This week's Java roundup for December 20th, 2021, features news from OpenJDK with a new draft on value objects, JDK 18, JDK 19, Project Loom, additional statements from vendors on Log4Shell, numerous Spring and Quarkus updates, Hibernate ORM 6.0.0-M3, point releases from Apache Camel and Camel Quarkus, Apache Tika 2.2.1 and GraalVM Native Build Tools 0.9.9.
OpenJDK
A new JEP draft, Value Objects (Preview), was added to the list this past week. This new preview language and VM feature proposes to enhance the Java object model with value types defined as identity-free value classes and specifying the behavior of their instances. These classes contain only final instance fields and have no object identity.
JDK 18
Build 29 of the JDK 18 early access builds was made available this past week, featuring updates from Build 28 that include fixes to various issues. More details may be found in the release notes.
JDK 19
Build 3 of the JDK 19 early-access builds was also made available this past week, featuring updates from Build 2 that include fixes to various issues.
For JDK 18 and JDK 19, developers are encouraged to report bugs via the Java Bug Database.
Project Loom
Build 19-loom+1-11 of the Project Loom early-access builds was made available to the Java community and is based on Build 2 of the JDK 19 early access builds.
Additional Vendor Statements to Log4Shell Vulnerability
Oracle statement on Helidon:
By default Log4j is not used by Helidon based applications and does not appear on the classpath. However Helidon provides an optional Log4j integration module (helidon-logging-log4) and Helidon manages the version of Log4j. If your application uses helidon-logging-log4, or if your application uses Log4j directly then your application will have declared an explicit dependency on Log4j. But the version of this dependency might be managed by Helidon.
JetBrains statement on Third-party Plugins within the JetBrains Marketplace:
Because of how many IntelliJ-based plugins there are, we initially used API Watcher to check what plugins and which of their exact versions used anything from log4j. We have temporarily hidden all plugin versions in which we detected any use of log4j.
We understand that such a check can produce some false positives. But we'd rather play it extra safe and draw the attention of many plugin authors to the potential risks, rather than miss some plugins that have repackaged log4j.
Spring Framework
It was a very busy week over at Spring, with a number of point releases across various Spring projects.
There were two point releases on the Spring Boot 2.6 and 2.5 release trains:
Version 2.6.2 features 55 bug fixes and documentation improvements along with many dependency upgrades such as Log4j 2.17.0, Kotlin 1.6.10, Hibernate 5.6.3.Final and multiple Spring-related projects.
Version 2.5.8 features 46 bug fixes and documentation improvements along with many dependency upgrades such as Log4j 2.17.0, Kotlin 1.5.32, Hibernate 5.4.33 and multiple Spring-related projects.
Spring Cloud Square 0.4.0 has been released featuring: support for providing adjustments on non-load-balanced use cases; the ability to configure different WebClient.Builder beans for each instance of a Retrofit client annotated with @RetrofitClient; and integration of Spring Cloud Sleuth for an instance of the OkHttpClient class.
Spring Native 0.11.1 was made available to include 13 bug fixes and documentation improvements along with a dependency upgrade to Spring Boot 2.6.2.
Spring Integration 5.5.7 has been released featuring a number of bug fixes. More details may be found in the migration guide (for potential breaking changes) and the changelog.
Point releases for Spring Security versions 5.2.15, 5.3.13, 5.4.10, 5.5.4 and 5.6.1 were made available this past week featuring bug fixes and minor improvements.
Quarkus
Quarkus 2.5.4.Final, a maintenance release, features a dependency upgrade to Jackson 2.12.6 to fix a possible denial-of-service attack in Jackson Databind. Further details may be found in the changelog.
Quarkus 2.6.0.Final has been released featuring: dependency upgrades to SmallRye Reactive Messaging 3.13, Kafka 3.0, Kotlin 1.6 and Camel 3.14; extensions, such as Neo4J, Amazon Alexa and Reactive Messaging HTTP having been moved to the Quarkiverse Hub; a new programmatic API for caching; and a smaller Docker image, based on UBI Micro, for native executables. This release did not include the fixes from Quarkus 2.5.4.Final, but they were included in Quarkus 2.6.1.Final.
Quarkus 2.6.1.Final, the last maintenance release of 2021, includes all the fixes from Quarkus 2.5.4.Final and some dependency upgrades. More details may be found in the changelog.
Hibernate
The third beta release of Hibernate ORM 6.0 was made available this past week featuring new annotations: @IdGeneratorType allows configuration of the IdentifierGenerator interface in a type-safe way; @TenantId uses column-based multi-tenancy to mark an attribute that defines the tenant; and @AttributeBinderType allows customization of how mapping of an attribute is defined. Further details may be found in the Hibernate 6.0 user guide and migration guide.
Apache Camel
The Apache Software Foundation has provided the last point release in the Camel 3.7 release train. Version 3.7.7 features seven bug fixes and improvements, and dependency upgrades to Logback 1.2.8, Log4j 2.16.0, and the camel-nsq and camel-corda components. More details may be found in the release notes.
Maintaining alignment with Quarkus, Apache also released Camel Quarkus 2.6.0 containing Camel 3.14.0, Quarkus 2.6.0.Final and JFR native support.
Apache Tika
Apache Tika, formerly a subproject of Apache Lucene, has released version 2.2.1 of its metadata extraction toolkit. This latest version includes an upgrade to Log4j 2.17.0 and a critical fix for an Office Open XML (docx/pptx/xlsx) regression that was introduced in version 2.2.0. Further details may be found in the release notes.
GraalVM Native Build Tools
On the road to version 1.0, Oracle Labs has released version 0.9.9 of Native Build Tools, a GraalVM project consisting of plugins for interoperability with GraalVM Native Image. This latest release provides fixes for the Gradle plug-in, namely: leniency with the resource detection mechanism if a classpath entry is missing; a proper native inference task associated with custom binaries, i.e., binaries outside of the main and test binaries; and a rework on the operation of disabling toolchain detection.