
Bump com.mchange:c3p0 from 0.9.5.5 to 0.10.0-pre1 #1600

Closed

@dependabot dependabot bot commented on behalf of github Feb 16, 2024

Bumps com.mchange:c3p0 from 0.9.5.5 to 0.10.0-pre1.

Changelog

Sourced from com.mchange:c3p0's changelog.

c3p0-0.10.0-pre1
  • Fix doc comments no longer acceptable under persnickety JDK 11
  • Build with JDK 11 JVM (still emitting JDK 1.6 compatible sources)
  • Get tests working under new mill build
  • Reorganize to switch build from ant to mill
  • Update to mchange-commons-java 0.2.20

c3p0-0.9.5.5
  • Update docs to describe new com.mchange.v2.log.MLog.useRedirectableLoggers setting, implemented in mchange-commons-java 0.2.19
  • Update to mchange-commons-java 0.2.19
  • Properly implement the JDBC 4.1 abort method. Thanks to Andrew Johnson for calling attention to this issue.

c3p0-0.9.5.4
  • Disabling entity expansions, as we did in v.0.9.5.3, turns out not to be sufficient to prevent all XML-config parsing related attacks (if an attacker can control the XML config file that will be parsed). We now make XML parsing much more restrictive by default, but allow users to revert to the old, permissive pre-0.9.5.3 behavior by setting config property 'com.mchange.v2.c3p0.cfg.xml.usePermissiveParser' to true. That property replaces and leaves deprecated the 'com.mchange.v2.c3p0.cfg.xml.expandEntityReferences' property introduced in 0.9.5.3. Many thanks to Aaron Massey (amassey) at HackerOne for calling attention to the continued vulnerability of XML parsing to these kinds of attacks.
  • Address situation where a throwable during forceKillAcquires() left the force_kill_acquires flag set to true, making it impossible for the pool to restart acquisition attempts on recovery. We now unset the flag under any circumstance, but log interrupts or unexpected throwables, and make a best effort to complete the intended expiration of waiting clients by throwing InterruptException. Many thanks to Stefan Cordes (rscadrde on github), Vipin Nair (swvist on github), and Łukasz Jąder (ljader on github) for their work on this issue.

c3p0-0.9.5.3
  • Address CVE-2018-20433, https://nvd.nist.gov/vuln/detail/CVE-2018-20433 re liberal parsing of XML config. By default, c3p0 no longer expands entity references in XML config files. This behavior can be overridden via config property 'com.mchange.v2.c3p0.cfg.xml.expandEntityReferences' by applications that understand the security concerns but wish to make use of entity references. Thanks to user zhutougg on GitHub for calling attention to and suggesting a fix for this issue.
  • Upgrade dependency to mchange-commons-java 0.2.15, which includes support for log4j2 (implemented in mchange-commons-java by GitHub user fireandfuel. Many thanks!)

c3p0-0.9.5.2
  • Fix a bug in MLog bridge to slf4j logging, in which loggability of levels of wrapped loggers was misreported, leading to useless allocation of log Strings below the logging threshold. Grr. [change is in mchange-commons-java 0.2.11]. Many thanks to Lewis Wong on Stack Exchange for calling attention to this issue.
  • Embed last acquisition failure as nested Exception in CannotAcquireResourceException. Thanks to nigam on github for this addition.

c3p0-0.9.5.1
  • Implemented configuration property com.mchange.v2.c3p0.impl.DefaultConnectionTester.isValidTimeout to define timeouts on tests based on Connection.isValid(...). Many thanks to james-hu on github for suggesting this.
  • Added a forceSynchronousCheckins config param, which can be a significant performance boost if no tests are performed on checkin and no long work is performed in ConnectionCustomizer.onCheckIn(...). The parameter is particularly useful for installations in which the Thread pool is under stress, as it permits prompt checkins without use of the Thread pool, and helps reduce Thread pool congestion.

... (truncated)

Commits
  • df2b44d Update version number for 0.10.0-pre1 final.
  • c52a8d9 Tweak README.md
  • 55e6f53 Tweak README.md
  • 5f49269 More work on README.md and CHANGELOG.
  • 21eea09 Work on README.md; get docJar working under Java 11 persnicketty tooling.
  • b24af8d Compile Java 6 compatible classfiles (against newer API!)
  • bf88675 Get all tests working.
  • d792689 Add more tests and hints on variations of tests.
  • f6b1ce9 Get C3P0BenchmarkApp running, add careful conditional logic to minimize unnec...
  • 0d37f26 Add minimal .gitignore
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [com.mchange:c3p0](https://github.com/swaldman/c3p0) from 0.9.5.5 to 0.10.0-pre1.
- [Changelog](https://github.com/swaldman/c3p0/blob/v0.10.0-pre1/CHANGELOG)
- [Commits](swaldman/c3p0@c3p0-0.9.5.5...v0.10.0-pre1)

---
updated-dependencies:
- dependency-name: com.mchange:c3p0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
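The 0.9.5.3 and 0.9.5.4 changelog entries above describe the move from "just don't expand entity references" to a restrictive XML parser with an explicit opt-out. The following Java class is an added illustration of that distinction using the standard JAXP/Xerces feature switches; it is not c3p0's own config loader, and the page does not show how c3p0 implements its restrictive mode. The `usePermissiveParser` flag, the class name, and the two sample config strings are constructed for this example; the feature URIs and `XMLConstants` attributes are the standard ones supported by the JDK's built-in parser (JDK 7 or later).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/**
 * Illustrative only: a hardened JAXP DocumentBuilderFactory of the kind a
 * "restrictive by default" XML config loader would use, next to a permissive
 * one. This is NOT c3p0's loader; the boolean mirrors the idea of the
 * 'usePermissiveParser' setting from the changelog, not its implementation.
 */
public class XmlConfigParserDemo {

    // Constructed sample: an ordinary config with no DOCTYPE.
    static final String PLAIN_CONFIG =
        "<?xml version=\"1.0\"?>\n"
        + "<c3p0-config><default-config>"
        + "<property name=\"maxPoolSize\">10</property>"
        + "</default-config></c3p0-config>";

    // Constructed sample: the same config with an internal DTD and an entity
    // reference. Even this benign DOCTYPE is enough to trip the hardened
    // parser, so a DTD that declared external entities would never be processed.
    static final String CONFIG_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE c3p0-config [ <!ENTITY size \"10\"> ]>\n"
        + "<c3p0-config><default-config>"
        + "<property name=\"maxPoolSize\">&size;</property>"
        + "</default-config></c3p0-config>";

    /** Builds the factory; usePermissiveParser=true mimics the legacy behaviour. */
    static DocumentBuilderFactory newFactory(boolean usePermissiveParser)
            throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        if (usePermissiveParser) {
            // Legacy style: only DOM-level entity expansion is switched off.
            // The DTD itself is still processed, which is why this alone
            // does not close off DTD-based attacks.
            f.setExpandEntityReferences(false);
            return f;
        }
        // Hardened: refuse any DOCTYPE outright, and as belt-and-braces also
        // disable external entities, external DTD loading and XInclude.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses xml with the chosen factory and returns the root element name. */
    static String rootElement(boolean usePermissiveParser, String xml) throws Exception {
        DocumentBuilder b = newFactory(usePermissiveParser).newDocumentBuilder();
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getTagName();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened, plain config: " + rootElement(false, PLAIN_CONFIG));
        try {
            rootElement(false, CONFIG_WITH_DOCTYPE);
            System.out.println("hardened, DOCTYPE config: accepted (unexpected)");
        } catch (SAXParseException e) {
            // disallow-doctype-decl makes Xerces fail fast on the DOCTYPE line.
            System.out.println("hardened, DOCTYPE config: rejected -> " + e.getMessage());
        }
        System.out.println("permissive, DOCTYPE config: " + rootElement(true, CONFIG_WITH_DOCTYPE));
    }
}
```

The useful check for a deployment is the middle case: a config containing any DOCTYPE should be refused by the default (hardened) path, and only an explicit opt-in, like the changelog's `usePermissiveParser` property, should bring the old behaviour back. Treat that opt-in the way the changelog does: as a deliberate choice by an application that controls its own config file, not as a default.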
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Feb 16, 2024
@THausherr

Closing this one because it's a pre-release. However it builds here and at home on Windows, also for 2.x.

@THausherr THausherr closed this Feb 16, 2024

dependabot bot commented on behalf of github Feb 16, 2024

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot bot deleted the dependabot/maven/com.mchange-c3p0-0.10.0-pre1 branch February 16, 2024 09:07