
deps(webgoat): bump the maven-minor-patch group in /WebGoat with 16 updates #7

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/maven/WebGoat/maven-minor-patch-ed06f63033

dependabot[bot] commented on behalf of github on Dec 6, 2025

Bumps the maven-minor-patch group in /WebGoat with 16 updates:

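| Package | From | To |
| --- | --- | --- |
| [org.springframework.boot:spring-boot-starter-parent](https://github.com/spring-projects/spring-boot) | `3.5.6` | `3.5.8` |
| [org.apache.commons:commons-exec](https://github.com/apache/commons-exec) | `1.5.0` | `1.6.0` |
| [org.asciidoctor:asciidoctorj](https://github.com/asciidoctor/asciidoctorj) | `3.0.0` | `3.0.1` |
| [org.jsoup:jsoup](https://github.com/jhy/jsoup) | `1.19.1` | `1.21.2` |
| [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) | `1.4.5` | `1.4.21` |
| [io.jsonwebtoken:jjwt](https://github.com/jwtk/jjwt) | `0.9.1` | `0.13.0` |
| [commons-io:commons-io](https://github.com/apache/commons-io) | `2.20.0` | `2.21.0` |
| [org.bitbucket.b_c:jose4j](https://bitbucket.org/b_c/jose4j) | `0.9.3` | `0.9.6` |
| [org.webjars:bootstrap](https://github.com/webjars/bootstrap) | `5.3.5` | `5.3.8` |
| [org.wiremock:wiremock-standalone](https://github.com/wiremock/wiremock) | `3.13.1` | `3.13.2` |
| [io.github.bonigarcia:webdrivermanager](https://github.com/bonigarcia/webdrivermanager) | `6.3.2` | `6.3.3` |
| org.jruby:jruby | `10.0.0.1` | `10.0.2.0` |
| [com.microsoft.playwright:playwright](https://github.com/microsoft/playwright-java) | `1.55.0` | `1.57.0` |
| [com.diffplug.spotless:spotless-maven-plugin](https://github.com/diffplug/spotless) | `2.44.4` | `2.46.1` |
| [org.apache.maven.plugins:maven-enforcer-plugin](https://github.com/apache/maven-enforcer) | `3.6.1` | `3.6.2` |
| [org.apache.maven.plugins:maven-compiler-plugin](https://github.com/apache/maven-compiler-plugin) | `3.14.0` | `3.14.1` |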

Updates org.springframework.boot:spring-boot-starter-parent from 3.5.6 to 3.5.8

Release notes

Sourced from org.springframework.boot:spring-boot-starter-parent's releases.

v3.5.8

⚠️ Noteworthy changes

🐞 Bug Fixes

  • Gradle war task does not exclude starter POMs from lib-provided #48196
  • Testcontainers integration fails on Docker 29.0.0 #48192
  • SslMeterBinder doesn't register metrics for dynamically added bundles if no bundles exist at bind time #48180
  • Properties bound in the child management context ignore the parent's environment prefix #48176
  • ssl.chain.expiry metrics doesn't update for dynamically registered SSL bundles #48153
  • Auto-configuration exclusions are checked using a different class loader to the one that loads auto-configuration classes #48129
  • New arm64 macbooks fail to bootBuildImage due to incorrect platform image #48127
  • NullPointerException when using @ConditionalOnSingleCandidate with multiple manually registered singletons #48123
  • Buildpack fails with recent Docker installs due to hardcoded version in URL #48102
  • Image building may fail when specifying a platform if an image has already been built with a different platform #48098
  • Undertow's ServletContext is destroyed too early, making it unusable in @PreDestroy methods #48061
  • PortInUseException incorrectly thrown on failure to bind port due to Netty IP misconfiguration #48058
  • Auto-configured JCacheMetrics cannot be customized #48056
  • WebSecurityCustomizer beans are excluded by WebMvcTest #48054
  • Devtools Restarter does not work with a parameterless main method #47987
  • Setting 'max-uri-tags' does not prevent unlimited meter growth on any AutoConfiguredCompositeMeterRegistry #47923
  • Docker response 407 is not handled correctly resulting in no error message #47900
  • spring-boot-maven-plugin process-aot goal does not find package-private main method #47780

📔 Documentation

  • Revise AWS section of "Deploying to the Cloud" in reference manual #48156
  • Fix typo in PortInUseException Javadoc #48133
  • Correct section about required setters in "Type-safe Configuration Properties" #48130
  • Document EndpointObjectMapper and management.endpoints.jackson.isolated-object-mapper #48114
  • Document support for configuring servlet context init parameters using properties #48111
  • Clarify how warnings about soon-to-expire SSL certificates are reported #48062
  • Document how to use ContextPropagatingTaskDecorator for propagating trace context over thread boundaries #48052
  • Use since attribute in configuration properties deprecation consistently #47980
  • BootstrapContext#getOrElseThrow has incorrect reference to IllegalStateException #47905
  • Clarify when BootstrapContext get methods may return null rather than throwing an exception or calling the fallback supplier #47898
  • Document that Actuator endpoint may have at most one extension of each type #47873
  • Limit Kotlin API documentation to Kotlin-specific APIs #47859
  • Adapt AOTCache documentation to JEP 514 #47274

🔨 Dependency Upgrades

  • Downgrade to Cassandra Driver 4.19.0 #47926
  • Upgrade to AspectJ 1.9.25 #48005
  • Upgrade to Caffeine 3.2.3 #48006
  • Upgrade to Cassandra Driver 4.19.2 #48183
  • Upgrade to DB2 JDBC 12.1.3.0 #48083
  • Upgrade to Hibernate 6.6.36.Final #48148

... (truncated)

Commits
  • 17f22c3 Release v3.5.8
  • 4f03b44 Merge branch '3.4.x' into 3.5.x
  • 3d15c13 Next development version (v3.4.13-SNAPSHOT)
  • 3b539aa Merge branch '3.4.x' into 3.5.x
  • ee70d55 Upgrade to Spring Framework 6.2.14
  • f7b4a8b Merge branch '3.4.x' into 3.5.x
  • 4a8d01d Exclude starter POMs from lib-provided when using Gradle
  • 0bb0d53 Merge branch '3.4.x' into 3.5.x
  • 4625534 Force Testcontainers Docker API version for Docker 29.0.0+ compatibility
  • 7891ebf Merge branch '3.4.x' into 3.5.x
  • Additional commits viewable in compare view

Updates org.apache.commons:commons-exec from 1.5.0 to 1.6.0

Changelog

Sourced from org.apache.commons:commons-exec's changelog.

Apache Commons Exec 1.6.0 Release Notes

The Apache Commons Exec team is pleased to announce the release of Apache Commons Exec 1.6.0.

Apache Commons Exec is a library that reliably executes external processes from within the JVM.

This is a feature and maintenance release. Java 8 or later is required.

Changes in this version include:

New features:

  • TimeoutObserver now extends Consumer. Thanks to Gary Gregory.
  • Add org.apache.commons.exec.Watchdog.getTimeout(). Thanks to Gary Gregory.

Fixed Bugs:

  • Watchdog.builder().get() now uses a default timeout of 30 seconds instead of throwing a NullPointerException. Thanks to Gary Gregory.
  • ExecuteWatchdog.builder().get() now uses a default timeout of 30 seconds instead of throwing a NullPointerException. Thanks to Gary Gregory.
  • Calling org.apache.commons.exec.Watchdog.Builder.setTimeout(Duration) with null now resets to the default INFINITE_TIMEOUT_DURATION timeout. Thanks to Gary Gregory.
  • Calling org.apache.commons.exec.ExecuteWatchdog.Builder.setTimeout(Duration) with null now resets to the default INFINITE_TIMEOUT_DURATION timeout. Thanks to Gary Gregory.
  • Calling org.apache.commons.exec.Watchdog.Builder.setThreadFactory(ThreadFactory) with null now resets to the default java.util.concurrent.Executors.defaultThreadFactory(). Thanks to Gary Gregory.
  • Calling org.apache.commons.exec.ExecuteWatchdog.Builder.setThreadFactory(ThreadFactory) with null now resets to the default java.util.concurrent.Executors.defaultThreadFactory(). Thanks to Gary Gregory.
  • Fix Checkstyle issues. Thanks to Gary Gregory.
  • Fix StringUtils.quoteArgument(String) when input contains single and double quotes #309. Thanks to Xin Wang, Sebb, Gary Gregory.
  • Fix Apache RAT plugin console warnings. Thanks to Gary Gregory.

Changes:

  • Bump org.apache.commons:commons-parent from 83 to 93 #299, #308, #314, #316. Thanks to Dependabot, Gary Gregory.
  • Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.20.0 #282. Thanks to Dependabot, Gary Gregory.

Historical list of changes: https://commons.apache.org/proper/commons-exec//changes.html

For complete information on Apache Commons Exec, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Commons Exec website:

https://commons.apache.org/proper/commons-exec/

Download page: https://commons.apache.org/proper/commons-exec//download_exec.cgi

Have fun! -Apache Commons Team


Commits

Updates org.asciidoctor:asciidoctorj from 3.0.0 to 3.0.1

Release notes

Sourced from org.asciidoctor:asciidoctorj's releases.

v3.0.1

Documentation

  • cli.adoc - describe how to run AsciidoctorJ using JBang

Improvements

  • Upgrade to asciidoctorj-pdf 2.3.26 (#1316)
  • Upgrade to asciidoctorj-epub 2.2.0 (#1300)
  • Upgrade to asciidoctorj-diagram 3.0.1 (#1316)
  • Upgrade to asciidoctorj-revealjs 5.2.0 (#1300)
  • Upgrade to JRuby 9.4.14.0 (#1313)

Bug Fixes

Build Improvement

  • Move to new plugin suite org.ysb33r.jruby for installing ruby gems (#1293)
  • Upgrade build to Gradle 8.12 (#1293)
  • Upgrade gh action upload-artifact to v4 (#1294)

New Contributors

Full Changelog: asciidoctor/asciidoctorj@v3.0.0...v3.0.1

Changelog

Sourced from org.asciidoctor:asciidoctorj's changelog.

== 3.0.1 (2025-11-06)

Documentation::

  • cli.adoc - describe how to run AsciidoctorJ using JBang

Improvements::

  • Upgrade to asciidoctorj-pdf 2.3.26 (#1316)
  • Upgrade to asciidoctorj-epub 2.2.0 (#1300)
  • Upgrade to asciidoctorj-diagram 3.0.1 (#1316)
  • Upgrade to asciidoctorj-revealjs 5.2.0 (#1300)
  • Upgrade to JRuby 9.4.14.0 (#1313)

Bug Fixes::

Build Improvement::

  • Move to new plugin suite org.ysb33r.jruby for installing ruby gems (#1293)
  • Upgrade build to Gradle 8.12 (#1293)
  • Upgrade gh action upload-artifact to v4 (#1294)
Commits

Updates org.jsoup:jsoup from 1.19.1 to 1.21.2

Release notes

Sourced from org.jsoup:jsoup's releases.

jsoup 1.21.2

jsoup 1.21.2 is out now, adding support for custom SSLContext in HTTP/2 connections, and improving consistency in how user data is handled in attributes. It also brings performance gains in DOM manipulation and fragment parsing, and fixes several edge cases in stream parsing, traversal, cloning, and concurrent reads.

jsoup is a Java library for working with real-world HTML and XML. It provides a very convenient API for extracting and manipulating data, using the best of HTML5 DOM methods and CSS selectors.

Changes

  • Deprecated internal (yet visible) methods Normalizer#normalize(String, bool) and Attribute#shouldCollapseAttribute(Document.OutputSettings). These will be removed in a future version.
  • Deprecated Connection#sslSocketFactory(SSLSocketFactory) in favor of the new Connection#sslContext(SSLContext). Using sslSocketFactory will force the use of the legacy HttpUrlConnection implementation, which does not support HTTP/2. #2370

Improvements

  • When pretty-printing, if there are consecutive text nodes (via DOM manipulation), the non-significant whitespace between them will be collapsed. #2349.
  • Updated Connection.Response#statusMessage() to return a simple loggable string message (e.g. "OK") when using the HttpClient implementation, which doesn't otherwise return any server-set status message. #2356
  • Attributes#size() and Attributes#isEmpty() now exclude any internal attributes (such as user data) from their count. This aligns with the attributes' serialized output and iterator. #2369
  • Added Connection#sslContext(SSLContext) to provide a custom SSL (TLS) context to requests, supporting both the HttpClient and the legacy HttpUrlConnection implementations. #2370
  • Performance optimizations for DOM manipulation methods including when repeatedly removing an element's first child (element.child(0).remove()), and when using Parser#parseBodyFragment() to parse a large number of direct children. #2373.

Bug Fixes

  • When parsing from an InputStream and a multibyte character happened to straddle a buffer boundary, the stream would not be completely read. #2353.
  • In NodeTraversor, if a last child element was removed during the head() call, the parent would be visited twice. #2355.
  • Cloning an Element that has an Attributes object would add an empty internal user-data attribute to that clone, which would cause unexpected results for Attributes#size() and Attributes#isEmpty(). #2356
  • In a multithreaded application where multiple threads are calling Element#children() on the same element concurrently, a race condition could happen when the method was generating the internal child element cache (a filtered view of its child nodes). Since concurrent reads of DOM objects should be threadsafe without external synchronization, this method has been updated to execute atomically. #2366
  • When parsing HTML with svg:script elements in SVG elements, don't enter the Text insertion mode, but continue to parse as foreign content. Otherwise, misnested HTML could then cause an IndexOutOfBoundsException. #2374
  • Malformed HTML could throw an IndexOutOfBoundsException during the adoption agency. #2377.

jsoup 1.21.1

jsoup 1.21.1 is out now, featuring powerful new node selection capabilities that let you target specific DOM nodes like comments and text nodes using CSS selectors, dynamic tag customization through the new TagSet callback system, and improved defense against mutation XSS attacks with simplified attribute escaping. This release also brings HTTP/2 support by default, numerous API improvements for better developer experience, and fixes for several edge-case parsing issues.

jsoup is a Java library for working with real-world HTML and XML. It provides a very convenient API for extracting and manipulating data, using the best of HTML5 DOM methods and CSS selectors.

Changes

  • Removed previously deprecated methods. #2317
  • Deprecated the :matchText pseudo-selector due to its side effects on the DOM; use the new ::textnode selector and the Element#selectNodes(String css, Class<T> type) method instead. #2343
  • Deprecated Connection.Response#bufferUp() in lieu of Connection.Response#readFully() which can throw a checked IOException.
  • Deprecated internal methods Validate#ensureNotNull(Object) (replaced by typed Validate#expectNotNull(T)); protected HTML appenders from Attribute and Node.
  • If you happen to be using any of the deprecated methods, please take the opportunity now to migrate away from them, as they will be removed in a future release.

Improvements

  • Enhanced the Selector to support direct matching against nodes such as comments and text nodes. For example, you can now find an element that follows a specific comment: ::comment:contains(prices) + p will select p elements immediately after a <!-- prices: --> comment. Supported types include ::node, ::leafnode, ::comment, ::text, ::data, and ::cdata. Node contextual selectors like ::node:contains(text), :matches(regex), and :blank are also supported. Introduced Element#selectNodes(String css) and Element#selectNodes(String css, Class<T> nodeType) for direct node selection. #2324
  • Added TagSet#onNewTag(Consumer<Tag> customizer): register a callback that’s invoked for each new or cloned Tag when it’s inserted into the set. Enables dynamic tweaks of tag options (for example, marking all custom tags as self-closing, or everything in a given namespace as preserving whitespace). #2330
  • Made TokenQueue and CharacterReader autocloseable, to ensure that they will release their buffers back to the buffer pool, for later reuse.
  • Added Selector#evaluatorOf(String css), as a clearer way to obtain an Evaluator from a CSS query. An alias of QueryParser.parse(String css).
  • Custom tags (defined via the TagSet) in a foreign namespace (e.g. SVG) can be configured to parse as data tags.
  • Added NodeVisitor#traverse(Node) to simplify node traversal calls (vs. importing NodeTraversor).
  • Updated the default user-agent string to improve compatibility. #2341
  • The HTML parser now allows the specific text-data type (Data, RcData) to be customized for known tags. (Previously, that was only supported on custom tags.) #2326
  • Added Connection.Response#readFully() as a replacement for Connection.Response#bufferUp() with an explicit IOException. Similarly, added Connection.Response#readBody() over Connection.Response#body(). Deprecated Connection.Response#bufferUp(). #2327
  • When serializing HTML, the < and > characters are now escaped in attributes. This helps prevent a class of mutation XSS attacks. #2337
  • Changed Connection to prefer using the JDK's HttpClient over HttpUrlConnection, if available, to enable HTTP/2 support by default. Users can disable via -Djsoup.useHttpClient=false. #2340

Bug Fixes

... (truncated)

Changelog

Sourced from org.jsoup:jsoup's changelog.

1.21.2 (2025-Aug-25)

Changes

  • Deprecated internal (yet visible) methods Normalizer#normalize(String, bool) and Attribute#shouldCollapseAttribute(Document.OutputSettings). These will be removed in a future version.
  • Deprecated Connection#sslSocketFactory(SSLSocketFactory) in favor of the new Connection#sslContext(SSLContext). Using sslSocketFactory will force the use of the legacy HttpUrlConnection implementation, which does not support HTTP/2. #2370

Improvements

  • When pretty-printing, if there are consecutive text nodes (via DOM manipulation), the non-significant whitespace between them will be collapsed. #2349.
  • Updated Connection.Response#statusMessage() to return a simple loggable string message (e.g. "OK") when using the HttpClient implementation, which doesn't otherwise return any server-set status message. #2356
  • Attributes#size() and Attributes#isEmpty() now exclude any internal attributes (such as user data) from their count. This aligns with the attributes' serialized output and iterator. #2369
  • Added Connection#sslContext(SSLContext) to provide a custom SSL (TLS) context to requests, supporting both the HttpClient and the legacy HttpUrlConnection implementations. #2370
  • Performance optimizations for DOM manipulation methods including when repeatedly removing an element's first child (element.child(0).remove()), and when using Parser#parseBodyFragment() to parse a large number of direct children. #2373.

Bug Fixes

  • When parsing from an InputStream and a multibyte character happened to straddle a buffer boundary, the stream would not be completely read. #2353.
  • In NodeTraversor, if a last child element was removed during the head() call, the parent would be visited twice. #2355.
  • Cloning an Element that has an Attributes object would add an empty internal user-data attribute to that clone, which would cause unexpected results for Attributes#size() and Attributes#isEmpty(). #2356
  • In a multithreaded application where multiple threads are calling Element#children() on the same element concurrently, a race condition could happen when the method was generating the internal child element cache (a filtered view of its child nodes). Since concurrent reads of DOM objects should be threadsafe without external synchronization, this method has been updated to execute atomically. #2366
  • When parsing HTML with svg:script elements in SVG elements, don't enter the Text insertion mode, but continue to parse as foreign content. Otherwise, misnested HTML could then cause an IndexOutOfBoundsException. #2374
  • Malformed HTML could throw an IndexOutOfBoundsException during the adoption agency. #2377.

1.21.1 (2025-Jun-23)

Changes

  • Removed previously deprecated methods. #2317
  • Deprecated the :matchText pseudo-selector due to its side effects on the DOM; use the new ::textnode selector and the Element#selectNodes(String css, Class type) method instead. #2343
  • Deprecated Connection.Response#bufferUp() in lieu of Connection.Response#readFully() which can throw a checked IOException.
  • Deprecated internal methods Validate#ensureNotNull (replaced by typed Validate#expectNotNull); protected HTML appenders from Attribute and Node.
  • If you happen to be using any of the deprecated methods, please take the opportunity now to migrate away from them, as they will be removed in a future release.

Improvements

  • Enhanced the Selector to support direct matching against nodes such as comments and text nodes. For example, you can now find an element that follows a specific comment: ::comment:contains(prices) + p will select p elements immediately after a <!-- prices: --> comment. Supported types include ::node, ::leafnode, ::comment, ::text, ::data, and ::cdata. Node contextual selectors like ::node:contains(text), :matches(regex), and :blank are also supported. Introduced Element#selectNodes(String css) and Element#selectNodes(String css, Class nodeType) for direct node selection. #2324
  • Added TagSet#onNewTag(Consumer<Tag> customizer): register a callback that’s invoked for each new or cloned Tag when it’s inserted into the set. Enables dynamic tweaks of tag options (for example, marking all custom tags as self-closing, or everything in a given namespace as preserving whitespace).
  • Made TokenQueue and CharacterReader autocloseable, to ensure that they will release their buffers back to the buffer pool, for later reuse.
  • Added Selector#evaluatorOf(String css), as a clearer way to obtain an Evaluator from a CSS query. An alias of QueryParser.parse(String css).
  • Custom tags (defined via the TagSet) in a foreign namespace (e.g. SVG) can be configured to parse as data tags.
  • Added NodeVisitor#traverse(Node) to simplify node traversal calls (vs. importing NodeTraversor).
  • Updated the default user-agent string to improve compatibility. #2341
  • The HTML parser now allows the specific text-data type (Data, RcData) to be customized for known tags. (Previously, that was only supported on custom tags.) #2326.
  • Added Connection#readFully() as a replacement for Connection#bufferUp() with an explicit IOException. Similarly, added Connection#readBody() over Connection#body(). Deprecated Connection#bufferUp(). #2327
  • When serializing HTML, the < and > characters are now escaped in attributes. This helps prevent a class of mutation XSS attacks. #2337
  • Changed Connection to prefer using the JDK's HttpClient over HttpUrlConnection, if available, to enable HTTP/2 support by default. Users can disable via -Djsoup.useHttpClient=false. #2340

Bug Fixes

  • The contents of a script in a svg foreign context should be parsed as script data, not text. #2320
  • Tag#isFormSubmittable() was updating the Tag's options. #2323
  • The HTML pretty-printer would incorrectly trim whitespace when text followed an inline element in a block element. #2325
  • Custom tags with hyphens or other non-letter characters in their names now work correctly as Data or RcData tags. Their closing tags are now tokenized properly. #2332
  • When cloning an Element, the clone would retain the source's cached child Element list (if any), which could lead to incorrect results when modifying the clone's child elements. #2334

... (truncated)

Commits
  • b02837b [maven-release-plugin] prepare release jsoup-1.21.2
  • 1f0c207 v1.21.2 release date
  • b093463 Use central-publishing-maven-plugin
  • 615b959 Updating sonatype deploy URLs
  • 6961720 Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.11.2 to 3.11.3 (#2386)
  • 82864b2 Bump jetty.version from 9.4.57.v20241219 to 9.4.58.v20250814 (#2385)
  • 71f963e Fix for HTML that breaks the select scope
  • 6b20f6e Removed effective recursion closing </select>
  • eb2957a Bump actions/checkout from 4 to 5 (#2382)
  • 3a9a6c7 Fix ProxyTest in CI
  • Additional commits viewable in compare view

Updates com.thoughtworks.xstream:xstream from 1.4.5 to 1.4.21

Commits

Updates io.jsonwebtoken:jjwt from 0.9.1 to 0.13.0

Release notes

Sourced from io.jsonwebtoken:jjwt's releases.

0.13.0

This is the last minor JJWT release branch that will support Java 7.

Any necessary emergency bug fixes will be fixed in subsequent 0.13.x patch releases, but all new development, including Java 8 compatible changes, will be in the next minor (0.14.0) release.

All future JJWT major and minor versions (0.14.0 and later) will require Java 8 or later.

What's Changed

This release contains a single change:

  • The previously private JacksonDeserializer(ObjectMapper objectMapper, Map<String, Class<?>> claimTypeMap) constructor is now public for those that want to register a claims type converter on their own specified ObjectMapper instance. Thank you to @kesrishubham2510 for PR #972. See Issue 914.

Full Changelog: jwtk/jjwt@0.12.7...0.13.0

0.12.7

This patch release:

  • Adds a new Maven BOM! This is useful for multi-module projects. See Issue 967.

  • Allows the JwtParserBuilder to have empty nested algorithm collections, effectively disabling the parser's associated feature:

    • Emptying the zip() nested collection disables JWT decompression.
    • Emptying the sig() nested collection disables JWS mac/signature verification (i.e. all JWSs will be unsupported/rejected).
    • Emptying either the enc() or key() nested collections disables JWE decryption (i.e. all JWEs will be unsupported/rejected)

    See Issue 996.

  • Fixes bug 961 where JwtParserBuilder nested collection builders were not correctly replacing algorithms with the same id.

  • Ensures a JwkSet's keys collection is no longer entirely secret/redacted by default. This was an overzealous default that was unnecessarily restrictive; the keys collection itself should always be public, and each individual key within should determine which fields should be redacted when printed. See Issue 976.

  • Improves performance slightly by ensuring all jjwt-api utility methods that create *Builder instances (Jwts.builder(), Jwts.parserBuilder(), Jwks.builder(), etc) no longer use reflection.

    Instead, static factories are created via reflection only once during initial jjwt-api classloading, and then *Builders are created via standard instantiation using the new operator thereafter. This also benefits certain environments that may not have ideal ClassLoader implementations (e.g. Tomcat in some cases).

    NOTE: because this changes which classes are loaded via reflection, any environments that must explicitly reference reflective class names (e.g. GraalVM applications) will need to be updated to reflect the new factory class names.

    See Issue 988.

  • Upgrades the Gson dependency to 2.11.0

  • Upgrades the BouncyCastle dependency to 1.78.1

New Contributors

Full Changelog: jwtk/jjwt@0.12.6...0.12.7

0.12.6

This patch release:

  • Ensures that after successful JWS signature verification, an application-configured Base64Url Decoder output is used to construct a Jws instance (instead of JJWT's default decoder). See jwtk/jjwt#947.

... (truncated)

Changelog

Sourced from io.jsonwebtoken:jjwt's changelog.

0.13.0

This is the last minor JJWT release branch that will support Java 7. Any necessary emergency bug fixes will be fixed in subsequent 0.13.x patch releases, but all new development, including Java 8 compatible changes, will be in the next minor (0.14.0) release.

All future JJWT major and minor versions (0.14.0 and later) will require Java 8 or later.

This 0.13.0 minor release has only one change:

  • The previously private JacksonDeserializer(ObjectMapper objectMapper, Map<String, Class<?>> claimTypeMap) constructor is now public for those that want to register a claims type converter on their own specified ObjectMapper instance. See Issue 914.

0.12.7

This patch release:

  • Adds a new Maven BOM, useful for multi-module projects. See Issue 967.

  • Allows the JwtParserBuilder to have empty nested algorithm collections, effectively disabling the parser's associated feature:

    • Emptying the zip() nested collection disables JWT decompression.
    • Emptying the sig() nested collection disables JWS mac/signature verification (i.e. all JWSs will be unsupported/rejected).
    • Emptying either the enc() or key() nested collections disables JWE decryption (i.e. all JWEs will be unsupported/rejected)

    See Issue 996.

  • Fixes bug 961 where JwtParserBuilder nested collection builders were not correctly replacing algorithms with the same id.

  • Ensures a JwkSet's keys collection is no longer entirely secret/redacted by default. This was an overzealous default that was unnecessarily restrictive; the keys collection itself should always be public, and each individual key within should determine which fields should be redacted when printed. See Issue 976.

  • Improves performance slightly by ensuring all jjwt-api utility methods that create *Builder instances (Jwts.builder(), Jwts.parserBuilder(), Jwks.builder(), etc) no longer use reflection.

    Instead, static factories are created via reflection only once during initial jjwt-api classloading, and then *Builders are created via standard instantiation using the new operator thereafter. This also benefits certain environments that may not have ideal ClassLoader implementations (e.g. Tomcat in some cases).

    NOTE: because this changes which classes are loaded via reflection, any environments that must explicitly reference reflective class names (e.g. GraalVM applications) will need to be updated to reflect the new factory class names.

    See Issue 988.

  • Upgrades the Gson dependency to 2.11.0

  • Upgrades the BouncyCastle dependency to 1.78.1

0.12.6

This patch release:

  • Ensures that after successful JWS signature verification, an application-configured Base64Url Decoder output is used to construct a Jws instance (instead of JJWT's default decoder). See Issue 947.
  • Fixes a decompression memory leak in concurrent/multi-threaded environments introduced in 0.12.0 when decompressing JWTs with a zip header of GZIP. See Issue 949.
  • Upgrades BouncyCastle to 1.78 via PR 941.
  • Ensures that a JwkSet's keys list member is no longer considered secret and is not redacted by default. However, each individual JWK element within the keys list may still have redacted private or secret members as expected. See Issue 976.

0.12.5

This patch release:

  • Ensures that builders' NestedCollection changes are applied to the collection immediately as mutation methods are called, no longer

... (truncated)

Commits

Updates commons-io:commons-io from 2.20.0 to 2.21.0

Changelog

Sourced from commons-io:commons-io's changelog.

Apache Commons IO 2.21.0 Release Notes

The Apache Commons IO team is pleased to announce the release of Apache Commons IO 2.21.0.

Introduction

The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

Version 2.21.0: Java 8 or later is required.

New features

  • FileUtils#byteCountToDisplaySize() supports Zettabyte, Yottabyte, Ronnabyte and Quettabyte #763. Thanks to strangelookingnerd, Gary Gregory.
  • Add org.apache.commons.io.FileUtils.ONE_RB #763. Thanks to strangelookingnerd, Gary Gregory.
  • Add org.apache.commons.io.FileUtils.ONE_QB #763. Thanks to strangelookingnerd, Gary Gregory.
  • Add org.apache.commons.io.output.ProxyOutputStream.writeRepeat(byte[], int, int, long). Thanks to Gary Gregory.
  • Add org.apache.commons.io.output.ProxyOutputStream.writeRepeat(byte[], long). Thanks to Gary Gregory.
  • Add org.apache.commons.io.output.ProxyOutputStream.writeRepeat(int, long). Thanks to Gary Gregory.
  • Add length unit support in FileSystem limits. Thanks to Piotr P. Karwasz.
  • Add IOUtils.toByteArray(InputStream, int, int) for safer chunked reading with size validation. Thanks to Piotr P. Karwasz.
  • Add org.apache.commons.io.file.PathUtils.getPath(String, String). Thanks to Gary Gregory.
  • Add org.apache.commons.io.channels.ByteArraySeekableByteChannel. Thanks to Gary Gregory.
  • Add IOIterable.asIterable(). Thanks to Gary Gregory.
  • Add NIO channel support to AbstractStreamBuilder. Thanks to Piotr P. Karwasz.
  • Add CloseShieldChannel to close-shielded NIO Channels #786. Thanks to Piotr P. Karwasz.
  • Added IOUtils.checkFromIndexSize as a Java 8 backport of Objects.checkFromIndexSize #790. Thanks to Piotr P. Karwasz.

Fixed Bugs

  • When testing on Java 21 and up, enable -XX:+EnableDynamicAgentLoading. Thanks to Gary Gregory.
  • When testing on Java 24 and up, don't fail FileUtilsListFilesTest for a different behavior in the JRE. Thanks to Gary Gregory.
  • ValidatingObjectInputStream does not validate dynamic proxy interfaces. Thanks to Stanislav Fort, Gary Gregory.
  • BoundedInputStream.getRemaining() now reports Long.MAX_VALUE instead of 0 when no limit is set. Thanks to Piotr P. Karwasz.
  • BoundedInputStream.available() correctly accounts for the maximum read limit. Thanks to Piotr P. Karwasz.
  • Deprecate IOUtils.readFully(InputStream, int) in favor of toByteArray(InputStream, int). Thanks to Gary Gregory, Piotr P. Karwasz.
  • IOUtils.toByteArray(InputStream) now throws IOException on byte array overflow. Thanks to Piotr P. Karwasz.
  • Javadoc general improvements. Thanks to Gary Gregory, Piotr P. Karwasz.
  • IOUtils.toByteArray() now throws EOFException when not enough data is available #796. Thanks to Piotr P. Karwasz.
  • Fix IOUtils.skip() usage in concurrent scenarios. Thanks to Piotr P. Karwasz.
  • [javadoc] Fix XmlStreamReader Javadoc to indicate the correct class that is built #806. Thanks to J Hawkins.

Changes

o Bump org.apache.commons:commons-parent from 85 to 91 #774, #783, #808. Thanks to Gary Gregory, Dependabot.

... (truncated)

Commits

Updates org.bitbucket.b_c:jose4j from 0.9.3 to 0.9.6

Commits
  • 1ec20f8 [maven-release-plugin] prepare for next development iteration

Bumps the maven-minor-patch group in /WebGoat with 16 updates:

| Package | From | To |
| --- | --- | --- |
| [org.springframework.boot:spring-boot-starter-parent](https://github.com/spring-projects/spring-boot) | `3.5.6` | `3.5.8` |
| [org.apache.commons:commons-exec](https://github.com/apache/commons-exec) | `1.5.0` | `1.6.0` |
| [org.asciidoctor:asciidoctorj](https://github.com/asciidoctor/asciidoctorj) | `3.0.0` | `3.0.1` |
| [org.jsoup:jsoup](https://github.com/jhy/jsoup) | `1.19.1` | `1.21.2` |
| [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) | `1.4.5` | `1.4.21` |
| [io.jsonwebtoken:jjwt](https://github.com/jwtk/jjwt) | `0.9.1` | `0.13.0` |
| [commons-io:commons-io](https://github.com/apache/commons-io) | `2.20.0` | `2.21.0` |
| [org.bitbucket.b_c:jose4j](https://bitbucket.org/b_c/jose4j) | `0.9.3` | `0.9.6` |
| [org.webjars:bootstrap](https://github.com/webjars/bootstrap) | `5.3.5` | `5.3.8` |
| [org.wiremock:wiremock-standalone](https://github.com/wiremock/wiremock) | `3.13.1` | `3.13.2` |
| [io.github.bonigarcia:webdrivermanager](https://github.com/bonigarcia/webdrivermanager) | `6.3.2` | `6.3.3` |
| org.jruby:jruby | `10.0.0.1` | `10.0.2.0` |
| [com.microsoft.playwright:playwright](https://github.com/microsoft/playwright-java) | `1.55.0` | `1.57.0` |
| [com.diffplug.spotless:spotless-maven-plugin](https://github.com/diffplug/spotless) | `2.44.4` | `2.46.1` |
| [org.apache.maven.plugins:maven-enforcer-plugin](https://github.com/apache/maven-enforcer) | `3.6.1` | `3.6.2` |
| [org.apache.maven.plugins:maven-compiler-plugin](https://github.com/apache/maven-compiler-plugin) | `3.14.0` | `3.14.1` |


Updates `org.springframework.boot:spring-boot-starter-parent` from 3.5.6 to 3.5.8
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.6...v3.5.8)

Updates `org.apache.commons:commons-exec` from 1.5.0 to 1.6.0
- [Changelog](https://github.com/apache/commons-exec/blob/master/RELEASE-NOTES.txt)
- [Commits](apache/commons-exec@rel/commons-exec-1.5.0...rel/commons-exec-1.6.0)

Updates `org.asciidoctor:asciidoctorj` from 3.0.0 to 3.0.1
- [Release notes](https://github.com/asciidoctor/asciidoctorj/releases)
- [Changelog](https://github.com/asciidoctor/asciidoctorj/blob/main/CHANGELOG.adoc)
- [Commits](asciidoctor/asciidoctorj@v3.0.0...v3.0.1)

Updates `org.jsoup:jsoup` from 1.19.1 to 1.21.2
- [Release notes](https://github.com/jhy/jsoup/releases)
- [Changelog](https://github.com/jhy/jsoup/blob/master/CHANGES.md)
- [Commits](jhy/jsoup@jsoup-1.19.1...jsoup-1.21.2)

Updates `com.thoughtworks.xstream:xstream` from 1.4.5 to 1.4.21
- [Release notes](https://github.com/x-stream/xstream/releases)
- [Commits](https://github.com/x-stream/xstream/commits)

Updates `io.jsonwebtoken:jjwt` from 0.9.1 to 0.13.0
- [Release notes](https://github.com/jwtk/jjwt/releases)
- [Changelog](https://github.com/jwtk/jjwt/blob/master/CHANGELOG.md)
- [Commits](jwtk/jjwt@0.9.1...0.13.0)

Updates `commons-io:commons-io` from 2.20.0 to 2.21.0
- [Changelog](https://github.com/apache/commons-io/blob/master/RELEASE-NOTES.txt)
- [Commits](apache/commons-io@rel/commons-io-2.20.0...rel/commons-io-2.21.0)

Updates `org.bitbucket.b_c:jose4j` from 0.9.3 to 0.9.6
- [Commits](https://bitbucket.org/b_c/jose4j/branches/compare/jose4j-0.9.6..jose4j-0.9.3)

Updates `org.webjars:bootstrap` from 5.3.5 to 5.3.8
- [Commits](webjars/bootstrap@bootstrap-5.3.5...bootstrap-5.3.8)

Updates `org.wiremock:wiremock-standalone` from 3.13.1 to 3.13.2
- [Release notes](https://github.com/wiremock/wiremock/releases)
- [Commits](wiremock/wiremock@3.13.1...3.13.2)

Updates `io.github.bonigarcia:webdrivermanager` from 6.3.2 to 6.3.3
- [Release notes](https://github.com/bonigarcia/webdrivermanager/releases)
- [Changelog](https://github.com/bonigarcia/webdrivermanager/blob/master/CHANGELOG.md)
- [Commits](bonigarcia/webdrivermanager@webdrivermanager-6.3.2...webdrivermanager-6.3.3)

Updates `org.jruby:jruby` from 10.0.0.1 to 10.0.2.0

Updates `com.microsoft.playwright:playwright` from 1.55.0 to 1.57.0
- [Release notes](https://github.com/microsoft/playwright-java/releases)
- [Commits](microsoft/playwright-java@v1.55.0...v1.57.0)

Updates `com.diffplug.spotless:spotless-maven-plugin` from 2.44.4 to 2.46.1
- [Release notes](https://github.com/diffplug/spotless/releases)
- [Changelog](https://github.com/diffplug/spotless/blob/main/CHANGES.md)
- [Commits](diffplug/spotless@maven/2.44.4...maven/2.46.1)

Updates `org.apache.maven.plugins:maven-enforcer-plugin` from 3.6.1 to 3.6.2
- [Release notes](https://github.com/apache/maven-enforcer/releases)
- [Commits](apache/maven-enforcer@enforcer-3.6.1...enforcer-3.6.2)

Updates `org.apache.maven.plugins:maven-compiler-plugin` from 3.14.0 to 3.14.1
- [Release notes](https://github.com/apache/maven-compiler-plugin/releases)
- [Commits](apache/maven-compiler-plugin@maven-compiler-plugin-3.14.0...maven-compiler-plugin-3.14.1)

---
updated-dependencies:
- dependency-name: org.springframework.boot:spring-boot-starter-parent
  dependency-version: 3.5.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-minor-patch
- dependency-name: org.apache.commons:commons-exec
  dependency-version: 1.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: maven-minor-patch
- dependency-name: org.asciidoctor:asciidoctorj
  dependency-version: 3.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-minor-patch
- dependency-name: org.jsoup:jsoup
  dependency-version: 1.21.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: maven-minor-patch
- dependency-name: com.thoughtworks.xstream:xstream
  dependency-version: 1.4.21
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-minor-patch
- dependency-name: io.jsonwebtoken:jjwt
  dependency-version: 0.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: maven-minor-patch
- dependency-name: commons-io:commons-io
  dependency-version: 2.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: maven-minor-patch
- dependency-name: org.bitbucket.b_c:jose4j
  dependency-version: 0.9.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-minor-patch
- dependency-name: org.webjars:bootstrap
  dependency-version: 5.3.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-minor-patch
- dependency-name: org.wiremock:wiremock-standalone
  dependency-version: 3.13.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-minor-patch
- dependency-name: io.github.bonigarcia:webdrivermanager
  dependency-version: 6.3.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-minor-patch
- dependency-name: org.jruby:jruby
  dependency-version: 10.0.2.0
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-minor-patch
- dependency-name: com.microsoft.playwright:playwright
  dependency-version: 1.57.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: maven-minor-patch
- dependency-name: com.diffplug.spotless:spotless-maven-plugin
  dependency-version: 2.46.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: maven-minor-patch
- dependency-name: org.apache.maven.plugins:maven-enforcer-plugin
  dependency-version: 3.6.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-minor-patch
- dependency-name: org.apache.maven.plugins:maven-compiler-plugin
  dependency-version: 3.14.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot commented on behalf of github Dec 6, 2025

Labels

The following labels could not be found: dependencies, java. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.


dependabot Bot commented on behalf of github Dec 8, 2025

Looks like these dependencies are no longer a dependency, so this is no longer needed.

@dependabot dependabot Bot closed this Dec 8, 2025
@dependabot dependabot Bot deleted the dependabot/maven/WebGoat/maven-minor-patch-ed06f63033 branch December 8, 2025 12:54