search

philihp / weblabora

Ora et Labora boardgame simulation library
http://kennerspiel.com
Apache License 2.0
11 stars 2 forks source link

Update dependency com.google.code.gson:gson to v2.8.9 [SECURITY] #146

Open renovate[bot] opened 1 year ago

renovate[bot] commented 1 year ago

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
com.google.code.gson:gson 2.1 -> 2.8.9 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-25647

The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to denial of service attacks.

Release Notes

google/gson (com.google.code.gson:gson) ### [`v2.8.9`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-289) - Make OSGi bundle's dependency on `sun.misc` optional ([https://github.com/google/gson/pull/1993](https://togithub.com/google/gson/pull/1993)). - Deprecate `Gson.excluder()` exposing internal `Excluder` class ([https://github.com/google/gson/pull/1986](https://togithub.com/google/gson/pull/1986)). - Prevent Java deserialization of internal classes ([https://github.com/google/gson/pull/1991](https://togithub.com/google/gson/pull/1991)). - Improve number strategy implementation ([https://github.com/google/gson/pull/1987](https://togithub.com/google/gson/pull/1987)). - Fix LongSerializationPolicy null handling being inconsistent with Gson ([https://github.com/google/gson/pull/1990](https://togithub.com/google/gson/pull/1990)). - Support arbitrary Number implementation for Object and Number deserialization ([https://github.com/google/gson/pull/1290](https://togithub.com/google/gson/pull/1290)). - Bump proguard-maven-plugin from 2.4.0 to 2.5.1 ([https://github.com/google/gson/pull/1980](https://togithub.com/google/gson/pull/1980)). - Don't exclude static local classes ([https://github.com/google/gson/pull/1969](https://togithub.com/google/gson/pull/1969)). - Fix `RuntimeTypeAdapterFactory` depending on internal `Streams` class ([https://github.com/google/gson/pull/1959](https://togithub.com/google/gson/pull/1959)). - Improve Maven build ([https://github.com/google/gson/pull/1964](https://togithub.com/google/gson/pull/1964)). - Make dependency on `java.sql` optional ([https://github.com/google/gson/pull/1707](https://togithub.com/google/gson/pull/1707)). ### [`v2.8.8`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-288) - Fixed issue with recursive types ([https://github.com/google/gson/issues/1390](https://togithub.com/google/gson/issues/1390)). - Better behaviour with Java 9+ and `Unsafe` if there is a security manager ([https://github.com/google/gson/pull/1712](https://togithub.com/google/gson/pull/1712)). - `EnumTypeAdapter` now works better when ProGuard has obfuscated enum fields ([https://github.com/google/gson/pull/1495](https://togithub.com/google/gson/pull/1495)). ### [`v2.8.7`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-287) - Fixed `ISO8601UtilsTest` failing on systems with UTC+X. - Improved javadoc for `JsonStreamParser`. - Updated proguard.cfg ([https://github.com/google/gson/pull/1693](https://togithub.com/google/gson/pull/1693)). - Fixed `IllegalStateException` in `JsonTreeWriter` ([https://github.com/google/gson/issues/1592](https://togithub.com/google/gson/issues/1592)). - Added `JsonArray.isEmpty()` ([https://github.com/google/gson/pull/1640](https://togithub.com/google/gson/pull/1640)). - Added new test cases ([https://github.com/google/gson/pull/1638](https://togithub.com/google/gson/pull/1638)). - Fixed OSGi metadata generation to work on JavaSE < 9 ([https://github.com/google/gson/pull/1603](https://togithub.com/google/gson/pull/1603)). ### [`v2.8.6`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-286) *2019-10-04* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.8.5...gson-parent-2.8.6) - Added static methods `JsonParser.parseString` and `JsonParser.parseReader` and deprecated instance method `JsonParser.parse` - Java 9 module-info support ### [`v2.8.5`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-285) *2018-05-21* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.8.4...gson-parent-2.8.5) - Print Gson version while throwing AssertionError and IllegalArgumentException - Moved `utils.VersionUtils` class to `internal.JavaVersion`. This is a potential backward incompatible change from 2.8.4 - Fixed issue [https://github.com/google/gson/issues/1310](https://togithub.com/google/gson/issues/1310) by supporting Debian Java 9 ### [`v2.8.4`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-284) *2018-05-01* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.8.3...gson-parent-2.8.4) - Added a new FieldNamingPolicy, `LOWER_CASE_WITH_DOTS` that mapps JSON name `someFieldName` to `some.field.name` - Fixed issue [https://github.com/google/gson/issues/1305](https://togithub.com/google/gson/issues/1305) by removing compile/runtime dependency on `sun.misc.Unsafe` ### [`v2.8.3`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-283) *2018-04-27* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.8.2...gson-parent-2.8.3) - Added a new API, `GsonBuilder.newBuilder()` that clones the current builder - Preserving DateFormatter behavior on JDK 9 - Numerous other bugfixes ### [`v2.8.2`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-282) *2017-09-19* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.8.1...gson-parent-2.8.2) - Introduced a new API, `JsonElement.deepCopy()` - Numerous other bugfixes ### [`v2.8.1`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-281) *2017-05-30* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.8.0...gson-parent-2.8.1) - New: `JsonObject.keySet()` - `@JsonAdapter` annotation can now use `JsonSerializer` and `JsonDeserializer` as well. ### [`v2.7`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-27) *2016-06-14* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.6.2...gson-parent-2.7) - Added support for JsonSerializer/JsonDeserializer in [@​JsonAdapter](https://togithub.com/JsonAdapter) annotation - Exposing Gson properties excluder(), fieldNamingStrategy(), serializeNulls(), htmlSafe() - Added JsonObject.size() method - Added JsonWriter.value(Boolean value) method - Using ArrayDeque, ConcurrentHashMap, and other JDK 1.6 features - Better error reporting - Plenty of other bug fixes ### [`v2.6.2`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-262) *2016-02-26* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.6.1...gson-parent-2.6.2) - Fixed an NPE bug with [@​JsonAdapter](https://togithub.com/JsonAdapter) annotation - Added back OSGI manifest - Some documentation typo fixes ### [`v2.6.1`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-261) *2016-02-11* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.6...gson-parent-2.6.1) - Fix: The 2.6 release targeted Java 1.7, but we intend to target Java 1.6. The 2.6.1 release is identical to 2.6, but it targets Java 1.6. ### [`v2.6`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-262) *2016-02-26* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.6.1...gson-parent-2.6.2) - Fixed an NPE bug with [@​JsonAdapter](https://togithub.com/JsonAdapter) annotation - Added back OSGI manifest - Some documentation typo fixes ### [`v2.5`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-25) *2015-11-24* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.4...gson-parent-2.5) - Updated minimum JDK version to 1.6 - Improved Date Deserialization by accepting many date formats - Added support for `java.util.Currency`, `AtomicLong`, `AtomicLongArray`, `AtomicInteger`, `AtomicIntegerArray`, `AtomicBoolean`. This change is backward-incompatible because the earlier version of Gson used the default serialization which wasn't intuitive. We hope that these classes are not used enough to actually cause problems in the field. - Improved debugging information when some exceptions are thrown ### [`v2.4`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-24) *2015-10-04* - **Drop `IOException` from `TypeAdapter.toJson()`.** This is a binary-compatible change, but may cause compiler errors where `IOExceptions` are being caught but no longer thrown. The correct fix for this problem is to remove the unnecessary `catch` clause. - New: `Gson.newJsonWriter` method returns configured `JsonWriter` instances. - New: `@SerializedName` now works with \[AutoValue’s]\[autovalue] abstract property methods. - New: `@SerializedName` permits alternate names when deserializing. - New: `JsonWriter#jsonValue` writes raw JSON values. - New: APIs to add primitives directly to `JsonArray` instances. - New: ISO 8601 date type adapter. Find this in *extras*. - Fix: `FieldNamingPolicy` now works properly when running on a device with a Turkish locale. \[autovalue]: https://togithub.com/google/auto/tree/main/value ### [`v2.3.1`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-231) *2014-11-20* - Added support to serialize objects with self-referential fields. The self-referential field is set to null in JSON. Previous version of Gson threw a StackOverflowException on encountering any self-referential fields. - The most visible impact of this is that Gson can now serialize Throwable (Exception and Error) - Added support for [@​JsonAdapter](https://togithub.com/JsonAdapter) annotation on enums which are user defined types - Fixed bug in getPath() with array of objects and arrays of arrays - Other smaller bug fixes ### [`v2.3`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-231) *2014-11-20* - Added support to serialize objects with self-referential fields. The self-referential field is set to null in JSON. Previous version of Gson threw a StackOverflowException on encountering any self-referential fields. - The most visible impact of this is that Gson can now serialize Throwable (Exception and Error) - Added support for [@​JsonAdapter](https://togithub.com/JsonAdapter) annotation on enums which are user defined types - Fixed bug in getPath() with array of objects and arrays of arrays - Other smaller bug fixes ### [`v2.2.4`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-224) *2013-05-13* - Fix internal map (LinkedHashTreeMap) hashing bug. - Bug fix (Issue 511) ### [`v2.2.3`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-223) *2013-04-12* - Fixes for possible DoS attack due to poor String hashing ### [`v2.2.2`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-222) *2012-07-02* - Gson now allows a user to override default type adapters for Primitives and Strings. This behavior was allowed in earlier versions of Gson but was prohibited started Gson 2.0. We decided to allow it again: This enables a user to parse 1/0 as boolean values for compatibility with iOS JSON libraries. - (Incompatible behavior change in `JsonParser`): In the past, if `JsonParser` encountered a stream that terminated prematurely, it returned `JsonNull`. This behavior wasn't correct because the stream had invalid JSON, not a null. `JsonParser` is now changed to throw `JsonSyntaxException` in this case. Note that if JsonParser (or Gson) encounter an empty stream, they still return `JsonNull`. ### [`v2.2.1`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-221) *2012-05-05* - Very minor fixes ### [`v2.2`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-224) *2013-05-13* - Fix internal map (LinkedHashTreeMap) hashing bug. - Bug fix (Issue 511)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.