Skip to content

build(deps): bump org.http4k:http4k-core from 5.46.0.0 to 6.49.0.0 in /bolt-http4k#1607

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/bolt-http4k/org.http4k-http4k-core-6.49.0.0
Open

build(deps): bump org.http4k:http4k-core from 5.46.0.0 to 6.49.0.0 in /bolt-http4k#1607
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/bolt-http4k/org.http4k-http4k-core-6.49.0.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 23, 2026

Copy link
Copy Markdown
Contributor

Bumps org.http4k:http4k-core from 5.46.0.0 to 6.49.0.0.

Release notes

Sourced from org.http4k:http4k-core's releases.

6.49.0.0

Changelog:

  • http4k-*: Upgrade versions
  • http4k-core: [Break] reverseProxy()/reverseProxyRouting() now default to Exact host matching instead of Contains, so a request Host header that merely contains a configured virtual host (e.g. host1.evil.com for vhost host1) no longer routes to it. Pass matcher = Contains to opt back into substring matching.
  • http4k-core: [Unlikely break] ExecutorService.withRequestTracing() applies a defaultTimeout (60s by default, configurable) to the untimed invokeAll/invokeAny so a slow or dead task can no longer pin pool threads indefinitely. No code change needed; only affects callers whose tasks legitimately ran longer than default.
  • http4k-core: [Unlikely break] Header.AUTHORIZATION_BASIC / Request.basicAuthentication() now return null for any malformed Basic credentials (wrong scheme, invalid base64, or no colon in the decoded value) instead of manufacturing Credentials("", ""). Lets callers reliably distinguish absent/invalid credentials from genuinely empty ones.
  • http4k-server-netty: [Unlikely break] Cap aggregated request body size at 10MB (was unbounded ~2GB) to prevent OOM; oversized requests now get a 413 Request Entity Too Large. Duplicate and modify the Netty class if you need a different limit.
  • http4k-core: [Unlikely break] Cap GZip decompression at 10MB (was unbounded) to prevent possible OOM; oversized requests through ServerFilters.GZip/RequestFilters.GunZip now get a 413 Request Entity Too Large, and decompressing elsewhere throws SizeLimitExceededException. Duplicate and modify the Gzip functions if you need a different limit.
  • http4k-core: [Unlikely break] ServerFilters.Cors no longer emits the spec-invalid Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true.
  • http4k-core: [Fix] bearerToken() extracts the token for any casing of the Bearer scheme (e.g. BEARER), instead of returning the raw header value.
  • http4k-core: [Fix] Improve safe path parsing in ResourceLoader.Classpath
  • http4k-core: [Deprecation] Add Sha256 (with hash and hmac) and deprecate HmacSha256, whose hash was misleadingly unkeyed SHA-256. Replace HmacSha256.hash/hmacSHA256 with Sha256.hash/Sha256.hmac.
  • http4k-connect-openfeature: [New module] Standard OpenFeature Remote Evaluation Protocol client
  • http4k-connect-openfeature-fake: [New module] Fake to setup and evaluate OpenFeature flags
  • http4k-ops-openfeature: [New module] Support for plugging OpenFeature into request chain, including typesafe lenses for extracting flags from prinicpal and context during request processing.
  • http4k-bridge-vertx: Stream request and response bodies instead of buffering.
  • http4k-bridge-ratpack: Stream request and response bodies instead of buffering.

6.48.0.0

Changelog:

  • http4k-*: Upgrade versions
  • http4k-security-digest: [Break] Remove default Nonce verifier option so avoid bad config
  • http4k-core: [Break] Deprecate BasicCookieStorage (rename to InsecureCookieStorage) and replace with RFC 6265 compliant DefaultCookieStorage. This should be a drop-in replacement.
  • http4k-core: [Deprecation] Rename Java8HttpClient -> URLConnectionHttpCilent
  • http4k-core: [Fix] Handle brace quantifiers in UriTemplate regex patterns. H/T @​ukman48
  • http4k-connect-amazon-iamidentitycenter: Update amazon sso grant type wire values. H/T @​oharaandrew314
  • http4k-connect-amazon-s3: Allow content streaming for S3 via connect H/T @​asadmanji
  • http4k-core: Rejects illegal characters in Status description field (could break HTTP message)
  • http4k-client-okhttp: Fix request streaming

6.47.2.0

Changelog:

  • http4k-*: Upgrade versions
  • http4k-connect-amazon-kms-fake: FakeKMS to generate keys with an injectable SecureRandom; allowing for deterministic testing.

6.47.1.0

Changelog:

  • http4k-*: Upgrade versions
  • http4k-bridge-spring: Add support for SSE and WS bridging

6.47.0.0

Changelog:

  • http4k-*: Upgrade versions
  • http4k-platform-aws: [Unlikely break] - Fix #1533 Aws sig4 path canonicalization needs double encoding. H/T @​aharin
  • http4k-ai-mcp-a2a-bridge: [New Pro module!] Expose any A2A server as an MCP server, allowing for LLM -> LLM communication.
  • http4k-wiretap: Better recording of incoming HTTP requests.
  • http4k-connect-amazon-iamidentitycenter: [Fix] Use generated JSON adapters for SSOCacheManager. H/T @​oharaandrew314

6.46.1.0

Changelog:

... (truncated)

Changelog

Sourced from org.http4k:http4k-core's changelog.

v6.49.0.0

  • http4k-*: Upgrade versions
  • http4k-core: [Break] reverseProxy()/reverseProxyRouting() now default to Exact host matching instead of Contains, so a request Host header that merely contains a configured virtual host (e.g. host1.evil.com for vhost host1) no longer routes to it. Pass matcher = Contains to opt back into substring matching.
  • http4k-core: [Unlikely break] ExecutorService.withRequestTracing() applies a defaultTimeout (60s by default, configurable) to the untimed invokeAll/invokeAny so a slow or dead task can no longer pin pool threads indefinitely. No code change needed; only affects callers whose tasks legitimately ran longer than default.
  • http4k-core: [Unlikely break] Header.AUTHORIZATION_BASIC / Request.basicAuthentication() now return null for any malformed Basic credentials (wrong scheme, invalid base64, or no colon in the decoded value) instead of manufacturing Credentials("", ""). Lets callers reliably distinguish absent/invalid credentials from genuinely empty ones.
  • http4k-server-netty: [Unlikely break] Cap aggregated request body size at 10MB (was unbounded ~2GB) to prevent OOM; oversized requests now get a 413 Request Entity Too Large. Duplicate and modify the Netty class if you need a different limit.
  • http4k-core: [Unlikely break] Cap GZip decompression at 10MB (was unbounded) to prevent possible OOM; oversized requests through ServerFilters.GZip/RequestFilters.GunZip now get a 413 Request Entity Too Large, and decompressing elsewhere throws SizeLimitExceededException. Duplicate and modify the Gzip functions if you need a different limit.
  • http4k-core: [Unlikely break] ServerFilters.Cors no longer emits the spec-invalid Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true.
  • http4k-core: [Fix] bearerToken() extracts the token for any casing of the Bearer scheme (e.g. BEARER), instead of returning the raw header value.
  • http4k-core: [Fix] Improve safe path parsing in ResourceLoader.Classpath
  • http4k-core: [Deprecation] Add Sha256 (with hash and hmac) and deprecate HmacSha256, whose hash was misleadingly unkeyed SHA-256. Replace HmacSha256.hash/hmacSHA256 with Sha256.hash/Sha256.hmac.
  • http4k-connect-openfeature: [New module] Standard OpenFeature Remote Evaluation Protocol client
  • http4k-connect-openfeature-fake: [New module] Fake to setup and evaluate OpenFeature flags
  • http4k-ops-openfeature: [New module] Support for plugging OpenFeature into request chain, including typesafe lenses for extracting flags from prinicpal and context during request processing.
  • http4k-bridge-vertx: Stream request and response bodies instead of buffering.
  • http4k-bridge-ratpack: Stream request and response bodies instead of buffering.

v6.48.0.0

  • http4k-*: Upgrade versions
  • http4k-security-digest: [Break] Remove default Nonce verifier option so avoid bad config
  • http4k-core: [Break] Deprecate BasicCookieStorage (rename to InsecureCookieStorage) and replace with RFC 6265 compliant DefaultCookieStorage. This should be a drop-in replacement.
  • http4k-core: [Deprecation] Rename Java8HttpClient -> URLConnectionHttpCilent
  • http4k-core: [Fix] Handle brace quantifiers in UriTemplate regex patterns. H/T @​ukman48
  • http4k-connect-amazon-iamidentitycenter: Update amazon sso grant type wire values. H/T @​oharaandrew314
  • http4k-connect-amazon-s3: Allow content streaming for S3 via connect H/T @​asadmanji
  • http4k-core: Rejects illegal characters in Status description field (could break HTTP message)
  • http4k-client-okhttp: Fix request streaming

v6.47.2.0

  • http4k-*: Upgrade versions
  • http4k-connect-amazon-kms-fake: FakeKMS to generate keys with an injectable SecureRandom; allowing for deterministic testing.

v6.47.1.0

  • http4k-*: Upgrade versions
  • http4k-bridge-spring: Add support for SSE and WS bridging

v6.47.0.0

  • http4k-*: Upgrade versions
  • http4k-platform-aws: [Unlikely break] - Fix #1533 Aws sig4 path canonicalization needs double encoding. H/T @​aharin
  • http4k-ai-mcp-a2a-bridge: [New Pro module!] Expose any A2A server as an MCP server, allowing for LLM -> LLM communication.
  • http4k-wiretap: Better recording of incoming HTTP requests.
  • http4k-connect-amazon-iamidentitycenter: [Fix] Use generated JSON adapters for SSOCacheManager. H/T @​oharaandrew314

v6.46.1.0

  • http4k-*: Upgrade versions
  • http4k-*: Various Moshi adapters converted to be Factories instead of using annotation based lookup
  • http4k-connect-amazon-sts-*: Add GetCallerIdentity support to STS client and fake. H/T @​feknall

v6.46.0.0

  • http4k-*: Upgrade versions

... (truncated)

Commits
  • f90e7b8 Release 6.49.0.0
  • d70b6c1 Fix compile of ClientFiltersTest.kt
  • ddfc0a5 Use supportedOrNull to handle unsupported HTTP methods
  • 741a5d9 Replace toLong with toLongOrNull in Ktor bridge
  • 14c869e Change messages for oaith nonce and state mismatches
  • a5b94ab Add sensitive header stripping for cross-origin redirects in FollowRedirects ...
  • 2e06b73 Update OkHttp to use TLS instead of SSL for SSLContext
  • a6707f6 Use secureEquals for comparing tokens
  • 7c5e307 SecureEqual fails for null && null comparison
  • cff8fec Introduce robust handling for unsupported HTTP methods across serverless modu...
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java This is a label that @dependabot automatically creates. We don't use it. labels Jun 23, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 23, 2026 11:59
Bumps [org.http4k:http4k-core](https://github.com/http4k/http4k) from 5.46.0.0 to 6.49.0.0.
- [Release notes](https://github.com/http4k/http4k/releases)
- [Changelog](https://github.com/http4k/http4k/blob/master/CHANGELOG.md)
- [Commits](http4k/http4k@5.46.0.0...6.49.0.0)

---
updated-dependencies:
- dependency-name: org.http4k:http4k-core
  dependency-version: 6.49.0.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/maven/bolt-http4k/org.http4k-http4k-core-6.49.0.0 branch from 22bc712 to 370206a Compare July 10, 2026 19:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file java This is a label that @dependabot automatically creates. We don't use it.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants