Bump classgraph from 4.8.47 to 4.8.52

[dependabot-preview]

Bumps classgraph from 4.8.47 to 4.8.52.

Release notes

Sourced from classgraph's releases.

classgraph-4.8.52

Remove the shutdown hook entirely (#376).

A shutdown hook has been in place for numerous releases, and its purpose was to call ScanResult#close() on any open ScanResult instances before JVM shutdown, in order to free up resources (delete any temporary files that had to be created to extract deflated nested jars; unmap mapped byte buffers; close open modules; close open files; free up allocated memory; etc.). However the JVM's own shutdown processes should take care of all of these steps, including the removal of any temporary files that are created, as they are marked for deletion on JVM shutdown. More importantly, ScanResult implements Autocloseable, and the ClassGraph documentation strongly recommends assigning ScanResult in a try-with-resources block so that each ScanResult is properly closed, so the shutdown hook was always just a fallback.

If you want to close all open (unclosed) ScanResult instances at once, you can call the new static method ScanResult.closeAll(). You might want to do this on container unload/destroy, in a containerized runtime.

ClassGraph automatically registers lifecycle listeners for servlet containers and Spring applications that call ScanResult.closeAll(), to ensure that resources are properly freed when containers are destroyed or unloaded.

Note that if you call ScanResult.closeAll(), you need to ensure that the lifecycle of the classloader matches the lifecycle of your application, or that two concurrent applications don't share the same classloader, otherwise one application might close another application's ScanResult instances while they are still in use.

classgraph-4.8.51

In servlet containers and Spring applications, rather than adding a shutdown hook to close any unclosed ScanResult objects (to prevent resource leaks), instead add an event listener that closes unclosed ScanResult objects when the container is being torn down. This prevents a leak of the container's classloader (#376, thanks to @​vimil for reporting).

Please report any regressions with servlet containers or Spring.

classgraph-4.8.50

No new functionality; only fixes static analysis warnings (switched on Eclipse JDT's nullability analysis warnings; fixed all warnings).

classgraph-4.8.49

Fix getClassInfo() cannot be called here exception for BaseTypeSignature triggered by having an annotation with an array of primitive type references, e.g. @MyAnnotation({ int.class }). Thanks to @​johndevs for reporting (#375).

classgraph-4.8.48

Fix serialization of Class<?> references (#368) -- thanks to @​petehale for reporting.

Commits

• 6b9c9e0 [maven-release-plugin] prepare release classgraph-4.8.52
• 05e33f4 Remove shutdown hook entirely (#376)
• ace3707 In OOM situation, call runFinalization() after gc()
• ca5f156 [maven-release-plugin] prepare for next development iteration
• 2150257 [maven-release-plugin] prepare release classgraph-4.8.51
• cf550ac Remove OSGi lifecycle listener (annotations don't work at runtime) #376
• c1ab20b Add OSGi lifecycle listener (untested) (#376)
• 6373188 Update Javadoc
• d0f4a3a TomcatLifeCycleListener -> ServletLifeCycleListener (#376)
• 0f1d390 Reformat
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[dependabot-preview]

Superseded by #28.