netherlands this past week featuring speakers from the Java community who delivered pre-conference workshops, keynote addresses, 50-minute sessions and lightning talks from this conference agenda. A detailed report on J-Fall 2023 may be found in this blog post by Ivar Grimstad, Jakarta EE Developer Advocate at the Eclipse Foundation.

Article originally posted on InfoQ. Visit InfoQ

This week’s Java roundup for October 30th, 2023 features news from OpenJDK, JDK 22, GlassFish 7.0.10, Spring Boot 3.2-RC2, Spring Cloud 2023.0-RC1, Spring Cloud Stream Applications 2022.0, Spring Statemachine 4.0-M1, Spring Tools 4.20.1, Open Liberty 23.0.11-beta, Micronaut 4.1.6, Grails 6.1, TomEE 8.0.16, Infinispan 14.0.20, JHipster 8.0, JHipster Lite 0.47, JReleaser 1.9 and Kotlin 1.9.20.

OpenJDK

JEP 463, Implicit Classes and Instance Main Methods (Second Preview), has been promoted from its JEP Draft 8315398 to Candidate status. Formerly known as Unnamed Classes and Instance Main Methods (Preview), Flexible Main Methods and Anonymous Main Classes (Preview) and Implicit Classes and Enhanced Main Methods (Preview), this JEP incorporates enhancements in response to feedback from the previous round of preview, namely JEP 445, Unnamed Classes and Instance Main Methods (Preview). This JEP proposes to “evolve the Java language so that students can write their first programs without needing to understand language features designed for large programs.” This JEP moves forward the September 2022 blog post, Paving the on-ramp, by Brian Goetz, Java language architect at Oracle. Gavin Bierman, consulting member of technical staff at Oracle, has published the first draft of the specification document for review by the Java community. More details on JEP 445 may be found in this InfoQ news story.

JDK 22

Build 22 of the JDK 22 early-access builds was made available this past week featuring updates from Build 21 that include fixes to various issues. Further details on this build may be found in the release notes.

For JDK 22, developers are encouraged to report bugs via the Java Bug Database.

Eclipse GlassFish

Eclipse GlassFish 7.0.10, the tenth maintenance release, features bug fixes, dependency upgrades and notable changes such as: an improvement in reproducible builds; a refactor and cleanup of login modules; and replace the deprecated newInstance() method defined in the XMLInputFactory class with the newFactory() method. More details on this release may be found in the release notes.

Spring Framework

The second release candidate of Spring Boot 3.2.0 delivers bug fixes, improvements in documentation, dependency upgrades and new features such as: introduce the PemSslStore interface as an alternative to PemSslStoreDetails record because the latter does not provide a way to work with Certificates and PrivateKeys that have already been parsed from PEM content; a new PemContent class that provides a way for the auto-configured code to parse certificates; and allow the alias and password to be configured on a per-PEM store basis. Further details on this release may be found in the release notes.

The first release candidate of Spring Cloud 2023.0.0, codenamed Leyton, ships with bug fixes and release candidate upgrades to sub-projects such as: Spring Cloud Commons 4.1.0-RC1; Spring Cloud Starter Build 2023.0.0-RC1; and Spring Cloud Kubernetes 3.1.0-RC1. More details on this release may be found in the release notes.

Version 2022.0.0 of Spring Cloud Stream Applications has been released featuring big fixes and notable changes such as: a revision configuration of the HttpRequestFunctionConfiguration class to use Spring Framework WebClient.Builder interface; a new JsonBytesToMap class as a part of a payload-converter-function module which is auto-discovered by the Spring Cloud Function scanning algorithm; and apply the ComponentCustomizer in other modules as part of a fix to remove auto-configuration. Further details on this release may be found in the release notes.

The second release candidate of Spring Modulith 1.1.0 ships with a dependency upgrade to Spring Boot 3.2.0-RC2, a new feature that supports event externalization into AWS Simple Notification Service (SNS) and Simple Queue Service (SQS), and notable improvements such as: register parameter types of methods annotated with @TransactionalEventListener for reflection; allow the explicit declaration of an identifier in the @ApplicationModuleListener annotation; and reinstantiate general compatibility with Spring Boot 3.1 and Framework 6.0 to fall back to reflective invocation of the application event listener if working with Spring Framework 6.2. This also allows projects to upgrade to Spring Modulith 1.1 without necessarily upgrading to Spring Boot 3.2. More details on this release may be found in the release notes.

The first milestone release of Spring Statemachine 4.0.0 features a dependency upgrade to Spring Boot 3.1.5 and initial support for the Spring Boot 3.1 release train. Further details on this release may be found in the release notes.

The release of Spring Tools 4.20.1 for Eclipse, Visual Studio Code and Theia ships with notable changes such as: early access builds available for the upcoming release of Eclipse 2023-12; various performance optimizations around scanning symbols and Java reconciling; and significant improvement in completions for Spring Boot properties. More details on this release may be found in the release notes.

Open Liberty

IBM has released version 23.0.0.11-beta of Open Liberty featuring new vendor metrics for MicroProfile Metrics 5.0 that can be directly added to dashboards of various monitoring tools without additional computation. These new metrics are: Process CPU Utilization Percent; Heap Utilization Percent; GC Time per Cycle; Connection Pool in Use Time per Used Connection; Connection Pool Wait Time per Queued Request; Servlet Elapsed Time per Request; and REST Elapsed Time per Request. There were also new capabilities for MicroProfile Reactive Messaging 3.0 and MicroProfile Stream Operators 3.0 that include support for negative acknowledgements.

Micronaut

The Micronaut Foundation has released version 4.1.6 of the Micronaut Framework featuring Micronaut Core 4.1.11 and updates to modules: Micronaut Core, Micronaut Picocli Configuration, Micronaut MQTT and Micronaut Reactor. Further details on this release may be found in the release notes.

Grails

The Grails Foundation has released version 6.1.0 of the Grails Framework providing bug fixes, dependency upgrades and notable changes such as: convert the org.grails:grails-web-sitemesh dependency as optional in the build.gradle file due to the GroovyPageLayoutFinder class being tightly coupled with the ResponseRenderer trait; update the groovy-joint-workflow.yml file to adjust for the sunsetting of Sonatype Lift; and update the GitHub actions/checkout property to Checkout V4 in various YAML files. More details on this release may be found in the release notes.

TomEE

The release of Apache TomEE 8.0.16 primarily addresses several CVEs, namely: CVE-2023-33201, LDAP injection vulnerability in Bouncy Castle; CVE-2023-35116, cyclic dependencies in Jackson; CVE-2023-34981, information leak in Apache TomEE; and CVE-2023-44483, private key exposure in Apache Santuario. This release also includes bug fixes, dependency upgrades related to the CVEs, and an improvement in support in the JMX console to extract parameters via reflection. Further details on this release may be found in the release notes.

Infinispan

Version 14.0.20.Final of Infinispan has been released with notable changes such as: support for JDK 21; elimination of JMX registration conflicts by adding the @DirtiesContext annotation on Spring tests to force stopping cache manager; and add wait times in the testRequestsReceived() and other methods defined in the XSiteMBeanTest class to eliminate the random failures due to the method not waiting for the sender to update its statistics. More details on this release may be found in the list of issues.

JHipster

Two and a half years since the release of JHipster 7.0.0, the release of JHipster 8.0.0 delivers notable changes such as: fix the user search API to follow new standards that avoids repeating the entity’s name on each endpoint; call async methods via an injected dependency instead of directly via the this keyword; and improved support for Blueprints. Further details on this release may be found in the release notes.

Version 0.47.0 of JHipster Lite has been released featuring bug fixes, improvements in documentation, dependency upgrades and enhancements such as: support for YAML for Spring configuration; increase the height in the Tikui display to avoid scroll bar from appearing; and display the current version number in the navigation bar. More details on this release may be found in the release notes.

JReleaser

Version 1.9.0 of JReleaser, a Java utility that streamlines creating project releases, has been released to deliver bug fixes, improvements in documentation and notable changes such as: update the GitHub actions/checkout property to Checkout V4 in various YAML files; a new a f_file_exists template function that corresponds to a nested class, FileExistsFunction, defined in the DefaultMustacheExtensionPoint class, for improved generation of release notes; and a missing template option bindings to jlink that resolved the creation of a non-working launcher script. Further details on this release may be found in the release notes.

Kotlin

The release of Kotlin 1.9.20 featuring: the K2 compiler for all the targets is now in Beta; Kotlin Multiplatform is now stable and production-ready; performance improvements for the garbage collector in Kotlin/Native; full support for the Gradle configuration cache in Kotlin Multiplatform; and a new default hierarchy template for establishing multi-platform projects. More details on this release may be found in the release notes and this detailed InfoQ news story.

Article originally posted on InfoQ. Visit InfoQ

This week’s Java roundup for October 23rd, 2023 features news from OpenJDK, JDK 22, Jakarta Data 1.0-M1, GraalVM 21.0.1, Spring 6.1-RC2, Spring Modulith 1.1-RC1, Spring Vault 3.1-RC1, Helidon 4.0, Eclipse Serializer 1.0, Quarkus 3.5, Liberica NIK 22.3.4, Hibernate ORM 6.4-CR1, Hibernate Search 7.0-CR1, Maven 4.0.0-alpha8, Camel 4.0.2, Camel Quarkus 3.5, JHipster Lite 0.46 and JDKMonitor.

OpenJDK

After its review has concluded, JEP 456, Unnamed Variables & Patterns, has been promoted from Proposed to Target to Targeted for JDK 22. This JEP proposes to finalize this feature after one previous round of preview: JEP 443, Unnamed Patterns and Variables (Preview), delivered in JDK 21. This feature will “enhance the language with unnamed patterns, which match a record component without stating the component’s name or type, and unnamed variables, which can be initialized but not used.” Both of these are denoted by the underscore character as in r instanceof _(int x, int y) and r instanceof _.

JEP 460, Vector API (Seventh Incubator), has been promoted from Candidate to Proposed to Target for JDK 22. This JEP, under the auspices of Project Panama, incorporates enhancements in response to feedback from the previous six rounds of incubation: JEP 448, Vector API (Sixth Incubator), to be delivered in the upcoming GA release of JDK 21; JEP 438, Vector API (Fifth Incubator), delivered in JDK 20; JEP 426, Vector API (Fourth Incubator), delivered in JDK 19; JEP 417, Vector API (Third Incubator), delivered in JDK 18; JEP 414, Vector API (Second Incubator), delivered in JDK 17; and JEP 338, Vector API (Incubator), delivered as an incubator module in JDK 16. The most significant change from JEP 448 includes an enhancement to the JVM Compiler Interface (JVMCI) to support Vector API values. The review is expected to conclude on November 3, 2023.

JEP 462, Structured Concurrency (Second Preview), has been promoted from its JEP Draft 8317302 to Candidate status. This JEP will propose to re-preview the API in JDK 22, without change, in order to gain more feedback from the previous round of preview: JEP 453, Structured Concurrency (Preview), delivered in JDK 21. This feature simplifies concurrent programming by introducing structured concurrency to “treat groups of related tasks running in different threads as a single unit of work, thereby streamlining error handling and cancellation, improving reliability, and enhancing observability.”

JEP 461, Stream Gatherers (Preview), has been promoted from its JEP Draft 8317955 to Candidate status. This JEP proposes to enhance the Stream API to support custom intermediate operations. “This will allow stream pipelines to transform data in ways that are not easily achievable with the existing built-in intermediate operations.” More details on this JEP may be found in the original design document written by Viktor Klang, Software Architect, Java Platform Group at Oracle.

JDK 22

Build 21 of the JDK 22 early-access builds was made available this past week featuring updates from Build 20 that include fixes to various issues. Further details on this build may be found in the release notes.

For JDK 22, developers are encouraged to report bugs via the Java Bug Database.

Jakarta Data

The first milestone release of Jakarta Data 1.0.0 provides: a new BasicRepository interface for performing basic operations on entities; new insert() and update() methods in CrudRepository interface to extend the capabilities of basic operations on entities, including insert and update operations; and new annotations, Insert, Update, Delete and Save, for CRUD operations. More details on this release may be found in the release notes.

GraalVM

Oracle Labs has released GraalVM for JDK 21 Community 21.0.1 featuring fixes based on the Oracle Critical Patch Update for October 2023 These include: a new CEntryPointErrors class to return errors if the stack boundaries cannot be determined; the process crashing when uncommitting unused memory; and an occasional crash using the ProcessBuilder class on macOS. Further details on this release may be found in the release notes.

Spring Framework

The second release candidate of Spring Framework 6.1 delivers bug fixes, improvements in documentation, dependency upgrades and new features such as: support for ContextLoader configuration in the @SpringJUnitConfig and @SpringJUnitWebConfig annotations for compatibility with the @ContextConfiguration annotation; improve the extensibility of the ControlFlowPointcut class to support pattern matching in method names; and a new annotation, DisabledInAotMode, in the TestContext interface to skip AOT processing. More details on this release may be found in the release notes.

The first release candidate of Spring Modulith 1.1.0 and service release 1.0.2 ship with bug fixes, dependency upgrades and improvements such as: drop support of the memoize() method in the Google Suppliers class in favor of the of() method in the Spring SingletonSupplier class; and add a mission statement to reference documentation. New features in version 1.1.0-RC1 include: create a corresponding @ApplicationModuleListener annotation to be defined in the org.springframework.modulith.events package from its original org.springframework.modulith package and mark the original annotation as deprecated; and a refactor of the @Modulith annotation to define a Spring Boot application that follows the Modulith structuring conventions. Further details on this release may be found in the release notes for version 1.1.0-RC1 and version 1.0.2.

The first release candidate of Spring Vault 3.1.0 features improvements in documentation, dependency upgrades and new features: support for role_name and entity_alias token parameters in the VaultTokenRequest class; support for the prehashed property for the Transit Secrets Engine API; add rewrap() methods to the VaultTransitOperations interface and VaultTransitTemplate class for improved rewrap of the provided batch of cipher text using the latest version of the named key. More details on this release may be found in the release notes.

Helidon

Just over one year since Helidon 4.0.0-ALPHA1 was introduced to the Java community, Oracle has released version 4.0.0 of Helidon featuring the new Helidon Níma server, support for MicroProfile 6.0; and a shift from asynchronous to blocking APIs. The Helidon Níma server was designed and built from the ground up to fully harness the capabilities of virtual threads, one of the final features of JDK 21. Further details on this release may be found in the release notes and InfoQ will follow up with a more detailed news story.

Service releases 3.2.3 and 2.6.4 of Helidon both ship with notable changes such as: the tarketKeys variable defined in the HttpSignProvider class now returns an instance of the Java ConcurrentHashMap class over the previously used HashMap class; the max-payload-size property is now parsed as of type Long to align with Helidon 4.0 and to eliminate the IllegalArgumentException when the value is greater than Integer.MAX_VALUE; and add zero-argument non-private constructors to the NonTransactionalEntityManager and ExtendedEntityManager classes. More details on these releases may be found in the changelogs for version 3.2.3 and version 2.6.4.

Eclipse Serializer

The Eclipse Foundation has released version 1.0 of Eclipse Serializer, a project designed to handle any Java object, with complex object structure, and highly secure. Formerly known as MicroStream Serializer, this project enables developers to serialize any Java object, but unlike traditional Java serialization, there is no need to implement the Serializeable interface, and no specific interfaces, superclasses or annotations are required.

Quarkus

Red Hat has released version 3.5.0 of Quarkus 3.5.0 featuring bug fixes, improvements in documentation and performance, and notable changes such as: support for JDK 21; enhancements in OIDC token propagation filters to customize the exchange status and provide the client name; and allow the parallel execution of blocking health checks. Further details on this release may be found in the changelog.

BellSoft

BellSoft has released versions 22.3.4, 23.0.2, 23.1.1 for JDK 11.0.10, 17.0.9, and 21.0.1 of their Liberica Native Image Kit builds as part of aforementioned Critical Patch Update release cycle to address: CVE-2023-22025, a vulnerability that allows an unauthenticated attacker, with network access via multiple protocols, to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition and Oracle GraalVM for JDK resulting in unauthorized update, insert or delete access to accessible data; CVE-2023-22067, a vulnerability that allows an unauthenticated attacker, with network access via CORBA, to compromise Oracle Java SE resulting in unauthorized update, insert or delete access to some of Oracle Java SE accessible data; and CVE-2023-22081, a vulnerability that allows unauthenticated attacker, with network access via HTTPS, to compromise Oracle Java SE and Oracle GraalVM for JDK resulting in an unauthorized ability to cause a partial denial of service of Oracle Java SE, Oracle GraalVM for JDK.

Hibernate

The first release candidate of Hibernate ORM 6.4.0 delivers: a new @SoftDelete annotation to support soft deletes, values as deleted/non-deleted versus active/inactive (reversed); implementation of the remaining functions for handling arrays in HQL and Criteria queries; and support for writing Hibernate-specific events in the JDK Flight Recorder.

The first release candidate of Hibernate Search 7.0.0 features: bug fixes; compatibility with the Hibernate ORM discriminator-based multi-tenancy, Elasticsearch 8.10 and OpenSearch 2.10/2.11; dependency upgrades to Hibernate ORM 6.3.1.Final and Apache Lucene 9.8; and rename of some Maven artifact related to JSR-352, Batch Applications for the Java Platform, to reflect the move to the Jakarta Batch specification.

Apache Software Foundation

The eighth alpha release of Apache Maven 4.0.0 provides notable changes such as: drop support for Plexus XML in favor of StAX/Woodstox for XML parsing; a new 4.1.0 POM model for future releases of Maven; and attach the build POM with a build classifier to simplify the build/consumer implementation. More details on this release may be found in the release notes.

The release of Apache Camel 4.0.2 ships with bug fixes, dependency upgrades and new features/improvements such as: introduce the ability to use the old Micrometer meter names or follow the new Micrometer naming conventions; support for subfolders in the Dev console for uploading; and an optimization of the matchEndpoint() method defined in the EndpointHelper class to avoid regular expressions for endpoints. Further details on this release may be found in the release notes.

To maintain alignment with Quarkus, Camel Quarkus 3.5.0 has been released with notable resolutions to issues such as: a failure in the CamelOracleJdbcTest class due to timezone information not having been initialized; the Kafka container fails to start when configured for SSL; and an UnsupportedOperationException with the FastCamelContext class. More details on this release may be found in the release notes.

JHipster

Version 0.46.0 of JHipster Lite has been released featuring improvements in documentation, dependency upgrades and enhancements: use more universal shebang for scripts to fix compatibility with NixOS; and add interactions, such as hover and selection, to match the current state in the Landscape MiniMap. Further details on this release may be found in the release notes.

JDKMonitor

At Devoxx Morocco, Gerrit Grunwald, Principal Engineer at Azul, introduced a new macOS widget for the desktop that displays the number of days until the next release/update of OpenJDK. The widget also includes functionality to display the latest version of the last four long-term support releases with the ability to download them either as a JDK or JRE with an option to bundle with JavaFX. This widget requires macOS Sonoma and can be downloaded from the App Store.

Article originally posted on InfoQ. Visit InfoQ

This week’s Java roundup for October 16th, 2023 features news from OpenJDK, JDK 22, BellSoft, Oracle VS Code extension, WildFly 30, Payara Platform, MicroProfile 6.1, EclipseCon and releases for GraalVM Native Build Tools, Spring Boot, Spring Security, Spring Authorization Server, Spring Cloud Dataflow, Micronaut, Quarkus, Open Liberty, Apache TomEE, Apache Tomcat, JHipster and JHipster Lite.

OpenJDK

JEP 456, Unnamed Variables and Patterns, has been promoted from Candidate to Proposed to Target for JDK 22. This JEP proposes to finalize this feature after one previous round of preview: JEP 443, Unnamed Patterns and Variables (Preview), delivered in JDK 21. This feature will “enhance the language with unnamed patterns, which match a record component without stating the component’s name or type, and unnamed variables, which can be initialized but not used.” Both of these are denoted by the underscore character as in r instanceof _(int x, int y) and r instanceof _. The review is expected to conclude on October 26, 2023.

JDK 22

Build 20 of the JDK 22 early-access builds was made available this past week featuring updates from Build 19 that include fixes to various issues. More details on this build may be found in the release notes.

For JDK 22, developers are encouraged to report bugs via the Java Bug Database.

BellSoft

Concurrent with Oracle’s Critical Patch Update (CPU) for October 2023, BellSoft has released CPU patches for versions 21.0.0.0.1, 17.0.8.1.1, 11.0.20.1.1, 8u391, 7u401 and 6u401 of Liberica JDK, their downstream distribution of OpenJDK. In addition, Patch Set Update (PSU) versions 21.0.1, 17.0.9, 11.0.21 and 8u392, containing CPU and non-critical fixes, have also been released.

Oracle

Oracle has introduced their Oracle Java Platform Extension for Visual Studio Code that brings full-featured Java development (edit/compile/debug/test cycle) for Maven and Gradle projects to VSCode along with other features such as a project explorer, debugging and launch configurations, a JDK downloader and supported refactorings.

GraalVM

On the road to version 1.0, Oracle Labs has released version 0.9.28 of Native Build Tools, a GraalVM project consisting of plugins for interoperability with GraalVM Native Image. This latest release provides: revert to the previous version of the escapeArg() method defined in the NativeImageUtils class to fix issues with Windows path escaping; improve detection of major JDK versions; and a removal of the use of the deprecated Gradle JavaPluginConvention class and replace with the JavaPluginExtension class. More details on this release may be found in the changelog.

Spring Framework

The first release candidate of Spring Boot 3.2.0 provides bug fixes, improvements in documentation, dependency upgrades and new features such as: break the cycle between TransactionManagerCustomizers class and TransactionManager interface; auto-configure the HikariCheckpointRestoreLifecycle class for a user-defined instance of an HikariDataSource class; and support for adding a Gradle Provider interface in the buildInfo Gradle task. More details on this release may be found in the release notes.

Similarly, versions 3.1.5, 3.0.12 and 2.7.17 of Spring Boot have been released featuring bug fixes, improvements in documentation, dependency upgrades, and the most notable change: correcting the behavior of the spring.jms.listener.concurrency property in which the maximum number of users was set to the value of this property and the minimum number of consumers was always set to 1. This is in contrast with the documentation, and developers should set their desired maximum value in the spring.jms.listener.max-concurrency property. More details on these releases may be found in the release notes for version 3.1.5, version 3.0.12 and version 2.7.17.

The first and second release candidates of Spring Security 6.2.0 along with service releases 6.1.5, 6.0.8 and 5.8.8 all deliver bug fixes and dependency upgrades. New features in all of these versions are: document how to publish an AuthenticationManager @Bean without the now deprecated WebSecurityConfigurerAdapter class; and use of the Gradle Version Catalog for dependencies. New features in the release candidate include: Servlet Path support for the AuthorizeHttpRequestsConfigurer class; and allow instances of the AuthenticationConverter interface to be settable in the BasicAuthenticationFilter class. More details on this release may be found in the release notes for version 6.2.0-RC2, version 6.2.0-RC1, version 6.1.5, version 6.0.8 and version 5.8.8.

The first release candidate of Spring Authorization Server 1.2.0 ships with dependency upgrades and a new feature that adds a reusable default authentication failure handler class, OAuth2ErrorAuthenticationFailureHandler. More details on this release may be found in the release notes.

Similarly, versions 1.1.3, 1.0.4 and 0.4.4 of Spring Authorization Server have been released featuring minor bug fixes and dependency upgrades to respective versions of: Spring Boot 3.1.4, 3.0.11 and 2.7.16; Spring Security 6.1.5, 6.0.8 and 5.8.8; and Spring Framework 6.0.13, 6.0.13 and 5.3.30. More details on these releases may be found in the release notes for version 1.1.3, version 1.0.4 and version 0.4.4.

The release of Spring Cloud Dataflow 2.11.1 delivers notable changes such as: ensure that the Launch API in the TaskOperations interface is backwards compatible; add common security configuration modules to dependency management that fixed issues after creating a monorepo; and dependency upgrades to json-smart 2.4.11, Nimbus JOSE + JWT 9.31, snappy-java 1.1.10.4 and Apache Commons Compress 1.24.0 to address various CVEs. More details on this release may be found in the release notes.

WildFly

Red Hat has released version 30.0.0 of WildFly featuring: support for JDK 21 as WildFly 30 has passed the TCKs as a compatible implementation of the Jakarta EE Core Profile. This release also supports most of the MicroProfile 6.0 specifications, but cannot claim to be a compatible implementation as Red Hat does not support the MicroProfile Metrics specification. It is important to note that Red Hat recommends developers remain running their applications on JDK 17 and JDK 11 because they haven’t certified WildFly 30 on the Jakarta EE Platform and Jakarta EE Web Profile. Despite this, Red Hat says that “WildFly 30 is a great choice for evaluating how your applications run on SE 21.” More details on this release may be found in the release notes.

Payara

Payara has released their October 2023 edition of the Payara Platform that includes Community Edition 6.2023.10, Enterprise Edition 6.7.0 and Enterprise Edition 5.56.0 featuring: bug fixes; a dependency upgrade to the aforementioned json-smart 2.4.11 in the OIDC client to address CVE-2023-1370, a vulnerability a vulnerability in json-smart where parsing too many nested JSON structured arrays and objects, due to no defined limit, could cause a stack overflow and crash the software; and a new timeout option, --timeout, to the Payara domain commands such as start-domain and stop-domain. More details on these versions may be found in the release notes for Community Edition 6.2023.10 and Enterprise Edition 6.7.0 and Enterprise Edition 5.56.0.

MicroProfile

The MicroProfile Working Group has released version 6.1 of MicroProfile featuring updates to specifications: MicroProfile Config 3.1, MicroProfile Metrics 5.1 and MicroProfile Telemetry 1.1.

Notable changes in MicroProfile Config include: an update to the TCK to align with breaking changes in the Jakarta EE Contexts and Dependency Injection 4.0 specification that include an empty beans.xml file and change in bean discovery mode from all to annotated; and the MissingValueOnObserverMethodInjectionTest class, that asserts a DeploymentException, fails a different reason due to the the ConfigObserver bean being defined as @ApplicationScoped (proxyable) and final (not proxyable). More details on this release may be found in the release notes.

Notable changes in MicroProfile Metrics include: introduce MicroProfile Config properties that customize how Histogram and Timer metrics track and output statistics for percentiles and histogram-buckets; define the @RegistryScope annotation as a qualifier; and include a new recommendation for multi-application deployments to use the mp.metrics.defaultAppName property to eliminate the problems caused by the requirement to have consistent tag sets for multi-app application server implementations. More details on this release may be found in the release notes.

Notable changes in MicroProfile Telemetry 1.1 include: a clarification of which API classes must be available to users; an implementation of tests that is not timestamp dependent; and a clarification of the behavior of the Span and Baggage beans when the current span or baggage changes. More details on this release may be found in the release notes.

The initial compatible implementation for MicroProfile 6.1 is Open Liberty 23.0.0.10-beta.

Micronaut

The Micronaut Foundation has disclosed a vulnerability in the OAuth2 section of their Micronaut Security module. CVE-2023-36820, a vulnerability in which the IdTokenClaimsValidator class skips the audience claim validation if the token is issued by the same identity issuer/provider resulting in improper access control.

The foundation has also released version 4.1.5 of the Micronaut Framework featuring Micronaut Core 4.10.0 and updates to modules: Micronaut AWS, Micronaut RxJava 3, Micronaut Discovery Client, Micronaut Reactor, Micronaut Object Storage. There was also a dependency upgrade to Netty 4.1.100.Final. More details on this release may be found in the release notes.

Quarkus

Versions 3.2.7 and 2.16.12 of Quarkus primarily address several CVEs:

• CVE-2023-44487, a vulnerability in which Tomcat’s implementation of HTTP/2 was vulnerable to the rapid reset attack causing a denial of service that was typically manifested as an OutOfMemoryError.
• CVE-2023-39410, a vulnerability in Apache Avro that would allow an attacker to deserialize untrusted or corrupted data resulting in consuming memory beyond the allowed constraints and therefore leading to the system to run out of memory.
• CVE-2023-34454, a vulnerability in snappy-java that would allow an attacker to take advantage of unchecked multiplications causing a possible integer overflow resulting in an unrecoverable fatal error.

More details on these releases may be found in the changelogs for version 3.2.7 and version 2.6.12.

The Quarkus team has also documented their journey in addressing CVE-2023-44487 that includes an overview of the CVE, threads vs. event loops and their solution.

Open Liberty

IBM has released 23.0.0.10 of Open Liberty featuring support for JDK 21 and an update to the featureUtility command that now verifies feature authenticity by default when a new feature is installed into Open Liberty. This replaces the verified checksums, but checksums do not ensure the authenticity of downloaded files.

Apache Software Foundation

The release of Apache TomEE 9.1.1 ships with bug fixes, dependency upgrades and the most notable change that drops support for their own shade of CFX in favor of Apache CXF 4.0. This release also includes fixes and backports for several CVEs:

• CVE-2023-34981, a vulnerability in which a regression in the fix for Bug 66512 could lead to an information leak if a response did not include any HTTP headers, then no Apache JServ Protocol (AJP) SEND_HEADERS message would be sent for the response. This was fixed in Bug 66591 and developers are encouraged to migrate to minimal versions 11.0.0-M6, 10.1.9, 9.0.75 or 8.5.89.
• CVE-2023-42795, an exposure that occurs when recycling various internal objects, including the request and the response, prior to re-use by the next request/response, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next.
• CVE-2023-35116, a vulnerability in Jackson Databind 2.15.2 and below such that an attacker can craft an object that uses cyclic dependencies that may result in a denial of service. It is important to note that this CVE is in dispute because FasterXML, creators of Jackson, believe that the steps to construct a cyclic data structure with an attempt to serialize it cannot be achieved by an external attacker.

More details on this release may be found in the release notes.

Versions 10.1.15 and 8.5.95 of Apache Tomcat both feature notable fixes: a regression with HTTP compression after refactoring code; and a regression in the clean-up of unnecessary use of fully qualified class names in versions 10.1.14 and 8.5.94 that broke the JDBC pool. More details on these releases may be found in the release notes for version 10.1.15 and version 8.5.95.

JHipster

The first release candidate of JHipster 8.0.0 provides bug fixes, dependency upgrades and notable changes such as: the JHipster-generated equals() method is now safe to use in Hibernate; improved code coverage of the MetricsComponent class; and improved support of JHipster Blueprints. More details on this release may be found in the release notes.

Version 0.45.0 of JHipster Lite has been released featuring bug fixes, improvements in documentation, dependency upgrades and new features/improvements such as: a new YamlFileSpringPropertiesHandler class in preparation for supporting YAML configuration; new toString() methods added to various JHipster classes for improved debugging; and support for processing multi-line comments in Spring property files. More details on this release may be found in the release notes.

The JHipster team also celebrated their 10th anniversary this past week. The very first commit was published on October 21, 2013.

EclipseCon

EclipseCon 2023 was held at the Forum am Schlosspark and the Film-und-Medienzentrum (FMZ) in Ludwigsburg, Germany this past week featuring speakers from the Java Community who presented on topics such as: Automotive & Mobility, IOT & Edge, Open Source Best Practices, Programming Languages & Runtimes, and Tools & IDEs. The conference also featured a Community Day that brings together like-minded individuals, passionate experts, and curious minds from all walks of life for meetings, project updates, workshops, presentations or panel discussions. Ivar Grimstad, Jakarta EE Developer Advocate at the Eclipse Foundation posted his daily summaries for Community Day, Day One, Day Two and Day Three.

Article originally posted on InfoQ. Visit InfoQ

This week’s Java roundup for October 9th, 2023 features news from OpenJDK, JDK 22, Apache Tomcat CVEs, Devoxx Morocco, and milestone, point and release candidates of: Spring Framework; Spring Data; Micronaut; Quarkus; Micrometer Metrics; Micrometer Tracing; Apache Kafka; Apache Camel; Eclipse Vert.x; Project Reactor; JHipster Lite; Piranha; and RefactorFirst.

OpenJDK

After its review has concluded, JEP 454, Foreign Function & Memory API, has been promoted from Proposed to Target to Targeted for JDK 22. This JEP proposes to finalize this feature after two rounds of incubation and three rounds of preview: JEP 412, Foreign Function & Memory API (Incubator), delivered in JDK 17; JEP 419, Foreign Function & Memory API (Second Incubator), delivered in JDK 18; JEP 424, Foreign Function & Memory API (Preview), delivered in JDK 19; JEP 434, Foreign Function & Memory API (Second Preview), delivered in JDK 20; and JEP 442, Foreign Function & Memory API (Third Preview), to be delivered in the upcoming GA release of JDK 21. Improvements since the last release include: a new Enable-Native-Access manifest attribute that allows code in executable JARs to call restricted methods without the use of the --enable-native-access flag; allow clients to programmatically build C function descriptors, avoiding platform-specific constants; improved support for variable-length arrays in native memory; and support for multiple charsets in native strings. InfoQ will follow up with a more detailed news story.

JEP 460: Vector API (Seventh Incubator), has been promoted from its JEP Draft 8315945 to Candidate status. This JEP, under the auspices of Project Panama, incorporates enhancements in response to feedback from the previous six rounds of incubation: JEP 448, Vector API (Sixth Incubator), to be delivered in the upcoming GA release of JDK 21; JEP 438, Vector API (Fifth Incubator), delivered in JDK 20; JEP 426, Vector API (Fourth Incubator), delivered in JDK 19; JEP 417, Vector API (Third Incubator), delivered in JDK 18; JEP 414, Vector API (Second Incubator), delivered in JDK 17; and JEP 338, Vector API (Incubator), delivered as an incubator module in JDK 16. The most significant change from JEP 448 includes an enhancement to the JVM Compiler Interface (JVMCI) to support Vector API values.

JEP Draft 8315398, Implicitly Declared Classes and Instance Main Methods (Second Preview), formerly known as Unnamed Classes and Instance Main Methods (Preview), Flexible Main Methods and Anonymous Main Classes (Preview) and Implicit Classes and Enhanced Main Methods (Preview), incorporates enhancements in response to feedback from the previous round of preview, namely JEP 445, Unnamed Classes and Instance Main Methods (Preview). This JEP proposes to “evolve the Java language so that students can write their first programs without needing to understand language features designed for large programs.” This JEP moves forward the September 2022 blog post, Paving the on-ramp, by Brian Goetz, Java language architect at Oracle. Gavin Bierman, consulting member of technical staff at Oracle, has published the first draft of the specification document for review by the Java community. More details on JEP 445 may be found in this InfoQ news story.

Gavin Bierman, consulting member of technical staff at Oracle, has provided an updated specification document for JEP 447, Statements before super() (Preview), a JEP that proposes to: allow statements that do not reference an instance being created to appear before the this() or super() calls in a constructor; and preserve existing safety and initialization guarantees for constructors.

JDK 22

Build 19 of the JDK 22 early-access builds was made available this past week featuring updates from Build 18 that include fixes to various issues. Further details on this build may be found in the release notes.

For JDK 22, developers are encouraged to report bugs via the Java Bug Database.

Spring Framework

The first release candidate of Spring Framework 6.1.0 delivers bug fixes, improvements in documentation, dependency upgrades and new features such as: a move of the ReactorResourceFactory class from the org.springframework.http.client.reactive to the org.springframework.http.client package for improved support of CRaC; allow custom implementations of the ClientRequestObservationConvention interface for the RestClient interface; and expose the shouldHandle(ApplicationEvent) method in the ApplicationListenerMethodAdapter class to inspect whether a listener is actually interested in an event instance. More details on this release may be found in the release notes.

Similarly, Spring Framework 6.0.13 has been released featuring bug fixes, improvement in documentation, dependency upgrades and new features such as: improved diagnostics for when repeated text size calculation results in overflow in the Spring Expression Language; and reintroduce the FastClass class in CGLIB proxy class names annotated with @Configuration. Further details on this release may be found in the release notes.

The first release candidate of Spring Data 2023.1.0, codenamed Vaughn, delivers: support for JDK 21; use of virtual threads via configuration of the Java Executor interface; support for Kotlin value classes; an initial exploration of optimizations with CRaC; and a migration of documentation to Antora. More details on this release may be found in the release notes.

Versions 2023.0.5, 2022.0.11 and 2021.2.17, all service releases of Spring Data, feature bug fixes and respective dependency upgrades to sub-projects such as: Spring Data Commons 3.1.5, 3.0.11 and 2.7.17; Spring Data MongoDB 4.1.5, 4.0.11 and 3.4.17; Spring Data Elasticsearch 5.1.5, 5.0.11 and 4.4.17; and Spring Data Neo4j 7.1.7, 7.0.11 and 6.3.17. These versions can be consumed by the upcoming releases of Spring Boot 3.1.5, 3.0.12 and 2.7.17, respectively.

The second milestone release of Spring Shell 3.2.0 provides: experimental support for a new Terminal UI and other notable changes such as: a new ViewCommand class to provide a higher level instruction for the View interface; and improved implementations of the ButtonView and DialogView classes. Further details on this release, including a demo of the new Terminal UI, may be found in the release notes.

Micronaut

The Micronaut Foundation has released version 4.1.4 of the Micronaut Framework featuring Micronaut Core 4.1.9 and update to modules: Micronaut Serialization, Micronaut AWS, Micronaut Email, Micronaut Data, Micronaut Maven Plugin, Micronaut SQL Libraries, and Micronaut Discovery Client. More details on this release may be found in the release notes.

Quarkus

Red Hat has released version 3.4.3 of Quarkus 3.4.3 that primarily addresses CVE-2023-44487, a vulnerability in which Tomcat’s implementation of HTTP/2 was vulnerable to the rapid reset attack causing a denial of service that was typically manifested as an OutOfMemoryError. There were also improvements in documentation and notable fixes such as: a call to a Reactive REST Client that hangs when receiving an invalid chunked response resulting in resources not being released; a ClassNotFoundException when Quarkus applications using Picocli and JAX-RS to consume SSEs breaks when converted to a native build; and allow the MicroProfile @ClientHeaderParam annotation to override the “User-Agent” header parameter. Further details on this release may be found in the changelog.

Micrometer

Versions 1.12.0-RC1, 1.11.5, 1.10.12 and 1.9.16 of Micrometer Metrics all deliver dependency upgrades and these bug fixes: an instance of the ObservationRegistry.NOOP interface is null when running in a Spring Boot application; and a ConcurrentModificationException using the computeIfAbsent() method defined in the Context inner class of the Observation interface. New features in version 1.12.0-RC1 include: move the instrumentation for the Jakarta Messaging specification to a new module, micrometer-jakarta9; and support for the VMware CSP authentication system for their integration of Wavefront. More details on these releases may be found in the release notes for version 1.12.0-RC1, version 1.11.5, version 1.10.12 and version 1.9.16.

Similarly, versions 1.2.0-RC1, 1.1.6 and 1.0.11 of Micrometer Tracing all deliver dependency upgrades and bug fixes such as: apply a wider inclusion for Zipkin Reporter in the Gradle build to resolve dependency issues; and a scope override when a scope was set in the ObservationAwareSpanThreadLocalAccessor class. New features in version 1.2.0-RC1 include: define the SpanTagAnnotationHandler class as optional to match the TimedAspect class for improved configuration by frameworks; and a migration of io.opentelemetry:opentelemetry-semconv to io.opentelemetry.semconv:opentelemetry-semconv due to OpenTelemetry having deprecated their old Semantic Conventions module with a new module that have different Maven coordinates. Further details on these releases may be found in the release notes for version 1.2.0-RC1, version 1.1.6 and version 1.0.11.

Apache Software Foundation

The Apache Tomcat team has disclosed four Common Exposures and Vulnerabilities (CVEs) that affect versions 11.0.0-M1 to 11.0.0-M11, 10.1.0-M1 to 10.1.13, 9.0.0-M1 to 9.0.80 and 8.5.0 to 8.5.93.

• CVE-2023-42795, an exposure that occurs when recycling various internal objects, including the request and the response, prior to re-use by the next request/response, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next.
• CVE-2023-45648, a vulnerability in which an attacker can send a specially crafted, invalid trailer header that could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.
• The aforementioned CVE-2023-44487.
• CVE-2023-42794, a vulnerability in which Tomcat’s internal fork of a Commons FileUpload package included an unreleased, in progress refactoring on Windows if a web application opened a stream for an uploaded file, but failed to close the stream. The file would never be deleted from disk creating the possibility of an eventual denial of service due to the disk being full. It is important to note that this CVE only affected Tomcat versions 9.0.70 to 9.0.80 and 8.5.85 to 8.5.93.

Users of these affected versions should apply one of the following mitigations: upgrade to minimal versions of Apache Tomcat 11.0.0-M12, 10.1.14, 9.0.81 and 8.5.94.

The release of Apache Kafka 3.6.0 delivers bug fixes, improvements and new features such as: support for delegation tokens in Kafka Raft (KRaft); the ability to migrate Kafka clusters from a ZooKeeper metadata system to a KRaft metadata system; and support for Tiered Storage as an early-access feature. More details on this release may be found in the release notes.

The release of Apache Camel 4.1.0 provides bug fixes, dependency upgrades and new features such as: capture startup events and report time in a report for human-readable form; a new Camel Thymeleaf template component to complement the existing Camel Freemarker and Camel Velocity components for working with templates; and a new command to generate SBOM for a given JBang project in CycloneDX format. Further details on this release may be found in the release notes.

Eclipse Vert.x

The release of Eclipse Vert.x 4.4.6 delivers dependency upgrades and notable changes such as: an upgrade to Netty 4.1.100.Final that addresses the aforementioned CVE-2023-44487; fixes in the Money class that include deprecating the Money(long, int) constructor in favor of Money(Number); and drop support for an empty Host header in a curl command that caused a NullPointerException. More details on this release may be found in the release notes and deprecations and breaking changes.

Project Reactor

The first release candidate of Project Reactor 2023.0.0 provides dependency upgrades to reactor-core 3.6.0-RC1, reactor-pool 1.0.3 and reactor-netty 1.1.12. There was also a realignment to version 2023.0.0-RC1 with the reactor-kafka 1.3.21, reactor-addons 3.5.1 and reactor-kotlin-extensions 1.2.2 artifacts that remain unchanged. Further details on this release may be found in the changelog.

Similarly, Project Reactor 2022.0.12, the twelfth maintenance release, provides dependency upgrades to reactor-core 3.5.11, reactor-netty 1.1.12 and reactor-pool 1.0.3. There was also a realignment to version 2022.0.11 with the reactor-kafka 1.3.21, reactor-addons 3.5.1 and reactor-kotlin-extensions 1.2.2 artifacts that remain unchanged. More details on this release may be found in the changelog.

JHipster Lite

Version 0.44.0 of JHipster Lite has been released featuring bug fixes, dependency upgrades and new features/enhancements such as: enable some builds on JDK 21; fix use of the Java HashMap class in the KafkaPropertiesTest class; and display a minimap on the landscape screen for improved navigation. Further details on this release may be found in the release notes.

Piranha

The release of Piranha 23.10.0 delivers notable changes such as: dependency and plugin upgrades; a code smell fix in the PiranhaJarContainer class; and a removal of the Vulnerabilities, Technical Debt, Security and Reliability badges. More details on this release may be found in their documentation and issue tracker.

RefactorFirst

Jim Bethancourt, principal software consultant at Improving, an IT services firm offering training, consulting, recruiting, and project services, has announced the release of RefactorFirst 0.5.0-M1. This release delivers: many dependency upgrades and new features such as: a new command line for RefactorFirst; and a refactor of the HTML, CSV and JSON reports into their own respective modules. It is important to note that RefactorFirst now requires JDK 11 to address CVE-2023-4759, a vulnerability in JGit versions below 6.6.0 that allows an attacker to use a symbolic link in a specially crafted git repository to write a file to locations outside the working tree. As a result, the project has also been moved into the newly created RefactorFirst organization on GitHub. Further details on this release may be found in the release notes.

Devoxx Morocco

Devoxx Morocco was held at the Hilton Taghazout Bay Beach Resort & Spa in Taghazout, Morocco this past week featuring speakers from the Java community who presented on topics such as: Architecture, Data & AI, Development Practices, DevOps & Cloud, and Security.

Article originally posted on InfoQ. Visit InfoQ

This week’s Java roundup for October 2nd, 2023 features news from OpenJDK, JDK 22, Azul Code Inventory, Spring Shell 3.1.4, 3.0.8 and 2.1.13, JNoSQL 1.0.2, Quarkus 3.4.2, Micronaut 4.1.3, Hibernate Search 6.2.2, PrimeFaces 12.0.6, 11.0.12, 10.0.19 and 8.0.24, Maven 3.9.5, Camel 3.20.7, Tomcat Native 1.2.39, Testcontainers 1.19.1, JBang 0.111.0, Gradle 8.4, QCon San Francisco and Devoxx Belgium.

Open JDK

JEP 454, Foreign Function & Memory API, has been promoted from Candidate to Proposed to Target for JDK 22. This JEP proposes to finalize this feature after two rounds of incubation and three rounds of preview: JEP 412, Foreign Function & Memory API (Incubator), delivered in JDK 17; JEP 419, Foreign Function & Memory API (Second Incubator), delivered in JDK 18; JEP 424, Foreign Function & Memory API (Preview), delivered in JDK 19; JEP 434, Foreign Function & Memory API (Second Preview), delivered in JDK 20; and JEP 442, Foreign Function & Memory API (Third Preview), to be delivered in the upcoming GA release of JDK 21. Improvements since the last release include: a new Enable-Native-Access manifest attribute that allows code in executable JARs to call restricted methods without the use of the --enable-native-access flag; allow clients to programmatically build C function descriptors, avoiding platform-specific constants; improved support for variable-length arrays in native memory; and support for multiple charsets in native strings. The review is expected to conclude on October 11, 2023.

JEP 459, String Templates (Second Preview), has been promoted from its JEP Draft 8314219 to Candidate status to provide a second preview from the first round of preview: JEP 430, String Templates (Preview). This JEP proposes to enhance the Java programming language with string templates, string literals containing embedded expressions, that are interpreted at runtime where the embedded expressions are evaluated and verified. More details on JEP 430 may be found in this InfoQ news story.

JEP 458, Launch Multi-File Source-Code Programs, was promoted from its JEP Draft 8304400 to Candidate status. This JEP proposes to enhance the Java Launcher to execute an application supplied as one or more files of Java source code. This allows a more gradual transition from small applications to larger ones by postponing a full-blown project setup.

JEP Draft 8316779, Null-Restricted Value Class Types (Preview), was updated to rename this draft from its original Value Object Storage Enhancements (Preview). Under the auspices of Project Valhalla, this JEP introduces null-restricted storage of value objects in fields and array components. “These variables are initialized to an initial instance of the class and reject attempts to write a null value. They can be optimized with compact, flattened object encodings.”

JDK 22

Build 18 of the JDK 22 early-access builds was made available this past week featuring updates from Build 17 that include fixes to various issues. Further details on this build may be found in the release notes.

For JDK 22, developers are encouraged to report bugs via the Java Bug Database.

Azul

At Devoxx Belgium this past week, Azul introduced their new product, Code Inventory, a new feature under Azul Vulnerability Detection that provides developers and DevOps teams “a precise catalog of the source code actually used in production by Java applications, making it easy to accurately identify dead and unused code for removal.”

Spring Framework

Versions 3.1.4, 3.0.8 and 2.1.13 of Spring Shell have been released featuring a new property, spring.shell.context.close, to close context requests after Shell has completed its execution logic. These releases are built on Spring Boot 3.1.4, 3.0.11 and 2.7.16, respectively. More details on these releases may be found in the release notes for version 3.1.4, version 3.0.8 and version 2.1.13.

Eclipse JNoSQL

The release of Eclipse JNoSQL 1.0.2 delivers bug fixes, improvements in documentation and the addition of JNoSQL Lite, a new option that provides an alternative to the traditional JNoSQL framework. Developers can now avoid reflection and read Java metadata annotations through the Java Annotation processor. Eclipse JNoSQL is the compatible implementation to the Jakarta NoSQL specification. Further details on this release may be found in the release notes and this technical article.

Quarkus

Quarkus 3.4.2, the second maintenance release, delivers improvements in documentation, dependency upgrades and notable bug fixes such as: Quarkus 3.4.1 fails to start in dev mode; a ExceptionInInitializerError due to gRPC interceptors lookup in Micrometer binders; and a ClassCastException with RESTEasy reactive and a Jersey client. More details on this release may be found in the release notes.

Micronaut

The Micronaut Foundation has released Micronaut Framework 4.1.3 featuring Micronaut Core 4.1.8 and updates to modules: Micronaut Oracle Cloud, Micronaut Serialization, and Micronaut SQL. Further details on this release may be found in the release notes.

Hibernate

The release of Hibernate Search 6.2.2.Final provides: bug fixes; adds compatibility with Elasticsearch 8.10 and OpenSearch 2.10: deprecates the ~ operator in regular expression predicates; and dependency upgrades to Hibernate ORM 6.2.9.Final for the -orm6 artifacts, Elasticsearch client 8.10.2, Jackson 2.15.2 and Avro 1.11.3. More details on this release may be found in the release notes.

PrimeFaces

Versions 12.0.6, 11.0.12, 10.0.19 and 8.0.24 of PrimeFaces have been released that address two security fixes: CVE-2022-45688, a vulnerability in which a denial-of-service attack is possible due to an attacker crafting JSON or XML data that will cause a stack overflow from the toJSONObject() method of the XML class in Hutool 5.8.10; and CVE-2020-7746, a vulnerability in which a prototype pollution is possible due to an attacker taking advantage of the options parameter, not properly sanitized, in Chart.js 2.9.4 when it is processed. New features include: an Ajax request should provide information if response was a redirect to the next dialog box; eliminate hiding the AjaxStatus facet when an Ajax request leads to a redirect; and a dependency upgrade to Chart.js 3.9.1. Further details on these releases may be found in the changelogs for version 12.0.6, version 11.0.12, version 10.0.19 and version 8.0.24.

Apache Software Foundation

The release of Apache Maven 3.9.5 delivers one bug fix, a dependency upgrade to Maven Artifact Resolver 1.9.16, and notable changes such as: an un-deprecation of wrongly deprecated repository metadata; support for ${project.basedir} in file profile activation; and colorization of download transfer messages. More details on this release may be found in the release notes.

Apache Camel 3.20.7 has been released featuring bug fixes, dependency upgrades and improvements such as: environment variables with the name ‘secret’ are now masked in logs; prevent the usage of proxy protocol in producer endpoint; and improved support for Mappers defined as abstract classes to allow for unwanted instances of the TypeConverters interface to be registered for the equals() and wait() methods. Further details on this release may be found in the release notes.

The release of Apache Tomcat Native 1.2.39 features: disabling the Online Certificate Status Protocol (OCSP) if the insecure optionalNoCA certificate verification option is used; and the binaries for Windows have been built with OpenSSL 3.0.11. More details on this release may be found in the changelog.

Testcontainers for Java

Testcontainers for Java 1.19.1 was released with notable changes such as: the ability to define a custom ImagePullPolicy interface via configuration; override the toString() method of the ImageNameSubstitutor class to return the value set in the getDescription() method; and independently log the image pull and container startup times.

JBang

The release of JBang 0.111.0 provides: support for Groovy 4.0; a display of integration errors when the --verbose command line parameter is used; a check that a manifest exists before an attempt to read from it; and ensure that alias settings are properly applied.

Gradle

Gradle 8.4 has been released featuring two security fixes: a vulnerability in which an incorrect permission assignment for symbolic linked files used in copy or archiving operations can lead to unintended permissions that are world readable and writable; and a vulnerability in which resolving XML external entities that are not disabled while parsing XML files can lead to exfiltration of local text files to a remote server. New features include: initial support for JDK 21 only to compile, test, and run Gradle projects since Kotlin does not yet support JDK 21; improved compilation on Windows OS; a simplified way to create role-focused instances of the Configuration interface using the ConfigurationContainer interface; and improved support for the Kotlin DSL. Further details on this release may be found in the release notes.

QCon San Francisco

The 17th annual QCon San Francisco conference was held at the Hyatt Regency in San Francisco, California. This five-day event is organized by C4Media, a software media company focused on unbiased content and information in the enterprise development community and creators of InfoQ and QCon. The conference consisted of three days of presentations and two days of workshops. Daily recaps of the presentations can be found for Day One, Day Two and Day Three.

Devoxx Belgium

Devoxx Belgium, celebrating its 20th year, was also held at the Kinepolis Antwerp in Antwerp, Belgium featuring speakers from the Java community presenting in tracks such as: Java, Server-Side Java, Architecture, Development Practices, Data & AI, Security and UI & UX.

Article originally posted on InfoQ. Visit InfoQ

Ryan Dahl, Co-Founder and CEO at Deno and Software Engineer Best Known for Creating Node.js, presented Streamlining Cloud Development with Deno at the 2023 QCon San Francisco conference.

According to Dahl, the web has become the medium of human information. It should be in existence five years from now and perhaps even the next 10 or 20 years. JavaScript is inherently tied to the web and, therefore, JavaScript will be important in the future.

As the creator of Node.js, Dahl’s goal was to force developers to easily build fast servers by only exposing asynchronous I/O in JavaScript. However, building those fast servers requires more than just asynchronous I/O. Issues that need to be addressed include: managing complex cloud configurations; some sort of geographically replicated state; navigating a plethora of software, workflows and toolchains; and supply chain security. This was his inspiration behind creating Deno, an open source next-generation JavaScript runtime that is: secure by default; offers native support for JavaScript and TypeScript; ships with testing, linting, formatting and more; is backwards compatible with Node.js and npm; and contains web standard APIs.

Deno is a single executable file at 100MB with support for 14 different web standards such as: globalThis, window.close(), FormData and webAssembly. Deno is also a browser for command-line scripts as shown in the following examples:

    
$ deno run https://deno.land/std@0.150.0/examples/gist.ts
    

The above Deno command will upload a Gist file to GitHub.

    
$ deno run npm:cowsay moo
    

The above Deno will execute an npm application named cowsay and display ASCII art of a cow saying “moo.”

Once installed, Deno can initialize a project using:

    
$ deno init
    

It will generate three files, main.ts, the main application that defines a function to add two numbers and display it on the terminal window; main_test.ts, a simple test for main.ts; and deno.json, a JSON file that defines the deno run command. The main application and test are executed as follows:

    
$ deno run main.ts
$ deno test main_test.ts
    

Dahl then provided a demo on how to quickly build an asynchronous compression stream application in only three lines of code as shown in the following example:

    
const src = await Deno.open("/etc/passwd");
const dst = await Deno.open("out.gz", {write: true, create: true})
src.readable.pipeThrough(new CompressionStream("gzip")).pipeTo(dst.writable);
    

Upon executing the above application, Deno requested read access and write access to the file to be opened and the gzip file, respectively.

Libraries from Node.js can be imported into Deno applications as the following example shows:

    
import { readFileSync } from "node:fs";

const etc = readFileSync("/etc/password");
console.log(etc);
    

It is important to note that Deno security permissions still apply when importing libraries.

Deno Node Transform (DNT), a Deno-to-npm package build tool that can transpile JavaScript for distribution on npm. Deno tests can also be transpile and executed on Node.js. Dahl provided a demo on how to build an Express server:

    
import express from "npm:express"

const app = express();
app.get("/", (_req, res) => { res.send('Hellon');});
app.listen(3000, () => { console.log("server on http://localhost:3000"); });
    

Deno Deploy, the “easiest serverless platform,” as Dahl claimed, features: scaling to zero cost; support for npm packages; built-in storage and compute; low global latency in 35 regions; fast cold starts; and powers Netlify Edge functions. To install Deno Deploy, simply execute the following command:

    
$ deno install -Arf https://deno.land/x/deploy/deployctl.ts
    

Deploying applications is accomplished with the deployctl command as shown in the following example:

    
$ deployctl deploy --project=hello-world ./examples/hello.ts
    

It is important to note that a personal access token is required before using Deno Deploy. One can be obtained from the access token page. The token may be stored in the DENO_DEPLOY_TOKEN environment variable or passed into the deployctl command with the --token flag.

Dahl then provided a demo on how to take the aforementioned freshly-built Express server and deploy it to the cloud.

Deno KV, a datastore anchored by ACID transactions and powered by FoundationDB. Features include: zero configuration; ACID transactions; scaling to zero cost; and built-in to Deno Deploy. Dahl stated that Deno KV doesn’t replace a real database, but it is useful for sharing state.