Skip to content

Bump the all group across 1 directory with 13 updates#361

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/gradle/all-dfc207c9dd
Closed

Bump the all group across 1 directory with 13 updates#361
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/gradle/all-dfc207c9dd

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 21, 2026

Copy link
Copy Markdown
Contributor

Bumps the all group with 13 updates in the / directory:

Package From To
org.http4k:http4k-server-netty 6.50.0.0 6.53.0.0
gradle-wrapper 9.5.1 9.6.0
org.commonmark:commonmark 0.28.0 0.29.0
com.networknt:json-schema-validator 3.0.3 3.0.5
io.heapy.kotaml:kotaml 0.108.0 0.109.0
ch.qos.logback:logback-classic 1.5.33 1.5.34
io.micrometer:micrometer-registry-prometheus 1.16.5 1.17.0
io.netty:netty-all 4.2.14.Final 4.2.15.Final
io.netty:netty-transport-native-kqueue 4.2.14.Final 4.2.15.Final
io.netty:netty-transport-native-epoll 4.2.14.Final 4.2.15.Final
io.netty:netty-transport-native-io_uring 4.2.14.Final 4.2.15.Final
org.jetbrains.kotlin.jvm 2.3.21 2.4.0
org.jetbrains.kotlin.plugin.serialization 2.3.21 2.4.0

Updates org.http4k:http4k-server-netty from 6.50.0.0 to 6.53.0.0

Release notes

Sourced from org.http4k:http4k-server-netty's releases.

6.53.0.0

Changelog:

  • http4k-*: Upgrade versions including Kotlin to 2.4.0
  • http4k-testing-webdriver: Http4kWebDriver supports multiple file upload H/T @​savagematt

6.52.0.0

Changelog:

  • http4k-security-digest: [Break] ServerFilters.DigestAuth and DigestAuthProvider now can have a DigestAlgorithm enum (MD5 / SHA_256).
  • http4k-ai-a2a-sdk: [Unlikely Break] PushNotificationSender.Http now takes a PushNotificationUrlPolicy.
  • http4k-ai-mcp-client: [Unlikely Break] DiscoveredMcpOAuth rejects cross-origin resource_metadata and the legacy auth_server directive from WWW-Authenticate; discovery now falls through to .well-known/oauth-protected-resource at the resource origin.
  • http4k-ai-mcp-x402: [Unlikely Break] X402ToolFilter and McpFilters.X402PaymentRequired now take a SettlementMode.
  • http4k-api-jsonrpc: [Unlikely Break] RoutingJsonRpcHandler now caps batch requests at 100 elements; oversized batches are rejected with a single Invalid Request error instead of being processed.
  • http4k-bridge-micronaut: [Unlikely Break] HttpRequest.asHttp4k() returns null for an unrecognised HTTP method (was IllegalArgumentException); the fallback controller responds with 501 Not Implemented in that case.
  • http4k-connect-storage-core: [Unlikely Break] Storage.Disk now canonicalises and containment-checks the key parameter on get/set/remove; keys whose resolved path escapes the configured directory are silently treated as missing.
  • http4k-connect-storage-http: [Unlikely Break] Storage.Http now URL-encodes the key before interpolating it into the request path.
  • http4k-connect-storage-jdbc: [Fix] Storage.Jdbc now escapes LIKE metacharacters (%, _, \) in keyPrefix, so keySet("%")/removeAll("%") no longer over-match. Implemented via Exposed's LikePattern.ofLiteral.
  • http4k-connect-storage-redis: [Fix] Storage.Redis now escapes glob metacharacters (*, ?, [, ], \) in keyPrefix, so keySet("*")/removeAll("*") no longer over-match.
  • http4k-multipart: [Unlikely Break] Disk-spilled multipart parts (via DiskLocation.Temp/Permanent) are created with owner-only POSIX permissions where the underlying filesystem supports them.
  • http4k-realtime-core: [Unlikely Break] InputStream.chunkedSseSequence() now caps the in-progress message buffer(10 MB by default).
  • http4k-security-oauth: [Unlikely Break] AuthServerDiscovery.fromProtectedResource now requires the metadata resource to match the expected resource at a path-segment boundary,
  • http4k-server-jetty: [Unlikely Break] WebSocket message aggregation is now capped at 10 MB.
  • http4k-server-jetty*: [Unlikely Break] SSE event name and id are now CR/LF-stripped before being written to the wire (matching SseMessage.Event.toMessage()).
  • http4k-server-jetty11: [Unlikely Break] WebSocket message aggregation is now capped at 10 MB.
  • http4k-server-netty: [Unlikely Break] WebSocket message aggregation is now capped at 10 MB.
  • http4k-server-undertow: [Unlikely Break] Default Undertow builder now caps request bodies at 10 MB.
  • http4k-serverless-lambda: [Unlikely Break] ApiGatewayV1, ApplicationLoadBalancer, and ApiGatewayRest response adapters now also emit multiValueHeaders, preserving duplicate response headers (e.g. multiple Set-Cookie).
  • http4k-webhook: [Unlikely Break] HmacSha256.Signer rejects a WebhookId containing the signing delimiter .; HmacSha256.Verifier returns false for the same.
  • http4k-ai-mcp-sdk: [Fix] MCP transports now contain optional CorsPolicy to apply to traffic. Defaults to null to avoid breaking existing usages.
  • http4k-ai-mcp-sdk: [Fix] DirectoryResources in Recursive mode no longer permits reading a sibling.
  • http4k-connect-storage-core: [Fix] Storage.InMemory().removeAll(keyPrefix) now returns true only when at least one key was actually removed (was returning true whenever the map was non-empty, even if no keys matched the prefix).
  • http4k-connect-storage-http: [Fix] Storage.Http().keySet(keyPrefix) no longer returns {""} when the server replies with an empty body; empty lines are filtered out.
  • http4k-format-moshi-yaml: [Fix] SnakeYAML is now constructed with SafeConstructor instead of Constructor.
  • http4k-multipart: [Fix] multipartIterator() now selects the boundary directive from Content-Type by name.
  • http4k-multipart: [Fix] DiskLocation.Temp/Permanent no longer use the multipart filename as the on-disk temp-file prefix.
  • http4k-multipart: [Fix] MultipartFormBody.from(...) now closes the underlying DiskLocation on parse failure.
  • http4k-realtime-core: [Fix] SseMessage.Data.toMessage() and SseMessage.Event.toMessage() now safer.
  • http4k-security-digest: [Fix] DigestCredential.fromHeader no longer throws on an Authorization header containing only the scheme; the request now receives the standard challenge instead of a 500.
  • http4k-server-netty: [Fix] A WebSocket-upgrade request with a non-standard HTTP method no longer throws IllegalArgumentException.
  • http4k-template-freemarker: [Fix] FreemarkerTemplates.safeConfiguration(...) now sets newBuiltinClassResolver = TemplateClassResolver.SAFER_RESOLVER and disables ?api
  • http4k-wiretap: [Fix] MermaidDiagramView no longer renders captured Mermaid source with ?no_esc
  • http4k-template-freemarker: Adds FreemarkerTemplates.safeConfiguration(...) factory.
  • http4k-ai-a2a-sdk: Added PushNotificationUrlPolicy so urls can be validated.

6.51.0.0

Changelog:

  • http4k-*: Upgrade versions
  • http4k-server-netty: [Unlikely Break] Add websocket heartbeat monitor. H/T @​oharaandrew314
  • http4k-security-digest: [Unlikely Break] DigestAuthReceiver to generate challenge response with correct URI. H/T @​oharaandrew314
  • http4k-core: Adds a maxDecompressedSize: Long parameter to RequestFilters.GunZip, ResponseFilters.GunZip, ServerFilters.GZip, ServerFilters.GZipContentTypes, ClientFilters.GZip, ClientFilters.AcceptGZip, and the underlying Body.gunzippedStream.
Changelog

Sourced from org.http4k:http4k-server-netty's changelog.

v6.53.0.0

  • http4k-*: Upgrade versions including Kotlin to 2.4.0
  • http4k-testing-webdriver: Http4kWebDriver supports multiple file upload H/T @​savagematt

v6.52.0.0

  • http4k-security-digest: [Break] ServerFilters.DigestAuth and DigestAuthProvider now can have a DigestAlgorithm enum (MD5 / SHA_256).
  • http4k-ai-a2a-sdk: [Unlikely Break] PushNotificationSender.Http now takes a PushNotificationUrlPolicy.
  • http4k-ai-mcp-client: [Unlikely Break] DiscoveredMcpOAuth rejects cross-origin resource_metadata and the legacy auth_server directive from WWW-Authenticate; discovery now falls through to .well-known/oauth-protected-resource at the resource origin.
  • http4k-ai-mcp-x402: [Unlikely Break] X402ToolFilter and McpFilters.X402PaymentRequired now take a SettlementMode.
  • http4k-api-jsonrpc: [Unlikely Break] RoutingJsonRpcHandler now caps batch requests at 100 elements; oversized batches are rejected with a single Invalid Request error instead of being processed.
  • http4k-bridge-micronaut: [Unlikely Break] HttpRequest.asHttp4k() returns null for an unrecognised HTTP method (was IllegalArgumentException); the fallback controller responds with 501 Not Implemented in that case.
  • http4k-connect-storage-core: [Unlikely Break] Storage.Disk now canonicalises and containment-checks the key parameter on get/set/remove; keys whose resolved path escapes the configured directory are silently treated as missing.
  • http4k-connect-storage-http: [Unlikely Break] Storage.Http now URL-encodes the key before interpolating it into the request path.
  • http4k-connect-storage-jdbc: [Fix] Storage.Jdbc now escapes LIKE metacharacters (%, _, \) in keyPrefix, so keySet("%")/removeAll("%") no longer over-match. Implemented via Exposed's LikePattern.ofLiteral.
  • http4k-connect-storage-redis: [Fix] Storage.Redis now escapes glob metacharacters (*, ?, [, ], \) in keyPrefix, so keySet("*")/removeAll("*") no longer over-match.
  • http4k-multipart: [Unlikely Break] Disk-spilled multipart parts (via DiskLocation.Temp/Permanent) are created with owner-only POSIX permissions where the underlying filesystem supports them.
  • http4k-realtime-core: [Unlikely Break] InputStream.chunkedSseSequence() now caps the in-progress message buffer(10 MB by default).
  • http4k-security-oauth: [Unlikely Break] AuthServerDiscovery.fromProtectedResource now requires the metadata resource to match the expected resource at a path-segment boundary,
  • http4k-server-jetty: [Unlikely Break] WebSocket message aggregation is now capped at 10 MB.
  • http4k-server-jetty*: [Unlikely Break] SSE event name and id are now CR/LF-stripped before being written to the wire (matching SseMessage.Event.toMessage()).
  • http4k-server-jetty11: [Unlikely Break] WebSocket message aggregation is now capped at 10 MB.
  • http4k-server-netty: [Unlikely Break] WebSocket message aggregation is now capped at 10 MB.
  • http4k-server-undertow: [Unlikely Break] Default Undertow builder now caps request bodies at 10 MB.
  • http4k-serverless-lambda: [Unlikely Break] ApiGatewayV1, ApplicationLoadBalancer, and ApiGatewayRest response adapters now also emit multiValueHeaders, preserving duplicate response headers (e.g. multiple Set-Cookie).
  • http4k-webhook: [Unlikely Break] HmacSha256.Signer rejects a WebhookId containing the signing delimiter .; HmacSha256.Verifier returns false for the same.
  • http4k-ai-mcp-sdk: [Fix] MCP transports now contain optional CorsPolicy to apply to traffic. Defaults to null to avoid breaking existing usages.
  • http4k-ai-mcp-sdk: [Fix] DirectoryResources in Recursive mode no longer permits reading a sibling.
  • http4k-connect-storage-core: [Fix] Storage.InMemory().removeAll(keyPrefix) now returns true only when at least one key was actually removed (was returning true whenever the map was non-empty, even if no keys matched the prefix).
  • http4k-connect-storage-http: [Fix] Storage.Http().keySet(keyPrefix) no longer returns {""} when the server replies with an empty body; empty lines are filtered out.
  • http4k-format-moshi-yaml: [Fix] SnakeYAML is now constructed with SafeConstructor instead of Constructor.
  • http4k-multipart: [Fix] multipartIterator() now selects the boundary directive from Content-Type by name.
  • http4k-multipart: [Fix] DiskLocation.Temp/Permanent no longer use the multipart filename as the on-disk temp-file prefix.
  • http4k-multipart: [Fix] MultipartFormBody.from(...) now closes the underlying DiskLocation on parse failure.
  • http4k-realtime-core: [Fix] SseMessage.Data.toMessage() and SseMessage.Event.toMessage() now safer.
  • http4k-security-digest: [Fix] DigestCredential.fromHeader no longer throws on an Authorization header containing only the scheme; the request now receives the standard challenge instead of a 500.
  • http4k-server-netty: [Fix] A WebSocket-upgrade request with a non-standard HTTP method no longer throws IllegalArgumentException.
  • http4k-template-freemarker: [Fix] FreemarkerTemplates.safeConfiguration(...) now sets newBuiltinClassResolver = TemplateClassResolver.SAFER_RESOLVER and disables ?api
  • http4k-wiretap: [Fix] MermaidDiagramView no longer renders captured Mermaid source with ?no_esc
  • http4k-template-freemarker: Adds FreemarkerTemplates.safeConfiguration(...) factory.
  • http4k-ai-a2a-sdk: Added PushNotificationUrlPolicy so urls can be validated.

v6.51.0.0

  • http4k-*: Upgrade versions
  • http4k-server-netty: [Unlikely Break] Add websocket heartbeat monitor. H/T @​oharaandrew314
  • http4k-security-digest: [Unlikely Break] DigestAuthReceiver to generate challenge response with correct URI. H/T @​oharaandrew314
  • http4k-core: Adds a maxDecompressedSize: Long parameter to RequestFilters.GunZip, ResponseFilters.GunZip, ServerFilters.GZip, ServerFilters.GZipContentTypes, ClientFilters.GZip, ClientFilters.AcceptGZip, and the underlying Body.gunzippedStream.
Commits

Updates gradle-wrapper from 9.5.1 to 9.6.0

Release notes

Sourced from gradle-wrapper's releases.

9.6.0

The Gradle team is excited to announce Gradle 9.6.0.

Here are the highlights of this release:

  • Improved Configuration Cache hit rates
  • Additional CLI rendering options
  • Important project hierarchy lookup deprecations

Read the Release Notes

We would like to thank the following community members for their contributions to this release of Gradle: Aharnish Solanki, Benedikt Johannes, Devendra Reddy Pennabadi, Dmytro Rodionov, Dreeam, Elías Hernández Rodríguez, Eng Zer Jun, FinlayRJW, Kamal Kansal, Marcono1234, Nelson Osacky, Philip Wedemann, Ravi, Roberto Perez Alcolea, Ryan Schmitt, Sebastian Schuberth, seunghun.ham, sk-reddy17, Suvrat Acharya, Vedant Madane.

Upgrade instructions

Switch your build to use Gradle 9.6.0 by updating your wrapper:

./gradlew :wrapper --gradle-version=9.6.0 && ./gradlew :wrapper

See the Gradle 9.x upgrade guide to learn about deprecations, breaking changes and other considerations when upgrading.

For Java, Groovy, Kotlin and Android compatibility, see the full compatibility notes.

Reporting problems

If you find a problem with this release, please file a bug on GitHub Issues adhering to our issue guidelines. If you're not sure you're encountering a bug, please use the forum.

We hope you will build happiness with Gradle, and we look forward to your feedback via Twitter or on GitHub.

9.6.0 RC3

... (truncated)

Commits
  • 3f750f0 Update distro size for Gradle 9.6.0 release (#38243)
  • ae93cfa update distro size
  • f7e22b5 Update Gradle wrapper to version 9.6.0-rc-3 (#38227)
  • 71a8eb9 Update Gradle wrapper to version 9.6.0-rc-3
  • 70a8745 Prepare release notes for Gradle 9.6.0RC3 (#38220)
  • 9706522 some final polishing for release notes
  • af308eb Restore GradleInternal.getRootProject overload for binary compatibility (#38214)
  • 239361b Restore GradleInternal.getRootProject overload for binary compatibility
  • 896dc44 Update Gradle wrapper to version 9.6.0-rc-2 (#38187)
  • 2d4ec25 Update Gradle wrapper to version 9.6.0-rc-2
  • Additional commits viewable in compare view

Updates org.commonmark:commonmark from 0.28.0 to 0.29.0

Release notes

Sourced from org.commonmark:commonmark's releases.

commonmark-java 0.29.0

Added

  • Support rendering GFM task list items to Markdown (#433)
  • Support rendering YAML front matter to Markdown (#434)
  • Alerts
    • Allow customizing HTML attributes for alert title <p> tag via AttributeProvider (#427)
    • New configuration for AlertsExtension to allow authors to provide custom titles per alert. See the custom titles section of the alerts README for more information. (#430)
    • New configuration for AlertsExtension to allow alerts to be nested within other blocks (including other alerts). See this section of the alerts README for more information. (#430)
    • New configuration for AlertsExtension to allow the set of alert types (including standard GFM types) to be completely overwritten. (#435)
      var extension = AlertsExtension.builder()
              .setAllowedTypes(Map.ofEntries(
                      Map.entry("IMPORTANT", "Important"),
                      Map.entry("WARNING", "Warning")
                      Map.entry("BUG", "Known Bug")
              ))
              .build();
    • Support rendering alerts to text (#437)
Changelog

Sourced from org.commonmark:commonmark's changelog.

[0.29.0] - 2026-06-20

Added

  • Support rendering GFM task list items to Markdown (#433)
  • Support rendering YAML front matter to Markdown (#434)
  • Alerts
    • Allow customizing HTML attributes for alert title <p> tag via AttributeProvider (#427)
    • New configuration for AlertsExtension to allow authors to provide custom titles per alert. See the custom titles section of the alerts README for more information. (#430)
    • New configuration for AlertsExtension to allow alerts to be nested within other blocks (including other alerts). See this section of the alerts README for more information. (#430)
    • New configuration for AlertsExtension to allow the set of alert types (including standard GFM types) to be completely overwritten. (#435)
      var extension = AlertsExtension.builder()
              .setAllowedTypes(Map.ofEntries(
                      Map.entry("IMPORTANT", "Important"),
                      Map.entry("WARNING", "Warning")
                      Map.entry("BUG", "Known Bug")
              ))
              .build();
    • Support rendering alerts to text (#437)
Commits
  • 57cf9fd [maven-release-plugin] prepare release commonmark-parent-0.29.0
  • 4f6b66e Merge pull request #438 from commonmark/release-0.29.0
  • b0f4dbc mvn versions:set -DnewVersion=0.29.0-SNAPSHOT
  • c5f6bc9 Prepare CHANGELOG for version 0.29.0
  • 952ce9d Merge pull request #437 from rdestefa/issue-436-alerts-text-rendering
  • efc90bd Update CHANGELOG.md
  • 0117b82 Update AlertHtmlNodeRenderer.java
  • ffa682e Update AlertTextContentNodeRenderer.java
  • 717dedd Add Text Content Rendering Support for Alerts
  • b146e55 Merge pull request #435 from rdestefa/issue-431-disallow-github-alert-types
  • Additional commits viewable in compare view

Updates com.networknt:json-schema-validator from 3.0.3 to 3.0.5

Release notes

Sourced from com.networknt:json-schema-validator's releases.

3.0.5- 2026-06-21

Added

Changed

  • fixes #1252 problem with additionalProperties schema in jsconfig schema (#1253)
  • fixes #1174 TextNodes as schema seem to validate any value (#1250)

3.0.4- 2026-06-10

Added

Changed

Changelog

Sourced from com.networknt:json-schema-validator's changelog.

Change Log

All notable changes to this project will be documented in this file.

This format is based on Keep a Changelog.

This project does not adhere to Semantic Versioning and minor version changes can have incompatible API changes. These incompatible API changes will largely affect those who have custom validator or walker implementations. Those who just use the library to validate using the standard JSON Schema Draft specifications may not need changes.

[Unreleased]

Added

Changed

Changed

3.0.5- 2026-06-21

Added

Changed

  • fixes #1252 problem with additionalProperties schema in jsconfig schema (#1253)
  • fixes #1174 TextNodes as schema seem to validate any value (#1250)

3.0.4- 2026-06-10

Added

Changed

3.0.3- 2026-05-27

Added

Changed

3.0.2- 2026-04-14

Added

Changed

3.0.1- 2026-03-10

... (truncated)

Commits

Updates io.heapy.kotaml:kotaml from 0.108.0 to 0.109.0

Release notes

Sourced from io.heapy.kotaml:kotaml's releases.

v0.109.0

What's Changed

Dependency updates

  • Kotlin 2.3.21 → 2.4.0
  • KSP 2.3.8 → 2.3.9
  • Spotless 8.5.1 → 8.6.0
  • actions/checkout 6.0.2 → 6.0.3

The Kotlin upgrade also re-resolved some transitive JS dependencies in kotlin-js-store/yarn.lock (string-width, strip-ansi, wrap-ansi).

Pull requests

Full Changelog: Heapy/kotaml@v0.108.0...v0.109.0

Commits
  • d5bde95 Release v0.109.0
  • ef4a983 chore(deps): bump the all group with 2 updates (#6)
  • 774218f chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 in the all group (#5)
  • 7061740 chore(deps): bump the all group with 2 updates (#4)
  • See full diff in compare view

Updates ch.qos.logback:logback-classic from 1.5.33 to 1.5.34

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.34

2026-06-01 Release of logback version 1.5.34

• In case certain StackTraceElement values returned by the Throwable.getStackTrace method are null, StackTraceElementProxy substitutes a dummy instance instead of throwing an IllegalArgumentException. This resolves [issues #1040](qos-ch/logback#1040), reported by Naotsugu Kobayashi.

• HardenedObjectInputStream will now throw an InvalidClassException during deserialization attempts of Proxy classes. This change addresses potential deserialization whitelist bypass vulnerability reported by York Shen and registered as CVE-2026-10532.

• A bitwise identical binary of this version can be reproduced by building from source code at commit e62272ac152469aec1ede056c3c7d0d7314e7bfe associated with the tag v_1.5.34. This release was built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Commits
  • e62272a prepare release 1.5.34
  • 1e9e926 add resolveProxyClassRejectsDynamicProxies unit test
  • 2de5cbe added StackTraceElementProxyTest, minor edits to AGENTS.md
  • 0e9b927 in case StackTraceElement is null use a substitute, fixing issues/1040
  • f7a0654 prevent resolveProxyClass bypass
  • 249b81f docs are no longer distributed
  • 1c3b26a start work on 1.5.34-SNAPSHOT
  • See full diff in compare view

Updates io.micrometer:micrometer-registry-prometheus from 1.16.5 to 1.17.0

Release notes

Sourced from io.micrometer:micrometer-registry-prometheus's releases.

1.17.0

See also the 1.17 migration guide and the release notes for 1.17.0-RC1, 1.17.0-M3, 1.17.0-M2, 1.17.0-M1.

🐞 Bug Fixes

  • ArrayIndexOutOfBoundsException when using LongTaskTimer #3877
  • Jetty 12's TimedHandler marks some requests with outcome UNKNOWN #7276
  • MeterRegistry closes HighCardinalityTagsDetector twice if the registry is closed twice #7409
  • Reduce allocation in HTTP server instrumentation #7580
  • Reduce allocation in gRPC server convention #7581

📔 Documentation

  • Clarify time series produced by LongTaskTimer when using Prometheus #6507
  • Document metrics that need to close the MeterBinder #4624
  • Multigauge Documentation lacks overwrite=true #4403

🔨 Dependency Upgrades

  • Bump com.dynatrace.metric.util:dynatrace-metric-utils-java from 2.4.0 to 2.5.0 #7452
  • Bump com.google.auth:google-auth-library-oauth2-http from 1.43.0 to 1.48.0 #7397
  • Bump com.google.cloud:google-cloud-monitoring from 3.89.0 to 3.94.0 #7398
  • Bump com.google.cloud:libraries-bom from 26.79.0 to 26.83.0 #7497
  • Bump com.netflix.spectator:spectator-reg-atlas from 1.9.6 to 1.9.9 #7552
  • Bump dropwizard-metrics from 4.2.38 to 4.2.39 #7527
  • Bump io.prometheus:prometheus-metrics-bom from 1.5.1 to 1.7.0 #7572
  • Bump software.amazon.awssdk:cloudwatch from 2.42.32 to 2.46.4 #7494

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​blaspat, @​codingkiddo, @​izeye, @​jewoodev, and @​schiemon

1.17.0-RC1

⭐ New Features

  • Add meter for ForkJoinPool#getDelayedTaskCount #6381
  • Add support for JDK 26's MemoryPoolMXBean.getTotalGcCpuTime() #7245
  • Clear the state of the ObservationValidator #7337
  • Improve exemplars sizing and add exemplarsSize config #7324
  • Log warning when a registry is added to composite after meter registration #6908
  • Treat OkHttp Request as non-nullable #7388
  • Validate Observation.Scope closing when using TestObservationRegistry #6329

🐞 Bug Fixes

  • Invalid reflection hint in micrometer-core for native GraalVM 25 build #7316
  • ObservationGrpcClientInterceptor throws NPE when NameResolver returns empty authority #7380

... (truncated)

Commits
  • 8466fea Merge branch '1.16.x'
  • fa2ed32 Merge branch '1.15.x' into 1.16.x
  • dc2e5e2 Reduce allocation in gRPC server convention
  • 36da131 Reduce allocation in HTTP server instrumentation
  • 9591cb4 Bump com.uber.nullaway:nullaway from 0.13.5 to 0.13.6 (#7575)
  • 7a92a44 Bump software.amazon.awssdk:cloudwatch from 2.46.3 to 2.46.4 (#7576)
  • e11e7c6 Merge branch '1.16.x'
  • d8e8bcb Merge branch '1.15.x' into 1.16.x
  • cf6ac02 Reduce flakiness of PushMeterRegistryTest (#7574)
  • d74759a Bump com.google.cloud:google-cloud-monitoring from 3.93.0 to 3.94.0 (#7573)
  • Additional commits viewable in compare view

Updates io.netty:netty-all from 4.2.14.Final to 4.2.15.Final

Release notes

Sourced from io.netty:netty-all's releases.

netty-4.2.15.Final

Security fixes

  • CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
  • CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
  • CVE-2026-50560: DDoS in io.netty:netty-codec-http2.
  • CVE-2026-50011: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-50009: information disclosure and denial of service in io.netty:netty-codec-classes-quic.
  • CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
  • CVE-2026-50020: request smuggling in io.netty:netty-codec-http.
  • CVE-2026-44892: memory exhaustion in io.netty:netty-codec-http3 (high).
  • CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
  • CVE-2026-44894: traffic amplification in io.netty:netty-codec-classes-quic (high).
  • CVE-2026-50010: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
  • CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.
  • CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).
  • CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
  • CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).
  • CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).
  • CVE-2026-47244: denial of service in io.netty:netty-codec-http2.
  • CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-48748: memory exhaustion in io.netty:netty-codec-http3 (high).
  • CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

What's Changed

New Contributors

Full Changelog: netty/netty@netty-4.2.14.Final...netty-4.2.15.Final

Commits
  • a41f7b2 [maven-release-plugin] prepare release netty-4.2.15.Final
  • 2394530 Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remain...
  • 0bd1657 Add maxWindowLog parameter to ZstdDecoder to bound memory allocation (#16850)
  • 76291f5 Fix SCTP and Redis tests (#16893)
  • e067b6e Fix revapi warnings (#16885)
  • 5a52600 Pass maxAllocation to Brotli and Zstd decoders (#16844)
  • 541add0 Merge commit from fork
  • 270800e Merge commit from fork
  • 3d45a1e Merge commit from fork
  • 75127ca Merge commit from fork
  • Additional commits viewable in compare view

Updates io.netty:netty-transport-native-kqueue from 4.2.14.Final to 4.2.15.Final

Release notes

Sourced from io.netty:netty-transport-native-kqueue's releases.

netty-4.2.15.Final

Security fixes

  • CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
  • CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
  • CVE-2026-50560: DDoS in io.netty:netty-codec-http2.
  • CVE-2026-50011: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-50009: information disclosure and denial of service in io.netty:netty-codec-classes-quic.
  • CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
  • CVE-2026-50020: request smuggling in io.netty:netty-codec-http.
  • CVE-2026-44892: memory exhaustion in io.netty:netty-codec-http3 (high).
  • CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
  • CVE-2026-44894: traffic amplification in io.netty:netty-codec-classes-quic (high).
  • CVE-2026-50010: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
  • CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.
  • CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).
  • CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
  • CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).
  • CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).
  • CVE-2026-47244: denial of service in io.netty:netty-codec-http2.

Bumps the all group with 13 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [org.http4k:http4k-server-netty](https://github.com/http4k/http4k) | `6.50.0.0` | `6.53.0.0` |
| [gradle-wrapper](https://github.com/gradle/gradle) | `9.5.1` | `9.6.0` |
| [org.commonmark:commonmark](https://github.com/commonmark/commonmark-java) | `0.28.0` | `0.29.0` |
| [com.networknt:json-schema-validator](https://github.com/networknt/json-schema-validator) | `3.0.3` | `3.0.5` |
| [io.heapy.kotaml:kotaml](https://github.com/Heapy/kotaml) | `0.108.0` | `0.109.0` |
| [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) | `1.5.33` | `1.5.34` |
| [io.micrometer:micrometer-registry-prometheus](https://github.com/micrometer-metrics/micrometer) | `1.16.5` | `1.17.0` |
| [io.netty:netty-all](https://github.com/netty/netty) | `4.2.14.Final` | `4.2.15.Final` |
| [io.netty:netty-transport-native-kqueue](https://github.com/netty/netty) | `4.2.14.Final` | `4.2.15.Final` |
| [io.netty:netty-transport-native-epoll](https://github.com/netty/netty) | `4.2.14.Final` | `4.2.15.Final` |
| [io.netty:netty-transport-native-io_uring](https://github.com/netty/netty) | `4.2.14.Final` | `4.2.15.Final` |
| [org.jetbrains.kotlin.jvm](https://github.com/JetBrains/kotlin) | `2.3.21` | `2.4.0` |
| [org.jetbrains.kotlin.plugin.serialization](https://github.com/JetBrains/kotlin) | `2.3.21` | `2.4.0` |



Updates `org.http4k:http4k-server-netty` from 6.50.0.0 to 6.53.0.0
- [Release notes](https://github.com/http4k/http4k/releases)
- [Changelog](https://github.com/http4k/http4k/blob/master/CHANGELOG.md)
- [Commits](http4k/http4k@6.50.0.0...6.53.0.0)

Updates `gradle-wrapper` from 9.5.1 to 9.6.0
- [Release notes](https://github.com/gradle/gradle/releases)
- [Commits](gradle/gradle@v9.5.1...v9.6.0)

Updates `org.commonmark:commonmark` from 0.28.0 to 0.29.0
- [Release notes](https://github.com/commonmark/commonmark-java/releases)
- [Changelog](https://github.com/commonmark/commonmark-java/blob/main/CHANGELOG.md)
- [Commits](commonmark/commonmark-java@commonmark-parent-0.28.0...commonmark-parent-0.29.0)

Updates `com.networknt:json-schema-validator` from 3.0.3 to 3.0.5
- [Release notes](https://github.com/networknt/json-schema-validator/releases)
- [Changelog](https://github.com/networknt/json-schema-validator/blob/master/CHANGELOG.md)
- [Commits](networknt/json-schema-validator@3.0.3...3.0.5)

Updates `io.heapy.kotaml:kotaml` from 0.108.0 to 0.109.0
- [Release notes](https://github.com/Heapy/kotaml/releases)
- [Commits](Heapy/kotaml@v0.108.0...v0.109.0)

Updates `ch.qos.logback:logback-classic` from 1.5.33 to 1.5.34
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.33...v_1.5.34)

Updates `io.micrometer:micrometer-registry-prometheus` from 1.16.5 to 1.17.0
- [Release notes](https://github.com/micrometer-metrics/micrometer/releases)
- [Commits](micrometer-metrics/micrometer@v1.16.5...v1.17.0)

Updates `io.netty:netty-all` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `io.netty:netty-transport-native-kqueue` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `io.netty:netty-transport-native-epoll` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `io.netty:netty-transport-native-io_uring` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `io.netty:netty-transport-native-kqueue` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `io.netty:netty-transport-native-epoll` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `io.netty:netty-transport-native-io_uring` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `org.jetbrains.kotlin.jvm` from 2.3.21 to 2.4.0
- [Release notes](https://github.com/JetBrains/kotlin/releases)
- [Changelog](https://github.com/JetBrains/kotlin/blob/master/ChangeLog.md)
- [Commits](JetBrains/kotlin@v2.3.21...v2.4.0)

Updates `org.jetbrains.kotlin.plugin.serialization` from 2.3.21 to 2.4.0
- [Release notes](https://github.com/JetBrains/kotlin/releases)
- [Changelog](https://github.com/JetBrains/kotlin/blob/master/ChangeLog.md)
- [Commits](JetBrains/kotlin@v2.3.21...v2.4.0)

Updates `org.jetbrains.kotlin.plugin.serialization` from 2.3.21 to 2.4.0
- [Release notes](https://github.com/JetBrains/kotlin/releases)
- [Changelog](https://github.com/JetBrains/kotlin/blob/master/ChangeLog.md)
- [Commits](JetBrains/kotlin@v2.3.21...v2.4.0)

---
updated-dependencies:
- dependency-name: org.http4k:http4k-server-netty
  dependency-version: 6.53.0.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: gradle-wrapper
  dependency-version: 9.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: org.commonmark:commonmark
  dependency-version: 0.29.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: com.networknt:json-schema-validator
  dependency-version: 3.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: io.heapy.kotaml:kotaml
  dependency-version: 0.109.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.34
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: io.micrometer:micrometer-registry-prometheus
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: io.netty:netty-all
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: io.netty:netty-transport-native-kqueue
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: io.netty:netty-transport-native-epoll
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: io.netty:netty-transport-native-io_uring
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: io.netty:netty-transport-native-kqueue
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: io.netty:netty-transport-native-epoll
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: io.netty:netty-transport-native-io_uring
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: org.jetbrains.kotlin.jvm
  dependency-version: 2.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: org.jetbrains.kotlin.plugin.serialization
  dependency-version: 2.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: org.jetbrains.kotlin.plugin.serialization
  dependency-version: 2.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Jun 21, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jun 28, 2026

Copy link
Copy Markdown
Contributor Author

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Jun 28, 2026
@dependabot dependabot Bot deleted the dependabot/gradle/all-dfc207c9dd branch June 28, 2026 20:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file java Pull requests that update Java code

Development

Successfully merging this pull request may close these issues.

0 participants