
⬆️ Bump org.http4k:http4k-bom from 6.48.0.0 to 6.51.0.0 in /backend#1232

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/gradle/backend/org.http4k-http4k-bom-6.51.0.0

Conversation


@dependabot dependabot Bot commented on behalf of github Jun 3, 2026

Contributor

Bumps org.http4k:http4k-bom from 6.48.0.0 to 6.51.0.0.

Release notes

Sourced from org.http4k:http4k-bom's releases.

6.51.0.0

Changelog:

  • http4k-*: Upgrade versions
  • http4k-server-netty: [Unlikely Break] Add websocket heartbeat monitor. H/T @​oharaandrew314
  • http4k-security-digest: [Unlikely Break] DigestAuthReceiver to generate challenge response with correct URI. H/T @​oharaandrew314
  • http4k-core: Adds a maxDecompressedSize: Long parameter to RequestFilters.GunZip, ResponseFilters.GunZip, ServerFilters.GZip, ServerFilters.GZipContentTypes, ClientFilters.GZip, ClientFilters.AcceptGZip, and the underlying Body.gunzippedStream.

6.50.0.0

Changelog:

  • http4k-template-pug4j: [Unlikely break] Pug4jTemplates.HotReload now canonicalizes the resolved template path against baseTemplateDir and rejects any ViewModel.template() that escapes the base.
  • http4k-security-digest: [Unlikely break] DigestAuthProvider.verify now also rejects credentials whose uri parameter does not match the actual request URL.
  • http4k-ai-mcp-*: [Unlikely Break] MCP session and message IDs now derive from SecureRandom by default.
  • http4k-security-oauth: [Unlikely break] OAuth server now persists a nonce for any openid scope (previously only CodeIdToken) and validateNonceAfterToken fail-closes when the token-endpoint id_token is missing or its nonce mismatches.
  • http4k-format-xml: [Unlikely break] defaultXmlParsingConfig now sets disallow-doctype-decl and FEATURE_SECURE_PROCESSING, so Body.xml()/asXmlDocument() reject any document with a <!DOCTYPE>.
  • http4k-webhook: [Unlikely break] ServerFilters.VerifyWebhookSignature now also rejects messages whose webhook-timestamp is more than tolerance away from clock.instant() (default tolerance 5.minutes, clock Clock.systemUTC()), per the Standard Webhooks scheme. Captures of valid webhooks can no longer be replayed indefinitely. Pass a Clock.fixed(...) to control timing in tests.
  • http4k-multipart: [Unlikely break] MultipartFormBody.from, multipartIterator() and Body.multipartForm(...) cap the body at 10MB and 1000 parts by default. Pass maxStreamLength/maxPartCount to override.
  • http4k-serverless-lambda: [Unlikely break] Single-value headers from API Gateway/ALB events are no longer split on commas; values that legitimately contain commas (e.g. X-Forwarded-For: client, proxy1, proxy2) now reach the handler intact. True multi-values continue to flow via multiValueHeaders.
  • http4k-connect-github: [Fix] Header.X_HUB_SIGNATURE_256 lens no longer crashes on an X-Hub-Signature-256 header missing the sha256= prefix; VerifyGitHubSignatureSha256 now returns 401 for malformed signatures instead of 500.
  • http4k-ai-llm-azure: [Fix] AzureClient now attaches the API key as an outbound Authorization: Bearer header (was wired to the inbound ServerFilters.BearerAuth checker).
  • http4k-config: [Fix] Secret.toString() and Secret.hashCode() no longer expose a stable hash of the plaintext (was Secret(hashcode = <Arrays.hashCode-of-plaintext>)); Secret.equals returns false for non-Secret inputs instead of throwing ClassCastException.
  • http4k-multipart: [Fix] A multipart part whose first header line begins with whitespace (a folded-header continuation with nothing to continue) now raises a ParseError instead of crashing with NullPointerException.
  • http4k-ops-opentelemetry: [Fix] OpenTelemetry tracing strips user:pass@ userInfo from request URIs before writing them to span attributes (url.full, legacy http.url) and the default span name, so basic-auth-in-URL credentials no longer reach the tracing backend.
  • http4k-security-oauth: [Fix] Server-side PKCE is now enforced — code_challenge is stored at authorize and an S256 code_verifier is required at token. code_challenge_method=plain is rejected per RFC 7636 §7.2.
  • http4k-security-oauth: [Fix] Post-callback redirect strips scheme/authority and collapses leading / and \ runs, neutralizing open-redirects of the form //evil.com and /\evil.com.
  • http4k-security-oauth: [Fix] AuthRequest is re-validated at AuthenticationComplete; CSRF/nonce compare is null/blank-safe; several redirectUri!! NPEs replaced with typed InvalidAuthorizationRequest.
  • http4k-security-oauth: Adds opt-in requirePkce: Boolean = false on OAuthServer. When true, every authorize/token exchange must use PKCE (recommended per RFC 9700).
  • http4k-security-oauth: [Fix] AuthServerDiscovery rejects a scheme-less resource pointing at root.
  • http4k-security-oauth: requirePkce is exposed on the underlying GenerateAccessToken / GenerateAccessTokenForGrantType / AuthorizationCodeAccessTokenGenerator, mitigating potential PKCE downgrade.
  • http4k-security-digest: [Fix] DigestAuthProvider.verify now hashes with the configured algorithm instead of hardcoded MD5.
  • http4k-*: Secret-bearing value types are now hidden() so their raw value no longer surfaces in toString().

6.49.0.0

Changelog:

  • http4k-*: Upgrade versions
  • http4k-core: [Break] reverseProxy()/reverseProxyRouting() now default to Exact host matching instead of Contains, so a request Host header that merely contains a configured virtual host (e.g. host1.evil.com for vhost host1) no longer routes to it. Pass matcher = Contains to opt back into substring matching.
  • http4k-core: [Unlikely break] ExecutorService.withRequestTracing() applies a defaultTimeout (60s by default, configurable) to the untimed invokeAll/invokeAny so a slow or dead task can no longer pin pool threads indefinitely. No code change needed; only affects callers whose tasks legitimately ran longer than default.
  • http4k-core: [Unlikely break] Header.AUTHORIZATION_BASIC / Request.basicAuthentication() now return null for any malformed Basic credentials (wrong scheme, invalid base64, or no colon in the decoded value) instead of manufacturing Credentials("", ""). Lets callers reliably distinguish absent/invalid credentials from genuinely empty ones.
  • http4k-server-netty: [Unlikely break] Cap aggregated request body size at 10MB (was unbounded ~2GB) to prevent OOM; oversized requests now get a 413 Request Entity Too Large. Duplicate and modify the Netty class if you need a different limit.
  • http4k-core: [Unlikely break] Cap GZip decompression at 10MB (was unbounded) to prevent possible OOM; oversized requests through ServerFilters.GZip/RequestFilters.GunZip now get a 413 Request Entity Too Large, and decompressing elsewhere throws SizeLimitExceededException. Duplicate and modify the Gzip functions if you need a different limit.
  • http4k-core: [Unlikely break] ServerFilters.Cors no longer emits the spec-invalid Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true.
  • http4k-core: [Fix] bearerToken() extracts the token for any casing of the Bearer scheme (e.g. BEARER), instead of returning the raw header value.
  • http4k-core: [Fix] Improve safe path parsing in ResourceLoader.Classpath
  • http4k-core: [Deprecation] Add Sha256 (with hash and hmac) and deprecate HmacSha256, whose hash was misleadingly unkeyed SHA-256. Replace HmacSha256.hash/hmacSHA256 with Sha256.hash/Sha256.hmac.
  • http4k-connect-openfeature: [New module] Standard OpenFeature Remote Evaluation Protocol client
  • http4k-connect-openfeature-fake: [New module] Fake to setup and evaluate OpenFeature flags
  • http4k-ops-openfeature: [New module] Support for plugging OpenFeature into request chain, including typesafe lenses for extracting flags from principal and context during request processing.
  • http4k-bridge-vertx: Stream request and response bodies instead of buffering.
  • http4k-bridge-ratpack: Stream request and response bodies instead of buffering.
Changelog

Sourced from org.http4k:http4k-bom's changelog.
Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
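The replay window that the 6.50.0.0 notes add to ServerFilters.VerifyWebhookSignature (http4k-webhook), the 401-rather-than-500 handling of a malformed signature header (http4k-connect-github), and the keyed-versus-unkeyed SHA-256 distinction behind the HmacSha256 deprecation in 6.49.0.0, shown together as an added Python example. This is not http4k code and is not part of this PR: the secret, message ID, payload and send time are constructed, the header names and the `v1,` + base64(HMAC-SHA256(id.timestamp.payload)) format follow the Standard Webhooks scheme, and the five-minute tolerance is the default the notes mention.

```python
"""Standard Webhooks verification with a replay window (added example, not http4k code)."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

TOLERANCE = timedelta(minutes=5)  # the default tolerance named in the 6.50.0.0 notes


class WebhookRejected(Exception):
    """Any rejection maps to a 401 at the HTTP layer; the body is never dispatched."""


def sign(secret: bytes, msg_id: str, timestamp: int, payload: bytes) -> str:
    """Standard Webhooks signature: 'v1,' + base64(HMAC-SHA256(id.timestamp.payload)).

    The key matters: an unkeyed SHA-256 over the same bytes (what the deprecated
    HmacSha256.hash in the 6.49.0.0 notes computed) could be forged by anyone.
    """
    signed_content = f"{msg_id}.{timestamp}.".encode() + payload
    mac = hmac.new(secret, signed_content, hashlib.sha256).digest()
    return "v1," + base64.b64encode(mac).decode()


def verify(secret: bytes, headers: dict, payload: bytes, now: datetime) -> None:
    """Raise WebhookRejected unless the message is well-formed, fresh and signed."""
    try:
        msg_id = headers["webhook-id"]
        ts = int(headers["webhook-timestamp"])
        candidates = headers["webhook-signature"].split()
    except (KeyError, ValueError):
        raise WebhookRejected("missing or malformed webhook header") from None  # 401, not 500
    sent = datetime.fromtimestamp(ts, tz=timezone.utc)
    if abs(now - sent) > TOLERANCE:
        raise WebhookRejected("timestamp outside tolerance")
    expected = sign(secret, msg_id, ts, payload)
    # The header may list several space-separated signatures during key rotation.
    for candidate in candidates:
        if candidate.startswith("v1,") and hmac.compare_digest(candidate, expected):
            return
    raise WebhookRejected("no valid signature")


def check(secret: bytes, headers: dict, payload: bytes, now: datetime) -> str:
    """Convenience wrapper returning 'accepted' or the rejection reason."""
    try:
        verify(secret, headers, payload, now)
        return "accepted"
    except WebhookRejected as e:
        return str(e)


# Constructed sample: a secret and one captured delivery, signed at SENT_AT.
SECRET = b"whsec_example_secret"
PAYLOAD = b'{"type":"order.paid","id":"ord_42"}'
SENT_AT = datetime(2026, 6, 3, 12, 0, 0, tzinfo=timezone.utc)
_TS = int(SENT_AT.timestamp())
CAPTURE = {
    "webhook-id": "msg_2Y8K1p",
    "webhook-timestamp": str(_TS),
    "webhook-signature": sign(SECRET, "msg_2Y8K1p", _TS, PAYLOAD),
}


def scenarios() -> dict:
    """Replay the same capture under the conditions the notes describe."""
    return {
        "fresh": check(SECRET, CAPTURE, PAYLOAD, SENT_AT + timedelta(seconds=30)),
        "replayed_later": check(SECRET, CAPTURE, PAYLOAD, SENT_AT + timedelta(hours=2)),
        "tampered_body": check(SECRET, CAPTURE, PAYLOAD + b" ", SENT_AT),
        "malformed_header": check(
            SECRET, {**CAPTURE, "webhook-timestamp": "not-a-number"}, PAYLOAD, SENT_AT),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Without the timestamp comparison the "replayed_later" case would be accepted forever, which is exactly the indefinite replay the notes close; injecting `now` (the equivalent of passing a `Clock.fixed(...)`) is what makes the window testable.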

Bumps [org.http4k:http4k-bom](https://github.com/http4k/http4k) from 6.48.0.0 to 6.51.0.0.
- [Release notes](https://github.com/http4k/http4k/releases)
- [Changelog](https://github.com/http4k/http4k/blob/master/CHANGELOG.md)
- [Commits](http4k/http4k@6.48.0.0...6.51.0.0)

---
updated-dependencies:
- dependency-name: org.http4k:http4k-bom
  dependency-version: 6.51.0.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
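The decompression cap from the 6.49.0.0 notes (http4k-core: GZip inflation limited to 10MB, a 413 for oversized requests, SizeLimitExceededException elsewhere) and the maxDecompressedSize parameter that 6.51.0.0 exposes on the GZip filters, as an added Python example rather than http4k code. The exception class name echoes the notes but is defined here; the 32 MiB run of zeros is a constructed decompression bomb, and the 10MB default mirrors the one the notes state.

```python
"""Capped gunzip: inflate a body but stop at a maximum decompressed size (added example)."""
import gzip
import zlib


class SizeLimitExceededException(Exception):
    """Raised when the inflated body would pass the cap; a server maps it to 413."""


def gunzip_capped(data: bytes, max_decompressed_size: int) -> bytes:
    """Inflate gzip bytes without ever holding more than max_decompressed_size + 1 bytes.

    gzip.decompress(data) materialises the whole output before any caller can
    check its size, so a few kilobytes of compressed zeros can allocate gigabytes.
    zlib's max_length argument stops inflation as soon as the budget is spent.
    """
    inflater = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # +16: expect a gzip header
    out = bytearray()
    pending = data
    while pending:
        budget = max_decompressed_size - len(out)
        # Ask for one byte beyond the budget: receiving it proves the cap is exceeded.
        out += inflater.decompress(pending, budget + 1)
        if len(out) > max_decompressed_size:
            raise SizeLimitExceededException(
                f"decompressed size exceeds {max_decompressed_size} bytes")
        pending = inflater.unconsumed_tail
    out += inflater.flush()
    if len(out) > max_decompressed_size:
        raise SizeLimitExceededException(
            f"decompressed size exceeds {max_decompressed_size} bytes")
    if not inflater.eof:
        raise ValueError("truncated gzip stream")
    return bytes(out)


def handle_gzipped_request(body: bytes, max_decompressed_size: int = 10 * 1024 * 1024) -> int:
    """Mirror the filter's outcome: 200 if the body inflates within the cap, else 413."""
    try:
        gunzip_capped(body, max_decompressed_size)
        return 200
    except SizeLimitExceededException:
        return 413


# Constructed inputs: a normal JSON body and 32 MiB of zeros, which gzip shrinks
# to a few tens of kilobytes (a small decompression bomb).
NORMAL_BODY = gzip.compress(b'{"ok":true}')
BOMB_BODY = gzip.compress(b"\0" * (32 * 1024 * 1024))


def demo() -> dict:
    """Show the cap rejecting the bomb, and a raised cap (the new parameter) admitting it."""
    return {
        "bomb_compressed_bytes": len(BOMB_BODY),
        "normal_status": handle_gzipped_request(NORMAL_BODY),
        "bomb_status": handle_gzipped_request(BOMB_BODY),
        "bomb_with_raised_cap": handle_gzipped_request(BOMB_BODY, 64 * 1024 * 1024),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The budget-plus-one trick is the whole point: the check runs on the amount already inflated, not on a Content-Length the sender controls, and the loop never lets the decompressor produce more than one byte past the limit before raising.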
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Jun 3, 2026
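The server-side PKCE enforcement described in the 6.50.0.0 notes (http4k-security-oauth: code_challenge stored at authorize, an S256 code_verifier required at token, plain rejected, and the opt-in requirePkce flag), as an added Python example that is not http4k code. The AuthServer class, its method names and the InvalidAuthorizationRequest name are illustrative; the S256 transform is the one RFC 7636 defines, and the verifier length bounds (43 to 128 characters) come from the same RFC.

```python
"""Authorization-code flow with server-side PKCE enforcement (added example, not http4k code)."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class InvalidAuthorizationRequest(Exception):
    """Typed rejection: the HTTP layer turns this into a 400 instead of a 500."""


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthServer:
    """Binds the challenge to the code at /authorize and demands the verifier at /token."""

    def __init__(self, require_pkce: bool = False):
        self.require_pkce = require_pkce
        self._codes: Dict[str, Tuple[str, str, Optional[str]]] = {}

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: Optional[str] = None,
                  code_challenge_method: Optional[str] = None) -> str:
        if code_challenge is None:
            if self.require_pkce:
                raise InvalidAuthorizationRequest("code_challenge required")
        elif code_challenge_method != "S256":
            # 'plain' (also what a missing method defaults to in RFC 7636) is refused.
            raise InvalidAuthorizationRequest("code_challenge_method must be S256")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, code: str, client_id: str, redirect_uri: str,
              code_verifier: Optional[str] = None) -> str:
        record = self._codes.pop(code, None)  # single use: a replayed code is unknown
        if record is None:
            raise InvalidAuthorizationRequest("unknown or used code")
        bound_client, bound_redirect, challenge = record
        if (client_id, redirect_uri) != (bound_client, bound_redirect):
            raise InvalidAuthorizationRequest("client or redirect_uri mismatch")
        if challenge is None:
            if self.require_pkce:
                raise InvalidAuthorizationRequest("PKCE required")
            return "at_" + secrets.token_urlsafe(16)
        # Downgrade defence: a challenge was bound at authorize, so the verifier is
        # mandatory now, whatever the client omits at the token endpoint.
        if code_verifier is None or not 43 <= len(code_verifier) <= 128:
            raise InvalidAuthorizationRequest("code_verifier missing or malformed")
        if not hmac.compare_digest(s256_challenge(code_verifier), challenge):
            raise InvalidAuthorizationRequest("code_verifier does not match")
        return "at_" + secrets.token_urlsafe(16)


def outcome(fn, *args, **kwargs) -> str:
    try:
        fn(*args, **kwargs)
        return "ok"
    except InvalidAuthorizationRequest as e:
        return str(e)


def scenarios() -> dict:
    """Honest client, an attacker holding an intercepted code, and the two refusals."""
    client, redirect = "app", "https://app.example/cb"
    verifier = secrets.token_urlsafe(48)  # 64 characters, inside the RFC 7636 bounds
    server = AuthServer()
    good = server.authorize(client, redirect, s256_challenge(verifier), "S256")
    stolen = server.authorize(client, redirect, s256_challenge(verifier), "S256")
    strict = AuthServer(require_pkce=True)
    return {
        "honest_client": outcome(server.token, good, client, redirect, verifier),
        "stolen_code_no_verifier": outcome(server.token, stolen, client, redirect),
        "plain_method": outcome(server.authorize, client, redirect, verifier, "plain"),
        "require_pkce_without_challenge": outcome(strict.authorize, client, redirect),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The stolen-code case is the one the fix targets: before the challenge was persisted server-side, an attacker who intercepted the authorization code could redeem it without ever knowing the verifier. Storing the challenge at authorize turns the verifier check into a property of the code itself rather than something the token request can negotiate away.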

dependabot Bot commented on behalf of github Jun 4, 2026

Contributor Author

Superseded by #1239.

@dependabot dependabot Bot closed this Jun 4, 2026
@dependabot dependabot Bot deleted the dependabot/gradle/backend/org.http4k-http4k-bom-6.51.0.0 branch June 4, 2026 20:23
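Four of the parsing and normalisation hardenings from the notes above, as one added Python example rather than http4k code: the post-callback redirect sanitiser that strips scheme and authority and collapses leading `/` and `\` runs (http4k-security-oauth, 6.50.0.0), Exact versus Contains virtual-host matching for the reverse proxy (http4k-core, 6.49.0.0), Basic credentials parsing that returns nothing for malformed input instead of empty credentials, and case-insensitive Bearer scheme extraction (both http4k-core, 6.49.0.0). Function names and the adversarial inputs are constructed for the example; the behaviours are the ones the notes describe.

```python
"""Redirect-target and header hardening from the 6.49/6.50 notes (added example, not http4k code)."""
import base64
import binascii
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def safe_local_redirect(target: str) -> str:
    """Force a post-callback redirect onto a local path.

    Absolute URLs lose scheme and authority; backslashes become slashes (browsers
    treat them alike) and the leading slash run collapses, so //evil.com and
    /\\evil.com both end up as the harmless local path /evil.com.
    """
    if _SCHEME.match(target):
        parts = urlsplit(target)
        target = parts.path + ("?" + parts.query if parts.query else "")
    target = target.replace("\\", "/")
    return "/" + target.lstrip("/")


def host_matches(request_host: str, vhost: str, exact: bool = True) -> bool:
    """Virtual-host routing: Exact compares the whole hostname, Contains substring-matches.

    With Contains, Host: host1.evil.com routes to the vhost 'host1'. Port is dropped;
    IPv6 literals are not handled here.
    """
    host = request_host.split(":", 1)[0].lower()
    return host == vhost.lower() if exact else vhost.lower() in host


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) for a well-formed Basic header, else None.

    Returning None (not ("", "")) for a wrong scheme, bad base64 or a missing colon
    lets the caller tell 'absent or invalid credentials' from 'genuinely empty ones'.
    """
    if not header:
        return None
    scheme, _, encoded = header.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded.strip():
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, colon, password = decoded.partition(":")
    return (user, password) if colon else None


def bearer_token(header: Optional[str]) -> Optional[str]:
    """Extract the token for any casing of the Bearer scheme (Bearer, bearer, BEARER)."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


if __name__ == "__main__":
    for probe in ("//evil.com/acct", "/\\evil.com", "https://evil.com/x?y=1", "/account"):
        print(f"{probe!r:28} -> {safe_local_redirect(probe)}")
    print("Contains:", host_matches("host1.evil.com", "host1", exact=False))
    print("Exact:   ", host_matches("host1.evil.com", "host1"))
    print(parse_basic_auth("Basic dXNlcjpwYXNz"), parse_basic_auth("Basic Og=="),
          parse_basic_auth("Basic dXNlcg=="), bearer_token("BEARER abc.def"))
```

The `Basic Og==` case is why the None return matters: it decodes to a lone colon, which is a genuinely empty username and password, and a caller can now distinguish that from the malformed `Basic dXNlcg==` (no colon at all) instead of seeing `("", "")` for both.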
Labels

dependencies Pull requests that update a dependency file java Pull requests that update Java code

1 participant