Author: Michael Redlich

Article originally posted on InfoQ. Visit InfoQ

This week’s Java roundup for October 30th, 2023 features news from OpenJDK, JDK 22, GlassFish 7.0.10, Spring Boot 3.2-RC2, Spring Cloud 2023.0-RC1, Spring Cloud Stream Applications 2022.0, Spring Statemachine 4.0-M1, Spring Tools 4.20.1, Open Liberty 23.0.11-beta, Micronaut 4.1.6, Grails 6.1, TomEE 8.0.16, Infinispan 14.0.20, JHipster 8.0, JHipster Lite 0.47, JReleaser 1.9 and Kotlin 1.9.20.

OpenJDK

JEP 463, Implicit Classes and Instance Main Methods (Second Preview), has been promoted from its JEP Draft 8315398 to Candidate status. Formerly known as Unnamed Classes and Instance Main Methods (Preview), Flexible Main Methods and Anonymous Main Classes (Preview) and Implicit Classes and Enhanced Main Methods (Preview), this JEP incorporates enhancements in response to feedback from the previous round of preview, namely JEP 445, Unnamed Classes and Instance Main Methods (Preview). This JEP proposes to “evolve the Java language so that students can write their first programs without needing to understand language features designed for large programs.” This JEP moves forward the September 2022 blog post, Paving the on-ramp, by Brian Goetz, Java language architect at Oracle. Gavin Bierman, consulting member of technical staff at Oracle, has published the first draft of the specification document for review by the Java community. More details on JEP 445 may be found in this InfoQ news story.

JDK 22

Build 22 of the JDK 22 early-access builds was made available this past week featuring updates from Build 21 that include fixes to various issues. Further details on this build may be found in the release notes.

For JDK 22, developers are encouraged to report bugs via the Java Bug Database.

Eclipse GlassFish

Eclipse GlassFish 7.0.10, the tenth maintenance release, features bug fixes, dependency upgrades and notable changes such as: an improvement in reproducible builds; a refactor and cleanup of login modules; and replace the deprecated newInstance() method defined in the XMLInputFactory class with the newFactory() method. More details on this release may be found in the release notes.

Spring Framework

The second release candidate of Spring Boot 3.2.0 delivers bug fixes, improvements in documentation, dependency upgrades and new features such as: introduce the PemSslStore interface as an alternative to PemSslStoreDetails record because the latter does not provide a way to work with Certificates and PrivateKeys that have already been parsed from PEM content; a new PemContent class that provides a way for the auto-configured code to parse certificates; and allow the alias and password to be configured on a per-PEM store basis. Further details on this release may be found in the release notes.

The first release candidate of Spring Cloud 2023.0.0, codenamed Leyton, ships with bug fixes and release candidate upgrades to sub-projects such as: Spring Cloud Commons 4.1.0-RC1; Spring Cloud Starter Build 2023.0.0-RC1; and Spring Cloud Kubernetes 3.1.0-RC1. More details on this release may be found in the release notes.

Version 2022.0.0 of Spring Cloud Stream Applications has been released featuring big fixes and notable changes such as: a revision configuration of the HttpRequestFunctionConfiguration class to use Spring Framework WebClient.Builder interface; a new JsonBytesToMap class as a part of a payload-converter-function module which is auto-discovered by the Spring Cloud Function scanning algorithm; and apply the ComponentCustomizer in other modules as part of a fix to remove auto-configuration. Further details on this release may be found in the release notes.

The second release candidate of Spring Modulith 1.1.0 ships with a dependency upgrade to Spring Boot 3.2.0-RC2, a new feature that supports event externalization into AWS Simple Notification Service (SNS) and Simple Queue Service (SQS), and notable improvements such as: register parameter types of methods annotated with @TransactionalEventListener for reflection; allow the explicit declaration of an identifier in the @ApplicationModuleListener annotation; and reinstantiate general compatibility with Spring Boot 3.1 and Framework 6.0 to fall back to reflective invocation of the application event listener if working with Spring Framework 6.2. This also allows projects to upgrade to Spring Modulith 1.1 without necessarily upgrading to Spring Boot 3.2. More details on this release may be found in the release notes.

The first milestone release of Spring Statemachine 4.0.0 features a dependency upgrade to Spring Boot 3.1.5 and initial support for the Spring Boot 3.1 release train. Further details on this release may be found in the release notes.

The release of Spring Tools 4.20.1 for Eclipse, Visual Studio Code and Theia ships with notable changes such as: early access builds available for the upcoming release of Eclipse 2023-12; various performance optimizations around scanning symbols and Java reconciling; and significant improvement in completions for Spring Boot properties. More details on this release may be found in the release notes.

Open Liberty

IBM has released version 23.0.0.11-beta of Open Liberty featuring new vendor metrics for MicroProfile Metrics 5.0 that can be directly added to dashboards of various monitoring tools without additional computation. These new metrics are: Process CPU Utilization Percent; Heap Utilization Percent; GC Time per Cycle; Connection Pool in Use Time per Used Connection; Connection Pool Wait Time per Queued Request; Servlet Elapsed Time per Request; and REST Elapsed Time per Request. There were also new capabilities for MicroProfile Reactive Messaging 3.0 and MicroProfile Stream Operators 3.0 that include support for negative acknowledgements.

Micronaut

The Micronaut Foundation has released version 4.1.6 of the Micronaut Framework featuring Micronaut Core 4.1.11 and updates to modules: Micronaut Core, Micronaut Picocli Configuration, Micronaut MQTT and Micronaut Reactor. Further details on this release may be found in the release notes.

Grails

The Grails Foundation has released version 6.1.0 of the Grails Framework providing bug fixes, dependency upgrades and notable changes such as: convert the org.grails:grails-web-sitemesh dependency as optional in the build.gradle file due to the GroovyPageLayoutFinder class being tightly coupled with the ResponseRenderer trait; update the groovy-joint-workflow.yml file to adjust for the sunsetting of Sonatype Lift; and update the GitHub actions/checkout property to Checkout V4 in various YAML files. More details on this release may be found in the release notes.

TomEE

The release of Apache TomEE 8.0.16 primarily addresses several CVEs, namely: CVE-2023-33201, LDAP injection vulnerability in Bouncy Castle; CVE-2023-35116, cyclic dependencies in Jackson; CVE-2023-34981, information leak in Apache TomEE; and CVE-2023-44483, private key exposure in Apache Santuario. This release also includes bug fixes, dependency upgrades related to the CVEs, and an improvement in support in the JMX console to extract parameters via reflection. Further details on this release may be found in the release notes.

Infinispan

Version 14.0.20.Final of Infinispan has been released with notable changes such as: support for JDK 21; elimination of JMX registration conflicts by adding the @DirtiesContext annotation on Spring tests to force stopping cache manager; and add wait times in the testRequestsReceived() and other methods defined in the XSiteMBeanTest class to eliminate the random failures due to the method not waiting for the sender to update its statistics. More details on this release may be found in the list of issues.

JHipster

Two and a half years since the release of JHipster 7.0.0, the release of JHipster 8.0.0 delivers notable changes such as: fix the user search API to follow new standards that avoids repeating the entity’s name on each endpoint; call async methods via an injected dependency instead of directly via the this keyword; and improved support for Blueprints. Further details on this release may be found in the release notes.

Version 0.47.0 of JHipster Lite has been released featuring bug fixes, improvements in documentation, dependency upgrades and enhancements such as: support for YAML for Spring configuration; increase the height in the Tikui display to avoid scroll bar from appearing; and display the current version number in the navigation bar. More details on this release may be found in the release notes.

JReleaser

Version 1.9.0 of JReleaser, a Java utility that streamlines creating project releases, has been released to deliver bug fixes, improvements in documentation and notable changes such as: update the GitHub actions/checkout property to Checkout V4 in various YAML files; a new a f_file_exists template function that corresponds to a nested class, FileExistsFunction, defined in the DefaultMustacheExtensionPoint class, for improved generation of release notes; and a missing template option bindings to jlink that resolved the creation of a non-working launcher script. Further details on this release may be found in the release notes.

Kotlin

The release of Kotlin 1.9.20 featuring: the K2 compiler for all the targets is now in Beta; Kotlin Multiplatform is now stable and production-ready; performance improvements for the garbage collector in Kotlin/Native; full support for the Gradle configuration cache in Kotlin Multiplatform; and a new default hierarchy template for establishing multi-platform projects. More details on this release may be found in the release notes and this detailed InfoQ news story.

Article originally posted on InfoQ. Visit InfoQ

This week’s Java roundup for October 23rd, 2023 features news from OpenJDK, JDK 22, Jakarta Data 1.0-M1, GraalVM 21.0.1, Spring 6.1-RC2, Spring Modulith 1.1-RC1, Spring Vault 3.1-RC1, Helidon 4.0, Eclipse Serializer 1.0, Quarkus 3.5, Liberica NIK 22.3.4, Hibernate ORM 6.4-CR1, Hibernate Search 7.0-CR1, Maven 4.0.0-alpha8, Camel 4.0.2, Camel Quarkus 3.5, JHipster Lite 0.46 and JDKMonitor.

OpenJDK

After its review has concluded, JEP 456, Unnamed Variables & Patterns, has been promoted from Proposed to Target to Targeted for JDK 22. This JEP proposes to finalize this feature after one previous round of preview: JEP 443, Unnamed Patterns and Variables (Preview), delivered in JDK 21. This feature will “enhance the language with unnamed patterns, which match a record component without stating the component’s name or type, and unnamed variables, which can be initialized but not used.” Both of these are denoted by the underscore character as in r instanceof _(int x, int y) and r instanceof _.

JEP 460, Vector API (Seventh Incubator), has been promoted from Candidate to Proposed to Target for JDK 22. This JEP, under the auspices of Project Panama, incorporates enhancements in response to feedback from the previous six rounds of incubation: JEP 448, Vector API (Sixth Incubator), to be delivered in the upcoming GA release of JDK 21; JEP 438, Vector API (Fifth Incubator), delivered in JDK 20; JEP 426, Vector API (Fourth Incubator), delivered in JDK 19; JEP 417, Vector API (Third Incubator), delivered in JDK 18; JEP 414, Vector API (Second Incubator), delivered in JDK 17; and JEP 338, Vector API (Incubator), delivered as an incubator module in JDK 16. The most significant change from JEP 448 includes an enhancement to the JVM Compiler Interface (JVMCI) to support Vector API values. The review is expected to conclude on November 3, 2023.

JEP 462, Structured Concurrency (Second Preview), has been promoted from its JEP Draft 8317302 to Candidate status. This JEP will propose to re-preview the API in JDK 22, without change, in order to gain more feedback from the previous round of preview: JEP 453, Structured Concurrency (Preview), delivered in JDK 21. This feature simplifies concurrent programming by introducing structured concurrency to “treat groups of related tasks running in different threads as a single unit of work, thereby streamlining error handling and cancellation, improving reliability, and enhancing observability.”

JEP 461, Stream Gatherers (Preview), has been promoted from its JEP Draft 8317955 to Candidate status. This JEP proposes to enhance the Stream API to support custom intermediate operations. “This will allow stream pipelines to transform data in ways that are not easily achievable with the existing built-in intermediate operations.” More details on this JEP may be found in the original design document written by Viktor Klang, Software Architect, Java Platform Group at Oracle.

JDK 22

Build 21 of the JDK 22 early-access builds was made available this past week featuring updates from Build 20 that include fixes to various issues. Further details on this build may be found in the release notes.

For JDK 22, developers are encouraged to report bugs via the Java Bug Database.

Jakarta Data

The first milestone release of Jakarta Data 1.0.0 provides: a new BasicRepository interface for performing basic operations on entities; new insert() and update() methods in CrudRepository interface to extend the capabilities of basic operations on entities, including insert and update operations; and new annotations, Insert, Update, Delete and Save, for CRUD operations. More details on this release may be found in the release notes.

GraalVM

Oracle Labs has released GraalVM for JDK 21 Community 21.0.1 featuring fixes based on the Oracle Critical Patch Update for October 2023 These include: a new CEntryPointErrors class to return errors if the stack boundaries cannot be determined; the process crashing when uncommitting unused memory; and an occasional crash using the ProcessBuilder class on macOS. Further details on this release may be found in the release notes.

Spring Framework

The second release candidate of Spring Framework 6.1 delivers bug fixes, improvements in documentation, dependency upgrades and new features such as: support for ContextLoader configuration in the @SpringJUnitConfig and @SpringJUnitWebConfig annotations for compatibility with the @ContextConfiguration annotation; improve the extensibility of the ControlFlowPointcut class to support pattern matching in method names; and a new annotation, DisabledInAotMode, in the TestContext interface to skip AOT processing. More details on this release may be found in the release notes.

The first release candidate of Spring Modulith 1.1.0 and service release 1.0.2 ship with bug fixes, dependency upgrades and improvements such as: drop support of the memoize() method in the Google Suppliers class in favor of the of() method in the Spring SingletonSupplier class; and add a mission statement to reference documentation. New features in version 1.1.0-RC1 include: create a corresponding @ApplicationModuleListener annotation to be defined in the org.springframework.modulith.events package from its original org.springframework.modulith package and mark the original annotation as deprecated; and a refactor of the @Modulith annotation to define a Spring Boot application that follows the Modulith structuring conventions. Further details on this release may be found in the release notes for version 1.1.0-RC1 and version 1.0.2.

The first release candidate of Spring Vault 3.1.0 features improvements in documentation, dependency upgrades and new features: support for role_name and entity_alias token parameters in the VaultTokenRequest class; support for the prehashed property for the Transit Secrets Engine API; add rewrap() methods to the VaultTransitOperations interface and VaultTransitTemplate class for improved rewrap of the provided batch of cipher text using the latest version of the named key. More details on this release may be found in the release notes.

Helidon

Just over one year since Helidon 4.0.0-ALPHA1 was introduced to the Java community, Oracle has released version 4.0.0 of Helidon featuring the new Helidon Níma server, support for MicroProfile 6.0; and a shift from asynchronous to blocking APIs. The Helidon Níma server was designed and built from the ground up to fully harness the capabilities of virtual threads, one of the final features of JDK 21. Further details on this release may be found in the release notes and InfoQ will follow up with a more detailed news story.

Service releases 3.2.3 and 2.6.4 of Helidon both ship with notable changes such as: the tarketKeys variable defined in the HttpSignProvider class now returns an instance of the Java ConcurrentHashMap class over the previously used HashMap class; the max-payload-size property is now parsed as of type Long to align with Helidon 4.0 and to eliminate the IllegalArgumentException when the value is greater than Integer.MAX_VALUE; and add zero-argument non-private constructors to the NonTransactionalEntityManager and ExtendedEntityManager classes. More details on these releases may be found in the changelogs for version 3.2.3 and version 2.6.4.

Eclipse Serializer

The Eclipse Foundation has released version 1.0 of Eclipse Serializer, a project designed to handle any Java object, with complex object structure, and highly secure. Formerly known as MicroStream Serializer, this project enables developers to serialize any Java object, but unlike traditional Java serialization, there is no need to implement the Serializeable interface, and no specific interfaces, superclasses or annotations are required.

Quarkus

Red Hat has released version 3.5.0 of Quarkus 3.5.0 featuring bug fixes, improvements in documentation and performance, and notable changes such as: support for JDK 21; enhancements in OIDC token propagation filters to customize the exchange status and provide the client name; and allow the parallel execution of blocking health checks. Further details on this release may be found in the changelog.

BellSoft

BellSoft has released versions 22.3.4, 23.0.2, 23.1.1 for JDK 11.0.10, 17.0.9, and 21.0.1 of their Liberica Native Image Kit builds as part of aforementioned Critical Patch Update release cycle to address: CVE-2023-22025, a vulnerability that allows an unauthenticated attacker, with network access via multiple protocols, to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition and Oracle GraalVM for JDK resulting in unauthorized update, insert or delete access to accessible data; CVE-2023-22067, a vulnerability that allows an unauthenticated attacker, with network access via CORBA, to compromise Oracle Java SE resulting in unauthorized update, insert or delete access to some of Oracle Java SE accessible data; and CVE-2023-22081, a vulnerability that allows unauthenticated attacker, with network access via HTTPS, to compromise Oracle Java SE and Oracle GraalVM for JDK resulting in an unauthorized ability to cause a partial denial of service of Oracle Java SE, Oracle GraalVM for JDK.

Hibernate

The first release candidate of Hibernate ORM 6.4.0 delivers: a new @SoftDelete annotation to support soft deletes, values as deleted/non-deleted versus active/inactive (reversed); implementation of the remaining functions for handling arrays in HQL and Criteria queries; and support for writing Hibernate-specific events in the JDK Flight Recorder.

The first release candidate of Hibernate Search 7.0.0 features: bug fixes; compatibility with the Hibernate ORM discriminator-based multi-tenancy, Elasticsearch 8.10 and OpenSearch 2.10/2.11; dependency upgrades to Hibernate ORM 6.3.1.Final and Apache Lucene 9.8; and rename of some Maven artifact related to JSR-352, Batch Applications for the Java Platform, to reflect the move to the Jakarta Batch specification.

Apache Software Foundation

The eighth alpha release of Apache Maven 4.0.0 provides notable changes such as: drop support for Plexus XML in favor of StAX/Woodstox for XML parsing; a new 4.1.0 POM model for future releases of Maven; and attach the build POM with a build classifier to simplify the build/consumer implementation. More details on this release may be found in the release notes.

The release of Apache Camel 4.0.2 ships with bug fixes, dependency upgrades and new features/improvements such as: introduce the ability to use the old Micrometer meter names or follow the new Micrometer naming conventions; support for subfolders in the Dev console for uploading; and an optimization of the matchEndpoint() method defined in the EndpointHelper class to avoid regular expressions for endpoints. Further details on this release may be found in the release notes.

To maintain alignment with Quarkus, Camel Quarkus 3.5.0 has been released with notable resolutions to issues such as: a failure in the CamelOracleJdbcTest class due to timezone information not having been initialized; the Kafka container fails to start when configured for SSL; and an UnsupportedOperationException with the FastCamelContext class. More details on this release may be found in the release notes.

JHipster

Version 0.46.0 of JHipster Lite has been released featuring improvements in documentation, dependency upgrades and enhancements: use more universal shebang for scripts to fix compatibility with NixOS; and add interactions, such as hover and selection, to match the current state in the Landscape MiniMap. Further details on this release may be found in the release notes.

JDKMonitor

At Devoxx Morocco, Gerrit Grunwald, Principal Engineer at Azul, introduced a new macOS widget for the desktop that displays the number of days until the next release/update of OpenJDK. The widget also includes functionality to display the latest version of the last four long-term support releases with the ability to download them either as a JDK or JRE with an option to bundle with JavaFX. This widget requires macOS Sonoma and can be downloaded from the App Store.

Article originally posted on InfoQ. Visit InfoQ

This week’s Java roundup for October 16th, 2023 features news from OpenJDK, JDK 22, BellSoft, Oracle VS Code extension, WildFly 30, Payara Platform, MicroProfile 6.1, EclipseCon and releases for GraalVM Native Build Tools, Spring Boot, Spring Security, Spring Authorization Server, Spring Cloud Dataflow, Micronaut, Quarkus, Open Liberty, Apache TomEE, Apache Tomcat, JHipster and JHipster Lite.

OpenJDK

JEP 456, Unnamed Variables and Patterns, has been promoted from Candidate to Proposed to Target for JDK 22. This JEP proposes to finalize this feature after one previous round of preview: JEP 443, Unnamed Patterns and Variables (Preview), delivered in JDK 21. This feature will “enhance the language with unnamed patterns, which match a record component without stating the component’s name or type, and unnamed variables, which can be initialized but not used.” Both of these are denoted by the underscore character as in r instanceof _(int x, int y) and r instanceof _. The review is expected to conclude on October 26, 2023.

JDK 22

Build 20 of the JDK 22 early-access builds was made available this past week featuring updates from Build 19 that include fixes to various issues. More details on this build may be found in the release notes.

For JDK 22, developers are encouraged to report bugs via the Java Bug Database.

BellSoft

Concurrent with Oracle’s Critical Patch Update (CPU) for October 2023, BellSoft has released CPU patches for versions 21.0.0.0.1, 17.0.8.1.1, 11.0.20.1.1, 8u391, 7u401 and 6u401 of Liberica JDK, their downstream distribution of OpenJDK. In addition, Patch Set Update (PSU) versions 21.0.1, 17.0.9, 11.0.21 and 8u392, containing CPU and non-critical fixes, have also been released.

Oracle

Oracle has introduced their Oracle Java Platform Extension for Visual Studio Code that brings full-featured Java development (edit/compile/debug/test cycle) for Maven and Gradle projects to VSCode along with other features such as a project explorer, debugging and launch configurations, a JDK downloader and supported refactorings.

GraalVM

On the road to version 1.0, Oracle Labs has released version 0.9.28 of Native Build Tools, a GraalVM project consisting of plugins for interoperability with GraalVM Native Image. This latest release provides: revert to the previous version of the escapeArg() method defined in the NativeImageUtils class to fix issues with Windows path escaping; improve detection of major JDK versions; and a removal of the use of the deprecated Gradle JavaPluginConvention class and replace with the JavaPluginExtension class. More details on this release may be found in the changelog.

Spring Framework

The first release candidate of Spring Boot 3.2.0 provides bug fixes, improvements in documentation, dependency upgrades and new features such as: break the cycle between TransactionManagerCustomizers class and TransactionManager interface; auto-configure the HikariCheckpointRestoreLifecycle class for a user-defined instance of an HikariDataSource class; and support for adding a Gradle Provider interface in the buildInfo Gradle task. More details on this release may be found in the release notes.

Similarly, versions 3.1.5, 3.0.12 and 2.7.17 of Spring Boot have been released featuring bug fixes, improvements in documentation, dependency upgrades, and the most notable change: correcting the behavior of the spring.jms.listener.concurrency property in which the maximum number of users was set to the value of this property and the minimum number of consumers was always set to 1. This is in contrast with the documentation, and developers should set their desired maximum value in the spring.jms.listener.max-concurrency property. More details on these releases may be found in the release notes for version 3.1.5, version 3.0.12 and version 2.7.17.

The first and second release candidates of Spring Security 6.2.0 along with service releases 6.1.5, 6.0.8 and 5.8.8 all deliver bug fixes and dependency upgrades. New features in all of these versions are: document how to publish an AuthenticationManager @Bean without the now deprecated WebSecurityConfigurerAdapter class; and use of the Gradle Version Catalog for dependencies. New features in the release candidate include: Servlet Path support for the AuthorizeHttpRequestsConfigurer class; and allow instances of the AuthenticationConverter interface to be settable in the BasicAuthenticationFilter class. More details on this release may be found in the release notes for version 6.2.0-RC2, version 6.2.0-RC1, version 6.1.5, version 6.0.8 and version 5.8.8.

The first release candidate of Spring Authorization Server 1.2.0 ships with dependency upgrades and a new feature that adds a reusable default authentication failure handler class, OAuth2ErrorAuthenticationFailureHandler. More details on this release may be found in the release notes.

Similarly, versions 1.1.3, 1.0.4 and 0.4.4 of Spring Authorization Server have been released featuring minor bug fixes and dependency upgrades to respective versions of: Spring Boot 3.1.4, 3.0.11 and 2.7.16; Spring Security 6.1.5, 6.0.8 and 5.8.8; and Spring Framework 6.0.13, 6.0.13 and 5.3.30. More details on these releases may be found in the release notes for version 1.1.3, version 1.0.4 and version 0.4.4.

The release of Spring Cloud Dataflow 2.11.1 delivers notable changes such as: ensure that the Launch API in the TaskOperations interface is backwards compatible; add common security configuration modules to dependency management that fixed issues after creating a monorepo; and dependency upgrades to json-smart 2.4.11, Nimbus JOSE + JWT 9.31, snappy-java 1.1.10.4 and Apache Commons Compress 1.24.0 to address various CVEs. More details on this release may be found in the release notes.

WildFly

Red Hat has released version 30.0.0 of WildFly featuring: support for JDK 21 as WildFly 30 has passed the TCKs as a compatible implementation of the Jakarta EE Core Profile. This release also supports most of the MicroProfile 6.0 specifications, but cannot claim to be a compatible implementation as Red Hat does not support the MicroProfile Metrics specification. It is important to note that Red Hat recommends developers remain running their applications on JDK 17 and JDK 11 because they haven’t certified WildFly 30 on the Jakarta EE Platform and Jakarta EE Web Profile. Despite this, Red Hat says that “WildFly 30 is a great choice for evaluating how your applications run on SE 21.” More details on this release may be found in the release notes.

Payara

Payara has released their October 2023 edition of the Payara Platform that includes Community Edition 6.2023.10, Enterprise Edition 6.7.0 and Enterprise Edition 5.56.0 featuring: bug fixes; a dependency upgrade to the aforementioned json-smart 2.4.11 in the OIDC client to address CVE-2023-1370, a vulnerability a vulnerability in json-smart where parsing too many nested JSON structured arrays and objects, due to no defined limit, could cause a stack overflow and crash the software; and a new timeout option, --timeout, to the Payara domain commands such as start-domain and stop-domain. More details on these versions may be found in the release notes for Community Edition 6.2023.10 and Enterprise Edition 6.7.0 and Enterprise Edition 5.56.0.

MicroProfile

The MicroProfile Working Group has released version 6.1 of MicroProfile featuring updates to specifications: MicroProfile Config 3.1, MicroProfile Metrics 5.1 and MicroProfile Telemetry 1.1.

Notable changes in MicroProfile Config include: an update to the TCK to align with breaking changes in the Jakarta EE Contexts and Dependency Injection 4.0 specification that include an empty beans.xml file and change in bean discovery mode from all to annotated; and the MissingValueOnObserverMethodInjectionTest class, that asserts a DeploymentException, fails a different reason due to the the ConfigObserver bean being defined as @ApplicationScoped (proxyable) and final (not proxyable). More details on this release may be found in the release notes.

Notable changes in MicroProfile Metrics include: introduce MicroProfile Config properties that customize how Histogram and Timer metrics track and output statistics for percentiles and histogram-buckets; define the @RegistryScope annotation as a qualifier; and include a new recommendation for multi-application deployments to use the mp.metrics.defaultAppName property to eliminate the problems caused by the requirement to have consistent tag sets for multi-app application server implementations. More details on this release may be found in the release notes.

Notable changes in MicroProfile Telemetry 1.1 include: a clarification of which API classes must be available to users; an implementation of tests that is not timestamp dependent; and a clarification of the behavior of the Span and Baggage beans when the current span or baggage changes. More details on this release may be found in the release notes.

The initial compatible implementation for MicroProfile 6.1 is Open Liberty 23.0.0.10-beta.

Micronaut

The Micronaut Foundation has disclosed a vulnerability in the OAuth2 section of their Micronaut Security module. CVE-2023-36820, a vulnerability in which the IdTokenClaimsValidator class skips the audience claim validation if the token is issued by the same identity issuer/provider resulting in improper access control.

The foundation has also released version 4.1.5 of the Micronaut Framework featuring Micronaut Core 4.10.0 and updates to modules: Micronaut AWS, Micronaut RxJava 3, Micronaut Discovery Client, Micronaut Reactor, Micronaut Object Storage. There was also a dependency upgrade to Netty 4.1.100.Final. More details on this release may be found in the release notes.

Quarkus

Versions 3.2.7 and 2.16.12 of Quarkus primarily address several CVEs:

• CVE-2023-44487, a vulnerability in which Tomcat’s implementation of HTTP/2 was vulnerable to the rapid reset attack causing a denial of service that was typically manifested as an OutOfMemoryError.
• CVE-2023-39410, a vulnerability in Apache Avro that would allow an attacker to deserialize untrusted or corrupted data resulting in consuming memory beyond the allowed constraints and therefore leading to the system to run out of memory.
• CVE-2023-34454, a vulnerability in snappy-java that would allow an attacker to take advantage of unchecked multiplications causing a possible integer overflow resulting in an unrecoverable fatal error.

More details on these releases may be found in the changelogs for version 3.2.7 and version 2.6.12.

The Quarkus team has also documented their journey in addressing CVE-2023-44487 that includes an overview of the CVE, threads vs. event loops and their solution.

Open Liberty

IBM has released 23.0.0.10 of Open Liberty featuring support for JDK 21 and an update to the featureUtility command that now verifies feature authenticity by default when a new feature is installed into Open Liberty. This replaces the verified checksums, but checksums do not ensure the authenticity of downloaded files.

Apache Software Foundation

The release of Apache TomEE 9.1.1 ships with bug fixes, dependency upgrades and the most notable change that drops support for their own shade of CFX in favor of Apache CXF 4.0. This release also includes fixes and backports for several CVEs:

• CVE-2023-34981, a vulnerability in which a regression in the fix for Bug 66512 could lead to an information leak if a response did not include any HTTP headers, then no Apache JServ Protocol (AJP) SEND_HEADERS message would be sent for the response. This was fixed in Bug 66591 and developers are encouraged to migrate to minimal versions 11.0.0-M6, 10.1.9, 9.0.75 or 8.5.89.
• CVE-2023-42795, an exposure that occurs when recycling various internal objects, including the request and the response, prior to re-use by the next request/response, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next.
• CVE-2023-35116, a vulnerability in Jackson Databind 2.15.2 and below such that an attacker can craft an object that uses cyclic dependencies that may result in a denial of service. It is important to note that this CVE is in dispute because FasterXML, creators of Jackson, believe that the steps to construct a cyclic data structure with an attempt to serialize it cannot be achieved by an external attacker.

More details on this release may be found in the release notes.

Versions 10.1.15 and 8.5.95 of Apache Tomcat both feature notable fixes: a regression with HTTP compression after refactoring code; and a regression in the clean-up of unnecessary use of fully qualified class names in versions 10.1.14 and 8.5.94 that broke the JDBC pool. More details on these releases may be found in the release notes for version 10.1.15 and version 8.5.95.

JHipster

The first release candidate of JHipster 8.0.0 provides bug fixes, dependency upgrades and notable changes such as: the JHipster-generated equals() method is now safe to use in Hibernate; improved code coverage of the MetricsComponent class; and improved support of JHipster Blueprints. More details on this release may be found in the release notes.

Version 0.45.0 of JHipster Lite has been released featuring bug fixes, improvements in documentation, dependency upgrades and new features/improvements such as: a new YamlFileSpringPropertiesHandler class in preparation for supporting YAML configuration; new toString() methods added to various JHipster classes for improved debugging; and support for processing multi-line comments in Spring property files. More details on this release may be found in the release notes.

The JHipster team also celebrated their 10th anniversary this past week. The very first commit was published on October 21, 2013.

EclipseCon

EclipseCon 2023 was held at the Forum am Schlosspark and the Film-und-Medienzentrum (FMZ) in Ludwigsburg, Germany this past week featuring speakers from the Java Community who presented on topics such as: Automotive & Mobility, IOT & Edge, Open Source Best Practices, Programming Languages & Runtimes, and Tools & IDEs. The conference also featured a Community Day that brings together like-minded individuals, passionate experts, and curious minds from all walks of life for meetings, project updates, workshops, presentations or panel discussions. Ivar Grimstad, Jakarta EE Developer Advocate at the Eclipse Foundation posted his daily summaries for Community Day, Day One, Day Two and Day Three.

Article originally posted on InfoQ. Visit InfoQ

This week’s Java roundup for October 9th, 2023 features news from OpenJDK, JDK 22, Apache Tomcat CVEs, Devoxx Morocco, and milestone, point and release candidates of: Spring Framework; Spring Data; Micronaut; Quarkus; Micrometer Metrics; Micrometer Tracing; Apache Kafka; Apache Camel; Eclipse Vert.x; Project Reactor; JHipster Lite; Piranha; and RefactorFirst.

OpenJDK

After its review has concluded, JEP 454, Foreign Function & Memory API, has been promoted from Proposed to Target to Targeted for JDK 22. This JEP proposes to finalize this feature after two rounds of incubation and three rounds of preview: JEP 412, Foreign Function & Memory API (Incubator), delivered in JDK 17; JEP 419, Foreign Function & Memory API (Second Incubator), delivered in JDK 18; JEP 424, Foreign Function & Memory API (Preview), delivered in JDK 19; JEP 434, Foreign Function & Memory API (Second Preview), delivered in JDK 20; and JEP 442, Foreign Function & Memory API (Third Preview), to be delivered in the upcoming GA release of JDK 21. Improvements since the last release include: a new Enable-Native-Access manifest attribute that allows code in executable JARs to call restricted methods without the use of the --enable-native-access flag; allow clients to programmatically build C function descriptors, avoiding platform-specific constants; improved support for variable-length arrays in native memory; and support for multiple charsets in native strings. InfoQ will follow up with a more detailed news story.

JEP 460: Vector API (Seventh Incubator), has been promoted from its JEP Draft 8315945 to Candidate status. This JEP, under the auspices of Project Panama, incorporates enhancements in response to feedback from the previous six rounds of incubation: JEP 448, Vector API (Sixth Incubator), to be delivered in the upcoming GA release of JDK 21; JEP 438, Vector API (Fifth Incubator), delivered in JDK 20; JEP 426, Vector API (Fourth Incubator), delivered in JDK 19; JEP 417, Vector API (Third Incubator), delivered in JDK 18; JEP 414, Vector API (Second Incubator), delivered in JDK 17; and JEP 338, Vector API (Incubator), delivered as an incubator module in JDK 16. The most significant change from JEP 448 includes an enhancement to the JVM Compiler Interface (JVMCI) to support Vector API values.

JEP Draft 8315398, Implicitly Declared Classes and Instance Main Methods (Second Preview), formerly known as Unnamed Classes and Instance Main Methods (Preview), Flexible Main Methods and Anonymous Main Classes (Preview) and Implicit Classes and Enhanced Main Methods (Preview), incorporates enhancements in response to feedback from the previous round of preview, namely JEP 445, Unnamed Classes and Instance Main Methods (Preview). This JEP proposes to “evolve the Java language so that students can write their first programs without needing to understand language features designed for large programs.” This JEP moves forward the September 2022 blog post, Paving the on-ramp, by Brian Goetz, Java language architect at Oracle. Gavin Bierman, consulting member of technical staff at Oracle, has published the first draft of the specification document for review by the Java community. More details on JEP 445 may be found in this InfoQ news story.

Gavin Bierman, consulting member of technical staff at Oracle, has provided an updated specification document for JEP 447, Statements before super() (Preview), a JEP that proposes to: allow statements that do not reference an instance being created to appear before the this() or super() calls in a constructor; and preserve existing safety and initialization guarantees for constructors.

JDK 22

Build 19 of the JDK 22 early-access builds was made available this past week featuring updates from Build 18 that include fixes to various issues. Further details on this build may be found in the release notes.

For JDK 22, developers are encouraged to report bugs via the Java Bug Database.

Spring Framework

The first release candidate of Spring Framework 6.1.0 delivers bug fixes, improvements in documentation, dependency upgrades and new features such as: a move of the ReactorResourceFactory class from the org.springframework.http.client.reactive to the org.springframework.http.client package for improved support of CRaC; allow custom implementations of the ClientRequestObservationConvention interface for the RestClient interface; and expose the shouldHandle(ApplicationEvent) method in the ApplicationListenerMethodAdapter class to inspect whether a listener is actually interested in an event instance. More details on this release may be found in the release notes.

Similarly, Spring Framework 6.0.13 has been released featuring bug fixes, improvement in documentation, dependency upgrades and new features such as: improved diagnostics for when repeated text size calculation results in overflow in the Spring Expression Language; and reintroduce the FastClass class in CGLIB proxy class names annotated with @Configuration. Further details on this release may be found in the release notes.

The first release candidate of Spring Data 2023.1.0, codenamed Vaughn, delivers: support for JDK 21; use of virtual threads via configuration of the Java Executor interface; support for Kotlin value classes; an initial exploration of optimizations with CRaC; and a migration of documentation to Antora. More details on this release may be found in the release notes.

Versions 2023.0.5, 2022.0.11 and 2021.2.17, all service releases of Spring Data, feature bug fixes and respective dependency upgrades to sub-projects such as: Spring Data Commons 3.1.5, 3.0.11 and 2.7.17; Spring Data MongoDB 4.1.5, 4.0.11 and 3.4.17; Spring Data Elasticsearch 5.1.5, 5.0.11 and 4.4.17; and Spring Data Neo4j 7.1.7, 7.0.11 and 6.3.17. These versions can be consumed by the upcoming releases of Spring Boot 3.1.5, 3.0.12 and 2.7.17, respectively.

The second milestone release of Spring Shell 3.2.0 provides: experimental support for a new Terminal UI and other notable changes such as: a new ViewCommand class to provide a higher level instruction for the View interface; and improved implementations of the ButtonView and DialogView classes. Further details on this release, including a demo of the new Terminal UI, may be found in the release notes.

Micronaut

The Micronaut Foundation has released version 4.1.4 of the Micronaut Framework featuring Micronaut Core 4.1.9 and update to modules: Micronaut Serialization, Micronaut AWS, Micronaut Email, Micronaut Data, Micronaut Maven Plugin, Micronaut SQL Libraries, and Micronaut Discovery Client. More details on this release may be found in the release notes.

Quarkus

Red Hat has released version 3.4.3 of Quarkus 3.4.3 that primarily addresses CVE-2023-44487, a vulnerability in which Tomcat’s implementation of HTTP/2 was vulnerable to the rapid reset attack causing a denial of service that was typically manifested as an OutOfMemoryError. There were also improvements in documentation and notable fixes such as: a call to a Reactive REST Client that hangs when receiving an invalid chunked response resulting in resources not being released; a ClassNotFoundException when Quarkus applications using Picocli and JAX-RS to consume SSEs breaks when converted to a native build; and allow the MicroProfile @ClientHeaderParam annotation to override the “User-Agent” header parameter. Further details on this release may be found in the changelog.

Micrometer

Versions 1.12.0-RC1, 1.11.5, 1.10.12 and 1.9.16 of Micrometer Metrics all deliver dependency upgrades and these bug fixes: an instance of the ObservationRegistry.NOOP interface is null when running in a Spring Boot application; and a ConcurrentModificationException using the computeIfAbsent() method defined in the Context inner class of the Observation interface. New features in version 1.12.0-RC1 include: move the instrumentation for the Jakarta Messaging specification to a new module, micrometer-jakarta9; and support for the VMware CSP authentication system for their integration of Wavefront. More details on these releases may be found in the release notes for version 1.12.0-RC1, version 1.11.5, version 1.10.12 and version 1.9.16.

Similarly, versions 1.2.0-RC1, 1.1.6 and 1.0.11 of Micrometer Tracing all deliver dependency upgrades and bug fixes such as: apply a wider inclusion for Zipkin Reporter in the Gradle build to resolve dependency issues; and a scope override when a scope was set in the ObservationAwareSpanThreadLocalAccessor class. New features in version 1.2.0-RC1 include: define the SpanTagAnnotationHandler class as optional to match the TimedAspect class for improved configuration by frameworks; and a migration of io.opentelemetry:opentelemetry-semconv to io.opentelemetry.semconv:opentelemetry-semconv due to OpenTelemetry having deprecated their old Semantic Conventions module with a new module that have different Maven coordinates. Further details on these releases may be found in the release notes for version 1.2.0-RC1, version 1.1.6 and version 1.0.11.

Apache Software Foundation

The Apache Tomcat team has disclosed four Common Exposures and Vulnerabilities (CVEs) that affect versions 11.0.0-M1 to 11.0.0-M11, 10.1.0-M1 to 10.1.13, 9.0.0-M1 to 9.0.80 and 8.5.0 to 8.5.93.

• CVE-2023-42795, an exposure that occurs when recycling various internal objects, including the request and the response, prior to re-use by the next request/response, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next.
• CVE-2023-45648, a vulnerability in which an attacker can send a specially crafted, invalid trailer header that could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.
• The aforementioned CVE-2023-44487.
• CVE-2023-42794, a vulnerability in which Tomcat’s internal fork of a Commons FileUpload package included an unreleased, in progress refactoring on Windows if a web application opened a stream for an uploaded file, but failed to close the stream. The file would never be deleted from disk creating the possibility of an eventual denial of service due to the disk being full. It is important to note that this CVE only affected Tomcat versions 9.0.70 to 9.0.80 and 8.5.85 to 8.5.93.

Users of these affected versions should apply one of the following mitigations: upgrade to minimal versions of Apache Tomcat 11.0.0-M12, 10.1.14, 9.0.81 and 8.5.94.

The release of Apache Kafka 3.6.0 delivers bug fixes, improvements and new features such as: support for delegation tokens in Kafka Raft (KRaft); the ability to migrate Kafka clusters from a ZooKeeper metadata system to a KRaft metadata system; and support for Tiered Storage as an early-access feature. More details on this release may be found in the release notes.

The release of Apache Camel 4.1.0 provides bug fixes, dependency upgrades and new features such as: capture startup events and report time in a report for human-readable form; a new Camel Thymeleaf template component to complement the existing Camel Freemarker and Camel Velocity components for working with templates; and a new command to generate SBOM for a given JBang project in CycloneDX format. Further details on this release may be found in the release notes.

Eclipse Vert.x

The release of Eclipse Vert.x 4.4.6 delivers dependency upgrades and notable changes such as: an upgrade to Netty 4.1.100.Final that addresses the aforementioned CVE-2023-44487; fixes in the Money class that include deprecating the Money(long, int) constructor in favor of Money(Number); and drop support for an empty Host header in a curl command that caused a NullPointerException. More details on this release may be found in the release notes and deprecations and breaking changes.

Project Reactor

The first release candidate of Project Reactor 2023.0.0 provides dependency upgrades to reactor-core 3.6.0-RC1, reactor-pool 1.0.3 and reactor-netty 1.1.12. There was also a realignment to version 2023.0.0-RC1 with the reactor-kafka 1.3.21, reactor-addons 3.5.1 and reactor-kotlin-extensions 1.2.2 artifacts that remain unchanged. Further details on this release may be found in the changelog.

Similarly, Project Reactor 2022.0.12, the twelfth maintenance release, provides dependency upgrades to reactor-core 3.5.11, reactor-netty 1.1.12 and reactor-pool 1.0.3. There was also a realignment to version 2022.0.11 with the reactor-kafka 1.3.21, reactor-addons 3.5.1 and reactor-kotlin-extensions 1.2.2 artifacts that remain unchanged. More details on this release may be found in the changelog.

JHipster Lite

Version 0.44.0 of JHipster Lite has been released featuring bug fixes, dependency upgrades and new features/enhancements such as: enable some builds on JDK 21; fix use of the Java HashMap class in the KafkaPropertiesTest class; and display a minimap on the landscape screen for improved navigation. Further details on this release may be found in the release notes.

Piranha

The release of Piranha 23.10.0 delivers notable changes such as: dependency and plugin upgrades; a code smell fix in the PiranhaJarContainer class; and a removal of the Vulnerabilities, Technical Debt, Security and Reliability badges. More details on this release may be found in their documentation and issue tracker.

RefactorFirst

Jim Bethancourt, principal software consultant at Improving, an IT services firm offering training, consulting, recruiting, and project services, has announced the release of RefactorFirst 0.5.0-M1. This release delivers: many dependency upgrades and new features such as: a new command line for RefactorFirst; and a refactor of the HTML, CSV and JSON reports into their own respective modules. It is important to note that RefactorFirst now requires JDK 11 to address CVE-2023-4759, a vulnerability in JGit versions below 6.6.0 that allows an attacker to use a symbolic link in a specially crafted git repository to write a file to locations outside the working tree. As a result, the project has also been moved into the newly created RefactorFirst organization on GitHub. Further details on this release may be found in the release notes.

Devoxx Morocco

Devoxx Morocco was held at the Hilton Taghazout Bay Beach Resort & Spa in Taghazout, Morocco this past week featuring speakers from the Java community who presented on topics such as: Architecture, Data & AI, Development Practices, DevOps & Cloud, and Security.

Article originally posted on InfoQ. Visit InfoQ

This week’s Java roundup for October 2nd, 2023 features news from OpenJDK, JDK 22, Azul Code Inventory, Spring Shell 3.1.4, 3.0.8 and 2.1.13, JNoSQL 1.0.2, Quarkus 3.4.2, Micronaut 4.1.3, Hibernate Search 6.2.2, PrimeFaces 12.0.6, 11.0.12, 10.0.19 and 8.0.24, Maven 3.9.5, Camel 3.20.7, Tomcat Native 1.2.39, Testcontainers 1.19.1, JBang 0.111.0, Gradle 8.4, QCon San Francisco and Devoxx Belgium.

Open JDK

JEP 454, Foreign Function & Memory API, has been promoted from Candidate to Proposed to Target for JDK 22. This JEP proposes to finalize this feature after two rounds of incubation and three rounds of preview: JEP 412, Foreign Function & Memory API (Incubator), delivered in JDK 17; JEP 419, Foreign Function & Memory API (Second Incubator), delivered in JDK 18; JEP 424, Foreign Function & Memory API (Preview), delivered in JDK 19; JEP 434, Foreign Function & Memory API (Second Preview), delivered in JDK 20; and JEP 442, Foreign Function & Memory API (Third Preview), to be delivered in the upcoming GA release of JDK 21. Improvements since the last release include: a new Enable-Native-Access manifest attribute that allows code in executable JARs to call restricted methods without the use of the --enable-native-access flag; allow clients to programmatically build C function descriptors, avoiding platform-specific constants; improved support for variable-length arrays in native memory; and support for multiple charsets in native strings. The review is expected to conclude on October 11, 2023.

JEP 459, String Templates (Second Preview), has been promoted from its JEP Draft 8314219 to Candidate status to provide a second preview from the first round of preview: JEP 430, String Templates (Preview). This JEP proposes to enhance the Java programming language with string templates, string literals containing embedded expressions, that are interpreted at runtime where the embedded expressions are evaluated and verified. More details on JEP 430 may be found in this InfoQ news story.

JEP 458, Launch Multi-File Source-Code Programs, was promoted from its JEP Draft 8304400 to Candidate status. This JEP proposes to enhance the Java Launcher to execute an application supplied as one or more files of Java source code. This allows a more gradual transition from small applications to larger ones by postponing a full-blown project setup.

JEP Draft 8316779, Null-Restricted Value Class Types (Preview), was updated to rename this draft from its original Value Object Storage Enhancements (Preview). Under the auspices of Project Valhalla, this JEP introduces null-restricted storage of value objects in fields and array components. “These variables are initialized to an initial instance of the class and reject attempts to write a null value. They can be optimized with compact, flattened object encodings.”

JDK 22

Build 18 of the JDK 22 early-access builds was made available this past week featuring updates from Build 17 that include fixes to various issues. Further details on this build may be found in the release notes.

For JDK 22, developers are encouraged to report bugs via the Java Bug Database.

Azul

At Devoxx Belgium this past week, Azul introduced their new product, Code Inventory, a new feature under Azul Vulnerability Detection that provides developers and DevOps teams “a precise catalog of the source code actually used in production by Java applications, making it easy to accurately identify dead and unused code for removal.”

Spring Framework

Versions 3.1.4, 3.0.8 and 2.1.13 of Spring Shell have been released featuring a new property, spring.shell.context.close, to close context requests after Shell has completed its execution logic. These releases are built on Spring Boot 3.1.4, 3.0.11 and 2.7.16, respectively. More details on these releases may be found in the release notes for version 3.1.4, version 3.0.8 and version 2.1.13.

Eclipse JNoSQL

The release of Eclipse JNoSQL 1.0.2 delivers bug fixes, improvements in documentation and the addition of JNoSQL Lite, a new option that provides an alternative to the traditional JNoSQL framework. Developers can now avoid reflection and read Java metadata annotations through the Java Annotation processor. Eclipse JNoSQL is the compatible implementation to the Jakarta NoSQL specification. Further details on this release may be found in the release notes and this technical article.

Quarkus

Quarkus 3.4.2, the second maintenance release, delivers improvements in documentation, dependency upgrades and notable bug fixes such as: Quarkus 3.4.1 fails to start in dev mode; a ExceptionInInitializerError due to gRPC interceptors lookup in Micrometer binders; and a ClassCastException with RESTEasy reactive and a Jersey client. More details on this release may be found in the release notes.

Micronaut

The Micronaut Foundation has released Micronaut Framework 4.1.3 featuring Micronaut Core 4.1.8 and updates to modules: Micronaut Oracle Cloud, Micronaut Serialization, and Micronaut SQL. Further details on this release may be found in the release notes.

Hibernate

The release of Hibernate Search 6.2.2.Final provides: bug fixes; adds compatibility with Elasticsearch 8.10 and OpenSearch 2.10: deprecates the ~ operator in regular expression predicates; and dependency upgrades to Hibernate ORM 6.2.9.Final for the -orm6 artifacts, Elasticsearch client 8.10.2, Jackson 2.15.2 and Avro 1.11.3. More details on this release may be found in the release notes.

PrimeFaces

Versions 12.0.6, 11.0.12, 10.0.19 and 8.0.24 of PrimeFaces have been released that address two security fixes: CVE-2022-45688, a vulnerability in which a denial-of-service attack is possible due to an attacker crafting JSON or XML data that will cause a stack overflow from the toJSONObject() method of the XML class in Hutool 5.8.10; and CVE-2020-7746, a vulnerability in which a prototype pollution is possible due to an attacker taking advantage of the options parameter, not properly sanitized, in Chart.js 2.9.4 when it is processed. New features include: an Ajax request should provide information if response was a redirect to the next dialog box; eliminate hiding the AjaxStatus facet when an Ajax request leads to a redirect; and a dependency upgrade to Chart.js 3.9.1. Further details on these releases may be found in the changelogs for version 12.0.6, version 11.0.12, version 10.0.19 and version 8.0.24.

Apache Software Foundation

The release of Apache Maven 3.9.5 delivers one bug fix, a dependency upgrade to Maven Artifact Resolver 1.9.16, and notable changes such as: an un-deprecation of wrongly deprecated repository metadata; support for ${project.basedir} in file profile activation; and colorization of download transfer messages. More details on this release may be found in the release notes.

Apache Camel 3.20.7 has been released featuring bug fixes, dependency upgrades and improvements such as: environment variables with the name ‘secret’ are now masked in logs; prevent the usage of proxy protocol in producer endpoint; and improved support for Mappers defined as abstract classes to allow for unwanted instances of the TypeConverters interface to be registered for the equals() and wait() methods. Further details on this release may be found in the release notes.

The release of Apache Tomcat Native 1.2.39 features: disabling the Online Certificate Status Protocol (OCSP) if the insecure optionalNoCA certificate verification option is used; and the binaries for Windows have been built with OpenSSL 3.0.11. More details on this release may be found in the changelog.

Testcontainers for Java

Testcontainers for Java 1.19.1 was released with notable changes such as: the ability to define a custom ImagePullPolicy interface via configuration; override the toString() method of the ImageNameSubstitutor class to return the value set in the getDescription() method; and independently log the image pull and container startup times.

JBang

The release of JBang 0.111.0 provides: support for Groovy 4.0; a display of integration errors when the --verbose command line parameter is used; a check that a manifest exists before an attempt to read from it; and ensure that alias settings are properly applied.

Gradle

Gradle 8.4 has been released featuring two security fixes: a vulnerability in which an incorrect permission assignment for symbolic linked files used in copy or archiving operations can lead to unintended permissions that are world readable and writable; and a vulnerability in which resolving XML external entities that are not disabled while parsing XML files can lead to exfiltration of local text files to a remote server. New features include: initial support for JDK 21 only to compile, test, and run Gradle projects since Kotlin does not yet support JDK 21; improved compilation on Windows OS; a simplified way to create role-focused instances of the Configuration interface using the ConfigurationContainer interface; and improved support for the Kotlin DSL. Further details on this release may be found in the release notes.

QCon San Francisco

The 17th annual QCon San Francisco conference was held at the Hyatt Regency in San Francisco, California. This five-day event is organized by C4Media, a software media company focused on unbiased content and information in the enterprise development community and creators of InfoQ and QCon. The conference consisted of three days of presentations and two days of workshops. Daily recaps of the presentations can be found for Day One, Day Two and Day Three.

Devoxx Belgium

Devoxx Belgium, celebrating its 20th year, was also held at the Kinepolis Antwerp in Antwerp, Belgium featuring speakers from the Java community presenting in tracks such as: Java, Server-Side Java, Architecture, Development Practices, Data & AI, Security and UI & UX.

Article originally posted on InfoQ. Visit InfoQ

Ryan Dahl, Co-Founder and CEO at Deno and Software Engineer Best Known for Creating Node.js, presented Streamlining Cloud Development with Deno at the 2023 QCon San Francisco conference.

According to Dahl, the web has become the medium of human information. It should be in existence five years from now and perhaps even the next 10 or 20 years. JavaScript is inherently tied to the web and, therefore, JavaScript will be important in the future.

As the creator of Node.js, Dahl’s goal was to force developers to easily build fast servers by only exposing asynchronous I/O in JavaScript. However, building those fast servers requires more than just asynchronous I/O. Issues that need to be addressed include: managing complex cloud configurations; some sort of geographically replicated state; navigating a plethora of software, workflows and toolchains; and supply chain security. This was his inspiration behind creating Deno, an open source next-generation JavaScript runtime that is: secure by default; offers native support for JavaScript and TypeScript; ships with testing, linting, formatting and more; is backwards compatible with Node.js and npm; and contains web standard APIs.

Deno is a single executable file at 100MB with support for 14 different web standards such as: globalThis, window.close(), FormData and webAssembly. Deno is also a browser for command-line scripts as shown in the following examples:

    
$ deno run https://deno.land/std@0.150.0/examples/gist.ts
    

The above Deno command will upload a Gist file to GitHub.

    
$ deno run npm:cowsay moo
    

The above Deno will execute an npm application named cowsay and display ASCII art of a cow saying “moo.”

Once installed, Deno can initialize a project using:

    
$ deno init
    

It will generate three files, main.ts, the main application that defines a function to add two numbers and display it on the terminal window; main_test.ts, a simple test for main.ts; and deno.json, a JSON file that defines the deno run command. The main application and test are executed as follows:

    
$ deno run main.ts
$ deno test main_test.ts
    

Dahl then provided a demo on how to quickly build an asynchronous compression stream application in only three lines of code as shown in the following example:

    
const src = await Deno.open("/etc/passwd");
const dst = await Deno.open("out.gz", {write: true, create: true})
src.readable.pipeThrough(new CompressionStream("gzip")).pipeTo(dst.writable);
    

Upon executing the above application, Deno requested read access and write access to the file to be opened and the gzip file, respectively.

Libraries from Node.js can be imported into Deno applications as the following example shows:

    
import { readFileSync } from "node:fs";

const etc = readFileSync("/etc/password");
console.log(etc);
    

It is important to note that Deno security permissions still apply when importing libraries.

Deno Node Transform (DNT), a Deno-to-npm package build tool that can transpile JavaScript for distribution on npm. Deno tests can also be transpile and executed on Node.js. Dahl provided a demo on how to build an Express server:

    
import express from "npm:express"

const app = express();
app.get("/", (_req, res) => { res.send('Hellon');});
app.listen(3000, () => { console.log("server on http://localhost:3000"); });
    

Deno Deploy, the “easiest serverless platform,” as Dahl claimed, features: scaling to zero cost; support for npm packages; built-in storage and compute; low global latency in 35 regions; fast cold starts; and powers Netlify Edge functions. To install Deno Deploy, simply execute the following command:

    
$ deno install -Arf https://deno.land/x/deploy/deployctl.ts
    

Deploying applications is accomplished with the deployctl command as shown in the following example:

    
$ deployctl deploy --project=hello-world ./examples/hello.ts
    

It is important to note that a personal access token is required before using Deno Deploy. One can be obtained from the access token page. The token may be stored in the DENO_DEPLOY_TOKEN environment variable or passed into the deployctl command with the --token flag.

Dahl then provided a demo on how to take the aforementioned freshly-built Express server and deploy it to the cloud.

Deno KV, a datastore anchored by ACID transactions and powered by FoundationDB. Features include: zero configuration; ACID transactions; scaling to zero cost; and built-in to Deno Deploy. Dahl stated that Deno KV doesn’t replace a real database, but it is useful for sharing state.

Article originally posted on InfoQ. Visit InfoQ

Day Three of the 17th annual QCon San Francisco conference was held on October 4th, 2023, at the Hyatt Regency San Francisco in San Francisco, California. This five-day event, consisting of three days of presentations and two days of workshops, is organized by C4Media, a software media company focused on unbiased content and information in the enterprise development community and creators of InfoQ and QCon. It included a keynote address by Will Larson and presentations from these four tracks:

• Architecting for the Cloud
  • Hosted by Khawaja Shams, Co-Founder and CEO at Momento
  • Offers attendees to share practitioner-driven insights on what works (and what doesn’t) as an inspiration to make the most out of a developer’s cloud computing journey.
• Deep Tech: Pushing the Boundaries of Hardware+Software
  • Hosted by Allison Randal, Board Member at sfconservancy.org, openinfra.dev, and openusage.org
  • Offers attendees to explore the latest trends in deep tech, including artificial intelligence, machine learning, big data, IoT/Edge, security, quantum computing, and more.
• Emerging Trends in the Frontend
  • Hosted by Jeff Wagner, Director of Engineering at Snowflake
  • Offers attendees to leverage new frameworks and capabilities to create more flexible, faster and engaging applications for users.
• Lessons in Building Organization Resilience
  • Hosted by Courtney Hemphill, Partner and Head of Product, Engineering and Design (PXEL) at WestMonroe
  • Offers attendees to dive into approaches teams and engineering leaders have taken to improve the resiliency of their organization over time.

There was also one sponsored solutions track.

Wes Reisz, Technical Principal at Thoughtworks, Creator/Co-Host of The InfoQ Podcast and QCon San Francisco 2023 Program Committee Chair, and Danny Latimer, Content Product Manager at C4Media, kicked off the day three activities by welcoming the attendees and providing an overview from day two. There were 20 editorial presentations, four unconference sessions and six presentations from sponsors.

Reisz highlighted a list of recommended day two sessions based on attendee feedback, namely: How Netflix Ensures Highly-Reliable Online Stateful Systems presented by Joseph Lynch, Distributed Systems Engineer at Netflix; How to Get Tech-Debt on the Roadmap presented by Ben Hartshorne, Principal Engineer at Honeycomb; Building Guardrails for Enterprise AI Applications with LLMs presented by Shreya Rajpal, Founder at Guardrails AI; and Defensible Moats: Unlocking Enterprise Value with Large Language Models presented by Nischal HP, Vice President of Data Science at Scoutbee.

Latimer provided an overview of how QCon conferences are organized. The process starts with a program committee six to seven months in advance, the selection of tracks and track hosts, and how the track hosts select the speakers for their respective tracks. There is no call for papers as speakers are selected by invitation, and are typically senior software practitioners and real-world technical experts.

Including himself, Reisz introduced the program committee, namely: Monica Beckwith, Java Champion, First Lego League Coach, passionate about JVM Performance at Microsoft; Haley Tucker, Principal Software Engineer for Platform Engineering at Netflix; Sid Anand, Chief Architect at Datazoom, Committer/PMC Apache Airflow; Courtney Hemphill; and Justin Cormack, CTO at Docker.

Latimer acknowledged the many QCon San Francisco staff and volunteers, the exhibitors and sponsors.

The aforementioned track leads for Day Three introduced themselves and described the presentations in their respective tracks.

Courtney Hemphill introduced the keynote speaker, Will Larson.

Keynote Address: Use Engineering Strategy to Reduce Friction and Improve Developer Experience

Will Larson, CTO at Carta and Author of “An Elegant Puzzle” and “Staff Engineer”, presented his keynote address entitled, Use Engineering Strategy to Reduce Friction and Improve Developer Experience. Larson kicked off his keynote with the alternate title, “Solving the Engineering Strategy Crisis!” Referencing the Book, “Good Strategy/Bad Strategy” by Richard Rumelt, Larson enumerated the attributes for a good engineering strategy, namely: diagnosis, guiding policies and coherent actions. This is the basis for his equation:

Engineering strategy = honest diagnosis + practical approach

As an example, Larson provided a step-by-step engineering crisis scenario using a fictitious company called “Widget & Hammer Company.”

• A software engineer joins Widget & Hammer Company
• The engineer’s team works in a Python monolith to build the Widget product
• The CTO hates monoliths and mandates a service migration
• The engineer switches teams to build a brand new Hammer product in a new service
• Two years later, the engineer’s old team and the Widget product are still in the monolith
• The engineer has no idea how to share code between the Widget and Hammer products

Focusing on the honest diagnosis operand of the above equation, Larson asks, “How can engineering strategy help the Widget & Hammer company?” To start, he presented a number of dishonest diagnoses, namely: “We can migrate to services in three months;” “We have de-risked our approach by moving meaningful complex component out of our monolith;” We are willing to invest heavily in migrating our services, even if it means slowing down product velocity in the short term;” and “We are willing to expand out Developer Tools team to build new tools for services in addition to supporting our existing monolith.”

Interestingly, the list of honest diagnoses was exactly the same because it is quite possible that any one of them can be accomplished. Larson then defined honest diagnosis as “A reality-based assessment of your circumstances. Nothing is universally honest.”

Focusing on the practical approach operand of the above equation, Larson asks, “How can engineering strategy help the Widget & Hammer company?” He maintained that practical approaches acknowledge tradeoffs when documenting strategies. A small example showed the process of how an engineering strategy evolved from something that would most likely fail to something that would most likely succeed. Context and knowing the tradeoffs are essential.

Larson then asked, “Can something so simple be so useful?” To answer that question, he elaborated on some concrete strategy examples from Stripe (“We run a Ruby monolith”), Calm (“We are a product engineering company”) and Uber (“We run our own hardware”). For each company, he provided the diagnosis, the approach and the impact.

The engineering strategies for all three companies were successful because: many interesting properties are only available through universal adoption (“We run our own hardware”); concentrate on tooling investment (“We run a Ruby monolith”); reduce energy lost on conflict (“We are a product engineering company”); control your innovation budget (all three); and new hires, especially senior new hires, are forced to explicitly engage with strategy rather than having the option of ignoring it. (all three).

There is also an impact on missing engineering strategies with examples of: a good diagnosis, but highly impractical approach; a diagnosis reasoned back from an approach as that approach was determined to be built on a shaky foundation; and two reasonable, but conflicting diagnoses that culminated in a flawed approach.

Larson stated that every company has an engineering strategy, but it is rarely documented. With a written strategy, it’s easier: for new hires to find; to get feedback; to explain updates; to clarify confusion; and to hold employees accountable. If a strategy is struggling, it either due to a dishonest diagnosis or an impractical approach.

Highlighted Presentations: Streamlining Cloud Development with Deno, Unconference Sessions

Streamlining Cloud Development with Deno was presented by Ryan Dahl, Co-Founder & CEO at Deno and Software Engineer Best Known for Creating Node.js. Dahl kicked off his presentation by stating that the web has become the medium of human information and that JavaScript is inherently tied to the web.

As the creator of Node.js, his goal was to force developers to easily build fast servers by only exposing asynchronous I/O in JavaScript. However, building those fast servers requires more than just asynchronous I/O. Issues that need to be addressed include: managing complex cloud configurations; some sort of geographically replicated state; navigating a plethora of software, workflows and toolchains; and supply chain security. This was the inspiration behind Deno, an open source next-generation JavaScript runtime.

Dahl introduced Deno as: a browser for command-line scripts; a single executable file at 100MB; support for 14 different web standards; and secure by default. Deno offers native support for JavaScript and TypeScript and the language includes a standard library.

Dahl then provided a demo on how to quickly build an asynchronous compression stream application that would open a file, then compress it to a gzip file. Upon executing the application, Deno requested read access and write access to the file to be opened and the gzip file, respectively. Libraries from Node.js can be imported in Deno.

Deno Node Transform (DNT), a Deno-to-npm package build tool that can transpile JavaScript for distribution on npm. Deno tests can also be transpile and executed on Node.js. Dahl provided a demo on how to build an Express server.

Deno Deploy, the “easiest serverless platform,” as Dahl claimed, features: scaling to zero cost; support for npm packages; built-in storage and compute; low global latency in 35 regions; fast cold starts; and powers Netlify Edge functions. Dahl then provided a demo on how to take the aforementioned freshly-built Express server and deploy it.

Deno KV, a datastore anchored by ACID transactions and powered by FoundationDB. Features include: zero configuration; ACID transactions; scaling to zero cost; and built-in to Deno Deploy. Dahl stated that Deno KV doesn’t replace a real database, but it is useful for sharing state.

Unconference Sessions, facilitated by Danny Latimer, Content Product Manager at C4Media, are facilitated, bottom up and self-directing discussions among experts. They are designed as “by the people, for the people.” There were a total of seven unconference sessions spread over the first two days of presentations related to the conference tracks:

• Languages of Infra
• Beyond YAML
• Architectures You’ve Always Wondered About
• Staff+ Engineering
• Platform Engineering Done Well
• JVM Trends; Modern ML
• Designing for Resilience

A typical unconference session featured a round of introductions followed by attendees writing down topics as candidates for discussion. Afterwards, attendees would then peruse through the submitted list of topics and select the ones that they felt were worthy of a more detailed discussion. Approximately eight topics were selected and areas for each topic were established in the conference room for attendees to participate in the conversation.

Summary

Day Three consisted of an opening keynote address, 20 editorial presentations, five presentations from sponsors and a closing keynote address, Mission, Culture, and Values: Using Them to Guide Your Company Through Good and Challenging Times, delivered by Heather McKelvey, Vice President of Engineering at LinkedIn.

Article originally posted on InfoQ. Visit InfoQ

Day One of the 17th annual QCon San Francisco conference was held on October 2nd, 2023, at the Hyatt Regency San Francisco in San Francisco, California. This five-day event, consisting of three days of presentations and two days of workshops, is organized by C4Media, a software media company focused on unbiased content and information in the enterprise development community and creators of InfoQ and QCon. It included a keynote address by Suhail Patel and presentations from these four tracks:

• Architectures You’ve Always Wondered About
  • Hosted by Wes Reisz, Technical Principal at Thoughtworks, Creator/Co-Host of The InfoQ Podcast and QCon San Francisco 2023 Program Committee Chair
  • Offers attendees to learn what it takes to operate modern, high scale systems from the engineers and leaders who build them..
• Modern Data Engineering & Architectures
  • Hosted by Sid Anand, Chief Architect at Datazoom, Committer/PMC Apache Airflow
  • Offers attendees to learn some fundamental, powerful yet versatile building blocks and their core engineering principles that developers can leverage to build a simple yet efficient and scalable data architecture.
• Languages of Infra: Beyond YAML
  • Hosted by Justin Cormack, CTO at Docker
  • Offers attendees to explore a variety of tools that move away from YAML with talks both from practitioners and from those who have brought new tools and processes into creation because they have a strong vision beyond the status quo.
• Staff+ Engineering Skills
  • Hosted by Krys Flores, Staff Engineer at Carta
  • Offers attendees to learn what it takes to be an effective and successful Staff+ Engineer.

There were also two sponsored solutions tracks.

Dio Synodinos, President of C4Media, kicked off the day one activities by welcoming the attendees and discussed: human progress through technology; the InfoQ core values; and highlighted that the speakers at QCon conferences reflect those values.

Wesley Reisz reaffirmed the InfoQ core values, discussed: how the editorial tracks and track hosts are selected; the concept of the unconference sessions that are facilitated, bottom up and self-directing discussions among experts; and highlighted the sponsored tracks.

Pia von Beren, QCon Product Manager and Diversity Lead at C4Media, introduced the new QCon features, namely: Attendee Lightning Talks; the 1:1s; the Women & Allies in Tech Breakfast; and defined the conference breaks where attendees can network as the “Hallway Track.”

The aforementioned track leads for Day One introduced themselves and described the presentations in their respective tracks.

Haley Tucker, Principal Software Engineer for Platform Engineering at Netflix and QCon San Francisco 2023 Program Committee Member, introduced the keynote speaker, Suhail Patel.

Keynote Address: From Mainframes to Microservices – the Journey of Building and Running Software

Suhail Patel, Staff Engineer at Monzo, presented his keynote address entitled, From Mainframes to Microservices – the Journey of Building and Running Software. On his opening slide, which Patel stated was also his conclusion, he asked why the following is true:

Many of our systems are built in the era of commodity computing. Our demands have surpassed the realms of commodity hardware and we’re in a world where only a few big players can satisfy our needs.

After showing a behind-the-scenes view of the required microservices for an application in which a Monzo customer uses their debit card, he provided a retrospective of the platforms and software patterns that made both mainframes and microservices so popular, such as: the oldest software system in continuous use by the IRS; the latest IBM mainframe; and warehouse scale computing, an example of how Amazon implements their Prime Day.

In a more humorous moment, Patel displayed a slide entitled, “Only Murders in the Building,” that contained an October 2015 tweet by Honest Update:

We replaced our monolith with microservices so that every outage could be more like a murder mystery.

Patel referenced The Tail at Scale, published in February 2013, in which software techniques that tolerate latency variability are vital to building responsive large-scale Web services.

Despite the advances in CPUs and networks, “The free lunch is over,” Patel said, referring to a March 2005 technical article by Herb Sutter, software architect at Microsoft and chair of the ISO C++ Standards Committee, that discussed the slowing down of Moore’s Law and how the drastic increases in CPU clock speed were coming to an end. Sutter maintained:

No matter how fast processors get, software consistently finds new ways to eat up the extra speed. Make a CPU ten times as fast, and software will usually find ten times as much to do (or, in some cases, will feel at liberty to do it ten times less efficiently).

Patel discussed the massive reduction in cost and complexity to get large scale software running on the web and how that trend might not continue forever, especially in the era of specialized offerings like custom datastores that cannot be individually hosted and edge computing.

Patel then introduced solutions to help developers in this area. These include: io_uring, an asynchronous interface to the Linux kernel that can potentially benefit networking; the emergence of programming languages, such as Java, “old language, new tricks,” as Patel characterized, due to its recent JDK 21 release; Rust and Zig; and simdjson, a library that uses commonly available SIMD instructions and micro-parallel algorithms to parse JSON for more efficient parsing of JSON.

Patel then showed the CNCF Cloud Native Interactive Landscape, to highlight the number of technologies that are available for cloud-native applications development.

The foundations in programming languages, software architecture, virtual machines and containers and even stateful systems have influenced how developers build and run software at scale today.

Highlighted Presentations: Pulumi, Pipelined Relational Query Language, Apache Hudi, Kubernetes without YAML

Pulumi Adventures: How Python Empowered My Infrastructure Beyond YAML was presented by Adora Nwodo, Founder at NexaScale, Senior Software Engineer and Author of “Cloud Engineering for Beginners.” Nwodo was once a full-stack developer until she discovered Pulumi, an open-source Infrastructure as Code platform, and how it interacts with languages such as Python to offer a familiar landscape for engineers who are interested in Infrastructure as Code (IaC).

Nwodo maintained that manual configurations “don’t cut it anymore” because: deployments are slower; developers rely on documentation; there is a larger risk of errors; and a manual effort is required for rollbacks. Managing resources has become more complex as cloud innovation has rapidly grown over the past few years. As a result, Nwodo switched to Pulumi as an alternative to ARM templates. This greatly impacted her workflow and she was able to more easily manage infrastructure while writing code.

IaC can solve these problems because: configurations are specified in code; infrastructure deployments can be automated; developers can test, version and rollback, if necessary; and transferable skills from programming can be utilized.

Using the pulumi command, Nwodo demonstrated how to create, build and execute a Pulumi application. Developers can reference a Pulumi example on GitHub.

PRQL: A Simple, Powerful, Pipelined SQL Replacement was presented by Aljaž Mur Eržen, Compiler Developer at EdgeDB and PRQL Maintainer. Before his formal introduction to Pipelined Relational Query Language (PRQL), Eržen presented a brief history of SQL that included acknowledgements to: Edgar F. Codd and his 1970 paper, “A Relational Model of Data for Large Shared Data Banks,” which described a new way of structuring data using ideas from set theory; and Donald D. Chamberlin and Raymond F. Boyce who developed SEQUEL, later renamed SQL for Structured Query Language.

Eržen then discussed the flaws of SQL demonstrating examples of how, despite the human friendly syntax, the order of providing traditional SQL statements isn’t all that natural. Also, while providing an alias in SQL statements, such as SELECT title AS title_alias, name resolution can be confusing because of the rules on when to reference the table name or alias name.

In his quest to provide an alternative to SQL, Eržen wanted to design a new language for relations that are more natural as demonstrated with a simple PRQL example. Requirements for this new design were: read from top to bottom; easy exploration; lazy evaluation; and more easily extract variables and functions. His data model for this new design included: basic data types (int, bool, etc.); tuples as described by tuple calculus; arrays; declarations; functions; transforms; and grouping. A relation can be defined as an array of tuples and transforms can be defined as a function on those relations. PRQL provides the set of 12 transforms that include names familiar to SQL developers such as: std.from, std.select, std.aggregate, std.join and std.sort.

Eržen mentioned other organizations that have provided an alternative to SQL, namely: EdgeDB with their motto that “we can do better than SQL;” LINQ, a pipelined language for the .NET framework; FunSQL.jl, a Julia library for compositional construction of SQL queries; Malloy, a modern open-source language for analyzing, transforming, and modeling data; and Ecto SQL, an Object-Relational Mapping (ORM) library for Elixir.

Eržen then introduced PRQL, a simple pipelined language that follows the aforementioned design principles, initially released in March 2022. It is fully open-sourced, adheres to the Apache License 2.0, and, as Eržen emphasized, will never be monetized.

The prqlc command is the PRQL compiler that targets SQL databases PostgreSQL, SQLite, DuckDB, MySQL and ClickHouse. Its bindings support C, Python, JS, Java, .NET and PHP. The compilation flow can be described as PRQL → Pipeline Language → Relational Query → SQL. PRQL is written in Rust and extensions for VScode are available. Developers can learn more about PRQL at this GitHub repository.

Incremental Data Processing with Apache Hudi was presented by Saketh Chintapalli, Software Engineer at Uber, and Bhavani Sudha Saktheeswaran, Distributed Systems Engineer at Onehouse and Apache Hudi PMC. Saktheeswaran kicked off the presentation with a discussion of the evolution of data infrastructure by comparing on-premise data warehouses (traditional business integration/reporting) and data lakes (search/social). In general, relative to data warehouses, data lakes are open-source and cheaper to scale. She then provided a graphical representation of a typical Lakehouse architecture.

Saktheeswaran then introduced Apache Hudi, a transactional data lake platform, and how THE platform interacts with data streams, databases, cloud storage, meta stores and various analytics tools.

Chintapalli introduced incremental data processing that combines the two modern processing models: batch and stream data processing. After comparing the two data processing models, he concluded that batch processes are slow and inefficient due to: slow batch ingestion; a rewrite of entire tables with overlaps; no smart way to recompute Extract, Transform and Load (ETL); and that late-arriving data can be a nightmare.

Chintapalli then provided two case studies. Case 1, Driver/Courier Earnings, in which he demonstrated the challenges with late-arriving data (relative to a 90-day window) and compared a traditional ETL load strategy with an improved incremental ETL load strategy. Case 2, Menu Updates for Uber Eats Merchants, described the challenges with modeled datasets for Uber Eats and the frequency of daily menu data changes.

Saktheeswaran demonstrated how Hudi unlocks incremental data processing for fast-changing data by introducing its various features along with the Hudi Table Types, Hudi Query Types and how it optimizes for large scale updates.

Hudi 0.14.0 is expected to be released very soon and plans for Hudi 1.0.0 will support non-blocking concurrency control. The Hudi Community consists of: five cloud providers with Hudi pre-installed; a diverse set of PMC and committers; and a rich community of participants.

Kubernetes without YAML presented by David Flanagan, Kubernetes Whisperer. Flanagan kicked off his presentation by engaging the audience with a Slido poll containing three questions:

• What resources do you need to deploy an application to Kubernetes in production?
• What tools have you used to deploy to Kubernetes?
• Are you happy with the developer experience of deploying to Kubernetes?

After discussing the results of the poll, Flanangan demonstrated some of the challenges of deploying an application to Kubernetes by playing a small portion of a video from his Klustered Teams series with Red Hat and Talos Systems in which the participants encountered a permission denied error upon executing the kubectl get nodes command and spent a significant amount of time trying to fix it.

Flanagan described the number of resources for a typical Kubernetes deployment, namely: a service; a configuration map; a secret; HPA; PDB; a pod monitor; and network policy, all of which require roughly 120 lines of YAML code. And this didn’t include a number of other resources that could be utilized.

Flanagan then listed the attributes and associated tools that developers should require, namely: the Don’t Repeat Yourself (DRY) Principle; being shareable; being composable; documentation; and being testable.

Tools in the DRY attribute included: YAML Anchors to handle repeated sections in a YAML file; and Kustomize, a template-free native configuration management tool.

Tools in the Shareable attribute included: Helm, a package manager for Kubernetes. Flanagan maintained that the main problem with Helm is the composition of the values.yaml file, but despite this issue, Helm can still be useful.

Tools in the Composable attribute included the aforementioned Kustomize which is essentially a copy and paste.

Tools in the Testable attribute included: Rego, a tool designed to allow asynchronous workloads to be deployed over Kubernetes with minimal effort; and Common Expression Language (CEL), a tool offered by Google to implement common semantics for expression evaluation for improved interoperability among different applications. Flanagan maintained that it can be difficult to work with Rego.

Flanagan then stated that despite these attributes, developers are missing the Developer Experience is missing from these attributes. In 2020, he was quoted as saying:

A good developer experience is one where a developer can be successful with intuitive decisions, rather than informed decisions.

There are a number of developer experience tools available, namely, cdk8s; Pulumi; CUE/Timoni; Terraform; and Go. Pulumi is a good tool, Flanagan said, but he doesn’t recommend it for Kubernetes because it is based on the Terraform model. As recent as five years ago, most of the developers were primarily using Go, but that has evolved to languages such as Java, Rust and Zig.

Flanagan focused on cdk8s, an open-source software development framework for defining Kubernetes applications and reusable abstractions that supports the familiar programming languages Go, JavaScript, TypeScript and Python. cdk8s applications can synthesize into standard Kubernetes manifests which can be applied to any Kubernetes cluster.

He then provided a live coding demo using TypeScript to create a deployment along with options for continuous improvement within the source code.

Flanagan concluded his presentation with best practices that included: build internal pattern libraries, i.e., stop reinventing the wheel; share publicly with other developers; policies and tests; and hook into the existing tools as necessary.

Article originally posted on InfoQ. Visit InfoQ

This week’s Java roundup for September 25th, 2023 features news from OpenJDK, JDK 22, Eclipse GlassFish 7.0.9, Build 21-jextract+1-2, Spring Cloud 2023.0.0-M2, Helidon 4.0.0-RC1, Open Liberty 23.0.0.10-beta, Apache Camel 4.0.1 and 3.21.1, JHipster Lite 0.43.0, JDKMon 17.0.77 and 17.0.75, JobRunr 6.3.2, Yupiik Fusion 1.0.8 and Gradle 8.4.0-RC3.

OpenJDK

JEP 457, Class-File API (Preview), has been promoted from its Draft 8280389 to Candidate status. This JEP proposes to provide an API for parsing, generating, and transforming Java class files. This will initially serve as an internal replacement for ASM, the Java bytecode manipulation and analysis framework, in the JDK with plans to have it opened as a public API. Brian Goetz, Java language architect at Oracle, characterized ASM as “an old codebase with plenty of legacy baggage” and provided background information on how this draft will evolve and ultimately replace ASM.

JEP 456, Unnamed Variables and Patterns, has been promoted from its Draft 8311828 to Candidate status to finalize this feature from its previous round of preview: JEP 443, Unnamed Patterns and Variables (Preview), delivered in JDK 21. This JEP proposes to “enhance the language with unnamed patterns, which match a record component without stating the component’s name or type, and unnamed variables, which can be initialized but not used.” Both of these are denoted by the underscore character as in r instanceof _(int x, int y) and r instanceof _.

JEP 455, Primitive types in Patterns, instanceof, and switch (Preview), has been promoted from its Draft 8288476 to Candidate status. This JEP proposes to “enhance pattern matching by allowing primitive type patterns to be used in all pattern contexts, align the semantics of primitive type patterns with instanceof, and extend switch to allow primitive constants as case labels.”

Jim Laskey, Software Development Director at Oracle Corporation, has submitted JEP Draft 8314219, String Templates, to finalize this feature from its previous round of preview, JEP 430, String Templates (Preview), delivered in JDK 21. This JEP enhances the Java programming language with string templates, string literals containing embedded expressions, that are interpreted at runtime where the embedded expressions are evaluated and verified. More details on JEP 430 may be found in this InfoQ news story.

JDK 22

Build 17 of the JDK 22 early-access builds was made available this past week featuring updates from Build 16 that include fixes to various issues. Further details on this build may be found in the release notes.

For JDK 22, developers are encouraged to report bugs via the Java Bug Database.

Eclipse GlassFish

Eclipse GlassFish 7.0.9, the ninth maintenance release, features component updates and notable fixes such as: an IllegalArgumentException attempting to deploy an application with an EJB remote interfaces to Embedded GlassFish; the contextInitialized() method defined in the ServletContextListener interface is invoked multiple times when deployed; and the stop-local-instance command line parameter doesn’t stop the instance of the server. More details on this release may be found in the release notes.

Ondro Mihályi, Director at OmniFish, has been working on virtual thread support for GlassFish and has provided this working example.

Project Jextract

Build 21-jextract+1-2 of the Project Jextract early-access builds was made available to the Java community and is based on JDK 21. With this build, developers running on MacOS Catalina or higher will be required to remove the quarantine attribute from the bits before using the jextract binaries.

With most of the features under the Project Panama early-access builds having moved over to incubating JEPs, jextract, a tool that mechanically generates Java bindings from a native library headers, remains the only feature and will therefore be maintained in its own project.

Spring Framework

The second milestone release of Spring Cloud 2023.0.0, codenamed Leyton, ships with: a migration of all Spring Cloud project documentation to Antora, a multi-repository documentation site generator; and milestone upgrades to sub-projects such as Spring Cloud Commons 4.1.0-M2, Spring Cloud Starter Build 2023.0.0-M2 and Spring Cloud Kubernetes 3.1.0-M2. Further details on this release may be found in the release notes.

Helidon

The first release candidate of Helidon 4.0.0 delivers bug fixes, dependency upgrades and notable changes such as: a major refactoring and stabilization of APIs; support for HTTP/2; and the WebServer and WebClient components having been declared as feature-complete. More details on this release may be found in the release notes.

Open Liberty

IBM has released version 23.0.0.10-beta of Open Liberty featuring: support for JDK 21 and the upcoming release of MicroProfile 6.1; improved startup times of of Spring Boot applications using Spring Boot 3.0 and InstantOn with Coordinated Restore at Checkpoint (CRaC); a beta 3 implementation of the Jakarta Data specification; and automatic generation and rotation of Lightweight Third Party Authentication (LTPA) keys without disruption to the application’s user experience.

Apache Software Foundation

Versions 4.0.1 and 3.21.1 of Apache Camel both provide notable improvements such as: provide a tracing strategy to trace each processor for OpenTelemetry; environment variables with the name ‘secret’ are now masked in logs; and prevent the usage of proxy protocol in producer endpoint. Further details on these releases may be found in the release notes for version 4.0.1 and version 3.21.1.

JHipster

Version 0.43.0 of JHipster Lite has been released featuring bug fixes, dependency upgrades and new features/enhancements such as: Split the original LogsSpy class into LogsSpy and LogsSpyExtension classes to follow single-responsibility principle and avoid exposing JUnit5 related methods; and replace the use of the Sinon JavaScript framework with Vitest. More details on this release may be found in the release notes.

JDKMon

Versions 17.0.77 and 17.0.75 of JDKMon, a tool that monitors and updates installed JDKs, has been made available this past week. Created by Gerrit Grunwald, principal engineer at Azul, these new versions provide: updated documentation for the latest updates; and a link to the GitHub releases added to the About dialog box.

JobRunr

Version 6.3.2 of JobRunr, a library for background processing in Java that is distributed and backed by persistent storage, has been released featuring bug fixes, dependency upgrades and a new feature that adds support for GraalVM Native executable in Quarkus. Further details on this release may be found in the release notes.

Yupiik

The release of Yupiik Fusion 1.0.8 provides new features such as: ensure span tags are only strings since it would otherwise require a mapping step; support for enum types; improved template handling; and new classes, RateLimiter and RateLimitedClient, to support limiting rates. More details on this release may be found in the release notes.

Gradle

The third release candidate of Gradle 8.4 delivers: initial support for JDK 21 only to compile, test, and run Gradle projects since Kotlin does not yet support JDK 21; improved compilation on Windows OS; a simplified way to create role-focused instances of the Configuration interface using the ConfigurationContainer interface; and improved support for the Kotlin DSL. Further details on this release may be found in the release notes.

Article originally posted on InfoQ. Visit InfoQ

This week’s Java roundup for September 18th, 2023 features news from OpenJDK, JDK 22, JDK 21, GraalVM, Corretto, Liberica, Epicyro 3.0, Pinot 1.0, and releases for: Spring Boot; Spring Integration; Spring Batch; Spring Cloud Dataflow; Spring Security; Spring GraphQL; Spring Authorization Server; Spring Apache Pulsar; Spring Modulith; Quarkus; Open Liberty; Micronaut; Hibernate; OpenXava; Gradle.

OpenJDK

Daniel Smith, Programming Language Designer at Oracle, has submitted JEP 8316779, Value Object Storage Enhancements (Preview). Under the auspices of Project Valhalla, this JEP introduces null-restricted storage of value objects in fields and array components. “These variables are initialized to an initial instance of the class and reject attempts to write a null value. They can be optimized with compact, flattened object encodings.”

JDK 21

Oracle has released version 21 of the Java programming language and virtual machine, which ships with a final feature set of 15 JEPs. More details may be found in this InfoQ news story.

JDK 22

Build 16 of the JDK 22 early-access builds was made available this past week featuring updates from Build 15 that include fixes to various issues. Further details on this build may be found in the release notes.

With no objections to the proposed JDK 22 release schedule, Mark Reinhold, chief architect, Java Platform Group at Oracle, has declared the following release schedule as final:

• Rampdown Phase One (fork from main line): December 7, 2023
• Rampdown Phase Two: January 18, 2024
• Initial Release Candidate: February 8, 2024
• Final Release Candidate: February 22, 2024
• General Availability: March 19, 2024

For JDK 22, developers are encouraged to report bugs via the Java Bug Database.

GraalVM

In conjunction with the release of JDK 21, GraalVM for JDK 21 has also been released by Oracle Labs. new features include: full support for JDK 21; performance enhancements with Profile-Guided Optimizations; a new application levels policy for faster compilation time; and improved developer experience with a new CLI options, --parallelism and --color, for specifying the number of threads and output color during builds, respectively. More details on this release may be found in the release notes. InfoQ will follow up with a more detailed news story.

On the road to version 1.0, Oracle Labs has released version 0.9.27 of Native Build Tools, a GraalVM project consisting of plugins for interoperability with GraalVM Native Image. This latest release provides bug fixes and improvements for GraalVM for JDK 21. Further details on this release may be found in the changelog.

Amazon Corretto

Amazon has released Amazon Corretto 21, their downstream distribution of OpenJDK 21, which is available on Linux, Windows, and macOS. Developers may download this latest version from this site.

BellSoft Liberica JDK

Similarly, BellSoft has released Liberica JDK 21, their downstream distribution of OpenJDK 21. Developers may download this latest version from this site.

Spring Framework

The third milestone release of Spring Boot 3.2.0 delivers bug fixes, dependency upgrades and new feature such as: add the ConnectionDetails interface and @ServiceConnection annotation to the configuration in Spring for Apache Pulsar; provide an instance of the RestClientBuilderConfigurer class to apply Spring Boot defaults to a custom RestClient.Builder interface; and remove the use of the deprecated ServerHttpObservationFilter class for WebFlux instrumentation. More details on this release may be found in the release notes.

Similarly, versions 3.1.4, 3.0.11 and 2.7.16 of Spring Boot provide improvements in documentation, dependency upgrades, a TWENTY_ONE enum constant to the JavaVersion enum class, and notable bug fixes such as: the Saml2RelyingPartyAutoConfiguration class ignores the value set in the sign-request property when using the metadata-url query; a leaking file descriptor and socket within DomainSocket class; and an invalid Accept request HTTP header produces an HTTP 500 Internal Server Error when using the WelcomePageHandlerMapping class. Further details on these releases may be found in the release notes for version 3.1.4, version 3.0.11 and version 2.7.16.

The third milestone release of Spring Integration 6.2.0 ships with dependency upgrades and notable changes such as: a refactor of the KafkaMessageDrivenChannelAdapter class for future maintenance to avoid code duplication; new overloaded executeLocked() methods added to the LockRegistry interface to follow best practice and well-known patterns with the JdbcTemplate, RestTemplate and JmsTemplate classes; and support for custom instances of the DefaultSftpSessionFactory class. More details on this release may be found in the release notes.

The third milestone release of Spring Batch 5.1.0 provides bug fixes, improvements in documentation and new features such as: auto-configure the JobRegistryBeanPostProcessor class with @EnableBatchProcessing annotation and the DefaultBatchConfiguration class for improved job registration with the JobRegistry interface; the ability to specify a database type via a new parameter in the @EnableBatchProcessing annotation; and the ability to provide a custom JobKeyGenerator interface in the JdbcJobInstanceDao class. Further details on this release may be found in the release notes.

The release of Spring Cloud Dataflow 2.11.0 delivers bug fixes, dependency upgrades and support for: Spring Boot 3.x-based stream applications; Spring Cloud Task 3.x-based task applications; and Spring Batch 5.x-based batch applications. There was also an upgrade to the Kubernetes batch/v1 cron job so that developers can now use Kubernetes 1.25.0 and above. More details on this release may be found in the release notes.

Versions 6.2.0-M1, 6.1.4, 6.0.7 and 5.8.7 of Spring Security have been released featuring fixes for CVE-2023-34042, Incorrect Permission Assignment for spring-security.xsd, a vulnerability in which the spring-security.xsd file, found inside the spring-security-config JAR archive, is world writable and could result in an exploit. Developers are encouraged to upgrades to these releases. Further details on these releases may be found in the release notes for version 6.2.0-M1, version 6.1.4, version 6.0.7 and version 5.8.7.

Versions 1.2.3, 1.1.6 and 1.0.5 of Spring for GraphQL have been released deliver bug fixes, improvements in documentation, dependency upgrades and new features such as: the ability to access object type extensions (to complement object types) using the ConnectionTypeDefinitionConfigurer class; raise a Spring Security AuthenticationCredentialsNotFoundException to require authentication when an instance of the Java Principal interface is not present and not declared as Optional; and enhancements to the GraphQL request body checks to prevent an HTTP 500 Internal Server Error. These releases may be consumed with Spring Boot versions 3.1.4, 3.0.11 and 2.7.16, respectively. More details on these releases may be found in the release notes for version 1.2.3, version 1.1.6 and version 1.0.5.

The first milestone release of Spring Authorization Server 1.2.0 ships with bug fixes, dependency upgrades and new features such as: the ability to inject custom metadata to improve client registration; new code challenge methods for OIDC provider configuration response; and improvements in logging with the CodeVerifierAuthenticator class. Further details on this release may be found in the release notes.

The second milestone release of Spring for Apache Pulsar 1.0.0 features notable changes such as: the ability to add multiple customizers to the PulsarAdministration, DefaultPulsarConsumerFactory, DefaultPulsarReaderFactory and DefaultReactivePulsarSenderFactory classes; and move the cache provider modules source files from the default spring.pulsar.core package to a package that is specific to the module name to avoid any confusion with the Java module system. More details on this release may be found in the release notes.

Versions 1.1.0-M1 and 1.0.1 of Spring Modulith have been released provide bug fixes, improvements in documentation, dependency upgrades and new features such as: support to externalize domain events into messaging middleware (Kafka, AMQP, JMS, etc.) by registering an @ApplicationEventListener; a new Neo4j event publication repository; and new interfaces – CompletedEventPublications, IncompleteEventPublications and EventPublicationRepository – for improved handling of completed and incomplete event publications. Further details on these releases may be found in the release notes for version 1.1.0-M1 and version 1.0.1.

Quarkus

The release of Quarkus 3.4.1 features support for Redis 7.2 and changes in support for the Flyway extension that include: the ability to disable the automatic setup of the Flyway extension by setting the quarkus.flyway.enabled property to false; and declare a datasource as inactive for a specific datasource and named datasource by setting the quarkus.flyway.active and quarkus.flyway..active properties, respectively, to false. More details on this release may be found in the changelog.

Open Liberty

IBM has released version 23.0.0.9 of Open Liberty that provides support for: Spring Boot 3.0 requiring Jakarta EE 10, Spring Security 6.x, and a new server template named springBoot3; support for Private Key JWT authentication with OpenID Connect token endpoints; and the ability to set the LTPA or JWT cookie path to the application context root to allow for different LTPA and JWT tokens for different applications.

Micronaut

The Micronaut Foundation has released version 4.1.2 of the Micronaut featuring Micronaut Core 4.1.6 and updates to the Micronaut Data module. Further details on this release may be found in the release notes.

Hibernate

Versions 6.3.1.Final and 6.2.9.Final of Hibernate ORM have been released that ship with bug fixes and improvements in query methods and finder methods. More details on these releases may be found in the release notes for version 6.3.1.Final and version 6.2.9.Final.

Eclipse Foundation

Shortly after it was introduced by OmniFishEE, Eclipse Epicyro 3.0 has formally been released as a standalone implementation of the Jakarta Authentication 3.0 specification. This new project will define a general low-level SPI for authentication mechanisms, controllers that interact with a caller and a container’s environment to obtain the caller’s credentials. These will be validated and pass an authenticated identity (such as name and groups) to a container.

Apache Software Foundation

The release of Apache Pinot 1.0.0, a realtime distributed OLAP datastore, delivers bug fixes, enhancements and new features such as: initial support for Query runtime for Window Functions using ORDER BY clause within the OVER() clause; an early termination in the execution of the SortOperator class if the LIMIT clause is used; and support for partition-based leaf stage processing. Further details on this release may be found in the release notes. InfoQ will follow up with a more detailed news story.

OpenXava

The release of OpenXava 7.1.6 ships with notable fixes such as: improvements in the interactions between the @ElementCollection and @DescriptionsList annotations; grouping after filtering or sorting a list fails with the @Tab annotation if it contains a baseCondition parameter and an instance of the IFilter interface; and an instance of the IForwardAction interface does not work if the application is behind a proxy. More details on this release may be found in the release notes.

Gradle

The first release candidate of Gradle 8.4 delivers: initial support for JDK 21 only to compile, test, and run Gradle projects since Kotlin does not yet support JDK 21; improved compilation on Windows OS; a simplified way to create role-focused instances of the Configuration interface using the ConfigurationContainer interface; and improved support for the Kotlin DSL. Further details on this release may be found in the release notes.