Bump classgraph from 4.8.47 to 4.8.72

[dependabot-preview]

Bumps classgraph from 4.8.47 to 4.8.72.

Release notes

Sourced from classgraph's releases.

classgraph-4.8.72

Fix a memory leak issue, where static instances of BaseTypeSignature for the primitive types would inadvertently hold a reference to the ScanResult of the most recent scan, even after the ScanResult was closed, preventing garbage collection from collecting the ScanResult and its linked objects. (#419, thanks to @protogene for reporting.)

classgraph-4.8.71

• Exposes the class file major and minor version number in ClassInfo (#418, thanks to @adelel1 for requesting). Adds the methods:
  • ClassInfo#getClassfileMinorVersion()
  • ClassInfo#getClassfileMajorVersion()
• Ignores any classfile other than module-info.class in the default (empty) package, if a classpath element is a modular jar, when running under JDK 9+. (This is because JPMS doesn't allow classes to be in the default package in modules -- #417.)

classgraph-4.8.70

Fixes #417, a regression introduced in 4.8.66, in which the manifest file was not being added as the first or second entry in the jar, which is required by JDK jar processing logic. This stops the jar from being able to be read as a (non-automatic) module. Thanks to @blackdrag for reporting.

classgraph-4.8.69

Fixes "ClassGraph on Open Liberty doesn't find any classes from the application" (#414), for the Websphere Liberty / Open Liberty classloader in overlay mode (previously it only worked in war mode). Thanks to @michael-simons for reporting, and @cpierceworld for providing the fix.

classgraph-4.8.68

Fix "overrideClassLoaders(AppClassLoader) not no-op with Java 11" (#412, thanks to @chrisr3 for reporting).

classgraph-4.8.67

Fix "ClassGraph doesn't scan Application ClassLoader when provided as override on JDK11" (#411, thanks to @chrisr3 for reporting).

classgraph-4.8.66

• Added support for the Quarkus RuntimeClassLoader (#405, thanks to @mcollovati for the contribution!).
• Important bugfix: Fix buffer underflow issue with some large classes (#407, thanks to @enragedginger for the bug report and detective work).
• Made dependence on jdk.internal.misc, sun.misc and sun.nio.ch optional for OSGi projects (#408, #409 -- thanks to @skahmann for the contribution)
• Added support for the new record types -- currently only enabled in JDK 14 in preview mode.
  • ClassInfo#isRecord()
  • ClassInfoList#getRecords()
  • ScanResult#getAllRecords()

classgraph-4.8.65

Removed a hard runtime startup dependency on java.lang.management.ManagementFactory, so that ClassGraph does not fail on runtimes that do not include the java.management module or the java.lang.management package (e.g. the Android build system). (#404, thanks to @CreeJee for reporting.)

classgraph-4.8.64

Fix a binary compatibility issue with JDK 7/8 that was introduced in the previous release of ClassGraph (version 4.8.63). (#403, thanks to @TWiStErRob for reporting.)

classgraph-4.8.63

NOTE: Please use 4.8.64 instead of 4.8.63, as 4.8.64 contains a fix to a regression for JDK 7/8 compatibility.

Dramatically lowered the memory requirements of ClassGraph, and optimized file reading performance (#400 -- thanks to @TWiStErRob for the extremely detailed and well-researched error report and unit test!).

• The file access backend (which virtualizes access to file content across jarfiles, nested jarfiles, remote jarfiles, directories on disk, and modules) was rewritten to be faster and to have lower memory requirements. This was a large change -- please report any issues you come across.
• Mmap is now disabled by default (the new file reading backend uses FileChannel rather than MappedByteBuffer to read file content by default). Disabling mmap gives much more consistent scan times than in previous versions of ClassGraph, and causes significantly lower pressure on the memory limit when there are a large number of jarfiles (#400).

There may be a small performance penalty to disabling mmap by default. You can re-enable it by calling ClassGraph#enableMemoryMapping() before calling scan(). This will probably only make a difference with large classpaths consisting of many large jarfiles.

Also fixed numerous bugs, including:

• Fixed an infinite loop that could be triggered by OutOfMemoryError (which could be triggered by mmap'ing too many files) (#400)
• When a nested deflated jarfile is extracted to an array in memory so that its central directory can be read, the array containing the inflated jarfile is now trimmed to save on RAM. Previously, the full buffer default size of 64MB was retained for each jarfile, which wasted a lot of RAM. (This only affected scanning of projects with lots of nested jars, e.g. Spring-Boot jars, and only when the nested jars were deflated, not stored.) (#400)

... (truncated)

Commits

• e226cc1 [maven-release-plugin] prepare release classgraph-4.8.72
• 79c60cb Don't set scanResult in BaseTypeSignature (#419)
• 0670f2c [maven-release-plugin] prepare for next development iteration
• 87095ab [maven-release-plugin] prepare release classgraph-4.8.71
• 1e63185 Store the major and minor classfile format in ClassInfo (#418)
• bedec6e Ignore classfiles in default package of modular jars (#417)
• 1f2080d [maven-release-plugin] prepare for next development iteration
• 32c47ae [maven-release-plugin] prepare release classgraph-4.8.70
• b3d0cf4 Remove m2e directive
• 872e6d2 Remove m2e directive stripping execution (#417)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[dependabot-preview]

Superseded by #67.