
VM-332 - MEND - Update dependency com.squareup.retrofit2:converter-jackson to v2.10.0 #19

Status: Open. Wants to merge 1 commit into base: master.

Conversation

@copper-mend-app copper-mend-app bot commented May 23, 2024

This PR contains the following updates:

| Package | Change |
|---|---|
| com.squareup.retrofit2:converter-jackson | 2.6.0 -> 2.10.0 |

This PR resolves the vulnerabilities described in Issue #17


Version 2.6.0

| Risk Change | Critical | High | Medium | Low |
|---|---|---|---|---|
| N/A | 15 | 37 | 2 | 0 |

Version 2.10.0

| Risk Change | Critical | High | Medium | Low |
|---|---|---|---|---|
| -100% | 0 (-15) | 1 (-36) | 0 (-2) | 0 (--) |

Mend ensures you have the greatest risk reduction ("Recommended Fix", highlighted in green) by removing as many vulnerabilities as possible. Click to see how we calculate risk reduction.


Release Notes

square/retrofit (com.squareup.retrofit2:converter-jackson)

v2.10.0

New

  • Support using Unit as a response type. This can be used for non-body HTTP methods like HEAD or body-containing HTTP methods like GET where the body will be discarded without deserialization.

  • kotlinx.serialization converter!

    This was imported from github.com/JakeWharton/retrofit2-kotlinx-serialization-converter/ and remains unchanged from its 1.0.0 release.

    The Maven coordinates are com.squareup.retrofit2:converter-kotlinx-serialization.

  • JAXB 3 converter!

    The Maven coordinates are com.squareup.retrofit2:converter-jaxb3.

  • @Header, @Headers, and @HeaderMap can now set non-ASCII values through the allowUnsafeNonAsciiValues annotation property. These are not technically compliant with the HTTP specification, but are often supported or required by services.

  • Publish a BOM of all modules. The Maven coordinates are com.squareup.retrofit2:retrofit-bom.

  • Invocation now exposes the service Class<?> and the instance on which the method was invoked. This disambiguates the source when service inheritance is used.

  • A response type keeper annotation processor is now available for generating shrinker rules for all referenced types in your service interface. In some cases, it's impossible for static shrinker rules to keep the entirety of what Retrofit needs at runtime. This annotation processor generates those additional rules. For more info see its README.

Changed

  • Add shrinker rules to retain the generic signatures of built-in types (Call, Response, etc.) which are used via reflection at runtime.
  • Remove backpressure support from RxJava 2 and 3 adapters. Since we only deliver a single value and the Reactive Streams specification states that callers must request a non-zero subscription value, we never need to honor backpressure.
  • Kotlin Retrofit.create function now has a non-null lower bound. Even if you specified a nullable type before, this function would never return null.
  • Suspend functions now capture and defer all Throwable subtypes (not just Exception subtypes) to avoid Java's UndeclaredThrowableException when thrown synchronously.
  • Eagerly reject suspend fun functions that return Call<Body>. These are never correct, and should declare a return type of Body directly.
  • Support for Java 14-specific and Java 16-specific reflection needed to invoke default methods on interfaces has been moved to separate versions of a class through a multi-release jar. This should have no observable impact other than the jar now containing classes which target Java 14 and Java 16 bytecode, which might trip up some static analysis tools that are not aware of multi-release jars.
  • Parameter names are now displayed in exception messages when available in the underlying Java bytecode.
  • Jackson converter now supports binary formats by using byte streams rather than character streams in its implementation. Use the create(ObjectMapper, MediaType) overload to supply the value of the Content-Type header for your format.

Fixed

  • Do not include synthetic methods when doing eager validation.
  • Use per-method rather than per-class locking when parsing annotations. This eliminates contention when multiple calls are made in quick succession at the beginning of the process lifetime.

v2.9.0

  • New: RxJava 3 adapter!

    The Maven coordinates are com.squareup.retrofit2:adapter-rxjava3.

    Unlike the RxJava 1 and RxJava 2 adapters, the RxJava 3 adapter's create() method will produce asynchronous HTTP requests by default. For synchronous requests use createSynchronous() and for synchronous on a scheduler use createWithScheduler(..).

v2.8.2

  • Fix: Detect running on the Android platform by using system property rather than the presence of classes.
    This ensures that even when you're running on the JVM with Android classes present on the classpath you
    get JVM semantics.
  • Fix: Update to OkHttp 3.14.9 which contains an associated Android platform detection fix.

v2.8.1

  • Fix: Do not access MethodHandles.Lookup on Android API 24 and 25. The class is only available
    on Android API 26 and higher.

v2.8.0

  • New: Add Call.timeout() which returns the okio.Timeout of the full call.
  • Fix: Change Call.awaitResponse() to accept a nullable response type.
  • Fix: Support default methods on Java 14+. We had been working around a bug in earlier versions of
    Java. That bug was fixed in Java 14, and the fix broke our workaround.

v2.7.2

  • Fix: Update to OkHttp 3.14.7 for compatibility with Android R (API 30).

v2.7.1

  • Fix: Support 'suspend' functions in service interfaces when using 'retrofit-mock' artifact.

v2.7.0

This release changes the minimum requirements to Java 8+ or Android 5+.
See this blog post for more information on the change.

  • New: Upgrade to OkHttp 3.14.4. Please see its changelog for 3.x.
  • Fix: Allow service interfaces to extend other interfaces.
  • Fix: Ensure a non-null body is returned by Response.error.

v2.6.4

  • Fix: Support 'suspend' functions in service interfaces when using 'retrofit-mock' artifact.

v2.6.3

  • Fix: Change mechanism for avoiding UndeclaredThrowableException in rare cases from using yield
    to an explicit dispatch, which ensures that it will work even on dispatchers which do not support yielding.

v2.6.2

  • Fix: Avoid IOExceptions being wrapped in UndeclaredThrowableException in rare cases when using
    Response<..> as a return type for Kotlin 'suspend' functions.

v2.6.1

  • Fix: Avoid IOExceptions being wrapped in UndeclaredThrowableException in rare cases.
  • Fix: Include no-content ResponseBody for responses created by Response.error.
  • Fix: Update embedded R8/ProGuard rules to not warn about nested classes used for Kotlin extensions.

@copper-mend-app copper-mend-app bot added the security fix Security fix generated by Mend label May 23, 2024