KorAP / KorAP-Tokenizer

DFA tokenizer with character offset output, large abbreviation tables and CMC support.
Apache License 2.0

Bump classgraph from 4.8.110 to 4.8.117 #29

Closed dependabot[bot] closed 3 years ago

dependabot[bot] commented 3 years ago

Bumps classgraph from 4.8.110 to 4.8.117.

Release notes

Sourced from classgraph's releases.

classgraph-4.8.117

First version that is fully compatible with JDK 16+.

The JDK team decided to switch on strong encapsulation in JDK 16+. That means that ClassGraph cannot find the classpath, if all of the following are true:

  • You are running on JDK 16+
  • You are using a legacy classloader (rather than the module system)
  • The legacy classloader does not expose its classpath via a public field or method
  • The classloader is loaded in a module that is not exported to the module your user code is running in (?? not sure on this one)

This is just the first step of trying to lock down Java's internals, so further restrictions are possible (e.g. it is likely that setAccessible(true) will fail in future JDK releases, even within a single module). Note that already, many widely-used libraries have ceased working on JDK 16. Some have been easily fixable, some have not been. Consequently, a tool for circumventing these lockdowns was necessary.

ClassGraph 4.8.117 uses ToolFactory to silently circumvent all of Java's security mechanisms (visibility/access checks, security manager restrictions, and strong encapsulation). ToolFactory is a collaboration between:

Note that ClassGraph only uses ToolFactory to obtain the classpath from the visible classloader(s).

JVM-Driver and Narcissus provide very different mechanisms for circumventing Java's security mechanisms, which provides options for continuing to keep ClassGraph running. However, eventually if the JDK team is successful, all such loopholes for circumventing Java security mechanisms will be closed -- and at that point, ClassGraph may stop working for you. Before that happens, please check your classloader(s) and contact the developers if the classloader(s) do not publicly expose their classpath.

classgraph-4.8.116

  • Handle unchecked exceptions such as UnsupportedOperationException (rather than dying), which may be thrown by filesystems when accessing a Path object discovered as a classpath element. (#553, thanks to @​wajda for the report and the helpful info on how to reproduce.)
  • Specifically, ignore JrtFileSystem (which throws UnsupportedOperationException if you try to open a new FileChannel on a resource). This filesystem is not needed anyway, as ClassGraph already has the ability to scan all visible modules using the JPMS API.

classgraph-4.8.115

Merged pull request from @​larsgrefer to allow class references and not just class names to be used (e.g. to find all the subclasses of a given class). (#549, thanks Lars for the contribution!)

classgraph-4.8.114

Fixed bug where short constant values (e.g. short-typed annotation parameter values) were always being read as zero. Thanks to @​liangzengle for reporting the bug and tracing it right down to the source line that needed to be fixed!

classgraph-4.8.113

  • Don't throw IllegalArgumentException if ClassInfo#getClassesImplementing() or ScanResult#getClassesImplementing() are called for a non-interface class.
  • Don't throw IllegalArgumentException if ClassInfo#getClassesWithAnnotation() or ScanResult#getClassesWithAnnotation() are called for a non-annotation class.

#543, thanks to @​parttimenerd for the request.

classgraph-4.8.112

  • Added a secure version of DocumentBuilderFactory and XPATHFactory to prevent XXE (XML External Entity) attack when reading pom.xml file (#539, thanks to @​kshitizg for the pull request!).

classgraph-4.8.111

Allow globs when accepting/rejecting specific classes, e.g. new ClassGraph().acceptClasses("*.*Suffix") (#536, thanks to @​cushon for the request!)

Commits
  • 82d965f [maven-release-plugin] prepare release classgraph-4.8.117
  • 1809312 Use toolfactory/jvm-driver for reflection
  • 2612e46 Remove unnecessary annotation
  • 2c33183 Merge pull request #557 from classgraph/dependabot/maven/org.assertj-assertj-...
  • 799cfb8 Merge pull request #558 from classgraph/dependabot/maven/org.junit.jupiter-ju...
  • 3fc55ae Enable testing on JDK 17
  • d2f44e5 Bump junit-jupiter from 5.7.2 to 5.8.1
  • 04267a4 Bump assertj-core from 3.20.2 to 3.21.0
  • e80af3f Try to fetch ucp field (will only work with Narcissus)
  • f00ff6b [maven-release-plugin] prepare for next development iteration
  • Additional commits viewable in compare view



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

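The classgraph-4.8.117 notes above ask users to check whether their classloaders publicly expose their classpath. The following is an added example, not code from ClassGraph or from this PR, that walks the classloader chain and reports, for each loader, whether it has a public classpath accessor, whether its package is open to the calling module, and whether ordinary reflection on a private field is blocked by strong encapsulation. The class and method names are hypothetical; the field name `ucp` is taken from the commit list above, and JDK 9 or later is assumed.

```java
import java.lang.reflect.Field;
import java.lang.reflect.InaccessibleObjectException;
import java.net.URLClassLoader;

// Added example (hypothetical names, not ClassGraph code). Assumes JDK 9+.
public class ClasspathExposureCheck {

    /** Reports how (or whether) one classloader makes its classpath available to ordinary code. */
    static String describe(ClassLoader cl) {
        if (cl instanceof URLClassLoader) {
            int n = ((URLClassLoader) cl).getURLs().length;
            return "public getURLs() exposes " + n + " classpath entries";
        }
        Class<?> type = cl.getClass();
        Module caller = ClasspathExposureCheck.class.getModule();
        boolean open = type.getModule().isOpen(type.getPackageName(), caller);
        return "no public classpath accessor; package " + type.getPackageName()
                + (open ? " is open" : " is NOT open") + " to the calling module; "
                + probeField(type, "ucp");
    }

    /** Looks for a private field by name up the class hierarchy and tries plain reflection on it. */
    static String probeField(Class<?> type, String name) {
        for (Class<?> c = type; c != null; c = c.getSuperclass()) {
            try {
                Field f = c.getDeclaredField(name);
                f.setAccessible(true); // ordinary reflection only; nothing here bypasses the check
                return "field '" + name + "' in " + c.getName() + " is reachable by reflection";
            } catch (NoSuchFieldException e) {
                // not declared at this level; keep walking up the hierarchy
            } catch (InaccessibleObjectException e) {
                return "field '" + name + "' in " + c.getName() + " is blocked by strong encapsulation";
            }
        }
        return "no field named '" + name + "' found";
    }

    public static void main(String[] args) {
        System.out.println("java.version = " + System.getProperty("java.version"));
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        for (; cl != null; cl = cl.getParent()) {
            System.out.println(cl.getClass().getName() + ": " + describe(cl));
        }
        // The supported, public source of the application classpath.
        System.out.println("java.class.path = " + System.getProperty("java.class.path"));
    }
}
```

A loader reported as having no public accessor, a package that is not open and a blocked field is one for which a library can read the classpath only by circumventing encapsulation, which is the situation the release notes describe.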
dependabot[bot] commented 3 years ago

Superseded by #30.