Java News Roundup: Jakarta EE 11-M1, Payara Platform, Quarkus Release Plan, Spring Releases
MMS • Michael Redlich
This week’s Java roundup for December 18th, 2023 features news highlighting: Jakarta EE 11-M1 and GA release plan; Payara Platform December 2023 release; point releases for Spring Boot, Spring Cloud and Spring Security; Quarkus release plan; and CVE-2023-46131, a Grails data binding vulnerability.
Build 3 of the JDK 23 early-access builds was made available this past week featuring updates from Build 2 that include fixes for various issues. Further details on this release may be found in the release notes.
Build 29 of the JDK 22 early-access builds was also made available this past week featuring updates from Build 28 that include fixes to various issues. More details on this build may be found in the release notes.
In his weekly Hashtag Jakarta EE blog, Ivar Grimstad, Jakarta EE developer advocate at the Eclipse Foundation, has announced that the first milestone release of Jakarta EE 11 has been made available to the Java community. The goal of this release is to verify that the build chain was well established and provide the API artifacts to all implementers of Jakarta EE. Details for each profile may be found in Jakarta EE Platform 11-M1, Jakarta EE Web Profile 11-M1 and Jakarta EE Core 11-M1.
Grimstad also provided an update on the status of plan reviews for the specifications that will provide updates for Jakarta EE 11, scheduled for a GA release in 1H2024:
- December 2023: Milestone 1 providing milestone releases for all specifications that have planned updates for Jakarta EE 11.
- February 2024: Milestone 2 providing final versions of specifications in waves 1 to 4 and updated milestone versions for the remaining specifications.
- March 2024: Milestone 3 providing final versions of specifications in wave 5 and updated milestones for the remaining specifications.
- April 2024: Milestone 4 providing final versions of specifications in waves 6 to 7.
Further details on Jakarta EE 11, including the specifications classified in each wave, may be found in the release plan.
Version 1.0.4 of Eclipse JNoSQL, the compatible implementation of the Jakarta NoSQL specification, has been released featuring: fixes for constructor and generics type handling to ensure a more seamless experience when working with Eclipse JNoSQL; enhanced handling of null values in embeddable documents; and a change in the package name to avoid duplicate names in different modules. More details on this release may be found in the release notes.
Versions 3.2.1 and 3.1.7 of Spring Boot deliver improvements in documentation, dependency upgrades and notable bug fixes such as: an instance of the HibernateJpaAutoConfiguration class should be applied before the DataSourceTransactionManagerAutoConfiguration class because the former imports required beans; an IllegalStateException from closing a ZIP file due to the StaticResourceJars class closing JAR files from cached connections; and child contexts created with the SpringApplicationBuilder class executing the parent's runners. Further details on these releases may be found in the release notes for version 3.2.1 and version 3.1.7.
Versions 6.2.1, 6.1.6 and 5.8.9 of Spring Security have been released featuring bug fixes, dependency upgrades and new features such as: document that the Shibboleth Repository is required for support of the Security Assertion Markup Language (SAML); integrate caching of the HandlerMappingIntrospector class; and a resolution to the OAuth2 Resource Server exposing server information. More details on these releases may be found in the release notes for version 6.2.1, version 6.1.6 and version 5.8.9.
Spring Cloud 2021.0.9, codenamed Jubilee, has been released providing bug fixes and upgrades to sub-projects such as: Spring Cloud Commons 3.1.8; Spring Cloud Starter Build 2021.0.9; Spring Cloud Kubernetes 2.1.9; and Spring Cloud Netflix 3.1.8. This release is based on Spring Boot 2.6.15 and is compatible with Spring Boot 2.7.18 and 3.0.13.
Versions 1.1.1 and 1.0.4 of Spring Modulith have been released to deliver bug fixes, dependency upgrades and improvements: avoid potential duplicate inclusions of the ModuleTestExecution class; and exclude Spring AOT classes from architecture verification as they might otherwise introduce dependencies to application components considered module internals. Further details on these releases may be found in the release notes for version 1.1.1 and version 1.0.4.
Versions 1.2.1, 1.1.4 and 0.4.5 of Spring Authorization Server have been released featuring bug fixes, dependency upgrades and a new feature in which the org.webjars dependencies were removed from the demo-authorizationserver sample application. More details on this release may be found in the release notes for version 1.2.1, version 1.1.4 and version 0.4.5.
The release of Spring for Apache Kafka 3.1.1 ships with bug fixes, improvements in documentation, dependency upgrades and new features such as: minor improvements to the listeners associated with the MessagingMessageListenerAdapter class; a resolution to defects in perceived counterintuitive default methods in the ConsumerFactory interface; and improvements to the DefaultKafkaHeaderMapper class to avoid any potential NullPointerException exceptions. Further details on this release may be found in the release notes.
The release of Spring for Apache Pulsar 1.0.1 provides bug fixes, improvements in documentation, dependency upgrades and improvements: a more convenient way to use the @ReactivePulsarListener annotation in streaming mode with Spring messages; support for tombstone records with the @PulsarListener annotation; and a deprecation of the (Reactive) ReactivePulsarListenerEndpointAdapter classes in favor of default methods defined in the ListenerEndpoint interface and its subinterfaces for improved custom implementations of ListenerEndpoint. More details on this release may be found in the release notes.
The release of Spring AMQP 3.1.1 delivers bug fixes, improvements in documentation, dependency upgrades and new features such as: elimination of the synchronized keyword in the RabbitAdmin classes; and a resolution to a new ObjectMapper instance of the Jackson2JsonMessageConverter class not aware of the module supporting JSR 310, Date and Time API. Further details on this release may be found in the release notes.
Payara has released their December 2023 edition of the Payara Platform that includes Community Edition 6.2023.12 and Enterprise Edition 6.9.0. Both editions feature bug fixes, component upgrades and improvements: enhancements in the Payara Bill of Materials (BOM) for version consistency with the Payara API dependency that simplifies dependency management for developers; and publication of Docker images compatible with JDK 21 that ensures developers have access to the latest and most secure Java features. More details on these versions may be found in the release notes for Community Edition 6.2023.12 and Enterprise Edition 6.9.0.
IBM has released version 220.127.116.11-beta of Open Liberty featuring support for the Jakarta Data 1.0-M2 specification, which provides API updates to pagination and various improvements to the Javadoc and specification text. This release includes a test implementation of Jakarta Data that they use to experiment with proposed specification features so that developers can try out these features and provide feedback for the Jakarta Data 1.0 specification beyond milestone 2.
The release of Quarkus 3.6.4 provides resolutions to: a NullPointerException observed in edge cases during a live reload by adding null checks to the isRestartNeeded() method defined in the TimestampSet inner static class within the RuntimeUpdatesProcessor class; an incorrect error reported when the OpenAPI key is not present by adding a Vert.x NoStackTraceException class in the metrics output; and a NoClassDefFoundError from the Java SequencedCollection interface with an application targeting Java 17, built with JDK 21 and running with Java 17. Further details on this release may be found in the changelog.
With Quarkus 3.2 defined as the current LTS release, Red Hat has published their release plans for upcoming minor releases of Quarkus 3.7, 3.8 and 3.9, currently scheduled for release at the end of January, February and March 2024, respectively. JDK 17 will be the minimal JDK version starting with Quarkus 3.7 and Quarkus 3.8 will be defined as the next LTS release. More details on the upcoming release of Quarkus 3.7 may be found in this InfoQ news story.
The release of Helidon 4.0.2 ships with notable changes such as: an update to the web server’s internal state if a listener fails to start by ensuring that calls to the isRunning() method defined in the WebServer interface must return false and the server isn’t listening for connections; a resolution to premature access to the RegistryFactory class due to the JPA CDI extension running some start-up complete code before the metrics CDI extension had a chance to prepare Helidon MP metrics; and ensure that a supplier of the WsListener interface is called exactly once per connection to resolve reuse of the supplier in request/response lifecycle. Further details on this release may be found in the release notes.
Similarly, Helidon 3.2.5 provides: dependency upgrades; fixes to some of the examples; and slight relaxation of a unit test to avoid test ordering issues. More details on this release may be found in the release notes.
The release of Hibernate Search 6.2.3.Final delivers notable changes such as: upgrade the -orm6 artifacts to Hibernate ORM 6.2.17.Final; compatibility with OpenSearch 2.11.0; and an adjustment to Hibernate Search’s Jandex index reading and building to work correctly with Spring Boot 3.2’s nested JARs. Further details on this release may be found in the release notes.
The Grails Foundation has provided full disclosure for CVE-2023-46131, a vulnerability in which a specially crafted Grails data binding web request can lead to a JVM crash or a denial of service. This CVE has been resolved in Grails versions 3.3.17, 4.1.3, 5.3.4 and 6.1.0.
The foundation has also released version 5.3.5 of the Grails Framework featuring: dependency upgrades; improvements to the release workflow; and change the resolve strategy from OWNER_FIRST due to the setProperty() method defined in the BeanBuilder class intercepting assignments, then discarding them if the currentBeanConfig variable is null. More details on this release may be found in the release notes.
Apache Software Foundation
The fourth alpha release of Apache Groovy 5.0.0 delivers bug fixes, dependency upgrades and new features/improvements such as: the addition of a getCodePoints() method in the StringGroovyMethods class to allow traditional Groovy conventions of using the codePoints property; a reconsideration to implement an implication operator, ==>, for scenarios where the operator aids readability or otherwise makes sense; and generation of bytecode for Groovy interfaces with default, private and static methods to replace default methods that are currently based on traits. Further details on this release may be found in the release notes.
Apache Groovy 4.0.17 has been released with dependency upgrades and resolutions to: a regression in version 4.0.16 related to static type checking with Groovy generics; the JsonSlurper class parsing badly formatted JSON files without throwing an exception; and patterns conditionally created using the pattern operator, ~, being cast to type GString instead of Pattern. More details on this release may be found in the release notes.
Similarly, Apache Groovy 3.0.20 has also been released providing bug fixes, dependency upgrades and improvements such as: an enhancement to the coercion and implicit cast of map literals for the @CompileStatic annotation; and a resolution to the static type checker not being able to infer Map types for a method return. Further details on this release may be found in the release notes.
The release of Apache Camel 4.3.0 ships with bug fixes, dependency upgrades and new features such as: a new Kamelet to support the Advanced Message Queuing Protocol; basic support for virtual threads (but doesn’t cover the replacement of synchronized blocks with reentrant locks nor the review of all thread locals); and support for start and end dates in the Camel Quartz component. More details on this release may be found in the release notes.
The release of Infinispan 13.0.21.Final provides resolutions to: CVE-2023-4487, a process control vulnerability in which an attacker can insert malicious configuration files in the expected web server execution path to escalate privileges and gain full control of the Human Machine Interface software; CVE-2023-44487, a vulnerability in which Tomcat’s implementation of HTTP/2 was vulnerable to the rapid reset attack causing a denial of service that was typically manifested as an OutOfMemoryError; and an availability check failure with an uncaught exception from the PersistenceManager interface. Further details on this release may be found in the release notes.
Version 2.2.0 of Resilience4j, a fault tolerance library for Java, has been released with bug fixes and these enhancements: support for Micronaut 4.0; and a framework agnostic bootstrapping of Resilience4j from Apache Commons configuration of properties for non-Spring Java applications. More details on Resilience4j may be found in this InfoQ news story.