Bump org.clojure:clojure from 1.11.1 to 1.12.0 #8378

Merged (2 commits) on Oct 14, 2024


@dependabot dependabot bot commented on behalf of github Sep 9, 2024

Bumps org.clojure:clojure from 1.11.1 to 1.12.0.

Changelog

Sourced from org.clojure:clojure's changelog.

Changes to Clojure in Version 1.12.0

1 Compatibility

1.1 Java 8 - Compatibility EOL notice

Clojure 1.12 produces Java 8 bytecode (same as Clojure 1.10 and 1.11), but this is expected to be the last release using a Java 8 baseline. Future releases will move the bytecode and minimum Java compatibility to a newer Java LTS release.

1.2 Java 21 - Virtual thread pinning from user code under synchronized

Clojure users want to use virtual threads on JDK 21. Prior to 1.12, Clojure lazy-seqs and delays, in order to enforce run-once behavior, ran user code under synchronized blocks, which as of JDK 21 don't yet participate in cooperative blocking. Thus if that code did e.g. blocking I/O it would pin a real thread. JDK 21 may emit warnings for this when using -Djdk.tracePinnedThreads=full.

To avoid this pinning, in 1.12 lazy-seq and delay use locks instead of synchronized blocks.

See: CLJ-2804

1.3 Security

Fix CVE-2024-22871 detailed in GHSA-vr64-r9qj-h27f:

  • CLJ-2839 iterate, cycle, repeat - infinite seqs have infinite hashCode()

1.4 Serialization

CLJ-1327 explicitly sets the Java serialization identifier for the classes in Clojure that implement Java serialization. In Clojure 1.11.0 this changed for two classes unnecessarily and we reverted those changes in Clojure 1.11.1 - this completes that work for the rest of the classes.

Clojure data types have implemented the Java serialization interfaces since Clojure 1.0. Java serialization is designed to save graphs of Java instances into a byte stream. Every class has an identifier (the serialVersionUID) that is automatically generated based on the class name, its type hierarchy, and the serialized fields. At deserialization time, deserialization can only occur when the available class has an identifier that matches the class id recorded in the serialized bytes.

Clojure has never provided a guarantee of serialization consistency across Clojure versions, but we do not wish to break compatibility any more than necessary and these changes will give us more control over that in the future.

See: CLJ-1327

1.5 Dependencies

Updated dependencies:

  • spec.alpha dependency to 0.5.238 - changes
  • core.specs.alpha dependency to 0.4.74 - changes

See: CLJ-2852

2 Features

2.1 Add libraries for interactive use

There are many development-time cases where it would be useful to add a library interactively without restarting the JVM - speculative evaluation, adding a known dependency to your project, or adding a library to accomplish a specific task.

Clojure now provides new functions to add libraries interactively, without restarting the JVM or losing the state of your work:

  • add-lib takes a lib that is not available on the classpath, and makes it available by downloading (if necessary) and adding to the classloader. Libs already on the classpath are not updated. If the coordinate is not provided, the newest Maven or git (if the library has an inferred git repo name) version or tag are used.

... (truncated)

Commits
  • d4bb93f [maven-release-plugin] prepare release clojure-1.12.0
  • 23d0f98 fix link in changelog
  • 90e7dd0 [maven-release-plugin] prepare for next development iteration
  • b3bd4cd [maven-release-plugin] prepare release clojure-1.12.0-rc2
  • ad54fec CLJ-2881: Making asm-type function array class symbol aware.
  • 5ae9587 CLJ-2873 add-libs - reload data-readers if new libs were added
  • 48b1fe5 Update changelog for 1.12.0-rc1
  • faeda7a [maven-release-plugin] prepare for next development iteration
  • 9a13d44 [maven-release-plugin] prepare release clojure-1.12.0-rc1
  • 37b6f5a CLJ-2145 Fix clearing of closed overs in ^:once fns, recur to head of :once f...
  • Additional commits viewable in compare view


You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.
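
As an added example (not part of this pull request or of Dependabot's output): a CI-style check that parses `gradle dependencies` output and reports any resolved org.clojure:clojure older than the 1.12.0 this PR bumps to, the release whose changelog lists the CVE-2024-22871 fix. The sample report, the `example:*` coordinates, the configuration names and the function names are constructed for illustration.

```python
import re

COORD = "org.clojure:clojure"  # coordinate bumped by this PR
MINIMUM = "1.12.0"             # target version of this PR

# One node of the `gradle dependencies` tree, e.g.
#   |    \--- org.clojure:clojure:1.11.1 -> 1.12.0 (*)
NODE = re.compile(
    r"[+\\]--- (?P<ga>[\w.\-]+:[\w.\-]+)(?::(?P<req>[^\s:]+))?(?: -> (?P<res>\S+))?"
)

def version_key(version):
    """Order numeric parts first; a qualifier (rc1, alpha5) sorts below the release."""
    core, _, qualifier = version.partition("-")
    nums = tuple(int(p) for p in core.split(".") if p.isdigit())
    nums += (0,) * (3 - len(nums))
    return (nums, (0, qualifier) if qualifier else (1, ""))

def stale_clojure(report, minimum=MINIMUM):
    """Return the resolved COORD versions in `report` that are older than `minimum`."""
    stale = set()
    for line in report.splitlines():
        node = NODE.search(line)
        if node is None or node.group("ga") != COORD:
            continue
        # Gradle prints "requested -> resolved" when conflict resolution changed it.
        resolved = node.group("res") or node.group("req")
        if resolved and version_key(resolved) < version_key(minimum):
            stale.add(resolved)
    return sorted(stale, key=version_key)

# Constructed sample output; configuration and example:* names are made up.
SAMPLE = r"""
runtimeClasspath
+--- org.clojure:clojure:1.12.0
|    +--- org.clojure:spec.alpha:0.5.238
|    \--- org.clojure:core.specs.alpha:0.4.74
\--- example:legacy-lib:2.0
     \--- org.clojure:clojure:1.11.1 -> 1.12.0 (*)

toolClasspath
\--- example:pinned-tool:0.3
     \--- org.clojure:clojure:1.12.0-rc1
"""

if __name__ == "__main__":
    print(stale_clojure(SAMPLE))
```

A non-empty result means some configuration still resolves a pre-1.12.0 build even though the direct declaration was bumped.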

dependabot bot added the external-dependency ("Related to an external dependency (ie maven package etc). Bug or update") and java ("Pull requests that update Java code") labels on Sep 9, 2024
dependabot bot force-pushed the dependabot/gradle/org.clojure-clojure-1.12.0 branch 3 times, most recently from 88bf305 to b28c0d7, on September 20, 2024 03:32
dependabot bot force-pushed the dependabot/gradle/org.clojure-clojure-1.12.0 branch 4 times, most recently from ca0e319 to f3b2cf4, on September 27, 2024 12:01
dependabot bot force-pushed the dependabot/gradle/org.clojure-clojure-1.12.0 branch 3 times, most recently from bfd69be to a072372, on October 4, 2024 21:17
Bumps [org.clojure:clojure](https://github.com/clojure/clojure) from 1.11.1 to 1.12.0.
- [Changelog](https://github.com/clojure/clojure/blob/master/changes.md)
- [Commits](clojure/clojure@clojure-1.11.1...clojure-1.12.0)

---
updated-dependencies:
- dependency-name: org.clojure:clojure
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot force-pushed the dependabot/gradle/org.clojure-clojure-1.12.0 branch from a072372 to c5c8108 on October 6, 2024 20:03
dwolfson merged commit e32b10c into main on Oct 14, 2024
5 checks passed
dependabot bot deleted the dependabot/gradle/org.clojure-clojure-1.12.0 branch on October 14, 2024 17:58