Update versions.postgresql [SECURITY]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.postgresql:postgresql (source)	42.7.10 → 42.7.11
org.mockito:mockito-core	5.22.0 → 5.23.0
org.springdoc:springdoc-openapi-starter-webmvc-ui (source)	3.0.2 → 3.0.3
com.nimbusds:oauth2-oidc-sdk	11.34 → 11.37.2
org.flywaydb:flyway-maven-plugin	12.0.3 → 12.8.1
com.github.gantsign.maven:ktlint-maven-plugin	3.5.0 → 3.7.1
org.apache.maven.plugins:maven-enforcer-plugin (source)	3.6.2 → 3.6.3
org.openapitools:openapi-generator-maven-plugin	7.20.0 → 7.23.0
org.springframework.boot:spring-boot-starter-parent (source)	4.0.3 → 4.1.0

---

pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS

CVE-2026-42198 / GHSA-98qh-xjc8-98pq

More information

Details

Summary

pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication.

Impact

A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count.
With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail.
A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools.

In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation.

This issue affects availability. It does not provide authentication bypass, privilege escalation, or direct password disclosure.

A user is vulnerable when all of the following are true:

1. The connection uses SCRAM-SHA-256 authentication.
2. The client reaches a malicious, compromised, or attacker-controlled PostgreSQL endpoint.
3. That endpoint sends a very large SCRAM PBKDF2 iteration count in the server-first-message.

In practice, that can happen in these situations:

• the application lets end users or tenants supply their own database connection details (as in many BI, reporting, analytics, ETL, and low-code platforms), so a user can point the shared client host at a server they control
• the application accepts connection strings, hostnames, or JDBC URLs from user input, configuration uploaded by users, or other untrusted sources
• the application is configured to connect to a PostgreSQL server that is itself malicious or later becomes compromised
• the application connects through an untrusted proxy, relay, tunnel, bastion, or connection-pooling service that can act as the PostgreSQL server
• an attacker can redirect the client to a fake PostgreSQL endpoint by manipulating DNS, service discovery, Kubernetes service resolution, /etc/hosts, environment variables, or similar indirection
• an active network attacker on the path can impersonate the server because the connection does not strongly verify server identity (for example, sslmode lower than verify-full, or trusting a CA that signs hosts outside the operator's control)

The issue is more damaging when the application uses connection retries, many parallel connection attempts, or loginTimeout and assumes the timeout fully stops the work.

Patches

The patch introduces a new connection property, scramMaxIterations, with a default of 100K. The client now rejects SCRAM server messages that advertise more PBKDF2 iterations than the configured cap before starting the PBKDF2 computation begins.

Workarounds

Until a patched version of pgjdbc is deployed, the following measures reduce exposure:

1. Only connect to trusted PostgreSQL servers whose identity is verified.
   Connect only to trusted PostgreSQL servers, and verify server identity with TLS using sslmode=verify-full and a trusted CA.
   TLS without certificate and hostname verification is not sufficient as an active network attacker can still impersonate the server.

2. Do not rely on loginTimeout as a complete mitigation on unpatched versions.
   On affected versions, loginTimeout can stop the waiting caller while the worker thread continues spending CPU.

3. Avoid SCRAM on untrusted or interceptable connection paths.
   For those paths, use an authentication method that does not let the server choose a SCRAM PBKDF2 iteration count.

4. Reduce blast radius operationally.
   Limit parallel connection attempts, add retry backoff, isolate connection establishment in a separate worker or process when possible, and apply CPU or container limits where appropriate.

5. On trusted servers you control, keep SCRAM iteration counts at ordinary values.
   This does not defend against an attacker-controlled server, but it avoids unnecessary client cost when talking to legitimate servers.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-98qh-xjc8-98pq
• https://nvd.nist.gov/vuln/detail/CVE-2026-42198
• https://github.com/pgjdbc/pgjdbc/releases/tag/REL42.7.11
• https://github.com/advisories/GHSA-98qh-xjc8-98pq

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

pgjdbc/pgjdbc (org.postgresql:postgresql)

v42.7.11

Security

• fix: Limit SCRAM PBKDF2 iterations accepted from the server.
  pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins.
  See the Security Advisory for more detail.
  The following CVE-2026-42198 has been issued.

Added

• feat: implement require_auth connection property, aligning with libpq behavior PR #​3895

Changed

• chore: replace Appveyor CI with ikalnytskyi/action-setup-postgres PR #​3966
• chore: upgrade Gradle to v9 PR #​3978

Fixed

• fix: ensure extended protocol messages end with Sync message PR #​3728
• fix: enable cursor-based fetching in extended protocol when transaction started via SQL command PR #​3996
• fix: retry with SSL on IOException when sslMode=ALLOW PR #​3973
• fix: make sure the driver honours connectTimeout when retrying the connection PR #​3968
• fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in PR #​3968
• fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers PR #​3962
• fix: use compareTo for LogSequenceNumber comparison to handle unsigned values correctly PR #​3961
• fix: release COPY lock on IOException to prevent connection hang PR #​3957
• fix: return jsonb as PGObject instead of String PR #​3956
• fix: align SSL key file permission check with libpq PR #​3952
• fix: guard connection closed flag with a reentrant lock to protect against concurrent close PR #​3905

mockito/mockito (org.mockito:mockito-core)

v5.23.0

Compare Source

NOTE: Breaking change for Android

The mockito-android artifact has a breaking change: tests now require a device or emulator based on API 28+ (Android P). This is to enable new support for mocking Kotlin classes. See #​3788 for more details.

---

^{Changelog generated by Shipkit Changelog Gradle Plugin}

5.23.0

• 2026-03-11 - 6 commit(s) by Brice Dutheil, Joshua Selbo, Philippe Kernevez
• Replace mockito-android mock maker implementation with dexmaker-mockito-inline (#​3792)
• Fix StackOverflowError with AbstractList after using mockSingleton (#​3790)
• Mark parameters of Mockito.when @Nullable (#​3503)

springdoc/springdoc-openapi (org.springdoc:springdoc-openapi-starter-webmvc-ui)

v3.0.3: springdoc-openapi v3.0.3 released!

Compare Source

Added

• #​3246 – Add Springdoc OpenAPI MCP (Model Context Protocol) support
• #​3256 – Auto-set nullable: true for Kotlin nullable types in schema properties
• #​3239 – Add support for the @Range constraint validation annotation
• #​3244 – Handle default values for LocalDate

Changed

• Upgrade Spring Boot to version 4.0.5
• Upgrade swagger-core to version 2.2.47
• Upgrade swagger-ui to version 5.32.2
• #​3260 – @ConditionalOnClass(HateoasProperties.class) in SpringDocHateoasConfiguration
• Forwards all MCP non-transport headers to downstream methods
• Dynamically resolve the base path from window.location.pathname for MCP UI

Fixed

• #​3258 – Setting API Version Required when using WebFlux breaks the Swagger UI
• #​3259 – Annotated Generic properties getting applied to sibling properties
• #​3255 – Direction enum: fixed visibility scope of group order so that setGroupsOrder method can be used
• #​3247 – Preserve YAML group URLs in Swagger UI
• #​3245 – Upgrade swagger-core from version 2.2.43 to 2.2.45
• #​3235 – PropertyResolverUtils retains a JsonNode when reading an ExtensionProperty annotation
• #​3226 – Propagate JsonView context when resolving Page<T> schema

New Contributors

• @​seregamorph made their first contribution in #​3260

Full Changelog: springdoc/springdoc-openapi@v3.0.2...v3.0.3

connect2id/oauth-2.0-sdk-with-openid-connect-extensions (com.nimbusds:oauth2-oidc-sdk)

v11.37.2

Compare Source

v11.37.1

Compare Source

v11.37

Compare Source

v11.36

Compare Source

v11.35

Compare Source

gantsign/ktlint-maven-plugin (com.github.gantsign.maven:ktlint-maven-plugin)

v3.7.1

Compare Source

Changes:

• #​718: Fix deploy timeout

v3.7.0

Compare Source

Enhancement:

• #​717: Update ktlint to 1.8.0 and kotlin to 2.2.21

v3.6.0

Compare Source

Enhancement:

• #​681: Update to ktlint 1.7.1 and kotlin 2.2.0
  • Thanks to @​JonathanLennox for the PR

Other changes:

• #​662: Upgraded commons-codec:commons-codec from 1.17.2 to 1.18.0
• #​671: Updated GitHub Actions runner
• #​663: Upgraded commons-logging:commons-logging from 1.3.4 to 1.3.5
• #​664: Upgraded commons-beanutils:commons-beanutils from 1.10.0 to 1.10.1
• #​685: Fix devcontainer
• #​686: Fix devcontainer
• #​687: Migrate deployment to Sonatype Central Portal
• #​688: Fix Maven deploy
• #​688: Fix formatting (fix-deploy)
• #​666: Bump org.codehaus.plexus:plexus-classworlds from 2.8.0 to 2.9.0
• #​669: Bump org.codehaus.plexus:plexus-interpolation from 1.27 to 1.28
• #​673: Bump commons-beanutils:commons-beanutils from 1.10.1 to 1.11.0
• #​675: Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.18.0
• #​676: Bump commons-io:commons-io from 2.18.0 to 2.20.0
• #​679: Bump actions/setup-java from 4 to 5
• #​680: Bump codecov/codecov-action from 5.3.1 to 5.5.1
• #​682: Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.19.0
• #​683: Bump actions/checkout from 4 to 6
• #​689: Bump org.codehaus.plexus:plexus-utils from 4.0.2 to 4.0.3
• #​690: Update Dependabot to allow newer Maven versions
• #​693: Bump org.apache.maven:maven-core from 3.5.4 to 3.8.1
• #​691: Bump codecov/codecov-action from 5.5.1 to 6.0.0
• #​694: Bump org.jetbrains.dokka:dokka-maven-plugin from 2.0.0 to 2.2.0
• #​695: Bump org.codehaus.mojo:animal-sniffer-maven-plugin from 1.24 to 1.27
• #​696: Bump commons-codec:commons-codec from 1.18.0 to 1.21.0
• #​692: Bump maven.version from 3.8.1 to 3.8.9
• #​698: Add org.dom4j:dom4j dependency to dependabot configuration
• #​703: Bump org.dom4j:dom4j from 2.1.4 to 2.1.5
• #​704: Add org.codehaus.plexus:plexus-xml dependency to dependabot configuration
• #​699: Bump org.codehaus.plexus:plexus-interpolation from 1.28 to 1.29
• #​700: Bump commons-logging:commons-logging from 1.3.5 to 1.3.6
• #​701: Bump org.apache.maven.plugin-tools:maven-plugin-annotations
• #​706: Bump commons-io:commons-io from 2.20.0 to 2.21.0
• #​707: Add maven-reporting-impl dependency to dependabot configuration
• #​708: Add plexus-classworlds dependency to dependabot config
• #​710: Add maven-plugin-testing-harness to dependabot config
• #​711: Add Guice to dependabot config
• #​712: Bump com.google.inject:guice from 4.2.2 to 4.2.3
• #​713: Add doxia-sink-api-ktx to dependabot config
• #​714: Bump doxia-sink-api-ktx version to 1.6.1
• #​715: Update build Maven version to 3.9.14
• #​716: Update Maven Central badge to use img.shields.io

openapitools/openapi-generator (org.openapitools:openapi-generator-maven-plugin)

v7.23.0: released

Compare Source

v7.23.0 stable release (breaking changes with fallbacks) comes with 170+ enhancements and bug fixes.

This release comes with 2 breaking changes (with fallback):

• [jaxrs-spec][quarkus] Emit @​RolesAllowed({"**"}) for HTTP Basic, Bearer, api-key and OAuth2 or OpenID with empty scopes and rename "useQuarkusSecurityAnnotations" to "useJakartaSecurityAnnotations" (Breaking change (with fallback)) #​23680
• fix(Kotlin): use the global apiNamePrefix and apiNameSuffix settings instead of apiSuffix (generator's option) (Breaking change (with fallback)) #​23926

Below are the highlights of the changes. For a full list of changes, please refer to the "Pull Request" tab.

General

• Normalizer: new rule LOOSE_NULL_DEFINITIONS to allow more null definitions in 3.0 spec. #​23932
• fix(InlineModelResolver): prevent numbered duplicate models from multi-file OAS 3.1 specs #​23856
• fix(core): normalize OAS 3.1 content media schemas #​23851
• [GRADLE-WRAPPER] feat: add configurable worker isolation and max heap size for code generation #​23648 by
• [GRADLE-WRAPPER] bug fix - pass maven java_home to gradle correctly #​23646
• Add security schemes filter normalizer option #​23174

C#

• [csharp][generichost] Deserialize present-but-null nullable enums #​23912
• [csharp] Fix HTTP signature auth failure on .NET 8 when query params contain special characters #​23714
• [csharp][restsharp] add throwOnAnyError option to surface client errors #​23663
• Fix/csharp reserved headers and file parameter not serialising correctly #​23593
• [csharp] Extend HostConfiguration with additional AddApiHttpClients signatures #​22500

Dart

• feat(dart): make requests abortable #​23930
• [Dart] Preserve uppercase names with trailing digits #​23894
• [BUG][DART] fix nullable nested array item handling #​23365

Go

• fix(go): avoid duplicate unknown enum defaults #​23909
• [go] support io.Reader and []byte response types in client decode #​23789

Java

• [Java][restclient] Build XmlMapper via builder when useJackson3=true #​23872
• [Java] [vertx] Allow PoolOptions configuration when vertx 5 #​23829
• feat(java/jersey3): add jackson 3 support #​23819
• feat(java/jersey3): Update jakarta annotation and validation libs #​23810
• [JAVA-SPRING] spring http interface library should support 'useBeanValidation' #​23803
• [jaxrs-spec][quarkus] Emit @​PermitAll for unauthenticated operations (op/global empty security, anonymous OR alternative, no security defined) #​23782
• [JavaJaxRS] [CXF] Add Support for Jackson3 #​23767
• [jaxrs-spec][quarkus] Emit @​RolesAllowed({scope}) for OAuth2 and OpenID Connect operations with explicit scopes #​23752
• [jaxrs-spec][quarkus] - Add CLI flag (useQuarkusSecurityAnnotations) to enable emitting security annotation (@​Authenticated, @​RolesAllowed, @​PermitAll) #​23699
• [JAVA-SPRING;KOTLIN-SPRING] feature - add support for 'substituteGenericPagedModel' also for 'spring-cloud' libraries #​23690
• [jaxrs-spec][quarkus] Emit @​RolesAllowed({"**"}) for HTTP Basic, Bearer, api-key and OAuth2 or OpenID with empty scopes and rename "useQuarkusSecurityAnnotations" to "useJakartaSecurityAnnotations" (Breaking change (with fallback)) #​23680
• [jaxrs-spec][quarkus]: Emit @​ResponseStatus annotation for 2XX success codes #​23673
• [Java] [vertx] Make supportVertxFuture compatible with vertx 5 #​23660
• Fix Jspecify nullable issue with spring boot 4 #​23649
• [java][spring] fix: disableDiscriminatorJsonIgnoreProperties not working #​23640
• [java] Support 'time-local' format #​23555
• [java] Support 'date-time-local' format #​23395
• [Spring] Add clientRegistrationId option for OAuth2 HTTP Interface #​22726

Kotlin

• fix(Kotlin): use the global apiNamePrefix and apiNameSuffix settings instead of apiSuffix (generator's option) (Breaking change (with fallback)) #​23926
• [kotlin-client][jvm-ktor] Support nullable response types #​23870
• feat(kotlin-client): support dynamic auth credentials for okhttp client (#​23835) #​23836
• [KOTLIN-SPRING] - add support for 'openApiNullable' - jackson nullable library to handle non-required AND nullable: true properties #​23804
• [Kotlin] Fix explicitApi/nonPublicApi/generateOneOfAnyOfWrappers generation for kotlinx_serialization #​23796
• [Kotlin][ktor] add delegate pattern support #​23756
• [JAVA-SPRING;KOTLIN-SPRING] feature - add support for 'substituteGenericPagedModel' also for 'spring-cloud' libraries #​23690
• [KOTLIN-SPRING] Feature - add support for 'useDeductionForOneOfInterfaces' #​23677
• [KOTLIN]: add 'bestEffortBacktick' naming option for Kotlin enums #​23620
• feat(kotlin-spring): add suspendFunctions option for coroutine support #​23444

Python

• [Python] fix constraint settings for decimalType #​23928
• [python] Fix invalid pip syntax for httpx/tornado in requirements.txt #​23889
• [python-fastapi] type binary multipart fields as UploadFile #​23793
• Fix Python (e.g. FastApi) example generation #​23537

PHP

• [php-nextgen] Check for $openApiType === "string" instead of "\DateTime" in ObjectSerializer #​23937

PowerShell

• PowerShell: fix enum string starting with a number #​23715

Rust

• [rust-salvo] Add Rust server generator targeting the Salvo web framework (New Generator) #​23772

Scala

• [scala-http4s] Fix name mapping of discriminator property #​23853
• [scala-http4s] Preserve underscores in enum names #​23842
• [scala-sttp4-jsoniter] extend Primitive type with UUID, LocalDate and OffsetDateTime #​23801
• [Fix][scala-sttp] Register JSON value type in importMapping to avoid model-package-prefixed import #​23652
• feat: add support for oneOf in sttp4 client #​22916

Swift

• [swift5][swift6] Add additionalModelObjectAttributes/EnumAttributes/Imports #​23773
• [BUG][SWIFT6] unalias additionalProperties before building map type declaration #​23668
• [swift5/swift6] Fix oneOf decoding when enumUnknownDefaultCase is enabled #​23496

TypeScript

• [Typescript] Enum types (#​18531) #​23921
• [typescript-nestjs] Use paramName for URL path substitution (fixes #​16668) #​23868
• [typescript-fetch] Fix nested oneOf generating uncompilable interface extends on union type #​23501
• [typescript-fetch] Fix oneOf with mixed array types causing TypeScript compile error #​23500
• [typescript-fetch] Fix instanceOf type guards for discriminated unions #​23497
• [typescript-fetch] Bugfix additional properties in multipart requests

v7.22.0: released

Compare Source

v7.22.0 stable release comes with 150+ enhancements and bug fixes.

Below are the highlights of the changes. For a full list of changes, please refer to the "Pull Request" tab.

General

• refactor: centralize common schema checks in ModelUtils #​23608
• [CORE] : BUGFIX - prevent Stream closed on concurrent JAR access in TemplateManager #​23596
• Improve OneOf handling with new normalizer REPLACE_ONE_OF_BY_DISCRIMINATOR_MAPPING #​23543
• ci: upload openapi-generator-cli.jar as GitHub Release asset #​23524
• fix: preserve parent description when simplifying nullable anyOf/oneOf #​23361
• [GRADLE-PLUGIN] - Modernize plugin to use Lazy Configuration API #​23042

C#

• [csharp][generichost] Fix TokenBase race condition #​23356
• [csharp][generichost] Fix possible concatentation bug #​23355
• [csharp][generichost] Fix invalid implicit cast #​23344
• [csharp][generichost] Treat warnings as errors #​23343
• [csharp][generichost] Fix dateTimeOffset bug #​23342
• Marking a class abstract should not mark the methods abstract as well #​23291
• [csharp][generichost] Multiple oauth tokens #​23264
• [csharp] Support null types #​23260

Crystal

• [crystal] Fix empty auth_settings Hash literal #​23625

Dart

• [dart-dio] Fix json_serializable serialize template to support hasFormParams #​23579
• Fix wrong import statements in dart-dio when using import-mappings #​23571
• fix: Change Dart Serializer for MapBuilder to be nullable #​23460
• feat(dart-dio): add methods to remove auth tokens in api client #​23386

Go

• feat(go): add enumUnknownDefaultCase config option #​23417

Java

• Correct imports for RxJava2 and RxJava3. Add support for Vert.x 5. #​23563
• add support for sealed response interfaces for spring-declarative-http-interface #​23549
• [Java][jersey3] Add error entity deserialization to ApiException #​23542
• [Java] [apache-httpclient] Add support for Jackson3 for apache httpclient generator #​23446
• [Java][WebClient][RestClient] Standardize useAbstractionForFiles behavior to use Resource interface #​23382
• feat(spring): enable openApiNullable with useJackson3 #​23331
• [java] [Spring] useJspecify for java clients and spring generator #​23256

Kotlin

• [KOTLIN-SPRING;JAVA-SPRING] chore: upgrade spring boot 3 to 3.3.13 version #​23591
• [KOTLIN-SPRING] Add oneOf sealed interface support with discriminator #​23574
• fix [Kotlin]: handle nullable response.body in jvm-okhttp ApiClient #​23515
• [kotlin-server] Fix class names for useTags #​23441
• fix(kotlin-spring): use Jackson 3 annotation package in model imports #​23406

PHP

• [PHP] Support map/object format for x-enum-varnames and x-enum-descriptions #​23540
• fix(php-symfony): enum $ref query params — short types and imports (#​23521) #​23525
• [php-nextgen] Fix validity checks for nullable properties that are required #​23419
• [php-nextgen] Remove invalid @​implements ArrayAccess tag in models with parents #​23418
• [Php] Fix form data field names to use spec-defined baseName #​23347
• [php-nextgen]: Fix imports for models with parent schema #​23317
• [php-nextgen]: Fix ArrayAccess parameter types #​23315

PowerShell

• [POWERSHELL] fix: single-quote DTO property names to prevent $-variable interpolation #​23624
• [PowerShell] Correct comment syntax in array query parameters #​23491

Python

• [PYTHON][bugfix] Fix python model dict array generation #​23538
• [PYTHON][bugfix] Fix missing post-params when content type is json #​23526
• [python] Add buildSystem option to support hatchling #​23483
• fix(python): Fix sanitize_for_serialization code generation for python client #​23415
• Drop python 3.9 and support python 3.14 in python generator #​22926

Rust

• fix(rust): use serde_repr for integer property enums #​23580
• [rust-axum] Fix uint32/uint64 type mapping #​23547
• feat(rust-server): refactor server module templates to avoid a monolithic run function. #​23432
• Feat: (Rust) Added chrono (date/date-time) support for Rust Generator #​23451

Scala

• [Fix][scala-sttp][circe] Add Base64OrArrayByteDecoder for format:byte and format:binary JSON properties #​23619
• [Fix][scala-sttp][circe] Add NaN-tolerant Decoder[Double] for non-finite values #​23611
• [feat][scala-sttp] Add oneOf and allOf discriminator support with sealed traits for circe generator #​23510
• Mark scala-finch generator as deprecated #​23484
• [Fix][scala-sttp][circe] Circe codecs do not preserve original JSON field names for non-camelCase properties #​23465

Swift

• [swift6] fix map nullable values #​23629

TypeScript

• Update axios to 1.15.2 #​23637
• fix(typescript-angular): handle Set in query parameter serialization #​23442
• fix(typescript-fetch): prevent HTML-escaping of pattern in validationAttributes #​23420
• [typescript-*]: Improve literal regexp for JSON MIME-type #​23319
• fix(typescript-fetch): remove barrel imports #​22706

v7.21.0: released

Compare Source

v7.21.0 stable release (breaking changes with fallbacks) comes with 190+ enhancements and bug fixes.

This release comes with 3 breaking changes (with fallback):

• Use Spring Boot 3.x by default (useSpringBoot3=true) #​23318
• Add option to fallback to non-pointer number, boolean types #​23197
• fix c-libcurl generator for int and boolean values by moving to int* #​23052

Below are the highlights of the changes. For a full list of changes, please refer to the "Pull Request" tab.

General

• Update jackson dependencies to newer versions #​23152
• fix: core: preserve OAS 3.1 numeric exclusive validation constraints in composed schemas #​23053
• fix: OAS3.1 deprecated property for array properties #​23019
• openapi-generator-gradle-plugin: upgrade Gradle to v8 #​22864
• (OpenAPINormalizer): Removed reset of OAS content #​22573

C

• Add option to fallback to non-pointer number, boolean types #​23197 (Breaking change (with fallback))
• fix c-libcurl generator for int and boolean values by moving to int* (Breaking change (with fallback)) #​23052

C#

• [C#] Fix invalid implicit casts #​23192
• [csharp] Fix/override central package versions for csharp test projects #​23092
• [csharp][generichost] Better file support #​22806

C++

• [cpp-qt-client] Remove deprecated SignalE/SignalEFull signals in API classes #​23113
• [cpp-qt-client] Optimize generated code #​23089
• [cpp-qt-client]Fix variable redeclarations in the api-body.mustache #​22982
• Move C++ virtual destructor definition to .cpp files #​21530

Dart

• [dart] Fix enum defaults, Object arrays, and nullable required assertions in native serialization #​23027
• [dart] Preserve inner generic type for Map<String, List> deserialization #​22717
• Add support for Optional in Dart generator (both dart and dart-dio) to distinguish absent, null, and present states #​22257

Go

• Update go client README to match modern module support #​23292

Java

• Use Spring Boot 3.x by default (useSpringBoot3=true) (Breaking change (with fallback)) #​23318
• Decommission springfox from spring generator #​23280
• fix(jaxrs): correct add/remove methods for JsonNullable<List> fields #​23258
• [Java] Optimize All Enum fromValue Mustache Templates #​23165
• Update jackson core in Java restclient to newer version #​23151
• [java][resttemplate] Add support for Jackson 3 and Spring Boot 4 in Java resttemplate #​23144
• [spring] Add an option "additionalNotNullAnnotations" to include additional NotNull annotations #​23096
• feature/jackson3 native #​23071
• feat(jackson3): add jackson3 support for Java Client generator - WebClient #​23031
• feature(jackson3) add jackson3 support for Java Client generator - Restclient #​23023
• fixes(spring) add JsonProperty on setter #​22978
• [java-spring] - add 'includeHttpRequestContext' additional property (option) defaulting to "true" for reactive and "false" for blocking to include ServerWebExchange/HttpServletRequest #​22910
• spring-http-interface: introduce springHttpClientAdapter, fix paramDoc.mustache #​19710

JavaScript

• [JS] Fix handling of oneOf when you have explicitly used a discriminator #​23026

Kotlin

• Decommission springfox from kotlin-spring generator [#​23283](htt

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

---

This change is 

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 5 package(s) with unknown licenses.

See the Details below.

License Issues

pom.xml

Package	Version	License	Issue Type
com.github.gantsign.maven:ktlint-maven-plugin	3.7.1	Null	Unknown License
com.nimbusds:oauth2-oidc-sdk	11.37.2	Null	Unknown License
org.apache.maven.plugins:maven-enforcer-plugin	3.6.3	Null	Unknown License
org.flywaydb:flyway-maven-plugin	12.8.1	Null	Unknown License
org.openapitools:openapi-generator-maven-plugin	7.23.0	Null	Unknown License

Allowed Licenses:

CC0-1.0, CC-BY-4.0, Unlicense, WTFPL, 0BSD, MIT, Apache-2.0, ISC, BSD-2-Clause, BSD-3-Clause, Zlib, MPL-1.1, MPL-2.0, CDDL-1.0, EPL-1.0, EPL-2.0, CECILL-2.1, LGPL-2.1-only, LGPL-2.1-or-later, LGPL-3.0-only, LGPL-3.0-or-later, EUPL-1.0, EUPL-1.1, EUPL-1.2, AAL, AFL-3.0, Apache-1.1, APL-1.0, APSL-2.0, Artistic-1.0-Perl, Artistic-2.0, BlueOak-1.0.0, BSL-1.0, CATOSL-1.1, CPAL-1.0, CUA-OPL-1.0, ECL-2.0, EFL-2.0, Entessa, EUDatagrid, Fair, LPPL-1.3c, LPL-1.02, MirOS, Motosoto, Multics, NASA-1.3, NCSA, NTP, Naumen, Nokia, PostgreSQL, PSF-2.0, RPSL-1.0, RSCPL, SimPL-2.0, Sleepycat, SPL-1.0, VSL-1.0, W3C, W3C-20150513, Xnet, ZPL-2.0

Excluded from license check:

pkg:githubactions/trufflesecurity/trufflehog, pkg:npm/knex, pkg:npm/mapbox-gl

OpenSSF Scorecard

Package	Version	Score	Details
maven/com.github.gantsign.maven:ktlint-maven-plugin	3.7.1	🟢 4.2	Details Check Score Reason Code-Review ⚠️ 0 Found 1/14 approved changesets -- score normalized to 0 Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy ⚠️ 0 security policy file not detected Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
maven/com.nimbusds:oauth2-oidc-sdk	11.37.2	Unknown	Unknown
maven/org.apache.maven.plugins:maven-enforcer-plugin	3.6.3	🟢 5.8	Details Check Score Reason Code-Review 🟢 7 Found 9/12 approved changesets -- score normalized to 7 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Maintained 🟢 10 14 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
maven/org.flywaydb:flyway-maven-plugin	12.8.1	🟢 4.7	Details Check Score Reason Maintained 🟢 9 11 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 9 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 0 Found 0/30 approved changesets -- score normalized to 0 Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected SAST ⚠️ 0 no SAST tool detected Binary-Artifacts 🟢 9 binaries present in source code Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
maven/org.mockito:mockito-core	5.23.0	🟢 7.3	Details Check Score Reason Code-Review 🟢 9 Found 19/20 approved changesets -- score normalized to 9 Maintained 🟢 10 13 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected Binary-Artifacts 🟢 10 no binaries found in the repo SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
maven/org.openapitools:openapi-generator-maven-plugin	7.23.0	🟢 5.7	Details Check Score Reason Code-Review 🟢 9 GitHub code reviews found for 28 commits out of the last 30 -- score normalized to 9 Maintained 🟢 10 30 commit(s) out of 30 and 4 issue activity out of 30 found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no badge detected Vulnerabilities 🟢 10 no vulnerabilities detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches Dependency-Update-Tool 🟢 10 update tool detected Packaging ⚠️ -1 no published package detected License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 non read-only tokens detected in GitHub workflows Security-Policy ⚠️ 0 security policy file not detected Pinned-Dependencies ⚠️ -1 internal error: error parsing shell code: modules/openapi-generator/src/main/resources/bash/Dockerfile.mustache:1:9: reached EOF without closing quote ' Fuzzing ⚠️ 0 project is not fuzzed Binary-Artifacts ⚠️ 0 binaries present in source code
maven/org.postgresql:postgresql	42.7.11	🟢 7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10 Dependency-Update-Tool 🟢 10 update tool detected Code-Review ⚠️ 1 Found 3/23 approved changesets -- score normalized to 1 Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 9 SAST tool detected but not run on all commits Binary-Artifacts 🟢 8 binaries present in source code Signed-Releases ⚠️ 1 1 out of the last 5 releases have a total of 1 signed artifacts. Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches CI-Tests 🟢 9 22 out of 23 merged PRs checked by a CI test -- score normalized to 9 Contributors 🟢 10 project has 34 contributing companies or organizations
maven/org.springdoc:springdoc-openapi-starter-webmvc-ui	3.0.3	🟢 4.8	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 3 Found 8/21 approved changesets -- score normalized to 3 Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Maintained 🟢 10 28 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• pom.xml