Bump the maven group across 4 directories with 19 updates

[dependabot]

Bumps the maven group with 19 updates in the / directory:

Package	From	To
xalan:xalan	2.7.1	2.7.3
org.codehaus.groovy:groovy-all	2.3.11	2.4.21
commons-net:commons-net	3.0.1	3.9.0
commons-io:commons-io	2.1	2.14.0
commons-fileupload:commons-fileupload	1.3.3	1.5
org.apache.commons:commons-email	1.4	1.5
org.apache.xmlgraphics:xmlgraphics-commons	2.3	2.6
org.apache.xmlgraphics:batik-transcoder	1.10	1.17
xerces:xercesImpl	2.11.0	2.12.2
com.google.guava:guava	24.1.1-jre	32.0.0-jre
com.h2database:h2	1.3.174	2.2.220
org.springframework.data:spring-data-jpa	1.4.1.RELEASE	1.11.22.RELEASE
org.apache.pdfbox:pdfbox	2.0.19	2.0.24
org.jsoup:jsoup	1.14.3	1.15.3
org.json:json	20140107	20231013
org.owasp.esapi:esapi	2.3.0.0	2.6.0.0
com.amazonaws:aws-java-sdk-s3	1.11.618	1.12.261
com.google.code.gson:gson	2.7	2.8.9
com.jayway.jsonpath:json-path	2.4.0	2.9.0

Bumps the maven group with 15 updates in the /common directory:

Package	From	To
xalan:xalan	2.7.1	2.7.3
org.codehaus.groovy:groovy-all	2.3.11	2.4.21
commons-net:commons-net	3.0.1	3.9.0
commons-io:commons-io	2.1	2.14.0
commons-fileupload:commons-fileupload	1.3.3	1.5
org.apache.commons:commons-email	1.4	1.5
org.apache.xmlgraphics:xmlgraphics-commons	2.3	2.6
org.apache.xmlgraphics:batik-transcoder	1.10	1.17
xerces:xercesImpl	2.11.0	2.12.2
com.google.guava:guava	24.1.1-jre	32.0.0-jre
com.h2database:h2	1.3.174	2.2.220
org.springframework.data:spring-data-jpa	1.4.1.RELEASE	1.11.22.RELEASE
org.apache.pdfbox:pdfbox	2.0.19	2.0.24
org.jsoup:jsoup	1.14.3	1.15.3
org.json:json	20140107	20231013

Bumps the maven group with 16 updates in the /core directory:

Package	From	To
xalan:xalan	2.7.1	2.7.3
org.codehaus.groovy:groovy-all	2.3.11	2.4.21
commons-net:commons-net	3.0.1	3.9.0
commons-io:commons-io	2.1	2.14.0
commons-fileupload:commons-fileupload	1.3.3	1.5
org.apache.commons:commons-email	1.4	1.5
org.apache.xmlgraphics:xmlgraphics-commons	2.3	2.6
org.apache.xmlgraphics:batik-transcoder	1.10	1.17
xerces:xercesImpl	2.11.0	2.12.2
com.google.guava:guava	24.1.1-jre	32.0.0-jre
com.h2database:h2	1.3.174	2.2.220
org.springframework.data:spring-data-jpa	1.4.1.RELEASE	1.11.22.RELEASE
org.apache.pdfbox:pdfbox	2.0.19	2.0.24
org.jsoup:jsoup	1.14.3	1.15.3
org.owasp.esapi:esapi	2.3.0.0	2.6.0.0
com.amazonaws:aws-java-sdk-s3	1.11.618	1.12.261

Bumps the maven group with 16 updates in the /services directory:

Package	From	To
xalan:xalan	2.7.1	2.7.3
org.codehaus.groovy:groovy-all	2.3.11	2.4.21
commons-net:commons-net	3.0.1	3.9.0
commons-io:commons-io	2.1	2.14.0
commons-fileupload:commons-fileupload	1.3.3	1.5
org.apache.commons:commons-email	1.4	1.5
org.apache.xmlgraphics:xmlgraphics-commons	2.3	2.6
org.apache.xmlgraphics:batik-transcoder	1.10	1.17
xerces:xercesImpl	2.11.0	2.12.2
com.google.guava:guava	24.1.1-jre	32.0.0-jre
com.h2database:h2	1.3.174	2.2.220
org.springframework.data:spring-data-jpa	1.4.1.RELEASE	1.11.22.RELEASE
org.apache.pdfbox:pdfbox	2.0.19	2.0.24
org.jsoup:jsoup	1.14.3	1.15.3
com.google.code.gson:gson	2.7	2.8.9
com.jayway.jsonpath:json-path	2.4.0	2.9.0

Updates xalan:xalan from 2.7.1 to 2.7.3

Updates org.codehaus.groovy:groovy-all from 2.3.11 to 2.4.21

Commits

• See full diff in compare view

Updates commons-net:commons-net from 3.0.1 to 3.9.0

Updates commons-io:commons-io from 2.1 to 2.14.0

Updates commons-fileupload:commons-fileupload from 1.3.3 to 1.5

Updates org.apache.commons:commons-email from 1.4 to 1.5

Updates org.apache.xmlgraphics:xmlgraphics-commons from 2.3 to 2.6

Updates org.apache.xmlgraphics:batik-transcoder from 1.10 to 1.17

Updates xerces:xercesImpl from 2.11.0 to 2.12.2

Updates com.google.guava:guava from 24.1.1-jre to 32.0.0-jre

Release notes

Sourced from com.google.guava:guava's releases.

32.0.0

Maven

<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
  <version>32.0.0-jre</version>
  <!-- or, for Android: -->
  <version>32.0.0-android</version>
</dependency>

Jar files

• 32.0.0-jre.jar
• 32.0.0-android.jar

Guava requires one runtime dependency, which you can download here:

• failureaccess-1.0.1.jar

Javadoc

• 32.0.0-jre
• 32.0.0-android

JDiff

• 32.0.0-jre vs. 31.1-jre
• 32.0.0-android vs. 31.1-android
• 32.0.0-android vs. 32.0.0-jre

Changelog

Security fixes

• Reimplemented Files.createTempDir and FileBackedOutputStream to further address CVE-2020-8908 (#4011) and CVE-2023-2976 (#2575). (feb83a1c8f)

While CVE-2020-8908 was officially closed when we deprecated Files.createTempDir in Guava 30.0, we've heard from users that even recent versions of Guava have been listed as vulnerable in other databases of security vulnerabilities. In response, we've reimplemented the method (and the very rarely used FileBackedOutputStream class, which had a similar issue) to eliminate the insecure behavior entirely. This change could technically affect users in a number of different ways (discussed under "Incompatible changes" below), but in practice, the only problem users are likely to encounter is with Windows. If you are using those APIs under Windows, you should skip 32.0.0 and go straight to 32.0.1 which fixes the problem. (Unfortunately, we didn't think of the Windows problem until after the release. And while we warn that common.io in particular may not work under Windows, we didn't intend to regress support.) Sorry for the trouble.

Incompatible changes

Although this release bumps Guava's major version number, it makes no binary-incompatible changes to the guava artifact.

One change could cause issues for Widows users, and a few other changes could cause issues for users in more usual situations:

• The new implementations of Files.createTempDir and FileBackedOutputStream throw an exception under Windows. This is fixed in 32.0.1. Sorry for the trouble.
• guava-gwt now requires GWT 2.10.0.
• This release makes a binary-incompatible change to a @Beta API in the separate artifact guava-testlib. Specifically, we changed the return type of TestingExecutors.sameThreadScheduledExecutor to ListeningScheduledExecutorService. The old return type was a package-private class, which caused the Kotlin compiler to produce warnings. (dafaa3e435)

... (truncated)

Commits

• See full diff in compare view

Updates com.h2database:h2 from 1.3.174 to 2.2.220

Release notes

Sourced from com.h2database:h2's releases.

Version 2.2.220

Changes since 2.1.214 release:

... (truncated)

Commits

• See full diff in compare view

Updates org.springframework.data:spring-data-jpa from 1.4.1.RELEASE to 1.11.22.RELEASE

Updates org.apache.pdfbox:pdfbox from 2.0.19 to 2.0.24

Updates org.jsoup:jsoup from 1.14.3 to 1.15.3

Release notes

Sourced from org.jsoup:jsoup's releases.

jsoup 1.15.3

jsoup 1.15.3 is out now, and includes a security fix for potential XSS attacks, along with other bug fixes and improvements, including more descriptive validation error messages.

Details:

• Security advisory
• Release notes
• Download

jsoup 1.15.2 is out now with a bunch of improvements and bug fixes.

jsoup 1.15.1 is out now with a bunch of improvements and bug fixes.

Changelog

Sourced from org.jsoup:jsoup's changelog.

jsoup changelog

Release 1.15.3 [2022-Aug-24]

• Security: fixed an issue where the jsoup cleaner may incorrectly sanitize crafted XSS attempts if SafeList.preserveRelativeLinks is enabled. GHSA-gp7f-rwcx-9369

• Improvement: the Cleaner will preserve the source position of cleaned elements, if source tracking is enabled in the original parse.

• Improvement: the error messages output from Validate are more descriptive. Exceptions are now ValidationExceptions (extending IllegalArgumentException). Stack traces do not include the Validate class, to make it simpler to see where the exception originated. Common validation errors including malformed URLs and empty selector results have more explicit error messages.

• Bugfix: the DataUtil would incorrectly read from InputStreams that emitted reads less than the requested size. This lead to incorrect results when parsing from chunked server responses, for e.g. jhy/jsoup#1807

• Build Improvement: added implementation version and related fields to the jar manifest. jhy/jsoup#1809

*** Release 1.15.2 [2022-Jul-04]

• Improvement: added the ability to track the position (line, column, index) in the original input source from where a given node was parsed. Accessible via Node.sourceRange() and Element.endSourceRange(). jhy/jsoup#1790

• Improvement: added Element.firstElementChild(), Element.lastElementChild(), Node.firstChild(), Node.lastChild(), as convenient accessors to those child nodes and elements.

• Improvement: added Element.expectFirst(cssQuery), which is just like Element.selectFirst(), but instead of returning a null if there is no match, will throw an IllegalArgumentException. This is useful if you want to simply abort processing if an expected match is not found.

• Improvement: when pretty-printing HTML, doctypes are emitted on a newline if there is a preceding comment. jhy/jsoup#1664

• Improvement: when pretty-printing, trim the leading and trailing spaces of textnodes in block tags when possible, so that they are indented correctly. jhy/jsoup#1798

• Improvement: in Element#selectXpath(), disable namespace awareness. This makes it possible to always select elements by their simple local name, regardless of whether an xmlns attribute was set. jhy/jsoup#1801

• Bugfix: when using the readToByteBuffer method, such as in Connection.Response.body(), if the document has not already been parsed and must be read fully, and there is any maximum buffer size being applied, only the default internal buffer size is read. jhy/jsoup#1774

... (truncated)

Commits

• c596417 [maven-release-plugin] prepare release jsoup-1.15.3
• d2d9ac3 Changelog for URL cleaner improvement
• 4ea768d Strip control characters from URLs when resolving absolute URLs
• 985f1fe Include help link for malformed URLs
• 6b67d05 Improved Validate error messages
• 653da57 Normalized API doc link
• 5ed84f6 Simplified the Test Server startup
• c58112a Set the read size correctly when capped
• fa13c80 Added jar manifest default implementation entries.
• 5b19390 Bump maven-resources-plugin from 3.2.0 to 3.3.0 (#1814)
• Additional commits viewable in compare view

Updates org.json:json from 20140107 to 20231013

Release notes

Sourced from org.json:json's releases.

20231013

Pull Request	Description
#793	Reverted #761
#792	update the docs for release 20231013
#783	optLong vs getLong inconsistencies
#782	Fix XMLTest.testIndentComplicatedJsonObjectWithArrayAndWithConfig() for Windows
#779	add validity check for JSONObject constructors
#778	Fix XMLTest.testIndentComplicatedJsonObjectWithArrayAndWithConfig() for Windows
#776	Update [JUnit to version 4.13.2
#774	Removing unneeded synchronization
#773	Add optJSONArray method to JSONObject with a default value
#772	Disallow nested objects and arrays as keys in objects
#779	Unit test cleanup
#769	Addressed Java 17 compile warnings
#764	Update CodeQL action version
#761	Add module-info
#759	JSON parsing should detect embedded
#753	Updated new object methods
#752	Fixes possible unit test bug when compiling/testing on Windows

20230618

Pull Request	Description
#749	Prep for release 20230618
#740	Fixed Flaky Tests Caused by JSON permutations
#734	Fixed Flaky Tests Caused by JSON permutations
#733	JSONTokener implemented java.io.Closeable
#731	Removing commented out code in JSONObject optDouble()
#729	Refactor ParserConfiguration class hierarchy

20230227

Pull Request	Description
#723	Protect JSONML from stack overflow exceptions caused by recursion
#720	Limit the XML nesting depth for CVE-2022-45688
#711	Revert pull 707 - interviewbit spam
#704	Move javadoc comments above the interface definition to make it visible
#703	Update Releases.md for JSONObject(Map): Throws NPE if key is null
#696	Update JSONPointerTest for NonDex compatibility
#694	Pretty print XML
#692	Example.md syntax highlight and indentation
#691	Create unit tests for various number formats

20220924

Pull Request	Description
#688	Update copyright to Public Domain
#687	Fix a typo
#685	JSONObject map type unit tests

... (truncated)

Changelog

Sourced from org.json:json's changelog.

20231013 First release with minimum Java version 1.8. Recent commits, including fixes for CVE-2023-5072.

20230618 Final release with Java 1.6 compatibility. Future releases will require Java 1.8 or greater.

20230227 Fix for CVE-2022-45688 and recent commits

20220924 New License - public domain, and some minor updates

20220320 Wrap StackOverflow with JSONException

20211205 Recent commits and some bug fixes for similar()

20210307 Recent commits and potentially breaking fix to JSONPointer

20201115 Recent commits and first release after project structure change

20200518 Recent commits and snapshot before project structure change

20190722 Recent commits

20180813 POM change to include Automatic-Module-Name (#431) JSONObject(Map) now throws an exception if any of a map keys are null (#405)

20180130 Recent commits

20171018 Checkpoint for recent commits.

20170516 Roll up recent commits.

20160810 Revert code that was breaking opt*() methods.

20160807 This release contains a bug in the JSONObject.opt*() and JSONArray.opt*() methods, it is not recommended for use. Java 1.6 compatability fixed, JSONArray.toList() and JSONObject.toMap(), RFC4180 compatibility, JSONPointer, some exception fixes, optional XML type conversion. Contains the latest code as of 7 Aug 2016

20160212 Java 1.6 compatibility, OSGi bundle. Contains the latest code as of 12 Feb 2016.

20151123 JSONObject and JSONArray initialization with generics. Contains the latest code as of 23 Nov 2015.

20150729 Checkpoint for Maven central repository release. Contains the latest code as of 29 July 2015.

Commits

• See full diff in compare view

Updates org.owasp.esapi:esapi from 2.3.0.0 to 2.6.0.0

Release notes

Sourced from org.owasp.esapi:esapi's releases.

2.6.0.0

Full Release Notes

Release notes for ESAPI release 2.6.0.0 are located at:

• https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.6.0.0-release-notes.txt

What's Changed

• Preparation for ESAPI release 2.6.0.0 by @​kwwall in ESAPI/esapi-java-legacy#860

Full Changelog: ESAPI/esapi-java-legacy@esapi-2.5.5.0...esapi-2.6.0.0

Configuration Jar

Note the associated file "esapi-2.6.0.0-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.6.0.0-configuration.jar.asc" is a GPG signature of that jar file made by Kevin W. Wall.

2.5.5.0

Full Release Notes

Release notes for ESAPI release 2.5.5.0 are located at:

• https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.5.0-release-notes.txt

What's Changed

• Pom updates to address issue #847 by @​kwwall in ESAPI/esapi-java-legacy#848
• Update the logging properties to opt-out of the prefix events #844 by @​mickeyz07 in ESAPI/esapi-java-legacy#845
• Fix Typos by @​DarioViva42 in ESAPI/esapi-java-legacy#852
• Improved documentation by @​DebajitKumarPhukan in ESAPI/esapi-java-legacy#853
• Release prep 2.5.5.0 by @​kwwall in ESAPI/esapi-java-legacy#856

New Contributors

• @​mickeyz07 made their first contribution in ESAPI/esapi-java-legacy#845
• @​DarioViva42 made their first contribution in ESAPI/esapi-java-legacy#852
• @​DebajitKumarPhukan made their first contribution in ESAPI/esapi-java-legacy#853

Full Changelog: ESAPI/esapi-java-legacy@esapi-2.5.4.0...esapi-2.5.5.0

Configuration Jar

Note the associated file "esapi-2.5.5.0-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.5.5.0-configuration.jar.asc" is a GPG signature of that jar file made by Kevin W. Wall.

2.5.4.0

Full release notes

Full release notes for ESAPI release 2.5.4.0 are located at:

• https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.4.0-release-notes.txt

It contains important details, which you need to read as you MUST remove (or rename) 'esapi-java-logging.properties' if you are using ESAPI's default logging, which is JUL. Otherwise ESAPI will throw a ConfigurationException (which may appear as a java.lang.ExceptionInInitializerError or as a java.lang.NoClassDefFoundError, depending on circumstances). Please refer to the "Configuring the JavaLogFactory" wiki page for additional details.

YOU HAVE BEEN WARNED!!!

... (truncated)

Commits

• dcde6c2 A few minor documentation fixes.
• 5a10f77 Revert "Minor change to release steps document."
• 8b9f8f1 Minor change to release steps document.
• 4698c43 Bump release to new official release number.
• f185e5b Preparation for ESAPI release 2.6.0.0 (#860)
• 0b0f86c Update SECURITY.md
• 4879a08 Modifying pom.xml for next planned release.
• 3f2ff05 Fix release date.
• 19b739a Merge pull request #856 from kwwall/release-prep-2.5.5.0
• a160de0 Update section on commit / PR history.
• Additional commits viewable in compare view

Updates com.amazonaws:aws-java-sdk-s3 from 1.11.618 to 1.12.261

Changelog

Sourced from com.amazonaws:aws-java-sdk-s3's changelog.

1.12.261 2022-07-14

AWS Config

• Features

  • Update ResourceType enum with values for Route53Resolver, Batch, DMS, Workspaces, Stepfunctions, SageMaker, ElasticLoadBalancingV2, MSK types

AWS Glue

• Features

  • This release adds an additional worker type for Glue Streaming jobs.

AWS Outposts

• Features

  • This release adds the ShipmentInformation and AssetInformationList fields to the GetOrder API response.

AWSKendraFrontendService

• Features

  • This release adds AccessControlConfigurations which allow you to redefine your document level access control without the need for content re-indexing.

Amazon Athena

• Features

  • This release updates data types that contain either QueryExecutionId, NamedQueryId or ExpectedBucketOwner. Ids must be between 1 and 128 characters and contain only non-whitespace characters. ExpectedBucketOwner must be 12-digit string.

Amazon Elastic Compute Cloud

• Features

  • This release adds flow logs for Transit Gateway to allow customers to gain deeper visibility and insights into network traffic through their Transit Gateways.

Amazon S3

• Bugfixes

  • Fixed possible issue in TransferManager's downloadDirectory operation where files could be downloaded to some sibling directories of the destination directory if the key contained specially-crafted relative paths.

Amazon SageMaker Service

• Features

  • This release adds support for G5, P4d, and C6i instance types in Amazon SageMaker Inference and increases the number of hyperparameters that can be searched from 20 to 30 in Amazon SageMaker Automatic Model Tuning

AmazonNimbleStudio

• Features

  • Amazon Nimble Studio adds support for IAM-based access to AWS resources for Nimble Studio components and custom studio components. Studio Component scripts use these roles on Nimble Studio workstation to mount filesystems, access S3 buckets, or other configured resources in the Studio's AWS account

CodeArtifact

• Features

  • This release introduces Package Origin Controls, a mechanism used to counteract Dependency Confusion attacks. Adds two new APIs, PutPackageOriginConfiguration and DescribePackage, and updates the ListPackage, DescribePackageVersion and ListPackageVersion APIs in support of the feature.

Firewall Management Service

• Features

  • Adds support for strict ordering in stateful rule groups in Network Firewall policies.

Inspector2

• Features

  • This release adds support for Inspector V2 scan configurations through the get and update configuration APIs. Currently this allows configuring ECR automated re-scan duration to lifetime or 180 days or 30 days.

1.12.260 2022-07-13

... (truncated)

Commits

• cb66c50 AWS SDK for Java 1.12.261
• 685134e Update GitHub version number to 1.12.261-SNAPSHOT
• 5555d84 AWS SDK for Java 1.12.260
• ae88c8a Update GitHub version number to 1.12.260-SNAPSHOT
• 93a0a7f AWS SDK for Java 1.12.259
• 5ec7cb7 Update GitHub version number to 1.12.259-SNAPSHOT
• 75fe4e1 AWS SDK for Java 1.12.258
• 8b6bdb0 Update GitHub version number to 1.12.258-SNAPSHOT
• eba6423 AWS SDK for Java 1.12.257
• d2f0b05 Update GitHub version number to 1.12.257-SNAPSHOT
• Additional commits viewable in compare view

Updates com.google.code.gson:gson from 2.7 to 2.8.9

Release notes

Sourced from com.google.code.gson:gson's releases.

Gson 2.8.9

• Make OSGi bundle's dependency on sun.misc optional (#1993).
• Deprecate Gson.excluder() exposing internal Excluder class (#1986).
• Prevent Java deserialization of internal classes (#1991).
• Improve number strategy implementation (#1987).
• Fix LongSerializationPolicy null handling being inconsistent with Gson (#1990).
• Support arbitrary Number implementation for Object and Number deserialization (#1290).
• Bump proguard-maven-plugin from 2.4.0 to 2.5.1 (#1980).
• Don't exclude static local classes (#1969).
• Fix RuntimeTypeAdapterFactory depending on internal Streams class (#1959).
• Improve Maven build (#1964).
• Make dependency on java.sql optional (#1707).

Gson 2.8.8

• Fixed issue with recursive types (#1390).
• Better behaviour with Java 9+ and Unsafe if there is a security manager (#1712).
• EnumTypeAdapter now works better when ProGuard has obfuscated enum fields (#1495).

Changelog

Sourced from com.google.code.gson:gson's changelog.

Version 2.8.9

• Make OSGi bundle's dependency on sun.misc optional (google/gson#1993).
• Deprecate Gson.excluder() exposing internal Excluder class (google/gson#1986).
• Prevent Java deserialization of internal classes (google/gson#1991).
• Improve number strategy implementation (google/gson#1987).
• Fix LongSerializationPolicy null handling being inconsistent with Gson (google/gson#1990).
• Support arbitrary Number implementation for Object and Number deserialization (google/gson#1290).
• Bump proguard-maven-plugin from 2.4.0 to 2.5.1 (google/gson#1980).
• Don't exclude static local classes (google/gson#1969).
• Fix RuntimeTypeAdapterFactory depending on internal Streams class (google/gson#1959).
• Improve Maven build (google/gson#1964).
• Make dependency on java.sql optional (google/gson#1707).

Version 2.8.8

• Fixed issue with recursive types (google/gson#1390).
• Better behaviour with Java 9+ and Unsafe if there is a security manager (google/gson#1712).
• EnumTypeAdapter now works better when ProGuard has obfuscated enum fields (google/gson#1495).

Version 2.8.7

• Fixed ISO8601UtilsTest failing on systems with UTC+X.
• Improved javadoc for JsonStreamParser.
• Updated proguard.cfg (google/gson#1693).
• Fixed IllegalStateException in JsonTreeWriter (google/gson#1592).
• Added JsonArray.isEmpty() (google/gson#1640).
• Added new test cases (google/gson#1638).
• Fixed OSGi metadata generation to work on JavaSE < 9 (google/gson#1603).

Version 2.8.6

2019-10-04 GitHub Diff

• Added static methods JsonParser.parseString and JsonParser.parseReader and deprecated instance method JsonParser.parse
• Java 9 module-info support

Version 2.8.5

2018-05-21 GitHub Diff

• Print Gson version while throwing AssertionError and IllegalArgumentException
• Moved utils.VersionUtils class to internal.JavaVersion. This is a potential backward incompatible change from 2.8.4
• Fixed issue google/gson#1310 by supporting Debian Java 9

Version 2.8.4

2018-05-01 GitHub Diff

• Added a new FieldNamingPolicy, LOWER_CASE_WITH_DOTS that mapps JSON name someFieldName to some.field.name
• Fixed issue google/gson#1305 by removing compile/runtime dependency on sun.misc.Unsafe

Version 2.8.3

2018-04-27 GitHub Diff

• Added a new API, GsonBuilder.newBuilder() that clones the current builder
• Preserving DateFormatter behavior on JDK 9

... (truncated)

Commits

• 6a368d8 [maven-release-plugin] prepare release gson-parent-2.8.9
• ba96d53 Fix missing bounds checks for JsonTreeReader.getPath() (#2001)
• ca1df7f #1981: Optional OSGi bundle's dependency on sun.misc package (#1993)
• c54caf3 Deprecate Gson.excluder() exposing internal Excluder class (#1986)
• e6fae59 Prevent Java deserialization of internal classes (#1991)
• bda2e3d Improve number strategy implementation (#1987)
• cd748df Fix LongSerializationPolicy null handling being inconsistent with Gson (#1990)
• fe30b85 Support arbitrary Number implementation for Object and Number deserialization...
• 1cc1627 Fix incorrect feature request template label (#1982)
• 7b9a283 Bump bnd-maven-plugin from 5.3.0 to 6.0.0 (#1985)
• Additional commits viewable in compare view

Updates com.jayway.jsonpath:json-path from 2.4.0 to 2.9.0

Release notes

Sourced from com.jayway.jsonpath:json-path's releases.

json-path-2.9.0

What's Changed

• Fix for CVE-2023-51074.
• update dependencies by @​SingingBush in json-path/JsonPath#965
• JPMS: define Automatic-Module-Name as json.path by @​SingingBush in json-path/JsonPath#966
• Bump json-smart version from 2.4.10 to 2.5.0 by @​shoothzj in json-path/JsonPath#945
• Fixed rendering error on $..book[?(@.price <= $['expensive'])] in README.md by @​lulunac27a in json-path/JsonPath#967
• [build] Remove deprecated gradle convetion usage by @​shoothzj in json-path/JsonPath#946
• Check for the existence of the next significant bracket by @​twobiers in json-path/JsonPath#985
• Update versions by @​kallestenflo in json-path/JsonPath#987

New Contributors

• @​lulunac27a made their first contribution in json-path/JsonPath#967
• @​twobiers made their first contribution in json-path/JsonPath#985

Full Changelog: json-path/JsonPath@json-path-2.8.0...json-path-2.9.0

json-path-2.8.0

Upgrade json-smart to fix https://www.cve.org/CVERecord?id=CVE-2023-1370

json-path-2.7.0

No release notes provided.

json-path-2.6.0

No release notes provided.

json-path-2.5.0

No release notes provided.

Commits

• af7e516 Release 2.9.0
• af4dfcc Make PropertyPathToken public, closes #955
• 49b1151 Update versions (#987)
• 71a09c1 Check for the existence of the next significant bracket (#985)
• 900ebfe Remove deprecated gradle usage (#946)
• 946274d Fixed rendering error on $..book[?(@.price <= $['expensive'])] in README.md...
• 425bcb1 Bump json-smart version from 2.4.10 to 2.5.0 (#945)
• 2d57ab3 JPMS: define Automatic-Module-Name as json.path (#966)
• 1a57f78 update dependencies (#965)
• 21de620 Prepare next version
• Additional commits viewable in compare view

Updates xalan:xalan from 2.7.1 to 2.7.3

Updates org.codehaus.groovy:groovy-all from 2.3.11 to 2.4.21

Commits

• See full diff in compare view

Updates commons-net:commons-net from 3.0.1 to 3.9.0

Updates commons-io:commons-io from 2.1 to 2.14.0

Updates commons-fileupload:commons-fileupload from 1.3.3 to 1.5

Updates org.apache.commons:commons-email from 1.4 to 1.5

Updates org.apache.xmlgraphics:xmlgraphics-commons from 2.3 to 2.6

Updates org.apache.xmlgraphics:batik-transcoder from 1.10 to 1.17

Updates xerces:xercesImpl from 2.11.0 to 2.12.2

Updates com.google.guava:guava from 24.1.1-jre to 32.0.0-jre

Release notes

Sourced from com.google.guava:guava's releases.

32.0.0

Maven

<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
  <version>32.0.0-jre</version>
  <!-- or, for Android: -->
  <version>32.0.0-android</version>
</dependency>

Jar files

• 32.0.0-jre.jar
• 32.0.0-android.jar

Guava requires one runtime dependency, which you can download here:

• failureaccess-1.0.1.jar

Javadoc

• 32.0.0-jre
• 32.0.0-android

JDiff

• 32.0.0-jre vs. 31.1-jre
• 32.0.0-android vs. 31.1-android
• 32.0.0-android vs. 32.0.0-jre

Changelog

Security fixes

• Reimplemented Files.createTempDir and FileBackedOutputStream to further address CVE-2020-8908 (#4011) and CVE-2023-2976 (#2575). (feb83a1c8f)

While CVE-2020-8908 was officially closed when we deprecated Files.createTempDir in Guava 30.0, we've heard from users that even recent versions of Guava have been listed as vulnerable in other databases of security vulnerabilities. In response, we've reimplemented the method (and the very rarely used FileBackedOutputStream class, which had a similar issue) to eliminate the insecure behavior entirely. This change could technically affect users in a number of different ways (discussed under "Incompatible changes" below), but in practice, the only problem users are likely to encounter is with Windows. If you are using those APIs under Windows, you should skip 32.0.0 and go straight to 32.0.1 which fixes the problem. (Unfortunately, we didn't think of the Windows problem until after the release. And while we warn that common.io in particular may not work under Windows, we didn't intend to regress support.) Sorry for the trouble.

Incompatible changes

Although this release bumps Guava's major version number, it makes no binary-incompatible changes to the guava artifact.

One change could cause issues for Widows users, and a few other changes could cause issues for users in more usual situations:

• The new implementations of Files.createTempDir and FileBackedOutputStream throw an exception under Windows. This is fixed in 32.0.1. Sorry for the trouble.
• guava-gwt now requires GWT 2.10.0.
• This release makes a binary-incompatible change to a @Beta API in the separate artifact guava-testlib. Specifically, we changed the return type of TestingExecutors.sameThreadScheduledExecutor to ListeningScheduledExecutorService. The old return type was a package-private class, which caused the Kotlin compiler to produce warnings. (dafaa3e435)

... (truncated)

Commits

• See full diff in compare view

Updates com.h2database:h2 from 1.3.174 to 2.2.220

Release notes

Sourced from com.h2database:h2's releases.

Version 2.2.220

Changes since 2.1.214 release:

... (truncated)

Commits

• See full diff in compare view

Updates org.springframework.data:spring-data-jpa from 1.4.1.RELEASE to 1.11.22.RELEASE

Updates org.apache.pdfbox:pdfbox from 2.0.19 to 2.0.24

Updates org.jsoup:jsoup from 1.14.3 to 1.15.3

Release notes

Sourced from org.jsoup:jsoup's releases.

jsoup 1.15.3

jsoup 1.15.3 is out now, and includes a security fix for potential XSS attacks, along with other bug fixes and improvements, including more descriptive validation error messages.

Details:

• Security advisory
• Release notes
• Download

jsoup 1.15.2 is out now with a bunch of improvements and bug fixes.

jsoup 1.15.1 is out now with a bunch of improvements and bug fixes.

Changelog

Sourced from org.jsoup:jsoup's changelog.

jsoup changelog

Release 1.15.3 [2022-Aug-24]

• Security: fixed an issue where the jsoup cleaner may incorrectly sanitize crafted XSS attempts if SafeList.preserveRelativeLinks is enabled. GHSA-gp7f-rwcx-9369

• Improvement: the Cleaner will preserve the source position of cleaned elements, if source tracking is enabled in the original parse.

• Improvement: the error messages output from Validate are more descriptive. Exceptions are now ValidationExceptions (extending IllegalArgumentException). Stack traces do not include the Validate class, to make it simpler to see where the exception originated. Common validation errors including malformed URLs and empty selector results have more explicit error messages.

• Bugfix: the DataUtil would incorrectly read from InputStreams that emitted reads less than the requested size. This lead to incorrect results when parsing from chunked server responses, for e.g. jhy/jsoup#1807

• Build Improvement: added implementation version and related fields to the jar manifest. jhy/jsoup#1809

*** Release 1.15.2 [2022-Jul-04]

• Improvement: added the ability to track the position (line, column, index) in the original input source from where a given node was parsed. Accessible via Node.sourceRange() and Element.endSourceRange(). jhy/jsoup#1790

• Improvement: added Element.firstElementChild(), Element.lastElementChild(), Node.firstChild(), Node.lastChild(), as convenient accessors to those child nodes and elements.

• Improvement: added Element.expectFirst(cssQuery), which is just like Element.selectFirst(), but instead of returning a null if there is no match, will throw an IllegalArgumentException. This is useful if you want to simply abort processing if an expected match is not found.

• Improvement: when pretty-printing HTML, doctypes are emitted on a newline if there is a preceding comment. jhy/jsoup#1664

• Improvement: when pretty-printing, trim the leading and trailing spaces of textnodes in block tags when possible, so that they are indented correctly. Description has been truncated