Added a secure version of DocumentBuilderFactory and XPATHFactory to prevent XXE (XML External Entity) attack when reading pom.xml file (#539, thanks to @kshitizg for the pull request!).
classgraph-4.8.111
Allow globs when accepting/rejecting specific classes, e.g. new ClassGraph().acceptClasses("*.*Suffix") (#536, thanks to @cushon for the request!)
classgraph-4.8.110
Add method AnnotationInfo#getParameterValues(boolean includeDefaultValues) so that defaults don't have to be included (#535, thanks to @zerikv for requesting).
classgraph-4.8.109
Add support for Quarkus 1.13's new classloader. Thanks to @itmrat01 for the code contribution! (#531, #532).
classgraph-4.8.108
JDK 11 classfile format compatibility fix (JDK 11 added a constant pool tag, and the classfile can't be read without knowing how long the corresponding constant pool entry is expected to be). (#527, thanks to @haoyuf for reporting.)
classgraph-4.8.107
Fix classloader detection for TomEE JAX-RS endpoints (#515, thanks to @Restage for detailed assistance in debugging this weird issue!).
classgraph-4.8.106
Support TomEE classloaders for JAX-RS endpoints (#515, thanks to @Restage for the request)
Don't try reading user.dir (the current directory) unless it's on the classpath, since some security environments can't read the current directory (#520, thanks to @elkman for the bug report).
classgraph-4.8.105
Fix potential NPE in verbose logging
Fix for zipfiles between 2GB and 4GB in size, when a zip entry's start position was past the 2GB point in the file (#514, thanks to @cwmccann for the bug report)
classgraph-4.8.104
Improved verbose logging to include types of methods and fields.
Added a couple of missing methods to ClassInfoList for GraphViz visualization of inter-class dependency graphs.
classgraph-4.8.103
Fixed issue with duplication of automatic package roots (e.g. myjar.jar!/BOOT-INF/classes/BOOT-INF/classes/path/to/resource). (#505, thanks to @michael-simons for the bug report and reproducer code.)
Also fixed an issue where closing the InputStream returned by Resource#open() wasn't marking the Resource as closed (which meant the resource couldn't be opened a second time).
classgraph-4.8.102
Further improvements in robustness to invalid type signatures that may be generated by the Scala compiler. (#495, thanks to @jbracker.)
classgraph-4.8.101
Made type signature parsing more robust to errors -- the Scala compiler can generate illegal type signatures. (#495, thanks to @jbracker for the report.)
classgraph-4.8.99
Fixed parsing of type parameters and type variables in Scala (these can contain a $ character in Scala, but you don't see that in Java). (#495, thanks to @jbracker for the report and for submitting a minimal testcase.)
Fixed a couple of possible exceptions that could be thrown when parsing type annotations for type descriptors.
classgraph-4.8.98
Fix NPE in hashCode() and equals() methods of TypeArgument (#491, thanks to @Tagakov for the fix!).
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/kbeigl/jeets/network/alerts).
Bumps io.github.classgraph:classgraph from 4.8.87 to 4.8.112.
Release notes
Sourced from io.github.classgraph:classgraph's releases.
... (truncated)
Commits
b3bddc7[maven-release-plugin] prepare release classgraph-4.8.1125e32b91Source > Cleanup2a5dbf7Update README.md5d8d61dUpdate README.md2531599Merge pull request #539 from kshitizg/latest681362aAdding SecureDocumentBuilderFactory & SecureXPATHFactory to prevent XXE( XML ...71ba4a2[maven-release-plugin] prepare for next development iteration4aeda58[maven-release-plugin] prepare release classgraph-4.8.1112022d94Update JavaDocf191ba9Merge branch 'latest' of https://github.com/classgraph/classgraph into latestDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show