Update Mend: high confidence minor and patch dependency updates

[mend-for-github.amrom.workers.dev]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.postgresql:postgresql (source)	42.3.1 -> 42.7.8
org.javassist:javassist (source)	3.27.0-GA -> 3.30.2-GA
com.auth0:java-jwt	4.0.0 -> 4.5.0
io.jsonwebtoken:jjwt	0.9.1 -> 0.13.0
org.yaml:snakeyaml	1.21 -> 1.33
org.projectlombok:lombok (source)	1.18.20 -> 1.18.42
org.apache.httpcomponents:httpasyncclient (source)	4.1.4 -> 4.1.5
org.jsoup:jsoup (source)	1.10.2 -> 1.21.2
org.apache.poi:poi-ooxml	3.9 -> 3.17
org.apache.poi:poi	3.10-FINAL -> 3.17
com.thoughtworks.xstream:xstream (source)	1.4.10 -> 1.4.21
commons-net:commons-net (source)	3.6 -> 3.12.0
org.jolokia:jolokia-core (source)	1.6.0 -> 1.7.2
org.apache.logging.log4j:log4j-api (source)	2.9.1 -> 2.25.2
org.apache.logging.log4j:log4j-core (source)	2.9.1 -> 2.25.2
org.apache.httpcomponents:httpclient (source)	4.5.12 -> 4.5.14
commons-lang:commons-lang (source)	2.4 -> 2.6
commons-collections:commons-collections	3.1 -> 3.2.2
com.google.guava:guava	23.0 -> 23.6.1-jre
org.jdom:jdom2 (source)	2.0.6 -> 2.0.6.1
com.alibaba:fastjson	1.2.24 -> 1.2.83_noneautotype
mysql:mysql-connector-java	8.0.12 -> 8.0.33
org.springframework.boot:spring-boot-starter-parent (source)	1.5.1.RELEASE -> 1.5.22.RELEASE

---

Release Notes

pgjdbc/pgjdbc (org.postgresql:postgresql)

v42.7.8

Added

• feat: Add configurable boolean-to-numeric conversion for ResultSet getters PR #​3796

Changed

• perf: remove QUERY_ONESHOT flag when calling getMetaData PR #​3783
• perf: use BufferedInputStream with FileInputStream PR #​3750
• perf: enable server-prepared statements for DatabaseMetaData

Fixed

• fix: avoid NullPointerException when cancelling a query if cancel key is not known yet
• fix: Change "PST" timezone in TimestampTest to "Pacific Standard Time" PR #​3774
• fix: traverse the current dimension to get the correct pos in PgArray#calcRemainingDataLength PR #​3746
• fix: make sure getImportedExportedKeys returns columns in consistent order
• fix: Add "SELF_REFERENCING_COL_NAME" field to getTables' ResultSetMetaData to fix NullPointerException PR #​3660
• fix: unable to open replication connection to servers < 12
• fix: avoid closing statement caused by driver's internal ResultSet#close()
• fix: return empty metadata for empty catalog names as it was before
• fix: Incorrect class comparison in PGXmlFactoryFactory validation

v42.7.7

Security

• security: Client Allows Fallback to Insecure Authentication Despite channelBinding=require configuration.
  Fix channel binding required handling to reject non-SASL authentication
  Previously, when channel binding was set to "require", the driver would silently ignore this
  requirement for non-SASL authentication methods. This could lead to a false sense of security
  when channel binding was explicitly requested but not actually enforced. The fix ensures that when
  channel binding is set to "require", the driver will reject connections that use
  non-SASL authentication methods or when SASL authentication has not completed properly.
  See the Security Advisory for more detail. Reported by George MacKerron
  The following CVE-2025-49146 has been issued

Added

• test: Added ChannelBindingRequiredTest to verify proper behavior of channel binding settings

v42.7.6

Features

• fix: Enhanced DatabaseMetadata.getIndexInfo() method, added index comment as REMARKS property PR #​3513

Performance Improvements

• performance: Improve ResultSetMetadata.fetchFieldMetaData by using IN row values instead of UNION ALL for improved query performance (later reverted) PR #​3510
• feat:Use a single simple query for all startup parameters, so groupStartupParameters is no longer needed PR #​3613

v42.7.5

Added

• ci: Test with Java 23 PR #​3381

Fixed

• regression: revert change in fc60537 PR #​3476
• fix: PgDatabaseMetaData implementation of catalog as param and return value PR #​3390
• fix: Support default GSS credentials in the Java Postgres client PR #​3451
• fix: return only the transactions accessible by the current_user in XAResource.recover PR #​3450
• feat: don't force send extra_float_digits for PostgreSQL >= 12 fix Issue #​3432 PR #​3446
• fix: exclude "include columns" from the list of primary keys PR #​3434
• perf: Enhance the meta query performance by specifying the oid. PR #​3427
• feat: support getObject(int, byte[].class) for bytea PR #​3274
• docs: document infinity and some minor edits PR #​3407
• fix: Added way to check for major server version, fixed check for RULE PR #​3402
• docs: fixed remaining paragraphs PR #​3398
• docs: fixed paragraphs in javadoc comments PR #​3397
• fix: Reuse buffers and reduce allocations in GSSInputStream addresses Issue #​3251 PR #​3255
• chore: Update Gradle to 8.10.2 PR #​3388
• fix: getSchemas() PR #​3386
• fix: Update rpm postgresql-jdbc.spec.tpl with scram-client PR #​3324
• fix: Clearing thisRow and rowBuffer on close() of ResultSet Issue #​3383 PR #​3384
• fix: Package was renamed to maven-bundle-plugin PR #​3382
• fix: As of version 18 the RULE privilege has been removed PR #​3378
• fix: use buffered inputstream to create GSSInputStream PR #​3373
• test: get rid of 8.4, 9.0 pg versions and use >= jdk version 17 PR #​3372
• Changed docker-compose version and renamed script file in instructions to match the real file name PR #​3363
• test:Do not assume "test" database in DatabaseMetaDataTransactionIsolationTest PR #​3364
• try to categorize dependencies PR #​3362

v42.7.4

Added

• chore: SCRAM dependency to 3.1 and support channel binding PR #​3188
• chore: Add PostgreSQL 15, 16, and 17beta1 to CI tests PR #​3299
• test: Update to 17beta3 PR #​3308
• chore: Implement direct SSL ALPN connections PR #​3252
• translation: Add Korean translation file PR #​3276

Fixed

• fix: PgInterval ignores case for represented interval string PR #​3344
• perf: Avoid extra copies when receiving int4 and int2 in PGStream PR #​3295
• fix: Add support for Infinity::numeric values in ResultSet.getObject PR #​3304
• fix: Ensure order of results for getDouble PR #​3301
• perf: Replace BufferedOutputStream with unsynchronized PgBufferedOutputStream, allow configuring different Java and SO_SNDBUF buffer sizes PR #​3248
• fix: Fix SSL tests PR #​3260
• fix: Support bytea in preferQueryMode=simple PR #​3243
• fix: Fix #​3234 - Return -1 as update count for stored procedure calls PR #​3235
• fix: Fix #​3224 - conversion for TIME '24:00' to LocalTime breaks in binary-mode PR #​3225
• perf: Speed up getDate by parsing bytes instead of String PR #​3141
• fix: support PreparedStatement.setBlob(1, Blob) and PreparedStatement.setClob(1, Clob) for lobs that return -1 for length PR #​3136
• fix: Validates resultset Params in PGStatement constructor. uses assertThro… PR #​3171
• fix: Validates resultset parameters PR #​3167
• docs: Replace greater to with greater than PR #​3315
• docs: Clarify binaryTransfer and prepareThreshold PR #​3338
• docs: use.md, typo PR #​3314
• test: Use docker v2 which changes docker-compose to docker compose #​3339
• refactor: Merge PgPreparedStatement#setBinaryStream int and long methods PR #​3165
• test: Test both binaryMode=true,false when creating connections in DatabaseMetaDataTest PR #​3231
• docs: Fixed typos in all source code and documentations PR #​3242
• chore: Remove self-hosted runner PR #​3227
• docs: Add cancelSignalTimeout in README PR #​3190
• docs: Document READ_ONLY_MODE in README PR #​3175
• test: Test for +/- infinity double values PR #​3294
• test: Switch localhost and auth-test around for test-gss PR #​3343
• fix: remove preDescribe from internalExecuteBatch PR #​2883
• deps: Update dependency om.ongres.scram:scram-client to 3.2

Deprecated

• test: Deprecate all PostgreSQL versions older than 9.1 PR #​3335

v42.7.3

Changed

• chore: gradle config enforces 17+ PR #​3147

Fixed

• fix: boolean types not handled in SimpleQuery mode PR #​3146
  • make sure we handle boolean types in simple query mode
  • support uuid as well
  • handle all well known types in text mode and change else if to switch
• fix: released new versions of 42.2.29, 42.3.10, 42.4.5, 42.5.6, 42.6.2 to deal with NoSuchMethodError on ByteBuffer#position when running on Java 8

v42.7.2

Security

• security: SQL Injection via line comment generation, it is possible in SimpleQuery mode to generate a line comment by having a placeholder for a numeric with a -
  such as -?. There must be second placeholder for a string immediately after. Setting the parameter to a -ve value creates a line comment.
  This has been fixed in this version fixes CVE-2024-1597. Reported by Paul Gerste. See the security advisory for more details. This has been fixed in versions 42.7.2, 42.6.1 42.5.5, 42.4.4, 42.3.9, 42.2.28.jre7. See the security advisory for work arounds.

Changed

• fix: Use simple query for isValid. Using Extended query sends two messages checkConnectionQuery was never ever set or used, removed PR #​3101
• perf: Avoid autoboxing bind indexes by @​bokken in PR #​1244
• refactor: Document that encodePassword will zero out the password array, and remove driver's default encodePassword by @​vlsi in PR #​3084

Added

• feat: Add PasswordUtil for encrypting passwords client side PR #​3082

v42.7.1

Changed

• perf: improve performance of PreparedStatement.setBlob, BlobInputStream, and BlobOutputStream with dynamic buffer sizing PR #​3044

Fixed

• fix: Apply connectTimeout before SSLSocket.startHandshake to avoid infinite wait in case the connection is broken PR #​3040
• fix: support waffle-jna 2.x and 3.x by using reflective approach for ManagedSecBufferDesc PR #​2720 Fixes Issue #​2690.
• fix: NoSuchMethodError on ByteBuffer#position When Running on Java 8 when accessing arrays, fixes Issue #​3014
• Revert "PR #​2925 Use canonical DateStyle name" PR #​3035
  Fixes Issue #​3008
• Revert "PR ##​2973 feat: support SET statements combining with other queries with semicolon in PreparedStatement" PR #​3010
  Fixes Issue #​3007
• fix: avoid timezone conversions when sending LocalDateTime to the database #​2852 Fixes Issue #​1390
  ,Issue #​2850
  Closes [Issue #​1391(#​1391)

v42.7.0

Changed

• fix: Deprecate for removal PGPoint.setLocation(java.awt.Point) to cut dependency to java.desktop module. PR #​2967
• feat: return all catalogs for getCatalogs metadata query closes ISSUE #​2949 PR #​2953
• feat: support SET statements combining with other queries with semicolon in PreparedStatement PR ##​2973

Fixed

• chore: add styleCheck Gradle task to report style violations PR #​2980
• fix: Include currentXid in "Error rolling back prepared transaction" exception message PR #​2978
• fix: add varbit as a basic type inside the TypeInfoCache PR #​2960
• fix: Fix failing tests for version 16. PR #​2962
• fix: allow setting arrays with ANSI type name PR #​2952
• feat: Use KeepAlive to confirm LSNs PR #​2941
• fix: put double ' around log parameter PR #​2936 fixes ISSUE #​2935
• fix: Fix Issue #​2928 number of ports not equal to number of servers in datasource PR #​2929
• fix: Use canonical DateStyle name (#​2925) fixes pgbouncer issue
• fix: Method getFastLong should be able to parse all longs PR #​2881
• docs: Fix typos in info.html PR #​2860
• fix: Return correct default from PgDatabaseMetaData.getDefaultTransactionIsolation PR #​2992 fixes Issue #​2991
• test: fix assertion in RefCursorFetchTestultFetchSize rows
• test: use try-with-resources in LogicalReplicationStatusTest

v42.6.0

Changed

• fix: use PhantomReferences instead of Obejct.finalize() to track Connection leaks PR #​2847

  The change replaces all uses of Object.finalize with PhantomReferences.
  The leaked resources (Connections) are tracked in a helper thread that is active as long as
  there are connections in use. By default, the thread keeps running for 30 seconds after all
  the connections are released. The timeout is set with pgjdbc.config.cleanup.thread.ttl system property.

• refactor:(loom) replace the usages of synchronized with ReentrantLock PR #​2635
  Fixes Issue #​1951

v42.5.4

Fixed

• fix: fix testGetSQLTypeQueryCache by searching for xid type. We used to search for box type but it is now cached. xid is not cached, this nuance is required for the test.
• fix OidValueCorrectnessTest BOX_ARRAY OID, by adding BOX_ARRAY to the oidTypeName map [PR #​2810]((#​2810).
• fixes Issue #​2804.
• fix: Make sure that github CI runs tests on all(https://github.com/pgjdbc/pgjdbc/pull/2809)dbc/pgjdbc/pull/2809\)).

v42.5.3

Fixed

• fix: Add box to TypeInfoCache, fixes Issue #​2746 PR #​2747
• fix: regression in PgResultSet LONG_MIN copy and paste error fixes Issue #​2748 PR#2749

v42.5.2

Changed

• regression: This release has 2 known regressions which make it unusable see the notes above. We advise people to use 42.5.3 instead.
• docs: specify that timeouts are in seconds and there is a maximum. Housekeeping on some tests fixes #Issue 2671 PR #​2686
• docs: clarify binaryTransfer and add it to README PR# 2698
• docs: Document the need to encode reserved characters in the connection URL PR #​2700
• feat: Define binary transfer for custom types dynamically/automatically fixes Issue #​2554 PR #​2556

Added

• fix: added gssResponseTimeout as part of PR #​2687 to make sure we don't wait forever on a GSS RESPONSE

Fixed

• fix: Ensure case of XML tags in Maven snippet is correct PR #​2682
• fix: Make sure socket is closed if an exception is thrown in createSocket fixes Issue #​2684 PR #​2685
• fix: Apply patch from Issue #​2683 to fix hanging ssl connections PR #​2687
• fix - binary conversion of (very) long numeric values (longer than 4 * 2^15 digits) PR #​2697 fixes Issue #​2695
• minor: enhance readability connection of startup params PR #​2705

v42.5.1

Security

• security: StreamWrapper spills to disk if setText, or setBytea sends very large Strings or arrays to the server. createTempFile creates a file which can be read by other users on unix like systems (Not macos).
  This has been fixed in this version fixes CVE-2022-41946 see the security advisory for more details. Reported by Jonathan Leitschuh This has been fixed in versions 42.5.1, 42.4.3 42.3.8, 42.2.27.jre7. Note there is no fix for 42.2.26.jre6. See the security advisory for work arounds.

Fixed

• fix: make sure we select array_in from pg_catalog to avoid duplicate array_in functions fixes #Issue 2548 PR #​2552
• fix: binary decoding of bool values PR #​2640
• perf: improve performance of PgResultSet getByte/getShort/getInt/getLong for float-typed columns PR #​2634
• chore: fix various spelling errors PR #​2592
• chore: Feature/urlparser improve URLParser PR #​2641

v42.5.0

Changed

• fix: revert change in PR #​1986 where float was aliased to float4 from float8.
  float now aliases to float8 PR #​2598 fixes Issue #​2597

v42.4.2

Changed

• fix: add alias to the generated getUDT() query for clarity (PR #​2553)[#​2553]

Added

• fix: make setObject accept UUID array PR #​2587

Fixed

• fix: regression with GSS. Changes introduced to support building with Java 17 caused failures Issue #​2588
• fix: set a timeout to get the return from requesting SSL upgrade. PR #​2572
• feat: synchronize statement executions (e.g. avoid deadlock when Connection.isValid is executed from concurrent threads)

v42.4.1

Security

• fix: CVE-2022-31197 Fixes SQL generated in PgResultSet.refresh() to escape column identifiers so as to prevent SQL injection.
  • Previously, the column names for both key and data columns in the table were copied as-is into the generated
    SQL. This allowed a malicious table with column names that include statement terminator to be parsed and
    executed as multiple separate commands.
  • Also adds a new test class ResultSetRefreshTest to verify this change.
  • Reported by Sho Kato

Changed

• chore: skip publishing pgjdbc-osgi-test to Central
• chore: bump Gradle to 7.5
• test: update JUnit to 5.8.2

Added

• chore: added Gradle Wrapper Validation for verifying gradle-wrapper.jar
• chore: added "permissions: contents: read" for GitHub Actions to avoid unintentional modifications by the CI
• chore: support building pgjdbc with Java 17
• feat: synchronize statement executions (e.g. avoid deadlock when Connection.isValid is executed from concurrent threads)

v42.4.0

Changed

• fix: added GROUP_STARTUP_PARAMETERS boolean property to determine whether or not to group
  startup parameters in a transaction (default=false like 42.2.x) fixes Issue #​2425
  pgbouncer cannot deal with transactions in statement pooling mode PR #​2425

Fixed

• fix: queries with up to 65535 (inclusive) parameters are supported now (previous limit was 32767)
  PR #​2525, Issue #​1311
• fix: workaround JarIndex parsing issue by using groupId/artifactId-version directory namings.
  Regression since 42.2.13. PR #​2531, issue #​2527
• fix: use Locale.ROOT for toUpperCase() toLowerCase() calls
• doc: add Vladimir Sitnikov's PGP key
• fix: return correct base type for domain from getUDTs PR #​2520 Issue #​2522
• perf: utcTz static and renamed to UTC_TIMEZONE PR #​2519
• doc: fix release version for #​2377 (it should be 42.3.6, not 42.3.5)

v42.3.6

Changed

Added

Fixed

• fix: close refcursors when underlying cursor==null instead of relying on defaultRowFetchSize PR #​2377

v42.3.5

Changed

• test: polish TimestampUtilsTest
• chore: use GitHub Action concurrency feature to terminate CI jobs on fast PR pushes

Added

• Added KEYS file to allow for verifying artifacts PR 2499

Fixed

• perf: enable tcpNoDelay by default PR 2495.
  This is a regression from 42.2.x versions where tcpNoDelay defaulted to true
• docs: fix readme.md after PR 2495 PR 2496
• feat: targetServerType=preferPrimary connection parameter PR 2483
• fix: revert removal of toOffsetDateTime(String timestamp) fixes Issue #​2497 PR 2501

v42.3.4

Changed

• fix: change name of build cache PR 2471
• feat: add support for ResultSet#getObject(OffsetTime.class) and PreparedStatement#setObject(OffsetTime.class) PR 2467
• fix: Use non-synchronized getTimeZone in TimestampUtils PR 2451
• docs: Fix CHANGELOG.md misformatted markdown headings PR 2461
• docs: remove loggerLevel and loggerFile from docs and issues PR 2489
• feat: use direct wire format -> LocalDate conversion without resorting to java.util.Date, java.util.Calendar,
  and default timezones PR 2464 fixes Issue #​2221

Added

Fixed

• docs: Update testing documentation PR 2446
• fix: Throw an exception if the driver cannot parse the URL instead of returning NULL fixes Issue #​2421 PR 2441
• fix: Use PGProperty instead of the property names directly PR 2444
• docs: update changelog, missing links at bottom and formatting PR 2460
• fix: Remove isDeprecated from PGProperty. It was originally intended to help produce automated docs. Fixes Issue #​2479 PR 2480
• fix: change PGInterval parseISO8601Format to support fractional second PR 2457
• fix: GSS login to use TGT from keytab fixes Issue #​2469 PR 2470
• fix: More test and fix for issues discovered by PR #​2476 PR #​2488

v42.3.3

Changed

• fix: Removed loggerFile and loggerLevel configuration. While the properties still exist.
  They can no longer be used to configure the driver logging. Instead use java.util.logging
  configuration mechanisms such as logging.properties.

Added

Fixed

v42.3.2

Security

• CVE-2022-21724 pgjdbc instantiates plugin instances based on class names provided via authenticationPluginClassName,
  sslhostnameverifier, socketFactory, sslfactory, sslpasswordcallback connection properties.
  However, the driver did not verify if the class implements the expected interface before instantiating the class. This
  would allow a malicious class to be instantiated that could execute arbitrary code from the JVM. Fixed in commit

Changed

• perf: read in_hot_standby GUC on connection PR #​2334
• test: materialized view privileges PR #​2209 fixes Issue #​2060
• docs: add info about convenience maven project PR #​2407
• docs: Document timezone reversal from POSIX to ISO PR #​2413
• fix: we will ask the server if it supports GSS Encryption if gssEncryption
  is prefer or require PR #​2396 remove the need to have a ticket in the cache before asking the server if gss encryptions are supported
• docs: remove Java 6 and 7 references from contributing PR #​2385
• style: remove Java 8 / JDBC 4.2 checks PR #​2383 Remove all remaining checks whether the source is lower than Java 8
  or JDBC 4.2.
• fix: throw SQLException for #getBoolean BIT(>1) PR #​2386 Throw SQLException instead of ClassCastException when calling
  CallableStatement#getBoolean(int) on BIT(>1).
• style: import java.time types in more classes PR #​2382 Use imports for java.time types in all remaining classes.
• style: import java.time types in TimestampUtils PR #​2380 Use imports for java.time types in TimestampUtils.
• refactor: Change internal constructors to pass only connection Properties
  Changes internal constructors for PgConnection and related classes to only accept the connection properties object and
  remove the user and password arguments. Any locations that required those fields can retrieve them from the properties map.
• test: Fix DatabaseMetadataTest to perform mview tests only on 9.3+
• perf: read in_hot_standby GUC on connection PR #​2334
• doc: improv doc around binary decoding of numeric data #​2331
• Add cert key type checking to chooseClientAlias PR #​2417

Added

• feat: Add authenticationPluginClassName option to provide passwords at runtime
  Adds authenticationPluginClassName connection property that allows end users to specify a class
  that will provide the connection passwords at runtime. Users implementing that interface must
  ensure that each invocation of the method provides a new char[] array as the contents
  will be filled with zeroes by the driver after use.Call sites within the driver have been updated to use the char[] directly wherever possible.
  This includes direct usage in the GSS authentication code paths that internally were already converting the String password into a char[] for internal usage.
  This allows configuring a connection with a password that must be generated on the fly or periodically changes. PR #​2369 original issue Issue #​2102
• feat: add tcpNoDelay option PR #​2341 fixes Issue #​2324
• feat: pg_service.conf and .pgpass support (jdbc:postgresql://?service=my-service) PR #​2260 fixes Issue #​2278

Fixed

• Use local TimestampUtil in PgStatement and PgResultset for thread safety PR #​2291
  fixes Issue #​921 synchronize modification of shared calendar
• fix: PgObject isNull() was reporting the opposite fixes Issue #​2411 PR #​2414
• fix: default file name is ".pg_service.conf" on Windows (not "pg_service.conf") PR #​2398 fixes Issue #​2278
• test: Fix RefCursorFetchTest on older platforms
• fix: do not close refcursor after reading if fetchsize has been set fixes Issue #​2227 PR #​2371
• fix: rework gss authentication to use the principal name to get the credentials fixes Issue #​2235 PR #​2352
• fix: return getIndexInfo metadata columns in UPPER CASE [PR #​2368](https://github.com/pgjdbc/pgjd

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box