@renovate renovate bot commented Jan 24, 2025

This PR contains the following updates:

| Package | Change |
|---|---|
| org.apache.maven.plugins:maven-remote-resources-plugin (source) | 1.6.0 -> 1.7.0 |
| com.github.ben-manes.caffeine:caffeine | 2.8.1 -> 2.9.3 |
| org.keycloak:keycloak-spring-security-adapter (source) | 17.0.0 -> 17.0.1 |
| org.keycloak:keycloak-admin-client (source) | 17.0.0 -> 17.0.1 |
| org.jboss.resteasy:resteasy-jaxb-provider (source) | 4.5.8.Final -> 4.7.10.Final |
| org.jboss.resteasy:resteasy-jackson2-provider (source) | 4.5.8.Final -> 4.7.10.Final |
| org.jboss.resteasy:resteasy-multipart-provider (source) | 4.5.8.Final -> 4.7.8.Final |
| org.jboss.resteasy:resteasy-client (source) | 4.5.8.Final -> 4.6.0.Final |

GitHub Vulnerability Alerts

CVE-2023-0482

Impact

In RESTEasy, the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes, which creates temp files with insecure permissions that could be read by a local user.

Patches

Fixed in the following pull requests:

Workarounds

There is no workaround for this issue.

References

CVE-2020-1695

A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed.


Release Notes

ben-manes/caffeine (com.github.ben-manes.caffeine:caffeine)

v2.9.3: 2.9.3

Cache

  • Fixed reference eviction when used with a broken executor (JDK-8274349)
  • Reduced the entry overhead by 8 bytes when using weak or soft values
  • Suppressed log warnings if a future is cancelled or times out (#​597)
  • Fixed Map.entrySet.contains(o) to use reference equality
  • Fixed early expiration of in-flight async loads (#​625)

JCache

  • close() will now shutdown the executor and wait for in-flight loads to finish

v2.9.2: 2.9.2

Cache

  • Fixed reading an intermittent null weak/soft value during a concurrent write (#​568)
  • Fixed extraneous eviction when concurrently removing a collected entry after a writer resurrects it with a new mapping (#​568)
  • Fixed excessive retries of discarding an expired entry when the fixed duration period is extended, thereby resurrecting it (#​568)

v2.9.1: 2.9.1

Cache

  • Added cancellation of the next scheduled expiration cleanup when the cache becomes empty (#​542)
  • Improved how variable expiration reorganizes the timer events (#​541)
  • Added putIfAbsent optimistic fastpath (#​506)

v2.9.0: 2.9.0

Cache

  • Added Caffeine.evictionListener which is notified within the atomic operation when an entry is automatically removed
  • Added triggering cache maintenance if an iterator observes an expired entry for more aggressive eviction (#​487)
  • Improved eager eviction of an added or updated entry if it exceeds the cache's maximum weight
  • Deprecated CacheWriter. Please use asMap computations or an eviction listener instead
  • Added CacheStats.of(...) to allow for becoming a value-based class in a future release

v2.8.8: 2.8.8

Cache

v2.8.7: 2.8.7

Cache

  • Fixed asMap().keySet().toArray() to not return expired mappings (#​472)
  • Added support for ISO-8601 durations to CaffeineSpec (#​466)
  • Fixed put update optimization for variable expiration (#​478)

v2.8.6: 2.8.6

Cache

  • Changed false sharing protection to comply with JDK 15's field layout (Java Objects Inside Out)
  • Suppressed the removal listener notification when an AsyncCache future value resolves to null
  • Improved the implementations of AsyncCache.synchronous().asMap() conditional methods
  • Added Jandex index for assisting GraalVM AOT (quarkusio/quarkus#10420)
  • Deprecated UnsafeAccess and SingleConsumerQueue

JCache

  • Changed to an OSGi Component to avoid coupling consumers to the provider (#​447)
  • Added the ability to record native statistics (#​460)

v2.8.5: 2.8.5

Cache

  • Fixed expiration delay for scheduled cleanup (#​431)

v2.8.4: 2.8.4

Cache

  • Schedule maintenance on an absent getIfPresent if there is pending work (#​420)

v2.8.3: 2.8.3

Cache

  • Added Policy.getIfPresentQuietly to lookup without affecting the metadata (#​418)

v2.8.2: 2.8.2

Cache

  • Added optimistic fast path for putIfAbsent to avoid locking (apache/openwhisk#2797)
  • Fixed race causing an incorrect removal cause (#​412)
  • Fixed SCM connection URLs (#​394)

JCache

  • Prefer the thread context classloader (#387)

keycloak/keycloak (org.keycloak:keycloak-spring-security-adapter)

v17.0.1

resteasy/resteasy (org.jboss.resteasy:resteasy-jaxb-provider)

v4.7.10.Final

What's Changed

Full Changelog: resteasy/resteasy@4.7.9.Final...v4.7.10.Final

v4.7.9.Final

What's Changed

  • Revert - [RESTEASY-2845] ResteasyWebTarget.proxy(Class) problem with questionmark in @Path with Regex by @jamezp in #3434
  • [RESTEASY-3290] Avoid an NPE if the temporary directory is null and e… by @jamezp in #3438

Full Changelog: resteasy/resteasy@4.7.8.Final...4.7.9.Final

v4.7.8.Final

What's Changed

Bug

  • [RESTEASY-2845] - ResteasyWebTarget.proxy(Class) problem with questionmark in `@Path` with Regex
  • [RESTEASY-2874] - Web Target Proxy not overriding content type header
  • [RESTEASY-3177] - ClientInvocation may not always submit requests asynchronously
  • [RESTEASY-3217] - MultipartFormDataOutput should use an ordered map instead of a HashMap
  • [RESTEASY-3256] - CDI managed beans do not inject `@Context` injection targets
  • [RESTEASY-3286] - CVE-2023-0482 RESTEasy: creation of insecure temp files

Task

  • [RESTEASY-3283] - Do not throw an exception for OPTIONS request

Component Upgrade

Full Changelog: resteasy/resteasy@4.7.7.Final...4.7.8.Final

v4.7.7.Final

Release Notes

Bug

  • [RESTEASY-3089] - ContainerResponseFilter will not allow null entities to be set
  • [RESTEASY-3123] - ParamConverterProvider NullPointerException on methods with no params
  • [RESTEASY-3134] - NPE when using MP Config with RESTEasy Client on the class path
  • [RESTEASY-3144] - Ensure the client is closed when the bean is out of scope
  • [RESTEASY-3155] - Concurrency issues in ResteasyViolationException

Task

  • [RESTEASY-3143] - Removing the unnecessary warning when default exception mapper is disabled
  • [RESTEASY-3161] - Change license header

Component Upgrade

v4.7.6.Final

Release Notes

Bug

  • [RESTEASY-3071] - Concurrent calls causes the server to hang during async response write
  • [RESTEASY-3120] - VertxClientEngineTest hangs occasionally on CI
  • [RESTEASY-3121] - VertxClientHttpEngine may not complete the future if an error occurs

Task

  • [RESTEASY-3082] - Updated CI for RESTEasy to test with Java SE 17

Component Upgrade

v4.7.5.Final

Release Notes

Bug

  • [RESTEASY-3069] - MultipartRelatedOutput with StreamingOutput parts throws java.lang.ClassCastException: class org.jboss.resteasy.plugins.providers.StreamingOutputProvider cannot be cast to class org.jboss.resteasy.spi.AsyncMessageBodyWriter
  • [RESTEASY-3072] - UT010005: Cannot call getOutputStream(), getWriter() already called
  • [RESTEASY-3073] - RESTEasy service loader file parser doesn't account for comments

v4.7.4.Final: RESTEasy 4.7.4.Final

Release Notes

Bug

  • [RESTEASY-3033] - Deadlock while sending sse events when first event is not yet send
  • [RESTEASY-3043] - Resteasy SseEventSink can't guarantee the event ordering
  • [RESTEASY-3044] - SSE first message comes in second
  • [RESTEASY-3045] - SSE loses last message when sink is closed after message delivery
  • [RESTEASY-3046] - ProviderHelper's writeTo stalls due to DeferredOutstream flush (on Tomcat)
  • [RESTEASY-3049] - The StreamingOutputTest seems to periodically hang on CI runs
  • [RESTEASY-3051] - SseEventSource should respect alwaysConnect after the SseEventSink is closed
  • [RESTEASY-3053] - The new SseEventSinkTest.deadlockAtInitialization fails intermittently

Task

v4.7.3.Final: RESTEasy 4.7.3.Final

Release Notes

Bug

  • [RESTEASY-2997] - RESTEASY003210 is appeared in response body when request resource is not found
  • [RESTEASY-3019] - Content-Length header value with leading whitespaces causes Exception

Task

  • [RESTEASY-3035] - Add documentation for match_cache parameters
  • [RESTEASY-3036] - Add documentation for resteasy.patchfilter.legacy

v4.7.2.Final

Release Notes

Bug

  • [RESTEASY-2914] - ResteasyViolationException#toString concurrency generate a java.util.ConcurrentModificationException
  • [RESTEASY-2953] - testsuite no longer runs successfully using -Dserver.home
  • [RESTEASY-2994] - Fix the search on the generated JavaDoc
  • [RESTEASY-2996] - Reactor netty server adapter mix up response bytes for AsyncOutputStream write

Task

Enhancement

  • [RESTEASY-2880] - Threshold before writing to disk should be configurable
  • [RESTEASY-3015] - Avoid a payload byte[] copy when using reactor-netty HTTP client engine

v4.7.1.Final

RESTEasy 4.7.1.Final

Bug

v4.7.0.Final: RESTEasy 4.7.0.Final

Release Notes

Sub-task

Feature Request

Bug

  • [RESTEASY-1721] - ServerResponseWriter sets HTTP status 204 even though response was written to HttpServletResponse
  • [RESTEASY-2673] - Unable to set cookies per request while retaining ResteasyClient reusability
  • [RESTEASY-2779] - ResourcePropertyInjector injects twice
  • [RESTEASY-2801] - RestClientDefinitionException on Closeable#close due to wrong template
  • [RESTEASY-2812] - MediaTypeHeaderDelegate cache can be poisoned by erroneous semi-colons
  • [RESTEASY-2818] - Sporadic ArrayIndexOutOfBoundsException on first few calls
  • [RESTEASY-2819] - Remove the isAsynStreamProvider check in SseEventSinkInteceptor
  • [RESTEASY-2826] - resteasy-vertx: Response Headers with String value of same type are overwritten
  • [RESTEASY-2834] - The RestClientExtension for the Eclipse MicroProfile client leaks the bean manager
  • [RESTEASY-2842] - Java 2 Security issues with Mime4JWorkaround
  • [RESTEASY-2850] - Server Sent Events repeatedly sent
  • [RESTEASY-2854] - Incorrect behavior: Resteasy Server Sent Events implementation incorrectly triggers an OnError event when an HTTP 503 occurs.
  • [RESTEASY-2857] - resteasy-multipart-provider erroneously depends on resteasy-client
  • [RESTEASY-2865] - Cannot extend timeout from JAX-RS timeout handler
  • [RESTEASY-2868] - VertxClientEngineTest fails on Windows CI frequently
  • [RESTEASY-2870] - Spring Web: @​ExceptionHandler response does not override @​ResponseStatus
  • [RESTEASY-2872] - Multipart annotation ignored when using async rest client
  • [RESTEASY-2884] - Missing AccessController.doPrivileged() calls in DefaultConfiguration cause Java 2 Security errors.
  • [RESTEASY-2892] - If the MP Config API is not being used the ServletContext init parameters are not searched
  • [RESTEASY-2905] - HeaderUtils requires --add-opens on JDK 16+
  • [RESTEASY-2910] - Do not skip the install or JAR plugins
  • [RESTEASY-2912] - Incorrect naming of JsonpMPtest class
  • [RESTEASY-2913] - Remove JacksonDataTypeTest#testDatatypeNotSupportedDuration
  • [RESTEASY-2925] - Inconsistent NewCookie parsing when unknown attributes is found
  • [RESTEASY-2932] - FormParam splitting may truncate the value of a parameter

Task

  • [RESTEASY-2816] - Update the RESTEasy Spring document
  • [RESTEASY-2864] - Fix code bug in Chapter 52 of User Guide
  • [RESTEASY-2876] - Move Arquillian related resources out of the resteasy-dependencies BOM
  • [RESTEASY-2888] - Update the POM's to have a parent of their direct parent
  • [RESTEASY-2889] - Migrate the resteasy-client-reactor-netty to use JBoss Logging instead of slf4j
  • [RESTEASY-2924] - Remove Travis CI config
  • [RESTEASY-2930] - Resolve deprecated Netty methods and classes
  • [RESTEASY-2934] - Replace deprecated class org.bouncycastle.openssl.PEMWriter
  • [RESTEASY-2936] - Resolve runtime deprecation warnings for Integer, Float, Byte, Short, Double, Long
  • [RESTEASY-2937] - Resolve deprecation warnings for class constructor newInstance()
  • [RESTEASY-2938] - Replaced deprecated method Assert.assertThat with MatcherAssert.assertThat
  • [RESTEASY-2939] - Resolve deprecated infinispan EvictionType methods
  • [RESTEASY-2940] - Update the Eclipse code style configuration and add a code style configuration for other IDE's
  • [RESTEASY-2941] - Migrate the checkstyle configuration to a new project
  • [RESTEASY-2954] - Synchronize main with the 4.6 dependencies
  • [RESTEASY-2955] - Do not use the org.jboss.resteasy:resteasy-jaxrs-all for the resteasy-bom parent
  • [RESTEASY-2958] - Update the jboss-modules to match what is in WildFly

Component Upgrade

Enhancement

  • [RESTEASY-2843] - RESTEasy responds with a stack trace for NotFoundException
  • [RESTEASY-2866] - Ensure @​Context-injected proxies implement all interfaces
  • [RESTEASY-2869] - Cache the hasDecorator result in Jackson2Provider

v4.6.2.Final

v4.6.1.Final

v4.6.0.Final

v4.5.12.Final

v4.5.11.Final

v4.5.10.Final

v4.5.9.Final

v4.5.8.SP1


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner January 24, 2025 03:49
@renovate renovate bot force-pushed the renovate/all-maven-minor-patch branch from 48b6b5b to 849b510 Compare July 13, 2025 12:02