From 998f15c18c5b19f2f065617e2852cc159d792a0a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 27 Jan 2025 01:38:47 +0530 Subject: [PATCH 01/32] Bump com.uber.nullaway:nullaway from 0.12.1 to 0.12.3 (#2055) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [com.uber.nullaway:nullaway](https://github.com/uber/NullAway) from 0.12.1 to 0.12.3.
Release notes

Sourced from com.uber.nullaway:nullaway's releases.

NullAway 0.12.3

NullAway 0.12.2

Changelog

Sourced from com.uber.nullaway:nullaway's changelog.

Version 0.12.3

Version 0.12.2

Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.uber.nullaway:nullaway&package-manager=maven&previous-version=0.12.1&new-version=0.12.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index c01de9918..8a442dd59 100644 --- a/pom.xml +++ b/pom.xml @@ -327,7 +327,7 @@ com.uber.nullaway nullaway - 0.12.1 + 0.12.3 From f75dfbe8c2c7d20743dd98707d21eafeed48525e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 27 Jan 2025 01:39:01 +0530 Subject: [PATCH 02/32] Bump ch.qos.logback:logback-classic from 1.5.12 to 1.5.16 (#2054) Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.12 to 1.5.16.
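Review bot: PATCH 01/32, pom.xml hunk at line 327: the change from `0.12.1` to `0.12.3` crosses two NullAway releases (0.12.2 and 0.12.3), and the release-notes and changelog headings in the commit message carry no text, so nothing here shows what the checker now reports differently. Please link or paste the notes for both releases in the PR and confirm the build still passes with the new version, since a nullness-checker upgrade can raise diagnostics on code this patch does not touch.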
Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=ch.qos.logback:logback-classic&package-manager=maven&previous-version=1.5.12&new-version=1.5.16)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 8a442dd59..8dfad9c98 100644 --- a/pom.xml +++ b/pom.xml @@ -51,7 +51,7 @@ 2.0.16 1.5.6-8 2.0.1 - 1.5.12 + 1.5.16 26.0.1 From bf63baf04ca17e2a94adb356bcc42f2acbc51847 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 27 Jan 2025 01:39:14 +0530 Subject: [PATCH 03/32] Bump org.junit:junit-bom from 5.11.3 to 5.11.4 (#2046) Bumps [org.junit:junit-bom](https://github.com/junit-team/junit5) from 5.11.3 to 5.11.4.
Release notes

Sourced from org.junit:junit-bom's releases.

JUnit 5.11.4 = Platform 1.11.4 + Jupiter 5.11.4 + Vintage 5.11.4

See Release Notes.

Full Changelog: https://github.com/junit-team/junit5/compare/r5.11.3...r5.11.4

Commits
  • 6430ba4 Release 5.11.4
  • d093121 Finalize 5.11.4 release notes
  • 0444353 Fix Maven integration tests on JDK 24
  • b5c7f4e Move #4153 to 5.11.4 release notes
  • b20c4e2 Ensure the XMLStreamWriter is closed after use
  • 6376f0a Configure Git username and email
  • 2b485c4 Set reference repo URI
  • 500b5a0 Inject username and password via new DSL
  • d671961 Update plugin gitPublish to v5
  • 3d11279 Add JAVA_25 to JRE enum
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.junit:junit-bom&package-manager=maven&previous-version=5.11.3&new-version=5.11.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) You can trigger a rebase of this PR by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
> **Note** > Automatic rebases have been disabled on this pull request as it has been open for over 30 days. Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 8dfad9c98..c83b5794a 100644 --- a/pom.xml +++ b/pom.xml @@ -105,7 +105,7 @@ org.junit junit-bom - 5.11.3 + 5.11.4 pom import From 86c2176dfb8cb93f246ff8a134906afac6982d74 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 2 Feb 2025 03:54:12 +0530 Subject: [PATCH 04/32] Bump org.jetbrains:annotations from 26.0.1 to 26.0.2 (#2058) Bumps [org.jetbrains:annotations](https://github.com/JetBrains/java-annotations) from 26.0.1 to 26.0.2.
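Review bot: PATCH 03/32, pom.xml hunk at line 105: the `junit-bom` version is a literal inside the BOM import entry (`pom` / `import`), whereas the logback, annotations, zstd-jni and netty bumps in this series change values in the shared version block around lines 45-52. Consider moving this version into a property in that block so every dependency version is reviewed in one place.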
Release notes

Sourced from org.jetbrains:annotations's releases.

26.0.2

  • Fixed missing klibs for apple artifacts.
Changelog

Sourced from org.jetbrains:annotations's changelog.

Version 26.0.2

  • Fixed missing klibs for apple artifacts.
Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.jetbrains:annotations&package-manager=maven&previous-version=26.0.1&new-version=26.0.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index c83b5794a..52d768182 100644 --- a/pom.xml +++ b/pom.xml @@ -52,7 +52,7 @@ 1.5.6-8 2.0.1 1.5.16 - 26.0.1 + 26.0.2 From 390c26b0890ca381b8865295801156e8e945ca98 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 2 Feb 2025 03:54:19 +0530 Subject: [PATCH 05/32] Bump com.github.luben:zstd-jni from 1.5.6-8 to 1.5.6-9 (#2057) Bumps [com.github.luben:zstd-jni](https://github.com/luben/zstd-jni) from 1.5.6-8 to 1.5.6-9.
Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.github.luben:zstd-jni&package-manager=maven&previous-version=1.5.6-8&new-version=1.5.6-9)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 52d768182..71240c309 100644 --- a/pom.xml +++ b/pom.xml @@ -49,7 +49,7 @@ 0.0.26.Final 1.18.0 2.0.16 - 1.5.6-8 + 1.5.6-9 2.0.1 1.5.16 26.0.2 From eef8d9374b411d2bf0f42bf6452ee3b0333915c8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 2 Feb 2025 03:54:26 +0530 Subject: [PATCH 06/32] Bump netty.version from 4.1.116.Final to 4.1.117.Final (#2056) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [//]: # (dependabot-start) ⚠️ **Dependabot is rebasing this PR** ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps `netty.version` from 4.1.116.Final to 4.1.117.Final. Updates `io.netty:netty-buffer` from 4.1.116.Final to 4.1.117.Final
Commits
  • 3b03648 [maven-release-plugin] prepare release netty-4.1.117.Final
  • 28a81c6 Update java versions (#14660)
  • 1bd459a Correcly handle comments appended to nameserver declarations (#14658)
  • ad00d19 Add configure to be able to use perf / intellij profiler within devco… (#14661)
  • cd3dfe9 Update maven to 3.9.9 (#14654)
  • 4d1f98d Adaptive: Only use ThreadLocal if called from FastThreadLocalThread i… (#14656)
  • 01e14bc Provides Brotli settings without com.aayushatharva.brotli4j dependency (#14...
  • d5bad42 OpenSslSession: Add support to defensively check for peer certs (#14641)
  • b8e25e0 SslHandler: Ensure buffers are never leaked when wrap(...) produce SS… (#14647)
  • 9f0b38b Reentrant close in EmbeddedChannel (#14642)
  • Additional commits viewable in compare view

Updates `io.netty:netty-codec-http` from 4.1.116.Final to 4.1.117.Final

Updates `io.netty:netty-codec` from 4.1.116.Final to 4.1.117.Final

Updates `io.netty:netty-codec-socks` from 4.1.116.Final to 4.1.117.Final

Updates `io.netty:netty-handler-proxy` from 4.1.116.Final to 4.1.117.Final

Updates `io.netty:netty-common` from 4.1.116.Final to 4.1.117.Final

Updates `io.netty:netty-transport` from 4.1.116.Final to 4.1.117.Final

Updates `io.netty:netty-handler` from 4.1.116.Final to 4.1.117.Final

Updates `io.netty:netty-resolver-dns` from 4.1.116.Final to 4.1.117.Final

Updates `io.netty:netty-transport-native-epoll` from 4.1.116.Final to 4.1.117.Final

Updates `io.netty:netty-transport-native-kqueue` from 4.1.116.Final to 4.1.117.Final

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 71240c309..9dfe832a7 100644 --- a/pom.xml +++ b/pom.xml @@ -45,7 +45,7 @@ 11 UTF-8 - 4.1.116.Final + 4.1.117.Final 0.0.26.Final 1.18.0 2.0.16 From a4a3746b6461181221513870dded579cb041e4bc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 14 Feb 2025 03:23:19 +0530 Subject: [PATCH 07/32] Bump netty.version from 4.1.117.Final to 4.1.118.Final (#2060) Bumps `netty.version` from 4.1.117.Final to 4.1.118.Final. Updates `io.netty:netty-buffer` from 4.1.117.Final to 4.1.118.Final
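Review bot: PATCH 06/32, pom.xml hunk at line 45: this one-line change to `netty.version` moves eleven `io.netty` artifacts at once, while the context line directly below it (`0.0.26.Final`) stays as it was. If that value versions a Netty-family artifact, confirm it is supported with 4.1.117.Final, and since the listed commits touch `SslHandler` and `OpenSslSession`, make sure the TLS paths are exercised by the CI run before merge.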
Commits
  • 36f95cf [maven-release-plugin] prepare release netty-4.1.118.Final
  • 87f4072 Merge commit from fork
  • d1fbda6 Merge commit from fork
  • f844d78 Upgrade netty-tcnative to 2.0.70.Final (#14790)
  • 8afb5d9 Only run 2 jobs with leak detection to minimize build times (#14784)
  • f2c27da AdaptivePoolingAllocator: Round chunk sizes up to MIN_CHUNK_SIZE units and re...
  • 8d387ff Change the default AdaptiveRecvByteBufAllocator buffer size values' visibilit...
  • 1cfd3a6 Fix possible buffer leak when stream can't be mapped (#14746)
  • 8f9eadb Fix AccessControlException in GlobalEventExecutor (#14743)
  • 6fcd3e6 KQueueEventLoop leaks memory on shutdown. (#14745)
  • Additional commits viewable in compare view

Updates `io.netty:netty-codec-http` from 4.1.117.Final to 4.1.118.Final

Updates `io.netty:netty-codec` from 4.1.117.Final to 4.1.118.Final

Updates `io.netty:netty-codec-socks` from 4.1.117.Final to 4.1.118.Final

Updates `io.netty:netty-handler-proxy` from 4.1.117.Final to 4.1.118.Final

Updates `io.netty:netty-common` from 4.1.117.Final to 4.1.118.Final

Updates `io.netty:netty-transport` from 4.1.117.Final to 4.1.118.Final

Updates `io.netty:netty-handler` from 4.1.117.Final to 4.1.118.Final

Updates `io.netty:netty-resolver-dns` from 4.1.117.Final to 4.1.118.Final

Updates `io.netty:netty-transport-native-epoll` from 4.1.117.Final to 4.1.118.Final

Updates `io.netty:netty-transport-native-kqueue` from 4.1.117.Final to 4.1.118.Final

Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 9dfe832a7..68d95dc04 100644 --- a/pom.xml +++ b/pom.xml @@ -45,7 +45,7 @@ 11 UTF-8 - 4.1.117.Final + 4.1.118.Final 0.0.26.Final 1.18.0 2.0.16 From 6fa2efd3f9af636bf192a452698044a9829cf8ef Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 14 Feb 2025 03:23:35 +0530 Subject: [PATCH 08/32] Bump org.apache.tomcat.embed:tomcat-embed-core from 10.1.34 to 10.1.35 (#2061) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [//]: # (dependabot-start) ⚠️ **Dependabot is rebasing this PR** ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps org.apache.tomcat.embed:tomcat-embed-core from 10.1.34 to 10.1.35.
Most Recent Ignore Conditions Applied to This Pull Request

| Dependency Name | Ignore Conditions |
| --- | --- |
| org.apache.tomcat.embed:tomcat-embed-core | [>= 11.a0, < 12] |
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- client/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/pom.xml b/client/pom.xml index b2e551d5a..f035ac57c 100644 --- a/client/pom.xml +++ b/client/pom.xml @@ -31,7 +31,7 @@ org.asynchttpclient.client 11.0.24 - 10.1.34 + 10.1.35 2.18.0 4.11.0 3.0 From 6c2cc553201581eb5a0ec348f67b064ae32c770f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 14 Feb 2025 03:23:45 +0530 Subject: [PATCH 09/32] Bump io.github.nettyplus:netty-leak-detector-junit-extension from 0.0.5 to 0.0.6 (#2062) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [//]: # (dependabot-start) ⚠️ **Dependabot is rebasing this PR** ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps [io.github.nettyplus:netty-leak-detector-junit-extension](https://github.com/nettyplus/netty-leak-detector-junit-extension) from 0.0.5 to 0.0.6.
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 68d95dc04..8ea2684ca 100644 --- a/pom.xml +++ b/pom.xml @@ -112,7 +112,7 @@ io.github.nettyplus netty-leak-detector-junit-extension - 0.0.5 + 0.0.6 From 3972890fbb63ae96faafc7e1892416915b619fd6 Mon Sep 17 00:00:00 2001 From: sullis Date: Thu, 13 Feb 2025 14:05:52 -0800 Subject: [PATCH 10/32] netty leak detector 0.0.6 (#2059) Co-authored-by: Aayush Atharva From 11a15c388a930515eefc93f03fd0997200481b7d Mon Sep 17 00:00:00 2001 From: sullis Date: Sat, 15 Feb 2025 21:34:21 -0800 Subject: [PATCH 11/32] enable leak detection in AutomaticDecompressionTest (#2064) use Netty Leak Detector JUnit extension in AutomaticDecompressionTest ``` https://github.com/nettyplus/netty-leak-detector-junit-extension ``` --- .../java/org/asynchttpclient/AutomaticDecompressionTest.java | 3 +++ 1 file changed, 3 insertions(+) diff --git a/client/src/test/java/org/asynchttpclient/AutomaticDecompressionTest.java b/client/src/test/java/org/asynchttpclient/AutomaticDecompressionTest.java index dfd0a9446..0f9843af1 100644 --- a/client/src/test/java/org/asynchttpclient/AutomaticDecompressionTest.java +++ b/client/src/test/java/org/asynchttpclient/AutomaticDecompressionTest.java @@ -22,6 +22,7 @@ import com.sun.net.httpserver.HttpExchange; import com.sun.net.httpserver.HttpHandler; import com.sun.net.httpserver.HttpServer; +import io.github.nettyplus.leakdetector.junit.NettyLeakDetectorExtension; import io.netty.handler.codec.compression.Brotli; import org.junit.jupiter.api.AfterAll; import org.junit.jupiter.api.BeforeAll; 
@@ -35,9 +36,11 @@ import java.util.List; import java.util.stream.Collectors; import java.util.zip.GZIPOutputStream; +import org.junit.jupiter.api.extension.ExtendWith; import static org.junit.jupiter.api.Assertions.assertEquals; +@ExtendWith(NettyLeakDetectorExtension.class) public class AutomaticDecompressionTest { private static final String UNCOMPRESSED_PAYLOAD = "a".repeat(500); From 182ab1b36b603eeebe85ee05da269f18c710278b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 16 Feb 2025 11:04:37 +0530 Subject: [PATCH 12/32] Bump com.github.luben:zstd-jni from 1.5.6-9 to 1.5.6-10 (#2063) Bumps [com.github.luben:zstd-jni](https://github.com/luben/zstd-jni) from 1.5.6-9 to 1.5.6-10.
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 8ea2684ca..18c754452 100644 --- a/pom.xml +++ b/pom.xml @@ -49,7 +49,7 @@ 0.0.26.Final 1.18.0 2.0.16 - 1.5.6-9 + 1.5.6-10 2.0.1 1.5.16 26.0.2 From 600520c9810052c1c80925ed6041795a48e22a18 Mon Sep 17 00:00:00 2001 From: sullis Date: Mon, 17 Feb 2025 08:58:39 -0800 Subject: [PATCH 13/32] use larger payload in AutomaticDecompressionTest (#2065) --- .../java/org/asynchttpclient/AutomaticDecompressionTest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/src/test/java/org/asynchttpclient/AutomaticDecompressionTest.java b/client/src/test/java/org/asynchttpclient/AutomaticDecompressionTest.java index 0f9843af1..8f57ffb88 100644 --- a/client/src/test/java/org/asynchttpclient/AutomaticDecompressionTest.java +++ b/client/src/test/java/org/asynchttpclient/AutomaticDecompressionTest.java @@ -42,7 +42,7 @@ @ExtendWith(NettyLeakDetectorExtension.class) public class AutomaticDecompressionTest { - private static final String UNCOMPRESSED_PAYLOAD = "a".repeat(500); + private static final String UNCOMPRESSED_PAYLOAD = "a".repeat(50_000); private static HttpServer HTTP_SERVER; From f19415223262b3333212652aeae47040dc006919 Mon Sep 17 00:00:00 2001 
From: Jason Joo
Date: Mon, 10 Mar 2025 03:09:46 +0800
Subject: [PATCH 14/32] fix: inappropriate connection reuse when using HTTP proxy if the initial CONNECT failed (#2072)

# What This MR Resolves

A CONNECT request needs to be sent to the HTTP proxy first, before the actual client request, to establish the tunnel on the proxy. A `HTTP/1.1 200 Connection established` is expected for the initial CONNECT request. Only when the CONNECT is successful does the client continue sending the actual request through the "tunnel". And when the CONNECT fails, the connection remains in the initial state `unconnected`.

A CONNECT can fail under, but not limited to, the following situations:

- The destination is not whitelisted.
- The dest domain can't be resolved (timeout/SERVFAIL/NX/etc.).
- The dest IP can't be connected (timeout/unreachable/etc.).

There could be the following 2 strategies to deal with CONNECT failures on the client side:

1. Close the connection before returning to the caller.
2. Mark this connection "unconnected" and put it into the pool. Then retry the CONNECT next time it's picked out of the pool.

The 2nd one needs to add extra state to Channel in the manager, which brings a bigger change to the code. This MR employs the 1st strategy to resolve it.

The issue is described in #2071.

# Readings

The CONNECT is documented in `Section 5.3` in RFC2871: https://www.ietf.org/rfc/rfc2817.txt

The proxy won't actively terminate the connection if the CONNECT failed if keep-alive is enabled, unless the tunnel is established and there are any communication failures in the middle. Therefore the client needs to deal with this error on its own.

Signed-off-by: Jason Joo
---
 .../netty/handler/HttpHandler.java | 11 +++--
 .../asynchttpclient/proxy/HttpsProxyTest.java | 45 ++++++++++++++++++-
 2 files changed, 52 insertions(+), 4 deletions(-)
diff --git a/client/src/main/java/org/asynchttpclient/netty/handler/HttpHandler.java b/client/src/main/java/org/asynchttpclient/netty/handler/HttpHandler.java index 06ec46a2b..99a23c7e9 100755 --- a/client/src/main/java/org/asynchttpclient/netty/handler/HttpHandler.java +++ b/client/src/main/java/org/asynchttpclient/netty/handler/HttpHandler.java @@ -21,6 +21,7 @@ import io.netty.handler.codec.DecoderResultProvider; import io.netty.handler.codec.http.HttpContent; import io.netty.handler.codec.http.HttpHeaders; +import io.netty.handler.codec.http.HttpMethod; import io.netty.handler.codec.http.HttpRequest; import io.netty.handler.codec.http.HttpResponse; import io.netty.handler.codec.http.LastHttpContent; @@ -32,6 +33,7 @@ import org.asynchttpclient.netty.NettyResponseStatus; import org.asynchttpclient.netty.channel.ChannelManager; import org.asynchttpclient.netty.request.NettyRequestSender; +import org.asynchttpclient.util.HttpConstants.ResponseStatusCodes; import java.io.IOException; import java.net.InetSocketAddress; 
@@ -43,8 +45,11 @@ public HttpHandler(AsyncHttpClientConfig config, ChannelManager channelManager, super(config, channelManager, requestSender); } - private static boolean abortAfterHandlingStatus(AsyncHandler handler, NettyResponseStatus status) throws Exception { - return handler.onStatusReceived(status) == State.ABORT; + private static boolean abortAfterHandlingStatus(AsyncHandler handler, HttpMethod httpMethod, NettyResponseStatus status) throws Exception { + // For non-200 response of a CONNECT request, it's still unconnected. + // We need to either close the connection or reuse it but send CONNECT request again. + // The former one is easier or we have to attach more state to Channel. + return handler.onStatusReceived(status) == State.ABORT || httpMethod == HttpMethod.CONNECT && status.getStatusCode() != ResponseStatusCodes.OK_200; } private static boolean abortAfterHandlingHeaders(AsyncHandler handler, HttpHeaders responseHeaders) throws Exception { @@ -61,7 +66,7 @@ private void handleHttpResponse(final HttpResponse response, final Channel chann HttpHeaders responseHeaders = response.headers(); if (!interceptors.exitAfterIntercept(channel, future, handler, response, status, responseHeaders)) { - boolean abort = abortAfterHandlingStatus(handler, status) || abortAfterHandlingHeaders(handler, responseHeaders); + boolean abort = abortAfterHandlingStatus(handler, httpRequest.method(), status) || abortAfterHandlingHeaders(handler, responseHeaders); if (abort) { finishUpdate(future, channel, true); } diff --git a/client/src/test/java/org/asynchttpclient/proxy/HttpsProxyTest.java b/client/src/test/java/org/asynchttpclient/proxy/HttpsProxyTest.java index 6c4109aec..011f15d78 100644 --- a/client/src/test/java/org/asynchttpclient/proxy/HttpsProxyTest.java +++ b/client/src/test/java/org/asynchttpclient/proxy/HttpsProxyTest.java 
@@ -13,14 +13,21 @@ package org.asynchttpclient.proxy; import io.github.artsok.RepeatedIfExceptionsTest; +import jakarta.servlet.ServletException; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; + import org.asynchttpclient.AbstractBasicTest; import org.asynchttpclient.AsyncHttpClient; import org.asynchttpclient.AsyncHttpClientConfig; import org.asynchttpclient.RequestBuilder; import org.asynchttpclient.Response; +import org.asynchttpclient.proxy.ProxyServer.Builder; import org.asynchttpclient.request.body.generator.ByteArrayBodyGenerator; import org.asynchttpclient.test.EchoHandler; +import org.asynchttpclient.util.HttpConstants; import org.eclipse.jetty.proxy.ConnectHandler; +import org.eclipse.jetty.server.Request; import org.eclipse.jetty.server.Server; import org.eclipse.jetty.server.ServerConnector; import org.eclipse.jetty.server.handler.AbstractHandler; @@ -37,6 +44,8 @@ import static org.asynchttpclient.test.TestUtils.addHttpsConnector; import static org.junit.jupiter.api.Assertions.assertEquals; +import java.io.IOException; + /** * Proxy usage tests. */ @@ -46,7 +55,7 @@ public class HttpsProxyTest extends AbstractBasicTest { @Override public AbstractHandler configureHandler() throws Exception { - return new ConnectHandler(); + return new ProxyHandler(); } @Override 
@@ -142,4 +151,38 @@ public void testPooledConnectionsWithProxy() throws Exception { assertEquals(200, response2.getStatusCode()); } } + + @RepeatedIfExceptionsTest(repeats = 5) + public void testFailedConnectWithProxy() throws Exception { + try (AsyncHttpClient asyncHttpClient = asyncHttpClient(config().setFollowRedirect(true).setUseInsecureTrustManager(true).setKeepAlive(true))) { + Builder proxyServer = proxyServer("localhost", port1); + proxyServer.setCustomHeaders(r -> r.getHeaders().add(ProxyHandler.HEADER_FORBIDDEN, "1")); + RequestBuilder rb = get(getTargetUrl2()).setProxyServer(proxyServer); + + Response response1 = asyncHttpClient.executeRequest(rb.build()).get(); + assertEquals(403, response1.getStatusCode()); + + Response response2 = asyncHttpClient.executeRequest(rb.build()).get(); + assertEquals(403, response2.getStatusCode()); + + Response response3 = asyncHttpClient.executeRequest(rb.build()).get(); + assertEquals(403, response3.getStatusCode()); + } + } + + public static class ProxyHandler extends ConnectHandler { + final static String HEADER_FORBIDDEN = "X-REJECT-REQUEST"; + + @Override + public void handle(String s, Request r, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { + if (HttpConstants.Methods.CONNECT.equalsIgnoreCase(request.getMethod())) { + if (request.getHeader(HEADER_FORBIDDEN) != null) { + response.setStatus(HttpServletResponse.SC_FORBIDDEN); + r.setHandled(true); + return; + } + } + super.handle(s, r, request, response); + } + } } From c06dcab48c85bb84f071124a97898d56130dbcc6 Mon Sep 17 00:00:00 2001 
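Review bot: in `abortAfterHandlingStatus` (HttpHandler.java, PATCH 14/32) the new CONNECT clause treats every status other than `ResponseStatusCodes.OK_200` as a failed tunnel, while RFC 9110 section 9.3.6 defines any 2xx response to CONNECT as success, so a range check on `status.getStatusCode()` would match the protocol more closely than `!= OK_200`. The return expression also depends on `&&` binding tighter than `||` and compares `httpMethod == HttpMethod.CONNECT` by reference; putting the CONNECT clause in its own parentheses and using `HttpMethod.CONNECT.equals(httpMethod)` would make the intent explicit and keep the check correct for a method instance that is not the shared constant. Since this check only runs when `interceptors.exitAfterIntercept(...)` returns false, a one-line comment saying which CONNECT responses are expected to reach it would help the next reader.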
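Review bot: `testFailedConnectWithProxy` (HttpsProxyTest.java, PATCH 14/32) sends the rejected request three times and asserts 403 each time, but never checks that the same client can still establish a tunnel afterwards; following the failures with a request that omits the `X-REJECT-REQUEST` header and asserting 200 would cover the recovery path on a keep-alive client. Two style points in the same hunk and its imports: `final static String HEADER_FORBIDDEN` is conventionally written `static final`, and `import java.io.IOException;` is added below the static imports instead of alongside the other regular imports.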
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Mar 2025 00:40:16 +0530 Subject: [PATCH 15/32] Bump org.apache.maven.plugins:maven-compiler-plugin from 3.13.0 to 3.14.0 (#2069) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [org.apache.maven.plugins:maven-compiler-plugin](https://github.com/apache/maven-compiler-plugin) from 3.13.0 to 3.14.0.
Release notes

Sourced from org.apache.maven.plugins:maven-compiler-plugin's releases.

3.14.0

🚀 New features and improvements

🐛 Bug Fixes

📦 Dependency updates

👻 Maintenance

🔧 Build

Commits
  • b5e7d9b [maven-release-plugin] prepare release maven-compiler-plugin-3.14.0
  • 9134f12 Enable GitHub Issues
  • 19b8b12 Update scm tag according to branch
  • 09dce4e [MCOMPILER-579] allow module-version configuration (#273)
  • f7c3c5f Bump org.codehaus.plexus:plexus-java from 1.2.0 to 1.4.0
  • 764a54b [MNGSITE-529] Rename "Goals" to "Plugin Documentation"
  • cfacbc1 PR Automation only on close event
  • 5c26bba Use JUnit version from parent
  • 5449407 [MCOMPILER-529] Update docs about version schema (Maven 3)
  • 01d5b88 Bump mavenVersion from 3.6.3 to 3.9.9 (#283)
  • Additional commits viewable in compare view

Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 18c754452..6393a3ac5 100644 --- a/pom.xml +++ b/pom.xml @@ -293,7 +293,7 @@ org.apache.maven.plugins maven-compiler-plugin - 3.13.0 + 3.14.0 11 11 From 8f314527ffa7fa091f8cb115f7012ae01b9cc7f5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Mar 2025 00:40:29 +0530 Subject: [PATCH 16/32] Bump com.github.luben:zstd-jni from 1.5.6-10 to 1.5.7-1 (#2067) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [//]: # (dependabot-start) ⚠️ **Dependabot is rebasing this PR** ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps [com.github.luben:zstd-jni](https://github.com/luben/zstd-jni) from 1.5.6-10 to 1.5.7-1.
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 6393a3ac5..bc92eb92e 100644 --- a/pom.xml +++ b/pom.xml @@ -49,7 +49,7 @@ 0.0.26.Final 1.18.0 2.0.16 - 1.5.6-10 + 1.5.7-1 2.0.1 1.5.16 26.0.2 From 8189c92e5ab1e2a34d326cdc13d66de02b99ce67 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Mar 2025 00:40:43 +0530 Subject: [PATCH 17/32] Bump org.apache.tomcat.embed:tomcat-embed-core from 10.1.35 to 10.1.36 (#2066) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [//]: # (dependabot-start) ⚠️ **Dependabot is rebasing this PR** ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps org.apache.tomcat.embed:tomcat-embed-core from 10.1.35 to 10.1.36.
Most Recent Ignore Conditions Applied to This Pull Request

| Dependency Name | Ignore Conditions |
| --- | --- |
| org.apache.tomcat.embed:tomcat-embed-core | [>= 11.a0, < 12] |
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- client/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/pom.xml b/client/pom.xml index f035ac57c..826ee0db8 100644 --- a/client/pom.xml +++ b/client/pom.xml @@ -31,7 +31,7 @@ org.asynchttpclient.client 11.0.24 - 10.1.35 + 10.1.36 2.18.0 4.11.0 3.0
From a9a3a7eb5a1df87fb2a5b5fd23eeb7519435ab4a Mon Sep 17 00:00:00 2001
From: Jason Joo
Date: Sat, 15 Mar 2025 01:50:47 +0800
Subject: [PATCH 18/32] fix: send CONNECT first when recovering a HTTPS request (#2077)

# Issue description

AHC has a retry mechanism enabled with up to 5 attempts by default. But the initial CONNECT is omitted when recovering the HTTPS requests with IO exceptions. This MR fixes this issue and guarantees the proper workflow in retries.

It's related to #2071 and fixes a different failing case.

# How the issue is fixed

* For any new connections, make sure there is an initial CONNECT for WebSocket/HTTPS request.
* For the condition check that a CONNECT has been sent, make sure the connection the current future attaches is reusable/active.

# Unit test

IOException has various reasons but in the unit test, we emulate it by closing the connection after receiving the CONNECT request. The internal recovery process will retry another 4 times, and throw an IOException eventually.

Signed-off-by: Jason Joo
--- .../netty/request/NettyRequestSender.java | 29 +++++++++++++----- .../asynchttpclient/proxy/HttpsProxyTest.java | 30 +++++++++++++++++-- 2 files changed, 50 insertions(+), 9 deletions(-) diff --git a/client/src/main/java/org/asynchttpclient/netty/request/NettyRequestSender.java b/client/src/main/java/org/asynchttpclient/netty/request/NettyRequestSender.java index 9fff868b2..b66dd713d 100755 --- a/client/src/main/java/org/asynchttpclient/netty/request/NettyRequestSender.java +++ b/client/src/main/java/org/asynchttpclient/netty/request/NettyRequestSender.java
@@ -97,6 +97,13 @@ public NettyRequestSender(AsyncHttpClientConfig config, ChannelManager channelMa requestFactory = new NettyRequestFactory(config); } + // needConnect returns true if the request is secure/websocket and a HTTP proxy is set + private boolean needConnect(final Request request, final ProxyServer proxyServer) { + return proxyServer != null + && proxyServer.getProxyType().isHttp() + && (request.getUri().isSecured() || request.getUri().isWebSocket()); + } + public ListenableFuture sendRequest(final Request request, final AsyncHandler asyncHandler, NettyResponseFuture future) { if (isClosed()) { throw new IllegalStateException("Closed"); @@ -106,9 +113,7 @@ public ListenableFuture sendRequest(final Request request, final AsyncHan ProxyServer proxyServer = getProxyServer(config, request); // WebSockets use connect tunneling to work with proxies - if (proxyServer != null && proxyServer.getProxyType().isHttp() && - (request.getUri().isSecured() || request.getUri().isWebSocket()) && - !isConnectAlreadyDone(request, future)) { + if (needConnect(request, proxyServer) && !isConnectAlreadyDone(request, future)) { // Proxy with HTTPS or WebSocket: CONNECT for sure if (future != null && future.isConnectAllowed()) { // Perform CONNECT @@ -125,6 +130,8 @@ public ListenableFuture sendRequest(final Request request, final AsyncHan private static boolean isConnectAlreadyDone(Request request, NettyResponseFuture future) { return future != null + // If the channel can't be reused or closed, a CONNECT is still required + && future.isReuseChannel() && Channels.isChannelActive(future.channel()) && future.getNettyRequest() != null && future.getNettyRequest().getHttpRequest().method() == HttpMethod.CONNECT && !request.getMethod().equals(CONNECT); 
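Review bot: In isConnectAlreadyDone, the new comment "If the channel can't be reused or closed, a CONNECT is still required" is ambiguous, and the two added conditions change what the method answers: it now means "a CONNECT was sent on this future and that channel is still reusable and active", not just "a CONNECT was sent". Please reword the comment (for example "If the channel is not reusable or is no longer active, a CONNECT is still required") and add a short Javadoc stating that the result depends on channel liveness, since sendRequest relies on it to decide whether an HTTPS or WebSocket request may go out without a fresh CONNECT. It is also worth confirming that Channels.isChannelActive tolerates a null future.channel(), because the visible lines show no null check before that call.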
@@ -137,11 +144,19 @@ private static boolean isConnectAlreadyDone(Request request, NettyResponseFuture */ private ListenableFuture sendRequestWithCertainForceConnect(Request request, AsyncHandler asyncHandler, NettyResponseFuture future, ProxyServer proxyServer, boolean performConnectRequest) { - NettyResponseFuture newFuture = newNettyRequestAndResponseFuture(request, asyncHandler, future, proxyServer, performConnectRequest); Channel channel = getOpenChannel(future, request, proxyServer, asyncHandler); - return Channels.isChannelActive(channel) - ? sendRequestWithOpenChannel(newFuture, asyncHandler, channel) - : sendRequestWithNewChannel(request, proxyServer, newFuture, asyncHandler); + if (Channels.isChannelActive(channel)) { + NettyResponseFuture newFuture = newNettyRequestAndResponseFuture(request, asyncHandler, future, + proxyServer, performConnectRequest); + return sendRequestWithOpenChannel(newFuture, asyncHandler, channel); + } else { + // A new channel is not expected when performConnectRequest is false. We need to + // revisit the condition of sending + // the CONNECT request to the new channel. + NettyResponseFuture newFuture = newNettyRequestAndResponseFuture(request, asyncHandler, future, + proxyServer, needConnect(request, proxyServer)); + return sendRequestWithNewChannel(request, proxyServer, newFuture, asyncHandler); + } } /** diff --git a/client/src/test/java/org/asynchttpclient/proxy/HttpsProxyTest.java b/client/src/test/java/org/asynchttpclient/proxy/HttpsProxyTest.java index 011f15d78..9bd5ca911 100644 --- a/client/src/test/java/org/asynchttpclient/proxy/HttpsProxyTest.java +++ b/client/src/test/java/org/asynchttpclient/proxy/HttpsProxyTest.java @@ -13,6 +13,7 @@ package org.asynchttpclient.proxy; import io.github.artsok.RepeatedIfExceptionsTest; +import io.netty.handler.codec.http.DefaultHttpHeaders; import jakarta.servlet.ServletException; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; 
@@ -43,8 +44,10 @@ import static org.asynchttpclient.test.TestUtils.addHttpConnector; import static org.asynchttpclient.test.TestUtils.addHttpsConnector; import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertThrowsExactly; import java.io.IOException; +import java.util.concurrent.ExecutionException; /** * Proxy usage tests. @@ -156,7 +159,7 @@ public void testPooledConnectionsWithProxy() throws Exception { public void testFailedConnectWithProxy() throws Exception { try (AsyncHttpClient asyncHttpClient = asyncHttpClient(config().setFollowRedirect(true).setUseInsecureTrustManager(true).setKeepAlive(true))) { Builder proxyServer = proxyServer("localhost", port1); - proxyServer.setCustomHeaders(r -> r.getHeaders().add(ProxyHandler.HEADER_FORBIDDEN, "1")); + proxyServer.setCustomHeaders(r -> new DefaultHttpHeaders().set(ProxyHandler.HEADER_FORBIDDEN, "1")); RequestBuilder rb = get(getTargetUrl2()).setProxyServer(proxyServer); Response response1 = asyncHttpClient.executeRequest(rb.build()).get(); 
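Review bot: In testFailedConnectWithProxy, the switch from `r.getHeaders().add(ProxyHandler.HEADER_FORBIDDEN, "1")` to `new DefaultHttpHeaders().set(ProxyHandler.HEADER_FORBIDDEN, "1")` is not mentioned in the commit message and is a separate behavioural change from the retry fix. If the value returned by the setCustomHeaders lambda is what ends up on the CONNECT request, please say so in the commit message, or move this into its own commit, so it is clear whether the existing 403 test was exercising the header path before this change.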
@@ -170,16 +173,39 @@ public void testFailedConnectWithProxy() throws Exception { } } + @RepeatedIfExceptionsTest(repeats = 5) + public void testClosedConnectionWithProxy() throws Exception { + try (AsyncHttpClient asyncHttpClient = asyncHttpClient( + config().setFollowRedirect(true).setUseInsecureTrustManager(true).setKeepAlive(true))) { + Builder proxyServer = proxyServer("localhost", port1); + proxyServer.setCustomHeaders(r -> new DefaultHttpHeaders().set(ProxyHandler.HEADER_FORBIDDEN, "2")); + RequestBuilder rb = get(getTargetUrl2()).setProxyServer(proxyServer); + + assertThrowsExactly(ExecutionException.class, () -> asyncHttpClient.executeRequest(rb.build()).get()); + assertThrowsExactly(ExecutionException.class, () -> asyncHttpClient.executeRequest(rb.build()).get()); + assertThrowsExactly(ExecutionException.class, () -> asyncHttpClient.executeRequest(rb.build()).get()); + } + } + public static class ProxyHandler extends ConnectHandler { final static String HEADER_FORBIDDEN = "X-REJECT-REQUEST"; @Override public void handle(String s, Request r, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { if (HttpConstants.Methods.CONNECT.equalsIgnoreCase(request.getMethod())) { - if (request.getHeader(HEADER_FORBIDDEN) != null) { + String headerValue = request.getHeader(HEADER_FORBIDDEN); + if (headerValue == null) { + headerValue = ""; + } + switch (headerValue) { + case "1": response.setStatus(HttpServletResponse.SC_FORBIDDEN); r.setHandled(true); return; + case "2": + r.getHttpChannel().getConnection().close(); + r.setHandled(true); + return; } } super.handle(s, r, request, response); From 4bd02df8668dc03ee9d09805faaaeefca97a038b Mon Sep 17 00:00:00 2001 
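Review bot: In sendRequestWithCertainForceConnect (NettyRequestSender.java, hunk at -137,11), the new-channel branch ignores the caller's performConnectRequest and passes needConnect(request, proxyServer) instead, without the `future != null && future.isConnectAllowed()` check that sendRequest applies before it performs a CONNECT. Please confirm that forcing a CONNECT there is intended for every caller, or carry the isConnectAllowed() condition into this branch. The inline comment says a new channel "is not expected when performConnectRequest is false"; a debug log for that case would make the recovery path visible when diagnosing proxy failures. The two branches also duplicate the newNettyRequestAndResponseFuture call; choosing the boolean once from Channels.isChannelActive(channel) and building the future a single time would keep them from drifting apart.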
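Review bot: In testClosedConnectionWithProxy (HttpsProxyTest.java, hunk at -170,16), the three `assertThrowsExactly(ExecutionException.class, ...)` calls pass for any failure, so the test does not show that each retry started with a CONNECT, which is what this commit fixes. Consider asserting that the exception's cause is an IOException and counting the CONNECT requests that reach the `case "2"` branch of ProxyHandler, then checking that count against the expected number of attempts. The new switch in ProxyHandler.handle also has no default branch; adding one with a comment that other values fall through to super.handle would make the intent explicit.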
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 14 Mar 2025 23:21:27 +0530 Subject: [PATCH 19/32] Bump netty.version from 4.1.118.Final to 4.1.119.Final (#2076) Bumps `netty.version` from 4.1.118.Final to 4.1.119.Final. Updates `io.netty:netty-buffer` from 4.1.118.Final to 4.1.119.Final
Commits
  • fb7c786 [maven-release-plugin] prepare release netty-4.1.119.Final
  • f0a546d Use initialized BouncyCastle providers when available (#14855)
  • 7fc6a23 Add QueryStringDecoder option to leave '+' alone (#14850)
  • 8f3dd2f Consistently add channel info in HTTP/2 logs (#14829)
  • bd08643 Bump BlockHound version to 1.0.11.RELEASE (#14814)
  • 0138f23 SslHandler: Fix possible NPE when executor is used for delegating (#14830)
  • 84120a7 Fix NPE when upgrade message fails to aggregate (#14816)
  • dc6b051 Replace SSL assertion with explicit record length check (#14810)
  • 34011b5 chore: Sync the id when DefaultHttp2FrameStream's stream is updated. (#14803)
  • f3311e5 [maven-release-plugin] prepare for next development iteration
  • See full diff in compare view

Updates `io.netty:netty-codec-http` from 4.1.118.Final to 4.1.119.Final

Updates `io.netty:netty-codec` from 4.1.118.Final to 4.1.119.Final

Updates `io.netty:netty-codec-socks` from 4.1.118.Final to 4.1.119.Final

Updates `io.netty:netty-handler-proxy` from 4.1.118.Final to 4.1.119.Final

Updates `io.netty:netty-common` from 4.1.118.Final to 4.1.119.Final

Updates `io.netty:netty-transport` from 4.1.118.Final to 4.1.119.Final

Updates `io.netty:netty-handler` from 4.1.118.Final to 4.1.119.Final

Updates `io.netty:netty-resolver-dns` from 4.1.118.Final to 4.1.119.Final

Updates `io.netty:netty-transport-native-epoll` from 4.1.118.Final to 4.1.119.Final

Updates `io.netty:netty-transport-native-kqueue` from 4.1.118.Final to 4.1.119.Final

Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index bc92eb92e..d280fa329 100644 --- a/pom.xml +++ b/pom.xml @@ -45,7 +45,7 @@ 11 UTF-8 - 4.1.118.Final + 4.1.119.Final 0.0.26.Final 1.18.0 2.0.16 From 0fe2036be2941886d4582878c20f7846f82b24f8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 14 Mar 2025 23:21:54 +0530 Subject: [PATCH 20/32] Bump org.apache.tomcat.embed:tomcat-embed-core from 10.1.36 to 10.1.39 (#2073) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [//]: # (dependabot-start) ⚠️ **Dependabot is rebasing this PR** ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps org.apache.tomcat.embed:tomcat-embed-core from 10.1.36 to 10.1.39.
Most Recent Ignore Conditions Applied to This Pull Request

| Dependency Name | Ignore Conditions |
| --- | --- |
| org.apache.tomcat.embed:tomcat-embed-core | [>= 11.a0, < 12] |
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- client/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/pom.xml b/client/pom.xml index 826ee0db8..7cc99b940 100644 --- a/client/pom.xml +++ b/client/pom.xml @@ -31,7 +31,7 @@ org.asynchttpclient.client 11.0.24 - 10.1.36 + 10.1.39 2.18.0 4.11.0 3.0 From acdacfb0701ec62949439b5dad78581ea0b0cf2f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 31 Mar 2025 18:11:30 +0530 Subject: [PATCH 21/32] Bump crazy-max/ghaction-import-gpg from 6.2.0 to 6.3.0 (#2084) Bumps [crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg) from 6.2.0 to 6.3.0.
Release notes

Sourced from crazy-max/ghaction-import-gpg's releases.

v6.3.0

Full Changelog: https://github.com/crazy-max/ghaction-import-gpg/compare/v6.2.0...v6.3.0

Commits
  • e89d409 Merge pull request #215 from crazy-max/dependabot/npm_and_yarn/openpgp-6.1.0
  • 9239589 fix README
  • 177db9d chore: update generated content
  • 78b11f3 build(deps): bump openpgp from 5.11.2 to 6.1.0
  • bc96911 Merge pull request #218 from crazy-max/bake-v6
  • b70aa9b ci: update bake-action to v6
  • d690cc9 Merge pull request #212 from crazy-max/dependabot/npm_and_yarn/cross-spawn-7.0.6
  • 9e887f4 Merge pull request #211 from crazy-max/dependabot/github_actions/codecov/code...
  • 442980b ci: fix deprecated codecov input
  • a0098b6 Merge pull request #217 from crazy-max/gha-perms
  • Additional commits viewable in compare view

Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4a462dc99..b175fa865 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -37,7 +37,7 @@ jobs: }] - name: Import GPG - uses: crazy-max/ghaction-import-gpg@v6.2.0 + uses: crazy-max/ghaction-import-gpg@v6.3.0 with: gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} passphrase: ${{ secrets.GPG_PASSPHRASE }} From 96840692decab2541c8f13d2dbfbbca35311890f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 31 Mar 2025 18:11:34 +0530 Subject: [PATCH 22/32] Bump com.uber.nullaway:nullaway from 0.12.3 to 0.12.6 (#2082) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [com.uber.nullaway:nullaway](https://github.com/uber/NullAway) from 0.12.3 to 0.12.6.
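Review bot: In the .github/workflows/release.yml hunk of patch 21/32 above, the "Import GPG" step still references the action by a mutable tag (`crazy-max/ghaction-import-gpg@v6.3.0`) while passing secrets.GPG_PRIVATE_KEY and secrets.GPG_PASSPHRASE to it. Because this step receives the release signing key, consider pinning `uses:` to the full commit SHA of the v6.3.0 release, with the tag kept as a trailing comment, so that a moved tag upstream cannot change the code that handles the key. Dependabot can keep SHA-pinned actions up to date, so the bump workflow does not change.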
Release notes

Sourced from com.uber.nullaway:nullaway's releases.

NullAway 0.12.6

  • JSpecify: view type as super in generic method inference (#1177)
  • Infer @Nullable type arguments for type variables from unmarked code (#1181)
  • Convert android-jar.py to Python 3 (#1175)
  • Suggest castToNonNull fix for unboxing error (#1182)

NullAway 0.12.5

Version 0.12.4

  • Better @MonotonicNonNull support (#1149)
  • Add support for local variables for arrays. (#1146)
  • Ignore Spring Framework 6.2 @MockitoBean, @MockitoSpyBean fields (#1147)
  • JSpecify: preserve explicit nullability annotations on type variables when performing substitutions (#1143)
  • Always acknowledge restrictive annotations in JSpecify mode (#1144)
  • Fix printing of array types in JSpecify errors (#1145)
  • Remove need to use JSpecify's @Nullable annotation (#1142)
  • Handle calls to generic constructors in JSpecify mode (#1141)
  • Properly handle conditional expression within parens as RHS of assignment (#1140)
  • Skip checks involving wildcard generic type arguments (#1137)
  • Update to Gradle 8.12.1 (#1133)

Changelog

Sourced from com.uber.nullaway:nullaway's changelog.

Version 0.12.6

  • JSpecify: view type as super in generic method inference (#1177)
  • Infer @Nullable type arguments for type variables from unmarked code (#1181)
  • Convert android-jar.py to Python 3 (#1175)
  • Suggest castToNonNull fix for unboxing error (#1182)

Version 0.12.5

Version 0.12.4

  • Better @MonotonicNonNull support (#1149)
  • Add support for local variables for arrays. (#1146)
  • Ignore Spring Framework 6.2 @MockitoBean, @MockitoSpyBean fields (#1147)
  • JSpecify: preserve explicit nullability annotations on type variables when performing substitutions (#1143)
  • Always acknowledge restrictive annotations in JSpecify mode (#1144)
  • Fix printing of array types in JSpecify errors (#1145)
  • Remove need to use JSpecify's @Nullable annotation (#1142)
  • Handle calls to generic constructors in JSpecify mode (#1141)
  • Properly handle conditional expression within parens as RHS of assignment (#1140)
  • Skip checks involving wildcard generic type arguments (#1137)
  • Update to Gradle 8.12.1 (#1133)
Commits
  • 649f25a Prepare for release 0.12.6.
  • 9369704 Suggest castToNonNull fix for unboxing error (#1182)
  • f1aca1b Convert android-jar.py to Python 3 (#1175)
  • 33588de Infer @Nullable type arguments for type variables from unmarked code (#1181)
  • dd0fe71 JSpecify: view type as super in generic method inference (#1177)
  • 2c8049c Prepare next development version.
  • 9613fb7 Prepare for release 0.12.5.
  • b84feb7 Don't treat @ParametricNullness as @Nullable in JSpecify mode (#1174)
  • 3da2c82 Use proper name for constructors in JarInfer (#1167)
  • 685065a Update to Error Prone 2.37.0 (#1169)
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.uber.nullaway:nullaway&package-manager=maven&previous-version=0.12.3&new-version=0.12.6)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index d280fa329..20b284dc0 100644 --- a/pom.xml +++ b/pom.xml @@ -327,7 +327,7 @@ com.uber.nullaway nullaway - 0.12.3 + 0.12.6 From 5977cd39acf22326ae5a8313987e27117c8ffbc0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 31 Mar 2025 18:11:47 +0530 Subject: [PATCH 23/32] Bump com.github.luben:zstd-jni from 1.5.7-1 to 1.5.7-2 (#2078) Bumps [com.github.luben:zstd-jni](https://github.com/luben/zstd-jni) from 1.5.7-1 to 1.5.7-2.
Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.github.luben:zstd-jni&package-manager=maven&previous-version=1.5.7-1&new-version=1.5.7-2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 20b284dc0..9b48a8c0d 100644 --- a/pom.xml +++ b/pom.xml @@ -49,7 +49,7 @@ 0.0.26.Final 1.18.0 2.0.16 - 1.5.7-1 + 1.5.7-2 2.0.1 1.5.16 26.0.2 From 1f642ba712f04b8385171107efefae2a44df72fd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 31 Mar 2025 18:11:55 +0530 Subject: [PATCH 24/32] Bump ch.qos.logback:logback-classic from 1.5.16 to 1.5.18 (#2080) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.16 to 1.5.18.
Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.18

2025-03-18 Release of logback version 1.5.18

• Added support for XZ compression for archived log files. Note that XZ compression requires Tukaani project's XZ library for Java. In case XZ compression is requested but the XZ library is missing, then logback will substitute GZ compression as a fallback. This feature was requested in issues/755.

• Removed references to java.security.AccessController class. This class has been deprecated for some time and is slated for removal in future JDK versions.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit b2a02f065379a9b1ba5ff837fc08913b744774bc associated with the tag v_1.5.18. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.17

2025-02-25 Release of logback version 1.5.17

• Fixed Jansi 2.4.0 color-coded output not working on Windows CMD.exe console when the default terminal application is set to "Windows Console Host". This problem was reported in issues/753 by Michael Lyubkin.

• Fixed race condition occurring in case MDC class is initialized while org.slf4j.LoggerFactory is initializing logback-classic's LoggerContext. When this race condition occurs, the MDCAdapter instance used by MDC does not match the instance used by logback-classic. This issue was reported in SLF4J issues/450. While logback-classic version 1.5.17 remains compatible with SLF4J versions in the 2.0.x series, fixing this particular MDC issue requires SLF4J version 2.0.17.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 10358724ed723b3745c010aa40cb02a2dfed4593 associated with the tag v_1.5.17. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Commits
  • b2a02f0 prepare release 1.5.18
  • 991de58 remove references to AccessController marked for deletion in the JDK
  • f54ab16 If compression mode is XZ but the XZ library is missing, then fallback to GZ ...
  • fb45971 add support for XZ compression
  • 31c1f55 add xz compression support with tests
  • 8968d0f introduce strategy based compression
  • 834059c start work on 1.5.18-SNAPSHOT
  • 1035872 prepare release 1.5.17
  • 2e6984d bump to slf4j version 2.0.17
  • 1009952 use a new LoggerContert instance when running LogbackListenerTest. This shoul...
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=ch.qos.logback:logback-classic&package-manager=maven&previous-version=1.5.16&new-version=1.5.18)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 9b48a8c0d..98e816c79 100644 --- a/pom.xml +++ b/pom.xml @@ -51,7 +51,7 @@ 2.0.16 1.5.7-2 2.0.1 - 1.5.16 + 1.5.18 26.0.2 From 4fea3f747700475af5abc96e2eaa1b7cb6185366 Mon Sep 17 00:00:00 2001 From: Aayush Atharva Date: Mon, 31 Mar 2025 18:24:04 +0530 Subject: [PATCH 25/32] Disable Dependabot (#2085) Dependabot creates a separate PR for each dependency, which has broken the final release builds many times. It will be disabled for the time being until a better way to manage dependency upgrades is implemented, --- .github/dependabot.yml | 17 ----------------- 1 file changed, 17 deletions(-) delete mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml deleted file mode 100644 index f4538d3c7..000000000 --- a/.github/dependabot.yml +++ /dev/null @@ -1,17 +0,0 @@ -# To get started with Dependabot version updates, you'll need to specify which -# package ecosystems to update and where the package manifests are located. -# Please see the documentation for all configuration options: -# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file - -version: 2 -updates: - - package-ecosystem: "maven" - directories: - - "/" - schedule: - interval: "daily" - - package-ecosystem: "github-actions" - directories: - - "/" - schedule: - interval: "daily" From 3f1de314d7e340a90929ef7d422eeaed2253b33c Mon Sep 17 00:00:00 2001 From: Aayush Atharva Date: Mon, 31 Mar 2025 19:28:09 +0530 Subject: [PATCH 26/32] Release v3.0.2 (#2086) --- README.md | 4 ++-- client/pom.xml | 2 +- pom.xml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 4ae651b75..0272134ed 100644 --- a/README.md +++ b/README.md 
@@ -20,7 +20,7 @@ Maven: org.asynchttpclient async-http-client - 3.0.1 + 3.0.2 ``` @@ -28,7 +28,7 @@ Maven: Gradle: ```groovy dependencies { - implementation 'org.asynchttpclient:async-http-client:3.0.1' + implementation 'org.asynchttpclient:async-http-client:3.0.2' } ``` diff --git a/client/pom.xml b/client/pom.xml index 7cc99b940..749a98ddb 100644 --- a/client/pom.xml +++ b/client/pom.xml @@ -19,7 +19,7 @@ org.asynchttpclient async-http-client-project - 3.0.1 + 3.0.2 4.0.0 diff --git a/pom.xml b/pom.xml index 98e816c79..70d09ac53 100644 --- a/pom.xml +++ b/pom.xml @@ -20,7 +20,7 @@ org.asynchttpclient async-http-client-project - 3.0.1 + 3.0.2 pom AHC/Project From 14ee30acf476d52831f7048bf861a4752bb13a08 Mon Sep 17 00:00:00 2001 From: sullis Date: Wed, 2 Apr 2025 12:58:01 -0700 Subject: [PATCH 27/32] netty leak detector 0.0.8 (#2087) https://github.com/nettyplus/netty-leak-detector-junit-extension --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 70d09ac53..4dbe02c1d 100644 --- a/pom.xml +++ b/pom.xml @@ -112,7 +112,7 @@ io.github.nettyplus netty-leak-detector-junit-extension - 0.0.6 + 0.0.8 From 73911ebe4c464588fb10c211a43caeec394d97ca Mon Sep 17 00:00:00 2001 
From: Pratik Katti <90851204+pratt4@users.noreply.github.com> Date: Fri, 9 May 2025 23:14:39 +0530 Subject: [PATCH 28/32] Fix NPE race in NettyResponseFuture.cancel (#2042) (#2088) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes #2042 This is a typical TOCTOU (time-of-check/time-of-use) race https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use. The NPE was occurring because the channel field could be set to null by another thread between the check and its use: if (channel != null) { // time-of-check Channels.setDiscard(channel); // time-of-use Channels.silentlyCloseChannel(channel); } By copying channel into a local variable in one atomic read, we ensure that—even if another thread changes the field—the local reference remains valid. P.S. It is hard to write a deterministic test that fails consistently, so this PR only includes the code fix. --------- Co-authored-by: prat --- .../org/asynchttpclient/netty/NettyResponseFuture.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/client/src/main/java/org/asynchttpclient/netty/NettyResponseFuture.java b/client/src/main/java/org/asynchttpclient/netty/NettyResponseFuture.java index c5e4a97d0..c29c0f33d 100755 --- a/client/src/main/java/org/asynchttpclient/netty/NettyResponseFuture.java +++ b/client/src/main/java/org/asynchttpclient/netty/NettyResponseFuture.java @@ -187,10 +187,10 @@ public boolean cancel(boolean force) { return false; } - // cancel could happen before channel was attached - if (channel != null) { - Channels.setDiscard(channel); - Channels.silentlyCloseChannel(channel); + final Channel ch = channel; //atomic read, so that it won't end up in TOCTOU + if (ch != null) { + Channels.setDiscard(ch); + Channels.silentlyCloseChannel(ch); } if (ON_THROWABLE_CALLED_FIELD.getAndSet(this, 1) == 0) { From 6ac1cccad93bf617200f6a87f9790de273529256 Mon Sep 17 00:00:00 2001 
From: Aayush Atharva Date: Sun, 11 May 2025 04:58:54 +0530 Subject: [PATCH 29/32] Add japicmp (#2091) --- .github/workflows/builds.yml | 26 +++++++++++++++++++++----- pom.xml | 28 ++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+), 5 deletions(-) diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml index 6a59bde6c..2586cf3c6 100644 --- a/.github/workflows/builds.yml +++ b/.github/workflows/builds.yml @@ -5,34 +5,50 @@ on: - cron: '0 12 * * *' jobs: + Verify: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Grant Permission + run: chmod +x ./mvnw + - uses: actions/setup-java@v4 + with: + distribution: 'corretto' + java-version: '11' + - name: Verify + run: ./mvnw -B -ntp clean verify -DskipTests -Dgpg.skip=true + RunOnLinux: runs-on: ubuntu-latest + needs: Verify steps: - uses: actions/checkout@v4 - name: Grant Permission - run: sudo chmod +x ./mvnw + run: chmod +x ./mvnw - uses: actions/setup-java@v4 with: distribution: 'corretto' java-version: '11' - name: Run Tests - run: ./mvnw -B -ntp clean test + run: ./mvnw -B -ntp test RunOnMacOs: runs-on: macos-latest + needs: Verify steps: - uses: actions/checkout@v4 - name: Grant Permission - run: sudo chmod +x ./mvnw + run: chmod +x ./mvnw - uses: actions/setup-java@v4 with: distribution: 'corretto' java-version: '11' - name: Run Tests - run: ./mvnw -B -ntp clean test + run: ./mvnw -B -ntp test RunOnWindows: runs-on: windows-latest + needs: Verify steps: - uses: actions/checkout@v4 - uses: actions/setup-java@v4 @@ -40,4 +56,4 @@ jobs: distribution: 'corretto' java-version: '11' - name: Run Tests - run: ./mvnw.cmd -B -ntp clean test + run: ./mvnw.cmd -B -ntp test diff --git a/pom.xml b/pom.xml index 4dbe02c1d..ee1c2308c 100644 --- a/pom.xml +++ b/pom.xml @@ -422,10 +422,38 @@ --pinentry-mode loopback + false
+ + + com.github.siom79.japicmp + japicmp-maven-plugin + 0.23.1 + + + RELEASE + ${project.version} + + + true + true + true + false + public + + + + + + cmp + + verify + + + From fb50dc26717f0e6aaaef58e2a01924a56aab2021 Mon Sep 17 00:00:00 2001 From: Aayush Atharva Date: Sun, 11 May 2025 05:00:47 +0530 Subject: [PATCH 30/32] Feature: Add Option to Strip Authorization Header on Redirect (#2090) Closes #1884 --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../AsyncHttpClientConfig.java | 7 ++ .../DefaultAsyncHttpClientConfig.java | 16 ++++ .../intercept/Redirect30xInterceptor.java | 9 +- .../DefaultAsyncHttpClientConfigTest.java | 30 ++++++ .../StripAuthorizationOnRedirectHttpTest.java | 95 +++++++++++++++++++ 5 files changed, 153 insertions(+), 4 deletions(-) create mode 100644 client/src/test/java/org/asynchttpclient/DefaultAsyncHttpClientConfigTest.java create mode 100644 client/src/test/java/org/asynchttpclient/StripAuthorizationOnRedirectHttpTest.java diff --git a/client/src/main/java/org/asynchttpclient/AsyncHttpClientConfig.java b/client/src/main/java/org/asynchttpclient/AsyncHttpClientConfig.java index 12dc93d7d..954628b3d 100644 --- a/client/src/main/java/org/asynchttpclient/AsyncHttpClientConfig.java +++ b/client/src/main/java/org/asynchttpclient/AsyncHttpClientConfig.java @@ -375,6 +375,13 @@ public interface AsyncHttpClientConfig { int getIoThreadsCount(); + /** + * Indicates whether the Authorization header should be stripped during redirects to a different domain. + * + * @return true if the Authorization header should be stripped, false otherwise. + */ + boolean isStripAuthorizationOnRedirect(); + enum ResponseBodyPartFactory { EAGER { diff --git a/client/src/main/java/org/asynchttpclient/DefaultAsyncHttpClientConfig.java b/client/src/main/java/org/asynchttpclient/DefaultAsyncHttpClientConfig.java index e72235c17..1c7dbf37f 100644 --- a/client/src/main/java/org/asynchttpclient/DefaultAsyncHttpClientConfig.java 
+++ b/client/src/main/java/org/asynchttpclient/DefaultAsyncHttpClientConfig.java @@ -127,6 +127,7 @@ public class DefaultAsyncHttpClientConfig implements AsyncHttpClientConfig { private final boolean keepEncodingHeader; private final ProxyServerSelector proxyServerSelector; private final boolean validateResponseHeaders; + private final boolean stripAuthorizationOnRedirect; // websockets private final boolean aggregateWebSocketFrameFragments; @@ -219,6 +220,7 @@ private DefaultAsyncHttpClientConfig(// http boolean validateResponseHeaders, boolean aggregateWebSocketFrameFragments, boolean enablewebSocketCompression, + boolean stripAuthorizationOnRedirect, // timeouts Duration connectTimeout, @@ -307,6 +309,7 @@ private DefaultAsyncHttpClientConfig(// http this.keepEncodingHeader = keepEncodingHeader; this.proxyServerSelector = proxyServerSelector; this.validateResponseHeaders = validateResponseHeaders; + this.stripAuthorizationOnRedirect = stripAuthorizationOnRedirect; // websocket this.aggregateWebSocketFrameFragments = aggregateWebSocketFrameFragments; @@ -564,6 +567,11 @@ public boolean isValidateResponseHeaders() { return validateResponseHeaders; } + @Override + public boolean isStripAuthorizationOnRedirect() { + return stripAuthorizationOnRedirect; + } + // ssl @Override public boolean isUseOpenSsl() { @@ -800,6 +808,7 @@ public static class Builder { private boolean useProxySelector = defaultUseProxySelector(); private boolean useProxyProperties = defaultUseProxyProperties(); private boolean validateResponseHeaders = defaultValidateResponseHeaders(); + private boolean stripAuthorizationOnRedirect = false; // default value // websocket private boolean aggregateWebSocketFrameFragments = defaultAggregateWebSocketFrameFragments(); 
@@ -891,6 +900,7 @@ public Builder(AsyncHttpClientConfig config) { keepEncodingHeader = config.isKeepEncodingHeader(); proxyServerSelector = config.getProxyServerSelector(); validateResponseHeaders = config.isValidateResponseHeaders(); + stripAuthorizationOnRedirect = config.isStripAuthorizationOnRedirect(); // websocket aggregateWebSocketFrameFragments = config.isAggregateWebSocketFrameFragments(); @@ -1079,6 +1089,11 @@ public Builder setUseProxyProperties(boolean useProxyProperties) { return this; } + public Builder setStripAuthorizationOnRedirect(boolean value) { + stripAuthorizationOnRedirect = value; + return this; + } + // websocket public Builder setAggregateWebSocketFrameFragments(boolean aggregateWebSocketFrameFragments) { this.aggregateWebSocketFrameFragments = aggregateWebSocketFrameFragments; @@ -1444,6 +1459,7 @@ public DefaultAsyncHttpClientConfig build() { validateResponseHeaders, aggregateWebSocketFrameFragments, enablewebSocketCompression, + stripAuthorizationOnRedirect, connectTimeout, requestTimeout, readTimeout, diff --git a/client/src/main/java/org/asynchttpclient/netty/handler/intercept/Redirect30xInterceptor.java b/client/src/main/java/org/asynchttpclient/netty/handler/intercept/Redirect30xInterceptor.java index e60495f80..40628a7e5 100644 --- a/client/src/main/java/org/asynchttpclient/netty/handler/intercept/Redirect30xInterceptor.java +++ b/client/src/main/java/org/asynchttpclient/netty/handler/intercept/Redirect30xInterceptor.java @@ -35,7 +35,6 @@ import org.slf4j.LoggerFactory; import java.util.HashSet; -import java.util.List; import java.util.Set; import static io.netty.handler.codec.http.HttpHeaderNames.AUTHORIZATION; 
@@ -73,11 +72,13 @@ public class Redirect30xInterceptor { private final AsyncHttpClientConfig config; private final NettyRequestSender requestSender; private final MaxRedirectException maxRedirectException; + private final boolean stripAuthorizationOnRedirect; Redirect30xInterceptor(ChannelManager channelManager, AsyncHttpClientConfig config, NettyRequestSender requestSender) { this.channelManager = channelManager; this.config = config; this.requestSender = requestSender; + stripAuthorizationOnRedirect = config.isStripAuthorizationOnRedirect(); // New flag maxRedirectException = unknownStackTrace(new MaxRedirectException("Maximum redirect reached: " + config.getMaxRedirects()), Redirect30xInterceptor.class, "exitAfterHandlingRedirect"); } @@ -127,7 +128,7 @@ public boolean exitAfterHandlingRedirect(Channel channel, NettyResponseFuture } } - requestBuilder.setHeaders(propagatedHeaders(request, realm, keepBody)); + requestBuilder.setHeaders(propagatedHeaders(request, realm, keepBody, stripAuthorizationOnRedirect)); // in case of a redirect from HTTP to HTTPS, future // attributes might change @@ -180,7 +181,7 @@ public boolean exitAfterHandlingRedirect(Channel channel, NettyResponseFuture return false; } - private static HttpHeaders propagatedHeaders(Request request, Realm realm, boolean keepBody) { + private static HttpHeaders propagatedHeaders(Request request, Realm realm, boolean keepBody, boolean stripAuthorization) { HttpHeaders headers = request.getHeaders() .remove(HOST) .remove(CONTENT_LENGTH); @@ -189,7 +190,7 @@ private static HttpHeaders propagatedHeaders(Request request, Realm realm, boole headers.remove(CONTENT_TYPE); } - if (realm != null && realm.getScheme() == AuthScheme.NTLM) { + if (stripAuthorization || (realm != null && realm.getScheme() == AuthScheme.NTLM)) { headers.remove(AUTHORIZATION) .remove(PROXY_AUTHORIZATION); } 
diff --git a/client/src/test/java/org/asynchttpclient/DefaultAsyncHttpClientConfigTest.java b/client/src/test/java/org/asynchttpclient/DefaultAsyncHttpClientConfigTest.java new file mode 100644 index 000000000..1548d6812 --- /dev/null +++ b/client/src/test/java/org/asynchttpclient/DefaultAsyncHttpClientConfigTest.java @@ -0,0 +1,30 @@ +package org.asynchttpclient; + +import org.junit.jupiter.api.Test; + +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertTrue; + +class DefaultAsyncHttpClientConfigTest { + @Test + void testStripAuthorizationOnRedirect_DefaultIsFalse() { + DefaultAsyncHttpClientConfig config = new DefaultAsyncHttpClientConfig.Builder().build(); + assertFalse(config.isStripAuthorizationOnRedirect(), "Default should be false"); + } + + @Test + void testStripAuthorizationOnRedirect_SetTrue() { + DefaultAsyncHttpClientConfig config = new DefaultAsyncHttpClientConfig.Builder() + .setStripAuthorizationOnRedirect(true) + .build(); + assertTrue(config.isStripAuthorizationOnRedirect(), "Should be true when set"); + } + + @Test + void testStripAuthorizationOnRedirect_SetFalse() { + DefaultAsyncHttpClientConfig config = new DefaultAsyncHttpClientConfig.Builder() + .setStripAuthorizationOnRedirect(false) + .build(); + assertFalse(config.isStripAuthorizationOnRedirect(), "Should be false when set to false"); + } +} diff --git a/client/src/test/java/org/asynchttpclient/StripAuthorizationOnRedirectHttpTest.java b/client/src/test/java/org/asynchttpclient/StripAuthorizationOnRedirectHttpTest.java new file mode 100644 index 000000000..08c150c08 --- /dev/null +++ b/client/src/test/java/org/asynchttpclient/StripAuthorizationOnRedirectHttpTest.java 
@@ -0,0 +1,95 @@ +package org.asynchttpclient; + +import com.sun.net.httpserver.HttpExchange; +import com.sun.net.httpserver.HttpHandler; +import com.sun.net.httpserver.HttpServer; +import org.junit.jupiter.api.AfterAll; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.Test; + +import java.net.InetSocketAddress; +import java.util.concurrent.TimeUnit; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertNull; + +public class StripAuthorizationOnRedirectHttpTest { + private static HttpServer server; + private static int port; + private static volatile String lastAuthHeader; + + @BeforeAll + public static void startServer() throws Exception { + server = HttpServer.create(new InetSocketAddress(0), 0); + port = server.getAddress().getPort(); + server.createContext("/redirect", new RedirectHandler()); + server.createContext("/final", new FinalHandler()); + server.start(); + } + + @AfterAll + public static void stopServer() { + server.stop(0); + } + + static class RedirectHandler implements HttpHandler { + @Override + public void handle(HttpExchange exchange) { + String auth = exchange.getRequestHeaders().getFirst("Authorization"); + lastAuthHeader = auth; + exchange.getResponseHeaders().add("Location", "http://localhost/" + port + "/final"); + try { + exchange.sendResponseHeaders(302, -1); + } catch (Exception ignored) { + } + exchange.close(); + } + } + + static class FinalHandler implements HttpHandler { + @Override + public void handle(HttpExchange exchange) { + String auth = exchange.getRequestHeaders().getFirst("Authorization"); + lastAuthHeader = auth; + try { + exchange.sendResponseHeaders(200, 0); + exchange.getResponseBody().close(); + } catch (Exception ignored) { + } + exchange.close(); + } + } + + @Test + void testAuthHeaderPropagatedByDefault() throws Exception { + DefaultAsyncHttpClientConfig config = new DefaultAsyncHttpClientConfig.Builder() + 
.setFollowRedirect(true) + .build(); + try (DefaultAsyncHttpClient client = new DefaultAsyncHttpClient(config)) { + lastAuthHeader = null; + client.prepareGet("http://localhost/" + port + "/redirect") + .setHeader("Authorization", "Bearer testtoken") + .execute() + .get(5, TimeUnit.SECONDS); + // By default, Authorization header is propagated to /final + assertEquals("Bearer testtoken", lastAuthHeader, "Authorization header should be present on redirect by default"); + } + } + + @Test + void testAuthHeaderStrippedWhenEnabled() throws Exception { + DefaultAsyncHttpClientConfig config = new DefaultAsyncHttpClientConfig.Builder() + .setFollowRedirect(true) + .setStripAuthorizationOnRedirect(true) + .build(); + try (DefaultAsyncHttpClient client = new DefaultAsyncHttpClient(config)) { + lastAuthHeader = null; + client.prepareGet("http://localhost/" + port + "/redirect") + .setHeader("Authorization", "Bearer testtoken") + .execute() + .get(5, TimeUnit.SECONDS); + // When enabled, Authorization header should be stripped on /final + assertNull(lastAuthHeader, "Authorization header should be stripped on redirect when enabled"); + } + } +} From 41b1eec767ded1c2dcf9e7c690a4b8b6e0145e83 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 18 May 2025 22:24:59 +0530 Subject: [PATCH 31/32] Bump org.apache.tomcat.embed:tomcat-embed-core from 10.1.39 to 10.1.40 in /client (#2092) Bumps org.apache.tomcat.embed:tomcat-embed-core from 10.1.39 to 10.1.40. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.apache.tomcat.embed:tomcat-embed-core&package-manager=maven&previous-version=10.1.39&new-version=10.1.40)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- client/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/pom.xml b/client/pom.xml index 749a98ddb..733f20b51 100644 --- a/client/pom.xml +++ b/client/pom.xml @@ -31,7 +31,7 @@ org.asynchttpclient.client 11.0.24 - 10.1.39 + 10.1.40 2.18.0 4.11.0 3.0 From c8cc6e82e633e4f5d8e71646a9432e6e1d5b41a3 Mon Sep 17 00:00:00 2001 From: sullis Date: Thu, 22 May 2025 12:50:25 -0700 Subject: [PATCH 32/32] netty leak detector extension 0.2.0 (#2095) https://github.com/nettyplus/netty-leak-detector-junit-extension --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index ee1c2308c..e55fe8a26 100644 --- a/pom.xml +++ b/pom.xml @@ -112,7 +112,7 @@ io.github.nettyplus netty-leak-detector-junit-extension - 0.0.8 + 0.2.0
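Review bot: In the pom.xml hunk of PATCH 24/32 (logback-classic 1.5.16 to 1.5.18), the unchanged context above the bumped value still carries `2.0.16`. The quoted 1.5.17 release notes say the MDC race fix requires SLF4J 2.0.17, so if that `2.0.16` is the SLF4J version property, this bump alone does not pick up the fix; raise SLF4J to 2.0.17 in the same change or note why it is deferred.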
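Review bot: Deleting `.github/dependabot.yml` in PATCH 25/32 removes version updates for both the `maven` and `github-actions` ecosystems, which is broader than the problem the commit message describes (one PR per dependency breaking release builds). Consider keeping the file and batching updates with a `groups` entry, or using a less frequent `schedule.interval` than `daily`, so dependency fixes still arrive. PATCH 31/32, dated after this one, is still a Dependabot-authored bump, so the commit message should say which Dependabot PRs this deletion is expected to stop.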
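Review bot: In the `cancel` hunk of NettyResponseFuture.java (PATCH 28/32), the new comment `//atomic read, so that it won't end up in TOCTOU` overstates what the line guarantees. Copying `channel` into `ch` makes the null check and the two `Channels` calls use one reference, but whether `ch` holds the latest value depends on how the `channel` field is declared and published, which this hunk does not show. Please confirm the field is volatile (or otherwise safely published), reword the comment to say the field is read once, and keep the removed note that cancel can happen before the channel is attached, since that is why null is expected here.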
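Review bot: The new `Verify` job in .github/workflows/builds.yml (PATCH 29/32) references `actions/checkout@v4` and `actions/setup-java@v4` by mutable tag; pin both to a full commit SHA so a retagged action cannot change what runs in CI. The three test jobs now declare `needs: Verify` and drop `clean`, but each job starts on a fresh runner, so nothing built by `Verify` is reused and the only effect is that all platforms wait for it; say in the PR description that this gating is the intent.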
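Review bot: In the pom.xml hunk that adds `japicmp-maven-plugin` 0.23.1 (PATCH 29/32), the value `RELEASE` appears next to `${project.version}`. If `RELEASE` is the baseline version being compared against, it is resolved from the remote repository at build time, so the `verify` result can change without any change to this repository; pin the baseline to an explicit released version (for example the 3.0.2 released in PATCH 26/32) and bump it at each release. The commit message is only the title, so also document what the four boolean settings enforce.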
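Review bot: The Javadoc added to AsyncHttpClientConfig.java (PATCH 30/32) says the header is stripped "during redirects to a different domain", but the Redirect30xInterceptor change in the same patch passes the flag straight into `propagatedHeaders` with no comparison of the original and target host, so it applies to every redirect. Align the two: either document that it applies to all redirects or implement the cross-domain check. `isStripAuthorizationOnRedirect()` is also added as an abstract method on a public interface, which breaks existing implementers and is the kind of change the japicmp check from PATCH 29/32 is there to catch; a `default` method returning false would avoid that.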
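Review bot: `private boolean stripAuthorizationOnRedirect = false; // default value` in the Builder hunk of DefaultAsyncHttpClientConfig.java (PATCH 30/32) hard-codes the default, while the neighbouring fields use lookups such as `defaultValidateResponseHeaders()`; use the same mechanism so this option is set up like the others. With the default false, the client keeps forwarding `Authorization` to redirect targets unless callers opt in, which should be called out in the Javadoc and release notes. The setter parameter `value` should be named `stripAuthorizationOnRedirect`, matching the sibling setters.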
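Review bot: In `propagatedHeaders` in Redirect30xInterceptor.java (PATCH 30/32), `if (stripAuthorization || (realm != null && realm.getScheme() == AuthScheme.NTLM))` removes `AUTHORIZATION` and `PROXY_AUTHORIZATION` on every redirect once the flag is on, including redirects that stay on the same host, and, NTLM aside, removes nothing when it is off, including redirects to another host. Compare the scheme, host and port of the original request URI with the redirect target and strip when they differ, so the safe behaviour does not depend on a blanket switch. The `// New flag` comment in the constructor adds nothing, and the assignment should use `this.` like the three above it.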
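Review bot: Both handlers in StripAuthorizationOnRedirectHttpTest.java (PATCH 30/32) write to the same `lastAuthHeader`, so `testAuthHeaderPropagatedByDefault` passes even if the redirect is never followed, because `/redirect` has already stored `Bearer testtoken`. Record the header per path (or assert that `/final` was hit and that the response status is 200), and add a case where the redirect target is a different host or port, since the Javadoc describes cross-domain behaviour and the current target is the same server. The empty `catch (Exception ignored)` blocks in the handlers also hide server-side failures from the test.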