Update all dependencies (major) #2567

merged 1 commit into from Nov 4, 2021

@renovate renovate bot commented Nov 4, 2021

This PR contains the following updates:

| Package | Type | Update | Change |
| ------- | ---- | ------ | ------ |
| actions/upload-artifact | action | major | v1 -> v2 |
| jekyll | | major | ~> 3.8.7 -> ~> 4.2.0 |
| com.squareup.okhttp3:mockwebserver (source) | | major | 3.13.1 -> 4.9.2 |

Release Notes

actions/upload-artifact

v2

square/okhttp

v4.9.2

2021-09-30

  • Fix: Don't include potentially-sensitive header values in Headers.toString() or exceptions.
    This applies to Authorization, Cookie, Proxy-Authorization, and Set-Cookie headers.
  • Fix: Don't crash with an InaccessibleObjectException when running on JDK17+ with strong
    encapsulation enabled.
  • Fix: Strictly verify hostnames used with OkHttp's HostnameVerifier. Programs that make direct
    manual calls to HostnameVerifier could be defeated if the hostnames they pass in are not
    strictly ASCII. This issue is tracked as CVE-2021-0341.

v4.9.1

2021-01-30

  • Fix: Work around a crash in Android 10 and 11 that may be triggered when two threads
    concurrently close an SSL socket. This would have appeared in crash logs as
    NullPointerException: bio == null.

v4.9.0

2020-09-11

With this release, okhttp-tls no longer depends on Bouncy Castle and doesn't install the
Bouncy Castle security provider.
If you still need it, you can do it yourself:

    Security.addProvider(BouncyCastleProvider())

You will also need to configure this dependency:

    dependencies {
      implementation "org.bouncycastle:bcprov-jdk15on:1.65"
    }

  • Upgrade: Kotlin 1.4.10. We now use Kotlin 1.4.x functional
    interfaces for Authenticator, Interceptor, and others.
  • Upgrade: Build with Conscrypt 2.5.1.

v4.8.1

2020-08-06

  • Fix: Don't crash in HeldCertificate.Builder when creating certificates on older versions of
    Android, including Android 6. We were using a feature of SimpleDateFormat that wasn't
    available in those versions!

v4.8.0

2020-07-11

  • New: Change HeldCertificate.Builder to use its own ASN.1 certificate encoder. This is part
    of our effort to remove the okhttp-tls module's dependency on Bouncy Castle. We think Bouncy
    Castle is great! But it's a large dependency (6.5 MiB) and its security provider feature
    impacts VM-wide behavior.

  • New: Reduce contention for applications that make a very high number of concurrent requests.
    Previously OkHttp used its connection pool as a lock when making changes to connections and
    calls. With this change each connection is locked independently.

  • Upgrade: Okio 2.7.0.

    implementation("com.squareup.okio:okio:2.7.0")

  • Fix: Avoid log messages like "Didn't find class org.conscrypt.ConscryptHostnameVerifier" when
    detecting the TLS capabilities of the host platform.

  • Fix: Don't crash in HttpUrl.topPrivateDomain() when the hostname is malformed.

  • Fix: Don't attempt Brotli decompression if the response body is empty.

v4.7.2

2020-05-20

  • Fix: Don't crash inspecting whether the host platform is JVM or Android. With 4.7.0 and 4.7.1 we
    had a crash IllegalArgumentException: Not a Conscrypt trust manager because we depended on
    initialization order of companion objects.

v4.7.1

2020-05-18

  • Fix: Pass the right arguments in the trust manager created for addInsecureHost(). Without the
    fix insecure hosts crash with an IllegalArgumentException on Android.

v4.7.0

2020-05-17

  • New: HandshakeCertificates.Builder.addInsecureHost() makes it easy to turn off security in
    private development environments that only carry test data. Prefer this over creating an
    all-trusting TrustManager because only hosts on the allowlist are insecure. From
    our DevServer sample:

    val clientCertificates = HandshakeCertificates.Builder()
        .addPlatformTrustedCertificates()
        .addInsecureHost("localhost")
        .build()
    
    val client = OkHttpClient.Builder()
        .sslSocketFactory(clientCertificates.sslSocketFactory(), clientCertificates.trustManager)
        .build()

  • New: Add cacheHit, cacheMiss, and cacheConditionalHit() events to EventListener. Use
    these in logs, metrics, and even test cases to confirm your cache headers are configured as
    expected.

  • New: Constant string okhttp3.VERSION. This is a string like "4.5.0-RC1", "4.5.0", or
    "4.6.0-SNAPSHOT" indicating the version of OkHttp in the current runtime. Use this to include
    the OkHttp version in custom User-Agent headers.

  • Fix: Don't crash when running as a plugin in Android Studio Canary 4.1. To enable
    platform-specific TLS features OkHttp must detect whether it's running in a JVM or in Android.
    The upcoming Android Studio runs in a JVM but has classes from Android and that confused OkHttp!

  • Fix: Include the header Accept: text/event-stream for SSE calls. This header is not added if
    the request already contains an Accept header.

  • Fix: Don't crash with a NullPointerException if a server sends a close while we're sending a
    ping. OkHttp had a race condition bug.

v4.6.0

2020-04-28

  • Fix: Follow HTTP 307 and 308 redirects on methods other than GET and POST. We're reluctant to
    change OkHttp's behavior in handling common HTTP status codes, but this fix is overdue! The new
    behavior is now consistent with RFC 7231, which is newer than OkHttp itself.
    If you want this update with the old behavior use this interceptor.

  • Fix: Don't crash decompressing web sockets messages. We had a bug where we assumed deflated
    bytes in would always yield deflated bytes out and this isn't always the case!

  • Fix: Reliably update and invalidate the disk cache on Windows. As originally designed our
    internal DiskLruCache assumes an inode-like file system, where it's fine to delete files that
    are currently being read or written. On Windows the file system forbids this so we must be more
    careful when deleting and renaming files.

  • Fix: Don't crash on Java 8u252 which introduces an API previously found only on Java 9 and
    above. See Jetty's overview of the API change and its consequences.

  • New: MultipartReader is a streaming decoder for MIME multipart (RFC 2045)
    messages. It complements MultipartBody which is our streaming encoder.

    val response: Response = call.execute()
    val multipartReader = MultipartReader(response.body!!)
    
    multipartReader.use {
      while (true) {
        val part = multipartReader.nextPart() ?: break
        process(part.headers, part.body)
      }
    }

  • New: MediaType.parameter() gets a parameter like boundary from a media type like
    multipart/mixed; boundary="abc".

  • New: Authenticator.JAVA_NET_AUTHENTICATOR forwards authentication requests to
    java.net.Authenticator. This obsoletes JavaNetAuthenticator in the okhttp-urlconnection
    module.

  • New: CertificatePinner now offers an API for inspecting the configured pins.

  • Upgrade: Okio 2.6.0.

    implementation("com.squareup.okio:okio:2.6.0")

  • Upgrade: publicsuffix.org data. This powers HttpUrl.topPrivateDomain().
    It's also how OkHttp knows which domains can share cookies with one another.

  • Upgrade: Bouncy Castle 1.65. This dependency is required by the
    okhttp-tls module.

  • Upgrade: Kotlin 1.3.71.

v4.5.0

2020-04-06

This release fixes a severe bug where OkHttp incorrectly detected and recovered from unhealthy
connections.
Stale or canceled connections were incorrectly attempted when they shouldn't have
been, leading to rare cases of infinite retries. Please upgrade to this release!

  • Fix: don't return stale DNS entries in DnsOverHttps. We were caching DNS results indefinitely
    rather than the duration specified in the response's cache-control header.
  • Fix: Verify certificate IP addresses in canonical form. When a server presents a TLS certificate
    containing an IP address we must match that address against the URL's IP address, even when the
    two addresses are encoded differently, such as 192.168.1.1 and 0::0:0:FFFF:C0A8:101. Note
    that OkHttp incorrectly rejected valid certificates resulting in a failure to connect; at no
    point were invalid certificates accepted.
  • New: OkHttpClient.Builder.minWebSocketMessageToCompress() configures a threshold for
    compressing outbound web socket messages. Configure this with 0L to always compress outbound
    messages and Long.MAX_VALUE to never compress outbound messages. The default is 1024L which
    compresses messages of size 1 KiB and larger. (Inbound messages are compressed or not based on
    the web socket server's configuration.)
  • New: Defer constructing Inflater and Deflater instances until they are needed. This saves
    memory if web socket compression is negotiated but not used.

v4.4.1

2020-03-08

  • Fix: Don't reuse a connection on redirect if certs match but DNS does not. For better
    locality and performance OkHttp attempts to use the same pooled connection across redirects and
    follow-ups. It independently shares connections when the IP addresses and certificates match,
    even if the host names do not. In 4.4.0 we introduced a regression where we shared a connection
    when certificates matched but the DNS addresses did not. This would only occur when following a
    redirect from one hostname to another, and where both hosts had common certificates.

  • Fix: Don't fail on a redirect when a client has configured a 'trust everything' trust manager.
    Typically this would cause certain redirects to fail in debug and development configurations.

v4.4.0

2020-02-17

  • New: Support canceled() as an event that can be observed by EventListener. This should be
    useful for splitting out canceled calls in metrics.

  • New: Publish a bill of materials (BOM) for OkHttp. Depend on this from Gradle or Maven to
    keep all of your OkHttp artifacts on the same version, even if they're declared via transitive
    dependencies. You can even omit versions when declaring other OkHttp dependencies.

    dependencies {
       api(platform("com.squareup.okhttp3:okhttp-bom:4.4.0"))
       api("com.squareup.okhttp3:okhttp")              // No version!
       api("com.squareup.okhttp3:logging-interceptor") // No version!
    }

  • New: Upgrade to Okio 2.4.3.

    implementation("com.squareup.okio:okio:2.4.3")

  • Fix: Limit retry attempts for HTTP/2 REFUSED_STREAM and CANCEL failures.

  • Fix: Retry automatically when incorrectly sharing a connection among multiple hostnames. OkHttp
    shares connections when hosts share both IP addresses and certificates, such as squareup.com
    and www.squareup.com. If a server refuses such sharing it will return HTTP 421 and OkHttp will
    automatically retry on an unshared connection.

  • Fix: Don't crash if a TLS tunnel's response body is truncated.

  • Fix: Don't track unusable routes beyond their usefulness. We had a bug where we could track
    certain bad routes indefinitely; now we only track the ones that could be necessary.

  • Fix: Defer proxy selection until a proxy is required. This saves calls to ProxySelector on
    calls that use a pooled connection.

v4.3.1

2020-01-07

  • Fix: Don't crash with a NullPointerException when a web socket is closed before it connects.
    This regression was introduced in OkHttp 4.3.0.
  • Fix: Don't crash with an IllegalArgumentException when using custom trust managers on
    Android 10. Android uses reflection to look up a magic checkServerTrusted() method and we
    didn't have it.
  • Fix: Explicitly specify the remote server name when making HTTPS connections on Android 5. In
    4.3.0 we introduced a regression where server name indication (SNI) was broken on Android 5.

v4.3.0

2019-12-31

  • Fix: Degrade HTTP/2 connections after a timeout. When an HTTP/2 stream times out it may impact
    the stream only or the entire connection. With this fix OkHttp will now send HTTP/2 pings after
    a stream timeout to determine whether the connection should remain eligible for pooling.

  • Fix: Don't call EventListener.responseHeadersStart() or responseBodyStart() until bytes have
    been received. Previously these events were incorrectly sent too early, when OkHttp was ready to
    read the response headers or body, which misled tracing tools. Note that the responseFailed()
    event always used to follow one of these events; now it may be sent without them.

  • New: Upgrade to Kotlin 1.3.61.

  • New: Match any number of subdomains with two asterisks in CertificatePinner. For example,
    **.squareup.com matches us-west.www.squareup.com, www.squareup.com and squareup.com.

  • New: Share threads more aggressively between OkHttp's HTTP/2 connections, connection pool,
    web sockets, and cache. OkHttp has a new internal task runner abstraction for managed task
    scheduling. In your debugger you will see new thread names and more use of daemon threads.

  • Fix: Don't drop callbacks on unexpected exceptions. When an interceptor throws an unchecked
    exception the callback is now notified that the call was canceled. The exception is still sent
    to the uncaught exception handler for reporting and recovery.

  • Fix: Un-deprecate MockResponse.setHeaders() and other setters. These were deprecated in OkHttp
    4.0 but that broke method chaining for Java callers.

  • Fix: Don't crash on HTTP/2 HEAD requests when the Content-Length header is present but is not
    consistent with the length of the response body.

  • Fix: Don't crash when converting a HttpUrl instance with an unresolvable hostname to a URI.
    The new behavior strips invalid characters like " and { from the hostname before converting.

  • Fix: Undo a performance regression introduced in OkHttp 4.0 caused by differences in behavior
    between Kotlin's assert() and Java's assert(). (Kotlin always evaluates the argument; Java
    only does when assertions are enabled.)

  • Fix: Honor RequestBody.isOneShot() in HttpLoggingInterceptor.

v4.2.2

2019-10-06

  • Fix: When closing a canceled HTTP/2 stream, don't send the END_STREAM flag. This could cause
    the server to incorrectly interpret the stream as having completed normally. This is most useful
    when a request body needs to cancel its own call.

v4.2.1

2019-10-02

  • Fix: In 4.1.0 we introduced a performance regression that prevented connections from being
    pooled in certain situations. We have good test coverage for connection pooling but we missed
    this because it only occurs if you have a proxy configured and you share a connection pool among
    multiple OkHttpClient instances.

    This particularly-subtle bug was caused by us assigning each OkHttpClient instance its own
    NullProxySelector when an explicit proxy is configured. But we don't share connections when
    the proxy selectors are different. Ugh!

v4.2.0

2019-09-10

  • New: API to decode a certificate and private key to create a HeldCertificate. This accepts a
    string containing both a certificate and PKCS #8-encoded private key.

    val heldCertificate = HeldCertificate.decode("""
        |-----BEGIN CERTIFICATE-----
        |MIIBYTCCAQegAwIBAgIBKjAKBggqhkjOPQQDAjApMRQwEgYDVQQLEwtlbmdpbmVl
        |cmluZzERMA8GA1UEAxMIY2FzaC5hcHAwHhcNNzAwMTAxMDAwMDA1WhcNNzAwMTAx
        |MDAwMDEwWjApMRQwEgYDVQQLEwtlbmdpbmVlcmluZzERMA8GA1UEAxMIY2FzaC5h
        |cHAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASda8ChkQXxGELnrV/oBnIAx3dD
        |ocUOJfdz4pOJTP6dVQB9U3UBiW5uSX/MoOD0LL5zG3bVyL3Y6pDwKuYvfLNhoyAw
        |HjAcBgNVHREBAf8EEjAQhwQBAQEBgghjYXNoLmFwcDAKBggqhkjOPQQDAgNIADBF
        |AiAyHHg1N6YDDQiY920+cnI5XSZwEGhAtb9PYWO8bLmkcQIhAI2CfEZf3V/obmdT
        |yyaoEufLKVXhrTQhRfodTeigi4RX
        |-----END CERTIFICATE-----
        |-----BEGIN PRIVATE KEY-----
        |MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCA7ODT0xhGSNn4ESj6J
        |lu/GJQZoU9lDrCPeUcQ28tzOWw==
        |-----END PRIVATE KEY-----
        """.trimMargin())
    val handshakeCertificates = HandshakeCertificates.Builder()
        .heldCertificate(heldCertificate)
        .build()
    val server = MockWebServer()
    server.useHttps(handshakeCertificates.sslSocketFactory(), false)

    Get these strings with HeldCertificate.certificatePem() and privateKeyPkcs8Pem().

  • Fix: Handshake now returns peer certificates in canonical order: each certificate is signed by
    the certificate that follows and the last certificate is signed by a trusted root.

  • Fix: Don't lose HTTP/2 flow control bytes when incoming data races with a stream close. If this
    happened enough then eventually the connection would stall.

  • Fix: Acknowledge and apply inbound HTTP/2 settings atomically. Previously we had a race where we
    could use new flow control capacity before acknowledging it, causing strict HTTP/2 servers to
    fail the call.

v4.1.1

2019-09-05

  • Fix: Don't drop repeated headers when validating cached responses. In our Kotlin upgrade we
    introduced a regression where we iterated the number of unique header names rather than the
    number of unique headers. If you're using OkHttp's response cache this may impact you.

v4.1.0

2019-08-12

  • OkHttp's new okhttp-brotli module implements Brotli compression. Install the interceptor to
    enable Brotli compression, which compresses 5-20% smaller than gzip.

    val client = OkHttpClient.Builder()
        .addInterceptor(BrotliInterceptor)
        .build()
    

    This artifact has a dependency on Google's Brotli decoder (95 KiB).

  • New: EventListener.proxySelectStart(), proxySelectEnd() events give visibility into the
    proxy selection process.

  • New: Response.byteString() reads the entire response into memory as a byte string.

  • New: OkHttpClient.x509TrustManager accessor.

  • New: Permit new WebSocket response codes: 1012 (Service Restart), 1013 (Try
    Again Later), and 1014 (invalid response from the upstream).

  • New: Build with Kotlin 1.3.41, BouncyCastle 1.62, and Conscrypt 2.2.1.

  • Fix: Recover gracefully when a coalesced connection immediately goes unhealthy.

  • Fix: Defer the SecurityException when looking up the default proxy selector.

  • Fix: Don't use brackets formatting IPv6 host names in MockWebServer.

  • Fix: Don't permit cache iterators to remove entries that are being written.

v4.0.1

2019-07-10

  • Fix: Tolerate null-hostile lists in public API. Lists created with List.of(...) don't like it
    when you call contains(null) on them!
  • Fix: Retain binary-compatibility in okhttp3.internal.HttpHeaders.hasBody(). Some unscrupulous
    coders call this and we don't want their users to suffer.

v4.0.0

2019-06-26

This release upgrades OkHttp to Kotlin. We tried our best to make it fast and safe to upgrade
from OkHttp 3.x. We wrote an upgrade guide to help with the migration and a
blog post to explain it.

  • Fix: Target Java 8 bytecode for Java and Kotlin.

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by WhiteSource Renovate. View repository job log here.

| datasource  | package                            | from   | to    |
| ----------- | ---------------------------------- | ------ | ----- |
| github-tags | actions/upload-artifact            | v1     | v2    |
| github-tags | actions/upload-artifact            | v1     | v2    |
| github-tags | actions/upload-artifact            | v1     | v2    |
| rubygems    | jekyll                             | 3.8.7  | 4.2.1 |
| maven       | com.squareup.okhttp3:mockwebserver | 3.13.1 | 4.9.2 |
@nomisRev nomisRev merged commit f46fcb0 into main Nov 4, 2021
@nomisRev nomisRev deleted the renovate/major-all branch November 4, 2021 13:26
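
The 4.5.0 release note above on verifying certificate IP addresses in canonical form, as an added Python example (not OkHttp's code and not part of this PR): it compares a URL host with a certificate's IP subject alternative names by packed address instead of by string, so that 192.168.1.1 and 0::0:0:FFFF:C0A8:101 are treated as the same address. The function names and the sample SAN lists are constructed for illustration.

```python
import ipaddress


def canonical_ip(text):
    """Return the packed bytes of an IP literal in canonical form.

    Returns None when `text` is not an IP literal (for example a DNS name),
    so callers can fall back to DNS-name matching instead.
    """
    host = text
    # URL hosts carry IPv6 literals in brackets, e.g. "[::1]".
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) denotes the IPv4 address
    # a.b.c.d, so reduce it to the 4-byte form before comparing.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.packed


def ip_san_matches(url_host, san_ips):
    """True if url_host is an IP literal equal to one of the SAN IP entries."""
    want = canonical_ip(url_host)
    if want is None:
        return False  # not an IP literal: IP SAN matching does not apply
    return any(canonical_ip(san) == want for san in san_ips)


def naive_matches(url_host, san_ips):
    """String comparison, shown for contrast: rejects equivalent encodings."""
    return url_host in san_ips


if __name__ == "__main__":
    # Constructed sample: the two encodings quoted in the release note.
    sans = ["0::0:0:FFFF:C0A8:101"]
    print("naive    :", naive_matches("192.168.1.1", sans))
    print("canonical:", ip_san_matches("192.168.1.1", sans))
    print("other IP :", ip_san_matches("192.168.1.2", sans))
```

String comparison only ever fails closed here, which matches the note that valid certificates were rejected and invalid ones were never accepted.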