Bump classgraph from 4.8.47 to 4.8.69

[dependabot-preview]

Bumps classgraph from 4.8.47 to 4.8.69.

Release notes

Sourced from classgraph's releases.

classgraph-4.8.69

Fixes "ClassGraph on Open Liberty doesn't find any classes from the application" (#414), for the Websphere Liberty / Open Liberty classloader in overlay mode (previously it only worked in war mode). Thanks to @michael-simons for reporting, and @cpierceworld for providing the fix.

classgraph-4.8.68

Fix "overrideClassLoaders(AppClassLoader) not no-op with Java 11" (#412, thanks to @chrisr3 for reporting).

classgraph-4.8.67

Fix "ClassGraph doesn't scan Application ClassLoader when provided as override on JDK11" (#411, thanks to @chrisr3 for reporting).

classgraph-4.8.66

• Added support for the Quarkus RuntimeClassLoader (#405, thanks to @mcollovati for the contribution!).
• Important bugfix: Fix buffer underflow issue with some large classes (#407, thanks to @enragedginger for the bug report and detective work).
• Made dependence on jdk.internal.misc, sun.misc and sun.nio.ch optional for OSGi projects (#408, #409 -- thanks to @skahmann for the contribution)
• Added support for the new record types -- currently only enabled in JDK 14 in preview mode.
  • ClassInfo#isRecord()
  • ClassInfoList#getRecords()
  • ScanResult#getAllRecords()

classgraph-4.8.65

Removed a hard runtime startup dependency on java.lang.management.ManagementFactory, so that ClassGraph does not fail on runtimes that do not include the java.management module or the java.lang.management package (e.g. the Android build system). (#404, thanks to @CreeJee for reporting.)

classgraph-4.8.64

Fix a binary compatibility issue with JDK 7/8 that was introduced in the previous release of ClassGraph (version 4.8.63). (#403, thanks to @TWiStErRob for reporting.)

classgraph-4.8.63

NOTE: Please use 4.8.64 instead of 4.8.63, as 4.8.64 contains a fix to a regression for JDK 7/8 compatibility.

Dramatically lowered the memory requirements of ClassGraph, and optimized file reading performance (#400 -- thanks to @TWiStErRob for the extremely detailed and well-researched error report and unit test!).

• The file access backend (which virtualizes access to file content across jarfiles, nested jarfiles, remote jarfiles, directories on disk, and modules) was rewritten to be faster and to have lower memory requirements. This was a large change -- please report any issues you come across.
• Mmap is now disabled by default (the new file reading backend uses FileChannel rather than MappedByteBuffer to read file content by default). Disabling mmap gives much more consistent scan times than in previous versions of ClassGraph, and causes significantly lower pressure on the memory limit when there are a large number of jarfiles (#400).

There may be a small performance penalty to disabling mmap by default. You can re-enable it by calling ClassGraph#enableMemoryMapping() before calling scan(). This will probably only make a difference with large classpaths consisting of many large jarfiles.

Also fixed numerous bugs, including:

• Fixed an infinite loop that could be triggered by OutOfMemoryError (which could be triggered by mmap'ing too many files) (#400)
• When a nested deflated jarfile is extracted to an array in memory so that its central directory can be read, the array containing the inflated jarfile is now trimmed to save on RAM. Previously, the full buffer default size of 64MB was retained for each jarfile, which wasted a lot of RAM. (This only affected scanning of projects with lots of nested jars, e.g. Spring-Boot jars, and only when the nested jars were deflated, not stored.) (#400)
• Fixed a few Windows compatibility issues, including an issue with encoding the : character after a drive letter using %3A in URIs, e.g. file:/C%3A/Users/Luke/Project (now instead, the proper URI of file:/C:/Users/Luke/Project is returned by Resource#getURI()).
• Fixed an issue where the default classpath was being scanned even if classloaders were overridden.

classgraph-4.8.62

Numerous robustness and correctness fixes for classloading via ClassInfo or ScanResult objects:

• Classloader delegation order now respects classpath and classloader override settings configured before starting the scan.
• If you load a class within a ScanResult try-with-resources block (i.e. before the ScanResult is closed), e.g. using ClassInfo#loadClass(), but then after the ScanResult is closed you access a field that has a type that has not yet been loaded, ClassGraph's own classloader used to throw an exception saying that the ScanResult was closed (#399, thanks to @CDPrete for reporting). This has now been mitigated to first attempt to load classes directly from classpath URLs, without accessing the ScanResult, and only as a last resort try loading the classfile through ScanResult#getResourcesWithPath().
  • This will now only fail in some obscure cases, e.g. when a classpath element used an http:// or https:// URI (so was downloaded to a temporary file, which is removed when ScanResult#close() is called), or when a classpath element was a nested jar that was included in an outer jar using deflate, rather than directly stored, and the inner jar is large (so the inner jar has to be extracted to a temporary file, rather than accessed directly using file slicing, or deflated to a temporary buffer in RAM).

classgraph-4.8.61

Made it possible to call getClasspath() before scan() on a single ClassGraph instance (#398, thanks to @CDPrete for reporting).

... (truncated)

Commits

• 917d45e [maven-release-plugin] prepare release classgraph-4.8.69
• 2ad71a2 Fix possible NPE (#414)
• 7897c3e Formatting and comments
• 53d71bd Source > Cleanup
• e7c80d8 Merge pull request #415 from cpierceworld/liberty-fix
• 446f0fa Fix for Libery running in "overlay"
• 4bb38c0 [maven-release-plugin] prepare for next development iteration
• 3742058 [maven-release-plugin] prepare release classgraph-4.8.68
• 02c1237 Fix indentation
• d36f701 Remove unit test (not a bug)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[dependabot-preview]

Superseded by #65.