⬆️ Bump org.http4k:http4k-bom from 6.48.0.0 to 6.53.0.0 in /backend #1241

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/gradle/backend/org.http4k-http4k-bom-6.53.0.0
@dependabot dependabot Bot commented on behalf of github Jun 8, 2026

Bumps org.http4k:http4k-bom from 6.48.0.0 to 6.53.0.0.

Release notes

Sourced from org.http4k:http4k-bom's releases.

6.53.0.0

Changelog:

  • http4k-*: Upgrade versions including Kotlin to 2.4.0
  • http4k-testing-webdriver: Http4kWebDriver supports multiple file upload H/T @​savagematt

6.52.0.0

Changelog:

  • http4k-security-digest: [Break] ServerFilters.DigestAuth and DigestAuthProvider now can have a DigestAlgorithm enum (MD5 / SHA_256).
  • http4k-ai-a2a-sdk: [Unlikely Break] PushNotificationSender.Http now takes a PushNotificationUrlPolicy.
  • http4k-ai-mcp-client: [Unlikely Break] DiscoveredMcpOAuth rejects cross-origin resource_metadata and the legacy auth_server directive from WWW-Authenticate; discovery now falls through to .well-known/oauth-protected-resource at the resource origin.
  • http4k-ai-mcp-x402: [Unlikely Break] X402ToolFilter and McpFilters.X402PaymentRequired now take a SettlementMode.
  • http4k-api-jsonrpc: [Unlikely Break] RoutingJsonRpcHandler now caps batch requests at 100 elements; oversized batches are rejected with a single Invalid Request error instead of being processed.
  • http4k-bridge-micronaut: [Unlikely Break] HttpRequest.asHttp4k() returns null for an unrecognised HTTP method (was IllegalArgumentException); the fallback controller responds with 501 Not Implemented in that case.
  • http4k-connect-storage-core: [Unlikely Break] Storage.Disk now canonicalises and containment-checks the key parameter on get/set/remove; keys whose resolved path escapes the configured directory are silently treated as missing.
  • http4k-connect-storage-http: [Unlikely Break] Storage.Http now URL-encodes the key before interpolating it into the request path.
  • http4k-connect-storage-jdbc: [Fix] Storage.Jdbc now escapes LIKE metacharacters (%, _, \) in keyPrefix, so keySet("%")/removeAll("%") no longer over-match. Implemented via Exposed's LikePattern.ofLiteral.
  • http4k-connect-storage-redis: [Fix] Storage.Redis now escapes glob metacharacters (*, ?, [, ], \) in keyPrefix, so keySet("*")/removeAll("*") no longer over-match.
  • http4k-multipart: [Unlikely Break] Disk-spilled multipart parts (via DiskLocation.Temp/Permanent) are created with owner-only POSIX permissions where the underlying filesystem supports them.
  • http4k-realtime-core: [Unlikely Break] InputStream.chunkedSseSequence() now caps the in-progress message buffer (10 MB by default).
  • http4k-security-oauth: [Unlikely Break] AuthServerDiscovery.fromProtectedResource now requires the metadata resource to match the expected resource at a path-segment boundary,
  • http4k-server-jetty: [Unlikely Break] WebSocket message aggregation is now capped at 10 MB.
  • http4k-server-jetty*: [Unlikely Break] SSE event name and id are now CR/LF-stripped before being written to the wire (matching SseMessage.Event.toMessage()).
  • http4k-server-jetty11: [Unlikely Break] WebSocket message aggregation is now capped at 10 MB.
  • http4k-server-netty: [Unlikely Break] WebSocket message aggregation is now capped at 10 MB.
  • http4k-server-undertow: [Unlikely Break] Default Undertow builder now caps request bodies at 10 MB.
  • http4k-serverless-lambda: [Unlikely Break] ApiGatewayV1, ApplicationLoadBalancer, and ApiGatewayRest response adapters now also emit multiValueHeaders, preserving duplicate response headers (e.g. multiple Set-Cookie).
  • http4k-webhook: [Unlikely Break] HmacSha256.Signer rejects a WebhookId containing the signing delimiter .; HmacSha256.Verifier returns false for the same.
  • http4k-ai-mcp-sdk: [Fix] MCP transports now contain optional CorsPolicy to apply to traffic. Defaults to null to avoid breaking existing usages.
  • http4k-ai-mcp-sdk: [Fix] DirectoryResources in Recursive mode no longer permits reading a sibling.
  • http4k-connect-storage-core: [Fix] Storage.InMemory().removeAll(keyPrefix) now returns true only when at least one key was actually removed (was returning true whenever the map was non-empty, even if no keys matched the prefix).
  • http4k-connect-storage-http: [Fix] Storage.Http().keySet(keyPrefix) no longer returns {""} when the server replies with an empty body; empty lines are filtered out.
  • http4k-format-moshi-yaml: [Fix] SnakeYAML is now constructed with SafeConstructor instead of Constructor.
  • http4k-multipart: [Fix] multipartIterator() now selects the boundary directive from Content-Type by name.
  • http4k-multipart: [Fix] DiskLocation.Temp/Permanent no longer use the multipart filename as the on-disk temp-file prefix.
  • http4k-multipart: [Fix] MultipartFormBody.from(...) now closes the underlying DiskLocation on parse failure.
  • http4k-realtime-core: [Fix] SseMessage.Data.toMessage() and SseMessage.Event.toMessage() now safer.
  • http4k-security-digest: [Fix] DigestCredential.fromHeader no longer throws on an Authorization header containing only the scheme; the request now receives the standard challenge instead of a 500.
  • http4k-server-netty: [Fix] A WebSocket-upgrade request with a non-standard HTTP method no longer throws IllegalArgumentException.
  • http4k-template-freemarker: [Fix] FreemarkerTemplates.safeConfiguration(...) now sets newBuiltinClassResolver = TemplateClassResolver.SAFER_RESOLVER and disables ?api
  • http4k-wiretap: [Fix] MermaidDiagramView no longer renders captured Mermaid source with ?no_esc
  • http4k-template-freemarker: Adds FreemarkerTemplates.safeConfiguration(...) factory.
  • http4k-ai-a2a-sdk: Added PushNotificationUrlPolicy so URLs can be validated.

6.51.0.0

Changelog:

  • http4k-*: Upgrade versions
  • http4k-server-netty: [Unlikely Break] Add websocket heartbeat monitor. H/T @​oharaandrew314
  • http4k-security-digest: [Unlikely Break] DigestAuthReceiver to generate challenge response with correct URI. H/T @​oharaandrew314
  • http4k-core: Adds a maxDecompressedSize: Long parameter to RequestFilters.GunZip, ResponseFilters.GunZip, ServerFilters.GZip, ServerFilters.GZipContentTypes, ClientFilters.GZip, ClientFilters.AcceptGZip, and the underlying Body.gunzippedStream.

... (truncated)

Changelog

Sourced from org.http4k:http4k-bom's changelog.

v6.53.0.0

  • http4k-*: Upgrade versions including Kotlin to 2.4.0
  • http4k-testing-webdriver: Http4kWebDriver supports multiple file upload H/T @​savagematt

v6.52.0.0

  • http4k-security-digest: [Break] ServerFilters.DigestAuth and DigestAuthProvider now can have a DigestAlgorithm enum (MD5 / SHA_256).
  • http4k-ai-a2a-sdk: [Unlikely Break] PushNotificationSender.Http now takes a PushNotificationUrlPolicy.
  • http4k-ai-mcp-client: [Unlikely Break] DiscoveredMcpOAuth rejects cross-origin resource_metadata and the legacy auth_server directive from WWW-Authenticate; discovery now falls through to .well-known/oauth-protected-resource at the resource origin.
  • http4k-ai-mcp-x402: [Unlikely Break] X402ToolFilter and McpFilters.X402PaymentRequired now take a SettlementMode.
  • http4k-api-jsonrpc: [Unlikely Break] RoutingJsonRpcHandler now caps batch requests at 100 elements; oversized batches are rejected with a single Invalid Request error instead of being processed.
  • http4k-bridge-micronaut: [Unlikely Break] HttpRequest.asHttp4k() returns null for an unrecognised HTTP method (was IllegalArgumentException); the fallback controller responds with 501 Not Implemented in that case.
  • http4k-connect-storage-core: [Unlikely Break] Storage.Disk now canonicalises and containment-checks the key parameter on get/set/remove; keys whose resolved path escapes the configured directory are silently treated as missing.
  • http4k-connect-storage-http: [Unlikely Break] Storage.Http now URL-encodes the key before interpolating it into the request path.
  • http4k-connect-storage-jdbc: [Fix] Storage.Jdbc now escapes LIKE metacharacters (%, _, \) in keyPrefix, so keySet("%")/removeAll("%") no longer over-match. Implemented via Exposed's LikePattern.ofLiteral.
  • http4k-connect-storage-redis: [Fix] Storage.Redis now escapes glob metacharacters (*, ?, [, ], \) in keyPrefix, so keySet("*")/removeAll("*") no longer over-match.
  • http4k-multipart: [Unlikely Break] Disk-spilled multipart parts (via DiskLocation.Temp/Permanent) are created with owner-only POSIX permissions where the underlying filesystem supports them.
  • http4k-realtime-core: [Unlikely Break] InputStream.chunkedSseSequence() now caps the in-progress message buffer (10 MB by default).
  • http4k-security-oauth: [Unlikely Break] AuthServerDiscovery.fromProtectedResource now requires the metadata resource to match the expected resource at a path-segment boundary,
  • http4k-server-jetty: [Unlikely Break] WebSocket message aggregation is now capped at 10 MB.
  • http4k-server-jetty*: [Unlikely Break] SSE event name and id are now CR/LF-stripped before being written to the wire (matching SseMessage.Event.toMessage()).
  • http4k-server-jetty11: [Unlikely Break] WebSocket message aggregation is now capped at 10 MB.
  • http4k-server-netty: [Unlikely Break] WebSocket message aggregation is now capped at 10 MB.
  • http4k-server-undertow: [Unlikely Break] Default Undertow builder now caps request bodies at 10 MB.
  • http4k-serverless-lambda: [Unlikely Break] ApiGatewayV1, ApplicationLoadBalancer, and ApiGatewayRest response adapters now also emit multiValueHeaders, preserving duplicate response headers (e.g. multiple Set-Cookie).
  • http4k-webhook: [Unlikely Break] HmacSha256.Signer rejects a WebhookId containing the signing delimiter .; HmacSha256.Verifier returns false for the same.
  • http4k-ai-mcp-sdk: [Fix] MCP transports now contain optional CorsPolicy to apply to traffic. Defaults to null to avoid breaking existing usages.
  • http4k-ai-mcp-sdk: [Fix] DirectoryResources in Recursive mode no longer permits reading a sibling.
  • http4k-connect-storage-core: [Fix] Storage.InMemory().removeAll(keyPrefix) now returns true only when at least one key was actually removed (was returning true whenever the map was non-empty, even if no keys matched the prefix).
  • http4k-connect-storage-http: [Fix] Storage.Http().keySet(keyPrefix) no longer returns {""} when the server replies with an empty body; empty lines are filtered out.
  • http4k-format-moshi-yaml: [Fix] SnakeYAML is now constructed with SafeConstructor instead of Constructor.
  • http4k-multipart: [Fix] multipartIterator() now selects the boundary directive from Content-Type by name.
  • http4k-multipart: [Fix] DiskLocation.Temp/Permanent no longer use the multipart filename as the on-disk temp-file prefix.
  • http4k-multipart: [Fix] MultipartFormBody.from(...) now closes the underlying DiskLocation on parse failure.
  • http4k-realtime-core: [Fix] SseMessage.Data.toMessage() and SseMessage.Event.toMessage() now safer.
  • http4k-security-digest: [Fix] DigestCredential.fromHeader no longer throws on an Authorization header containing only the scheme; the request now receives the standard challenge instead of a 500.
  • http4k-server-netty: [Fix] A WebSocket-upgrade request with a non-standard HTTP method no longer throws IllegalArgumentException.
  • http4k-template-freemarker: [Fix] FreemarkerTemplates.safeConfiguration(...) now sets newBuiltinClassResolver = TemplateClassResolver.SAFER_RESOLVER and disables ?api
  • http4k-wiretap: [Fix] MermaidDiagramView no longer renders captured Mermaid source with ?no_esc
  • http4k-template-freemarker: Adds FreemarkerTemplates.safeConfiguration(...) factory.
  • http4k-ai-a2a-sdk: Added PushNotificationUrlPolicy so URLs can be validated.

v6.51.0.0

  • http4k-*: Upgrade versions
  • http4k-server-netty: [Unlikely Break] Add websocket heartbeat monitor. H/T @​oharaandrew314
  • http4k-security-digest: [Unlikely Break] DigestAuthReceiver to generate challenge response with correct URI. H/T @​oharaandrew314
  • http4k-core: Adds a maxDecompressedSize: Long parameter to RequestFilters.GunZip, ResponseFilters.GunZip, ServerFilters.GZip, ServerFilters.GZipContentTypes, ClientFilters.GZip, ClientFilters.AcceptGZip, and the underlying Body.gunzippedStream.

v6.50.0.0

  • http4k-template-pug4j: [Unlikely break] Pug4jTemplates.HotReload now canonicalizes the resolved template path against baseTemplateDir and rejects any ViewModel.template() that escapes the base.
  • http4k-security-digest: [Unlikely break] DigestAuthProvider.verify now also rejects credentials whose uri parameter does not match the actual request URL.

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [org.http4k:http4k-bom](https://github.com/http4k/http4k) from 6.48.0.0 to 6.53.0.0.
- [Release notes](https://github.com/http4k/http4k/releases)
- [Changelog](https://github.com/http4k/http4k/blob/master/CHANGELOG.md)
- [Commits](http4k/http4k@6.48.0.0...6.53.0.0)

---
updated-dependencies:
- dependency-name: org.http4k:http4k-bom
  dependency-version: 6.53.0.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Jun 8, 2026
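
The Storage.Disk containment check listed under 6.52.0.0 (and the DirectoryResources sibling-read fix) comes down to comparing whole path segments instead of string prefixes. The Kotlin below is an added example, not http4k's own code: the function names, base directory and keys are assumptions, and it normalises POSIX-style paths lexically without resolving symlinks.

```kotlin
import java.nio.file.Path
import java.nio.file.Paths

// Hypothetical helpers for illustration; not the http4k Storage.Disk implementation.

// Naive check: string prefix on the normalised path. A sibling directory
// whose name merely begins with the base directory's name passes.
fun naiveContains(base: Path, key: String): Boolean {
    val root = base.toAbsolutePath().normalize()
    return root.resolve(key).normalize().toString().startsWith(root.toString())
}

// Segment-aware check: Path.startsWith compares whole name elements,
// so /srv/store-private is not treated as being inside /srv/store.
// Returns null for an escaping key, mirroring "treated as missing".
// Lexical only: resolving symlinks would need toRealPath() on an existing path.
fun resolveContained(base: Path, key: String): Path? {
    val root = base.toAbsolutePath().normalize()
    val candidate = root.resolve(key).normalize()
    return if (candidate.startsWith(root) && candidate != root) candidate else null
}

fun main() {
    val base = Paths.get("/srv/store")      // constructed sample directory
    val keys = listOf(                      // constructed sample keys
        "user-42.json",                     // plain key
        "nested/ok.json",                   // key in a subdirectory
        "a/../../store/b.json",             // leaves and re-enters the base
        "../store-private/token",           // sibling sharing the name prefix
        "../../etc/passwd",                 // climbs above the base
        "/etc/passwd"                       // absolute key replaces the base
    )
    for (key in keys) {
        val contained = resolveContained(base, key)
        println(
            "%-26s naive=%-5s contained=%s".format(
                key, naiveContains(base, key), contained ?: "missing"
            )
        )
    }
}
```

The sibling key is the case that separates the two checks: the string-prefix version accepts it, the segment-aware version reports it as missing. Code that relied on keys resolving outside the configured directory will see those keys disappear after the upgrade instead of raising an error.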