)]}'
{
  "log": [
    {
      "commit": "45a5a0ff2689803bf60fa1c2abe639df065d8d5f",
      "tree": "a3447275b276e4f305d58a990fd0f0a0eda5382f",
      "parents": [
        "f95ffd012828e04aa9de8064a8d6f3251209841e"
      ],
      "author": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Thu Jun 11 12:43:03 2026 +0200"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Thu Jun 11 12:43:20 2026 +0200"
      },
      "message": "copyright 2026\n"
    },
    {
      "commit": "f95ffd012828e04aa9de8064a8d6f3251209841e",
      "tree": "71d7c5fc004a7775f8a5588e29d0915ca4aaaee4",
      "parents": [
        "983489538e05301a2839cfc4b8368c2393ffd21f"
      ],
      "author": {
        "name": "jungm",
        "email": "jungm@users.noreply.github.com",
        "time": "Mon Jun 08 11:54:20 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Mon Jun 08 13:57:14 2026 +0200"
      },
      "message": "Minor: Regenerated BOMs for 983489538e05301a2839cfc4b8368c2393ffd21f\n\nSigned-off-by: GitHub \u003cnoreply@github.com\u003e\n"
    },
    {
      "commit": "983489538e05301a2839cfc4b8368c2393ffd21f",
      "tree": "271d96587d20f0ef3e62d63ad1702812fe4be521",
      "parents": [
        "fb75619d625a77e859b097fccc7faee8629bb66c"
      ],
      "author": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Mon Jun 08 13:07:58 2026 +0200"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Mon Jun 08 13:07:58 2026 +0200"
      },
      "message": "jakartaee-api 11.0.0-M1 released\n"
    },
    {
      "commit": "fb75619d625a77e859b097fccc7faee8629bb66c",
      "tree": "0d9b5c147446fc766d19698aacf446522f5e829d",
      "parents": [
        "2f7000616c929ed73a55354aa478ad3a513091a9"
      ],
      "author": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Fri Jun 05 20:54:53 2026 +0200"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Fri Jun 05 20:54:53 2026 +0200"
      },
      "message": "fix BasicSlf4jWebappTest after dependency updates\n"
    },
    {
      "commit": "2f7000616c929ed73a55354aa478ad3a513091a9",
      "tree": "5ec2418e4859e2b5e7dfadf34ae5a48ba2746ae9",
      "parents": [
        "58d247d292c86c9af4174c00381cdb953117745e"
      ],
      "author": {
        "name": "github-actions[bot]",
        "email": "41898282+github-actions[bot]@users.noreply.github.com",
        "time": "Fri Jun 05 13:08:07 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri Jun 05 13:08:07 2026 +0200"
      },
      "message": "Minor: Regenerated BOMs for 9d27b18e152e335fdc2d486fd67574aa925cddad (#2710)\n\nSigned-off-by: GitHub \u003cnoreply@github.com\u003e\nCo-authored-by: jungm \u003cjungm@users.noreply.github.com\u003e"
    },
    {
      "commit": "58d247d292c86c9af4174c00381cdb953117745e",
      "tree": "41849f8f60447c79b1087f8f1c860efdb2b52c10",
      "parents": [
        "f475de258fa3c498d6ca01669bb598b9d5d9cd1c"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Fri Jun 05 07:44:30 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Fri Jun 05 10:01:12 2026 +0200"
      },
      "message": "Bump org.codehaus.gmavenplus:gmavenplus-plugin from 4.3.1 to 5.0.0\n\nBumps [org.codehaus.gmavenplus:gmavenplus-plugin](https://github.com/groovy/GMavenPlus) from 4.3.1 to 5.0.0.\n- [Release notes](https://github.com/groovy/GMavenPlus/releases)\n- [Commits](https://github.com/groovy/GMavenPlus/compare/4.3.1...5.0.0)\n\n---\nupdated-dependencies:\n- dependency-name: org.codehaus.gmavenplus:gmavenplus-plugin\n  dependency-version: 5.0.0\n  dependency-type: direct:development\n  update-type: version-update:semver-major\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "f475de258fa3c498d6ca01669bb598b9d5d9cd1c",
      "tree": "3763c3e14e69973098d3fd254ac109922f32c7b0",
      "parents": [
        "59b457d0fd80f74e2f0ee531bf7bf257149f8012"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Fri Jun 05 07:44:35 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Fri Jun 05 10:00:21 2026 +0200"
      },
      "message": "Bump org.projectlombok:lombok from 1.18.42 to 1.18.46\n\nBumps [org.projectlombok:lombok](https://github.com/projectlombok/lombok) from 1.18.42 to 1.18.46.\n- [Changelog](https://github.com/projectlombok/lombok/blob/master/doc/changelog.markdown)\n- [Commits](https://github.com/projectlombok/lombok/compare/v1.18.42...v1.18.46)\n\n---\nupdated-dependencies:\n- dependency-name: org.projectlombok:lombok\n  dependency-version: 1.18.46\n  dependency-type: direct:development\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "59b457d0fd80f74e2f0ee531bf7bf257149f8012",
      "tree": "5accd044708550a2a0a1f234da8ed5fd67a9910f",
      "parents": [
        "9d27b18e152e335fdc2d486fd67574aa925cddad"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Fri Jun 05 07:45:44 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Fri Jun 05 10:00:01 2026 +0200"
      },
      "message": "Bump surefire.version from 3.5.5 to 3.5.6\n\nBumps `surefire.version` from 3.5.5 to 3.5.6.\n\nUpdates `org.apache.maven.plugins:maven-surefire-plugin` from 3.5.5 to 3.5.6\n- [Release notes](https://github.com/apache/maven-surefire/releases)\n- [Commits](https://github.com/apache/maven-surefire/compare/surefire-3.5.5...surefire-3.5.6)\n\nUpdates `org.apache.maven.plugins:maven-surefire-report-plugin` from 3.5.5 to 3.5.6\n- [Release notes](https://github.com/apache/maven-surefire/releases)\n- [Commits](https://github.com/apache/maven-surefire/compare/surefire-3.5.5...surefire-3.5.6)\n\n---\nupdated-dependencies:\n- dependency-name: org.apache.maven.plugins:maven-surefire-plugin\n  dependency-version: 3.5.6\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n- dependency-name: org.apache.maven.plugins:maven-surefire-report-plugin\n  dependency-version: 3.5.6\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "9d27b18e152e335fdc2d486fd67574aa925cddad",
      "tree": "c34dfa6f3ef750e697bfafa1f75ef30afdbaf996",
      "parents": [
        "cce5ef222e84c6eb89b2b20effe1d06ba6cba70d"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Fri Jun 05 07:46:18 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Fri Jun 05 09:59:47 2026 +0200"
      },
      "message": "Bump net.bytebuddy:byte-buddy from 1.18.9 to 1.18.10\n\nBumps [net.bytebuddy:byte-buddy](https://github.com/raphw/byte-buddy) from 1.18.9 to 1.18.10.\n- [Release notes](https://github.com/raphw/byte-buddy/releases)\n- [Changelog](https://github.com/raphw/byte-buddy/blob/master/release-notes.md)\n- [Commits](https://github.com/raphw/byte-buddy/compare/byte-buddy-1.18.9...byte-buddy-1.18.10)\n\n---\nupdated-dependencies:\n- dependency-name: net.bytebuddy:byte-buddy\n  dependency-version: 1.18.10\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "cce5ef222e84c6eb89b2b20effe1d06ba6cba70d",
      "tree": "3734047735c1e021de9beadfa8d84e5e916d389b",
      "parents": [
        "4444369bfcbd82782bf3eb59be92ae7ea1f86f07"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Fri Jun 05 07:47:34 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Fri Jun 05 09:58:43 2026 +0200"
      },
      "message": "Bump org.apache.maven.plugins:maven-dependency-plugin\n\nBumps [org.apache.maven.plugins:maven-dependency-plugin](https://github.com/apache/maven-dependency-plugin) from 3.10.0 to 3.11.0.\n- [Release notes](https://github.com/apache/maven-dependency-plugin/releases)\n- [Commits](https://github.com/apache/maven-dependency-plugin/compare/maven-dependency-plugin-3.10.0...maven-dependency-plugin-3.11.0)\n\n---\nupdated-dependencies:\n- dependency-name: org.apache.maven.plugins:maven-dependency-plugin\n  dependency-version: 3.11.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "4444369bfcbd82782bf3eb59be92ae7ea1f86f07",
      "tree": "9484bd96ef046526e0569fe417f79ed064b1e12c",
      "parents": [
        "191773a55c269275bfd708382397e1850ddd3743"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Fri Jun 05 07:48:35 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Fri Jun 05 09:58:13 2026 +0200"
      },
      "message": "Bump org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-bom\n\nBumps [org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-bom](https://github.com/shrinkwrap/resolver) from 3.3.5 to 3.3.7.\n- [Release notes](https://github.com/shrinkwrap/resolver/releases)\n- [Commits](https://github.com/shrinkwrap/resolver/compare/3.3.5...3.3.7)\n\n---\nupdated-dependencies:\n- dependency-name: org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-bom\n  dependency-version: 3.3.7\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "191773a55c269275bfd708382397e1850ddd3743",
      "tree": "79703fb4e51a6a192dba16daaed38f038dd2324f",
      "parents": [
        "0ad8c5b8738842bb1589c476482789f5c1c5a228"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Fri Jun 05 07:49:15 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Fri Jun 05 09:57:53 2026 +0200"
      },
      "message": "Bump org.slf4j:slf4j-simple from 2.0.17 to 2.0.18\n\nBumps org.slf4j:slf4j-simple from 2.0.17 to 2.0.18.\n\n---\nupdated-dependencies:\n- dependency-name: org.slf4j:slf4j-simple\n  dependency-version: 2.0.18\n  dependency-type: direct:development\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "0ad8c5b8738842bb1589c476482789f5c1c5a228",
      "tree": "a8ac813cdc12e31be80744155feb110d0a2229b0",
      "parents": [
        "cd11ca4c915828ea88818ad765bbf8eca4d956ea"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Fri Jun 05 07:53:24 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Fri Jun 05 09:57:24 2026 +0200"
      },
      "message": "Bump com.nimbusds:nimbus-jose-jwt from 10.9 to 10.9.1\n\nBumps [com.nimbusds:nimbus-jose-jwt](https://bitbucket.org/connect2id/nimbus-jose-jwt) from 10.9 to 10.9.1.\n- [Changelog](https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt)\n- [Commits](https://bitbucket.org/connect2id/nimbus-jose-jwt/branches/compare/10.9.1..10.9)\n\n---\nupdated-dependencies:\n- dependency-name: com.nimbusds:nimbus-jose-jwt\n  dependency-version: 10.9.1\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "cd11ca4c915828ea88818ad765bbf8eca4d956ea",
      "tree": "97158306e627ee5e3a262056b36d2b787720add0",
      "parents": [
        "9ac974aa75b7bc2d353c9922d0b3b2032296e0bb"
      ],
      "author": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Fri Jun 05 09:46:31 2026 +0200"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Fri Jun 05 09:46:31 2026 +0200"
      },
      "message": "reduce dependabot noise for asm updates\n"
    },
    {
      "commit": "9ac974aa75b7bc2d353c9922d0b3b2032296e0bb",
      "tree": "49cc39e834b93b1123fa073a274ee9b381e6ad1f",
      "parents": [
        "7bc544a9c65b3e28889f0ce2efda841504830914"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue Jun 02 14:26:16 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Fri Jun 05 09:41:33 2026 +0200"
      },
      "message": "Bump org.ow2.asm:asm-util from 9.9.1 to 9.10.1\n\nBumps org.ow2.asm:asm-util from 9.9.1 to 9.10.1.\n\n---\nupdated-dependencies:\n- dependency-name: org.ow2.asm:asm-util\n  dependency-version: 9.10.1\n  dependency-type: direct:development\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "7bc544a9c65b3e28889f0ce2efda841504830914",
      "tree": "65fba1d93bdaea5f37d9d1fa67b602d6e332f9de",
      "parents": [
        "7fc3fa58ed27b21e7c988b61acc86fe5a3e41fd5"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue Jun 02 14:26:51 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Fri Jun 05 09:40:44 2026 +0200"
      },
      "message": "Bump joda-time:joda-time from 2.14.0 to 2.14.2\n\nBumps [joda-time:joda-time](https://github.com/JodaOrg/joda-time) from 2.14.0 to 2.14.2.\n- [Release notes](https://github.com/JodaOrg/joda-time/releases)\n- [Changelog](https://github.com/JodaOrg/joda-time/blob/main/RELEASE-NOTES.txt)\n- [Commits](https://github.com/JodaOrg/joda-time/compare/v2.14.0...v2.14.2)\n\n---\nupdated-dependencies:\n- dependency-name: joda-time:joda-time\n  dependency-version: 2.14.2\n  dependency-type: direct:development\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "7fc3fa58ed27b21e7c988b61acc86fe5a3e41fd5",
      "tree": "a95bfc76b09c00b3861703b677b0f1c903151115",
      "parents": [
        "b2bc764be3a6d6c1596f7d380c6a67e5558d79d9"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue Jun 02 14:27:47 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Fri Jun 05 09:40:16 2026 +0200"
      },
      "message": "Bump org.apache.sshd:sshd-core from 2.17.1 to 2.18.0\n\nBumps [org.apache.sshd:sshd-core](https://github.com/apache/mina-sshd) from 2.17.1 to 2.18.0.\n- [Release notes](https://github.com/apache/mina-sshd/releases)\n- [Changelog](https://github.com/apache/mina-sshd/blob/master/CHANGES.md)\n- [Commits](https://github.com/apache/mina-sshd/compare/sshd-2.17.1...sshd-2.18.0)\n\n---\nupdated-dependencies:\n- dependency-name: org.apache.sshd:sshd-core\n  dependency-version: 2.18.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "b2bc764be3a6d6c1596f7d380c6a67e5558d79d9",
      "tree": "c056c3828560622f851e44556f92ef572fe93425",
      "parents": [
        "3b737ccf6e7e14b0a72c45a9b12d0b63a99bbb01"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue Jun 02 14:28:02 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Fri Jun 05 09:40:07 2026 +0200"
      },
      "message": "Bump org.codehaus.jettison:jettison from 1.3.4 to 1.5.5\n\nBumps [org.codehaus.jettison:jettison](https://github.com/jettison-json/jettison) from 1.3.4 to 1.5.5.\n- [Release notes](https://github.com/jettison-json/jettison/releases)\n- [Commits](https://github.com/jettison-json/jettison/compare/jettison-1.3.4...jettison-1.5.5)\n\n---\nupdated-dependencies:\n- dependency-name: org.codehaus.jettison:jettison\n  dependency-version: 1.5.5\n  dependency-type: direct:development\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "3b737ccf6e7e14b0a72c45a9b12d0b63a99bbb01",
      "tree": "3c994f756e3bf2509cbe6d831ea96f48b338c8f4",
      "parents": [
        "d42abb3e0d916226d2930108f97fe7319dd4db6e"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue Jun 02 14:28:53 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Fri Jun 05 09:39:22 2026 +0200"
      },
      "message": "Bump org.codehaus.mojo:exec-maven-plugin from 3.5.0 to 3.6.3\n\nBumps [org.codehaus.mojo:exec-maven-plugin](https://github.com/mojohaus/exec-maven-plugin) from 3.5.0 to 3.6.3.\n- [Release notes](https://github.com/mojohaus/exec-maven-plugin/releases)\n- [Commits](https://github.com/mojohaus/exec-maven-plugin/compare/3.5.0...3.6.3)\n\n---\nupdated-dependencies:\n- dependency-name: org.codehaus.mojo:exec-maven-plugin\n  dependency-version: 3.6.3\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "d42abb3e0d916226d2930108f97fe7319dd4db6e",
      "tree": "f7199b62c497b4e1e9d77fa28d96e4e2db782f55",
      "parents": [
        "e5f88b9826df40befa1ad2662df9f3dfaacea9a7"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue Jun 02 14:29:06 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Fri Jun 05 09:37:51 2026 +0200"
      },
      "message": "Bump org.jboss.logging:jboss-logging from 3.6.2.Final to 3.6.3.Final\n\nBumps [org.jboss.logging:jboss-logging](https://github.com/jboss-logging/jboss-logging) from 3.6.2.Final to 3.6.3.Final.\n- [Release notes](https://github.com/jboss-logging/jboss-logging/releases)\n- [Commits](https://github.com/jboss-logging/jboss-logging/compare/v3.6.2.Final...v3.6.3.Final)\n\n---\nupdated-dependencies:\n- dependency-name: org.jboss.logging:jboss-logging\n  dependency-version: 3.6.3.Final\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "e5f88b9826df40befa1ad2662df9f3dfaacea9a7",
      "tree": "cf9724d6f1424915b0a318f7979b2b277b56bc71",
      "parents": [
        "a40aeebcde5ac4d328663de22d9201d572fab251"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue Jun 02 14:29:21 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Fri Jun 05 09:36:44 2026 +0200"
      },
      "message": "Bump org.ow2.asm:asm from 9.9.1 to 9.10.1\n\nBumps org.ow2.asm:asm from 9.9.1 to 9.10.1.\n\n---\nupdated-dependencies:\n- dependency-name: org.ow2.asm:asm\n  dependency-version: 9.10.1\n  dependency-type: direct:development\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "a40aeebcde5ac4d328663de22d9201d572fab251",
      "tree": "36764bbbc0c99b13fb51bbe2badfb05b826dc7b5",
      "parents": [
        "a7999b17e4a4bb03c9379d0e10737f6a2b3f3a9a"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue Jun 02 14:29:46 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Fri Jun 05 09:35:58 2026 +0200"
      },
      "message": "Bump commons-io:commons-io from 2.21.0 to 2.22.0\n\nBumps commons-io:commons-io from 2.21.0 to 2.22.0.\n\n---\nupdated-dependencies:\n- dependency-name: commons-io:commons-io\n  dependency-version: 2.22.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "a7999b17e4a4bb03c9379d0e10737f6a2b3f3a9a",
      "tree": "f481f474db18dae529fa2695510f4d3ec95ab1b0",
      "parents": [
        "758d6cdc8e0e6912033463cdfc5dc123fc6b1b13"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Wed Jun 03 17:39:15 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Fri Jun 05 09:33:49 2026 +0200"
      },
      "message": "Bump actions/checkout from 6.0.2 to 6.0.3\n\nBumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3.\n- [Release notes](https://github.com/actions/checkout/releases)\n- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)\n- [Commits](https://github.com/actions/checkout/compare/de0fac2e4500dabe0009e67214ff5f5447ce83dd...df4cb1c069e1874edd31b4311f1884172cec0e10)\n\n---\nupdated-dependencies:\n- dependency-name: actions/checkout\n  dependency-version: 6.0.3\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "758d6cdc8e0e6912033463cdfc5dc123fc6b1b13",
      "tree": "5a64f2e357cf3ab39828ae40d95f95b7468f4fa3",
      "parents": [
        "fc211398e0ebcb75ea801d2a8050a982a13b311c"
      ],
      "author": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Wed Jun 03 10:40:45 2026 +0200"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Wed Jun 03 10:40:45 2026 +0200"
      },
      "message": "update SECURITY.md with feedback from ASF Security team\n"
    },
    {
      "commit": "fc211398e0ebcb75ea801d2a8050a982a13b311c",
      "tree": "1022855b5a1df97acace79d9a5a8f5a8943fa911",
      "parents": [
        "ced85289b447cad9ade4f3cf3b7ea2efb84c38d0"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue Jun 02 13:11:35 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Tue Jun 02 16:16:31 2026 +0200"
      },
      "message": "Bump com.sun.xml.messaging.saaj:saaj-impl from 3.0.4 to 3.0.5\n\nBumps com.sun.xml.messaging.saaj:saaj-impl from 3.0.4 to 3.0.5.\n\n---\nupdated-dependencies:\n- dependency-name: com.sun.xml.messaging.saaj:saaj-impl\n  dependency-version: 3.0.5\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "ced85289b447cad9ade4f3cf3b7ea2efb84c38d0",
      "tree": "8c231e9c1898d61ef0c9beb6e356ecbd9599fa9f",
      "parents": [
        "2ed43a48cb88286df567ab6d6b34bc34ef426f80"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue Jun 02 13:15:13 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Tue Jun 02 15:51:12 2026 +0200"
      },
      "message": "Bump org.apache:apache from 37 to 38\n\nBumps [org.apache:apache](https://github.com/apache/maven-apache-parent) from 37 to 38.\n- [Release notes](https://github.com/apache/maven-apache-parent/releases)\n- [Commits](https://github.com/apache/maven-apache-parent/commits)\n\n---\nupdated-dependencies:\n- dependency-name: org.apache:apache\n  dependency-version: \u002738\u0027\n  dependency-type: direct:production\n  update-type: version-update:semver-major\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "2ed43a48cb88286df567ab6d6b34bc34ef426f80",
      "tree": "b87b010a42661e0465082f70c914cf4622fc8a80",
      "parents": [
        "c38de8b21a0930101037813ad48ac16e73aeb244"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue Jun 02 13:15:08 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Tue Jun 02 15:50:48 2026 +0200"
      },
      "message": "Bump version.activemq from 6.2.5 to 6.2.6\n\nBumps `version.activemq` from 6.2.5 to 6.2.6.\n\nUpdates `org.apache.activemq:activemq-jdbc-store` from 6.2.5 to 6.2.6\n- [Release notes](https://github.com/apache/activemq/releases)\n- [Commits](https://github.com/apache/activemq/compare/activemq-6.2.5...activemq-6.2.6)\n\nUpdates `org.apache.activemq:activemq-ra` from 6.2.5 to 6.2.6\n- [Release notes](https://github.com/apache/activemq/releases)\n- [Commits](https://github.com/apache/activemq/compare/activemq-6.2.5...activemq-6.2.6)\n\nUpdates `org.apache.activemq:activemq-client` from 6.2.5 to 6.2.6\n- [Release notes](https://github.com/apache/activemq/releases)\n- [Commits](https://github.com/apache/activemq/compare/activemq-6.2.5...activemq-6.2.6)\n\nUpdates `org.apache.activemq:activemq-broker` from 6.2.5 to 6.2.6\n- [Release notes](https://github.com/apache/activemq/releases)\n- [Commits](https://github.com/apache/activemq/compare/activemq-6.2.5...activemq-6.2.6)\n\nUpdates `org.apache.activemq:activemq-openwire-legacy` from 6.2.5 to 6.2.6\n- [Release notes](https://github.com/apache/activemq/releases)\n- [Commits](https://github.com/apache/activemq/compare/activemq-6.2.5...activemq-6.2.6)\n\n---\nupdated-dependencies:\n- dependency-name: org.apache.activemq:activemq-jdbc-store\n  dependency-version: 6.2.6\n  dependency-type: direct:development\n  update-type: version-update:semver-patch\n- dependency-name: org.apache.activemq:activemq-ra\n  dependency-version: 6.2.6\n  dependency-type: direct:development\n  update-type: version-update:semver-patch\n- dependency-name: org.apache.activemq:activemq-client\n  dependency-version: 6.2.6\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n- dependency-name: org.apache.activemq:activemq-broker\n  dependency-version: 6.2.6\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n- dependency-name: org.apache.activemq:activemq-openwire-legacy\n  dependency-version: 6.2.6\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "c38de8b21a0930101037813ad48ac16e73aeb244",
      "tree": "3ee8c23a77ee587f00cd7f4b8a065f043a0e0530",
      "parents": [
        "cadc55d58cf384217551b3de90f40f4cf20bf614"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue Jun 02 13:14:09 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Tue Jun 02 15:50:33 2026 +0200"
      },
      "message": "Bump com.google.code.gson:gson from 2.2.4 to 2.14.0\n\nBumps [com.google.code.gson:gson](https://github.com/google/gson) from 2.2.4 to 2.14.0.\n- [Release notes](https://github.com/google/gson/releases)\n- [Changelog](https://github.com/google/gson/blob/main/CHANGELOG.md)\n- [Commits](https://github.com/google/gson/compare/gson-2.2.4...gson-parent-2.14.0)\n\n---\nupdated-dependencies:\n- dependency-name: com.google.code.gson:gson\n  dependency-version: 2.14.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "cadc55d58cf384217551b3de90f40f4cf20bf614",
      "tree": "ddf14a25c3b6399e5090086ea15f1632819dd51f",
      "parents": [
        "62f516ecf98ef5f595102717ee14b48853334c07"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue Jun 02 13:13:53 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Tue Jun 02 15:48:18 2026 +0200"
      },
      "message": "Bump net.bytebuddy:byte-buddy from 1.18.8 to 1.18.9\n\nBumps [net.bytebuddy:byte-buddy](https://github.com/raphw/byte-buddy) from 1.18.8 to 1.18.9.\n- [Release notes](https://github.com/raphw/byte-buddy/releases)\n- [Changelog](https://github.com/raphw/byte-buddy/blob/master/release-notes.md)\n- [Commits](https://github.com/raphw/byte-buddy/compare/byte-buddy-1.18.8...byte-buddy-1.18.9)\n\n---\nupdated-dependencies:\n- dependency-name: net.bytebuddy:byte-buddy\n  dependency-version: 1.18.9\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "62f516ecf98ef5f595102717ee14b48853334c07",
      "tree": "dda14367b315f358bd85da4c1d7daa91dd5273b8",
      "parents": [
        "9bb65a8bbf41581fc8a65e9a156df6318e9b83c4"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue Jun 02 13:13:26 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Tue Jun 02 15:45:51 2026 +0200"
      },
      "message": "Bump version.hibernate.orm from 7.3.0.Final to 7.4.0.Final\n\nBumps `version.hibernate.orm` from 7.3.0.Final to 7.4.0.Final.\n\nUpdates `org.hibernate.orm:hibernate-core` from 7.3.0.Final to 7.4.0.Final\n- [Release notes](https://github.com/hibernate/hibernate-orm/releases)\n- [Changelog](https://github.com/hibernate/hibernate-orm/blob/7.4.0/changelog.txt)\n- [Commits](https://github.com/hibernate/hibernate-orm/compare/7.3.0...7.4.0)\n\nUpdates `org.hibernate.orm:hibernate-processor` from 7.3.0.Final to 7.4.0.Final\n- [Release notes](https://github.com/hibernate/hibernate-orm/releases)\n- [Changelog](https://github.com/hibernate/hibernate-orm/blob/7.4.0/changelog.txt)\n- [Commits](https://github.com/hibernate/hibernate-orm/compare/7.3.0...7.4.0)\n\nUpdates `org.hibernate.orm:hibernate-jcache` from 7.3.0.Final to 7.4.0.Final\n- [Release notes](https://github.com/hibernate/hibernate-orm/releases)\n- [Changelog](https://github.com/hibernate/hibernate-orm/blob/7.4.0/changelog.txt)\n- [Commits](https://github.com/hibernate/hibernate-orm/compare/7.3.0...7.4.0)\n\n---\nupdated-dependencies:\n- dependency-name: org.hibernate.orm:hibernate-core\n  dependency-version: 7.4.0.Final\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n- dependency-name: org.hibernate.orm:hibernate-processor\n  dependency-version: 7.4.0.Final\n  dependency-type: direct:development\n  update-type: version-update:semver-minor\n- dependency-name: org.hibernate.orm:hibernate-jcache\n  dependency-version: 7.4.0.Final\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "9bb65a8bbf41581fc8a65e9a156df6318e9b83c4",
      "tree": "81b9da383c7afbc02c23155c9d738830edb4b948",
      "parents": [
        "894ee79741f010c6e4da4b027612c3847595155e"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue Jun 02 13:12:06 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Tue Jun 02 15:45:33 2026 +0200"
      },
      "message": "Bump version.johnzon from 2.0.2 to 2.1.0\n\nBumps `version.johnzon` from 2.0.2 to 2.1.0.\n\nUpdates `org.apache.johnzon:johnzon-core` from 2.0.2 to 2.1.0\n\nUpdates `org.apache.johnzon:johnzon-mapper` from 2.0.2 to 2.1.0\n\nUpdates `org.apache.johnzon:johnzon-jaxrs` from 2.0.2 to 2.1.0\n\nUpdates `org.apache.johnzon:johnzon-jsonb` from 2.0.2 to 2.1.0\n\n---\nupdated-dependencies:\n- dependency-name: org.apache.johnzon:johnzon-core\n  dependency-version: 2.1.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n- dependency-name: org.apache.johnzon:johnzon-mapper\n  dependency-version: 2.1.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n- dependency-name: org.apache.johnzon:johnzon-jaxrs\n  dependency-version: 2.1.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n- dependency-name: org.apache.johnzon:johnzon-jsonb\n  dependency-version: 2.1.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "894ee79741f010c6e4da4b027612c3847595155e",
      "tree": "26f733bd96493ffc7ef8da0538b4e06f21c1a707",
      "parents": [
        "fc182ec6cf8684b670f3ed3a7060f3d23d3648de"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue Jun 02 13:11:14 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Tue Jun 02 15:44:41 2026 +0200"
      },
      "message": "Bump org.apache.maven.plugins:maven-invoker-plugin from 3.8.0 to 3.10.1\n\nBumps [org.apache.maven.plugins:maven-invoker-plugin](https://github.com/apache/maven-invoker-plugin) from 3.8.0 to 3.10.1.\n- [Release notes](https://github.com/apache/maven-invoker-plugin/releases)\n- [Commits](https://github.com/apache/maven-invoker-plugin/compare/maven-invoker-plugin-3.8.0...maven-invoker-plugin-3.10.1)\n\n---\nupdated-dependencies:\n- dependency-name: org.apache.maven.plugins:maven-invoker-plugin\n  dependency-version: 3.10.1\n  dependency-type: direct:development\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "fc182ec6cf8684b670f3ed3a7060f3d23d3648de",
      "tree": "b37b345ceea5d2e916a25b75940bde8b244ca62c",
      "parents": [
        "884b960c3c222ca46e7cf5c1e1f96719c07509bb"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue Jun 02 06:47:55 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Tue Jun 02 14:52:47 2026 +0200"
      },
      "message": "Bump org.mockito:mockito-core from 5.22.0 to 5.23.0\n\nBumps [org.mockito:mockito-core](https://github.com/mockito/mockito) from 5.22.0 to 5.23.0.\n- [Release notes](https://github.com/mockito/mockito/releases)\n- [Commits](https://github.com/mockito/mockito/compare/v5.22.0...v5.23.0)\n\n---\nupdated-dependencies:\n- dependency-name: org.mockito:mockito-core\n  dependency-version: 5.23.0\n  dependency-type: direct:development\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "884b960c3c222ca46e7cf5c1e1f96719c07509bb",
      "tree": "3e762cc068cd600554e626cb52f093eb988d0053",
      "parents": [
        "70fae736d1ff7cce816aed8bc7cb50c2d2617a07"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue Jun 02 06:46:36 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Tue Jun 02 14:50:44 2026 +0200"
      },
      "message": "Bump version.microprofile.impl.opentelemetry from 2.12.0 to 2.14.0\n\nBumps `version.microprofile.impl.opentelemetry` from 2.12.0 to 2.14.0.\n\nUpdates `io.smallrye.opentelemetry:smallrye-opentelemetry-api` from 2.12.0 to 2.14.0\n- [Release notes](https://github.com/smallrye/smallrye-opentelemetry/releases)\n- [Commits](https://github.com/smallrye/smallrye-opentelemetry/compare/2.12.0...2.14.0)\n\nUpdates `io.smallrye.opentelemetry:smallrye-opentelemetry-cdi` from 2.12.0 to 2.14.0\n\nUpdates `io.smallrye.opentelemetry:smallrye-opentelemetry-rest` from 2.12.0 to 2.14.0\n\nUpdates `io.smallrye.opentelemetry:smallrye-opentelemetry-config` from 2.12.0 to 2.14.0\n\nUpdates `io.smallrye.opentelemetry:smallrye-opentelemetry-propagation` from 2.12.0 to 2.14.0\n\n---\nupdated-dependencies:\n- dependency-name: io.smallrye.opentelemetry:smallrye-opentelemetry-api\n  dependency-version: 2.14.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n- dependency-name: io.smallrye.opentelemetry:smallrye-opentelemetry-cdi\n  dependency-version: 2.14.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n- dependency-name: io.smallrye.opentelemetry:smallrye-opentelemetry-rest\n  dependency-version: 2.14.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n- dependency-name: io.smallrye.opentelemetry:smallrye-opentelemetry-config\n  dependency-version: 2.14.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n- dependency-name: io.smallrye.opentelemetry:smallrye-opentelemetry-propagation\n  dependency-version: 2.14.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "70fae736d1ff7cce816aed8bc7cb50c2d2617a07",
      "tree": "698675e0115c65e99ba4036eb9b44969e32b6b96",
      "parents": [
        "02946bb97130e36ed0f12a30f9a3d147c82bfbef"
      ],
      "author": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Tue Jun 02 14:48:02 2026 +0200"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Tue Jun 02 14:48:02 2026 +0200"
      },
      "message": "Mojarra 4.1.9\n"
    },
    {
      "commit": "02946bb97130e36ed0f12a30f9a3d147c82bfbef",
      "tree": "604d85c7795cbe4eda993e4b17b82f8b6352b4af",
      "parents": [
        "25011b5ec8423bc1109abfe84b9161e19f729eac"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue Jun 02 06:45:26 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Tue Jun 02 14:28:31 2026 +0200"
      },
      "message": "Bump info.cukes:cucumber-core from 1.2.5 to 1.2.6\n\nBumps info.cukes:cucumber-core from 1.2.5 to 1.2.6.\n\n---\nupdated-dependencies:\n- dependency-name: info.cukes:cucumber-core\n  dependency-version: 1.2.6\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "25011b5ec8423bc1109abfe84b9161e19f729eac",
      "tree": "a1660ab62286f566c597dbf5a02129eb2d2388a2",
      "parents": [
        "6e34fdb57aa4e8ab507f3c0bdd67ae72f76c2896"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue Jun 02 06:44:57 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Tue Jun 02 14:19:36 2026 +0200"
      },
      "message": "Bump org.codehaus.plexus:plexus-classworlds from 2.9.0 to 2.12.0\n\nBumps [org.codehaus.plexus:plexus-classworlds](https://github.com/codehaus-plexus/plexus-classworlds) from 2.9.0 to 2.12.0.\n- [Release notes](https://github.com/codehaus-plexus/plexus-classworlds/releases)\n- [Commits](https://github.com/codehaus-plexus/plexus-classworlds/compare/plexus-classworlds-2.9.0...plexus-classworlds-2.12.0)\n\n---\nupdated-dependencies:\n- dependency-name: org.codehaus.plexus:plexus-classworlds\n  dependency-version: 2.12.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "6e34fdb57aa4e8ab507f3c0bdd67ae72f76c2896",
      "tree": "241b785b7d8cf0c1b4825a35706804f48df7d3d0",
      "parents": [
        "6c06712eb86835821b48d5d58bfc065d10e61ad5"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue Jun 02 06:43:33 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Tue Jun 02 14:17:41 2026 +0200"
      },
      "message": "Bump version.shrinkwrap.resolver.bom from 3.3.5 to 3.3.7\n\nBumps `version.shrinkwrap.resolver.bom` from 3.3.5 to 3.3.7.\n\nUpdates `org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-impl-maven` from 3.3.5 to 3.3.7\n- [Release notes](https://github.com/shrinkwrap/resolver/releases)\n- [Commits](https://github.com/shrinkwrap/resolver/compare/3.3.5...3.3.7)\n\nUpdates `org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-bom` from 3.3.5 to 3.3.7\n- [Release notes](https://github.com/shrinkwrap/resolver/releases)\n- [Commits](https://github.com/shrinkwrap/resolver/compare/3.3.5...3.3.7)\n\n---\nupdated-dependencies:\n- dependency-name: org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-impl-maven\n  dependency-version: 3.3.7\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n- dependency-name: org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-bom\n  dependency-version: 3.3.7\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "6c06712eb86835821b48d5d58bfc065d10e61ad5",
      "tree": "9d1a52dc0d98b4d1c731ce1afcb4b2ea614c1914",
      "parents": [
        "954b87062feb15333088face550160e1f22bb7ef"
      ],
      "author": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Sun May 17 16:49:31 2026 +0200"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Tue Jun 02 12:06:21 2026 +0200"
      },
      "message": "initial AGENTS.md/SECURITY.md\n"
    },
    {
      "commit": "954b87062feb15333088face550160e1f22bb7ef",
      "tree": "0b85ce7210ce5ad4af578d6b8173aa9e2e151596",
      "parents": [
        "985ae9648e4f6934d926da0dfad5d8fb9dd81e7f"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Mon Jun 01 08:22:33 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Tue Jun 02 08:27:08 2026 +0200"
      },
      "message": "Bump org.ehcache:ehcache from 3.11.1 to 3.12.0\n\nBumps [org.ehcache:ehcache](https://github.com/ehcache/ehcache3) from 3.11.1 to 3.12.0.\n- [Release notes](https://github.com/ehcache/ehcache3/releases)\n- [Commits](https://github.com/ehcache/ehcache3/compare/v3.11.1...v3.12.0)\n\n---\nupdated-dependencies:\n- dependency-name: org.ehcache:ehcache\n  dependency-version: 3.12.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "985ae9648e4f6934d926da0dfad5d8fb9dd81e7f",
      "tree": "bfb75cfceafa56a193cfbec28b7e03e16a94754b",
      "parents": [
        "5c5a311d930460404d46b7cf85854ea7a6a03609"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Mon Jun 01 08:25:37 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Tue Jun 02 08:26:59 2026 +0200"
      },
      "message": "Bump commons-codec:commons-codec from 1.21.0 to 1.22.0\n\nBumps [commons-codec:commons-codec](https://github.com/apache/commons-codec) from 1.21.0 to 1.22.0.\n- [Changelog](https://github.com/apache/commons-codec/blob/master/RELEASE-NOTES.txt)\n- [Commits](https://github.com/apache/commons-codec/compare/rel/commons-codec-1.21.0...rel/commons-codec-1.22.0)\n\n---\nupdated-dependencies:\n- dependency-name: commons-codec:commons-codec\n  dependency-version: 1.22.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "5c5a311d930460404d46b7cf85854ea7a6a03609",
      "tree": "98d64b64d093fa9079c6b816343fb6496610a400",
      "parents": [
        "c00985ded5e2f581eec990581dee9325459ea527"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Mon Jun 01 08:26:53 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Tue Jun 02 08:17:11 2026 +0200"
      },
      "message": "Bump version.myfaces from 4.1.2 to 4.1.3\n\nBumps `version.myfaces` from 4.1.2 to 4.1.3.\n\nUpdates `org.apache.myfaces.core:myfaces-api` from 4.1.2 to 4.1.3\n\nUpdates `org.apache.myfaces.core:myfaces-impl` from 4.1.2 to 4.1.3\n\n---\nupdated-dependencies:\n- dependency-name: org.apache.myfaces.core:myfaces-api\n  dependency-version: 4.1.3\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n- dependency-name: org.apache.myfaces.core:myfaces-impl\n  dependency-version: 4.1.3\n  dependency-type: direct:development\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "c00985ded5e2f581eec990581dee9325459ea527",
      "tree": "d74b66c6572522afaf5c153f0383393590573fb8",
      "parents": [
        "bc636ff03925b99746c65a9b508148fcd63d885e"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Mon Jun 01 08:26:08 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Tue Jun 02 08:17:01 2026 +0200"
      },
      "message": "Bump version.slf4j from 2.0.17 to 2.0.18\n\nBumps `version.slf4j` from 2.0.17 to 2.0.18.\n\nUpdates `org.slf4j:slf4j-api` from 2.0.17 to 2.0.18\n\nUpdates `org.slf4j:slf4j-jdk14` from 2.0.17 to 2.0.18\n\n---\nupdated-dependencies:\n- dependency-name: org.slf4j:slf4j-api\n  dependency-version: 2.0.18\n  dependency-type: direct:development\n  update-type: version-update:semver-patch\n- dependency-name: org.slf4j:slf4j-jdk14\n  dependency-version: 2.0.18\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "bc636ff03925b99746c65a9b508148fcd63d885e",
      "tree": "3a9e47a5982df8c74c9db1f41632ef4420751b7c",
      "parents": [
        "bc1823a38b18a31086a579e11825e4464ec83fe6"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Mon Jun 01 08:25:41 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Tue Jun 02 08:16:33 2026 +0200"
      },
      "message": "Bump org.apache.rat:apache-rat-plugin from 0.17 to 0.18\n\nBumps org.apache.rat:apache-rat-plugin from 0.17 to 0.18.\n\n---\nupdated-dependencies:\n- dependency-name: org.apache.rat:apache-rat-plugin\n  dependency-version: \u00270.18\u0027\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "bc1823a38b18a31086a579e11825e4464ec83fe6",
      "tree": "03b92344033822b4eacc8fabcf0cbf73bcf5eef5",
      "parents": [
        "79cb3f97fe73914ce97f56aa87202cc5e2d7e646"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Mon Jun 01 08:25:28 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Tue Jun 02 07:58:25 2026 +0200"
      },
      "message": "Bump org.apache.maven.plugins:maven-resources-plugin from 3.4.0 to 3.5.0\n\nBumps [org.apache.maven.plugins:maven-resources-plugin](https://github.com/apache/maven-resources-plugin) from 3.4.0 to 3.5.0.\n- [Release notes](https://github.com/apache/maven-resources-plugin/releases)\n- [Commits](https://github.com/apache/maven-resources-plugin/compare/v3.4.0...maven-resources-plugin-3.5.0)\n\n---\nupdated-dependencies:\n- dependency-name: org.apache.maven.plugins:maven-resources-plugin\n  dependency-version: 3.5.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "79cb3f97fe73914ce97f56aa87202cc5e2d7e646",
      "tree": "2474fcdcf962806f93dd1e9b3f730d130a27ac5e",
      "parents": [
        "4c1cab771153bb40b7035278293652984b0c5b4a"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Mon Jun 01 08:25:17 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Tue Jun 02 07:41:22 2026 +0200"
      },
      "message": "Bump version.groovy from 5.0.5 to 5.0.6\n\nBumps `version.groovy` from 5.0.5 to 5.0.6.\n\nUpdates `org.apache.groovy:groovy-jsr223` from 5.0.5 to 5.0.6\n- [Commits](https://github.com/apache/groovy/commits)\n\nUpdates `org.apache.groovy:groovy-json` from 5.0.5 to 5.0.6\n- [Commits](https://github.com/apache/groovy/commits)\n\n---\nupdated-dependencies:\n- dependency-name: org.apache.groovy:groovy-jsr223\n  dependency-version: 5.0.6\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n- dependency-name: org.apache.groovy:groovy-json\n  dependency-version: 5.0.6\n  dependency-type: direct:development\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "4c1cab771153bb40b7035278293652984b0c5b4a",
      "tree": "320f6d942737c46cae1716d134a9119eb00097f7",
      "parents": [
        "be57e297b40b6965f16c8bb834591dfdfcb77307"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Mon Jun 01 08:24:55 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Tue Jun 02 07:41:06 2026 +0200"
      },
      "message": "Bump version.log4j2 from 2.25.4 to 2.26.0\n\nBumps `version.log4j2` from 2.25.4 to 2.26.0.\n\nUpdates `org.apache.logging.log4j:log4j-api` from 2.25.4 to 2.26.0\n\nUpdates `org.apache.logging.log4j:log4j-jul` from 2.25.4 to 2.26.0\n\nUpdates `org.apache.logging.log4j:log4j-core` from 2.25.4 to 2.26.0\n\n---\nupdated-dependencies:\n- dependency-name: org.apache.logging.log4j:log4j-api\n  dependency-version: 2.26.0\n  dependency-type: direct:development\n  update-type: version-update:semver-minor\n- dependency-name: org.apache.logging.log4j:log4j-jul\n  dependency-version: 2.26.0\n  dependency-type: direct:development\n  update-type: version-update:semver-minor\n- dependency-name: org.apache.logging.log4j:log4j-core\n  dependency-version: 2.26.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "be57e297b40b6965f16c8bb834591dfdfcb77307",
      "tree": "9c71ff264545b8e8402b17ce50c6e4f5982bc1e7",
      "parents": [
        "6271f6652e95389fb607ac01d9076826d49387f2"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Mon Jun 01 08:24:30 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Tue Jun 02 07:40:07 2026 +0200"
      },
      "message": "Bump version.arquillian from 1.10.1.Final to 1.10.2.Final\n\nBumps `version.arquillian` from 1.10.1.Final to 1.10.2.Final.\n\nUpdates `org.jboss.arquillian.testng:arquillian-testng-container` from 1.10.1.Final to 1.10.2.Final\n\nUpdates `org.jboss.arquillian.junit5:arquillian-junit5-container` from 1.10.1.Final to 1.10.2.Final\n\nUpdates `org.jboss.arquillian.testng:arquillian-testng-core` from 1.10.1.Final to 1.10.2.Final\n\nUpdates `org.jboss.arquillian.test:arquillian-test-spi` from 1.10.1.Final to 1.10.2.Final\n\nUpdates `org.jboss.arquillian.config:arquillian-config-impl-base` from 1.10.1.Final to 1.10.2.Final\n\nUpdates `org.jboss.arquillian.container:arquillian-container-spi` from 1.10.1.Final to 1.10.2.Final\n\nUpdates `org.jboss.arquillian.container:arquillian-container-test-spi` from 1.10.1.Final to 1.10.2.Final\n\nUpdates `org.jboss.arquillian.core:arquillian-core-spi` from 1.10.1.Final to 1.10.2.Final\n\nUpdates `org.jboss.arquillian.junit:arquillian-junit-container` from 1.10.1.Final to 1.10.2.Final\n\nUpdates `org.jboss.arquillian.config:arquillian-config-api` from 1.10.1.Final to 1.10.2.Final\n\nUpdates `org.jboss.arquillian.core:arquillian-core-impl-base` from 1.10.1.Final to 1.10.2.Final\n\nUpdates `org.jboss.arquillian.testenricher:arquillian-testenricher-cdi` from 1.10.1.Final to 1.10.2.Final\n\n---\nupdated-dependencies:\n- dependency-name: org.jboss.arquillian.testng:arquillian-testng-container\n  dependency-version: 1.10.2.Final\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n- dependency-name: org.jboss.arquillian.junit5:arquillian-junit5-container\n  dependency-version: 1.10.2.Final\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n- dependency-name: org.jboss.arquillian.testng:arquillian-testng-core\n  dependency-version: 1.10.2.Final\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n- dependency-name: org.jboss.arquillian.test:arquillian-test-spi\n  dependency-version: 1.10.2.Final\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n- dependency-name: org.jboss.arquillian.config:arquillian-config-impl-base\n  dependency-version: 1.10.2.Final\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n- dependency-name: org.jboss.arquillian.container:arquillian-container-spi\n  dependency-version: 1.10.2.Final\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n- dependency-name: org.jboss.arquillian.container:arquillian-container-test-spi\n  dependency-version: 1.10.2.Final\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n- dependency-name: org.jboss.arquillian.core:arquillian-core-spi\n  dependency-version: 1.10.2.Final\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n- dependency-name: org.jboss.arquillian.junit:arquillian-junit-container\n  dependency-version: 1.10.2.Final\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n- dependency-name: org.jboss.arquillian.config:arquillian-config-api\n  dependency-version: 1.10.2.Final\n  dependency-type: direct:development\n  update-type: version-update:semver-patch\n- dependency-name: org.jboss.arquillian.core:arquillian-core-impl-base\n  dependency-version: 1.10.2.Final\n  dependency-type: direct:development\n  update-type: version-update:semver-patch\n- dependency-name: org.jboss.arquillian.testenricher:arquillian-testenricher-cdi\n  dependency-version: 1.10.2.Final\n  dependency-type: direct:development\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "6271f6652e95389fb607ac01d9076826d49387f2",
      "tree": "3df8bff7e5aee9d91cd70d1081fcbce2fb83b865",
      "parents": [
        "f2406998e7cd8f020e69d0307ec45b72d3d41f7e"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Mon Jun 01 08:22:39 2026 +0000"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Tue Jun 02 07:37:41 2026 +0200"
      },
      "message": "Bump org.apache.maven.plugins:maven-failsafe-plugin from 3.5.5 to 3.5.6\n\nBumps [org.apache.maven.plugins:maven-failsafe-plugin](https://github.com/apache/maven-surefire) from 3.5.5 to 3.5.6.\n- [Release notes](https://github.com/apache/maven-surefire/releases)\n- [Commits](https://github.com/apache/maven-surefire/compare/surefire-3.5.5...surefire-3.5.6)\n\n---\nupdated-dependencies:\n- dependency-name: org.apache.maven.plugins:maven-failsafe-plugin\n  dependency-version: 3.5.6\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "f2406998e7cd8f020e69d0307ec45b72d3d41f7e",
      "tree": "b3170110d119ee6f7d17542a795883243843de7c",
      "parents": [
        "701e3e9d1ed333c76be295e7645b82b612a709ad"
      ],
      "author": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Fri May 29 15:04:22 2026 +0200"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Fri May 29 15:04:22 2026 +0200"
      },
      "message": "fix jaxrs failures introduced by 76345242\n"
    },
    {
      "commit": "701e3e9d1ed333c76be295e7645b82b612a709ad",
      "tree": "afe40427d57e1a306c452d3971ebd31390b49da0",
      "parents": [
        "a3060c6d00fe8b9767c3153dd9e6cc04cac84c9a"
      ],
      "author": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Wed May 27 09:52:03 2026 +0200"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Wed May 27 09:52:03 2026 +0200"
      },
      "message": "Clarify reason for jax-rs TCK exclusion\n"
    },
    {
      "commit": "a3060c6d00fe8b9767c3153dd9e6cc04cac84c9a",
      "tree": "ee3474aad24b17e0f8430a9cc09fc15daaeb14ce",
      "parents": [
        "76345242343cc2dbefc3c84599fc42c06f376595"
      ],
      "author": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Wed May 27 09:41:08 2026 +0200"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Wed May 27 09:41:08 2026 +0200"
      },
      "message": "Clarify reason for jax-rs TCK exclusion\n"
    },
    {
      "commit": "76345242343cc2dbefc3c84599fc42c06f376595",
      "tree": "d364cb72efd10945ad08d2c454c450d066e26698",
      "parents": [
        "cf6e00a8716ed5df4bd9fb20a45ca7d8066930df"
      ],
      "author": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Wed May 27 08:09:44 2026 +0200"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Wed May 27 08:09:44 2026 +0200"
      },
      "message": "Unwrap InternalApplication before passing to CXF\n"
    },
    {
      "commit": "cf6e00a8716ed5df4bd9fb20a45ca7d8066930df",
      "tree": "54a049deadd43af1ad8e7650884d7660ee714f76",
      "parents": [
        "73aff4d92b9dac603025b5a5294018434a23881d"
      ],
      "author": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Mon May 25 14:17:18 2026 +0200"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Mon May 25 14:17:18 2026 +0200"
      },
      "message": "tck/jax-rs: exclude UriInfo40ClientIT pending CXF-9217\n\nUriInfoImpl#getMatchedResourceTemplate() omits the @ApplicationPath\nfrom the returned template, causing the four getMatchedResourceTemplate*\ntests in jaxrs40 UriInfo40ClientIT to fail. Exclude the class in both\nthe standalone and embedded TCK runs until CXF-9217 is fixed upstream.\n"
    },
    {
      "commit": "73aff4d92b9dac603025b5a5294018434a23881d",
      "tree": "6f016df6a7bc43efd0029ea09d31d10e41015bcc",
      "parents": [
        "cf273fff302c7113c515e0059ddf99c54b4c895b"
      ],
      "author": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Sun May 24 19:48:31 2026 +0200"
      },
      "committer": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Sun May 24 19:48:31 2026 +0200"
      },
      "message": "tck/rest-client: align WireMock/SSE Jetty stack to Jetty 11\n\nThe reactor manages jetty-server/http/io/security/util to Jetty 12, but\nWireMock 3.x and the MP Rest Client TCK\u0027s SSE HttpSseServer run on Jetty 11.\nThe version split left jetty-servlet:11 (ServletHandler) resolving against\njetty-server:12, where org.eclipse.jetty.server.handler.ScopedHandler was\nremoved, so the SSE mock server failed to start with NoClassDefFoundError.\nOverride the affected test-scope artifacts back to Jetty 11.0.24 in this\nmodule only so the WireMock/SSE Jetty stack is coherent again.\n"
    },
    {
      "commit": "cf273fff302c7113c515e0059ddf99c54b4c895b",
      "tree": "2054f770b55425a9f45b2bccccca79c196cf518a",
      "parents": [
        "ead1b188dfc9f8b57aba75739a8bd426e057c640"
      ],
      "author": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Fri May 22 20:02:34 2026 +0200"
      },
      "committer": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Fri May 22 20:02:34 2026 +0200"
      },
      "message": "security/openid: guard null context path in cookie-based storage\n\nCookieBasedOpenIdStorageHandler.contextPath() called String.isEmpty()\ndirectly on HttpServletRequest.getContextPath(), throwing an NPE when\nthe value is null. Treat null the same as the empty root-context path\nand fall back to \"/\". Fixes the six CookieBased/DefinitionAware\nOpenIdStorageHandler unit tests that mock the request.\n"
    },
    {
      "commit": "ead1b188dfc9f8b57aba75739a8bd426e057c640",
      "tree": "8dbef8ec20a86e05fd06d848dfa2659d6514a7ef",
      "parents": [
        "635956b674f9c01018ad55c9e86cc4bda6fdcf3d"
      ],
      "author": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Fri May 22 15:41:14 2026 +0200"
      },
      "committer": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Fri May 22 15:41:14 2026 +0200"
      },
      "message": "examples: use Jakarta EE 11 API and drop obsolete endorsed-dirs setup\n\n- Bump jakartaee-api 10.0 -\u003e 11.0.0-SNAPSHOT in rest-sse-example,\n  polling-client, tomee-jersey-eclipselink and mp-jsonb-configuration.\n- datasource-definition: remove the geronimo-property-plugin / endorsed\n  dirs machinery and the pre-Jakarta geronimo-annotation_1.3_spec\n  dependency. The endorsed-dirs mechanism was removed in Java 9+ and\n  java.endorsed.dirs prevents JVM startup on Java 17; the @DataSourceDefinition\n  annotation is provided by jakartaee-api.\n"
    },
    {
      "commit": "635956b674f9c01018ad55c9e86cc4bda6fdcf3d",
      "tree": "c82f86dcd5ef9eb33b949f23d51ca3cfbdc76aa6",
      "parents": [
        "a61d57c257228fd4d31fba32b616e453041c93e6"
      ],
      "author": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Fri May 22 15:40:58 2026 +0200"
      },
      "committer": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Fri May 22 15:40:58 2026 +0200"
      },
      "message": "examples: align MicroProfile and WebSocket API versions for TomEE 11\n\nTomEE 11 ships MicroProfile 7.1. Update example spec versions that were\nstill pinned to MicroProfile 6.x (or older) levels:\n\n- MicroProfile JWT 1.1 -\u003e 2.1\n- MicroProfile Rest Client 3.0.1 -\u003e 4.0\n- MicroProfile OpenAPI 3.1.1 -\u003e 4.1 (SmallRye impl 3.13.0 -\u003e 4.2.4)\n- MicroProfile Fault Tolerance 4.0.2 -\u003e 4.1\n- MicroProfile Config 3.0.2 -\u003e 3.1\n- Jakarta WebSocket API 2.0.0 -\u003e 2.2.0\n\nAlso bump jakartaee-api 10.0 -\u003e 11.0.0-SNAPSHOT in mp-faulttolerance-retry\nand mp-rest-jwt-public-key.\n"
    },
    {
      "commit": "a61d57c257228fd4d31fba32b616e453041c93e6",
      "tree": "3b47ae1e4c41eb7cfdb39f9ae2d456da4d52fe92",
      "parents": [
        "62b2106e69cf3f4905a14c6d19433ccd11d87d71"
      ],
      "author": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Fri May 22 15:40:42 2026 +0200"
      },
      "committer": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Fri May 22 15:40:42 2026 +0200"
      },
      "message": "examples: set Java compiler target to 17\n\nTomEE 11 requires Java 17. Bump the Java source/target/release (and\nmaven.compiler.* properties) from 1.8 / 11 to 17 in examples that still\npinned an older level.\n"
    },
    {
      "commit": "62b2106e69cf3f4905a14c6d19433ccd11d87d71",
      "tree": "f1f94eae543d008f6be5faa2fa77c3f49e474a6e",
      "parents": [
        "ef00da3d475f400f1a63961937ad0e2a3ec7b112"
      ],
      "author": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Fri May 22 15:26:31 2026 +0200"
      },
      "committer": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Fri May 22 15:28:01 2026 +0200"
      },
      "message": "docs: fix broken/dead links, stale versions and Jakarta EE terminology\n\n- Broken internal links: directory-structure -\u003e file-layout rename,\n  de-link long-gone tutorial pages, repoint website pages (downloads,\n  mailing-lists, examples) to absolute URLs, fix a path escaping docs/\n- Version placeholders: jakartaee-api and tomee-embedded dependency\n  snippets bumped to 11.0.0-SNAPSHOT\n- Dead external links: java.sun.com JavaDoc -\u003e Oracle Java 17 JavaDoc;\n  remove dead people.apache.org/jrg.me.uk screenshot images; svn checkout\n  commands -\u003e git clone; de-link defunct hosts (www.openejb.org, onjava.com,\n  java.net, fusesource, eclipsezilla, springframework); upgrade live links\n  to https\n- Terminology: \"Java EE\"/\"J2EE\" -\u003e \"Jakarta EE\" only where describing\n  present-day TomEE (historical references left intact)\n"
    },
    {
      "commit": "ef00da3d475f400f1a63961937ad0e2a3ec7b112",
      "tree": "184e7bf61ec19f146fe373d6896980472063b03b",
      "parents": [
        "4fccf43a9056bda1eab23e14f3230f8a047e1d2b"
      ],
      "author": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Fri May 22 15:26:15 2026 +0200"
      },
      "committer": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Fri May 22 15:28:01 2026 +0200"
      },
      "message": "docs: repair Confluence/wiki/markdown conversion artifacts\n\nThese pages still contained leftover markup from the old wiki-to-AsciiDoc\nmigration that rendered as literal garbage. Convert them to valid AsciiDoc:\n\n- markdown links [text](url) and wiki links [text|target] -\u003e link:url[text]\n- openejbx30:/openejb: page references and [OPENEJB:...] markers\n- Confluence block macros {note}/{tip}/{warning}/{panel}/{anchor}/{include}\n  /{color} -\u003e AsciiDoc admonitions, anchors and plain text\n- {snippet:url\u003dopenejb3/examples/...} macros -\u003e links to the live example\n  sources on GitHub\n- dead !http://...! image macros removed; stray section headings and\n  mangled inline emphasis fixed\n"
    },
    {
      "commit": "4fccf43a9056bda1eab23e14f3230f8a047e1d2b",
      "tree": "7c675d5aa3ac9c8401089c688273ea348db3d99d",
      "parents": [
        "37fdaf55be6892d2b17aa103a95dd3edc7d89d48"
      ],
      "author": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Fri May 22 15:26:03 2026 +0200"
      },
      "committer": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Fri May 22 15:28:01 2026 +0200"
      },
      "message": "docs: update comparison page for Jakarta EE 11 and MicroProfile 7.1\n\nThe specification comparison was still describing Jakarta EE 10 /\nMicroProfile 6.0 / TomEE 10.x and contradicted the actual shipped\nversions. Update it to reflect TomEE 11:\n\n- Jakarta EE 11 spec levels (Servlet 6.1, JSP 4.0, EL 6.0, CDI 4.1,\n  Faces 4.1, JPA 3.2, JAX-RS 4.0, Bean Validation 3.1, Interceptors 2.2,\n  Concurrency 3.1, Security 4.0, JACC 3.0, Annotations 3.0, JAXB/JAX-WS 4.0,\n  SAAJ 3.0, ...) and add Jakarta Data 1.0\n- MicroProfile 7.1 (Config 3.1, Fault Tolerance 4.1, Health 4.0.1, JWT 2.1,\n  OpenAPI 4.1, Telemetry 2.1, Rest Client 4.0; Metrics dropped)\n- Implementation versions: Tomcat 11.0.x, CXF 4.2.x, OpenJPA 4.1.x,\n  EclipseLink 5.0.x, MyFaces/OWB 4.1.x, Johnzon 2.0.x, ActiveMQ 6.2.x,\n  Hibernate 7.3.x\n- Remove the broken self-referential xref\n"
    },
    {
      "commit": "37fdaf55be6892d2b17aa103a95dd3edc7d89d48",
      "tree": "5a714cdbe80dce799694c15a953fe01da1367b1f",
      "parents": [
        "11932ac572523306bc3bd06ae4b6c4a2423bf423"
      ],
      "author": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Fri May 22 15:25:52 2026 +0200"
      },
      "committer": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Fri May 22 15:28:01 2026 +0200"
      },
      "message": "docs: remove obsolete pages and clean up documentation index\n\nDelete pages that document removed features or are no longer relevant for\nTomEE 11:\n\n- jakartaee-9/ - 2020 work-in-progress notes on the Jakarta EE 8-\u003e9\n  namespace migration (contained TBD/??? placeholders)\n- manual-installation.adoc - manual OpenEJB-on-Tomcat-6 install walkthrough\n- spring.adoc, spring-and-openejb-3.0.adoc, spring-ejb-and-jpa.adoc - the\n  OpenEJB Spring integration module and its examples were removed\n- advanced/tomee-embedded/foo.ado - empty stray file\n\nUpdate documentation.adoc to drop the Spring section and the nav entries\npointing to pages that no longer exist.\n"
    },
    {
      "commit": "11932ac572523306bc3bd06ae4b6c4a2423bf423",
      "tree": "1554422301eef1440adb9a708a8cfe32704bf186",
      "parents": [
        "2cf31a87ee1bc8bc9c749c01a735608d07840710"
      ],
      "author": {
        "name": "github-actions[bot]",
        "email": "41898282+github-actions[bot]@users.noreply.github.com",
        "time": "Fri May 22 12:55:26 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri May 22 12:55:26 2026 +0200"
      },
      "message": "Minor: Regenerated BOMs for 2cf31a87ee1bc8bc9c749c01a735608d07840710 (#2666)\n\nSigned-off-by: GitHub \u003cnoreply@github.com\u003e\nCo-authored-by: rzo1 \u003crzo1@users.noreply.github.com\u003e"
    },
    {
      "commit": "2cf31a87ee1bc8bc9c749c01a735608d07840710",
      "tree": "d12b0527a2ef75d443bdf62a643db1db0cb1d24b",
      "parents": [
        "9aaa5454d657a1f07785dab01d721ef70e52b7c5"
      ],
      "author": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Fri May 22 12:32:15 2026 +0200"
      },
      "committer": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Fri May 22 12:32:47 2026 +0200"
      },
      "message": "EclipseLink 5.0.0\n"
    },
    {
      "commit": "9aaa5454d657a1f07785dab01d721ef70e52b7c5",
      "tree": "623bb945c37cee2ff7c41b9b1036e0196e2b27a8",
      "parents": [
        "fc6dc64823c64b3890781293aff0a4b489fb42ee"
      ],
      "author": {
        "name": "Richard Zowalla",
        "email": "13417392+rzo1@users.noreply.github.com",
        "time": "Fri May 22 12:26:34 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri May 22 12:26:34 2026 +0200"
      },
      "message": "Security 4.0 (#2632)\n\n* tck/security: avoid OpenID keytool alias collisions\n\n* security/jacc: integrate PolicyFactory and PrincipalMapper\n\n* security/cdi: wire mechanism handlers and OpenID routing\n\n* catalina: delegate jakarta.faces classes to container\n\n* tck(security): stabilize OpenID truststore setup\n\n* tck(security): pin tomee http port for OpenID TCK flows\n\n* security/openid: remove trust-all TLS bypass helper\n\nOpenIdHttpClientSupport shipped a default-on X509TrustManager that\naccepted any cert for loopback HTTPS endpoints (CWE-295/297). Drop\nthe helper entirely and let JAX-RS and jose4j use the JVM default\nSSLSocketFactory; tests that need localhost trust must configure\njavax.net.ssl.trustStore properly.\n\nThe companion localhost metadata-rewrite fallback in\nAutoResolvingProviderMetadata depended on the same helper and is\nremoved too; the simple .well-known/openid-configuration fetch is\nenough when the provider URI resolves normally.\n\n* security/cdi: dedupe mechanism definitions collected in ProcessBean\n\nProcessBean can fire more than once for the same annotated type\n(e.g. when CDI synthesises observer/interceptor beans on it), so\nList.addAll accumulated duplicate @*AuthenticationMechanismDefinition\ninstances. 
After c723b38920 started registering one bean per\ncollected definition, this produced multiple beans with identical\nqualifier sets and AmbiguousResolutionException on startup -- the\ntomee-security servlet tests failed to deploy.\n\nSwitch the four *MechanismDefinitions collections to LinkedHashSet\n(annotations are value-equal) and snapshot them to ordered lists at\nAfterBeanDiscovery time so the indexed bean-id scheme still works.\n\nAlso update OpenIdAuthenticationMechanismUnitTest to set the\ndefinition through the supplier hook rather than reflecting into a\nfield that no longer exists.\n\n* tck(security): seed JDK truststore and regenerate OpenID certs\n\nThe OpenID modules ship self-signed certs that expired in March\n2023, which is why the TLS bypass in OpenIdHttpClientSupport was\nrequired. Now that the bypass is gone we need JSSE to validate\nthese connections on its own.\n\nIn the download-tck antrun phase:\n  - seed ${glassfish.root}/glassfish8/.../cacerts.jks from the JDK\u0027s\n    default cacerts (146 trusted CAs) so Maven metadata fetches and\n    any other public HTTPS calls during the invoker run still\n    validate; the TCK\u0027s keytool-maven-plugin step appends the\n    localhost cert on top in pre-integration-test.\n  - regenerate localhost-rsa.jks + tomcat.cert per app-openid* dir\n    with a fresh 10-year validity, replacing the expired TCK files.\n  - replace the two hard-coded \u003calias\u003e rewrites with a loop that\n    handles any app-openidN directory.\n\nIn the injected tomee-remote profile:\n  - point javax.net.ssl.trustStore at the seeded keystore so the\n    failsafe JVM (HtmlUnit test driver) trusts the localhost cert.\n  - add tomee.catalina_opts so arquillian-tomee-remote forwards the\n    same -Djavax.net.ssl.trustStore/Password to the forked TomEE\n    JVM (the OpenID relying party).\n\nFull Jakarta Security 4.0 TCK is green against this configuration\nwithout any trust-all fallback.\n\n* security/openid: harden 
callback URL guard and stop trusting Host header\n\nJakarta Security 4.0 §2.4.4.2 says a callback whose URL matches\nneither the configured redirectURI nor the stored original-request\nURL MUST return CredentialValidationResult.NOT_VALIDATED_RESULT.\nPreviously the check was conditional on redirectToOriginalResource,\nso with the default (false) any request carrying a state parameter\ndrove a token-endpoint exchange.\n\nThe comparison was also based on HttpServletRequest.getRequestURL(),\nwhich folds in the client-supplied Host header (CWE-350) -- behind a\nmisconfigured reverse proxy this is attacker-influenced.\n\n- Drop the \u0026\u0026 redirectToOriginalResource() conjunct so the guard\n  runs unconditionally.\n- Compare by path: request.getRequestURI() against the path\n  component of the configured redirectURI (memoised via a new\n  redirectPath() helper) and against the path of the stored\n  ORIGINAL_REQUEST. Storage values are unchanged -- SavedRequest\n  restoration still uses the full URL.\n\nAdded three focused unit tests covering spoofed Host headers with\nmatching / non-matching paths under both redirectToOriginalResource\nsettings.\n\n* security: implement SecurityContext.getAllDeclaredCallerRoles\n\nJakarta Security 4.0 §4.2 adds SecurityContext#getAllDeclaredCallerRoles\nreturning every application-declared role the current caller has.\nIt was unimplemented and threw UnsupportedOperationException.\n\nResolve the current Catalina Request via OpenEJBSecurityListener\n(same pattern as registerContainerAboutLogin) and iterate\nContext#findSecurityRoles() -- the servlet-declared roles. For each\nrole, evaluate Jakarta Authorization 3.0\u0027s Policy with a\nWebRoleRefPermission(\"\", role) against the current Subject from\nTomcatSecurityService#getCurrentSubject. Wrap the evaluation in the\nsame save/restore PolicyContext.getContextID() try/finally used by\nhasAccessToWebResource. 
Returns a LinkedHashSet so iteration is\nstable; empty set if the request, context, security service, or\npolicy is unavailable.\n\nAdded an integration test that deploys a @DeclareRoles-annotated\nservlet under BASIC auth, logs in as the tomcat user, and verifies\nthe method returns only the roles the caller actually holds.\n\nScope: web-module declared roles only; EJB security-role-ref\nintegration is out of scope and deferred.\n\n* security/jacc: simplify PrincipalMapper handling and prefer Jakarta CallerPrincipal\n\nTwo cleanups in AbstractSecurityService:\n\n1. Drop the java.lang.reflect.Proxy branch that re-exposed\n   DefaultPrincipalMapper across a foreign TCCL. jakarta.security.jacc\n   is a container-delegated package via URLClassLoaderFirst, so the\n   proxy path is dead code. getContext(PRINCIPAL_MAPPER, ...) now\n   returns the field directly.\n\n2. Tighten DefaultPrincipalMapper#getCallerPrincipal lookup order so\n   a jakarta.security.enterprise.CallerPrincipal instance wins over\n   any other non-Group principal. Previously only the TomEE-internal\n   @org.apache.openejb.spi.CallerPrincipal annotation had precedence;\n   a Subject with both a Jakarta CallerPrincipal and an unrelated\n   Principal resolved non-deterministically via the first-non-Group\n   fallback.\n\nThe inner class is now a static nested class so tests can\ninstantiate it directly, with a package-private\ngetPrincipalMapper() accessor. New DefaultPrincipalMapperTest covers\nboth CallerPrincipal forms, group skipping, empty/null subjects,\nand the Group-\u003erole mapping.\n\n* security/openid: harden state/nonce cookies\n\nOIDC callbacks are cross-site, so state/nonce cookies need both the\nSecure flag and SameSite\u003dNone. 
The previous implementation set\nSecure conditionally on request.isSecure() (misbehaves behind TLS-\nterminating proxies), never set SameSite, and the delete() path\nomitted the attributes needed for the browser to overwrite the\ncookie.\n\n- set(): Secure is now unconditional behind\n  tomee.security.openid.state-cookie-secure (default true); adds\n  Path\u003d/ and SameSite\u003dNone; Base64 encoding now uses\n  StandardCharsets.UTF_8 explicitly on both sides.\n- delete(): mirrors Path, Secure, HttpOnly, SameSite so browsers\n  accept the replacement cookie with maxAge\u003d0.\n- get(): null-guards request.getCookies() so the handler tolerates\n  requests without any cookie jar.\n\nNew CookieBasedOpenIdStorageHandlerTest captures cookies via Mockito\nArgumentCaptor and asserts all four attributes on set and delete,\nexercises the override property, covers the null-cookies path, and\nround-trips a unicode string through Base64 to confirm the UTF-8\nencoding.\n\n* security: implement @InMemoryIdentityStoreDefinition\n\nJakarta Security 4.0 §3.4 introduces @InMemoryIdentityStoreDefinition\nfor small apps that don\u0027t want to stand up a database or LDAP. The\nextension already collected TomcatUser/Database/LDAP stores but\nsilently ignored the in-memory one, so any app declaring it got no\nIdentityStore registered.\n\nTomEEInMemoryIdentityStore is @ApplicationScoped, honours useFor()\n(NOT_VALIDATED when VALIDATE is absent; getCallerGroups returns\nempty when PROVIDE_GROUPS is absent), and uses MessageDigest.isEqual\non UTF-8 bytes so password comparison is constant-time. 
The full\ndeclared-credentials array is walked once per validate() so runtime\nis roughly independent of caller position / presence.\n\nTomEESecurityExtension gains an inMemoryStore AtomicReference,\nmatching detection in processBean, and Supplier +\nTomEEInMemoryIdentityStore bean registrations in\nregisterAuthenticationMechanism mirroring the LDAP/Database pattern.\nThe TomEEELInvocationHandler proxy transparently resolves the\n*Expression siblings.\n\nUnit test coverage (16 cases):\n- happy path returns VALID with declared groups\n- wrong password / unknown caller / non-UPC credential\n- useFor permutations (VALIDATE-only, PROVIDE_GROUPS-only, both)\n- empty store, empty password, case-sensitive caller name\n- caller + right-password-from-another-entry stays INVALID\n- priority() reflects annotation (spec default 90, custom value)\n- validationTypes() reflects useFor\n- duplicate caller entries: first match wins deterministically\n- Unicode caller/password/groups round-trip (UTF-8)\n- declared-group uniqueness across callers\n- 8-thread / 200-iteration concurrent validate stays consistent\n\n* security/jacc: make PolicyFactory authoritative in TomEERealm\n\nJakarta Authorization 3.0 expects the installed Policy to be the\nsingle source of truth for web-resource authorization. 
TomEERealm\nwas running Policy.implies() as an additive \"grant only\" shortcut\nin front of the Catalina default check -- a JACC deny was\ndiscarded, and a Catalina grant could override a missing JACC\ndecision.\n\n- JaccProvider#DefaultPolicy gains an isSentinel() marker and\n  JaccProvider.isSentinelPolicy(Policy) exposes it package-publicly\n  so TomEERealm can distinguish \"no application policy installed\n  for this context\" from a real allow/deny verdict.\n- evaluatePolicyFactory(Request) (renamed from isGrantedByPolicyFactory)\n  now returns Boolean tri-state: TRUE \u003d application Policy allowed,\n  FALSE \u003d application Policy denied, null \u003d sentinel / missing /\n  runtime error. hasResourcePermission returns the Boolean directly\n  when non-null; the super.hasResourcePermission fallback runs only\n  for the null case.\n- PolicyContext.setHandlerData is saved and restored around the\n  implies() call instead of being nulled in finally, so a nested\n  authorization check on the same thread doesn\u0027t lose its handler\n  data.\n- A previously silent catch (RuntimeException) now logs at DEBUG\n  under OPENEJB_SECURITY and returns null (unknown) so the\n  fallback decides, making misconfiguration diagnosable.\n\n* security/cdi: fail deployment on duplicate mechanism qualifier sets\n\nC1.5 made ProcessBean idempotent so IDENTICAL mechanism definitions\ncollapse. Two DIFFERENT @*AuthenticationMechanismDefinition\ninstances that share the same qualifier set (e.g. 
two\n@BasicAuthenticationMechanismDefinition with the same default\nBasicAuthenticationMechanism qualifier but different realmName) are\nnot equal, stay as separate entries, and both register beans with\nthe same qualifier set -- OWB then throws AmbiguousResolutionException\non first access at runtime.\n\nObserve AfterDeploymentValidation and group each mechanism type\u0027s\ncollected definitions by their effective qualifier set (wrapped in\na LinkedHashSet so intra-array order and duplicates don\u0027t mask\nclashes). Any group with size \u003e 1 becomes one\nafterDeploymentValidation.addDeploymentProblem(DeploymentException)\ncarrying the annotation simple name, the conflicting qualifier\nclasses, the offending instances\u0027 toString, and a hint pointing at\nqualifiers \u003d { ... }. All four mechanism types are checked in one\nobserver so the error surfaces every violation at once.\n\nTest coverage (5 cases in TomEESecurityExtensionQualifierValidationTest)\nexercises the extracted package-private helper\nvalidateQualifierUniqueness: single def passes, two defs with same\ndefault qualifier and different realmName fails with both realms\nnamed, distinct qualifier sets pass, reordered qualifier arrays\nstill collide, empty input is a no-op.\n\n* Revert \"catalina: delegate jakarta.faces classes to container\"\n\nThis reverts commit 562eba686a23603d0f237a8838edf45934ac46d6.\n\nThe change rode along on the Security 4.0 branch but isn\u0027t needed\nfor any of its TCK modules (none exercise Jakarta Faces) and it\nremoves the explicit `delegate \u003d false` synchronous path that the\noriginal loader used for `jakarta.faces.*`, which existed to avoid\na MyFaces + OWB class-init ordering issue. 
If the delegation\nrewrite is still desired it should land under its own TOMEE ticket\nwith a MyFaces-CDI smoke test.\n\n* security/openid: prefer client_secret_basic at the token endpoint\n\nOIDC Core 1.0 §9 lists client_secret_basic as the default client\nauthentication method at the token endpoint, and both OP and RP are\nexpected to support it. client_secret_post works too but puts the\nsecret in the request body, which ends up in HTTP access logs and\nWAF / proxy trace dumps.\n\n- Factor out preferBasicAuth() and basicAuthHeader() helpers shared\n  by refreshTokens() and performAuthentication().\n- When Basic is preferred, send Authorization: Basic\n  base64(clientId:clientSecret) and drop client_id / client_secret\n  from the form body.\n- preferBasicAuth() reflectively reads the spec-pending\n  tokenEndpointAuthMethodsSupported() accessor on\n  OpenIdProviderMetadata (absent in the bundled\n  jakarta.security.enterprise-api:4.0.0 jar). Missing accessor,\n  empty/null return, or the presence of client_secret_basic all\n  select Basic; a non-empty array advertising only\n  client_secret_post selects form-parameter posting.\n\nTwo new unit tests spin up a com.sun.net.httpserver.HttpServer,\ncapture the /token request, and assert:\n- default path emits the Authorization: Basic header and omits\n  client_id / client_secret from the form body, and\n- client_secret_post-only configuration omits the header and keeps\n  client_id / client_secret in the form body.\n\n* security: include EJB declared roles in getAllDeclaredCallerRoles\n\nThe initial implementation only enumerated servlet \u003csecurity-role\u003e\nentries via Catalina\u0027s Context.findSecurityRoles(). 
Spec §4.2 says\nthe method must return every application-declared role the caller\nholds, which in an EE app also covers the current EJB\u0027s\n\u003csecurity-role-ref\u003e / @DeclareRoles.\n\nBeanContext gains getSecurityRoleReferences() returning a\ndefensive LinkedHashSet view of the internal map\u0027s keys (it\u0027s the\nonly accessor we own; the map was previously exposed only through\na per-role lookup).\n\nTomEESecurityContext.getAllDeclaredCallerRoles now runs two\nindependent passes, each under its own PolicyContext.getContextID()\nsave/restore:\n- web pass under toAppContext(servletContext, contextPath) using\n  WebRoleRefPermission(\"\", role) against the current Request\u0027s\n  Context.findSecurityRoles().\n- EJB pass under BeanContext.getModuleID() using\n  EJBRoleRefPermission(ejbName, role) against\n  BeanContext.getSecurityRoleReferences(). Runs whenever\n  ThreadContext.getThreadContext() is non-null.\n\nResults merge into a LinkedHashSet (web first, then EJB). Empty\nset only when both the Request and ThreadContext are null.\n\nTest extension: a @Stateless @DeclareRoles({\"tomcat\",\n\"ejb-only-role\"}) bean is invoked from a servlet that reports the\nmerged set. The servlet declares \"user\"/\"unassigned\" so the test\nproves \"tomcat\" came from the EJB branch and \"ejb-only-role\" is\nnot included because the caller doesn\u0027t have it.\n\n* security: produce a @Default Principal bean\n\nJakarta Security 4.0 §1.2.4 says the container must expose a\njava.security.Principal bean with the @Default qualifier that\nresolves to the current caller. TomEE-security did not register\none -- @Inject Principal failed with UnsatisfiedResolutionException\nunless the app declared its own producer.\n\nAdd a small @ApplicationScoped CallerPrincipalProducer that\ndelegates to SecurityContext.getCallerPrincipal() and is registered\nby TomEESecurityExtension.observeBeforeBeanDiscovery alongside the\nexisting BaseUrlProducer. 
The producer method is @Dependent so\nevery injection site sees the live caller identity rather than a\ncached reference from whenever the owning bean was constructed.\n\nThree unit tests cover the happy path, the unauthenticated null\ncase, and the per-call reevaluation contract.\n\n* security/openid: honour discovered token_endpoint_auth_methods, harden in-memory store\n\npreferBasicAuth() previously reflected on tokenEndpointAuthMethodsSupported() which\ndoes not exist on jakarta.security.enterprise-api 4.0 OpenIdProviderMetadata; the\nNoSuchMethodException path always fired, making the form-fallback branch unreachable.\nMove the decision onto CompositeOpenIdProviderMetadata (which already owns the\ndiscovery JsonObject) via a new tokenEndpointAuthMethodsSupported() accessor, and\nreplace the reflection with an instanceof check. Plain-annotation deployments still\nfall through to the OIDC Core §9 default of client_secret_basic.\n\nAlso:\n\n- TomEEInMemoryIdentityStore: encode the supplied password char[] to UTF-8 via\n  StandardCharsets.UTF_8.encode(CharBuffer.wrap(...)) instead of new String(chars),\n  so plaintext no longer lands in the String pool; scrub the temporary byte[] in a\n  finally block. 
Caller-name comparison now uses MessageDigest.isEqual on UTF-8\n  bytes (constant-time in the supplied length) instead of String.equals.\n\n- BeanContext.securityRoleReferences: HashMap -\u003e LinkedHashMap so\n  getSecurityRoleReferences() iterates in registration order.\n\n- OpenIdAuthenticationMechanismUnitTest: rewrite the client_secret_post-only test\n  against a real CompositeOpenIdProviderMetadata built from a discovery JSON so it\n  exercises the production preferBasicAuth() path (dropping the subclass override);\n  add tokenEndpointUsesClientSecretBasicWhenDiscoveryAdvertisesIt for the positive\n  discovery case.\n\n* catalina: always delegate jakarta.faces.* to the container\n\nTomEE plus/plume ship MyFaces in the server lib/, so the impl classes are\nlinked against the container-loaded jakarta.faces.* API. When a WAR also\nbundles jakarta.faces-api the previous shouldSkipJsf size heuristic flipped\ndelegation off, two distinct Class objects for the same FQN ended up on\nthe path, and MyFaces\u0027 StartupServletContextListener died with a\nLinkageError - reproduced by the Jakarta Security 4.0 TCK app-mem-customform\nmodule which bundles jakarta.faces-api 4.1.0.\n\nDrop the heuristic from URLClassLoaderFirst.shouldSkipJsf so jakarta.faces.*\nis always loaded from the container exactly once. 
The matching prefix in\nTomEEWebappClassLoader.loadClass becomes redundant (the first if-branch now\ncatches it via shouldDelegateToTheContainer); leave the org.apache.webbeans.jsf\nlocal-load path intact so the OWB JSF integration still binds to the\nwebapp\u0027s CDI beans.\n\nAdd URLClassLoaderFirstTest cases that exercise both the multi-copy and\nsingle-copy classpath shapes to lock the behaviour down.\n\n* security/openid: pick token-endpoint auth method by OP-advertised order\n\npreferBasicAuth() previously returned true as soon as client_secret_basic\nappeared anywhere in token_endpoint_auth_methods_supported, ignoring the\nOP\u0027s advertised preference order. Form-only OPs that legally list both\nmethods with client_secret_post first - including the Jakarta Security 4.0\nTCK mock provider used by app-openid - therefore got an empty form body and\nreturned 500 invalid_client_id, propagating as HTTP 500 on /Callback.\n\nWalk the array in order and pick the first method we know how to speak;\nfall back to Basic only when no list is published or none of the listed\nmethods are implemented (RFC 6749 / OIDC Core §9 default).\n\nUpdate the existing unit test to assert order-driven selection (post-first\n\u003d\u003e Post wins, basic-first \u003d\u003e Basic wins) so the contract is locked in.\nWith this change Security 4.0 TCK app-openid (OpenIdDefaultIT,\nOpenIdWithELIT, InvalidRedirectURIIT) passes and the full security TCK\nreports 26/26 modules green.\n\n* Avoid ambiguous authentication handler lookup\n\n* Support custom qualifier instances\n\n* Revert \"security: produce a @Default Principal bean\"\n\nThis reverts commit 1f2438af6d4ae64d7ae0cd594b2d925a60b41d29.\n\n* Fix OpenID storage selection per mechanism\n\n* tck/security: extract tomee-remote profile fragment\n\nMove the inline tomee-remote profile out of the antrun \u003creplace\u003e\nvalue attribute and into src/test/resources/tomee-remote-profile.xml\nso it can be edited as plain XML without 
escaping or line-separator\nglue. The antrun task now \u003cloadfile\u003es the fragment (with property\nexpansion) and injects it before \u003c/profiles\u003e.\n\n* security: address review findings on JACC, InMemory groups, OIDC routing, basic auth\n\n- TomEERealm.evaluatePolicyFactory: set the per-webapp JACC context id around\n  PolicyFactory.getPolicy()/Policy.implies() and restore the prior id, so reused\n  Tomcat worker threads don\u0027t evaluate requests against another webapp\u0027s policy\n  (or no policy at all). Mirrors Eclipse Exousia\u0027s checkPermissionScoped.\n- TomEEInMemoryIdentityStore.getCallerGroups: when invoked under PROVIDE_GROUPS,\n  look up the caller in the locally declared credentials and return its groups\n  instead of echoing the validating store\u0027s result. Matches Soteria\u0027s RI.\n- OpenIdIdentityStore: route JWT validation, audience/issuer checks, JWKS and\n  userinfo through the per-mechanism definition pushed via withDefinition,\n  falling back to @Default. Without this, a non-default qualified OIDC mechanism\n  exchanged the code with provider B but validated tokens against provider A.\n- OpenIdAuthenticationMechanism.basicAuthHeader: form-encode client_id and\n  client_secret with UTF-8 before joining and base64-encoding, per RFC 6749\n  §2.3.1. Matches Nimbus oauth2-oidc-sdk ClientSecretBasic.\n\nTests: 4 TomEERealm contextID tests, 3 OIDC routing tests, 3 InMemory\nPROVIDE_GROUPS tests, 1 client_secret_basic URL-encoding test.\nJakarta Security 4.0 TCK: 24/24 modules SUCCESS, 132 tests, 0 failures.\n\n* security: pass BasicAuthenticationCredential directly to IdentityStoreHandler\n\nBasicAuthenticationCredential extends UsernamePasswordCredential per the\nJakarta Security spec, so wrapping it in a new UsernamePasswordCredential\nbefore validation was unnecessary and broke any IdentityStore that\ndiscriminates on instanceof BasicAuthenticationCredential. 
Pass the\ncredential directly, matching Soteria reference behaviour.\n\n* security: omit SameSite\u003dNone when Secure is disabled for OIDC cookies\n\nPer RFC 6265bis §4.1.2.7, browsers silently drop SameSite\u003dNone cookies\nthat lack the Secure attribute. When the state-cookie-secure\u003dfalse override\nis active, emitting SameSite\u003dNone made the OIDC state/nonce cookies\ninvisible to the browser, silently breaking every login attempt. Omitting\nSameSite when Secure is disabled lets browsers fall back to Lax, which\nworks for the standard top-level GET redirect callback flow.\n\n* security: memoize AutoResolvingProviderMetadata instance per OIDC supplier\n\nThe supplier returned by createOpenIdAuthenticationMechanismDefinitionSupplier\nwas constructing a new AutoResolvingProviderMetadata on every get() call,\ndiscarding the per-instance cached field and re-fetching the OIDC discovery\ndocument on each getDefinition() invocation (2-5 times per request). Wrap\nthe created instance in an AtomicReference so the discovery fetch is done\nonce and subsequent calls return the cached wrapper.\n\n* security: scope OIDC state/nonce cookies to webapp context path\n\nAvoids leaking state/nonce cookies to other webapps deployed in the same\nserver by using the webapp\u0027s context path instead of root \"/\" as the\ncookie path. Falls back to \"/\" for the root context.\n\n---------\n\nCo-authored-by: Markus Jung \u003cjungm@apache.org\u003e"
    },
    {
      "commit": "fc6dc64823c64b3890781293aff0a4b489fb42ee",
      "tree": "927fcd5496d57ab509dfe71c70683a2e17f650a0",
      "parents": [
        "7ee66f1cc0ff1980e6f33bd6f6086bebc8f44b92"
      ],
      "author": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Fri May 22 08:17:28 2026 +0200"
      },
      "committer": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Fri May 22 08:17:52 2026 +0200"
      },
      "message": "CXF 4.2.1\n"
    },
    {
      "commit": "7ee66f1cc0ff1980e6f33bd6f6086bebc8f44b92",
      "tree": "e315ea52ba8a515ddeed2f04d2cd80f08439be39",
      "parents": [
        "c1265958ab29ac297f3bd24803510849a139d375"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue May 19 20:06:44 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue May 19 20:06:44 2026 +0200"
      },
      "message": "Bump org.apache.tomcat:tomcat-catalina from 11.0.21 to 11.0.22 (#2664)\n\nBumps org.apache.tomcat:tomcat-catalina from 11.0.21 to 11.0.22.\n\n---\nupdated-dependencies:\n- dependency-name: org.apache.tomcat:tomcat-catalina\n  dependency-version: 11.0.22\n  dependency-type: direct:production\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e"
    },
    {
      "commit": "c1265958ab29ac297f3bd24803510849a139d375",
      "tree": "6b3b12ab5fedb281ef0c75e5a35d387f5c76b838",
      "parents": [
        "e6380d85bf141242247c4ff67833e9431878cdc7"
      ],
      "author": {
        "name": "Florian Courault",
        "email": "49650082+florian-courault@users.noreply.github.com",
        "time": "Tue May 12 11:22:48 2026 +0200"
      },
      "committer": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Tue May 12 11:24:48 2026 +0200"
      },
      "message": "TOMEE-4610 - RemoteException is not chained with AuthenticationException at openejb-client authentication (#2549)\n\n* RemoteException is not chained with AuthenticationException at openejb-client authentication\n\n* Apply same cause chaining to JNDIContext.logout()\n\nMirror the fix from authenticate(): when the RemoteException from\nClient.request fails the logout, wrap it via initCause so the original\ncause is preserved instead of only the localized message. Matches the\nexisting pattern used at the AUTH_DENIED branch a few lines below.\n\n---------\n\nCo-authored-by: Richard Zowalla \u003crzo1@apache.org\u003e"
    },
    {
      "commit": "e6380d85bf141242247c4ff67833e9431878cdc7",
      "tree": "c00a1efc3dabb21ad3f21a81a5f19ac9c928d35d",
      "parents": [
        "191759a566ad6ba554c0dee3161b257b55d44c0c"
      ],
      "author": {
        "name": "github-actions[bot]",
        "email": "41898282+github-actions[bot]@users.noreply.github.com",
        "time": "Tue May 12 11:23:49 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue May 12 11:23:49 2026 +0200"
      },
      "message": "Minor: Regenerated BOMs for 191759a566ad6ba554c0dee3161b257b55d44c0c (#2660)\n\nSigned-off-by: GitHub \u003cnoreply@github.com\u003e\nCo-authored-by: rzo1 \u003crzo1@users.noreply.github.com\u003e"
    },
    {
      "commit": "191759a566ad6ba554c0dee3161b257b55d44c0c",
      "tree": "b06c28748219608aa9804f7cef4a3d6b1aed1e2d",
      "parents": [
        "dbab4dbe5ad87bddc6f2acbee184add9a4fcce4f"
      ],
      "author": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Tue May 12 11:08:10 2026 +0200"
      },
      "committer": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Tue May 12 11:09:01 2026 +0200"
      },
      "message": "TOMEE-4603 - Recover from duplicate proxy class definition in ClassDefiner\n\nWhen the JVM rejects a defineClass with LinkageError because that class\nname is already loaded in this ClassLoader, re-resolve the existing\nclass via Class.forName instead of failing. Mirrors the\nUnsafe.handleLinkageError fallback in OpenWebBeans, which only kicks in\nwhen no DefiningClassService is registered. Without this defence\nOpenWebBeans 4.0.x can generate the same proxy class FQN for two\ndistinct Bean\u003c?\u003e instances of the same erased type (e.g. MyFaces\u0027\n@FacesScoped Map producers requestScope/param/header/...) and the\nLinkageError propagates to the user. Logs a WARNING so the recovery\nremains visible.\n\nAdds an Arquillian reproducer in arquillian-tomee-webprofile-tests that\ndeploys a Facelet combining c:set in request scope with an EL reference\nto the implicit param map. Passes on tomee-embedded and reproduces the\nLinkageError on Map$$OwbNormalScopeProxy under the remote adapter\n(-Pall-adapters).\n\nSee also OWB-1462. Ported from #2633 (tomee-10.x).\n"
    },
    {
      "commit": "dbab4dbe5ad87bddc6f2acbee184add9a4fcce4f",
      "tree": "f7a5f4df06c40a2d5848a6c108dc61eb740b9174",
      "parents": [
        "7ece4348bf36cd09f7a149042e3e99d26f8d8999"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue May 12 11:03:37 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue May 12 11:03:37 2026 +0200"
      },
      "message": "Bump org.eclipse.jetty:jetty-http from 11.0.20 to 12.1.8 (#2618)\n\n* Bump org.eclipse.jetty:jetty-http from 11.0.20 to 12.0.33\n\nBumps org.eclipse.jetty:jetty-http from 11.0.20 to 12.0.33.\n\n---\nupdated-dependencies:\n- dependency-name: org.eclipse.jetty:jetty-http\n  dependency-version: 12.0.33\n  dependency-type: direct:production\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\n\n* fix compile errors\n\n---------\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e\nCo-authored-by: Markus Jung \u003cjungm@apache.org\u003e"
    },
    {
      "commit": "7ece4348bf36cd09f7a149042e3e99d26f8d8999",
      "tree": "948dddde8309dba0255d11c34d21dc80ea8df43f",
      "parents": [
        "8623316ec9fb5d67590345e40cc9720f91a92948"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue May 12 11:02:47 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue May 12 11:02:47 2026 +0200"
      },
      "message": "Bump version.groovy from 5.0.4 to 5.0.5 (#2635)\n\nBumps `version.groovy` from 5.0.4 to 5.0.5.\n\nUpdates `org.apache.groovy:groovy-jsr223` from 5.0.4 to 5.0.5\n- [Commits](https://github.com/apache/groovy/commits)\n\nUpdates `org.apache.groovy:groovy-json` from 5.0.4 to 5.0.5\n- [Commits](https://github.com/apache/groovy/commits)\n\n---\nupdated-dependencies:\n- dependency-name: org.apache.groovy:groovy-jsr223\n  dependency-version: 5.0.5\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n- dependency-name: org.apache.groovy:groovy-json\n  dependency-version: 5.0.5\n  dependency-type: direct:development\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e"
    },
    {
      "commit": "8623316ec9fb5d67590345e40cc9720f91a92948",
      "tree": "208adfdde8e2b40bc2cb00dfa4609839b3b165f6",
      "parents": [
        "c842aa3d23c2862ef36b8f0ef238f176111781b8"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue May 12 11:02:21 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue May 12 11:02:21 2026 +0200"
      },
      "message": "Bump version.microprofile.impl.opentelemetry from 2.11.2 to 2.12.0 (#2637)\n\nBumps `version.microprofile.impl.opentelemetry` from 2.11.2 to 2.12.0.\n\nUpdates `io.smallrye.opentelemetry:smallrye-opentelemetry-api` from 2.11.2 to 2.12.0\n- [Release notes](https://github.com/smallrye/smallrye-opentelemetry/releases)\n- [Commits](https://github.com/smallrye/smallrye-opentelemetry/compare/2.11.2...2.12.0)\n\nUpdates `io.smallrye.opentelemetry:smallrye-opentelemetry-cdi` from 2.11.2 to 2.12.0\n\nUpdates `io.smallrye.opentelemetry:smallrye-opentelemetry-rest` from 2.11.2 to 2.12.0\n\nUpdates `io.smallrye.opentelemetry:smallrye-opentelemetry-config` from 2.11.2 to 2.12.0\n\nUpdates `io.smallrye.opentelemetry:smallrye-opentelemetry-propagation` from 2.11.2 to 2.12.0\n\n---\nupdated-dependencies:\n- dependency-name: io.smallrye.opentelemetry:smallrye-opentelemetry-api\n  dependency-version: 2.12.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n- dependency-name: io.smallrye.opentelemetry:smallrye-opentelemetry-cdi\n  dependency-version: 2.12.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n- dependency-name: io.smallrye.opentelemetry:smallrye-opentelemetry-rest\n  dependency-version: 2.12.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n- dependency-name: io.smallrye.opentelemetry:smallrye-opentelemetry-config\n  dependency-version: 2.12.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n- dependency-name: io.smallrye.opentelemetry:smallrye-opentelemetry-propagation\n  dependency-version: 2.12.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e"
    },
    {
      "commit": "c842aa3d23c2862ef36b8f0ef238f176111781b8",
      "tree": "1d68037a1609fc4945c1ca9d7743ff037be25fc6",
      "parents": [
        "b37f648346c740acacb201a364b7f186bdcc185a"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue May 12 11:01:51 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue May 12 11:01:51 2026 +0200"
      },
      "message": "Bump version.microprofile.impl.config from 3.16.0 to 3.17.2 (#2641)\n\nBumps `version.microprofile.impl.config` from 3.16.0 to 3.17.2.\n\nUpdates `io.smallrye.config:smallrye-config-core` from 3.16.0 to 3.17.2\n\nUpdates `io.smallrye.config:smallrye-config-common` from 3.16.0 to 3.17.2\n- [Release notes](https://github.com/smallrye/smallrye-config/releases)\n- [Commits](https://github.com/smallrye/smallrye-config/compare/3.16.0...3.17.2)\n\nUpdates `io.smallrye.config:smallrye-config` from 3.16.0 to 3.17.2\n- [Release notes](https://github.com/smallrye/smallrye-config/releases)\n- [Commits](https://github.com/smallrye/smallrye-config/compare/3.16.0...3.17.2)\n\n---\nupdated-dependencies:\n- dependency-name: io.smallrye.config:smallrye-config-core\n  dependency-version: 3.17.2\n  dependency-type: direct:development\n  update-type: version-update:semver-minor\n- dependency-name: io.smallrye.config:smallrye-config-common\n  dependency-version: 3.17.2\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n- dependency-name: io.smallrye.config:smallrye-config\n  dependency-version: 3.17.2\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e"
    },
    {
      "commit": "b37f648346c740acacb201a364b7f186bdcc185a",
      "tree": "d4d694615a9ab62b997cf3f3a3dc6839d1fe1fe7",
      "parents": [
        "7ebe33a7a0ace4169e8291822ea1031a34ade5b0"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue May 12 11:01:27 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue May 12 11:01:27 2026 +0200"
      },
      "message": "Bump version.jackson from 2.21.2 to 2.21.3 (#2643)\n\nBumps `version.jackson` from 2.21.2 to 2.21.3.\n\nUpdates `com.fasterxml.jackson.core:jackson-databind` from 2.21.2 to 2.21.3\n- [Commits](https://github.com/FasterXML/jackson/commits)\n\nUpdates `com.fasterxml.jackson.dataformat:jackson-dataformat-yaml` from 2.21.2 to 2.21.3\n- [Commits](https://github.com/FasterXML/jackson-dataformats-text/compare/jackson-dataformats-text-2.21.2...jackson-dataformats-text-2.21.3)\n\n---\nupdated-dependencies:\n- dependency-name: com.fasterxml.jackson.core:jackson-databind\n  dependency-version: 2.21.3\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n- dependency-name: com.fasterxml.jackson.dataformat:jackson-dataformat-yaml\n  dependency-version: 2.21.3\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e"
    },
    {
      "commit": "7ebe33a7a0ace4169e8291822ea1031a34ade5b0",
      "tree": "efd3745f036dfe86ea4556e8dad9ddeab43bb7f6",
      "parents": [
        "3a5ab655fb8ade6ad9650565400119a33af431e1"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue May 12 11:00:54 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue May 12 11:00:54 2026 +0200"
      },
      "message": "Bump org.apache.maven.plugins:maven-shade-plugin from 3.6.1 to 3.6.2 (#2644)\n\nBumps [org.apache.maven.plugins:maven-shade-plugin](https://github.com/apache/maven-shade-plugin) from 3.6.1 to 3.6.2.\n- [Release notes](https://github.com/apache/maven-shade-plugin/releases)\n- [Commits](https://github.com/apache/maven-shade-plugin/compare/maven-shade-plugin-3.6.1...maven-shade-plugin-3.6.2)\n\n---\nupdated-dependencies:\n- dependency-name: org.apache.maven.plugins:maven-shade-plugin\n  dependency-version: 3.6.2\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e"
    },
    {
      "commit": "3a5ab655fb8ade6ad9650565400119a33af431e1",
      "tree": "c87c8fa9f03aed14c9788afba1b31c12b641943b",
      "parents": [
        "7f3a24a7b5cb2766388573331873c0b75553ceed"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue May 12 11:00:17 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue May 12 11:00:17 2026 +0200"
      },
      "message": "Bump version.spring-boot from 4.0.3 to 4.0.6 (#2646)\n\nBumps `version.spring-boot` from 4.0.3 to 4.0.6.\n\nUpdates `org.springframework.boot:spring-boot-starter-web` from 4.0.3 to 4.0.6\n- [Release notes](https://github.com/spring-projects/spring-boot/releases)\n- [Commits](https://github.com/spring-projects/spring-boot/compare/v4.0.3...v4.0.6)\n\nUpdates `org.springframework.boot:spring-boot-starter-tomcat` from 4.0.3 to 4.0.6\n- [Release notes](https://github.com/spring-projects/spring-boot/releases)\n- [Commits](https://github.com/spring-projects/spring-boot/compare/v4.0.3...v4.0.6)\n\nUpdates `org.springframework.boot:spring-boot-starter-test` from 4.0.3 to 4.0.6\n- [Release notes](https://github.com/spring-projects/spring-boot/releases)\n- [Commits](https://github.com/spring-projects/spring-boot/compare/v4.0.3...v4.0.6)\n\n---\nupdated-dependencies:\n- dependency-name: org.springframework.boot:spring-boot-starter-web\n  dependency-version: 4.0.6\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n- dependency-name: org.springframework.boot:spring-boot-starter-tomcat\n  dependency-version: 4.0.6\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n- dependency-name: org.springframework.boot:spring-boot-starter-test\n  dependency-version: 4.0.6\n  dependency-type: direct:development\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e"
    },
    {
      "commit": "7f3a24a7b5cb2766388573331873c0b75553ceed",
      "tree": "946b96ed41330b7b60fff666f89d4f689bc333b3",
      "parents": [
        "eb28261f08c7ed62bd6665686fd36b0c0da73c92"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue May 12 10:59:20 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue May 12 10:59:20 2026 +0200"
      },
      "message": "Bump com.nimbusds:nimbus-jose-jwt from 10.8 to 10.9 (#2647)\n\nBumps [com.nimbusds:nimbus-jose-jwt](https://bitbucket.org/connect2id/nimbus-jose-jwt) from 10.8 to 10.9.\n- [Changelog](https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt)\n- [Commits](https://bitbucket.org/connect2id/nimbus-jose-jwt/branches/compare/10.9..10.8)\n\n---\nupdated-dependencies:\n- dependency-name: com.nimbusds:nimbus-jose-jwt\n  dependency-version: \u002710.9\u0027\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e"
    },
    {
      "commit": "eb28261f08c7ed62bd6665686fd36b0c0da73c92",
      "tree": "0d8c2f8ec8409f7492cdda08945807ff514f1023",
      "parents": [
        "f1e713fc8fbabd96569f122514b3fb1f86d0c395"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue May 12 10:57:00 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue May 12 10:57:00 2026 +0200"
      },
      "message": "Bump surefire.version from 3.5.3 to 3.5.5 (#2649)\n\nBumps `surefire.version` from 3.5.3 to 3.5.5.\n\nUpdates `org.apache.maven.plugins:maven-surefire-plugin` from 3.5.3 to 3.5.5\n- [Release notes](https://github.com/apache/maven-surefire/releases)\n- [Commits](https://github.com/apache/maven-surefire/compare/surefire-3.5.3...surefire-3.5.5)\n\nUpdates `org.apache.maven.plugins:maven-surefire-report-plugin` from 3.5.3 to 3.5.5\n- [Release notes](https://github.com/apache/maven-surefire/releases)\n- [Commits](https://github.com/apache/maven-surefire/compare/surefire-3.5.3...surefire-3.5.5)\n\n---\nupdated-dependencies:\n- dependency-name: org.apache.maven.plugins:maven-surefire-plugin\n  dependency-version: 3.5.5\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n- dependency-name: org.apache.maven.plugins:maven-surefire-report-plugin\n  dependency-version: 3.5.5\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e"
    },
    {
      "commit": "f1e713fc8fbabd96569f122514b3fb1f86d0c395",
      "tree": "f606faf867d17cd37aa5c4fac71d295470e35e38",
      "parents": [
        "0f9e6c4285ab3cd7279f9f0d5ca25f34f2ec58da"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue May 12 10:56:09 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue May 12 10:56:09 2026 +0200"
      },
      "message": "Bump net.bytebuddy:byte-buddy from 1.18.3 to 1.18.8 (#2651)\n\nBumps [net.bytebuddy:byte-buddy](https://github.com/raphw/byte-buddy) from 1.18.3 to 1.18.8.\n- [Release notes](https://github.com/raphw/byte-buddy/releases)\n- [Changelog](https://github.com/raphw/byte-buddy/blob/master/release-notes.md)\n- [Commits](https://github.com/raphw/byte-buddy/compare/byte-buddy-1.18.3...byte-buddy-1.18.8)\n\n---\nupdated-dependencies:\n- dependency-name: net.bytebuddy:byte-buddy\n  dependency-version: 1.18.8\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e"
    },
    {
      "commit": "0f9e6c4285ab3cd7279f9f0d5ca25f34f2ec58da",
      "tree": "2bbf0bdc743b8e0da5ede79ec2ce67e910d54586",
      "parents": [
        "752f6bd1e53c16c1dedc9cb44e42901c0cee4dda"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue May 12 10:55:41 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue May 12 10:55:41 2026 +0200"
      },
      "message": "Bump org.apache.activemq:activemq-broker (#2656)\n\nBumps [org.apache.activemq:activemq-broker](https://github.com/apache/activemq) from 6.2.4 to 6.2.5.\n- [Release notes](https://github.com/apache/activemq/releases)\n- [Commits](https://github.com/apache/activemq/compare/activemq-6.2.4...activemq-6.2.5)\n\n---\nupdated-dependencies:\n- dependency-name: org.apache.activemq:activemq-broker\n  dependency-version: 6.2.5\n  dependency-type: direct:development\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e"
    },
    {
      "commit": "752f6bd1e53c16c1dedc9cb44e42901c0cee4dda",
      "tree": "75e0be0945869057b24f440260603f05cc8f7d27",
      "parents": [
        "8454a861303bd772e80aea806638b006327631c4"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue May 12 10:55:36 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue May 12 10:55:36 2026 +0200"
      },
      "message": "Bump org.apache.activemq:activemq-broker (#2655)\n\nBumps [org.apache.activemq:activemq-broker](https://github.com/apache/activemq) from 6.2.4 to 6.2.5.\n- [Release notes](https://github.com/apache/activemq/releases)\n- [Commits](https://github.com/apache/activemq/compare/activemq-6.2.4...activemq-6.2.5)\n\n---\nupdated-dependencies:\n- dependency-name: org.apache.activemq:activemq-broker\n  dependency-version: 6.2.5\n  dependency-type: direct:production\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e"
    },
    {
      "commit": "8454a861303bd772e80aea806638b006327631c4",
      "tree": "bd520892958e80dd49d240f5ddb46072f6f97c17",
      "parents": [
        "35055dd6663cf62271b43f9059cf5792682a9fac"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue May 12 10:54:28 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue May 12 10:54:28 2026 +0200"
      },
      "message": "Bump version.activemq from 6.2.4 to 6.2.5 (#2639)\n\nBumps `version.activemq` from 6.2.4 to 6.2.5.\n\nUpdates `org.apache.activemq:activemq-jdbc-store` from 6.2.4 to 6.2.5\n- [Release notes](https://github.com/apache/activemq/releases)\n- [Commits](https://github.com/apache/activemq/compare/activemq-6.2.4...activemq-6.2.5)\n\nUpdates `org.apache.activemq:activemq-ra` from 6.2.4 to 6.2.5\n- [Release notes](https://github.com/apache/activemq/releases)\n- [Commits](https://github.com/apache/activemq/compare/activemq-6.2.4...activemq-6.2.5)\n\nUpdates `org.apache.activemq:activemq-client` from 6.2.4 to 6.2.5\n- [Release notes](https://github.com/apache/activemq/releases)\n- [Commits](https://github.com/apache/activemq/compare/activemq-6.2.4...activemq-6.2.5)\n\nUpdates `org.apache.activemq:activemq-broker` from 6.2.4 to 6.2.5\n- [Release notes](https://github.com/apache/activemq/releases)\n- [Commits](https://github.com/apache/activemq/compare/activemq-6.2.4...activemq-6.2.5)\n\nUpdates `org.apache.activemq:activemq-openwire-legacy` from 6.2.4 to 6.2.5\n- [Release notes](https://github.com/apache/activemq/releases)\n- [Commits](https://github.com/apache/activemq/compare/activemq-6.2.4...activemq-6.2.5)\n\n---\nupdated-dependencies:\n- dependency-name: org.apache.activemq:activemq-jdbc-store\n  dependency-version: 6.2.5\n  dependency-type: direct:development\n  update-type: version-update:semver-patch\n- dependency-name: org.apache.activemq:activemq-ra\n  dependency-version: 6.2.5\n  dependency-type: direct:development\n  update-type: version-update:semver-patch\n- dependency-name: org.apache.activemq:activemq-client\n  dependency-version: 6.2.5\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n- dependency-name: org.apache.activemq:activemq-broker\n  dependency-version: 6.2.5\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n- dependency-name: 
org.apache.activemq:activemq-openwire-legacy\n  dependency-version: 6.2.5\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e"
    },
    {
      "commit": "35055dd6663cf62271b43f9059cf5792682a9fac",
      "tree": "85d24021f5f07fea2b847e35e62d1fd2a215119b",
      "parents": [
        "9b442f6165be6d8d3aacc93dd4c46bbeab72cebc"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue May 12 10:53:13 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue May 12 10:53:13 2026 +0200"
      },
      "message": "Bump org.apache.neethi:neethi from 3.2.1 to 3.2.2 (#2659)\n\nBumps org.apache.neethi:neethi from 3.2.1 to 3.2.2.\n\n---\nupdated-dependencies:\n- dependency-name: org.apache.neethi:neethi\n  dependency-version: 3.2.2\n  dependency-type: direct:production\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e"
    },
    {
      "commit": "9b442f6165be6d8d3aacc93dd4c46bbeab72cebc",
      "tree": "889df4f7123f51a01dbdbb7e35e011d8bc1e47e1",
      "parents": [
        "f7fffcaa1686db72b3dbe5793bff7582362d76df"
      ],
      "author": {
        "name": "Krzysztof Śmigrodzki",
        "email": "ksmigrod@users.noreply.github.com",
        "time": "Thu May 07 17:18:26 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Thu May 07 17:18:26 2026 +0200"
      },
      "message": "TOMEE-4604 - strip ssl keystore configuration params from outgoing URL. (#2658)\n\n* Refactor HttpConnectionTest\n\n* TOMEE-4604 strip ssl keystore configuration params from outgoing URL.\n\n* Formatting\n\n* Comment explaining split pattern with both \u0026 and ? on query stripping\n\n* Account for edge case where query parameter has no name."
    },
    {
      "commit": "f7fffcaa1686db72b3dbe5793bff7582362d76df",
      "tree": "37ac89b48a5a12b3de9fb1b6c26ec466431833f6",
      "parents": [
        "4c36ca4d4158cef1cfa14599372eee87c7da58c9"
      ],
      "author": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Thu May 07 17:06:28 2026 +0200"
      },
      "committer": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Thu May 07 17:06:28 2026 +0200"
      },
      "message": "Use released OWB 4.1.0\n"
    },
    {
      "commit": "4c36ca4d4158cef1cfa14599372eee87c7da58c9",
      "tree": "590301b3c4c24131f910d7150f4c9ecfa2587218",
      "parents": [
        "f14737ea767bcb472219b6c5530c319fdbae8219"
      ],
      "author": {
        "name": "Richard Zowalla",
        "email": "13417392+rzo1@users.noreply.github.com",
        "time": "Thu Apr 23 13:48:53 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Thu Apr 23 13:48:53 2026 +0200"
      },
      "message": "Concurrency 3.1 (#2577)\n\n* Setup Concurrency TCK\n\n* Implement @Asynchronous(runAt\u003d@Schedule(...)) for Jakarta Concurrency 3.1\n\nAdd support for scheduled recurring async methods as defined in Jakarta\nConcurrency 3.1. This addresses the largest block of TCK failures (28 tests)\nby enabling cron-based scheduling of CDI @Asynchronous methods via the new\nrunAt attribute.\n\n- ScheduleHelper: maps @Schedule annotations to API-provided CronTrigger,\n  supports composite triggers (multiple schedules) and skipIfLateBy wrapping\n- AsynchronousInterceptor: branches on runAt presence — one-shot path\n  unchanged, new scheduled path uses ManagedScheduledExecutorService\n- ManagedScheduledExecutorServiceImplFactory: adds lookup() with graceful\n  fallback matching the ManagedExecutorServiceImplFactory pattern\n\n* Add virtual thread support and DD virtual attribute for Concurrency 3.1\n\nImplement opt-in virtual thread support (Java 21+) across\nManagedThreadFactory, ManagedExecutorService, and\nManagedScheduledExecutorService as required by Jakarta Concurrency 3.1.\n\nRuntime:\n- VirtualThreadHelper: reflection-based Java 21 API access, graceful\n  fallback on Java 17 (isSupported check, no multi-release JARs)\n- ManagedThreadFactoryImpl: virtual path creates threads that do NOT\n  implement ManageableThread (spec 3.4.4)\n- All three factory classes accept virtual property\n\nDeployment descriptor + annotation processing:\n- Boolean virtual field added to DD model classes in openejb-jee\n- Convert*Definitions pass virtual to Resource properties\n- AnnotationDeployer reads virtual() from @Managed*Definition annotations\n\nTests skip gracefully on Java \u003c21 via Assume.assumeTrue.\n\n* Remove unused code from Concurrency 3.1 implementation\n\n- ScheduleHelper: remove pass-through toMonths/toDaysOfWeek methods\n  and unused DayOfWeek/Month imports\n- ManagedScheduledExecutorServiceImplFactory: wire virtual flag into\n  fallback thread factory 
creation, remove unused import\n- VirtualThreadHelper: remove unused ofVirtualInterface variable\n\n* Add CronTrigger tests verifying ZonedTrigger works with existing scheduler\n\nVerify that API-provided CronTrigger (a ZonedTrigger) works transparently\nwith ManagedScheduledExecutorServiceImpl via default bridge methods. Tests\nconfirm recurring scheduling and LastExecution with ZonedDateTime work\nwithout any implementation changes.\n\n* Fix scheduled async interceptor to call setFuture before ctx.proceed\n\nThe TCK beans call Asynchronous.Result.getFuture() inside scheduled\nmethods. The interceptor must call setFuture() before ctx.proceed()\nfor both void and non-void return types, otherwise getFuture() throws\nIllegalStateException. Use Callable path for all scheduled methods\nto ensure proper future lifecycle.\n\n* Fix scheduled async lifecycle: stop on non-null return, reject invalid JNDI\n\nThree fixes for @Asynchronous(runAt\u003d@Schedule(...)) TCK compliance:\n\n1. Stop trigger loop when method returns non-null value (per spec:\n   \"the method returns a non-null result value\" ends the schedule).\n   Uses AtomicReference to cancel ScheduledFuture from inside Callable.\n\n2. Throw IllegalArgumentException for invalid executor JNDI names\n   instead of silently falling back to default. Only default names\n   get the graceful fallback.\n\n3. Add beans.xml archive processor for Concurrency TCK deployments\n   (OWB needs bean-discovery-mode\u003d\"all\" to auto-enable @Priority\n   interceptors).\n\n4. Add TCK-style unit test covering CompletedResult, IncompleteFuture,\n   CompletedExceptionally, VoidReturn, and InvalidJNDIName scenarios.\n\n* Use bean-discovery-mode\u003dannotated in Concurrency TCK archive processor\n\nbean-discovery-mode\u003dall caused deployment failures for some TCK WARs\nby scanning too many classes. 
Switch to annotated mode which is the\nCDI 4.0 default and sufficient for discovering annotated beans.\n\n* Add multiple schedules and maxAsync unit tests for scheduled async\n\nExtend TCK-style test coverage with multipleSchedules (composite\ntrigger with two @Schedule annotations) and ignoresMaxAsync (concurrent\nscheduled method invocations). Both pass — remaining TCK failures for\nthese tests are JNDI scoping issues with java:module/ executor names.\n\n* Fix JNDI lookup for java:module/ and java:app/ scoped scheduled executors\n\nStrip java: prefix in ManagedScheduledExecutorServiceImplFactory.lookup()\nfallback path to match how resources are registered via cleanUpName().\nWithout this, java:module/concurrent/ScheduledExecutorB lookups fail\nbecause the resource is bound as module/concurrent/ScheduledExecutorB.\n\nAdd Arquillian test verifying both java:module/ and java:app/ scoped\n@ManagedScheduledExecutorDefinition work with scheduled async methods.\n\n* Support plain ManagedExecutorService as executor for scheduled async\n\nPer spec, @Asynchronous(executor\u003d..., runAt\u003d@Schedule(...)) may reference\na plain ManagedExecutorService, not just a ManagedScheduledExecutorService.\nWhen MSES lookup fails, verify the executor exists as MES and fall back to\nthe default MSES for scheduling capability.\n\n* Rewrite scheduled async with manual trigger loop and context preservation\n\nTwo fixes for the last Web-profile TCK failures:\n\n1. Context propagation: when executor is a plain MES (not MSES),\n   extract the MES\u0027s ContextServiceImpl and compose a temporary MSES\n   that uses the MES\u0027s context service with the default MSES\u0027s thread\n   pool. This preserves third-party context propagation (e.g. StringContext).\n\n2. Thread pool starvation: replace mses.schedule(Callable, Trigger)\n   with a manual trigger loop that schedules directly on the delegate\n   ScheduledExecutorService. 
This avoids TriggerTask\u0027s double context\n   wrapping and thread consumption between trigger fires.\n\n* Use default MSES delegate for scheduled async trigger loop\n\nPer spec, scheduled async methods are not subject to maxAsync\nconstraints. Use the default MSES\u0027s thread pool for the trigger loop\ninstead of the referenced executor\u0027s pool. This prevents thread\nstarvation when maxAsync threads are busy with blocking tasks.\n\n* Filter Concurrency TCK to Web profile using JUnit 5 tag\n\nReplace !eefull with web tag to properly exclude Full/EJB profile\ntests. The TCK 3.1.1 uses JUnit 5 @Tag annotations: @Web has tags\nweb+platform, @Platform has only platform. Filtering on web includes\nCore, Standalone, and Web tests while excluding Platform-only (Full).\n\n* Add qualifier and virtual DD element support for Concurrency 3.1\n\n- Add qualifier field (List\u003cString\u003e) to ContextService, ManagedExecutor,\n  ManagedScheduledExecutor, ManagedThreadFactory DD model classes\n- Update SXC JAXB accessors to parse \u003cqualifier\u003e and \u003cvirtual\u003e XML\n  elements (virtual was in the model but missing from SXC parsers)\n- Fix NPE in Convert*Definitions when \u003ccontext-service-ref\u003e is absent\n  in deployment descriptor — defaults to java:comp/DefaultContextService\n- Add unit tests for null context service fallback and qualifier model\n- Add Arquillian test deploying WAR with web.xml containing \u003cvirtual\u003e\n\n* Allow virtual thread factory to work with ForkJoinPool\n\nForkJoinWorkerThread extends Thread (platform) and cannot be virtual.\nFall back to a platform ManagedForkJoinWorkerThread instead of throwing\nUnsupportedOperationException. 
The TCK expects ForkJoinPool to function\nwith virtual factories — the worker threads are platform but the pool\nstill operates correctly.\n\n* Add CDI qualifier support for Concurrency 3.1 resource definitions\n\nRegister concurrency resources (ManagedExecutorService, ManagedScheduledExecutorService,\nManagedThreadFactory, ContextService) as CDI beans with qualifier support per\nConcurrency 3.1 spec Section 5.4.1.\n\n- ConcurrencyCDIExtension: CDI extension that observes AfterBeanDiscovery and creates\n  synthetic ApplicationScoped beans for resources with qualifiers. Also registers\n  default beans (@Default/@Any) for all four concurrency resource types.\n- AnnotationDeployer: Extract qualifiers() from @ManagedExecutorDefinition,\n  @ManagedScheduledExecutorDefinition, @ManagedThreadFactoryDefinition,\n  @ContextServiceDefinition annotations into JEE model objects.\n- Convert*Definitions: Pass Qualifiers as comma-separated Resource property.\n- OptimizedLoaderService: Register ConcurrencyCDIExtension alongside JMS2CDIExtension.\n\nTCK Web profile: 196/196 passing (0 failures, 0 errors).\n\n* Silently fall back to platform threads when virtual\u003dtrue on Java 17\n\nPer Concurrency 3.1 spec: \"When running on Java SE 17, the true value\nbehaves the same as the false value and results in platform threads\nbeing created rather than virtual threads.\"\n\nPreviously, virtual\u003dtrue unconditionally called VirtualThreadHelper\nmethods which throw UnsupportedOperationException on Java 17. Now\nchecks VirtualThreadHelper.isSupported() first and falls through to\nplatform thread creation when virtual threads are unavailable.\n\n* Fix InvocationContext reuse in scheduled async and add missing license headers\n\nReplace ctx.proceed() with direct Method.invoke() in scheduled async\nre-executions. InvocationContext\u0027s interceptor iterator is single-use,\nso re-calling proceed() would bypass TX/security interceptors after\nthe first scheduled execution. 
Context propagation is handled by\nContextService.enter/exit.\n\nAlso add Apache License headers to TCK resource files to fix RAT check.\n\n* Add regression test for scheduled async CDI interceptors\n\n* Route scheduled @Asynchronous through the interceptor stack\n\nRe-dispatch each scheduled firing through the CDI interceptor proxy so\nTX, security, and application interceptors run on every run. The prior\ncode called beanMethod.invoke(target, ...) directly and bypassed the\nchain; InvocationContext.proceed() cannot be reused because OWB\u0027s\nimplementation advances an index that never resets, so a second call\nfalls through to invoking the target method and skips every lower-\npriority interceptor.\n\nOWB coupling is isolated in ScheduledAsyncInvoker, which reuses the\nexisting OwbInterceptorProxy when the bean is normal-scoped and\notherwise builds a fresh interceptor proxy via\nInterceptorResolutionService.createProxiedInstance. Re-entry detection\nuses a precise (method, target) key, restored rather than cleared on\nexit so nested @Asynchronous calls on different methods or targets do\nnot collide.\n\nAlso routes scheduled firings to the executor named in\n@Asynchronous(executor\u003d...) via mses.getDelegate() rather than silently\nswitching to DefaultManagedScheduledExecutorService, so custom thread\nfactories, priorities, and virtual-thread settings take effect.\n\nAdds tests for interceptor ordering across firings and for routing the\nfiring thread to the requested executor vs. the default pool.\n\n* Honor virtual\u003dtrue on the default scheduled thread-factory path\n\nManagedScheduledExecutorServiceImplFactory used to resolve its thread\nfactory via ThreadFactories.findThreadFactory, which calls the no-arg\nManagedThreadFactoryImpl constructor reflectively. 
That constructor\nhard-codes virtual\u003dfalse, so @ManagedScheduledExecutorDefinition(\nvirtual\u003dtrue) was silently ignored unless the reflective lookup failed\nand the catch block instantiated the factory directly.\n\nShort-circuit the default class name to construct the factory with the\nconfigured virtual flag, matching the pattern already used in\nManagedExecutorServiceImplFactory. Adds regression tests asserting that\nvirtual\u003dtrue on the scheduled factory yields threads that do not\nimplement ManageableThread (per Concurrency 3.1 §3.4.4) and that the\ndefault path still produces platform threads.\n\n* Add declarative JRE gating for JUnit 4 tests\n\nIntroduces @EnabledForJreRange plus a small JreConditionRule so JUnit 4\ntests can declare a JRE feature-version range at the method level,\nmirroring the semantics of JUnit Jupiter\u0027s EnabledForJreRange. The rule\nreads the annotation from the test description and throws\nAssumptionViolatedException when the current JRE is outside the range,\nso Surefire reports out-of-range methods as skipped.\n\nMigrates VirtualThreadHelperTest off imperative Assume.assumeTrue /\nAssume.assumeFalse calls: Java 21+ cases use @EnabledForJreRange(min\u003d21),\nthe UnsupportedOperationException cases use @EnabledForJreRange(max\u003d20).\n\n* Add regression test for scheduled async maxAsync isolation\n\nMirrors the failing TCK scenario ManagedScheduledExecutorDefinitionWebTests.\ntestScheduledAsynchIgnoresMaxAsync in-process via ApplicationComposer: a\ncustom ManagedScheduledExecutorService with maxAsync\u003d1 is saturated with a\nblocking submit, then an @Asynchronous(runAt\u003d@Schedule) method targeting\nthat executor is invoked. 
Per Concurrency 3.1 the scheduled firing must not\nbe subject to maxAsync, but after routing scheduled firings onto\nmses.getDelegate() the firing is queued behind the saturating task because\nthe delegate\u0027s ScheduledThreadPoolExecutor has corePoolSize \u003d maxAsync.\n\n* Isolate scheduled @Asynchronous firings from maxAsync\n\nAdd a secondary ScheduledExecutorService to every\nManagedScheduledExecutorServiceImpl, dedicated to dispatching\n@Asynchronous(runAt\u003d@Schedule(...)) firings. The secondary pool shares\nthe primary\u0027s ManagedThreadFactory (preserving naming, virtual flag,\npriority, and context) but is sized independently via a new\nScheduledAsyncCore resource property (default 5). The interceptor now\ntriggers on the secondary pool, so scheduled firings are no longer\nthrottled by the primary pool\u0027s corePoolSize\u003dmaxAsync limit — satisfying\nConcurrency 3.1 §3.1 \"Scheduled asynchronous methods are treated similar\nto other scheduled tasks in that they are not subject to max-async\nconstraints\" without losing the clause from PR #2577 review that firings\nmust run on the executor named in @Asynchronous(executor\u003d).\n\nThe plain-MES fallback wrapper borrows the default MSES\u0027s secondary so\nshort-lived per-invocation wrappers do not leak a fresh pool each time;\nan ownership flag on the 4-arg constructor controls which pools\ndestroyResource() shuts down.\n\nAlso fix a pre-existing race in CUTriggerScheduledFuture: cancel() can\nrace ahead of the recursive scheduleNextRun(), leaving futureRef\npointing at the just-completed execution so the underlying future\nreports done rather than cancelled. 
isCancelled() now falls back to the\nTriggerTask\u0027s cancelled flag.\n\nTests:\n- ScheduledAsyncCustomFactoryTest — scheduled firing runs on a\n  ManageableThread from the custom MSES\u0027s factory, not the primary pool.\n- ManagedScheduledExecutorSecondaryPoolLifecycleTest — owned secondary\n  is shut down on destroyResource(); borrowed secondary is not.\n\nTCK Web profile back to 196/0/0/14.\n\n* Respect DD values when merging concurrency resource annotations\n\nAnnotationDeployer#buildManaged{Executor,ScheduledExecutor,ThreadFactory}Definition\nwas unconditionally overwriting deployment-descriptor values (name,\ncontext, hungTaskThreshold, maxAsync, virtual, priority) with annotation\nvalues whenever both sources shared a resource name. That violates the\nJakarta EE platform DD-wins rule (§EE.5.2.5); only qualifier was guarded.\n\nGuard every field assignment with a null check, mirroring the existing\nbuildContextServiceDefinition pattern, so DD values are preserved and the\nannotation only fills attributes the descriptor left unset.\n\n---------\n\nCo-authored-by: Markus Jung \u003cjungm@apache.org\u003e"
    },
    {
      "commit": "f14737ea767bcb472219b6c5530c319fdbae8219",
      "tree": "190c6c6fab7b770485b78f6762c15fd697da1323",
      "parents": [
        "ecf01542e9d984f9ac286b1df3b2698337e82235"
      ],
      "author": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Wed Apr 22 13:49:49 2026 +0200"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Wed Apr 22 13:49:49 2026 +0200"
      },
      "message": "TOMEE-4602 - Bouncycastle use jdk18on artifacts instead of jdk15to18\n"
    },
    {
      "commit": "ecf01542e9d984f9ac286b1df3b2698337e82235",
      "tree": "c887a088061971a0c78dcfbe59698419b970efb4",
      "parents": [
        "18c24fc9eb81a547413599836e6b81d25da42e54"
      ],
      "author": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Tue Apr 21 20:16:39 2026 +0200"
      },
      "committer": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Tue Apr 21 20:16:39 2026 +0200"
      },
      "message": "Make JakartaDataNoGeneratedImplTest portable across JPA providers\n\nAdd standard jakarta.persistence.schema-generation.database.action\u003dcreate\nalongside the existing OpenJPA SynchronizeMappings property so the\nSimpleItem schema is generated under EclipseLink (plume) as well as\nOpenJPA (webprofile).\n"
    },
    {
      "commit": "18c24fc9eb81a547413599836e6b81d25da42e54",
      "tree": "afbb053e57261c51ca261bdb83a84da295541f2c",
      "parents": [
        "9da3d2558cb1ee74719729f3d2ce555b3beccbf3"
      ],
      "author": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Tue Apr 21 12:56:37 2026 +0200"
      },
      "committer": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Tue Apr 21 12:56:37 2026 +0200"
      },
      "message": "Restore cross-BDA injection fallback for WAR inside EAR\n\nTOMEE-4600 removed the openejb.cache.cdi-type-resolution-failure feature and,\nas collateral, also deleted WebAppInjectionResolver and its installation in\nWebappBeanManager. That resolver\u0027s fallback allowed a WAR\u0027s BeanManager to\nresolve beans declared in its parent EAR\u0027s library jars, which OWB\u0027s stock\nInjectionResolver does not do. Without it, CdiParentBeanTest fails with\nUnsatisfiedResolutionException for @Inject references from WAR code to\nEAR-lib CDI beans.\n\nReintroduce a minimal WebAppInjectionResolver that only contains the\ncross-BDA fallback (the cache-resolution-failure infrastructure stays\nremoved) and reinstall it from the WebappBeanManager constructor.\n"
    },
    {
      "commit": "9da3d2558cb1ee74719729f3d2ce555b3beccbf3",
      "tree": "4f3bf24a7dc20f5c06b6ed69fac8c5abfb13410d",
      "parents": [
        "b021f32ec257ccc969960958f854475a59e4d1d3"
      ],
      "author": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Tue Apr 21 11:48:08 2026 +0200"
      },
      "committer": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Tue Apr 21 11:48:32 2026 +0200"
      },
      "message": "Fix websocket-tls-basic-auth example test to pass SSLContext via ClientEndpointConfig\n\nTomcat 11\u0027s WsWebSocketContainer reads jakarta.websocket.ClientEndpointConfig#getSSLContext()\ndirectly and no longer honours the legacy org.apache.tomcat.websocket.SSL_TRUSTSTORE /\nSSL_TRUSTSTORE_PWD user-properties, so the test was falling back to the JDK default\ntruststore and failing the handshake against the example\u0027s self-signed cert. Build an\nSSLContext from the bundled keystore.jks and set it via\nClientEndpointConfig.Builder#sslContext(..).\n"
    },
    {
      "commit": "b021f32ec257ccc969960958f854475a59e4d1d3",
      "tree": "94c341912fbe761bea98fbea74d2c483254bca09",
      "parents": [
        "3bc27be9fee5049f40fef2f8de5cabd71c3e7c53"
      ],
      "author": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Tue Apr 21 11:47:57 2026 +0200"
      },
      "committer": {
        "name": "Richard Zowalla",
        "email": "rzo1@apache.org",
        "time": "Tue Apr 21 11:48:32 2026 +0200"
      },
      "message": "Register tomee-remote and tomee-remote-secpol Arquillian containers for Jakarta Data tests\n\nUnder -Pall-adapters the arquillian-tomee-tests parent POM runs four Surefire\nexecutions (embedded, tomee-remote, tomee-remote-secpol, tomee-remote-plume).\nThe data-tests arquillian.xml only declared tomee-embedded, so the three\nremote launches failed at init with \u0027No container or group found that match\ngiven qualifier\u0027. Add the missing qualifiers following the config-tests\npattern; tomee-remote-plume reuses the tomee-remote qualifier.\n"
    },
    {
      "commit": "3bc27be9fee5049f40fef2f8de5cabd71c3e7c53",
      "tree": "75a7e3bbc218bd45542126d7d200e3d879caa664",
      "parents": [
        "f07d233d7ab9c0b0092db94305cbdd09060cc568"
      ],
      "author": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Mon Apr 20 08:20:15 2026 +0200"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Mon Apr 20 08:20:15 2026 +0200"
      },
      "message": "TOMEE-4601 - Bouncycastle 1.84\n"
    },
    {
      "commit": "f07d233d7ab9c0b0092db94305cbdd09060cc568",
      "tree": "54a8ffafa094e0f8db6a0782b0014be23a2c7ed9",
      "parents": [
        "19991826346c8a3a8235afd46f14f62aea0b6d2f"
      ],
      "author": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Sun Apr 19 20:25:10 2026 +0200"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Sun Apr 19 20:25:10 2026 +0200"
      },
      "message": "TOMEE-4601 - Bouncycastle 1.84\n"
    },
    {
      "commit": "19991826346c8a3a8235afd46f14f62aea0b6d2f",
      "tree": "b745172aeadf047247ddb1cbc79c58204cfc390f",
      "parents": [
        "32efa5d2f2888572d8b788338e980a5301d8e8ea"
      ],
      "author": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Sun Apr 19 20:24:24 2026 +0200"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Sun Apr 19 20:24:24 2026 +0200"
      },
      "message": "remove unused dependency\n"
    },
    {
      "commit": "32efa5d2f2888572d8b788338e980a5301d8e8ea",
      "tree": "820f82c4f46c254c9306f5dcb8e43d823fa869ff",
      "parents": [
        "38a5b7ffeb2a0c6358b733568c240002bba4fe32"
      ],
      "author": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Thu Apr 16 07:55:38 2026 +0200"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "mail@markus-jung.dev",
        "time": "Sun Apr 19 17:41:47 2026 +0200"
      },
      "message": "TOMEE-4600 - remove openejb.cache.cdi-type-resolution-failure\n"
    },
    {
      "commit": "38a5b7ffeb2a0c6358b733568c240002bba4fe32",
      "tree": "fd59e98ac2021eda7da4c381b2ab56968922c107",
      "parents": [
        "2c0a66a3c3d27646bc136675763bee8754188471"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Sun Apr 19 17:39:30 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Sun Apr 19 17:39:30 2026 +0200"
      },
      "message": "TOMEE-4601 - Bouncycastle 1.84\n\n* Bump org.bouncycastle:bcprov-jdk15to18 in /server/openejb-cxf\n\nBumps [org.bouncycastle:bcprov-jdk15to18](https://github.com/bcgit/bc-java) from 1.83 to 1.84.\n- [Changelog](https://github.com/bcgit/bc-java/blob/main/docs/releasenotes.html)\n- [Commits](https://github.com/bcgit/bc-java/commits)\n\n---\nupdated-dependencies:\n- dependency-name: org.bouncycastle:bcprov-jdk15to18\n  dependency-version: \u00271.84\u0027\n  dependency-type: direct:production\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\n\n* Bump bouncycastle to 1.84\n\n---------\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e\nCo-authored-by: Markus Jung \u003cjungm@apache.org\u003e"
    },
    {
      "commit": "2c0a66a3c3d27646bc136675763bee8754188471",
      "tree": "755622cfeb4c77331ce0104efefc6fcaeb22496e",
      "parents": [
        "3429233a1ccd5063016d9d0c4245a7e7069ea384"
      ],
      "author": {
        "name": "Richard Zowalla",
        "email": "13417392+rzo1@users.noreply.github.com",
        "time": "Fri Apr 17 08:17:30 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri Apr 17 08:17:30 2026 +0200"
      },
      "message": "Security 4.0 - TCK Setup (#2579)"
    },
    {
      "commit": "3429233a1ccd5063016d9d0c4245a7e7069ea384",
      "tree": "2ca6348a08289d5303c4e84dec21bc7ce046c014",
      "parents": [
        "85f405ad2d123a0c59ebda45f9ca877aafa4b2ca"
      ],
      "author": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Thu Apr 16 07:48:33 2026 +0200"
      },
      "committer": {
        "name": "Markus Jung",
        "email": "jungm@apache.org",
        "time": "Thu Apr 16 07:48:33 2026 +0200"
      },
      "message": "OWB remove explicit enabling of conversation support (OWB-1074)\n"
    }
  ],
  "next": "85f405ad2d123a0c59ebda45f9ca877aafa4b2ca"
}
