Sourced from junit:junit's releases.

JUnit 4.13.1

Please refer to the release notes for details.

Sourced from junit:junit's changelog.

Summary of changes in version 4.13.1

Rules

Security fix: TemporaryFolder now limits access to temporary folders on Java 1.7 or later

A local information disclosure vulnerability in TemporaryFolder has been fixed. See the published security advisory for details.

Test Runners

[Pull request #1669:](junit-team/junit#1669) Make FrameworkField constructor public

Prior to this change, custom runners could make FrameworkMethod instances, but not FrameworkField instances. This small change allows for both now, because FrameworkField's constructor has been promoted from package-private to public.

• 1b683f4 [maven-release-plugin] prepare release r4.13.1
• ce6ce3a Draft 4.13.1 release notes
• c29dd82 Change version to 4.13.1-SNAPSHOT
• 1d17486 Add a link to assertThrows in exception testing
• 543905d Use separate line for annotation in Javadoc
• 510e906 Add sub headlines to class Javadoc
• 610155b Merge pull request from GHSA-269g-pwp5-87pp
• b6cfd1e Explicitly wrap float parameter for consistency (#1671)
• a5d205c Fix GitHub link in FAQ (#1672)
• 3a5c6b4 Deprecated since jdk9 replacing constructor instance of Double and Float (#1660)
• Additional commits viewable in compare view

• See full diff in compare view

Sourced from com.squareup.okio:okio's changelog.

Version 3.4.0

2023-07-07

• New: Adapt a Java NIO FileSystem (java.nio.file.FileSystem) as an Okio FileSystem using fileSystem.asOkioFileSystem().
• New: Adapt Android’s AssetManager as an Okio FileSystem using AssetFileSystem. This is in the new okio-assetfilesystem module. Android applications should prefer this over FileSystem.RESOURCES as it’s faster to load.
• Fix: Don't crash decoding GZIP files when the optional extra data (XLEN) is 32 KiB or larger.
• Fix: Resolve symlinks in FakeFileSystem.canonicalize().
• Fix: Report the correct createdAtMillis in NodeJsFileSystem file metadata. We were incorrectly using ctimeMs, where c means changed, not created.
• Fix: UnsafeCursor is now Closeable.

Version 3.3.0

2023-01-07

• Fix: Don't leak resources when use {} is used with a non-local return. We introduced this performance and stability bug by not considering that non-local returns execute neither the return nor catch control flows.
• Fix: Use a sealed interface for BufferedSink and BufferedSource. These were never intended for end-users to implement, and we're happy that Kotlin now allows us to express that in our API.
• New: Change internal locks from synchronized to ReentrantLock and Condition. We expect this to improve help when using Okio with Java virtual threads ([Project Loom][loom]).
• Upgrade: [Kotlin 1.8.0][kotlin_1_8_0].

Version 3.2.0

2022-06-26

• Fix: Configure the multiplatform artifact (com.squareup.okio:okio:3.x.x) to depend on the JVM artifact (com.squareup.okio:okio-jvm:3.x.x) for Maven builds. This should work-around an issue where Maven doesn't interpret Gradle metadata.
• Fix: Change CipherSource and CipherSink to recover if the cipher doesn't support streaming. This should work around a crash with AES/GCM ciphers on Android.
• New: Enable compatibility with non-hierarchical projects.

Version 3.1.0

2022-04-19

• Upgrade: [Kotlin 1.6.20][kotlin_1_6_20].
• New: Support [Hierarchical project structure][hierarchical_projects]. If you're using Okio in a multiplatform project please upgrade your project to Kotlin 1.6.20 (or newer) to take advantage of this. With hierarchical projects it's easier to use properties like FileSystem.SYSTEM that

... (truncated)

• a161b07 Prepare for release 3.4.0.
• c5f462b Copyright to files in build-support (#1285)
• f21714d Upgrade Gradle and JMH (#1283)
• 5f5db4a Merge pull request #1284 from square/renovate/com.google.jimfs
• 8af8d2a Update dependency com.google.jimfs:jimfs to v1.3.0
• b64c198 Update dependency com.vanniktech:gradle-maven-publish-plugin to v0.25.3 (#1282)
• ea82713 Merge pull request #1281 from square/renovate/gradle-7.x
• 3569daa Update dependency gradle to v7.6.2
• e937a50 Merge pull request #1277 from sifmelcara/fix-int-sign-conversion
• 81bce1a Fix a bug where xlen larger than 0x7fff was rejected (#1280)
• Additional commits viewable in compare view

Sourced from com.github.tomakehurst:wiremock-jre8-standalone's releases.

2.35.1 - Security Release

🔒 This is a security release that addresses the following issues

• CVE-2023-41327 - Controlled SSRF through URL in the WireMock Webhooks Extension and WireMock Studio
  • Overall CVSS Score: 4.6 (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L/E:F/RL:O/RC:C)
• CVE-2023-41329 - Domain restrictions bypass via DNS Rebinding in WireMock and WireMock Studio webhooks, proxy and recorder modes
  • Overall CVSS Score: 3.9 (AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C)

NOTE: WireMock Studio, a proprietary distribution discontinued in 2022, is also affected by those issues and also affected by CVE-2023-39967 - Overall CVSS Score 8.6 - “Controlled and full-read SSRF through URL parameter when testing a request, webhooks and proxy mode”. The fixes will not be provided. The vendor recommends migrating to WireMock Cloud which is available as SaaS and private beta for on-premises deployments

Credits: @​W0rty, @​numacanedo, @​Mahoney, @​tomakehurst, @​oleg-nenashev

2.35.0

Enhancements

• Add a negative contains matcher - thanks Damian Orzepowski
• Expose a Java API method for removing stubs by ID - thanks Patryk Fraczek
• Document the import API in the OpenAPI doc - thanks to user i-whammy
• Added the ability to restrict the addresses WireMock can proxy/record to, as a security measure.

Fixes

• Strip Maven directories from the standalone JAR as some were appearing that weren't related to dependencies actually present, confusing scanning tools - thanks to user krageon
• Dropped back to slf4j 1.7.36 and relocate it in the standalone JAR (ensuring 2.x users won't experience conflicts).

2.34.0

This will be the final 2.x.x release and also the last to support Java 8.

Fixes

• Fixed #1689 - incorrect HTTP version header - thanks to user Poojitha
• Fixed #1882 - bug preventing matching of date/time query params/headers with custom format - thanks Klaas Dellschaft
• #1930 - Fixed a partial path traversal vulnerability in the file source code - thanks Jonathan Leitschuh
• Fixed #1783 - proxyUrlPrefixToRemove ignored when using a response definition transformer - thanks to user Ross-H-Projects
• Fixed #1872 - create a request entity for POST, PUT etc. proxied requests when a content-length header is present, regardless of whether the size is 0.
• Fixed #1946 - maths helper now supports epoch dates as inputs.

Enhancements

• Added a public, non-static getScenarios() method allowing access to all scenarios.

All dependencies brought up to date including Jetty to 9.4.48.v20220622.

2.33.2

WireMock 2.33.1 was accidentally released using Java 11 rather than 8, resulting in class incompatibilities in places.

This release is functionally identical but built using Java 8.

2.33.1

Fixes

... (truncated)

• 8706343 Bumped patch version
• 20adc25 Stop NetworkAddressRules doing DNS lookups
• aa29d9c Make NetworkAddressRulesAdheringDnsResolver testable
• 90a37e1 Applied DNS resolver enforcement to webhooks extension
• d9fd0b4 Moved enforcement of network address rules to Apache client DNS resolver to a...
• eac439f Prevent webhook calling forbidden endpoints
• 9ba86d6 Rename poorly named method
• ef5b722 spotless apply
• 5412ed1 Fixed some formatting in NetworkAddressRulesTest
• 295ad5c Added some extra NetworkAddressRules test cases
• Additional commits viewable in compare view

Sourced from com.google.code.gson:gson's releases.

Gson 2.8.9

• Make OSGi bundle's dependency on sun.misc optional (#1993).
• Deprecate Gson.excluder() exposing internal Excluder class (#1986).
• Prevent Java deserialization of internal classes (#1991).
• Improve number strategy implementation (#1987).
• Fix LongSerializationPolicy null handling being inconsistent with Gson (#1990).
• Support arbitrary Number implementation for Object and Number deserialization (#1290).
• Bump proguard-maven-plugin from 2.4.0 to 2.5.1 (#1980).
• Don't exclude static local classes (#1969).
• Fix RuntimeTypeAdapterFactory depending on internal Streams class (#1959).
• Improve Maven build (#1964).
• Make dependency on java.sql optional (#1707).

Gson 2.8.8

• Fixed issue with recursive types (#1390).
• Better behaviour with Java 9+ and Unsafe if there is a security manager (#1712).
• EnumTypeAdapter now works better when ProGuard has obfuscated enum fields (#1495).

Sourced from com.google.code.gson:gson's changelog.

Version 2.8.9

• Make OSGi bundle's dependency on sun.misc optional (google/gson#1993).
• Deprecate Gson.excluder() exposing internal Excluder class (google/gson#1986).
• Prevent Java deserialization of internal classes (google/gson#1991).
• Improve number strategy implementation (google/gson#1987).
• Fix LongSerializationPolicy null handling being inconsistent with Gson (google/gson#1990).
• Support arbitrary Number implementation for Object and Number deserialization (google/gson#1290).
• Bump proguard-maven-plugin from 2.4.0 to 2.5.1 (google/gson#1980).
• Don't exclude static local classes (google/gson#1969).
• Fix RuntimeTypeAdapterFactory depending on internal Streams class (google/gson#1959).
• Improve Maven build (google/gson#1964).
• Make dependency on java.sql optional (google/gson#1707).

Version 2.8.8

• Fixed issue with recursive types (google/gson#1390).
• Better behaviour with Java 9+ and Unsafe if there is a security manager (google/gson#1712).
• EnumTypeAdapter now works better when ProGuard has obfuscated enum fields (google/gson#1495).

Version 2.8.7

• Fixed ISO8601UtilsTest failing on systems with UTC+X.
• Improved javadoc for JsonStreamParser.
• Updated proguard.cfg (google/gson#1693).
• Fixed IllegalStateException in JsonTreeWriter (google/gson#1592).
• Added JsonArray.isEmpty() (google/gson#1640).
• Added new test cases (google/gson#1638).
• Fixed OSGi metadata generation to work on JavaSE < 9 (google/gson#1603).

• 6a368d8 [maven-release-plugin] prepare release gson-parent-2.8.9
• ba96d53 Fix missing bounds checks for JsonTreeReader.getPath() (#2001)
• ca1df7f #1981: Optional OSGi bundle's dependency on sun.misc package (#1993)
• c54caf3 Deprecate Gson.excluder() exposing internal Excluder class (#1986)
• e6fae59 Prevent Java deserialization of internal classes (#1991)
• bda2e3d Improve number strategy implementation (#1987)
• cd748df Fix LongSerializationPolicy null handling being inconsistent with Gson (#1990)
• fe30b85 Support arbitrary Number implementation for Object and Number deserialization...
• 1cc1627 Fix incorrect feature request template label (#1982)
• 7b9a283 Bump bnd-maven-plugin from 5.3.0 to 6.0.0 (#1985)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.