v0.13.2

Various bug fixes in this release and better JSpecify support.

• Fix for explicitly-typed lambda parameters in JDK 24+ (#​1452)
• Improve handling of wildcard upper bounds in generic method inference by @​dhruv-agr (#​1454)
• Add default support for @​PostConstruct as an initializer annotation (#​1459)
• Include nested annotation information in astubx files when loading external library models by @​haewiful (#​1456)
• JSpecify: assume NONNULL in generic method inference for unconstrained type variables (#​1471)
• JSpecify: improve inference for generic methods based on method reference arguments (#​1438)
• Improve printing of annotated type variables in error messages (#​1478)
• Initial handling of constructor diamond operators (#​1464)
• Handle restrictive type-use @NonNull annotations on varargs array (#​1484)
• Test case for issue 1493 (#​1496)
• Fix library modeling for varargs arrays (#​1485)
• Re-introduce annotations elided by javac for certain cases (#​1473)
• JDK javac plugin: properly handle nested annotations on array parameter types and varargs (#​1497)
• Print only @Nullable type use annotations in error messages (#​1507)
• Better handling of method references passed to generic methods in JSpecify mode (#​1499)
• Support for Spring's @​Value annotation (#​1505)
• Fix crash with captured array types (#​1508)
• Maintenance
  • Update comments in NullabilityUtil#hasAnyAnnotationMatching (#​1457)
  • Update to Gradle 9.3.1 (#​1458)
  • Update to Error Prone 2.47.0 (#​1461)
  • Switch InvocationAndContext to be a record (#​1463)
  • Upgrade GitHub Actions for Node 24 compatibility by @​salmanmkc (#​1465)
  • Upgrade GitHub Actions to latest versions by @​salmanmkc (#​1466)
  • Bump various dependencies (#​1469)
  • Use text blocks in CustomLibraryModelsTests (#​1482)
  • Update Error Prone and EP plugin (#​1486)
  • Update to Gradle 9.4.0 (#​1491)
  • Minor cleanup, no behavior changes by @​armandino (#​1487)
  • Update to Error Prone 2.49.0 (#​1514)

v2.35.2

Compare Source

v2.35.1: - Security Release

Compare Source

🔒 This is a security release that addresses the following issues

• CVE-2023-41327 - Controlled SSRF through URL in the WireMock Webhooks Extension and WireMock Studio
  • Overall CVSS Score: 4.6 (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L/E:F/RL:O/RC:C)
• CVE-2023-41329 - Domain restrictions bypass via DNS
  Rebinding in WireMock and WireMock Studio webhooks, proxy and recorder modes
  • Overall CVSS Score: 3.9 (AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C)

NOTE: WireMock Studio, a proprietary distribution discontinued in 2022, is also affected by those issues and also affected by CVE-2023-39967 - Overall CVSS Score 8.6 - “Controlled and full-read SSRF through URL parameter when testing a request, webhooks and proxy mode”. The fixes will not be provided. The vendor recommends migrating to WireMock Cloud which is available as SaaS and private beta for on-premises deployments

Credits: @​W0rty, @​numacanedo, @​Mahoney, @​tomakehurst, @​oleg-nenashev

v1.16.5: 1.16.5

🐞 Bug Fixes

• Invalid reflection hint in micrometer-core for native GraalVM 25 build #​7316
• ObservationGrpcClientInterceptor throws NPE when NameResolver returns empty authority #​7380
• Wrong Nullability Information in OkHttpMetricsEventListener #​7373

🔨 Dependency Upgrades

• Bump com.netflix.spectator:spectator-reg-atlas from 1.9.4 to 1.9.6 #​7393
• Bump spring6 from 6.2.16 to 6.2.17 #​7294

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Joowon-Seo, and @​ribafish