[12.1.x EE11] Bump the dev-dependencies group across 1 directory with 26 updates

[dependabot]

Bumps the dev-dependencies group with 25 updates in the /jetty-ee11 directory:

Package	From	To
org.ow2.asm:asm	9.10	9.10.1
org.ow2.asm:asm-commons	9.10	9.10.1
org.ow2.asm:asm-bom	9.10	9.10.1
org.mariadb.jdbc:mariadb-java-client	3.5.8	3.5.9
com.fasterxml.jackson:jackson-bom	2.21.3	2.22.0
io.netty:netty-bom	4.2.13.Final	4.2.15.Final
org.hibernate.search:hibernate-search-bom	8.3.1.Final	8.4.0.Final
org.junit:junit-bom	6.0.3	6.1.0
ch.qos.logback:logback-core	1.5.32	1.5.37
com.github.jnr:jffi	1.3.15	1.4.0
io.grpc:grpc-core	1.81.0	1.82.1
io.grpc:grpc-netty-shaded	1.81.0	1.82.1
io.smallrye.common:smallrye-common-annotation	2.18.1	2.19.0
io.smallrye.common:smallrye-common-cpu	2.18.1	2.19.0
net.java.dev.jna:jna	5.18.1	5.19.1
net.java.dev.jna:jna-jpms	5.18.1	5.19.1
org.apache.kerby:kerb-simplekdc	2.1.1	2.1.2
org.codehaus.plexus:plexus-classworlds	2.11.0	2.12.0
org.eclipse.jdt:ecj	3.45.0	3.46.0
org.hibernate.models:hibernate-models	1.1.1	1.2.0
org.mortbay.jetty.quiche:jetty-quiche-native	0.29.1	0.29.2
eu.maveniverse.maven.njord:extension3	0.9.6	0.9.9
eu.maveniverse.maven.plugins:njord	0.9.6	0.9.9
org.apache.maven.extensions:maven-build-cache-extension	1.2.2	1.2.3
org.cyclonedx:cyclonedx-maven-plugin	2.9.1	2.9.2

Updates org.ow2.asm:asm from 9.10 to 9.10.1

Updates org.ow2.asm:asm-commons from 9.10 to 9.10.1

Updates org.ow2.asm:asm-bom from 9.10 to 9.10.1

Updates org.ow2.asm:asm-commons from 9.10 to 9.10.1

Updates org.mariadb.jdbc:mariadb-java-client from 3.5.8 to 3.5.9

Release notes

Sourced from org.mariadb.jdbc:mariadb-java-client's releases.

MariaDB Connector/Java 3.5.9

3.5.9 (Jun 2026)

Full Changelog

Key Enhancements

• CONJ-1223 - cache TLS trust/key managers across connections to reduce SSL connection cost
• CONJ-1314 - add SPI for interactive dialog (PAM) authentication callback
• CONJ-1311 - add dedicated option useIpForKillQuery for query cancellation
• CONJ-1310 - Add full native image support and CI coverage

Issues Resolved

• CONJ-1320 - PAM (dialog) authentication must require a secure connection (report by fg0x0)
• CONJ-1319 - Use constant-time comparison when validating the server certificate fingerprint (report by jmestwa-coder)
• CONJ-1318 - enforce allowLocalInfile=false on the server's local-infile request, so a malicious server cannot read a client file despite the option being disabled
• CONJ-1322 - match local infile filename case-sensitively (thanks to jmestwa-coder)
• CONJ-1323 - LOAD LOCAL INFILE validation rejects statements preceded by line comments (thanks to sebdomdev)
• CONJ-1315 - cap BigDecimal/BigInteger string parsing length to prevent CPU exhaustion if MitM (report by tonghuaroot)
• CONJ-1317 - ensure non-UTF8 charset cannot be used for protocol exchanges (report by fg0x0)
• CONJ-1304 - CallableStatement parameter metadata read from mysql.proc, with MySQL info_schema fallback
• CONJ-1299 - keep VALUES literals after the last placeholder when rewriting batches
• CONJ-1313 - race condition in HaMode#getAvailableHostInOrder can cause NPE
• CONJ-1311 - Connection.cancelCurrentQuery fails with SslMode.VERIFY_FULL when client socket IP is set
• CONJ-1264 - handle LocalDateTime as a zoneless wall-clock value
• CONJ-1316 - pin Locale.ROOT on locale-sensitive call sites and date/time/Duration text formatting (fixes locale-dependent parsing/formatting, e.g. under tr_TR) (thanks to jmestwa-coder)
• CONJ-1324 - fix SQL parser to correctly handle '--' in expressions and reset lastChar after block comments
• CONJ-1323 - LOAD LOCAL INFILE validation rejects statements preceded by line comments (thanks to sebdomdev)

Changelog

Sourced from org.mariadb.jdbc:mariadb-java-client's changelog.

3.5.9 (Jun 2026)

Full Changelog

Key Enhancements

• CONJ-1223 - cache TLS trust/key managers across connections to reduce SSL connection cost
• CONJ-1314 - add SPI for interactive dialog (PAM) authentication callback
• CONJ-1311 - add dedicated option useIpForKillQuery for query cancellation
• CONJ-1310 - Add full native image support and CI coverage

Issues Resolved

• CONJ-1320 - PAM (dialog) authentication must require a secure connection (report by fg0x0)
• CONJ-1319 - Use constant-time comparison when validating the server certificate fingerprint (report by jmestwa-coder)
• CONJ-1318 - enforce allowLocalInfile=false on the server's local-infile request, so a malicious server cannot read a client file despite the option being disabled
• CONJ-1322 - match local infile filename case-sensitively (thanks to jmestwa-coder)
• CONJ-1323 - LOAD LOCAL INFILE validation rejects statements preceded by line comments (thanks to sebdomdev)
• CONJ-1315 - cap BigDecimal/BigInteger string parsing length to prevent CPU exhaustion if MitM (report by tonghuaroot)
• CONJ-1317 - ensure non-UTF8 charset cannot be used for protocol exchanges (report by fg0x0)
• CONJ-1304 - CallableStatement parameter metadata read from mysql.proc, with MySQL info_schema fallback
• CONJ-1299 - keep VALUES literals after the last placeholder when rewriting batches
• CONJ-1313 - race condition in HaMode#getAvailableHostInOrder can cause NPE
• CONJ-1311 - Connection.cancelCurrentQuery fails with SslMode.VERIFY_FULL when client socket IP is set
• CONJ-1264 - handle LocalDateTime as a zoneless wall-clock value
• CONJ-1316 - pin Locale.ROOT on locale-sensitive call sites and date/time/Duration text formatting (fixes locale-dependent parsing/formatting, e.g. under tr_TR) (thanks to jmestwa-coder)
• CONJ-1324 - fix SQL parser to correctly handle '--' in expressions and reset lastChar after block comments
• CONJ-1323 - LOAD LOCAL INFILE validation rejects statements preceded by line comments (thanks to sebdomdev)
• CONJ-1318 - allowLocalInfile=false does not block LOAD DATA LOCAL INFILE against a malicious server (thanks to tharavel)

3.4.3 (Jun 2026)

Full Changelog

Bugs Fixed

• CONJ-1315 - cap BigDecimal/BigInteger string parsing length to prevent CPU exhaustion if Mitm (report by tonghuaroot)
• CONJ-1316 - pin Locale.ROOT on locale-sensitive call sites and date/time/Duration text formatting (fixes locale-dependent parsing/formatting, e.g. under tr_TR) (thanks to jmestwa-coder)
• CONJ-1259 - DatabaseMetaData read-only detection: handle MariaDB 12.0 @@read_only returning ON/OFF instead of 1/0
• CONJ-1317 - ensure non-UTF8 charset cannot be used for protocol exchanges (report by fg0x0)
• CONJ-1320 - PAM (dialog) authentication now requires a secure connection (TLS or unix socket), like mysql_clear_password (report by fg0x0)
• CONJ-1319 - use constant-time comparison when validating the server certificate fingerprint (thanks to jmestwa-coder)
• CONJ-1322 - match local infile filename case-sensitively (thanks to jmestwa-coder)
• CONJ-1323 - LOAD LOCAL INFILE validation rejects statements preceded by line comments (thanks to sebdomdev)
• CONJ-1318 - allowLocalInfile=false does not block LOAD DATA LOCAL INFILE against a malicious server (thanks to tharavel)

3.3.5 (Jun 2026)

... (truncated)

Commits

• df4ebe2 [misc] enhance TcpProxy and TcpProxySocket for improved thread safety and con...
• 687c840 [misc] update environment variable for Maxscale version
• 4466ad6 [misc] test stability improvement : update proxy close method in PooledConnec...
• 1e29819 [misc] update README version
• da297f1 Merge branch 'develop'
• 83d3da9 [misc] Update CHANGELOG
• e39e8b9 match local infile filename case-sensitively
• d90b987 [misc] Implement secure authentication checks and add regression tests for cr...
• f4a727c [CONJ-1320] PAM (dialog) authentication must require a secure connection
• a87c711 [misc] update CHANGELOG
• Additional commits viewable in compare view

Updates com.fasterxml.jackson:jackson-bom from 2.21.3 to 2.22.0

Commits

• 112e859 [maven-release-plugin] prepare release jackson-bom-2.22.0
• 2cae2ce Prep for 2.22.0 release
• 7955d21 Merge branch '2.21' into 2.x
• 8922a05 Post-release dep version bump
• 1fa9943 [maven-release-plugin] prepare for next development iteration
• d1abd31 [maven-release-plugin] prepare release jackson-bom-2.21.4
• 2aaea43 Prep for 2.21.4 release
• 902ec69 Update Woodstox/stax2-api (to 7.2.0/4.3.0)
• 2570647 Merge branch '2.21' into 2.x
• 9d3a9d5 Post-release dep version bump
• Additional commits viewable in compare view

Updates io.netty:netty-bom from 4.2.13.Final to 4.2.15.Final

Release notes

Sourced from io.netty:netty-bom's releases.

netty-4.2.15.Final

Security fixes

• CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
• CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
• CVE-2026-50560: DDoS in io.netty:netty-codec-http2.
• CVE-2026-50011: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-50009: information disclosure and denial of service in io.netty:netty-codec-classes-quic.
• CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
• CVE-2026-50020: request smuggling in io.netty:netty-codec-http.
• CVE-2026-44892: memory exhaustion in io.netty:netty-codec-http3 (high).
• CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
• CVE-2026-44894: traffic amplification in io.netty:netty-codec-classes-quic (high).
• CVE-2026-50010: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
• CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.
• CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).
• CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
• CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).
• CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).
• CVE-2026-47244: denial of service in io.netty:netty-codec-http2.
• CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-48748: memory exhaustion in io.netty:netty-codec-http3 (high).
• CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

What's Changed

• Fix race in io.netty.channel.uring.IoUringIoHandler.wakeup by @​dreamlike-ocean in netty/netty#16836
• HTTP/2: Parse request-target path like Vert.x by @​yawkat in netty/netty#16810
• Auto-port 4.2: ChannelInitializer: correct misleading comment on exceptionCaught route by @​netty-project-bot in netty/netty#16853
• FlowControlHandler: Suppress duplicate channelReadComplete after draining queue (#15053) by @​schiemon in netty/netty#16837
• Pass maxAllocation to Brotli and Zstd decoders by @​fedinskiy in netty/netty#16844
• Fix revapi warnings by @​chrisvest in netty/netty#16885
• Fix SCTP and Redis tests by @​chrisvest in netty/netty#16893
• Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by @​skyguard1 in netty/netty#16850
• Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remaining Length by @​netty-project-bot in netty/netty#16890

New Contributors

• @​schiemon made their first contribution in netty/netty#16837
• @​fedinskiy made their first contribution in netty/netty#16844

Full Changelog: netty/netty@netty-4.2.14.Final...netty-4.2.15.Final

netty-4.2.14.Final

What's Changed

• HTTP: Fix revapi failure introduced by 84530fa81e12dcd1d42310bb20c1385cb44128d8 by @​normanmaurer in netty/netty#16748
• HTTP: Re-add constructor to HttpProxyHandler that was removed by mistake by @​normanmaurer in netty/netty#16747
• Marshalling: Explicit document security requirements by @​normanmaurer in netty/netty#16752
• Fix io_uring op completion TRACE logging by @​chrisvest in netty/netty#16755
• Quic: Ensure writes are done before notify close promise of QuicheQui… by @​normanmaurer in netty/netty#16758
• Avoid re-parsing openssl key material with non-cached provider by @​chrisvest in netty/netty#16759

... (truncated)

Commits

• a41f7b2 [maven-release-plugin] prepare release netty-4.2.15.Final
• 2394530 Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remain...
• 0bd1657 Add maxWindowLog parameter to ZstdDecoder to bound memory allocation (#16850)
• 76291f5 Fix SCTP and Redis tests (#16893)
• e067b6e Fix revapi warnings (#16885)
• 5a52600 Pass maxAllocation to Brotli and Zstd decoders (#16844)
• 541add0 Merge commit from fork
• 270800e Merge commit from fork
• 3d45a1e Merge commit from fork
• 75127ca Merge commit from fork
• Additional commits viewable in compare view

Updates org.hibernate.search:hibernate-search-bom from 8.3.1.Final to 8.4.0.Final

Release notes

Sourced from org.hibernate.search:hibernate-search-bom's releases.

Release 8.4.0.Final

Hibernate Search 8.4.0.Final released

We are pleased to announce the release of Hibernate Search 8.4: 8.4.0.Final.

You can find the full list of 8.4.0.Final changes here.

What's new

• See the website for requirements and compatibilities.
• See the What's New guide for details about new features and capabilities.

Conclusion

For additional details, see:

• the release page
• the Migration Guide
• the ORM Getting Started Guide
• the Standalone Getting Started Guide
• the Reference Guide
• the API docs

Visit the website for details on getting in touch with us.

Release 8.4.0.CR1

Hibernate Search 8.4.0.CR1 released

We are pleased to announce the release of Hibernate Search 8.4: 8.4.0.CR1.

You can find the full list of 8.4.0.CR1 changes here.

What's new

• See the website for requirements and compatibilities.
• See the What's New guide for details about new features and capabilities.

Conclusion

For additional details, see:

• the release page
• the Migration Guide
• the ORM Getting Started Guide
• the Standalone Getting Started Guide
• the Reference Guide

... (truncated)

Changelog

Sourced from org.hibernate.search:hibernate-search-bom's changelog.

8.4.0.Final (2026-05-27)

Full changelog

Improvement

• HSEARCH-5630 - Update to Hibernate ORM 7.4.0.Final
• HSEARCH-5629 - Use Maven 3.9.16 as a required minimum version for the build
• HSEARCH-5627 - Switch from the Search session holder to a Hibernate ORM session extension
• HSEARCH-5626 - Update Elasticsearch client (elasticsearch-rest-client) to 9.4.1
• HSEARCH-5625 - Test against latest Elasticsearch 9.4.1
• HSEARCH-5624 - Update Elasticsearch client (elasticsearch-rest5-client) to 9.4.1

8.4.0.CR1 (2026-05-11)

Full changelog

Bug

• HSEARCH-5595 - checkstyle:check is not build cache relocatable due to project resources including the workspace root

Improvement

• HSEARCH-5623 - Update to Hibernate ORM 7.4.0.CR1
• HSEARCH-5622 - Update Elasticsearch client (elasticsearch-rest5-client) to 9.4.0
• HSEARCH-5621 - Update Elasticsearch client (elasticsearch-rest-client) to 9.4.0
• HSEARCH-5620 - Add compatibility with Elasticsearch 9.4
• HSEARCH-5619 - Upgrade to GSON 2.14.0
• HSEARCH-5618 - Update Jackson to 2.21.3
• HSEARCH-5617 - Update to AWS SDK 2.44.1
• HSEARCH-5616 - Update Elasticsearch client (elasticsearch-rest-client) to 9.3.4
• HSEARCH-5613 - Use Maven 3.9.15 as a required minimum version for the build
• HSEARCH-5612 - Upgrade to commons-codec 1.22.0
• HSEARCH-5611 - Update Apache HTTP Client components to 5.6.1
• HSEARCH-5609 - Update Elasticsearch client (elasticsearch-rest-client) to 9.3.3
• HSEARCH-5608 - Update Elasticsearch client (elasticsearch-rest5-client) to 9.3.4
• HSEARCH-5607 - Update Elasticsearch rest client (opensearch-rest-client) to 3.6.0
• HSEARCH-5606 - Add compatibility with OpenSearch 3.6
• HSEARCH-5601 - Update to commons-logging to 1.3.6
• HSEARCH-5600 - Update Jackson to 2.21.2
• HSEARCH-5599 - Update Apache HTTP Core client components to 5.4.2
• HSEARCH-5598 - Update Elasticsearch client (elasticsearch-rest-client) to 9.3.2
• HSEARCH-5597 - Update Elasticsearch client (elasticsearch-rest5-client) to 9.3.3

Task

• HSEARCH-5596 - Use changeDetection config option instead of the deprecated overwrite in maven-resources-plugin
• HSEARCH-5280 - Look into OutboxPollingAutomaticIndexingDynamicShardingRebalancingIT#agentJoined test
• HSEARCH-5242 - Investigate why building hibernate-search-integrationtest-performance-backend-lucene fails on some envs

8.3.0.Final (2026-03-20)

... (truncated)

Commits

• 7369a18 [Jenkins release job] Preparing release 8.4.0.Final
• 4e26c08 [Jenkins release job] changelog.txt updated by release build 8.4.0.Final
• fe410d2 HSEARCH-5630 Add a few migration notes
• 87335b6 HSEARCH-5630 Update to Hibernate ORM 7.4.0.Final
• 58d6af1 HSEARCH-5624 Update Elasticsearch client (elasticsearch-rest5-client) to 9.4.1
• 9efe369 Bump the build-dependencies group with 4 updates
• bc1c185 Use the ssh URL for updating the website during the release
• 311adb0 HSEARCH-5627 Mention limitations of a StatelessSession
• d429b05 HSEARCH-5627 Better error message for "incompatible" session types
• 2eaeb28 HSEARCH-5627 Add a simple StatelessSession test
• Additional commits viewable in compare view

Updates org.junit:junit-bom from 6.0.3 to 6.1.0

Release notes

Sourced from org.junit:junit-bom's releases.

JUnit 6.1.0 = Platform 6.1.0 + Jupiter 6.1.0 + Vintage 6.1.0

See Release Notes.

New Contributors

• @​JarvisCraft made their first contribution in junit-team/junit-framework#5633
• @​Maran23 made their first contribution in junit-team/junit-framework#5644

Full Changelog: junit-team/junit-framework@r6.0.3...r6.1.0

JUnit 6.1.0-RC1 = Platform 6.1.0-RC1 + Jupiter 6.1.0-RC1 + Vintage 6.1.0-RC1

See Release Notes.

New Contributors

• @​mariokhoury4 made their first contribution in junit-team/junit-framework#4574
• @​Ogu1208 made their first contribution in junit-team/junit-framework#5145
• @​HyungGeun94 made their first contribution in junit-team/junit-framework#5271
• @​yalishevant made their first contribution in junit-team/junit-framework#5316
• @​JINU-CHANG made their first contribution in junit-team/junit-framework#5290
• @​jaschdoc made their first contribution in junit-team/junit-framework#5427
• @​kawshikbuet17 made their first contribution in junit-team/junit-framework#5561
• @​msridhar made their first contribution in junit-team/junit-framework#5602

Full Changelog: junit-team/junit-framework@r6.1.0-M1...r6.1.0-RC1

JUnit 6.1.0-M1 = Platform 6.1.0-M1 + Jupiter 6.1.0-M1 + Vintage 6.1.0-M1

See Release Notes.

New Contributors

• @​vy made their first contribution in junit-team/junit-framework#5041
• @​Pankraz76 made their first contribution in junit-team/junit-framework#5006
• @​arukiidou made their first contribution in junit-team/junit-framework#5066
• @​laeubi made their first contribution in junit-team/junit-framework#5092
• @​jihun4452 made their first contribution in junit-team/junit-framework#5088
• @​TWiStErRob made their first contribution in junit-team/junit-framework#5133

Full Changelog: junit-team/junit-framework@r6.0.0...r6.1.0-M1

Commits

• 0dc3af1 Release 6.1.0
• 1d13002 Prepare 6.1.0 release notes
• 072b217 Update plugin spotless to v8.5.0 (#5668)
• 3a53480 Update Gradle to v9.5.1 (#5666)
• 0e18a20 Update zizmorcore/zizmor-action action to v0.5.4 (#5669)
• 0a2634f Update github/codeql-action action to v4.35.5 (#5671)
• 4dbd556 Restructure workflows to have single "status" job (#5670)
• f2194ce Increase timeout to reduce flakiness
• 5c8fdd2 Update dependency org.apache.groovy:groovy to v5.0.6 (#5659)
• 43c6982 Update dependency org.slf4j:slf4j-jdk14 to v2.0.18 (#5667)
• Additional commits viewable in compare view

Updates org.ow2.asm:asm-bom from 9.10 to 9.10.1

Updates ch.qos.logback:logback-core from 1.5.32 to 1.5.37

Release notes

Sourced from ch.qos.logback:logback-core's releases.

Logback 1.5.37

2026-06-26 Release of logback version 1.5.37

• Given the numerous vulnerabilities related to conditional configuration processing based on the evaluation of Java expressions using the Janino library, support for such expressions has been removed. Users are offered the an online migration service or the element introduced in version 1.5.20. See the relevant documentation for more details.

• A bitwise identical binary of this version can be reproduced by building from source code at commit c1df7f522e648eec7b4ef6a12c8758fec0f00048 associated with the tag v_1.5.37. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.36

2026-06-25 Release of logback version 1.5.36

• The 'condition' attribute in <if> elements now reject certain references that are associated with ACE attacks. This issue was reported by "yulate" (yulate531@gmail.com.com) and registered as CVE-2026-13006.

• A bitwise identical binary of this version can be reproduced by building from source code at commit 9b94c37562bf25a6a944146701d42ee6c4eee888 associated with the tag v_1.5.36. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.35

026-06-23 Release of logback version 1.5.35

• The 'condition' attribute in <if> elements now rejects unicode escape sequences (\u and \U). This closes a bypass of the existing prohibition on the new operator in Janino-evaluated conditions. This issue was reported by IcySun (icysun@qq.com) and registered as CVE-2026-13006.

• Added ConfiguratorRank.AUTHENTICATING (rank 100), the highest configurator rank, for certified/authenticating configurators discovered via the ServiceLoader mechanism. ContextInitializer now requires that at most one such configurator exist on the classpath; if more than one is found, initialization aborts with an error.

• ConsoleCharsetPropertyDefiner is no longer shipped. The Java 21 multi-release compilation of logback-core has been disabled, which removes this class from the published artifact. Configurations that referenced ch.qos.logback.core.property.ConsoleCharsetPropertyDefiner will need an alternative approach for console charset detection.

• The logback-examples module is now included in artifacts published to Maven Central.

• JoranConfigurator.makeAnotherInstance() and DefaultJoranConfigurator.performMultiStepConfigurationFileSearch() are now protected, allowing derived configurators to override these methods.

• A bitwise identical binary of this version can be reproduced by building from source code at commit 08bd1598d565d83444f72983935e7da4746783b7 associated with the tag v_1.5.35. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.34

2026-06-01 Release of logback version 1.5.34

• In case certain StackTraceElement values returned by the Throwable.getStackTrace method are null, StackTraceElementProxy substitutes a dummy instance instead of throwing an IllegalArgumentException. This resolves [issues #1040](qos-ch/logback#1040), reported by Naotsugu Kobayashi.

• HardenedObjectInputStream will now throw an InvalidClassException during deserialization attempts of Proxy classes. This change addresses potential deserialization whitelist bypass vulnerability reported by York Shen and registered as CVE-2026-10532.

• A bitwise identical binary of this version can be reproduced by building from source code at commit e62272ac152469aec1ede056c3c7d0d7314e7bfe associated with the tag v_1.5.34. This release was built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.33

2026-05-27 Release of logback version 1.5.33

• PropertiesConfiguratorModelHandler now registers properties file URLs to the ConfigurationWatchList when scan is enabled (via local scan="true" attribute or top-level configuration scan), ensuring changes are detected and reconfiguration occurs. This problem was reported in issues/1034.

• When processing <conversionRule> elements and both class and converterClass attributes are specified, silently use the class attribute without issuing a warning. However, if the attribute values differ, a warning will be issued. This change was requested in issues/1031.

• HardenedModelInputStream will no longer accept to deserialize all classes located under the "java.lang" and "java.util" packages but a limited number of explicitly authorized classes in those packages. This potential deserialization whitelist bypass vulnerability was reported by York Shen and registered as CVE-2026-9828.

• SSL parameters for SSLSocketAppender now enable hostname verification by default. Moreover, the default protocol is now "TLSv1.2". This potential vulnerability was reported by York Shen.

• When printing the status message field, ViewStatusMessagesServletBase now escapes special characters such as "&" as character entities. This potential vulnerability was reported by York Shen.

... (truncated)

Commits

• c1df7f5 prepare release 1.5.37
• a189967 remove conditional based on janino
• aaa9052 start work on 1.5.37-SNAPSHOT
• 9b94c37 prepare release 1.5.36
• e6a8280 prevent attacks using disallowed references
• 24c4b63 start work on 1.5.36-SNAPSHOT
• 08bd159 preapre release 1.5.35
• 37d256b indentation changes only
• d3d7307 minor comment
• fa0411a radomize file location
• Additional commits viewable in compare view

Updates com.github.jnr:jffi from 1.3.15 to 1.4.0

Commits

• 3a2aa58 Bump the major minor for new Maven structure before release
• 3da7efb Add bare relativePath to always resolve parent
• 4621e14 Update version for release
• 2b02140 Merge pull request #195 from headius/jnr-parent
• ea18e48 Remove snapshot repository inherited from parent
• f761f8d Update to release version of parent
• 5c1077e Install prerequisites to compile tests on macOS
• 2a8b56a Tweaks for toolchain use in jffi
• 86a1774 Disable fail-fast
• 45269c3 Update for toolchain and parent defaults
• Additional commits viewable in compare view

Updates io.grpc:grpc-core from 1.81.0 to 1.82.1

Release notes

Sourced from io.grpc:grpc-core's releases.

v1.82.1

• protoc-gen-grpc-java: Fix missing osx-x86_64 binary (grpc/grpc-java#12878). This fixes a regression in v1.82.0

v1.82.0

This release drops support for Bazel 7. It may still run, but we are no longer testing it. We are testing Bazel 8 and 9.

We are anticipating requiring Netty 4.2 in the next release. Please file an issue if you still need Netty 4.1 support.

Behavior Changes

• xds: Disable Priority LB child policy retention cache (#12806). Previously, when a priority became inactive, its associated child load balancer was kept in a deactivated state for potential reuse. Now, inactive child balancers are immediately torn down and removed.
• xds: skip DiscoveryRequest for unsubscribed types on stream ready (#12782). When the bootstrap declares more than one xDS server (e.g. a default server for LDS/CDS plus an authority-specific EDS-only server), grpc-java was sending CDS/LDS DiscoveryRequests to the EDS-only server too. That server replies UNIMPLEMENTED, which tears down the stream and EDS data never arrives. This fix makes it skip DiscoveryRequests for resource types we don't actually subscribe to on a given server.

Improvements

• Remove JSR-305 @ThreadSafe annotation and replace with JavaDoc (#12762). Removes JSR-305 annotations but instead of replacing it with ErrorProne's ThreadSafe, sticks to adding a JavaDoc comment. This is done only in public non-final classes and interfaces. This allows Java applications that have moved away from javax to compile and avoids a bug in Immutables and Lombok (and possibly other annotation processors) from failing when JSR-305 is not present.
• core: Reduce per-stream idle memory on the server by 0.5 KB (b38df6c94). The main improvement here is not retaining the request Metadata for the life of the RPC. That means RPCs with larger request Metadata would see a larger benefit.
• core: Clarify missing content-type on HTTP error responses (#12720). Adjusts the diagnostic for the missing rather than invalid content-type, in the Status description.
• core: throw IOException when ProxySelector returns null or empty list (#12793). ProxySelector.select(URI) is required to return a non-null, non-empty list. Some implementations violate this, which previously caused an opaque crash in ProxyDetectorImpl. Now it detects this case explicitly and fails gracefully, naming the offending ProxySelector class to help with debugging.
• okhttp: enable TLS 1.3 by default for Android clients, retain TLS 1.2-only for desktop JVM (f43013161)
• xds: Reduce per-endpoint memory from CDS LB (cc0d1a810). This is most noticeable when there are many endpoints returned by EDS, but the LB policy only uses a few of them, like pick_first.
• xds: pre-parse custom metric names in WRR load balancer (#12773) (324fce715). This reduces the per-RPC overhead of the gRFC A114 support added in v1.81.0
• xds: Propagate status cause through XdsDepManager (13b4b9727). This preserves more information for failures communicating with the control plane.
• binder: Give clear error when message is larger than parcel (d92ca44a1)

Bug Fixes

• xds: Trust Manager fix for certain scenarios where SAN validation shouldn't use the SNI sent (#12775) (bb153a83f).
• core: Cancel DelayedClientCall when application listener throws (#12761). Align DelayedClientCall.DelayedListener with ClientCallImpl's existing behavior for listener exceptions. When the application listener throws from onHeaders/onMessage/onReady, catch the Throwable, cancel the call with CANCELLED (cause = the throwable), and swallow subsequent callbacks. Previously, a throw from the application listener escaped to the callExecutor's uncaught-exception handler. The real call was not cancelled and the transport kept delivering callbacks to an already broken listener
• core,opentelemetry: Fix server metric labels on early close (#12774). Addresses the server-side OpenTelemetry metric labeling bug where a generated method can be recorded as grpc.method="other" if streamClosed() happens before serverCallStarted().
• core: Fix pick_first NPE with GRPC_EXPERIMENTAL_ENABLE_NEW_PICK_FIRST=true when accepting resolved addresses and in CONNECTING state (#12814). It makes sure that whenever PickFirstLeafLoadBalancer transitions into CONNECTING the current address in the addressIndex has a corresponding subchannel. This prevents an NPE in acceptResolvedAddresses in some situations.
• okhttp: HPACK should fail on varint overflow (ec1099254). This should have no visible impact in normal use. It mostly just makes it easier to debug broken implementations
• xds: When using the file watcher certificate provider, reload cert/key even if only one of them changes (f4125c591)
• compiler: Avoid compile error on weird proto file names (f021befcd)

New Features

• googleapis: support ?force-xds query parameter in the google-c2p resolver (#12760) (86fa86063). This disables environment checks and uses xDS unconditionally. Please note that this feature has not yet seen comprehensive testing.

Dependencies

• Upgrade Netty to 4.1.133 (ada087b9d)
• bazel: Upgrade googleapis proto repo to commit 1dbb1a14 (ec0a9c976). This fixed a rules_go incompatibility issue with Bazel 9.1. But it also greatly reduced the overall transitive dependencies, as the C++ grpc repo is no longer a dependency
• bazel: Upgrade workflows to Bazel 8 (039ad7779) add Bazel 9.1.0 to our CI matrix (17be0d3d1)
• protoc-gen-grpc-java: Linux binaries are now built with Ubuntu 20.04 instead of 18.04 (8802dc35b5, da98b04b09)

Thanks to

@​becomeStar
@​bengtsson1-flir

... (truncated)

Commits

• 7b5e9ff Bump version to 1.82.1
• 20768f1 Update README etc to reference 1.82.1
• 5ab5eba kokoro: Remove extra / in architecture replacement
• 6726caf buildscripts: add regional td config for psm-interop (v1.82.x backport) (#12864)
• 022256f Bump version to 1.82.1-SNAPSHOT
• 78fb519 Bump version to 1.82.0
• b62b0fc Update README etc to reference 1.82.0
• 8802dc3 build: downgrade multiarch to Ubuntu 20.04 and consolidate images (#12830)
• be300bd kokoro: Avoid brew on Mac OS
• 4111f6f core: throw IOException when ProxySelector returns null or empty list (#12793)
• Additional commits viewable in compare view

Updates io.grpc:grpc-netty-shaded from 1.81.0 to 1.82.1

Release notes

Sourced from io.grpc:grpc-netty-shaded's releases.

v1.82.1

• protoc-gen-grpc-java: Fix missing osx-x86_64 binary (grpc/grpc-java#12878). This fixes a regression in v1.82.0

v1.82.0

This release drops support for Bazel 7. It may still run, but we are no longer testing it. We are testing Bazel 8 and 9.

We are anticipating requiring Netty 4.2 in the next release. Please file an issue if you still need Netty 4.1 support.

Behavior Changes

• xds: Disable Priority LB child policy retention cache (#12806). Previously, when a priority became inactive, its associated child load balancer was kept in a deactivated state for potential reuse. Now, inactive child balancers are immediately torn down and removed.
• xds: skip DiscoveryRequest for unsubscribed types on stream ready (#12782). When the bootstrap declares more than one xDS server (e.g. a default server for LDS/CDS plus an authority-specific EDS-only server), grpc-java was sending CDS/LDS DiscoveryRequests to the EDS-only server too. That server replies UNIMPLEMENTED, which tears down the stream and EDS data never arrives. This fix makes it skip DiscoveryRequests for resource types we don't actually subscribe to on a given server.

Improvements

• Remove JSR-305 @ThreadSafe annotation and replace with JavaDoc (#12762). Removes JSR-305 annotations but instead of replacing it with ErrorProne's ThreadSafe, sticks to adding a JavaDoc comment. This is done only in public non-final classes and interfaces. This allows Java applications that have moved away from javax to compile and avoids a bug in Immutables and Lombok (and possibly other annotation processors) from failing when JSR-305 is not present.
• core: Reduce per-stream idle memory on the server by 0.5 KB (b38df6c94). The main improvement here is not retaining the request Metadata for the life of the RPC. That means RPCs with larger request Metadata would see a larger benefit.
• core: Clarify missing content-type on HTTP error responses (#12720). Adjusts the diagnostic...

  Description has been truncated