Bump the maven group across 21 directories with 13 updates #17

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/maven/SecVulns/VulnCore/Command/maven-a5a8534655

@dependabot dependabot bot commented on behalf of github Feb 20, 2026

Bumps the maven group with 3 updates in the /SecVulns/VulnCore/Command directory: org.springframework:spring-core, commons-io:commons-io and org.apache.commons:commons-lang3.
Bumps the maven group with 1 update in the /SecVulns/VulnCore/Expression/ELAttack directory: org.apache.logging.log4j:log4j-core.
Bumps the maven group with 3 updates in the /SecVulns/VulnCore/Expression/OGNLAttack directory: org.springframework:spring-core, commons-io:commons-io and org.apache.commons:commons-lang3.
Bumps the maven group with 1 update in the /SecVulns/VulnCore/FilesOperations directory: commons-io:commons-io.
Bumps the maven group with 1 update in the /SecVulns/VulnCore/Inject/SQL directory: com.microsoft.sqlserver:mssql-jdbc.
Bumps the maven group with 1 update in the /SecVulns/VulnCore/JDBCAttack directory: org.springframework:spring-context.
Bumps the maven group with 2 updates in the /SecVulns/VulnCore/JNDIAttack directory: org.apache.tomcat:tomcat-catalina and com.thoughtworks.xstream:xstream.
Bumps the maven group with 1 update in the /SecVulns/VulnCore/MemShellAndRceEcho/JakartaTomcatDemo directory: org.apache.tomcat:tomcat-catalina.
Bumps the maven group with 1 update in the /SecVulns/VulnCore/MemShellAndRceEcho/JavaxJettyDemo directory: commons-fileupload:commons-fileupload.
Bumps the maven group with 2 updates in the /SecVulns/VulnCore/MemShellAndRceEcho/JavaxTomcatDemo directory: org.apache.tomcat:tomcat-catalina and commons-fileupload:commons-fileupload.
Bumps the maven group with 1 update in the /SecVulns/VulnCore/MemShellAndRceEcho/LowTomcatDemo directory: commons-fileupload:commons-fileupload.
Bumps the maven group with 1 update in the /SecVulns/VulnCore/MemShellAndRceEcho/OSEcho directory: org.apache.tomcat:tomcat-catalina.
Bumps the maven group with 1 update in the /SecVulns/VulnCore/MemShellAndRceEcho/ResinDemo directory: commons-fileupload:commons-fileupload.
Bumps the maven group with 1 update in the /SecVulns/VulnCore/SSRF directory: com.squareup.okhttp3:okhttp.
Bumps the maven group with 2 updates in the /SecVulns/VulnCore/Serialization/ClassLoad directory: org.springframework:spring-core and org.mozilla:rhino.
Bumps the maven group with 1 update in the /SecVulns/VulnCore/Serialization/ConstructorEXP directory: org.springframework:spring-context.
Bumps the maven group with 1 update in the /SecVulns/VulnCore/Serialization/FastjsonDemo directory: com.alibaba:fastjson.
Bumps the maven group with 1 update in the /SecVulns/VulnCore/Serialization/SnakeyamlDemo directory: com.alibaba:fastjson.
Bumps the maven group with 1 update in the /SecVulns/VulnCore/Serialization/XMLSerialization/XStreamAttack directory: com.thoughtworks.xstream:xstream.
Bumps the maven group with 1 update in the /SecVulns/VulnCore/XXE directory: org.jdom:jdom2.
Bumps the maven group with 1 update in the /Utils directory: com.thoughtworks.xstream:xstream.

Updates org.springframework:spring-core from 5.3.18 to 6.2.11

Release notes

Sourced from org.springframework:spring-core's releases.

v6.2.11

⭐ New Features

  • Missing @Nullable on JsonPathAssertions.isEqualTo #35445
  • Graceful fallback for non-default NIO.2 FileSystems #35443
  • Avoid thread pinning in SseEmitter, ResponseBodyEmitter #35423
  • Detect Informix error codes as DuplicateKeyException #35400
  • Inconsistent nullability for String value arguments in ResponseCookie from*() factory methods #35377
  • Revisit taskTerminationTimeout semantics on SimpleAsyncTaskExecutor/Scheduler #35372
  • StandardEvaluationContext.setBeanResolver should allow @Nullable BeanResolver #35371

🐞 Bug Fixes

  • "mainThreadPrefix = null " Causing multiple background bean locks to be blocked #35409
  • Annotation not found on parameter in overridden method unless method is public #35349
  • Annotations on overridden methods not found in type hierarchy with unresolved generics #35342
  • Performance degradation when using singleton beans with Provider #35330
  • JettyClientHttpConnector buffer leak in Spring Framework 6.2 #35319
  • Spring application hangs on shutdown with @Scheduled(cron=…) when custom ScheduledExecutorService bean is defined (Java 19+) #35316

📔 Documentation

  • Document potential need to use Mockito.doXxx() to stub a @MockitoSpyBean #35410
  • Fix links to Reactive Libraries and RestTemplate #35392
  • Fix broken link in WebDriver docs #35374
  • Document Web DataBinder support for RouterFunction #35367
  • Improve documentation for ApplicationEvents to clarify recommended usage #35335
  • Document terms and units in DataSize.parse() #35298
  • Refine @Contract Javadoc #35285
  • Correct the default value of nestedTransactionAllowed in JpaTransactionManager javadoc #35212

🔨 Dependency Upgrades

  • Upgrade to Micrometer 1.14.11 #35455
  • Upgrade to Reactor 2024.0.10 #35454

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Dockerel, @​Kehrlann, @​acktsap, @​khj68, @​ngocnhan-tran1996, @​scordio, and @​sgflt

v6.2.10

⭐ New Features

  • Optimize NIO path resolution in PathEditor #35304
  • Make type in ProblemDetail nullable #35294
  • Refine UriUtils#decode and StringUtils#uriDecode implementation and documentation #35253
  • Provide configurable useCaches option for URLConnection usage in UrlResource (avoiding jar file leak) #35218

... (truncated)

Commits
  • 4c13425 Release v6.2.11
  • d17601e Upgrade to Undertow 2.3.19, RxJava 3.1.11, Aalto 1.3.3
  • 5b38761 Clarify intended nestedTransactionAllowed default in JpaTransactionManager
  • 0e3e34b Find annotations on parameters in overridden non-public methods
  • 4745c7c Name local variables consistently
  • 275fb52 Upgrade to Reactor 2024.0.10 and Micrometer 1.14.11
  • 7f9aa39 Polishing
  • c788554 Avoid thread pinning in SseEmitter, ResponseBodyEmitter
  • 9e8c640 Make JsonPathAssertions#isEqualTo parameter nullable
  • ebb8e34 Upgrade to Jetty 12.0.26, Jetty Reactive HttpClient 4.0.11, Netty 4.1.127, Ht...
  • Additional commits viewable in compare view

Updates commons-io:commons-io from 2.2 to 2.14.0

Updates org.apache.commons:commons-lang3 from 3.12.0 to 3.18.0

Updates org.apache.logging.log4j:log4j-core from 2.14.1 to 2.25.3

Updates org.springframework:spring-core from 5.3.18 to 6.2.11

Updates commons-io:commons-io from 2.2 to 2.14.0

Updates org.apache.commons:commons-lang3 from 3.12.0 to 3.18.0

Updates commons-io:commons-io from 2.2 to 2.14.0

Updates com.microsoft.sqlserver:mssql-jdbc from 9.2.1.jre8 to 11.2.0.jre8

Release notes

Sourced from com.microsoft.sqlserver:mssql-jdbc's releases.

[11.2.0] Stable Release

Added

  • Added support for caching parameter metadata for Always Encrypted with secure enclaves 1866
  • Added explicit dependency for com.microsoft.azure.msal4j (was a transitive dependency in previous releases) 1863

Changed

  • Changed default loginTimeout value to 30s 1885
  • Updated dependency versions of com.azure.azure-security-keyvault-keys and com.azure.azure-identity 1863
  • Send TDS version 8 in Login7 when in strict mode (encrypt=strict) 1870
  • Validate that the serverName field of the connection string does not have an equal sign 1853

Fixed issues

  • Fixed intermittent null prepared statement handle error caused by sp_prepare when used with batch queries. 1886
  • Fixed race condition with addressList which may result in IndexOutOfBoundsException when establishing multiple connections 1855
  • Updated secure string usage to prepend Initialization Vector into the encrypted bytes so each IV is unique and preserved with its encrypted bytes for later decryption 1858
  • Added check for DONE_ERROR status token which may occur from a killed session on the server 1857
  • Fixed issue where the driver may assert when canceling a statement 1872

[11.1.2] Preview Release

Added

  • Added support for caching managed identity tokens 1825
  • Added support for caching Always Encrypted parameter metadata 1845

Changed

  • Switched from strings to char arrays for secure string use 1813
  • Added check for negotiated ALPN 1818

Fixed issues

  • Fixed double connection issue when enabling TDS 8.0 and SSL by reusing original socket connection 1817
  • Fixed unknown token error 0xA3 when selectMethod cursor is used with data classification 1821
  • Fixed out of bounds error for when a data classification information type is not provided 1847

[11.1.1] Preview Release

Added

  • Added support for Java 18 1802
  • Added support for bulk insert of null GUID values 1778
  • Added ALPN for TDS 8.0 connections 1795

Changed

  • Updated dependency versions of azure-keyvault and azure-identity 1798
  • Refactored Idle Connection Resiliency timeout to use existing SharedTimer 1794

Fixed issues

  • Fixed regression with Always Encrypted with secure enclaves 1805

[11.1.0] Preview Release

Added

  • Added new connection string property prepareMethod to toggle use of sp_prepare 1719
  • Added new encrypt options for TDS 8.0 support 1757
  • Added Configurable IPv6 Support 1766
  • Added serverCertificate connection property for encrypt=strict 1773
  • Added option for NONE attestation protocol 1779

Changed

  • Added encrypt utility to obfuscate password strings in memory 1780

... (truncated)

Updates org.springframework:spring-context from 5.3.28 to 6.1.20

Release notes

Sourced from org.springframework:spring-context's releases.

v6.1.20

⭐ New Features

  • Add option for case-insensitive match to PatternMatchUtils #34802

🐞 Bug Fixes

  • HttpComponentsClientHttpRequestFactory setConnectionRequestTimeout not working with httpclient 5.3.1 #34854
  • Accidental ClassLoader defineClass enforcement after #34677 #34839

📔 Documentation

  • Clarify CompositePropertySource behavior for EnumerablePropertySource contract #34887

🔨 Dependency Upgrades

  • Upgrade to Reactor 2023.0.18 #34899

v6.1.19

⭐ New Features

  • Suggest compilation with -parameters when AspectJAdviceParameterNameDiscoverer fails against ambiguity #34618

🐞 Bug Fixes

  • PropertyBatchUpdateException: causes of nested PropertyAccessExceptions not shown in output #34698
  • Change in Jar usecache behavior with Spring 6.1.x causing java.lang.IllegalStateException: zip file closed #34694
  • Startup performance regression due to CGLIB class load attempts in Spring 6.1.x #34693
  • IllegalAccessError for package-private member of AzureStorageConfiguration on WebSphere #34690
  • @Configuration classes can no longer be abstract without @Bean methods #34689
  • Generated-code for LinkedHashMap is missing static keyword #34661
  • AbstractReactiveTransactionManager throws IllegalStateException when rollback fails after commit attempt #34619

📔 Documentation

  • Add javadoc notes on potential exception suppression in ListableBeanFactory#getBeansOfType #34631
  • Remove remaining references to Forwarded headers in MvcUriComponentsBuilder #34626
  • MvcUriComponentsBuilder javadocs inaccurately reflects usage of forwarded headers #34620

v6.1.18

⭐ New Features

  • Avoid unnecessary CGLIB processing on configuration classes #34487
  • Inconsistent default class loaders in hint classes #34473

🐞 Bug Fixes

  • DefaultManagedTaskExecutor throws java.lang.UnsupportedOperationException: isShutdown when rejecting tasks #34515
  • Endless loop with DataSourceUtils in spring-jdbc #34497
  • MockHttpServletResponse - handle multiple values for Content-Language header #34491

... (truncated)

Commits
  • 1f9c59b Release v6.1.20
  • edfcc6f Make use of PatternMatchUtils ignoreCase option
  • f93132b Add missing @​since tags in PatternMatchUtils
  • 6ab4c84 Upgrade to Reactor 2023.0.18
  • d5fca0d Upgrade to Jetty 12.0.21, Netty 4.1.121, Apache HttpClient 5.4.4, Checkstyle ...
  • cbb9419 Clarify CompositePropertySource behavior for EnumerablePropertySource contract
  • 5b5e2b6 Fix HttpClient 5.3.x request config compatibility
  • a5b0399 Polishing
  • 71f2725 Try loadClass on LinkageError in case of same ClassLoader as well
  • daee9f1 Reinstate the @⁠Inject Technology Compatibility Kit (TCK)
  • Additional commits viewable in compare view

Updates org.apache.tomcat:tomcat-catalina from 8.5.78 to 9.0.112

Updates com.thoughtworks.xstream:xstream from 1.4.17 to 1.4.21

Updates org.apache.tomcat:tomcat-catalina from 11.0.0-M1 to 11.0.14

Updates commons-fileupload:commons-fileupload from 1.5 to 1.6.0

Updates org.apache.tomcat:tomcat-catalina from 8.0.53 to 9.0.112

Updates commons-fileupload:commons-fileupload from 1.5 to 1.6.0

Updates commons-fileupload:commons-fileupload from 1.5 to 1.6.0

Updates org.apache.tomcat:tomcat-catalina from 8.5.82 to 9.0.112

Updates commons-fileupload:commons-fileupload from 1.5 to 1.6.0

Updates com.squareup.okhttp3:okhttp from 3.14.9 to 4.9.2

Changelog

Sourced from com.squareup.okhttp3:okhttp's changelog.

Change Log

Version 5.3.2

2025-11-18

  • Fix: Don't delay triggering timeouts. In Okio 3.16.0 we introduced a regression that caused timeouts to fire later than they were supposed to.

  • Upgrade: Okio 3.16.4.

Version 5.3.1

2025-11-16

This release is the same as 5.3.0. Okio 3.16.3 didn't have a necessary fix!

  • Upgrade: Okio 3.16.3.

Version 5.3.0

2025-10-30

  • New: Add tags to Call, including computable tags. Use this to attach application-specific metadata to a Call in an EventListener or Interceptor. The tag can be read in any other EventListener or Interceptor.

      override fun intercept(chain: Interceptor.Chain): Response {
        chain.call().tag(MyAnalyticsTag::class) {
          MyAnalyticsTag(...)
        }

        return chain.proceed(chain.request())
      }

  • New: Support request bodies on HTTP/1.1 connection upgrades.

  • New: EventListener.plus() makes it easier to observe events in multiple listeners.

  • Fix: Don't spam logs with ‘Method isLoggable in android.util.Log not mocked.’ when using OkHttp in Robolectric and Paparazzi tests.

  • Upgrade: Kotlin 2.2.21.

  • Upgrade: Okio 3.16.2.

  • Upgrade: ZSTD-KMP 0.4.0. This update fixes a bug that caused APKs to fail 16 KB ELF alignment checks.

... (truncated)

Updates org.springframework:spring-core from 5.3.18 to 6.2.11

Updates org.mozilla:rhino from 1.7.14 to 1.7.14.1

Changelog

Sourced from org.mozilla:rhino's changelog.

Rhino 1.8.1, Rhino 1.7.15.1, Rhino 1.7.14.1

December 2, 2025

These releases fix a bug in the code that formats floating-point numbers into strings that could result in very bad performance in some cases.

We recommend that all users of Rhino upgrade to release 1.8.1 if possible, and upgrade to Java 17 or 21.

Users who need an older release, or who cannot yet leave Java 8, can also use 1.7.15.1 or 1.7.14.1.

Rhino 1.8.0

January 2, 2025

Rhino 1.8.0 contains some significant changes, so we're incrementing the final version number for the first time in a very long time. Here are a few highlights:

  • Rhino now requires Java 11 minimum. We currently test against Java 11, 17, and 21.
  • Rhino has been broken down into individual Java modules that are properly encapsulated as Java Modules. See README.md for a breakdown of which modules are which -- short answer is that everyone will need the "rhino" module and many will need others.
  • Older code not able to adapt to using multiple JARS can still use the "rhino-all" module, which publishes an "all-in-one" JAR like the old "rhino.jar".
  • The default language level is "VERSION_ES6". That means that modern JavaScript features supported by Rhino will work by default.
  • There are big improvements in compatibility, including support for "super", reflect and proxy, and lots of other language features. See the compatibility table for the details.

Thanks to all who contributed -- we had 24 contributors to this release, with some new contributors who added significant capabilities. Please keep the contributions and attention coming!

Rhino 1.7.15

May 3, 2024

Highlights of this release include:

  • Basic support for "rest parameters"
  • Improvements in Unicode support
  • "Symbol.species" implemented in many places
  • More correct property ordering in many places
  • And many more improvements and bug fixes

This release includes commits from 29 different committers. Thanks to you all for your help!

Updates org.springframework:spring-context from 5.3.28 to 6.1.20

Updates com.alibaba:fastjson from 1.2.47 to 1.2.83

Release notes

Sourced from com.alibaba:fastjson's releases.

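FASTJSON 1.2.83 released (security fix)

This is a security fix release. It fixes a recently reported vulnerability that, in specific scenarios, allows the autoType-disabled restriction to be bypassed. fastjson users are advised to take security measures as soon as possible to keep their systems secure.

Security fix plan: https://github.com/alibaba/fastjson/wiki/security_update_20220523

FASTJSON2 has been released and provides a compatibility package; it offers better performance and is more secure. Upgrade guide: https://github.com/alibaba/fastjson2/wiki/fastjson_1_upgrade_cn

Issues

  1. Security hardening
  2. Fix the setAccessible error under JDK 17 #4077

fastjson 1.2.79 released, bug fixes

This is another bug-fix release; upgrade as needed.

Issues

  1. Fix serialization errors in some scenarios caused by the introduction of MethodInheritanceComparator
  2. Improve JDK 9 compatibility
  3. Fix the equals method of JSONArray/JSONObject not returning true directly when the internal map/list objects are the same

Related links

fastjson 1.2.76 released, bug fixes and improved compatibility

This is another bug-fix release; upgrade as needed.

Issues

  1. Fix some cases where RuntimeException was thrown directly #3631
  2. The parser automatically recognizes gzip bytes #3614
  3. Fix properties of classes extending Throwable not supporting automatic type conversion #3217
  4. Fix incorrect reference calculation when PrettyFormat is used #3672
  5. Fix AutoType being incompatible with LinkedHashMap
  6. Improve custom type conversion for Enum types
  7. Fix deserializeUsing not working correctly in some generic scenarios #3693
  8. Improve JSONReader performance and reduce small-object creation #3627
  9. Improve JSONPath support for filters #3629
  10. JSONPath supports an option to ignore NullValue #3607
  11. Improve support for customized enums #3601
  12. Improve support for java.time.Instant and org.joda.time.Instant #3539
  13. Fix the parser failing to recognize references in some scenarios

Related links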

... (truncated)

Updates com.alibaba:fastjson from 1.2.47 to 1.2.83

    Description has been truncated

Bumps the maven group with 3 updates in the /SecVulns/VulnCore/Command directory: [org.springframework:spring-core](https://github.com/spring-projects/spring-framework), commons-io:commons-io and org.apache.commons:commons-lang3.
Bumps the maven group with 1 update in the /SecVulns/VulnCore/Expression/ELAttack directory: org.apache.logging.log4j:log4j-core.
Bumps the maven group with 3 updates in the /SecVulns/VulnCore/Expression/OGNLAttack directory: [org.springframework:spring-core](https://github.com/spring-projects/spring-framework), commons-io:commons-io and org.apache.commons:commons-lang3.
Bumps the maven group with 1 update in the /SecVulns/VulnCore/FilesOperations directory: commons-io:commons-io.
Bumps the maven group with 1 update in the /SecVulns/VulnCore/Inject/SQL directory: [com.microsoft.sqlserver:mssql-jdbc](https://github.com/Microsoft/mssql-jdbc).
Bumps the maven group with 1 update in the /SecVulns/VulnCore/JDBCAttack directory: [org.springframework:spring-context](https://github.com/spring-projects/spring-framework).
Bumps the maven group with 2 updates in the /SecVulns/VulnCore/JNDIAttack directory: org.apache.tomcat:tomcat-catalina and [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream).
Bumps the maven group with 1 update in the /SecVulns/VulnCore/MemShellAndRceEcho/JakartaTomcatDemo directory: org.apache.tomcat:tomcat-catalina.
Bumps the maven group with 1 update in the /SecVulns/VulnCore/MemShellAndRceEcho/JavaxJettyDemo directory: commons-fileupload:commons-fileupload.
Bumps the maven group with 2 updates in the /SecVulns/VulnCore/MemShellAndRceEcho/JavaxTomcatDemo directory: org.apache.tomcat:tomcat-catalina and commons-fileupload:commons-fileupload.
Bumps the maven group with 1 update in the /SecVulns/VulnCore/MemShellAndRceEcho/LowTomcatDemo directory: commons-fileupload:commons-fileupload.
Bumps the maven group with 1 update in the /SecVulns/VulnCore/MemShellAndRceEcho/OSEcho directory: org.apache.tomcat:tomcat-catalina.
Bumps the maven group with 1 update in the /SecVulns/VulnCore/MemShellAndRceEcho/ResinDemo directory: commons-fileupload:commons-fileupload.
Bumps the maven group with 1 update in the /SecVulns/VulnCore/SSRF directory: [com.squareup.okhttp3:okhttp](https://github.com/square/okhttp).
Bumps the maven group with 2 updates in the /SecVulns/VulnCore/Serialization/ClassLoad directory: [org.springframework:spring-core](https://github.com/spring-projects/spring-framework) and [org.mozilla:rhino](https://github.com/mozilla/rhino).
Bumps the maven group with 1 update in the /SecVulns/VulnCore/Serialization/ConstructorEXP directory: [org.springframework:spring-context](https://github.com/spring-projects/spring-framework).
Bumps the maven group with 1 update in the /SecVulns/VulnCore/Serialization/FastjsonDemo directory: [com.alibaba:fastjson](https://github.com/alibaba/fastjson).
Bumps the maven group with 1 update in the /SecVulns/VulnCore/Serialization/SnakeyamlDemo directory: [com.alibaba:fastjson](https://github.com/alibaba/fastjson).
Bumps the maven group with 1 update in the /SecVulns/VulnCore/Serialization/XMLSerialization/XStreamAttack directory: [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream).
Bumps the maven group with 1 update in the /SecVulns/VulnCore/XXE directory: [org.jdom:jdom2](https://github.com:/hunterhacker/jdom).
Bumps the maven group with 1 update in the /Utils directory: [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream).


Updates `org.springframework:spring-core` from 5.3.18 to 6.2.11
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v5.3.18...v6.2.11)

Updates `commons-io:commons-io` from 2.2 to 2.14.0

Updates `org.apache.commons:commons-lang3` from 3.12.0 to 3.18.0

Updates `org.apache.logging.log4j:log4j-core` from 2.14.1 to 2.25.3

Updates `org.springframework:spring-core` from 5.3.18 to 6.2.11
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v5.3.18...v6.2.11)

Updates `commons-io:commons-io` from 2.2 to 2.14.0

Updates `org.apache.commons:commons-lang3` from 3.12.0 to 3.18.0

Updates `commons-io:commons-io` from 2.2 to 2.14.0

Updates `com.microsoft.sqlserver:mssql-jdbc` from 9.2.1.jre8 to 11.2.0.jre8
- [Release notes](https://github.com/Microsoft/mssql-jdbc/releases)
- [Changelog](https://github.com/microsoft/mssql-jdbc/blob/main/CHANGELOG.md)
- [Commits](https://github.com/Microsoft/mssql-jdbc/commits)

Updates `org.springframework:spring-context` from 5.3.28 to 6.1.20
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v5.3.28...v6.1.20)

Updates `org.apache.tomcat:tomcat-catalina` from 8.5.78 to 9.0.112

Updates `com.thoughtworks.xstream:xstream` from 1.4.17 to 1.4.21
- [Release notes](https://github.com/x-stream/xstream/releases)
- [Commits](https://github.com/x-stream/xstream/commits)

Updates `org.apache.tomcat:tomcat-catalina` from 11.0.0-M1 to 11.0.14

Updates `commons-fileupload:commons-fileupload` from 1.5 to 1.6.0

Updates `org.apache.tomcat:tomcat-catalina` from 8.0.53 to 9.0.112

Updates `commons-fileupload:commons-fileupload` from 1.5 to 1.6.0

Updates `commons-fileupload:commons-fileupload` from 1.5 to 1.6.0

Updates `org.apache.tomcat:tomcat-catalina` from 8.5.82 to 9.0.112

Updates `commons-fileupload:commons-fileupload` from 1.5 to 1.6.0

Updates `com.squareup.okhttp3:okhttp` from 3.14.9 to 4.9.2
- [Changelog](https://github.com/square/okhttp/blob/master/CHANGELOG.md)
- [Commits](square/okhttp@parent-3.14.9...parent-4.9.2)

Updates `org.springframework:spring-core` from 5.3.18 to 6.2.11
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v5.3.18...v6.2.11)

Updates `org.mozilla:rhino` from 1.7.14 to 1.7.14.1
- [Release notes](https://github.com/mozilla/rhino/releases)
- [Changelog](https://github.com/mozilla/rhino/blob/master/RELEASE-NOTES.md)
- [Commits](https://github.com/mozilla/rhino/commits)

Updates `org.springframework:spring-context` from 5.3.28 to 6.1.20
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v5.3.28...v6.1.20)

Updates `com.alibaba:fastjson` from 1.2.47 to 1.2.83
- [Release notes](https://github.com/alibaba/fastjson/releases)
- [Commits](alibaba/fastjson@1.2.47...1.2.83)

Updates `com.alibaba:fastjson` from 1.2.47 to 1.2.83
- [Release notes](https://github.com/alibaba/fastjson/releases)
- [Commits](alibaba/fastjson@1.2.47...1.2.83)

Updates `com.thoughtworks.xstream:xstream` from 1.4.12 to 1.4.21
- [Release notes](https://github.com/x-stream/xstream/releases)
- [Commits](https://github.com/x-stream/xstream/commits)

Updates `org.jdom:jdom2` from 2.0.6 to 2.0.6.1
- [Commits](hunterhacker/jdom@JDOM-2.0.6...JDOM-2.0.6.1)

Updates `com.thoughtworks.xstream:xstream` from 1.4.12 to 1.4.21
- [Release notes](https://github.com/x-stream/xstream/releases)
- [Commits](https://github.com/x-stream/xstream/commits)

---
updated-dependencies:
- dependency-name: org.springframework:spring-core
  dependency-version: 6.2.11
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: commons-io:commons-io
  dependency-version: 2.14.0
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.apache.commons:commons-lang3
  dependency-version: 3.18.0
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.apache.logging.log4j:log4j-core
  dependency-version: 2.25.3
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.springframework:spring-core
  dependency-version: 6.2.11
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: commons-io:commons-io
  dependency-version: 2.14.0
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.apache.commons:commons-lang3
  dependency-version: 3.18.0
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: commons-io:commons-io
  dependency-version: 2.14.0
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: com.microsoft.sqlserver:mssql-jdbc
  dependency-version: 11.2.0.jre8
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.springframework:spring-context
  dependency-version: 6.1.20
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.apache.tomcat:tomcat-catalina
  dependency-version: 9.0.112
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: com.thoughtworks.xstream:xstream
  dependency-version: 1.4.21
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.apache.tomcat:tomcat-catalina
  dependency-version: 11.0.14
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: commons-fileupload:commons-fileupload
  dependency-version: 1.6.0
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.apache.tomcat:tomcat-catalina
  dependency-version: 9.0.112
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: commons-fileupload:commons-fileupload
  dependency-version: 1.6.0
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: commons-fileupload:commons-fileupload
  dependency-version: 1.6.0
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.apache.tomcat:tomcat-catalina
  dependency-version: 9.0.112
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: commons-fileupload:commons-fileupload
  dependency-version: 1.6.0
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: com.squareup.okhttp3:okhttp
  dependency-version: 4.9.2
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.springframework:spring-core
  dependency-version: 6.2.11
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.mozilla:rhino
  dependency-version: 1.7.14.1
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.springframework:spring-context
  dependency-version: 6.1.20
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: com.alibaba:fastjson
  dependency-version: 1.2.83
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: com.alibaba:fastjson
  dependency-version: 1.2.83
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: com.thoughtworks.xstream:xstream
  dependency-version: 1.4.21
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.jdom:jdom2
  dependency-version: 2.0.6.1
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: com.thoughtworks.xstream:xstream
  dependency-version: 1.4.21
  dependency-type: direct:production
  dependency-group: maven
...

Signed-off-by: dependabot[bot] <support@github.com>

@dependabot dependabot bot added the `dependencies` (pull requests that update a dependency file) and `java` (pull requests that update java code) labels Feb 20, 2026