New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add PasswordUtil for encrypting passwords client side #3082
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good overall. +1 for adding a method to PGConnection. I left comments inline.
Below are some some more ideas, hovewer, I am not sure about them.
I wonder if it makes sense to use builders to configure parameters instead of string/string overloads.
* | ||
* @param user The username of the database user | ||
* @param password The plain text of the user's password | ||
* @param encryptionType The encryption type for which to encode the user's |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Coulo you add the meaning of null
to the docs?
pgjdbc/src/test/java/org/postgresql/test/util/PasswordUtilTest.java
Outdated
Show resolved
Hide resolved
Assert.assertTrue("Query should have returned exactly one row but none was found: " + sql, rs.next()); | ||
String value = rs.getString(1); | ||
Assert.assertFalse("Query should have returned exactly one row but more than one found: " + sql, rs.next()); | ||
rs.close(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
try-with-resources?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes that's copy-pasta from it's sibling method without the arg.
|
So the reason the tests are failing is because you assume scram for anything above 10, however we have noscram tests for versions above 10. |
Good feedback. A lot of it aligns with things I was thinking about while working on this.
I considered that as well but scrapped it because the options would be different for If we go the options route, we'd need either a marker interface
The driver defaults could then just be some static value (i.e. scram with 4K iterations). And the server default could would be responsible for instantiating some variant of that. Thoughts? Any other ways to handle the divergent args? |
That's weird. One of the failing tests in the matrix is for running SCRAM on 8.4 but that shouldn't have executed. Maybe the skip annotations I added aren't being used correctly. Why wouldn't SCRAM work for >=10 (v.s. >10)? It added in that version. |
If you look at the docker scripts you can see that if scram is not specified then it creates a user using MD5. This is why in my tests I read pg_shadow for the user to determine the encryption to use. |
Why would that matter for any new user created in CI though? I thought the server's default is just the default if it interprets your password as plain text and you're asking it to handle the hashing. If it has the magic |
Before you create the user you need to set the encryption method on the connection |
Not according to the docs: https://www.postgresql.org/docs/current/sql-createrole.html
|
What I meant is you need to say |
You only need to do that if the password string is not already encoded. The server checks if it has the magic prefix and then uses it as is:
Note how |
hmmm... well that was the only way I could get the tests to pass. |
ah, I think the problem is that in the docker script we specify md5 or scram in pg_hba.conf. If we specified password instead that would work. |
Pushed a series of commits that address the feedback. If this looks good I'll rebase it to clean up the commits. Figure it's easier to review with the individual commits as each one addresses a specific piece of feedback. I didn't add the try-with-resources to the new @davecramer I had forgotten to include the Also, trying to fix the test for 8.4 lead me to realize that the
I think this is good to go. Let me know if any other thoughts and I'll rebase, run through CI, and merge. |
Actually hang on ... need to add one more to change the password arg to be a |
Pushed another commit that changes the API to use a |
*/ | ||
public static String encodeMd5(String user, char[] password) { | ||
byte[] userBytes = user.getBytes(StandardCharsets.UTF_8); | ||
String passwordText = String.valueOf(password); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
WDYT of Arrays.fill(password, ' ')
as soon as the password was consumed? (e.g. after conversion no string)
A slightly better approach would probably be CharBuffer.wrap(password)
, then encode it to byte array with Charset.encode, then zero out both arrays.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think it's the job of the encoder to wipe out the caller's data structures. The caller can choose to do that if necessary.
That would make more sense if the function signature was something like:
public static String encodeMd5(String user, Supplier<char[]> passwordSource) {
char[] password = passwordSource.get();
// do stuff
Arrays.fill(password, ' '); // clear password array
}
In that situation we "own" the array and it'd be our responsibility for clearing it.
I'm of two minds here ... partly think we should go that route as it's the most flexible. And partly think nobody is going to care about this and we should just make String encode(String user, String password)
overloads as that's what 99% of people are going to use.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are two points of using char[]
for passwords:
- The API that uses the password can erase the password shortly after use so it minimizes the time window when the password can be grabbed from the memory dump
- There are much fewer chances of logging the passwords as
char[].toString()
would not dump contents.
In this case, as soon as you compute MD5, you can erase the char[]
array so the password is not accidentally leaked.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know why it's being done. I'm the one that suggested it in Dave's original PR!
I'm saying the reality of how people program in Java lends itself to this being a moot point because the caller is going to have the password in a String and simply convert it to a char[] at the call site.
Regardless, destroying the contents of an argument (like we'd be doing here without changing the method signature) isn't the same as destroying the contents of the return value of a function (e.g. what AuthenticationPluginManager does).
In this specific case it'd be weird because it'd break the most common use case of this function:
char[] password = generateNewPassword();
conn.alterUserPassword(user, password);
saveNewPasswordSomewhere(password);
The user owns the char[] so the user is responsible for clearing it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the user wants saving the password, they should clone the array
Couple more to address @vlsi last feedback. And one to refactor the way the connection tests throw errors to get the details in the logs. It doesn't change any of the output of the tests themselves but helped debug when things weren't working because the SCRAM library mandates >=4096 iterations: ongres/scram#20 (comment) |
Added the "on"/"off" tests and a note to CHANGELOG referencing the PR (kind of funny how you have to create the PR then push that after you know the PR number...). I'm happy with this and will rebase and merge this tomorrow. |
What do you think @vlsi ? |
* @param encryptionType The type of password encryption to use or null if the database server default should be used. | ||
* @throws SQLException If the password could not be altered | ||
*/ | ||
default void alterUserPassword(String user, Supplier<char[]> passwordSource, @Nullable String encryptionType) throws SQLException { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the purpose of Supplier
in the signature?
I think a regular char[]
should be enough.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The rationale is that by providing a callback rather than a value, it's explicit that the ownership of the char[] object lies with the method and not the caller. This also matches how we provide passwords in the auth callbacks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A simple use case would match the tests where a string is simply converted to a char[].
A more elaborate use case could have the callback itself read from a KMS. It's the ultimate in flexibility while ensuring the char[] never lingers.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You don't need to have supplier for that. Just document that in the javadoc: password will be erased after use
and that is it. Supplier makes it harder for the clients to pass the value.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the caller is supplying a char[] then the caller owns that object and the caller must wipe it.
If we want to wipe it within the method, we need to own the char[] and the way to signify that is to have it's creation happen via the supplier. Plus we get the flexibility for the more elaborate use cases.
Plus it's actually easier with the supplier style as the only usage within the driver of the password is wrapped around the supplier which ensures that the raw char[] value never lingers.
If the method signature has the char[]
and overload A calls overload B (which is supposed to eventually wipe the password), how do you ensure the password was wiped and something else did not throw an exception before that step?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No. We declare in javadoc who owns the object and that is it.
how do you ensure the password was wiped and something else did not throw an exception before that step?
Wipe the password in finally
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's my point. You end up with the same code in every overload as otherwise you never know if a change to the overload impacts when exactly the password gets cleared.
Anyway, I'm not keen to change it. The callback method is the most versatile and covers all the more complex use cases I've described.
If we're deadlocked on this, then get someone else to agree to the change in the signature. Otherwise I'm done with this and plan to rebase and merge.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You end up with the same code in every overload
There are only a few methods dealing with passwords, and, yes, security code is not the most easy to implement correctly.
Neither https://docs.oracle.com/javase%2Ftutorial%2Fuiswing%2F%2F/components/passwordfield.html nor https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html suggest using Supplier
in the method parameters.
} | ||
|
||
@Test | ||
public void testServerDefault() throws SQLException { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Technically speaking, JUnit4 does not use test..
method naming. test...
method prefix comes from JUnit3 when @Test
annotation did not exist.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I still like it though as it makes the method name an imperative mood. Without the prefix we get public void serverDefault()
which sounds like it returns a value. Could be more clever and do something like "validateServerDefault" but meh...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
testServerDefault
does not explain what the test verifies though
I'm +1 to just using char[] in the signature and we zero it out. We are after all providing the user with a utility method to "take care of it for them" |
2d55e24
to
6474418
Compare
if (password == null) { | ||
throw new NullPointerException("password is null"); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Objects.
if (password == null) { | |
throw new NullPointerException("password is null"); | |
} | |
Objects.requireNonNull(password, "password"); |
String passwordText = String.valueOf(password); | ||
byte[] passwordBytes = passwordText.getBytes(StandardCharsets.UTF_8); | ||
final MessageDigest md = MessageDigest.getInstance("MD5"); | ||
|
||
md.update(passwordBytes); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
String passwordText = String.valueOf(password); | |
byte[] passwordBytes = passwordText.getBytes(StandardCharsets.UTF_8); | |
final MessageDigest md = MessageDigest.getInstance("MD5"); | |
md.update(passwordBytes); | |
byte[] passwordBytes = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password)).array(); | |
try { | |
MessageDigest md = MessageDigest.getInstance("MD5"); | |
md.update(passwordBytes); | |
} finally { | |
Arrays.fill(passwordBytes, (byte) 0); | |
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nope that doesn't work. Was going nuts trying to figure out why as it broke a bunch of the md5 tests. Turns out the .array()
call returns the backing array of the ByteBuffer which is not necessarily the same size as the encoded password. In the tests it ends up being 38 bytes (extra zeros at the end) vs. 35 bytes and the extra zeros get included in the digest.
Going to try something similar to see if we can avoid the extra String in between. I think we can write the ByteBuffer directly to the MessageDigest then clear it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes the ByteBuffer worked when directly writing it to the MessageDigest. That way it's aware of the contents and not the entire backing array.
6474418
to
80820bc
Compare
Force pushed a commit that replaces the password callbacks with wiping the char[] in each method. Also adds to the tests to check that the char[] arrays have bene wiped. And a new test for a "bad encryption type" to ensure that even in that situation the password is wiped. |
…crypting passwords client side Add a PasswordUtil helper that provides methods for encoding a given password client side so that it may be used for ALTER USER and CREATE USER statement without sending the plaintext password over the wire. Also adds a helper to PGConnection that generates the ALTER USER command necessary to update a user's password and executes it. The helpers default to encoding the password using SCRAM-SHA-256 if used directly or using the server's default password_encryption setting if used via the PGConnection helper. Co-authored-by: Sehrope Sarkuni <sehrope@jackdb.com> Co-authored-by: Dave Cramer <davecramer@gmail.com>
e4cac3b
to
330ed0e
Compare
Rebased atop master, squashed down the intermediate commits, and updated the commit message to reflect the additional function in Once this runs through CI I'll merge it in. |
No clue why one of the test matrix entries never started and the other has been hanging for 1h30m. Going to try manually bouncing them. Probably some transient GitHub Actions issue. |
The ARM matrix is taking forever and my suspicion is that SecureRandom is trying to use /dev/random and the ARM runner does not have enough entropy. On modern kernels it shouldn't hang after boot but I bet it's an older one that still treats them separately. The entropy pool must be drained and it's hanging waiting for random network activity to the host to give it enough jitter to supply more bits. Looks like this is the first we're directly using that class in the project:
Should be able to force it to use /dev/urandom via: Going to see if I can figure out how to inject it just for that one build. I wonder if this caused less (but similar) slow down in other tests simply from the TLS stack pulling from the same source. |
Force use of /dev/urandom as the source of entropy for the internal state of the secure RNG by setting java.security.egd. This is needed to prevent a poorly configured runner from draining its entropy by using the default of /dev/random. This is not needed on modern kernels as they do not block after boot. However it may be required for older kernels that will otherwise refuse to return back random bits unless they think they have enough tracked entropy in /dev/random. Specifically, this corrects an issue with one of the hosted CI runners that was hanging fetching bytes from SecureRandom.
I pushed a fix for the RNG thing that applies the JVM flag to all environments generated by the matrix. I couldn't figure an easy way of only applying it to the ARM builds and it should be harmless elsewhere. With the fix it passed through CI and did execute on an ARM combo. Unfortunately due to the matrix randomization it's not exactly the same combination as before so I don't know 100% if the fix did anything (JDK 22 failed but JDK 8 succeeded). I'm going to merge this and we'll see if anything else comes up later. |
byte[] storedKey = ScramFunctions.storedKey(ScramMechanisms.SCRAM_SHA_256, clientKey); | ||
byte[] serverKey = ScramFunctions.serverKey(ScramMechanisms.SCRAM_SHA_256, saltedPassword); | ||
|
||
return "SCRAM-SHA-256" // |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why adding empty comments?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why show up with feedback on lines that have not changed since the PR was first opened after the PR is merged?
Are you just looking for something to nitpick?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You did not fix javadocs (see #3082 (comment)), and I thought it would be easier and faster to just wait for you to merge the PR and then fix the style issues
* Encode the given password using the driver's default encryption method. | ||
* | ||
* @param user The username of the database user | ||
* @param password The plain text of the user's password | ||
* @return The encoded password | ||
* @throws SQLException If an error occurs encoding the password | ||
*/ | ||
public static String encodePassword(String user, char[] password) throws SQLException { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like the method is not reliable from the users' perspective.
What does driver's default
mean?
What if somebody uses the method, and then they upgrade the driver some time later. Is the driver allowed to change the default encoding method?
Apparently, for backward compatibility, we can't change the method. In that regard, encodePassword
duplicates encodeScramSha256
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like the method is not reliable from the users' perspective. What does driver's default mean?
It means the driver encodes the password with whatever the latest version of password encoding the driver wants, using the defaults built into the driver.
What if somebody uses the method, and then they upgrade the driver some time later. Is the driver allowed to change the default encoding method?
Yes. That's exactly the point. So that code targeting that method uses the latest, most recommended method of encoding passwords without being connected to a specific server.
Apparently, for backward compatibility, we can't change the method. In that regard, encodePassword duplicates encodeScramSha256.
Compatibility with what? We haven't haven't released anything yet. Are you suggesting changing the signature?
It doesn't duplicate the SCRAM-SHA-256 function, it it delegates to it because that's the current driver default.
If in the future if the SCRAM-SHA-256 default is replaced with SCRAM-SHA-512 or something else entirely, we'd change that delegation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If in the future if the SCRAM-SHA-256 default is replaced with SCRAM-SHA-512 or something else entirely, we'd change that delegation
If we ever make such a change, then we effectively break backward compatibility. That means we can't easily make such a change.
So, please suggest what is the use case for having "driver's default" encodePassword
method. Why add the method assuming there's not a single use case for it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we ever make such a change, then we effectively break backward compatibility. That means we can't easily make such a change.
We don't break anything because the definition of that method is encoding the password with whatever the driver considers to be the most secure and recommended approach. The user is delegating to this driver, as the de facto Java driver for PosgreSQL, to make a determination of how the user should be encoding passwords.
If a user wants to use a specific algo or parameters then there's other overloads to use instead.
So, please suggest what is the use case for having "driver's default" encodePassword method. Why add the method assuming there's not a single use case for it?
It's in the original PR description:
Splitting out the encoding allows the same functions to be used for CREATE USER ... (again without passing the credentials in plaintext).
A user can leverage that to generate their own SQL that involves encoding passwords.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we ever make such a change, then we effectively break backward compatibility. That means we can't easily make such a change.
We don't break anything because the definition of that method is encoding the password with whatever the driver considers to be the most secure and recommended approach. The user is delegating to this driver, as the de facto Java driver for PosgreSQL, to make a determination of how the user should be encoding passwords.
I think the issue is that if the server uses SCRAM-512 for the latest version and previous versions use SCRAM-256 using the latest driver would fail on older versions of the server.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you mean if the driver is bumped to SCRAM-512 and the server does not yet support it, then it would fail.
Yes, that's expected because the output of that method is not for a particular server. It's for generating literals for the encoded password using the latest recommended method per the driver. I'd see it being used by something that is generating it's own SQL, potentially for future execution out of band. The tie in to the driver is that the driver, as the de factor Java driver for PostgreSQL, is aware of the recommended password encoding.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you mean if the driver is bumped to SCRAM-512 and the server does not yet support it, then it would fail.
Yes, that's expected because the output of that method is not for a particular server. It's for generating literals for the encoded password using the latest recommended method per the driver. I'd see it being used by something that is generating it's own SQL, potentially for future execution out of band. The tie in to the driver is that the driver, as the de factor Java driver for PostgreSQL, is aware of the recommended password encoding.
No, what I mean is server version 17 comes out with SCRAM-512. The driver uses SCRAM-512 as the default
and now the default only works for server version 17.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't follow ... isn't that the same situation I described in my previous comment?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suppose it is, but we can't break backward compatibility. If a user upgrades the driver their code should continue to work.
Generally if we do a major version upgrade we would mention that we have breaking changes but a breaking change to a default
seems wrong somehow
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess I don't see it as a break as the functional meaning of the method ("encode my password using the recommended...) has not changed. I see it like the following changing over server versions:
CREATE USER foo WITH PASSWORD 'abcd1234';
SELECT passwd FROM pg_shadow WHERE usename = 'foo'
It'd be md5 encoded in <=10 and some variant SCRAM after that. Though that's not as user facing so maybe not the best example.
The original goal was to have a method that users could rely on when making things like SQL script generating tooling that they know will always be the latest recommendation. That way when SCRAM-SHA-256 is replaced with SCRAM-SHA-512 or something else entirely, a user that bumps their driver to the latest pgjdbc would automatically get the newer recommendation.
If that doesn't make sense as valid use case or if you foresee misuse of it causing complication, then let's remove it.
This MR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [flow-bin](https://github.com/flowtype/flow-bin) ([changelog](https://github.com/facebook/flow/blob/master/Changelog.md)) | devDependencies | minor | [`^0.225.0` -> `^0.233.0`](https://renovatebot.com/diffs/npm/flow-bin/0.225.1/0.233.0) | | [org.postgresql:postgresql](https://jdbc.postgresql.org) ([source](https://github.com/pgjdbc/pgjdbc)) | build | patch | `42.7.1` -> `42.7.3` | | [org.liquibase.ext:liquibase-hibernate5](https://github.com/liquibase/liquibase-hibernate/wiki) ([source](https://github.com/liquibase/liquibase-hibernate)) | build | minor | `4.25.1` -> `4.27.0` | | [org.liquibase:liquibase-maven-plugin](http://www.liquibase.org/liquibase-maven-plugin) ([source](https://github.com/liquibase/liquibase)) | build | minor | `4.25.1` -> `4.27.0` | | [io.hypersistence:hypersistence-utils-hibernate-62](https://github.com/vladmihalcea/hypersistence-utils) | compile | patch | `3.7.0` -> `3.7.3` | | [org.hibernate.orm:hibernate-envers](https://hibernate.org/orm) ([source](https://github.com/hibernate/hibernate-orm)) | build | patch | `6.4.1.Final` -> `6.4.4.Final` | | [org.hibernate.orm:hibernate-core](https://hibernate.org/orm) ([source](https://github.com/hibernate/hibernate-orm)) | build | patch | `6.4.1.Final` -> `6.4.4.Final` | | [com.blazebit:blaze-persistence-bom](https://persistence.blazebit.com) ([source](https://github.com/Blazebit/blaze-persistence)) | import | patch | `1.6.10` -> `1.6.11` | | [com.diffplug.spotless:spotless-maven-plugin](https://github.com/diffplug/spotless) | build | minor | `2.41.1` -> `2.43.0` | | [io.quarkus:quarkus-maven-plugin](https://github.com/quarkusio/quarkus) | build | minor | `3.6.4` -> `3.9.2` | | [io.quarkus:quarkus-universe-bom](https://github.com/quarkusio/quarkus-platform) | import | minor | `3.6.4` -> `3.9.2` | | [org.apache.maven.plugins:maven-compiler-plugin](https://maven.apache.org/plugins/) | build | minor | `3.12.1` -> `3.13.0` | --- ### Release Notes <details> <summary>flowtype/flow-bin</summary> ### [`v0.233.0`](https://github.com/flowtype/flow-bin/compare/6e34f048ec7f5146297e258a60250c8e5af37bcc...2ebcdf3a8f03993e8ccab9e9fb6742000b54f929) [Compare Source](https://github.com/flowtype/flow-bin/compare/6e34f048ec7f5146297e258a60250c8e5af37bcc...2ebcdf3a8f03993e8ccab9e9fb6742000b54f929) ### [`v0.232.0`](https://github.com/flowtype/flow-bin/compare/69ee58d99676a48984158d2cafcdb3b3f5ad5f15...6e34f048ec7f5146297e258a60250c8e5af37bcc) [Compare Source](https://github.com/flowtype/flow-bin/compare/69ee58d99676a48984158d2cafcdb3b3f5ad5f15...6e34f048ec7f5146297e258a60250c8e5af37bcc) ### [`v0.231.0`](https://github.com/flowtype/flow-bin/compare/5c84049e450b37833fca5b547c1c2cb678436ef1...69ee58d99676a48984158d2cafcdb3b3f5ad5f15) [Compare Source](https://github.com/flowtype/flow-bin/compare/5c84049e450b37833fca5b547c1c2cb678436ef1...69ee58d99676a48984158d2cafcdb3b3f5ad5f15) ### [`v0.230.0`](https://github.com/flowtype/flow-bin/compare/2c3181fa7aa928bd3735a7fad09e1be271c96c95...5c84049e450b37833fca5b547c1c2cb678436ef1) [Compare Source](https://github.com/flowtype/flow-bin/compare/2c3181fa7aa928bd3735a7fad09e1be271c96c95...5c84049e450b37833fca5b547c1c2cb678436ef1) ### [`v0.229.2`](https://github.com/flowtype/flow-bin/compare/82b999003b85e827cd4dd36a8d3593979f1a9599...2c3181fa7aa928bd3735a7fad09e1be271c96c95) [Compare Source](https://github.com/flowtype/flow-bin/compare/82b999003b85e827cd4dd36a8d3593979f1a9599...2c3181fa7aa928bd3735a7fad09e1be271c96c95) ### [`v0.229.0`](https://github.com/flowtype/flow-bin/compare/3d62fc76bf9b0ff63ec56d049c669958ef41f6b8...82b999003b85e827cd4dd36a8d3593979f1a9599) [Compare Source](https://github.com/flowtype/flow-bin/compare/3d62fc76bf9b0ff63ec56d049c669958ef41f6b8...82b999003b85e827cd4dd36a8d3593979f1a9599) ### [`v0.228.0`](https://github.com/flowtype/flow-bin/compare/15db2846c1c63d3f26905f51e8c96c801cbc017b...3d62fc76bf9b0ff63ec56d049c669958ef41f6b8) [Compare Source](https://github.com/flowtype/flow-bin/compare/15db2846c1c63d3f26905f51e8c96c801cbc017b...3d62fc76bf9b0ff63ec56d049c669958ef41f6b8) ### [`v0.227.0`](https://github.com/flowtype/flow-bin/compare/6fbe6faecdcb24e9ee660a0616705d46b9bd3c40...15db2846c1c63d3f26905f51e8c96c801cbc017b) [Compare Source](https://github.com/flowtype/flow-bin/compare/6fbe6faecdcb24e9ee660a0616705d46b9bd3c40...15db2846c1c63d3f26905f51e8c96c801cbc017b) ### [`v0.226.0`](https://github.com/flowtype/flow-bin/compare/23ec6163cf6921d4ef74da53e1aaf4a35f798384...6fbe6faecdcb24e9ee660a0616705d46b9bd3c40) [Compare Source](https://github.com/flowtype/flow-bin/compare/23ec6163cf6921d4ef74da53e1aaf4a35f798384...6fbe6faecdcb24e9ee660a0616705d46b9bd3c40) </details> <details> <summary>pgjdbc/pgjdbc</summary> ### [`v42.7.3`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#​4273-2024-04-14-145100--0400) ##### Changed - chore: gradle config enforces 17+ [MR #​3147](https://github.com/pgjdbc/pgjdbc/pull/3147) ##### Fixed - fix: boolean types not handled in SimpleQuery mode [MR #​3146](https://github.com/pgjdbc/pgjdbc/pull/3146) - make sure we handle boolean types in simple query mode - support uuid as well - handle all well known types in text mode and change `else if` to `switch` - fix: released new versions of 42.2.29, 42.3.10, 42.4.5, 42.5.6, 42.6.2 to deal with `NoSuchMethodError on ByteBuffer#position` when running on Java 8 ### [`v42.7.2`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#​4272-2024-02-21-082300--0500) ##### Security - security: SQL Injection via line comment generation, it is possible in `SimpleQuery` mode to generate a line comment by having a placeholder for a numeric with a `-` such as `-?`. There must be second placeholder for a string immediately after. Setting the parameter to a -ve value creates a line comment. This has been fixed in this version fixes [CVE-2024-1597](https://www.cve.org/CVERecord?id=CVE-2024-1597). Reported by [Paul Gerste](https://github.com/paul-gerste-sonarsource). See the [security advisory](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56) for more details. This has been fixed in versions 42.7.2, 42.6.1 42.5.5, 42.4.4, 42.3.9, 42.2.28.jre7. See the security advisory for work arounds. ##### Changed - fix: Use simple query for isValid. Using Extended query sends two messages checkConnectionQuery was never ever set or used, removed [MR #​3101](https://github.com/pgjdbc/pgjdbc/pull/3101) - perf: Avoid autoboxing bind indexes by [@​bokken](https://github.com/bokken) in [MR #​1244](https://github.com/pgjdbc/pgjdbc/pull/1244) - refactor: Document that encodePassword will zero out the password array, and remove driver's default encodePassword by [@​vlsi](https://github.com/vlsi) in [MR #​3084](https://github.com/pgjdbc/pgjdbc/pull/3084) ##### Added - feat: Add PasswordUtil for encrypting passwords client side [MR #​3082](https://github.com/pgjdbc/pgjdbc/pull/3082) </details> <details> <summary>liquibase/liquibase</summary> ### [`v4.27.0`](https://github.com/liquibase/liquibase/blob/HEAD/changelog.txt#Liquibase-4270-is-a-major-release) [Compare Source](https://github.com/liquibase/liquibase/compare/v4.26.0...v4.27.0) > Liquibase 4.27.0 contains several New Capabilities and Notable Enhancements for Liquibase Pro users: DATABASECHANGELOGHISTORY table, Quality Checks Chains, Rollback Reports > See the [Liquibase 4.27.0 Release Notes](https://docs.liquibase.com/start/release-notes/liquibase-release-notes/liquibase-4.27.0.html) for the complete set of release information. ### [`v4.26.0`](https://github.com/liquibase/liquibase/blob/HEAD/changelog.txt#Liquibase-4260-is-a-major-release) [Compare Source](https://github.com/liquibase/liquibase/compare/v4.25.1...v4.26.0) > \[!IMPORTANT] > Liquibase 4.26.0 contains several Notable Changes for Liquibase Pro users: Advanced IF conditionals, Simpler Regex-based pattern checks, and Checks Run Reports. > \[!NOTE] > See the [Liquibase 4.26.0 Release Notes](https://docs.liquibase.com/start/release-notes/liquibase-4.26.0.html) for the complete set of release information. </details> <details> <summary>vladmihalcea/hypersistence-utils</summary> ### [`v3.7.3`](https://github.com/vladmihalcea/hypersistence-utils/blob/HEAD/changelog.txt#Version-373---February-16-2024) \================================================================================ "java.lang.ClassCastException: class \[Ljava.lang.String; cannot be cast to class \[B" thrown when using multiLoad with Hibernate 6.4 [#​700](https://github.com/vladmihalcea/hypersistence-utils/issues/700) ### [`v3.7.2`](https://github.com/vladmihalcea/hypersistence-utils/blob/HEAD/changelog.txt#Version-372---February-08-2024) \================================================================================ Expecting BasicPluralJavaType for array class \[Ljava.util.UUID;, but got \`com.vladmihalcea.hibernate.type.array.internal.UUIDArrayTypeDescriptor error with Hibernate 6.4 [#​698](https://github.com/vladmihalcea/hypersistence-utils/issues/698) ### [`v3.7.1`](https://github.com/vladmihalcea/hypersistence-utils/blob/HEAD/changelog.txt#Version-371---January-30-2024) \================================================================================ Add support for Hibernate 6.4 [#​685](https://github.com/vladmihalcea/hypersistence-utils/issues/685) Remove hypersistence-utils-hibernate-5 module [#​693](https://github.com/vladmihalcea/hypersistence-utils/issues/693) </details> <details> <summary>hibernate/hibernate-orm</summary> ### [`v6.4.4.Final`](https://github.com/hibernate/hibernate-orm/compare/6.4.3...6.4.4) [Compare Source](https://github.com/hibernate/hibernate-orm/compare/6.4.3...6.4.4) ### [`v6.4.3.Final`](https://github.com/hibernate/hibernate-orm/compare/6.4.2...6.4.3) [Compare Source](https://github.com/hibernate/hibernate-orm/compare/6.4.2...6.4.3) ### [`v6.4.2.Final`](https://github.com/hibernate/hibernate-orm/compare/6.4.1...6.4.2) [Compare Source](https://github.com/hibernate/hibernate-orm/compare/6.4.1...6.4.2) </details> <details> <summary>Blazebit/blaze-persistence</summary> ### [`v1.6.11`](https://github.com/Blazebit/blaze-persistence/blob/HEAD/CHANGELOG.md#​1611) [Compare Source](https://github.com/Blazebit/blaze-persistence/compare/1.6.10...1.6.11) 10/01/2024 - [Release tag](https://github.com/Blazebit/blaze-persistence/releases/tag/1.6.11) [Resolved issues](https://github.com/Blazebit/blaze-persistence/issues?q=is%3Aissue+milestone%3A1.6.11+is%3Aclosed+sort%3Aupdated-desc) ##### New features - Special case mappings with limit of 1 to use `=` instead of `IN` predicate - Added support for extended GraphlQL types, for example support DateTime (please read `Backwards-incompatible changes` below ) ##### Bug fixes - Fix over-fetching of entity view data with dynamic fetches - Fix Spring 6.1 compatibility - Fix Hibernate 6.4.0.Final compatibility - Disallow repository sorting by anything other than entity or entity view attribute paths ##### Backwards-incompatible changes - If you use the GraphQL integration and you are loading the [graphql-java-extended-scalars](https://github.com/graphql-java/graphql-java-extended-scalars), you might need to migrate your `LocalDataTime` EntityViews to `OffsetDateTime`. Dates will no longer be represented as String in the GraphQl-Schema, but as [DateTime](https://the-guild.dev/graphql/scalars/docs/scalars/date-time). </details> <details> <summary>diffplug/spotless</summary> ### [`v2.43.0`](https://github.com/diffplug/spotless/blob/HEAD/CHANGES.md#​2430---2023-11-27) ##### Added - Support custom rule sets for Ktlint. ([#​1896](https://github.com/diffplug/spotless/pull/1896)) ##### Fixed - Fix Eclipse JDT on some settings files. ([#​1864](https://github.com/diffplug/spotless/pull/1864) fixes [#​1638](https://github.com/diffplug/spotless/issues/1638)) ##### Changes - Bump default `ktlint` version to latest `1.0.0` -> `1.0.1`. ([#​1855](https://github.com/diffplug/spotless/pull/1855)) - Add a Step to remove semicolons from Groovy files. ([#​1881](https://github.com/diffplug/spotless/pull/1881)) ### [`v2.42.0`](https://github.com/diffplug/spotless/blob/HEAD/CHANGES.md#​2420---2023-09-28) ##### Added - Support for biome. The Rome project [was renamed to Biome](https://biomejs.dev/blog/annoucing-biome/). The configuration is still the same, but you should switch to the new `biome` tag / function and adjust the version accordingly. ([#​1804](https://github.com/diffplug/spotless/issues/1804)). - Support for `google-java-format`'s `skip-javadoc-formatting` option. ([#​1793](https://github.com/diffplug/spotless/pull/1793)) - Support configuration of mirrors for P2 repositories in Maven DSL ([#​1697](https://github.com/diffplug/spotless/issues/1697)). - New line endings mode `GIT_ATTRIBUTES_FAST_ALLSAME`. ([#​1838](https://github.com/diffplug/spotless/pull/1838)) ##### Fixed - Fix support for plugins when using Prettier version `3.0.0` and newer. ([#​1802](https://github.com/diffplug/spotless/pull/1802)) - Fix configuration cache issue around `external process started '/usr/bin/git --version'`. ([#​1806](https://github.com/diffplug/spotless/issues/1806)) ##### Changes - Bump default `flexmark` version to latest `0.64.0` -> `0.64.8`. ([#​1801](https://github.com/diffplug/spotless/pull/1801)) - Bump default `ktlint` version to latest `0.50.0` -> `1.0.0`. ([#​1808](https://github.com/diffplug/spotless/pull/1808)) </details> <details> <summary>quarkusio/quarkus</summary> ### [`v3.9.2`](https://github.com/quarkusio/quarkus/releases/tag/3.9.2) [Compare Source](https://github.com/quarkusio/quarkus/compare/3.9.1...3.9.2) ##### Complete changelog - [#​38964](https://github.com/quarkusio/quarkus/pull/38964) - Add smallrye metrics capability - [#​39668](https://github.com/quarkusio/quarkus/pull/39668) - Recompute cache when the redis connection pool is exhausted - [#​39705](https://github.com/quarkusio/quarkus/pull/39705) - WebSockets Next: error handlers part 1 - [#​39717](https://github.com/quarkusio/quarkus/issues/39717) - OIDC code flow access token verification is enforced even if the application code does not use it as JWT - [#​39718](https://github.com/quarkusio/quarkus/pull/39718) - Enforce OIDC code flow access token verification only if JWT is in the application code - [#​39725](https://github.com/quarkusio/quarkus/pull/39725) - Setting the correct CodeFlowVerifyAccessTokenDisabledTest test class name - [#​39742](https://github.com/quarkusio/quarkus/pull/39742) - Fix a remaining reference to quarkus.resteasy-reactive. prefix - [#​39746](https://github.com/quarkusio/quarkus/issues/39746) - ScheduledExecutorService: cannot remove future task from the scheduler - [#​39763](https://github.com/quarkusio/quarkus/pull/39763) - WebSockets Next: error handlers part 2 - [#​39766](https://github.com/quarkusio/quarkus/pull/39766) - Properly handle array class types to be looked up - [#​39770](https://github.com/quarkusio/quarkus/pull/39770) - Improve the multipart encoded mode handling in the rest client - [#​39776](https://github.com/quarkusio/quarkus/issues/39776) - Cannot build native image after 3.9.1 upgrade - missing configuration properties but they exist - [#​39777](https://github.com/quarkusio/quarkus/issues/39777) - Bean Param init issue - java.lang.NoClassDefFoundError: io/quarkus/generated/int$quarkusrestparamConverter$ - [#​39790](https://github.com/quarkusio/quarkus/pull/39790) - Add quarkus-credentials-deployment where it's missing - [#​39794](https://github.com/quarkusio/quarkus/pull/39794) - Bump org.jboss.threads:jboss-threads from 3.6.0.Final to 3.6.1.Final - [#​39797](https://github.com/quarkusio/quarkus/pull/39797) - Docs: fix typo in OIDC tenant resolution by configuration - [#​39798](https://github.com/quarkusio/quarkus/issues/39798) - Update documentation for QUARKUS AND GRADLE - Development mode: quarkusDev#workingDir has been deprecated - [#​39804](https://github.com/quarkusio/quarkus/pull/39804) - Always record profiles - [#​39823](https://github.com/quarkusio/quarkus/pull/39823) - Ensure ParameterConverter is loaded from the TCCL - [#​39829](https://github.com/quarkusio/quarkus/pull/39829) - Use quarkusDev#workingDirectory - [#​39835](https://github.com/quarkusio/quarkus/pull/39835) - Bump maven-model-helper to 36 ### [`v3.9.1`](https://github.com/quarkusio/quarkus/releases/tag/3.9.1) [Compare Source](https://github.com/quarkusio/quarkus/compare/3.9.0...3.9.1) ##### Complete changelog - [#​25682](https://github.com/quarkusio/quarkus/issues/25682) - Dev Services for Postgresql not working with Rancher - [#​36736](https://github.com/quarkusio/quarkus/pull/36736) - Manage Jose4j dependency in the bom - [#​36737](https://github.com/quarkusio/quarkus/issues/36737) - Add OpenAPI Filter usage to documentation - [#​39088](https://github.com/quarkusio/quarkus/issues/39088) - Solve POM formatting issues when creating project/adding extension/removing extension - [#​39224](https://github.com/quarkusio/quarkus/issues/39224) - WebSockets Next: support method parameter injection - [#​39313](https://github.com/quarkusio/quarkus/issues/39313) - prod-profile configuration pollutes test profile in integration tests - [#​39371](https://github.com/quarkusio/quarkus/pull/39371) - Avoid resolving plugin command after the first option - [#​39382](https://github.com/quarkusio/quarkus/pull/39382) - Preserve POM format when extensions are added/removed - [#​39385](https://github.com/quarkusio/quarkus/issues/39385) - smallrye-health should hande the case when Vert.x current context is null - [#​39388](https://github.com/quarkusio/quarkus/issues/39388) - Hibernate runtime property persisting after build - [#​39394](https://github.com/quarkusio/quarkus/pull/39394) - Handle null Vert.x context in smallrye-health - [#​39426](https://github.com/quarkusio/quarkus/pull/39426) - Do not record active profile configuration name if a profile one exists - [#​39443](https://github.com/quarkusio/quarkus/pull/39443) - Use Quarkus wide version of jna-platform in azure-functions - [#​39496](https://github.com/quarkusio/quarkus/issues/39496) - Gradle build cache prevents source packages to be installed to local Maven repository - [#​39513](https://github.com/quarkusio/quarkus/issues/39513) - `@SecureField` in members of the response class isn't applied - [#​39528](https://github.com/quarkusio/quarkus/issues/39528) - (Doc issue) Getting token using blocking or non blocking calls - [#​39544](https://github.com/quarkusio/quarkus/issues/39544) - OidcClient: Getting exception when trying to use tokenHelper - [#​39546](https://github.com/quarkusio/quarkus/issues/39546) - Make maxParameters of MultiPartUploadHandler configurable - [#​39549](https://github.com/quarkusio/quarkus/pull/39549) - Make max parameters of multipart handling configurable - [#​39564](https://github.com/quarkusio/quarkus/pull/39564) - Fix Quarkus REST Jackson `@SecureField` detection on subclasses, interface implementors, fileds of the fields, parametrized types and arrays - [#​39572](https://github.com/quarkusio/quarkus/pull/39572) - Remove mvnpm and webjars from the 404 page - [#​39574](https://github.com/quarkusio/quarkus/pull/39574) - Add a section about openapi filters in the doc - [#​39576](https://github.com/quarkusio/quarkus/pull/39576) - Fix semconv-stability.opt-in property name - [#​39578](https://github.com/quarkusio/quarkus/pull/39578) - Update quarkus-project-develocity-extension to 1.0.7 - [#​39579](https://github.com/quarkusio/quarkus/pull/39579) - Don't run CDI interceptors on class-level exception mappers - [#​39580](https://github.com/quarkusio/quarkus/pull/39580) - Fix directory name in vertx.adoc - [#​39581](https://github.com/quarkusio/quarkus/issues/39581) - The http metrics provide a path instead of REDIRECTION and NOT_FOUND when possible - [#​39583](https://github.com/quarkusio/quarkus/pull/39583) - Keep the URIs in the metrics tag if they match a client or server pattern - [#​39586](https://github.com/quarkusio/quarkus/issues/39586) - RestMulti is not sending headers if there is no content - [#​39587](https://github.com/quarkusio/quarkus/pull/39587) - Properly use headers from RestMulti when the multi is empty - [#​39589](https://github.com/quarkusio/quarkus/pull/39589) - Only Add OTel Security Events when span is recording - [#​39594](https://github.com/quarkusio/quarkus/pull/39594) - Redis: add documentation for replicas usage - [#​39595](https://github.com/quarkusio/quarkus/pull/39595) - Update one of OIDC certificate chain tests to use TenantConfigResolver - [#​39598](https://github.com/quarkusio/quarkus/issues/39598) - ClassNotFoundException for beanparam class with generics in external artifact - [#​39599](https://github.com/quarkusio/quarkus/issues/39599) - JsonObject is empty when used with resteasy-reactive - [#​39604](https://github.com/quarkusio/quarkus/pull/39604) - Do not record local sources in runtime config defaults. - [#​39615](https://github.com/quarkusio/quarkus/pull/39615) - Allow JsonObject and JsonArray to be used in any POJO for JSON handling - [#​39623](https://github.com/quarkusio/quarkus/issues/39623) - Type not consistent in sample code - [#​39626](https://github.com/quarkusio/quarkus/pull/39626) - Update parameter type to be consistent across the doc - [#​39628](https://github.com/quarkusio/quarkus/pull/39628) - Bump smallrye-jwt.version from 4.4.0 to 4.5.0 - [#​39630](https://github.com/quarkusio/quarkus/pull/39630) - Bump smallrye-reactive-messaging.version from 4.18.0 to 4.19.0 - [#​39638](https://github.com/quarkusio/quarkus/pull/39638) - Avoid all caching in DevModeClient - [#​39642](https://github.com/quarkusio/quarkus/pull/39642) - WebSocket Next: endpoint callback arguments injection - [#​39645](https://github.com/quarkusio/quarkus/pull/39645) - Improve the OIDC Client Quickstart document - [#​39651](https://github.com/quarkusio/quarkus/pull/39651) - Bump io.quarkus.bot:build-reporter-maven-extension from 3.5.0 to 3.6.0 - [#​39656](https://github.com/quarkusio/quarkus/pull/39656) - Bump maven-model-helper to 35 - [#​39661](https://github.com/quarkusio/quarkus/pull/39661) - Fix property name in OIDC docs - [#​39679](https://github.com/quarkusio/quarkus/pull/39679) - Bump mime4j version to 0.8.11 - [#​39682](https://github.com/quarkusio/quarkus/pull/39682) - Fix postgres datasource devservice not working with rancher-desktop on mac arm - [#​39691](https://github.com/quarkusio/quarkus/pull/39691) - Fix dev-mode issue with generated classes for Quarkus REST converters - [#​39699](https://github.com/quarkusio/quarkus/issues/39699) - UpxCompressionBuildStep Not Executed Since Quarkus 3.8.2 - [#​39702](https://github.com/quarkusio/quarkus/pull/39702) - Bring back erroneously removed `@BuildStep` - [#​39706](https://github.com/quarkusio/quarkus/pull/39706) - Use --no-daemon when calling gradle update ### [`v3.9.0`](https://github.com/quarkusio/quarkus/releases/tag/3.9.0) [Compare Source](https://github.com/quarkusio/quarkus/compare/3.8.3...3.9.0) ##### Complete changelog - [#​25101](https://github.com/quarkusio/quarkus/issues/25101) - \[CI] - quarkus-devtools-compat + Quarkus main - [#​27374](https://github.com/quarkusio/quarkus/issues/27374) - Update Quarkus CLI doc for installing specific version of the CLI to avoid printing warnings - [#​39144](https://github.com/quarkusio/quarkus/issues/39144) - WebSockets Next: documentation - [#​39315](https://github.com/quarkusio/quarkus/issues/39315) - `@ConfigMapping` handling of Maps is not compatible with old config classes - [#​39344](https://github.com/quarkusio/quarkus/issues/39344) - Avro schemas aren't generated in isolation - [#​39345](https://github.com/quarkusio/quarkus/pull/39345) - Isolate Avro schema code generation when using multiple schema files - [#​39363](https://github.com/quarkusio/quarkus/pull/39363) - Initial version of the WebSocket Next documentation - [#​39413](https://github.com/quarkusio/quarkus/pull/39413) - Refresh documentation (and some tests) of the Hibernate Search + ORM extension - [#​39427](https://github.com/quarkusio/quarkus/issues/39427) - Enforce authorization code flow access token verification if `JsonWebToken` is injected - [#​39428](https://github.com/quarkusio/quarkus/issues/39428) - Enforce OIDC UserInfo acquisition if `UserInfo` is injected - [#​39441](https://github.com/quarkusio/quarkus/issues/39441) - RESTEasy Reactive dependency added to deployment classpath of nearly all Quarkus apps - [#​39445](https://github.com/quarkusio/quarkus/pull/39445) - Remove Quarkus REST deployment dependency from Vertx HTTP deployment - [#​39447](https://github.com/quarkusio/quarkus/pull/39447) - Save concat indy allocations on JarResource::getResourceURL - [#​39454](https://github.com/quarkusio/quarkus/pull/39454) - Bump org.jboss.threads:jboss-threads from 3.5.1.Final to 3.6.0.Final - [#​39458](https://github.com/quarkusio/quarkus/pull/39458) - Enforce OIDC UserInfo acquisition and authorization code flow access token verification if UserInfo and JsonWebToken beans are injected - [#​39467](https://github.com/quarkusio/quarkus/pull/39467) - Fix codestarts compatibility with older CLI - [#​39468](https://github.com/quarkusio/quarkus/issues/39468) - ChainBuildException - Cycle detected after [#​39352](https://github.com/quarkusio/quarkus/issues/39352) MR - [#​39470](https://github.com/quarkusio/quarkus/pull/39470) - Remove the old MetricBuildItem SPI - [#​39471](https://github.com/quarkusio/quarkus/pull/39471) - Update to Vert.x 4.5.5 - [#​39472](https://github.com/quarkusio/quarkus/pull/39472) - Update SmallRye Config to 3.7.0 - [#​39474](https://github.com/quarkusio/quarkus/pull/39474) - Use explicit jar reference instead of GAV to avoid duplicate log warning - [#​39476](https://github.com/quarkusio/quarkus/pull/39476) - Fix the broken link to the OIDC client reference doc - [#​39477](https://github.com/quarkusio/quarkus/pull/39477) - Adjust toggle names in OTel InstrumentBuildTimeConfig - [#​39479](https://github.com/quarkusio/quarkus/issues/39479) - 3.9.0.CR2: NoClassDefFoundError: io/quarkus/security/spi/runtime/SecurityEvent - [#​39480](https://github.com/quarkusio/quarkus/pull/39480) - Fix security spi dependency on OTel - [#​39487](https://github.com/quarkusio/quarkus/pull/39487) - Allow occasional pin events in ShouldNotPin - [#​39491](https://github.com/quarkusio/quarkus/pull/39491) - Ignore the split access and refresh token cookies for resolving the tenant - [#​39519](https://github.com/quarkusio/quarkus/issues/39519) - OpenTelemetry - respect proxy settings in VertxGrpcExporter and VertxHttpExporter - [#​39522](https://github.com/quarkusio/quarkus/pull/39522) - Fix typos in rest doc - [#​39530](https://github.com/quarkusio/quarkus/pull/39530) - Update profile section in building-native-image.adoc - [#​39531](https://github.com/quarkusio/quarkus/pull/39531) - Use SmallRye Commons Inet - [#​39533](https://github.com/quarkusio/quarkus/issues/39533) - Class loader leak in configuration - [#​39536](https://github.com/quarkusio/quarkus/pull/39536) - Bump org.postgresql:postgresql from 42.7.2 to 42.7.3 - [#​39541](https://github.com/quarkusio/quarkus/pull/39541) - Update SmallRye Config to 3.7.1 - [#​39543](https://github.com/quarkusio/quarkus/pull/39543) - Enable proxy configuration for OpenTelemetry exporters - [#​39562](https://github.com/quarkusio/quarkus/pull/39562) - Bump io.smallrye.config:smallrye-config-source-yaml from 3.7.0 to 3.7.1 in /devtools/gradle ### [`v3.8.3`](https://github.com/quarkusio/quarkus/releases/tag/3.8.3) [Compare Source](https://github.com/quarkusio/quarkus/compare/3.8.2...3.8.3) ##### Complete changelog - [#​25453](https://github.com/quarkusio/quarkus/issues/25453) - Mutiny is not compatible with quarkus opentelemetry - [#​31497](https://github.com/quarkusio/quarkus/issues/31497) - Enabled micrometer.binder.http-server should also capture parameterized sub-resources - [#​39047](https://github.com/quarkusio/quarkus/issues/39047) - Reactive pg datasource with enabled health check opens more connections than configured - [#​39145](https://github.com/quarkusio/quarkus/issues/39145) - Hibernate schema validation is flaky and fails due missing tables (while the tables are present) - [#​39162](https://github.com/quarkusio/quarkus/pull/39162) - Add mapping to a Map\<String, ConfigObject> in the documentation - [#​39178](https://github.com/quarkusio/quarkus/pull/39178) - Update grpc-service-implementation.adoc - [#​39192](https://github.com/quarkusio/quarkus/pull/39192) - Make HTTP templates for observability work with subresources - [#​39197](https://github.com/quarkusio/quarkus/issues/39197) - Qute is not adding the right NativeImageResourceBuildItem when using a custom template root - [#​39204](https://github.com/quarkusio/quarkus/issues/39204) - Update partial extension names to include full extension names - [#​39216](https://github.com/quarkusio/quarkus/pull/39216) - Unwrap processing exception from REST Client when returning a Uni - [#​39223](https://github.com/quarkusio/quarkus/pull/39223) - Fix WithSpan uni and multi - [#​39225](https://github.com/quarkusio/quarkus/pull/39225) - Upgrade to Mutiny 2.5.8 - [#​39242](https://github.com/quarkusio/quarkus/issues/39242) - e quarkus-azure-functions-http generationg function.json with missing method. - [#​39245](https://github.com/quarkusio/quarkus/issues/39245) - dev-ui shows wrong property for rest-client - [#​39251](https://github.com/quarkusio/quarkus/pull/39251) - Make mutiny version of pool use the already configured vertx pool - [#​39252](https://github.com/quarkusio/quarkus/pull/39252) - Explicitly set all HTTP methods for Azure Functions - [#​39255](https://github.com/quarkusio/quarkus/pull/39255) - Fix config key for dev-ui - [#​39257](https://github.com/quarkusio/quarkus/issues/39257) - Quarkus 3.8.1: Use GraalVM sdk 23.1.2 over 23.0.1 - [#​39260](https://github.com/quarkusio/quarkus/pull/39260) - Bump GraalVM SDK version to 23.1.2 - [#​39265](https://github.com/quarkusio/quarkus/pull/39265) - Properly support sending InputStream in REST Client - [#​39266](https://github.com/quarkusio/quarkus/issues/39266) - ./mvnw --file $(pwd)/./pom.xml broken since quarkus 3.7.1 - [#​39270](https://github.com/quarkusio/quarkus/issues/39270) - Update the title of dev-ui.adoc - [#​39271](https://github.com/quarkusio/quarkus/pull/39271) - Update the title of dev-ui.adoc and fix minor typos - [#​39294](https://github.com/quarkusio/quarkus/pull/39294) - Qute: add correct NativeImageResourceBuildItem for custom template root - [#​39309](https://github.com/quarkusio/quarkus/pull/39309) - Normalize POM path - [#​39310](https://github.com/quarkusio/quarkus/issues/39310) - Wrong reference on list of injected beans - [#​39311](https://github.com/quarkusio/quarkus/pull/39311) - Be more consistent with extension names in datasource.adoc - [#​39316](https://github.com/quarkusio/quarkus/issues/39316) - Empty container-group not allowed in Quarkus 3.8.2 - [#​39319](https://github.com/quarkusio/quarkus/pull/39319) - org.graalvm.js:js was renamed to org.graalvm.polyglot:js-community - [#​39337](https://github.com/quarkusio/quarkus/pull/39337) - Fix rest-client-mutiny mention in the docs - [#​39350](https://github.com/quarkusio/quarkus/issues/39350) - Exception when building application with a lot of dependencies, String too large to record error - [#​39352](https://github.com/quarkusio/quarkus/pull/39352) - Make Hibernate / Micrometer integration run after schema creation - [#​39353](https://github.com/quarkusio/quarkus/pull/39353) - Allow config empty values in the Gradle worker - [#​39354](https://github.com/quarkusio/quarkus/pull/39354) - Add note about pre-matching filters execution model - [#​39368](https://github.com/quarkusio/quarkus/issues/39368) - Submodule on second level fails to find itself in dev mode - [#​39372](https://github.com/quarkusio/quarkus/pull/39372) - Replace `org.graalvm.sdk:graal-sdk` dependency with `org.graalvm.sdk:nativeimage` - [#​39379](https://github.com/quarkusio/quarkus/pull/39379) - Bump org.apache.commons:commons-compress from 1.26.0 to 1.26.1 - [#​39383](https://github.com/quarkusio/quarkus/pull/39383) - Typo at OIDC Client Mutual TLS config properties - [#​39386](https://github.com/quarkusio/quarkus/pull/39386) - Update to Brotli4J 1.16.0 - [#​39402](https://github.com/quarkusio/quarkus/pull/39402) - ArC: fix creation of synthetic beans - [#​39411](https://github.com/quarkusio/quarkus/pull/39411) - Fix typo in Building my first extension - [#​39418](https://github.com/quarkusio/quarkus/pull/39418) - Use the value of project/default-codestart from the platform descriptor as the default codestart instead of a hardcoded value - [#​39430](https://github.com/quarkusio/quarkus/pull/39430) - Fix misleading error message when REST Client interface has been indexed - [#​39434](https://github.com/quarkusio/quarkus/pull/39434) - Qute: fix the NoRestartTemplatesDevModeTest on Windows - [#​39437](https://github.com/quarkusio/quarkus/pull/39437) - Make sure the current project location isn't overridden by other modules with the same groupId and artifactId - [#​39440](https://github.com/quarkusio/quarkus/issues/39440) - graal-sdk in 23.1.x brings in `org.graalvm.polyglot` which causes a couple of issues (wrap up) - [#​39442](https://github.com/quarkusio/quarkus/pull/39442) - Exclude org.graalvm.polyglot:polyglot from graal-sdk ### [`v3.8.2`](https://github.com/quarkusio/quarkus/releases/tag/3.8.2) [Compare Source](https://github.com/quarkusio/quarkus/compare/3.8.1...3.8.2) ##### Complete changelog - [#​19849](https://github.com/quarkusio/quarkus/issues/19849) - Reactive rest client invoke MessageBodyReader.isReadable with null value of annotations parameter - [#​27999](https://github.com/quarkusio/quarkus/issues/27999) - quarkus.datasource."datasource-name".jdbc.min-size not honored if max-lifetime is set - [#​35993](https://github.com/quarkusio/quarkus/issues/35993) - Event-loop thread blocked when connecting to an unavailable OIDC server - [#​37984](https://github.com/quarkusio/quarkus/issues/37984) - Custom SecretsKeyHandler not found after update to 3.6.4 - [#​38007](https://github.com/quarkusio/quarkus/issues/38007) - Failure to resolve encrypted configuration properties with the Gradle plugin - [#​38392](https://github.com/quarkusio/quarkus/issues/38392) - Application.properties string substitution does not work when using gradle variables - [#​38424](https://github.com/quarkusio/quarkus/issues/38424) - application-test.yml is not utilized during tests executed during gradle build - [#​38435](https://github.com/quarkusio/quarkus/pull/38435) - Fix CLI not recognizing installed plugins - [#​38900](https://github.com/quarkusio/quarkus/pull/38900) - Bump Smallrye Reactive Messaging from 4.16.2 to 4.17.0 - [#​38971](https://github.com/quarkusio/quarkus/pull/38971) - Clarify that `quarkus.profile` cannot be set from a profile aware file - [#​38988](https://github.com/quarkusio/quarkus/pull/38988) - Do not expand configuration for Gradle cache - [#​38989](https://github.com/quarkusio/quarkus/issues/38989) - cert chain public key resolver thumbprints - [#​39001](https://github.com/quarkusio/quarkus/pull/39001) - Update to Vert.x 4.5.4 and Netty 4.1.107 - [#​39021](https://github.com/quarkusio/quarkus/pull/39021) - Upgrade to testcontainers 1.19.6 - [#​39023](https://github.com/quarkusio/quarkus/pull/39023) - Remove selector field from generated Job manifest in docs - [#​39041](https://github.com/quarkusio/quarkus/issues/39041) - JAX-RS seeOther does not work with IPv6 - [#​39046](https://github.com/quarkusio/quarkus/pull/39046) - Make sure Response and RestResponse work properly with IPv6 addresses - [#​39057](https://github.com/quarkusio/quarkus/pull/39057) - Skip analysis of plugin executions with phases post quarkus:dev preparing for dev mode launch - [#​39059](https://github.com/quarkusio/quarkus/issues/39059) - Exception in blocking graphql query is wrapped - [#​39063](https://github.com/quarkusio/quarkus/pull/39063) - Fix the OIDC token verification failure with the inlined cert chain - [#​39067](https://github.com/quarkusio/quarkus/pull/39067) - Updates to Infinispan 14.0.25.Final - [#​39068](https://github.com/quarkusio/quarkus/pull/39068) - Optionally run DNS lookup for OIDC server requests on worker thread - [#​39069](https://github.com/quarkusio/quarkus/pull/39069) - Do not fail UPX if compression level is not given - [#​39070](https://github.com/quarkusio/quarkus/pull/39070) - Doc: add Pulsar in Dev Services Overview - [#​39072](https://github.com/quarkusio/quarkus/pull/39072) - Update to Agroal 2.3 - [#​39078](https://github.com/quarkusio/quarkus/pull/39078) - Unwrap actual GraphQL data fetching exception if it is wrapped - [#​39093](https://github.com/quarkusio/quarkus/pull/39093) - Fix cross-references in the Vert.x Reference Guide - [#​39094](https://github.com/quarkusio/quarkus/pull/39094) - Emphasize the need to add quarkus-junit5-mockito as a dependency to use mock injection - [#​39102](https://github.com/quarkusio/quarkus/pull/39102) - Properly pass annotations to MessageBodyReader in REST Client - [#​39120](https://github.com/quarkusio/quarkus/issues/39120) - Startup fails with Kafka Stream if topics for topics check not defined when check is disabled - [#​39121](https://github.com/quarkusio/quarkus/pull/39121) - Do not fail on resolve kafka streams topics when topics check disabled - [#​39122](https://github.com/quarkusio/quarkus/pull/39122) - Use bcrypt password mapper in elytron-security-jdbc docs - [#​39123](https://github.com/quarkusio/quarkus/issues/39123) - Quarkus Dev Services passes wrong volume path to Docker on Windows - [#​39130](https://github.com/quarkusio/quarkus/issues/39130) - When building images with jib the fast-jar-lib layer is always changed - [#​39136](https://github.com/quarkusio/quarkus/pull/39136) - Fix wrong volume host path being used on Windows - [#​39147](https://github.com/quarkusio/quarkus/pull/39147) - Keep the timestamps when copying jars and building JIB layers - [#​39160](https://github.com/quarkusio/quarkus/pull/39160) - Fail on conflicting deployment kinds - [#​39168](https://github.com/quarkusio/quarkus/pull/39168) - Remove misleading note from jacoco.enabled - [#​39169](https://github.com/quarkusio/quarkus/issues/39169) - Unable to produce multiple synthetic beans of same type having different identifiers - [#​39179](https://github.com/quarkusio/quarkus/pull/39179) - Allow setting the SettingsDecrypter when initializing a Maven artifact resolver - [#​39181](https://github.com/quarkusio/quarkus/pull/39181) - ArC: fix BeanConfiguratorBase#read() - [#​39201](https://github.com/quarkusio/quarkus/pull/39201) - Bump quarkus-http.version from 5.2.0.Final to 5.2.1.Final - [#​39203](https://github.com/quarkusio/quarkus/pull/39203) - Fix typo in testing Getting Started guide example ### [`v3.8.1`](https://github.com/quarkusio/quarkus/releases/tag/3.8.1) [Compare Source](https://github.com/quarkusio/quarkus/compare/3.8.0...3.8.1) ##### Complete changelog - [#​5314](https://github.com/quarkusio/quarkus/issues/5314) - Subresouce init resource failed when using `ResourceContext.getResource` - [#​36427](https://github.com/quarkusio/quarkus/issues/36427) - Keycloak admin client fail with "authHeader" is null when using classic extensions - [#​37065](https://github.com/quarkusio/quarkus/issues/37065) - Azure Functions Http: missing HTTP method definitions for delete and patch - [#​37779](https://github.com/quarkusio/quarkus/issues/37779) - No healthcheck for default Agroal datasource if `quarkus.datasource.db-kind` is not set - [#​37962](https://github.com/quarkusio/quarkus/issues/37962) - Can't specify custom quarkus.profile when running tests - [#​38557](https://github.com/quarkusio/quarkus/issues/38557) - Overwriting application configuration does not work with .env File - [#​38798](https://github.com/quarkusio/quarkus/issues/38798) - Using custom header in REST client together with `@NotBody` annotated argument results in warning from EndpointIndexer - [#​38880](https://github.com/quarkusio/quarkus/issues/38880) - CronJob deployment doesn't work due to `selector` field - [#​38881](https://github.com/quarkusio/quarkus/pull/38881) - Remove selector field if it's empty from manifest - [#​38891](https://github.com/quarkusio/quarkus/pull/38891) - Reduce message log level - [#​38895](https://github.com/quarkusio/quarkus/pull/38895) - Make VertxGrpcExporter more robust - [#​38899](https://github.com/quarkusio/quarkus/pull/38899) - Fix Keycloak Admin Client Classic when used with the RESTEasy JSON-B and REST Client JSON-B extensions - [#​38901](https://github.com/quarkusio/quarkus/issues/38901) - OidcProvider throws NPE when certificate chain is configured with OIDC server which has no JWK keys at the startup - [#​38909](https://github.com/quarkusio/quarkus/pull/38909) - Bump org.postgresql:postgresql from 42.7.1 to 42.7.2 - [#​38923](https://github.com/quarkusio/quarkus/pull/38923) - Allow all HTTP methods in Azure functions - [#​38925](https://github.com/quarkusio/quarkus/pull/38925) - Improve shutdown of VertxHttpExporter and VertxGrpcExporter - [#​38927](https://github.com/quarkusio/quarkus/pull/38927) - Use supplier in order to properly have mutiny retry - [#​38928](https://github.com/quarkusio/quarkus/issues/38928) - quarkus-quartz: CDIAwareJob destroys instance of Quartz Job too early when Job is a `@Dependent` bean - [#​38932](https://github.com/quarkusio/quarkus/pull/38932) - Fix NPE when OIDC token must be verified with the chain with OIDC server returning no JWKs - [#​38934](https://github.com/quarkusio/quarkus/issues/38934) - Agroal Data Source Health check failing for reactive data source - [#​38935](https://github.com/quarkusio/quarkus/pull/38935) - Upgrade to Mutiny 2.5.7 - [#​38938](https://github.com/quarkusio/quarkus/pull/38938) - Propagate user.dir to Gradle worker - [#​38944](https://github.com/quarkusio/quarkus/pull/38944) - Bump smallrye-open-api.version from 3.9.0 to 3.10.0 - [#​38949](https://github.com/quarkusio/quarkus/issues/38949) - Postgresql bump causing detection of instance Random/SplittableRandom - [#​38952](https://github.com/quarkusio/quarkus/issues/38952) - Properly pass errors from JsonRPC backends to Dev UI - [#​38953](https://github.com/quarkusio/quarkus/pull/38953) - Unwrap the actual failure from JsonRPC if it's wrapped - [#​38955](https://github.com/quarkusio/quarkus/pull/38955) - Try to get more disk space - [#​38957](https://github.com/quarkusio/quarkus/pull/38957) - Quartz - fix `@Dependent` job creation/destruction when there is a re-fire - [#​38958](https://github.com/quarkusio/quarkus/pull/38958) - Runtime reinitialize org.postgresql.util.PasswordUtil$SecureRandomHolder - [#​38959](https://github.com/quarkusio/quarkus/pull/38959) - Agroal - Only generate health checks for JDBC datasources - [#​38978](https://github.com/quarkusio/quarkus/pull/38978) - Bump org.mariadb.jdbc:mariadb-java-client from 3.3.2 to 3.3.3 - [#​38979](https://github.com/quarkusio/quarkus/pull/38979) - Propagate quarkus.test.profile to Gradle worker - [#​38986](https://github.com/quarkusio/quarkus/pull/38986) - Add missing brace in property expression - [#​38990](https://github.com/quarkusio/quarkus/issues/38990) - Quarkus 3.7.4 java.lang.ClassNotFoundException when running devsevices with gradle - [#​38995](https://github.com/quarkusio/quarkus/pull/38995) - Take client methods into account in server endpoint indexer - [#​38997](https://github.com/quarkusio/quarkus/pull/38997) - Add hint about exporter collector protocol on generic gRPC error - [#​38999](https://github.com/quarkusio/quarkus/pull/38999) - Remove JetBrains `@Nullable` from RESTEasy Reactive code - [#​39006](https://github.com/quarkusio/quarkus/pull/39006) - Bump Keycloak version to 23.0.7 - [#​39020](https://github.com/quarkusio/quarkus/pull/39020) - Make VertxHttpExporter more robust - [#​39022](https://github.com/quarkusio/quarkus/issues/39022) - `JAVA_APP_DIR` should be set for container images - [#​39024](https://github.com/quarkusio/quarkus/pull/39024) - Set JAVA_APP_DIR env var when necessary - [#​39028](https://github.com/quarkusio/quarkus/pull/39028) - Make Sub Resources unremovable beans - [#​39029](https://github.com/quarkusio/quarkus/pull/39029) - Update to Brotli 1.14.0 - [#​39031](https://github.com/quarkusio/quarkus/pull/39031) - Add commons-codec to Dev Services dependencies ### [`v3.8.0`](https://github.com/quarkusio/quarkus/releases/tag/3.8.0) [Compare Source](https://github.com/quarkusio/quarkus/compare/3.7.4...3.8.0) ##### Complete changelog - [#​35686](https://github.com/quarkusio/quarkus/issues/35686) - Sporadic "Failed to export spans. The request could not be executed. Full error message: Stream was closed" ### [`v3.7.4`](https://github.com/quarkusio/quarkus/releases/tag/3.7.4) [Compare Source](https://github.com/quarkusio/quarkus/compare/3.7.3...3.7.4) ##### Complete changelog - [#​37608](https://github.com/quarkusio/quarkus/issues/37608) - gRPC starter app is using legacy approach, single HTTP server should be used instead - [#​38236](https://github.com/quarkusio/quarkus/issues/38236) - Adding a decorator causes bytecode error - [#​38504](https://github.com/quarkusio/quarkus/issues/38504) - NPE on oidc-client when quarkus.oidc-client.grant-options.password.password not provided - [#​38533](https://github.com/quarkusio/quarkus/issues/38533) - 'Unable to find a JDBC driver' for Hibernate Reactive after updating to 3.7.1 - [#​38683](https://github.com/quarkusio/quarkus/issues/38683) - Build time performance regression and bigger native binaries when migrating from 3.5 to 3.6 or 3.7 - [#​38688](https://github.com/quarkusio/quarkus/pull/38688) - Making sure deployment modules excluded in POM files aren't pulled in by the Gradle plugin - [#​38721](https://github.com/quarkusio/quarkus/issues/38721) - Java 21: `@VirtualThreadUnit` produces very slow tests - [#​38763](https://github.com/quarkusio/quarkus/issues/38763) - Enable an injection of the OIDC code flow access token verificaton material - [#​38767](https://github.com/quarkusio/quarkus/pull/38767) - Fail early if OIDC client password grant is misconfigured - [#​38771](https://github.com/quarkusio/quarkus/pull/38771) - Adds an implementation note about `@VirtualThreadUnit` limitations - [#​38775](https://github.com/quarkusio/quarkus/pull/38775) - Use the right MongoDB ClientSession interface - [#​38776](https://github.com/quarkusio/quarkus/issues/38776) - OidcRequestFilter with OidcEndpoint applied to all endpoints - [#​38777](https://github.com/quarkusio/quarkus/issues/38777) - OIDC Code flow access token verification goes ahead even if the ID token verification has failed - [#​38779](https://github.com/quarkusio/quarkus/pull/38779) - Fix OidcEndpoint annotation processing - [#​38784](https://github.com/quarkusio/quarkus/pull/38784) - Fix guide URL in RESTEasy Client extension - [#​38785](https://github.com/quarkusio/quarkus/pull/38785) - ArC: fix interception when some methods return void - [#​38798](https://github.com/quarkusio/quarkus/issues/38798) - Using custom header in REST client together with `@NotBody` annotated argument results in warning from EndpointIndexer - [#​38800](https://github.com/quarkusio/quarkus/pull/38800) - Don't warn about `@NotBody` use in `@GET` methods in REST Client - [#​38802](https://github.com/quarkusio/quarkus/issues/38802) - Multipart form data is interpreted as a file although it's not a file - [#​38803](https://github.com/quarkusio/quarkus/issues/38803) - OIDC server is erroneously shown as not available - [#​38810](https://github.com/quarkusio/quarkus/pull/38810) - Expand types which are considered text in multipart handling - [#​38815](https://github.com/quarkusio/quarkus/issues/38815) - Support security identity propagation in VT - [#​38816](https://github.com/quarkusio/quarkus/pull/38816) - Propagate Vert.x context on all ExecutorService methods for VirtualThreadExecutor - [#​38817](https://github.com/quarkusio/quarkus/issues/38817) - Mocking Singleton does not work even when using `@MockitoConfig`(convertScopes = true) - Bean produced from factory method - [#​38818](https://github.com/quarkusio/quarkus/pull/38818) - Allow `RunAndCheckMojoTestBase` subclasses to override how much memory extension tests are allowed - [#​38819](https://github.com/quarkusio/quarkus/pull/38819) - Add response text to the OIDC bootstrap log errors - [#​38821](https://github.com/quarkusio/quarkus/pull/38821) - Configure SISU bean filtering for the bootstrap Maven resolver - [#​38824](https://github.com/quarkusio/quarkus/issues/38824) - Memory leak when using FT Fallback with dependent beans - [#​38833](https://github.com/quarkusio/quarkus/issues/38833) - Keycloak Admin Client Reactive error id: [`9009f9b`](https://github.com/quarkusio/quarkus/commit/9009f9b4)-1d58-4011-9ff2-49b87bb59ddd-1: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because "authHeader" is null - [#​38836](https://github.com/quarkusio/quarkus/pull/38836) - Fix Keycloak Admin Client Reactive Jackson reader provider priority so that the client can work when the JSONB REST client extension is present - [#​38837](https://github.com/quarkusio/quarkus/issues/38837) - Quarkus create new project fails when -DnoCode is used and artifactId is not set properly - [#​38843](https://github.com/quarkusio/quarkus/pull/38843) - Check the code flow access token after ID token - [#​38844](https://github.com/quarkusio/quarkus/pull/38844) - Fix copy/paste typo - [#​38849](https://github.com/quarkusio/quarkus/pull/38849) - Ensure that generated project GAV is always set - [#​38851](https://github.com/quarkusio/quarkus/issues/38851) - Kafka integration tests fail with latest Mandrel/GraalVM 24.1-dev builds - [#​38853](https://github.com/quarkusio/quarkus/pull/38853) - \[3.7] Perform security checks on inherited endpoints before payload deserialization in the RESTEasy Reactive - [#​38855](https://github.com/quarkusio/quarkus/pull/38855) - Make registration of OAuthBearerValidatorCallbackHandler conditional - [#​38858](https://github.com/quarkusio/quarkus/pull/38858) - Testing: fix `@MockitoConfig`(convertScopes=true) with auto-producers - [#​38859](https://github.com/quarkusio/quarkus/pull/38859) - Fix warning when launching dev mode specifying quarkus-maven-plugin GAV on the command line - [#​38865](https://github.com/quarkusio/quarkus/pull/38865) - Update commons-compress version to mitigate CVE-2024-25710 - [#​38866](https://github.com/quarkusio/quarkus/issues/38866) - Sporadic error in custom readiness check using `keycloak-admin-client`: `IllegalStateException: Client is closed` - [#​38868](https://github.com/quarkusio/quarkus/pull/38868) - Add config flag to disable jacoco - [#​38882](https://github.com/quarkusio/quarkus/pull/38882) - Quartz - prevent memory leak when Job instance is a `@Dependent` bean - [#​38886](https://github.com/quarkusio/quarkus/pull/38886) - Ignore `ValidationSchema` that results in registering all models - [#​38888](https://github.com/quarkusio/quarkus/pull/38888) - SmallRye Health: terminate request context properly - [#​38889](https://github.com/quarkusio/quarkus/issues/38889) - Kafka reactive messaging extension incompatible with Micrometer Prometheus extension for Quarkus 3.7.\* - [#​38890](https://github.com/quarkusio/quarkus/pull/38890) - Log resolved OIDC tenant id and how the bearer token is found - [#​38894](https://github.com/quarkusio/quarkus/pull/38894) - Disable messaging observation by default for backwards compatibility - [#​38897](https://github.com/quarkusio/quarkus/pull/38897) - Attempt to fix flaky DependentBeanJobTest ### [`v3.7.3`](https://github.com/quarkusio/quarkus/releases/tag/3.7.3) [Compare Source](https://github.com/quarkusio/quarkus/compare/3.7.2...3.7.3) ##### Complete changelog - [#​36341](https://github.com/quarkusio/quarkus/issues/36341) - The API method KafkaStreams#cleanUp() is not applicable when use `@Produces` to build the topology - [#​37091](https://github.com/quarkusio/quarkus/pull/37091) - Fix VertxGrpcExporter reponse status handling - [#​37911](https://github.com/quarkusio/quarkus/pull/37911) - Store since JavaDoc tag in the configuration metadata, so that Quarkiverse projects can render it in their documentation if they like - [#​38055](https://github.com/quarkusio/quarkus/issues/38055) - Make annotation app.quarkus.io/vcs-uri optional in Kubernetes extension - [#​38079](https://github.com/quarkusio/quarkus/pull/38079) - Make OidcTestSecurityIdentityAugmentor faster by making privateKey's generation final and static - [#​38196](https://github.com/quarkusio/quarkus/pull/38196) - Use Vert.x pool with Jackson - [#​38477](https://github.com/quarkusio/quarkus/pull/38477) - Add disabled workflow to deploy snapshots in Quarkiverse extensions - [#​38489](https://github.com/quarkusio/quarkus/issues/38489) - OIDC authentication.extra-params not added to dev-services auth request - [#​38602](https://github.com/quarkusio/quarkus/issues/38602) - QuarkusComponentTest: `@TestConfigProperties` not applicable to method (override multiple config properties) - [#​38607](https://github.com/quarkusio/quarkus/pull/38607) - Gradle: fix IllegalStateException when resolving project deps - [#​38613](https://github.com/quarkusio/quarkus/issues/38613) - RabbitMQ Health Checks cannot be disabled from 3.7+ - [#​38615](https://github.com/quarkusio/quarkus/pull/38615) - Updates to Infinispan 14.0.24.Final - [#​38619](https://github.com/quarkusio/quarkus/pull/38619) - Pass extra authentication params in the OIDC DevUI code flow redirect URL - [#​38626](https://github.com/quarkusio/quarkus/pull/38626) - Bump org.junit.jupiter:junit-jupiter from 5.10.1 to 5.10.2 - [#​38650](https://github.com/quarkusio/quarkus/issues/38650) - UI doesn't work correct with umlauts - [#​38653](https://github.com/quarkusio/quarkus/pull/38653) - Enforce Dev UI charset to UTF-8 - [#​38655](https://github.com/quarkusio/quarkus/pull/38655) - Allow for multiple TestConfigProperty annotations on methods - [#​38656](https://github.com/quarkusio/quarkus/pull/38656) - Upgrade the Mutiny Vert.x bindings to 3.9.0 - [#​38658](https://github.com/quarkusio/quarkus/issues/38658) - Configure a REST Client ClientLogger vía CDI - [#​38662](https://github.com/quarkusio/quarkus/pull/38662) - Bump io.smallrye.config:smallrye-config-source-yaml from 3.5.2 to 3.5.4 in /devtools/gradle - [#​38663](https://github.com/quarkusio/quarkus/issues/38663) - ContainerRequestContext.getUriInfo().getMatchedURIs() IndexOutOfBoundsException - [#​38664](https://github.com/quarkusio/quarkus/pull/38664) - Bump Smallrye RM from 4.16.0 to 4.16.1 - [#​38670](https://github.com/quarkusio/quarkus/pull/38670) - Make ClientLogger beans unremovable - [#​38671](https://github.com/quarkusio/quarkus/pull/38671) - Redis Client: improve documentation for sentinel and cluster - [#​38672](https://github.com/quarkusio/quarkus/pull/38672) - Remove WATCH Command in absence of Optimistic Locking - [#​38673](https://github.com/quarkusio/quarkus/pull/38673) - Fix OidcRequestFiler typo in security docs - [#​38674](https://github.com/quarkusio/quarkus/pull/38674) - Improve flaky test - [#​38675](https://github.com/quarkusio/quarkus/pull/38675) - Correct example generated yaml in extension metadata docs - [#​38676](https://github.com/quarkusio/quarkus/issues/38676) - OpenAPI does not fill roles in SecurityScheme in schema - [#​38680](https://github.com/quarkusio/quarkus/pull/38680) - Log how Keycloak devservice maps resources - [#​38681](https://github.com/quarkusio/quarkus/pull/38681) - Upgrade to Hibernate ORM 6.4.4.Final / bytebuddy 1.14.11 - [#​38686](https://github.com/quarkusio/quarkus/pull/38686) - Make GraphQL Metrics End when Exceptional - [#​38692](https://github.com/quarkusio/quarkus/pull/38692) - Bump com.gradle:gradle-enterprise-maven-extension from 1.20 to 1.20.1 - [#​38693](https://github.com/quarkusio/quarkus/pull/38693) - Bump commons-codec:commons-codec from 1.16.0 to 1.16.1 - [#​38694](https://github.com/quarkusio/quarkus/pull/38694) - OpenAPI: remove check that avoids running auto-security at build - [#​38703](https://github.com/quarkusio/quarkus/issues/38703) - RESTEasy Reactive Multipart struggles with non-file binary uploads - [#​38705](https://github.com/quarkusio/quarkus/pull/38705) - Kafka Streams fire event after created and before scheduling the start - [#​38706](https://github.com/quarkusio/quarkus/issues/38706) - Elasticsearch container reuse creates a new container on each run - [#​38709](https://github.com/quarkusio/quarkus/pull/38709) - Don't provide empty paths when using a root prefix - [#​38710](https://github.com/quarkusio/quarkus/pull/38710) - Avoid Vert.x GraphQL deprecation warning - [#​38712](https://github.com/quarkusio/quarkus/pull/38712) - Bump Smallrye RM from 4.16.1 to 4.16.2 - [#​38713](https://github.com/quarkusio/quarkus/pull/38713) - Only configure shared network for Elasticsearch/OpenSearch containers where necessary - [#​38714](https://github.com/quarkusio/quarkus/pull/38714) - Don't assume that multipart part without filename is always text - [#​38728](https://github.com/quarkusio/quarkus/pull/38728) - Encode Kafka messages with UTF8 - [#​38730](https://github.com/quarkusio/quarkus/issues/38730) - Accept-Header in hibernate validator's ResteasyReactiveLocaleResolver is resolved case-sensitive - [#​38732](https://github.com/quarkusio/quarkus/issues/38732) - Quarkus should still allow to create project with Java 11 (for older streams and other platforms) - [#​38733](https://github.com/quarkusio/quarkus/pull/38733) - Allow Java 11 as LTS for older streams and other platforms - [#​38738](https://github.com/quarkusio/quarkus/pull/38738) - Make accept header check in validation case insensitive - [#​38748](https://github.com/quarkusio/quarkus/pull/38748) - Sanitize app.dekorate.io/vcs-url kubernetes annotation - [#​38755](https://github.com/quarkusio/quarkus/pull/38755) - Log when a RestEasy Reactive client close method is called - [#​38756](https://github.com/quarkusio/quarkus/pull/38756) - Bump Keycloak version to 23.0.6 - [#​38760](https://github.com/quarkusio/quarkus/pull/38760) - Set COMPILE_ONLY flag on relevant dependencies that appear on DEPLOYMENT_CP and RUNTIME_CP ### [`v3.7.2`](https://github.com/quarkusio/quarkus/releases/tag/3.7.2) [Compare Source](https://github.com/quarkusio/quarkus/compare/3.7.1...3.7.2) ##### Complete changelog - [#​37807](https://github.com/quarkusio/quarkus/issues/37807) - SSL requests hang when returning a CompletableFuture - [#​38101](https://github.com/quarkusio/quarkus/issues/38101) - smallrye-openapi property `oidc-open-id-connect-url` might not be fixed at build time - [#​38231](https://github.com/quarkusio/quarkus/pull/38231) - OpenAPI: Always run OpenIDConnectSecurityFilter at runtime - [#​38310](https://github.com/quarkusio/quarkus/pull/38310) - Add note about the two quarkus-extension files - [#​38394](https://github.com/quarkusio/quarkus/issues/38394) - quarkus-cache: "keyGenerator" destroyed, even if it is annotated with "Singleton" - [#​38397](https://github.com/quarkusio/quarkus/pull/38397) - Use actions/setup-java GPG key feature - [#​38411](https://github.com/quarkusio/quarkus/pull/38411) - Cache: only dependent CacheKeyGenerator beans are destroyed after use - [#​38422](https://github.com/quarkusio/quarkus/issues/38422) - nested configurations in extension: sub-property is seen as nested entity. - [#​38431](https://github.com/quarkusio/quarkus/issues/38431) - `quarkus.oidc-token-propagation-reactive.enabled-during-authentication` does not work correctly in the code flow - [#​38442](https://github.com/quarkusio/quarkus/pull/38442) - Make sure the code flow access token is propagated during the authentication - [#​38444](https://github.com/quarkusio/quarkus/pull/38444) - Fix request hanging condition - [#​38451](https://github.com/quarkusio/quarkus/issues/38451) - Remove workaround for HHH-17683 in Panache - [#​38479](https://github.com/quarkusio/quarkus/issues/38479) - Stricter and false positive env variables validation after upgrade to 3.7.0 - [#​38483](https://github.com/quarkusio/quarkus/pull/38483) - Add a tool to check cross references - [#​38488](https://github.com/quarkusio/quarkus/pull/38488) - Update to Vert.x 4.5.2 - [#​38495](https://github.com/quarkusio/quarkus/pull/38495) - Add org.graalvm.regex:regex to runnerParentFirstArtifacts - [#​38499](https://github.com/quarkusio/quarkus/issues/38499) - Alpn property not work in rest client reactive - [#​38500](https://github.com/quarkusio/quarkus/pull/38500) - Make quarkus.rest-client.alpn work in programmatically created client - [#​38506](https://github.com/quarkusio/quarkus/issues/38506) - lombok warning when building with 3.7.1 - [#​38514](https://github.com/quarkusio/quarkus/issues/38514) - Alpn property not work for single rest client reactive - [#​38516](https://github.com/quarkusio/quarkus/pull/38516) - Add missing alpn config key handling from named config - [#​38521](https://github.com/quarkusio/quarkus/issues/38521) - Panache sorting no longer works for embedded fields in Quarkus 3.7.1 - [#​38525](https://github.com/quarkusio/quarkus/pull/38525) - Fix typo in RedisClientConfig JavaDoc - [#​38527](https://github.com/quarkusio/quarkus/pull/38527) - Revert "Escape column names with backticks in order by clause of hql query" - [#​38543](https://github.com/quarkusio/quarkus/issues/38543) - LinksProcessor ID field error for native class HalCollectionWrapper - [#​38545](https://github.com/quarkusio/quarkus/issues/38545) - Enhance Adding extension section in cli-tooling documentation page - [#​38546](https://github.com/quarkusio/quarkus/pull/38546) - Add globbing pattern to cli-tooling.adoc - [#​38548](https://github.com/quarkusio/quarkus/pull/38548…
Overall idea is the same as #3067 but couple changes to implementation and presesntation:
PasswordUtil
no longer concerns itself with connections. It just hashes passwords and encodes them for using in the DB.alterUserPassword(...)
toPGConnnection
. That's our "public API" for everything PG-specific so it seemed like a better home than havingPasswordUtil
deal with java.sql.*.Splitting out the encoding allows the same functions to be used for
CREATE USER ...
(again without passing the credentials in plaintext). The updated test:PGConnection
methodTests are run against the servers's default password encryption method, the driver's default password encryption method,
md5
, andscram-sha-256
(for v11+).If a new encryption method gets added to the server and is marked as the default then it should break our CI (which is good).
As part of this one more helper was added to TestUtil for executing SQL with a string arg. And an internal bytes-to-hex method in MD5Digest was marked public but it's not part of the "public API" package so I think that's fine.
@davecramer Besides the structure and hashing, take a peek at the comments too as I tried to explain what this is really doing despite the poor verbiage on the server (it's not "encryption", it's hashing...), whilst sticking to the server's language as much as possible.
===
All Submissions:
New Feature Submissions:
./gradlew styleCheck
pass ?