
⬆️ Bump org.http4k:http4k-bom from 6.48.0.0 to 6.52.0.0 in /backend #1239

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/gradle/backend/org.http4k-http4k-bom-6.52.0.0



dependabot Bot commented on behalf of github Jun 4, 2026


Bumps org.http4k:http4k-bom from 6.48.0.0 to 6.52.0.0.

Release notes

Sourced from org.http4k:http4k-bom's releases.

6.52.0.0

Changelog:

  • http4k-security-digest: [Break] ServerFilters.DigestAuth and DigestAuthProvider now can have a DigestAlgorithm enum (MD5 / SHA_256).
  • http4k-ai-a2a-sdk: [Unlikely Break] PushNotificationSender.Http now takes a PushNotificationUrlPolicy.
  • http4k-ai-mcp-client: [Unlikely Break] DiscoveredMcpOAuth rejects cross-origin resource_metadata and the legacy auth_server directive from WWW-Authenticate; discovery now falls through to .well-known/oauth-protected-resource at the resource origin.
  • http4k-ai-mcp-x402: [Unlikely Break] X402ToolFilter and McpFilters.X402PaymentRequired now take a SettlementMode.
  • http4k-api-jsonrpc: [Unlikely Break] RoutingJsonRpcHandler now caps batch requests at 100 elements; oversized batches are rejected with a single Invalid Request error instead of being processed.
  • http4k-bridge-micronaut: [Unlikely Break] HttpRequest.asHttp4k() returns null for an unrecognised HTTP method (was IllegalArgumentException); the fallback controller responds with 501 Not Implemented in that case.
  • http4k-connect-storage-core: [Unlikely Break] Storage.Disk now canonicalises and containment-checks the key parameter on get/set/remove; keys whose resolved path escapes the configured directory are silently treated as missing.
  • http4k-connect-storage-http: [Unlikely Break] Storage.Http now URL-encodes the key before interpolating it into the request path.
  • http4k-connect-storage-jdbc: [Fix] Storage.Jdbc now escapes LIKE metacharacters (%, _, \) in keyPrefix, so keySet("%")/removeAll("%") no longer over-match. Implemented via Exposed's LikePattern.ofLiteral.
  • http4k-connect-storage-redis: [Fix] Storage.Redis now escapes glob metacharacters (*, ?, [, ], \) in keyPrefix, so keySet("*")/removeAll("*") no longer over-match.
  • http4k-multipart: [Unlikely Break] Disk-spilled multipart parts (via DiskLocation.Temp/Permanent) are created with owner-only POSIX permissions where the underlying filesystem supports them.
  • http4k-realtime-core: [Unlikely Break] InputStream.chunkedSseSequence() now caps the in-progress message buffer (10 MB by default).
  • http4k-security-oauth: [Unlikely Break] AuthServerDiscovery.fromProtectedResource now requires the metadata resource to match the expected resource at a path-segment boundary,
  • http4k-server-jetty: [Unlikely Break] WebSocket message aggregation is now capped at 10 MB.
  • http4k-server-jetty*: [Unlikely Break] SSE event name and id are now CR/LF-stripped before being written to the wire (matching SseMessage.Event.toMessage()).
  • http4k-server-jetty11: [Unlikely Break] WebSocket message aggregation is now capped at 10 MB.
  • http4k-server-netty: [Unlikely Break] WebSocket message aggregation is now capped at 10 MB.
  • http4k-server-undertow: [Unlikely Break] Default Undertow builder now caps request bodies at 10 MB.
  • http4k-serverless-lambda: [Unlikely Break] ApiGatewayV1, ApplicationLoadBalancer, and ApiGatewayRest response adapters now also emit multiValueHeaders, preserving duplicate response headers (e.g. multiple Set-Cookie).
  • http4k-webhook: [Unlikely Break] HmacSha256.Signer rejects a WebhookId containing the signing delimiter .; HmacSha256.Verifier returns false for the same.
  • http4k-ai-mcp-sdk: [Fix] MCP transports now contain optional CorsPolicy to apply to traffic. Defaults to null to avoid breaking existing usages.
  • http4k-ai-mcp-sdk: [Fix] DirectoryResources in Recursive mode no longer permits reading a sibling.
  • http4k-connect-storage-core: [Fix] Storage.InMemory().removeAll(keyPrefix) now returns true only when at least one key was actually removed (was returning true whenever the map was non-empty, even if no keys matched the prefix).
  • http4k-connect-storage-http: [Fix] Storage.Http().keySet(keyPrefix) no longer returns {""} when the server replies with an empty body; empty lines are filtered out.
  • http4k-format-moshi-yaml: [Fix] SnakeYAML is now constructed with SafeConstructor instead of Constructor.
  • http4k-multipart: [Fix] multipartIterator() now selects the boundary directive from Content-Type by name.
  • http4k-multipart: [Fix] DiskLocation.Temp/Permanent no longer use the multipart filename as the on-disk temp-file prefix.
  • http4k-multipart: [Fix] MultipartFormBody.from(...) now closes the underlying DiskLocation on parse failure.
  • http4k-realtime-core: [Fix] SseMessage.Data.toMessage() and SseMessage.Event.toMessage() now safer.
  • http4k-security-digest: [Fix] DigestCredential.fromHeader no longer throws on an Authorization header containing only the scheme; the request now receives the standard challenge instead of a 500.
  • http4k-server-netty: [Fix] A WebSocket-upgrade request with a non-standard HTTP method no longer throws IllegalArgumentException.
  • http4k-template-freemarker: [Fix] FreemarkerTemplates.safeConfiguration(...) now sets newBuiltinClassResolver = TemplateClassResolver.SAFER_RESOLVER and disables ?api
  • http4k-wiretap: [Fix] MermaidDiagramView no longer renders captured Mermaid source with ?no_esc
  • http4k-template-freemarker: Adds FreemarkerTemplates.safeConfiguration(...) factory.
  • http4k-ai-a2a-sdk: Added PushNotificationUrlPolicy so urls can be validated.

6.51.0.0

Changelog:

  • http4k-*: Upgrade versions
  • http4k-server-netty: [Unlikely Break] Add websocket heartbeat monitor. H/T @​oharaandrew314
  • http4k-security-digest: [Unlikely Break] DigestAuthReceiver to generate challenge response with correct URI. H/T @​oharaandrew314
  • http4k-core: Adds a maxDecompressedSize: Long parameter to RequestFilters.GunZip, ResponseFilters.GunZip, ServerFilters.GZip, ServerFilters.GZipContentTypes, ClientFilters.GZip, ClientFilters.AcceptGZip, and the underlying Body.gunzippedStream.

6.50.0.0

Changelog:

  • http4k-template-pug4j: [Unlikely break] Pug4jTemplates.HotReload now canonicalizes the resolved template path against baseTemplateDir and rejects any ViewModel.template() that escapes the base.
  • http4k-security-digest: [Unlikely break] DigestAuthProvider.verify now also rejects credentials whose uri parameter does not match the actual request URL.
  • http4k-ai-mcp-*: [Unlikely Break] MCP session and message IDs now derive from SecureRandom by default.

... (truncated)

Changelog

Sourced from org.http4k:http4k-bom's changelog.

v6.52.0.0

  • http4k-security-digest: [Break] ServerFilters.DigestAuth and DigestAuthProvider now can have a DigestAlgorithm enum (MD5 / SHA_256).
  • http4k-ai-a2a-sdk: [Unlikely Break] PushNotificationSender.Http now takes a PushNotificationUrlPolicy.
  • http4k-ai-mcp-client: [Unlikely Break] DiscoveredMcpOAuth rejects cross-origin resource_metadata and the legacy auth_server directive from WWW-Authenticate; discovery now falls through to .well-known/oauth-protected-resource at the resource origin.
  • http4k-ai-mcp-x402: [Unlikely Break] X402ToolFilter and McpFilters.X402PaymentRequired now take a SettlementMode.
  • http4k-api-jsonrpc: [Unlikely Break] RoutingJsonRpcHandler now caps batch requests at 100 elements; oversized batches are rejected with a single Invalid Request error instead of being processed.
  • http4k-bridge-micronaut: [Unlikely Break] HttpRequest.asHttp4k() returns null for an unrecognised HTTP method (was IllegalArgumentException); the fallback controller responds with 501 Not Implemented in that case.
  • http4k-connect-storage-core: [Unlikely Break] Storage.Disk now canonicalises and containment-checks the key parameter on get/set/remove; keys whose resolved path escapes the configured directory are silently treated as missing.
  • http4k-connect-storage-http: [Unlikely Break] Storage.Http now URL-encodes the key before interpolating it into the request path.
  • http4k-connect-storage-jdbc: [Fix] Storage.Jdbc now escapes LIKE metacharacters (%, _, \) in keyPrefix, so keySet("%")/removeAll("%") no longer over-match. Implemented via Exposed's LikePattern.ofLiteral.
  • http4k-connect-storage-redis: [Fix] Storage.Redis now escapes glob metacharacters (*, ?, [, ], \) in keyPrefix, so keySet("*")/removeAll("*") no longer over-match.
  • http4k-multipart: [Unlikely Break] Disk-spilled multipart parts (via DiskLocation.Temp/Permanent) are created with owner-only POSIX permissions where the underlying filesystem supports them.
  • http4k-realtime-core: [Unlikely Break] InputStream.chunkedSseSequence() now caps the in-progress message buffer (10 MB by default).
  • http4k-security-oauth: [Unlikely Break] AuthServerDiscovery.fromProtectedResource now requires the metadata resource to match the expected resource at a path-segment boundary,
  • http4k-server-jetty: [Unlikely Break] WebSocket message aggregation is now capped at 10 MB.
  • http4k-server-jetty*: [Unlikely Break] SSE event name and id are now CR/LF-stripped before being written to the wire (matching SseMessage.Event.toMessage()).
  • http4k-server-jetty11: [Unlikely Break] WebSocket message aggregation is now capped at 10 MB.
  • http4k-server-netty: [Unlikely Break] WebSocket message aggregation is now capped at 10 MB.
  • http4k-server-undertow: [Unlikely Break] Default Undertow builder now caps request bodies at 10 MB.
  • http4k-serverless-lambda: [Unlikely Break] ApiGatewayV1, ApplicationLoadBalancer, and ApiGatewayRest response adapters now also emit multiValueHeaders, preserving duplicate response headers (e.g. multiple Set-Cookie).
  • http4k-webhook: [Unlikely Break] HmacSha256.Signer rejects a WebhookId containing the signing delimiter .; HmacSha256.Verifier returns false for the same.
  • http4k-ai-mcp-sdk: [Fix] MCP transports now contain optional CorsPolicy to apply to traffic. Defaults to null to avoid breaking existing usages.
  • http4k-ai-mcp-sdk: [Fix] DirectoryResources in Recursive mode no longer permits reading a sibling.
  • http4k-connect-storage-core: [Fix] Storage.InMemory().removeAll(keyPrefix) now returns true only when at least one key was actually removed (was returning true whenever the map was non-empty, even if no keys matched the prefix).
  • http4k-connect-storage-http: [Fix] Storage.Http().keySet(keyPrefix) no longer returns {""} when the server replies with an empty body; empty lines are filtered out.
  • http4k-format-moshi-yaml: [Fix] SnakeYAML is now constructed with SafeConstructor instead of Constructor.
  • http4k-multipart: [Fix] multipartIterator() now selects the boundary directive from Content-Type by name.
  • http4k-multipart: [Fix] DiskLocation.Temp/Permanent no longer use the multipart filename as the on-disk temp-file prefix.
  • http4k-multipart: [Fix] MultipartFormBody.from(...) now closes the underlying DiskLocation on parse failure.
  • http4k-realtime-core: [Fix] SseMessage.Data.toMessage() and SseMessage.Event.toMessage() now safer.
  • http4k-security-digest: [Fix] DigestCredential.fromHeader no longer throws on an Authorization header containing only the scheme; the request now receives the standard challenge instead of a 500.
  • http4k-server-netty: [Fix] A WebSocket-upgrade request with a non-standard HTTP method no longer throws IllegalArgumentException.
  • http4k-template-freemarker: [Fix] FreemarkerTemplates.safeConfiguration(...) now sets newBuiltinClassResolver = TemplateClassResolver.SAFER_RESOLVER and disables ?api
  • http4k-wiretap: [Fix] MermaidDiagramView no longer renders captured Mermaid source with ?no_esc
  • http4k-template-freemarker: Adds FreemarkerTemplates.safeConfiguration(...) factory.
  • http4k-ai-a2a-sdk: Added PushNotificationUrlPolicy so urls can be validated.

v6.51.0.0

  • http4k-*: Upgrade versions
  • http4k-server-netty: [Unlikely Break] Add websocket heartbeat monitor. H/T @​oharaandrew314
  • http4k-security-digest: [Unlikely Break] DigestAuthReceiver to generate challenge response with correct URI. H/T @​oharaandrew314
  • http4k-core: Adds a maxDecompressedSize: Long parameter to RequestFilters.GunZip, ResponseFilters.GunZip, ServerFilters.GZip, ServerFilters.GZipContentTypes, ClientFilters.GZip, ClientFilters.AcceptGZip, and the underlying Body.gunzippedStream.

v6.50.0.0

  • http4k-template-pug4j: [Unlikely break] Pug4jTemplates.HotReload now canonicalizes the resolved template path against baseTemplateDir and rejects any ViewModel.template() that escapes the base.
  • http4k-security-digest: [Unlikely break] DigestAuthProvider.verify now also rejects credentials whose uri parameter does not match the actual request URL.
  • http4k-ai-mcp-*: [Unlikely Break] MCP session and message IDs now derive from SecureRandom by default.
  • http4k-security-oauth: [Unlikely break] OAuth server now persists a nonce for any openid scope (previously only CodeIdToken) and validateNonceAfterToken fail-closes when the token-endpoint id_token is missing or its nonce mismatches.
  • http4k-format-xml: [Unlikely break] defaultXmlParsingConfig now sets disallow-doctype-decl and FEATURE_SECURE_PROCESSING, so Body.xml()/asXmlDocument() reject any document with a <!DOCTYPE>.
  • http4k-webhook: [Unlikely break] ServerFilters.VerifyWebhookSignature now also rejects messages whose webhook-timestamp is more than tolerance away from clock.instant() (default tolerance 5.minutes, clock Clock.systemUTC()), per the Standard Webhooks scheme. Captures of valid webhooks can no longer be replayed indefinitely. Pass a Clock.fixed(...) to control timing in tests.

... (truncated)

Commits
  • f7203cc Release 6.52.0.0
  • 4a1c2a0 General tidying
  • 297cb97 General tidying
  • cb62a56 Add PushNotificationUrlPolicy to enforce URL validation in push notification ...
  • bc79f72 Add PushNotificationUrlPolicy to validate URLs in push notification configura...
  • da974a0 Add optional CorsPolicy support for all MCP server types and enhance WebSocke...
  • 7fb75a7 Update CHANGELOG with consistent formatting and new entries for fixes, unlike...
  • 5a12ac5 URL-encode Storage.Http keys in request paths to safely handle reserved cha...
  • faafbab Escape HTML in MermaidDiagramView to prevent XSS and ensure legitimate cont...
  • e47837e Harden FreemarkerTemplates.safeConfiguration by setting `TemplateClassResol...
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [org.http4k:http4k-bom](https://github.com/http4k/http4k) from 6.48.0.0 to 6.52.0.0.
- [Release notes](https://github.com/http4k/http4k/releases)
- [Changelog](https://github.com/http4k/http4k/blob/master/CHANGELOG.md)
- [Commits](http4k/http4k@6.48.0.0...6.52.0.0)

---
updated-dependencies:
- dependency-name: org.http4k:http4k-bom
  dependency-version: 6.52.0.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies (Pull requests that update a dependency file) and java (Pull requests that update Java code) labels Jun 4, 2026

dependabot Bot commented on behalf of github Jun 8, 2026


Superseded by #1241.

dependabot Bot closed this Jun 8, 2026
dependabot Bot deleted the dependabot/gradle/backend/org.http4k-http4k-bom-6.52.0.0 branch June 8, 2026 20:23