This week's Java roundup for April 8th, 2024, features news highlighting: JobRunr 7.0; introducing the Commonhaus Foundation; the April 2024 edition of Payara Platform; JEP 473, Stream Gatherers (Second Preview), and JEP 469, Vector API (Eighth Incubator), Proposed to Target for JDK 23; and Devnexus 2024.
OpenJDK
Less than a week after having been declared a candidate, JEP 473, Stream Gatherers (Second Preview), has been promoted from Candidate to Proposed to Target for JDK 23. This JEP proposes a second round of preview from the previous round, namely: JEP 461, Stream Gatherers (Preview), delivered in JDK 22. This will allow additional time for feedback and more experience with this feature with no user-facing changes over JEP 461. This feature was designed to enhance the Stream API to support custom intermediate operations that will "allow stream pipelines to transform data in ways that are not easily achievable with the existing built-in intermediate operations." More details on this JEP may be found in the original design document and this InfoQ news story. The review is expected to conclude on April 16, 2024.
Similarly, JEP 469, Vector API (Eighth Incubator) has been promoted from Candidate to Proposed to Target for JDK 23. This JEP incorporates enhancements in response to feedback from the previous seven rounds of incubation: JEP 460, Vector API (Seventh Incubator), delivered in JDK 22; JEP 448, Vector API (Sixth Incubator), delivered in JDK 21; JEP 438, Vector API (Fifth Incubator), delivered in JDK 20; JEP 426, Vector API (Fourth Incubator), delivered in JDK 19; JEP 417, Vector API (Third Incubator), delivered in JDK 18; JEP 414, Vector API (Second Incubator), delivered in JDK 17; and JEP 338, Vector API (Incubator), delivered as an incubator module in JDK 16. Originally slated to be a re-incubation by reusing the original Incubator status, it was decided to keep enumerating. The Vector API will continue to incubate until the necessary features of Project Valhalla become available as preview features. At that time, the Vector API team will adapt the Vector API and its implementation to use them, and will promote the Vector API from Incubation to Preview. The review is expected to conclude on April 16, 2024.
JEP 475, Late Barrier Expansion for G1, has been promoted from its JEP Draft to Candidate status. This JEP proposes to simplify the implementation of the G1 garbage collector's barriers, which record information about application memory accesses, by shifting their expansion from early in the C2 JIT's compilation pipeline to later. The goal is to reduce the execution time of C2 when using the G1 collector.
JDK 23
Build 18 of the JDK 23 early-access builds was made available this past week featuring updates from Build 17 that include fixes for various issues. Further details on this release may be found in the release notes.
Spring Framework
The first milestone release of Spring Framework 6.2.0 delivers bug fixes, improvements in documentation, dependency upgrades and numerous new features such as: replace use of the deprecated Jakarta Expression Language ELContext class in favor of the Jakarta Pages VariableResolver interface in the JspPropertyAccessor; an improved DefaultMessageListenerContainer class to support first-class virtual threads; and the addition of configuration and exposure of the Java DataSource interface to the LocalEntityManagerFactoryBean class. More details on this release may be found in the release notes.
Similarly, versions 6.1.6, 6.0.19 and 5.3.34 of Spring Framework have been released to primarily address CVE-2024-22262, Spring Framework URL Parsing with Host Validation (3rd report), a vulnerability in which applications that use the UriComponentsBuilder class to parse an externally provided URL and perform validation checks on the host of the parsed URL, may be vulnerable to an open redirect attack or a server-side-request forgery attack if the URL is used after passing validation checks. This CVE is the same as CVE-2024-22259 and CVE-2024-22243, but with different input. New features include: log column types that aren’t supported by the database driver in the getResultSetValue() method defined in the JdbcUtils class; avoid cloning an empty array of instances of the Annotation interface in the TypeDescriptor class; and consistent support for generic FactoryBean type matching when using the getBeanProvider() method defined in the DefaultListableBeanFactory class. More details on these releases may be found in the release notes for version 6.1.6, version 6.0.19 and version 5.3.34.
The first release candidate of Spring Data 2024.0.0 provides new features: support for value expressions for improved in expressions in entity- and property-related annotations that aligns with Spring Framework @Value annotation; and compatibility with the new MongoDB 5.0 driver containing a deprecated API that has now been removed. There were also upgrades to sub-projects such as: Spring Data Commons 3.3.0-RC1; Spring Data MongoDB 4.3.0-RC1; Spring Data Elasticsearch 5.3.0-RC1; and Spring Data Neo4j 7.3.0-RC1. More details on this release may be found in the release notes.
Similarly, versions 2023.1.5 and 2023.0.11 of Spring Data have been released providing bug fixes and respective dependency upgrades to sub-projects such as: Spring Data Commons 3.2.5 and 3.1.11; Spring Data MongoDB 4.2.5 and 4.1.11; Spring Data Elasticsearch 5.2.5 and 5.1.11; and Spring Data Neo4j 7.2.5 and 7.1.11. These versions may also be consumed by the upcoming releases of Spring Boot 3.2.5 and 3.1.11, respectively.
Versions 2.3.0-RC1, 2.2.2 and 2.1.5 of Spring HATEOAS have been released to primarily upgrade to the latest releases of Spring Framework that address the aforementioned CVE-2024-22262 along with dependency upgrades to Project Reactor 2023.0.5 and Lombok 1.18.32. More details on these releases may be found in the release notes for version 2.3.0-RC1, version 2.2.2 and version 2.1.5.
Sergi Almar, Java and Spring software engineer and Spring I/O organizer, has introduced the Spring Builders initiative, an environment for Spring Framework developers to learn, present their Spring-related work, and connect with other Spring developers.
Payara
Payara has released their April 2024 edition of the Payara Platform that includes Community Edition 6.2024.4 and Enterprise Edition 6.13.0. Both editions feature a security fix for CVE-2023-4043, a vulnerability in which parsing JSON from untrusted sources would allow attackers to exploit the built-in support for parsing numbers with large scale to exploit the number of edge cases where the input text of a number can lead to much larger processing time than one would expect.
There were also a number of component upgrades and a resolution to a NullPointerException using profiled settings with MicroProfile Config. More details on these releases may be found in the release notes for Community Edition 6.2024.4 and Enterprise Edition 6.13.0.
Open Liberty
IBM has released version 24.0.0.4-beta of Open Liberty featuring: support for JDK 22 and an updated preview of Jakarta Data that includes the recent 1.0.0-M3 release in which the static metamodel was introduced. This allows for more type-safe usage, and the ability to define repository find methods with the @Find annotation.
Micronaut
The Micronaut Foundation has released version 4.3.8 of the Micronaut Framework featuring Micronaut Core 4.3.14, bug fixes, improvements in documentation, and updates to modules: Micronaut Security and Micronaut SQL Libraries. Further details on this release may be found in the release notes.
Quarkus
Quarkus 3.9.3, the second maintenance release (3.9.0 was skipped), features notable fixes such as: the inability to access any of the static resources defined in an application using REST and servlets with a custom implementation of the Jakarta RESTful Web Services ExceptionMapper interface; and routing for the index.html file fails with a HTTP status code 404 for directories. More details on this release may be found in the changelog.
Helidon
The release of Helidon 4.0.7 provides notable changes such as: a disabled instance of the OidcFeature class no longer throws a NullPointerException; properly return Optional.empty() for a current span if there is no current OpenTelemetry span; and avoid using replicated default values for lists when creating from the corresponding builder pattern or instances. More details on this release may be found in the release notes.
WildFly
The first beta release of WildFly 32 features bug fixes, component upgrades and improvements such as: integrate the Open Worldwide Application Security Project (OWASP) dependency check plugin into the WildFly build; mark as optional or remove references to the deprecated Jakarta Annotations @ManagedBean annotation; and the removal of some outdated Quickstart examples. More details on this release may be found in the release notes.
Apache Software Foundation
The first milestone release of Apache TomEE 10.0.0 delivers bug fixes, dependency upgrades and new features: a MicroProfile OpenAPI Reader example; and improved logging when failing to load a class. There was also a resolution to CVE-2023-35116, a vulnerability in Jackson Databind 2.15.2 and below such that an attacker can craft an object that uses cyclic dependencies that may result in a denial of service. More details on this release may be found in the release notes.
Micrometer
Version 1.13.0-RC1 of Micrometer Metrics ships with dependency upgrades and new features such as: allow for customizing Prometheus properties via the PrometheusConfig interface; announce that configuration for an instance of the OtlpMeterRegistry class has been found at startup; and a new constructor containing a logger name for the WarnThenDebugLogger class for metadata discrepancy logging. More details on this release may be found in the release notes.
Similarly, versions 1.12.5 and 1.11.11 of Micrometer Metrics 1.12.5 provide dependency upgrades and new features such as: use the same description for the same meter name in Log4j2Metrics class; and deprecate the DefaultUriMapper and PoolingHttpClientConnectionManagerMetricsBinder classes in httpcomponents package as they seem to have been missed when deprecating other classes in the same package. More details on these releases may be found in the version 1.12.5 and version 1.11.11.
Versions 1.3.0-RC1, 1.2.5 and 1.1.12 of Micrometer Tracing provide dependency upgrades to version 1.13.0-RC1, 1.12.5 and 1.11.11 of Micrometer Metrics. More details on these releases may be found in the release notes for version 1.3.0-RC1, version 1.2.5 and version 1.1.12
Project Reactor
The first milestone release of Project Reactor 2024.0.0 provides dependency upgrades to reactor-core 3.7.0-M1 and reactor-netty 1.2.0-M1. There was also a realignment to version 2024.0.0-M1 with the reactor-kafka 1.4.0-M1, reactor-pool 1.1.0-M1, reactor-addons 3.6.0-M1 and reactor-kotlin-extensions 1.3.0-M1 artifacts that remain unchanged. More details on this release may be found in the changelog.
Next, Project Reactor 2023.0.5, the fifth maintenance release, provides dependency upgrades to reactor-core 3.6.5 and reactor-netty 1.1.18. There was also a realignment to version 2023.0.5 with the reactor-kafka 1.3.23, reactor-pool 1.0.5, reactor-addons 3.5.1 and reactor-kotlin-extensions 1.2.2 artifacts that remain unchanged. More details on this release may be found in the changelog.
Next, Project Reactor 2022.0.18, the eighteenth maintenance release, provides dependency upgrades to reactor-core 3.5.16 and reactor-netty 1.1.18. There was also a realignment to version 2022.0.18 with the reactor-kafka 1.3.23, reactor-pool 1.0.5, reactor-addons 3.5.1 and reactor-kotlin-extensions 1.2.2 artifacts that remain unchanged. Further details on this release may be found in the changelog.
And finally, the release of Project Reactor 2020.0.43, codenamed Europium-SR43, provides dependency upgrades to reactor-core 3.4.37 and reactor-netty 1.0.44. There was also a realignment to version 2020.0.43 with the reactor-kafka 1.3.23, reactor-pool 0.2.12, reactor-addons 3.4.10, reactor-kotlin-extensions 1.1.10 and reactor-rabbitmq 1.5.6 artifacts that remain unchanged. More details on this release may be found in the changelog.
Hibernate
The second release candidate of Hibernate ORM 6.5.0 delivers bug fixes and improvements such as: improved use of Java time objects and timezone offsets that are now directly marshaled through the JDBC driver as defined by JDBC 4.2; a new layout to configure the format in which query results are stored in the query cache; and support for a Java record to be used as a parameter in the Jakarta Persistence @IdClass annotation. This release also provides a technical preview of the new Jakarta Data specification based on the Hibernate annotation processor.
Versions 7.1.1.Final, 7.0.1.Final and 6.2.4.Final of Hibernate Search, all maintenance releases, ship with dependency upgrades and notable changes such as: update potentially misleading error message about the minimum Elasticsearch version required for vector search capabilities; a resolution to possible issues with mass indexing when an ORM discriminator multi-tenancy is in use; and correct supported Java version discrepancies in the reference documentation. More details on this release may be found in the release notes.
The Hibernate team has also announced that it has joined the Commonhaus Foundation, a new foundation described below.
JobRunr
After two release candidates, version 7.0 of JobRunr, a utility to perform background processing in Java, has been released to the Java community. New functionality and improvements include: built-in support for virtual threads that are enabled by default when using JDK 21; the InMemoryStorageProvider class now allows for a poll interval as small as 200ms that is useful for testing; and the ability to configure the shutdown period of BackgroundJobServer class. Breaking changes include: the delete(String id) method in the JobScheduler class has been renamed to deleteRecurringJob(String id); and updates to the StorageProvider interface and the Page and PageRequest classes that include new features. More details on this release may be found in the release notes. InfoQ will follow up with a more detailed news story.
Infinispan
Infinispan 15.0.1.Final, the first maintenance release, provide notable changes such as: avoid a server shutdown upon an error with Infinispan Insights; and a resolution to the SoftIndexFileStore API pointing to a non-existent data location upon clearing the index; and. More details on this release may be found in the changelog.
Piranha
The release of Piranha 24.4.0 delivers notable changes such as: the addition of coreprofile start, coreprofile run and coreprofile stop commands to the Piranha CLI; a rebrand of Payara Uber, the wrapper that will allow developers to run everything in a JAR file, to Payara Fin; and expose the --https-keystore-file and --https-keystore-password parameters to the Maven plugin. Further details on this release may be found in their documentation and issue tracker.
JDKUpdater
Versions 14.0.39+63 and 14.0.39+61 of JDKUpdater, a new utility that provides developers the ability to keep track of updates related to builds of OpenJDK and GraalVM. Introduced in mid-March by Gerrit Grunwald, principal engineer at Azul, these releases include updates such as: initial support of a download feature that enables developers to download JDKs from different vendors; change the menu bar icon to SVG format which will allow an automatic switch of colors depending on the text color of the menu bar; and move the switches for SDKMAN!, JBang, Homebrew and Nix to separate screen settings. More details on this release may be found in the release notes.
JReleaser
April 10, 2024 marked the third anniversary of JReleaser, a release automation tool for Java and non-Java projects with the goal to simplify creating releases and publishing artifacts to multiple package managers while providing customizable options. Created by Andres Almiray, senior principal product manager at Oracle, this anniversary was celebrated with the announcement that JReleaser has joined the Commonhaus Foundation, a new foundation described below.
Apache Software Foundation
Versions 5.0.0-alpha-8 and 4.0.21 of Apache Groovy feature bug fixes, dependency upgrades and improvements such as: support for JDK 23; and a new meta instance of the Closure abstract class to enhance SQL metadata access for the five variants of the execute method. More details on these releases may be found in the release notes for version 5.0.0-alpha-8 and version 4.0.21.
JHipster
The release of JHipster 8.3.0 provides bug fixes, dependency upgrades to Spring Boot 3.2.4 and Gradle 8.7, and notable changes such as: a replacement of the jhipster-dependencies in favor of Spring Boot’s dependency management; experimental support for Spring Cloud Gateway MVC; and an improvement in Spring context caching during tests. More details on this release may be found in the release notes.
JetBrains Ktor
JetBrains has released version 2.3.10 of Ktor, the asynchronous framework for creating microservices and web applications, that include improvements and fixes such as: a resolution to inconsistent behavior of Netty that return null or an empty string for query parameters without values; support for IPv6 addresses in the NettyConnectionPoint and CIOConnectionPoint classes; and support for the ZIP64 format to overcome limitation of 65535 entries. More details on this release may be found in the changelog.
Commonhaus Foundation
The Commonhaus Foundation, a new non-profit organization dedicated to the sustainability of open source libraries and frameworks, was introduced to the Java community this past week to provide succession planning and fiscal support for self-governing open-source projects.
Their mission is to:
Empower a diverse community of developers, contributors, and users to create, maintain, and evolve open source libraries and frameworks, ensuring long-term growth and stability through shared stewardship and community collaboration.
Founders Erin Schnabel, distinguished engineer at Red Hat, Ken Finnigan, OpenTelemetry architect at Lumigo, and Cesar Saavedra, senior technical marketing manager at GitLab, will serve as chair, secretary and treasurer, respectively.
Open source projects having already joined Commonhaus at its launch include Hibernate, Jackson, OpenRewrite, JBang, JReleaser, and Morphia.
Devnexus
The 20th edition of Devnexus 2024, held at the Georgia World Congress Center in Atlanta, Georgia, this past week, featured speakers from the Java community who delivered workshops and talks on topics such as: Jakarta EE, Java Platform, Core Java, Architecture, Cloud Infrastructure and Security.
Devnexus, hosted by the Atlanta Java Users Group (AJUG), has a history that dates back to 2004 when the conference was originally called DevCon. The Devnexus name was introduced in 2010.
The conference also featured on-site live interviews with speakers interested in participating. Entitled DevOps Speakeasy and Build Propulsion Lab, these interviews were facilitated by employees representing JFrog and Gradle, respectively. An example interview that has already been published, Brian Demers, developer advocate at Gradle, interviewed Matt Brown, solutions architect at Endor Labs. InfoQ will follow up with a more detailed news story.