This week's Java roundup for January 29th, 2024, features news highlighting: LibericaJDK 21 with support for RISC-V, January release of Payara Platform, Gradle 8.6, LangChain4j 0.26, GraalVM Native Build Tools 0.10, and multiple releases of Open Liberty and Eclipse Vert.x.
OpenJDK
Brian Goetz, Java Language Architect at Oracle, has submitted JEP Draft 8324965, Class-File API (Second Preview), for a second round of preview to obtain feedback from the previous round of preview: JEP 457, Class-File API (Preview), to be delivered in the upcoming release of JDK 22. This JEP proposes to provide an API for parsing, generating, and transforming Java class files. This will initially serve as an internal replacement for ASM, the Java bytecode manipulation and analysis framework, in the JDK with plans to have it opened as a public API. Goetz has characterized ASM as "an old codebase with plenty of legacy baggage" and provided background information on how this draft will evolve and ultimately replace ASM.
JDK 23
Build 8 of the JDK 23 early-access builds was made available this past week featuring updates from Build 7 that include fixes for various issues. More details on this release may be found in the release notes.
JDK 22
Build 34 of the JDK 22 early-access builds was also made available this past week featuring updates from Build 33 that include fixes to various issues. Further details on this build may be found in the release notes.
For JDK 23 and JDK 22, developers are encouraged to report bugs via the Java Bug Database.
GlassFish
GlassFish 7.0.12, the twelfth maintenance release, was primarily focused on finding and fixing the root cause of several "strange" WebSocket-related bugs that had been witnessed in the past. New features include: an optimization of the servlet caching filter that eliminates possible unnecessary multiple loads of the same resource under high request rate; a new Transport Layer Security (TLS) checkbox in AdminGUI; and a new --debug
option to the start-cluster
command, analogous to the start-domain
and start-instance
commands, to start all instances in debug mode. More details on this release may be found in the release notes.
GraalVM
Oracle Labs has released version 0.10.0 of Native Build Tools, a GraalVM project consisting of plugins for interoperability with GraalVM Native Image. This latest release provides: improvements in documentation; dependency upgrades; support for concurrency with test arrays in the workflow matrix; and a reduction in the time required for each test execution. Further details on this release may be found in the changelog.
Spring Framework
Spring Cloud 2022.0.5, codenamed Kilburn, has been released featuring updates to sub-projects such as: Spring Cloud Vault 4.0.2, Spring Cloud Kubernetes 3.0.5, Spring Cloud OpenFeign 4.0.6 and Spring Cloud Config 4.0.5. There are, however, breaking changes that include: removal of auto-configuration for the Spring Cloud LoadBalancer due to the removal of the AsyncRestTemplate
class in Spring Framework 6; removal of the property, spring.cloud.kubernetes.enabled
, in favor of applying the Spring Boot @ConditionalOnCloudPlatform
annotation; and a migration to Spring Security OAuth2 client for OAuth2 support. More details on this release may be found in the release notes.
Payara
Payara has released their January 2024 edition of the Payara Platform that includes Community Edition 6.2024.1 and Enterprise Edition 6.10.0. Both editions feature bug fixes, component upgrades and support for Payara Micro and Payara Server Docker Images for the ARM architecture. There were also dependency upgrades to Okio 3.4.0 and OkHttp 4.9.2 to address CVE-2023-3635, a vulnerability resulting from a flaw in Okio in which an instance of the GzipSource
class does not handle an exception when parsing a malformed gzip buffer. An attacker can start processing a malformed file, which can result in a denial-of-service. Further details on these releases may be found in the release notes for Community Edition 6.2024.1 and Enterprise Edition 6.10.0.
Open Liberty
IBM has released version 24.0.0.1 of Open Liberty featuring: expanded InstantOn support for specifications and utilities such as Jakarta XML Web Services, Jakarta Mail, Password Utilities, Java Database Connectivity and Application Security; and the ability to verify the authenticity of the Open Liberty public key to check the signature, verify that the package was released by Open Liberty, and that it was not modified since its release.
IBM has also released version 21.0.1.0 of the Open and Certified Editions of IBM Semeru Runtime that are based on Eclipse OpenJ9 0.42 and OpenJDK jdk-21.0.1+12 and contains the latest CPU and security fixes from the Oracle Critical Patch Update for October 2023.
Quarkus
Red Hat has released version 3.7 of Quarkus that delivers bug fixes, dependency upgrades and new features such as: JDK 17 as a baseline; support for the Micrometer @MeterTag
annotation; and support token verification with the inlined certificate chain. This release also addresses: CVE-2023-5675, an authorization flaw with endpoints used in Quarkus RestEasy Reactive and Classic applications customized by Quarkus extensions using the annotation processor; and CVE-2023-6267, an annotation-based security flaw in which the JSON body that a resource may consume is being processed, i.e., deserialized, prior to the security constraints being evaluated and applied. More details on this release may be found in the changelog.
BellSoft
BellSoft has released Liberica JDK 21, their downstream distribution of OpenJDK, with support for the RISC-V architecture due to its increasing popularity in embedded systems. BellSoft states key reasons for choosing Java as a suitable language for RISC-V:
- High performance and small memory footprint, especially when using their Liberica JDK for Embedded Systems.
- Great portability with Java's write once, run anywhere model that eliminates the need to rewrite an application when introducing a new architecture in production.
- Numerous standard libraries for any task keep the developers from writing their implementation for a particular use case.
- Convenient in-built memory management to avoid memory allocation errors.
Further details on BellSoft's assessment on RISC-V's rapid expansion and Java may be found in this article.
Hibernate
The release of Hibernate ORM 6.4.3.Final delivers bug fixes and a new feature that supports Oracle GraalVM for builds using Atlas, a modern tool for managing database schemas. More details on this release may be found in the release notes.
Infinispan
The release of Infinispan 15.0.0.Dev08 ships with numerous dependency upgrades and notable changes such as: a replacement of Square OkHttp with the Java HttpClient
; a move of the TimeoutException
class to the org.infinispan.commons
package to reside in the same package as the CacheException
class; and an update to the JGroupsTransport
class to implement the AddressGenerator
interface that complement the existing Transport
and ChannelListener
interfaces. Further details on this release may be found in the release notes.
Similarly, Infinispan 14.0.23 provides numerous dependency upgrades and notable changes such as: Add options to configure the JGroups bundler to define the transfer-queue
as the default bundler type and disables the TCP SO_LINGER
setting; a resolution in which a replaced value was accidentally resurrected in the testStatsUponRestart()
method defined in the SoftIndexFileStoreRestartTest
; and a resolution to random test failures in the TopologyChangeFunctionalTest
class due to update functions not properly handling retries of state transfer. More details on this release may be found in the release notes.
Grails
The release of Grails 6.1.2 features dependency upgrades and improvements such as: a decoupling in configuration of the Sonatype Nexus Repository publish and release jobs; compatibility with Groovy 3.0.20; and improvements to the release workflow via a separation of tasks in multiple jobs. Further details on this release may be found in the release notes.
TornadoVM
TornadoVM 1.0.1, the first maintenance release, delivers bug fixes and improvements such as: initial support for half-precision data types; support for the ceil()
method defined in the Java Math
class and the addition of a ceil()
method in the TornadoMath
class for all the backends; and enable multi-task multiple device behavior on device selection as part of the TaskGraph
API. More details on this release may be found in the release notes
Eclipse Vert.x
The release of Eclipse Vert.x 4.5.2 ships with notable changes such as: improvements to the HostAndPort
API when dealing with URI authorities; a resolution to the WebSocket
interface exception handling strategy in which the ConnectionBase
exception handler was not properly set in the exceptionHandler()
method; and a deprecation of the prettyMapper()
method defined in the DatabindCodec
class as it is no longer needed. Further details on this release may be found in the release notes and deprecations and breaking changes.
Similarly, the release of Eclipse Vert.x 4.4.7 also ships with notable changes such as: a new Timer
interface, that extends a Vert.x Future
interface, that may be used as a starting point in a future chain or can be used within future compositions; and ensure that an instance of the Task
class is not in the TaskQueue
when it is rejected from a Java Executor
. More details on this release may be found in the release notes.
Both versions address CVE-2024-1023, a vulnerability in the Eclipse Vert.x toolkit that results in a memory leak due to using the data structures provided by the Netty FastThreadLocal
class, especially when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability.
Graal Cloud Native
Version 4.2.1 of Graal Cloud Native (GCN), an Oracle build of the Micronaut Framework, has been released featuring: new guides for Google Cloud; support for JDK 21 and GraalVM Native Image; a new bill of materials with Micronaut Framework 4.2.1; updates to GCN Launcher and the GCN CLI; and updated VS Code tooling. InfoQ will follow up with a more detailed news story.
OpenXava
The release of OpenXava 7.2.3 ships with bug fixes, dependency upgrades and improvements such as: a warning message logged or an exception thrown if the failOnAnnotationMisuse
property is set to true
when using @Condition
for the @ManyToMany
annotation; a warning message logged when an old version of OpenXava is being used; and new common use labels that may be used in applications. Further details on this release may be found in the release notes.
JetBrains Ktor
JetBrains has released version 2.3.8 of Ktor, the asynchronous framework for creating microservices and web applications, that include improvements and fixes such as: a NumberFormatException
when the value of the max-age
property, defined in the CacheControl
class, is greater than Int.MAX_VALUE
; a ReferenceError
due to the self property when using a URLBuilder
in a custom JavaScript engine; and an implementation of the toString() method in the RequestConnectionPoint
interface for improved logging. More details on this release may be found in the changelog.
Keycloak
The release of Keycloak 23.0.5 released delivers bug fixes and new features/enhancements such as: change references of Red Hat Data Grid to Infinispan in the documentation; a resolution to the role mapping tab no longer visible when using fine grained permissions; and an update to the AWS Route 53 guide to be compatible with Red Hat OpenShift Service on AWS (ROSA) and Openshift 4.14.x.
LangChain for Java
Version 0.26.0 of LangChain for Java (LangChain4j) provides many bug fixes, new integrations and new features: a foundation for advanced Retrieval-Augmented Generation (RAG) inspired by this article and this white paper; support for multimodality with an implementation of image inputs in the LangChain4j Chat API along with integrations of OpenAI and Gemini; and the addition of metadata in the execute()
method defined in the ConversationalRetrievalChain
class to allow the user to add extra information when appending the retrieved document information. Further details on this release may be found in the release notes.
Gradle
Gradle 8.6 has been released featuring: support for custom encryption keys in the configuration cache via the GRADLE_ENCRYPTION_KEY
environment variable; improvements in error and warning reporting; improvements in the Build Init Plugin to support various types of projects; and enhanced build authoring for plugin authors and build engineers to develop custom build logic. More details on this release may be found in the release notes.