[Tech] Bump the non-major-dependencies group in /backend with 19 updates

[dependabot]

Bumps the non-major-dependencies group in /backend with 19 updates:

Package	From	To
org.springframework.boot:spring-boot-dependencies	4.0.2	4.0.6
org.hibernate.orm:hibernate-spatial	7.2.1.Final	7.3.2.Final
org.geolatte:geolatte-geom	1.9.1	1.11
org.jetbrains.kotlinx:kotlinx-serialization-json	1.10.0	1.11.0
io.ktor:ktor-client-core	3.4.0	3.4.3
io.ktor:ktor-client-java	3.4.0	3.4.3
io.ktor:ktor-client-content-negotiation	3.4.0	3.4.3
io.ktor:ktor-serialization-kotlinx-json	3.4.0	3.4.3
io.ktor:ktor-client-mock	3.4.0	3.4.3
io.sentry:sentry	8.31.0	8.40.0
io.sentry:sentry-log4j2	8.31.0	8.40.0
org.springdoc:springdoc-openapi-starter-webmvc-ui	3.0.1	3.0.3
org.springframework.boot	4.0.2	4.0.6
jvm	2.2.21	2.3.21
plugin.spring	2.2.21	2.3.21
plugin.allopen	2.2.21	2.3.21
plugin.noarg	2.2.21	2.3.21
plugin.jpa	2.2.21	2.3.21
plugin.serialization	2.2.21	2.3.21

Updates org.springframework.boot:spring-boot-dependencies from 4.0.2 to 4.0.6

Release notes

Sourced from org.springframework.boot:spring-boot-dependencies's releases.

v4.0.6

🐞 Bug Fixes

• Default security is misconfigured when spring-boot-actuator-autoconfigure is present and spring-boot-health is not #50188
• Elasticsearch Rest5Client auto-configuration misconfigures underlying HTTP client #50187
• ApplicationPidFileWriter does not handle symlinks correctly #50185
• RandomValuePropertySource is not suitable for secrets #50183
• Cassandra auto-configuration misconfigures CqlSessionBuilder #50180
• ApplicationTemp does not handle symlinks correctly #50178
• Remote DevTools performs comparison incorrectly #50176
• spring.rabbitmq.ssl.verify-hostname is applied inconsistently #50174
• Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #50077
• Classic starters are missing several modules #50071
• Module spring-boot-resttestclient is missing from spring-boot-starter-test-classic #50069
• Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #50064
• EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #50039
• WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #50017
• Imports on a containing test class are ignored when a nested class has imports #50012
• With spring.jackson.use-jackson2-defaults set to true, FAIL_ON_UNKNOWN_PROPERTIES is enabled #49951
• 500 response from env endpoint when supplied pattern is invalid #49946
• Reactive MongoDB starter has a transitive dependency on the synchronous MongoDB driver #49945
• HTTP method is lost when configuring excludes in EndpointRequest #49943
• Honor HttpMethod for reactive additional endpoint paths #49880
• Docker Compose support doesn't work with apache/artemis image #49869
• Docker Compose support doesn't work with apache/activemq image #49866
• Spring Security's PathPatternRequestMatcher.Builder is not auto-configured when using WebMvcTest and spring-boot-security-test #49854
• API versioning path strategy should be applied path last as it is not meant to yield #49800

📔 Documentation

• Update docs to encourage Java fundamentals for beginners that prefer to learn that way #50146
• HTTP Service Interface Clients still document that API versioning can be configured via properties #50126
• Link to the observability section of the Lettuce documentation is broken #50097
• Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location #50085
• MySamlRelyingPartyConfiguration is missing a Kotlin sample #50024
• Incorrect default value for management.httpexchanges.recording.include in configuration metadata #50019
• Link to the Kubernetes documentation when discussing startup probes #50015
• Typo in JdbcSessionAutoConfiguration Javadoc #49873
• Clarify that configuration property default values are not available through the Environment #49851
• Document the need for Liquibase and Flyway starters #49839
• Kafka documentation refers to deprecated JSON serializer and deserializer classes #49826

🔨 Dependency Upgrades

• Upgrade to Elasticsearch Client 9.2.8 #50027
• Upgrade to Groovy 5.0.5 #49911
• Upgrade to Hibernate 7.2.12.Final #50134
• Upgrade to Jackson Bom 3.1.2 #50051
• Upgrade to Jaxen 2.0.1 #50104
• Upgrade to Jaybird 6.0.5 #49914

... (truncated)

Commits

• 8821ad2 Release v4.0.6
• 9e4048a Merge branch '3.5.x' into 4.0.x
• 20bb11c Next development version (v3.5.15-SNAPSHOT)
• 98daa8e Merge branch '3.5.x' into 4.0.x
• 9dc5aa2 Polish
• 874f629 Fix default security with actuator but without health
• e41b3bf Enable hostname verification for SSL connections to Elasticsearch
• ef8527b Merge branch '3.5.x' into 4.0.x
• f533a45 Do not follow symlinks when writing PID file
• 4a7bd33 Merge branch '3.5.x' into 4.0.x
• Additional commits viewable in compare view

Updates org.hibernate.orm:hibernate-spatial from 7.2.1.Final to 7.3.2.Final

Release notes

Sourced from org.hibernate.orm:hibernate-spatial's releases.

Release 7.3.2

Hibernate ORM 7.3.2.Final released

Today, we published a new release of Hibernate ORM 7.3: 7.3.2.Final.

You can find the full list of 7.3.2.Final changes here.

What's new

• See the website for requirements and compatibilities.
• See the What's New guide for details about new features and capabilities.
• See the Migration Guide for details about migration.

Conclusion

For additional details, see:

• the release page
• the Migration Guide
• the Introduction Guide
• the User Guide
• the API docs

See also the following resources related to supported APIs:

• the compatibility policy
• the incubating API report (@Incubating)
• the deprecated API report (@Deprecated + @Remove)
• the internal API report (internal packages, @Internal)

Visit the website for details on getting in touch with us.

Release 7.3.1

Hibernate ORM 7.3.1.Final released

Today, we published a new release of Hibernate ORM 7.3: 7.3.1.Final.

You can find the full list of 7.3.1.Final changes here.

What's new

• See the website for requirements and compatibilities.
• See the What's New guide for details about new features and capabilities.
• See the Migration Guide for details about migration.

Conclusion

... (truncated)

Changelog

Sourced from org.hibernate.orm:hibernate-spatial's changelog.

Changes in 7.3.2.Final (April 20, 2026)

https://hibernate.atlassian.net/projects/HHH/versions/38725

** Bug * HHH-20321 import.sql not executed when there are no @​Entity classes * HHH-20320 detached versioned entity parameter triggers auto-flush transient check * HHH-20317 Envers does not reflect @​DiscriminatorOptions for history entities * HHH-20313 Criteria query comparing double path to integer expression containing integer parameter fails

** Task * HHH-20334 Upgrade to Log4j 2.25.4

Changes in 7.3.1.Final (April 10, 2026)

https://hibernate.atlassian.net/projects/HHH/versions/38285

** Bug * HHH-20326 ClassCastException when joining array within embeddable * HHH-20287 DataException ( Parameter is not set) when updating only the version of an Entity with a PartitionKey * HHH-20283 key-based pagination appears to be broken * HHH-20281 Missing temporal precision for parameter coercion leading to ClassCastException * HHH-20274 Avoid mutating SqmSelectClause during type validation * HHH-20273 Failed to set List type field in Embeddable record * HHH-20272 JDBC locking pre-actions are not executed before the statement * HHH-20271 SybaseASE reports wrong lock metadata * HHH-20267 Hibernate processor: infinite generation of repositories when extending PanacheRepository * HHH-20266 Some unnesting array functions miss ordering on index on aggregation * HHH-20260 Session#find only logs LockTimeoutException instead of throwing it on PostgreSQL * HHH-20259 DdlTypeRegistry#addSqlType doesn't handle different type codes registered to same DDL type properly * HHH-20251 NPE: query with fetch graph and read-only hint on bytecode enhanced entities * HHH-20231 Errors when querying 2L-cached native queries with same SQL but different result type * HHH-20230 [Metamodel Generator] AnnotationMetaEntity fails to compile repository methods with unbounded wildcard Sort<?> * HHH-20209 Race Condition in JavaTypeRegistry causing SemanticException during parallel UNION queries with projection. * HHH-20126 NPE when querying with a lockMode/lockScope * HHH-20053 HQL grammar ambiguity for NOT keyword * HHH-19885 Wrong mapping of legacy XML "access" attribute in HbmXmlTransformer * HHH-19818 NPE with stateless insert when Envers is enabled * HHH-19429 ConcurrentModificationException observed while executing JPQL update query with VERSIONED clause * HHH-12986 ConfigLoader does not close file when loading hibernate.cfg.xml * HHH-12590 Postgres subselect: ERROR: subquery in FROM must have an alias

** Improvement * HHH-20256 Make ByteBuddy class generation build-reproducible * HHH-20227 Avoid using reflection and parsing annotations when initializing the Hibernate and JPA annotation descriptors

... (truncated)

Commits

• 926b61c [Jenkins release job] Preparing release 7.3.2.Final
• 70453b0 [Jenkins release job] changelog.txt updated by release build 7.3.2.Final
• 25d93fc HHH-20313 Fix JPA Criteria parameter type inference TCK failure
• 4f734ec HHH-20317 fix: Envers does not reflect @​DiscriminatorOptions for history enti...
• 7e04d5f Allow running the TCK manually
• aae3d0f Add BytecodeEnhancedTestEngine support for JUnit 5.13 and older for JPA
• c0b7799 Update to Jakarta Persistence TCK version 3.2.1
• 6c72319 HHH-20321 Remove pointless schema management in TransactionCommitFailureTest
• 56cf9a1 HHH-20321 Schema actions skipped when Metadata has no contributors
• 0c4f489 HHH-20334 Upgrade to Log4j 2.25.4
• Additional commits viewable in compare view

Updates org.geolatte:geolatte-geom from 1.9.1 to 1.11

Release notes

Sourced from org.geolatte:geolatte-geom's releases.

v1.11

What's Changed

• Bump outdated slf4j-api to lastest (2.0.17) by @​kamilkrzywanski in GeoLatte/geolatte-geom#176
• Add automatic module names to the published jars by @​marko-bekhta in GeoLatte/geolatte-geom#178
• Switch to central-publishing-maven-plugin for publishing by @​marko-bekhta in GeoLatte/geolatte-geom#179

New Contributors

• @​kamilkrzywanski made their first contribution in GeoLatte/geolatte-geom#176
• @​marko-bekhta made their first contribution in GeoLatte/geolatte-geom#178

Full Changelog: GeoLatte/geolatte-geom@v1.10...v1.11

v1.10

Fix for #172 Fix for #173

Minimum Java version is now 1.11

Commits

• c2ff95d Fix POM for release
• 93c6f2b Fix javadoc issues
• baba141 Publish release artefacts workflow
• 8da2765 Update maven version
• 7f31026 Use manual gpg import
• 561ebf7 Add CI snapshot publishing
• cae4f32 Merge branch 'master' of github.com:GeoLatte/geolatte-geom
• 5207c32 Switch to central-publishing-maven-plugin for publishing
• 5e3b204 Update dependencies
• eb1dec9 Merge branch 'master' of github.com:GeoLatte/geolatte-geom
• Additional commits viewable in compare view

Updates org.jetbrains.kotlinx:kotlinx-serialization-json from 1.10.0 to 1.11.0

Release notes

Sourced from org.jetbrains.kotlinx:kotlinx-serialization-json's releases.

1.11.0

This release is based on Kotlin 2.3.20 and provides a new Json exceptions API and some bugfixes and improvements.

Expose Json exceptions structure

To make working with exceptions easier and providing proper error codes in e.g., REST APIs, classes JsonException, JsonDecodingException, and JsonEncodingException are now public. They have relevant public properties, such as shortMessage, path, offset, and others. This API is currently experimental, and we're going to improve it further in the subsequent releases. See the linked issues for the details: #1930, #1877.

Ability to hide user input from exception messages for security/privacy reasons.

Historically, exception messages in kotlinx.serialization often included the input Json itself for debuggability reason. Such behavior may pose additional challenges for logging, analytics, and other systems, since a system is not always allowed to store user data due to privacy/security reasons, which imposes additional sanitation logic. To address this issue, a new property exceptionsWithDebugInfo is added to JsonConfiguration. Disable it to hide user input from exception messages. IMPORTANT: This behavior will be enabled by default when this property becomes stable. See #2590 for more details.

Bugfixes and improvements

• CBOR: Relax value range check when decoding numbers (#3167)
• Use a specialized writeDecimalLong method for IO stream integrations in Json (#3152)

Changelog

Sourced from org.jetbrains.kotlinx:kotlinx-serialization-json's changelog.

1.11.0 / 2026-04-10

This release is based on Kotlin 2.3.20 and provides new Json exceptions API and some bugfixes and improvements.

Expose Json exceptions structure

To make working with exceptions easier and providing proper error codes in e.g., REST APIs, classes JsonException, JsonDecodingException, and JsonEncodingException are now public. They have relevant public properties, such as shortMessage, path, offset, and others. This API is currently experimental, and we're going to improve it further in the subsequent releases. See the linked issues for the details: #1930, #1877.

Ability to hide user input from exception messages for security/privacy reasons.

Historically, exception messages in kotlinx.serialization often included the input Json itself for debuggability reason. Such behavior may pose additional challenges for logging, analytics, and other systems, since a system is not always allowed to store user data due to privacy/security reasons, which imposes additional sanitation logic. To address this issue, a new property exceptionsWithDebugInfo is added to JsonConfiguration. Disable it to hide user input from exception messages. IMPORTANT: This behavior will be enabled by default when this property becomes stable. See #2590 for more details.

Bugfixes and improvements

• CBOR: Relax value range check when decoding numbers (#3167)
• Use a specialized writeDecimalLong method for IO stream integrations in Json (#3152)

Commits

• 6956af2 Prepare 1.11 release
• 390d84c Merge remote-tracking branch 'origin/master' into dev
• 431fe2d Use local repo for publishing (#3171)
• 05c12b6 Add usage attribute to "testRepositories" configuration
• a4e1f08 Bump Kover version to 0.9.8 release (#3174)
• 304e858 Expose Json exceptions structure (#3145)
• 4a0338e Included G Play SDK verification file for core-jvm (#3169)
• 421f64c CBOR: Relax value range check when decoding numbers (#3167)
• 85a4f12 KT-84955: mark apple x64 tagets as deprecated error
• bd38b0e Remove dead code
• Additional commits viewable in compare view

Updates io.ktor:ktor-client-core from 3.4.0 to 3.4.3

Release notes

Sourced from io.ktor:ktor-client-core's releases.

3.4.3

Published 22 April 2026

Bugfixes

• KTOR-9451 OpenAPI schema inference not working for custom nested generics
• KTOR-9490 OpenAPI: Self-referential schema $ref uses FQN while schema is registered with a simple name
• KTOR-9463 OpenAPI: schema inference StackOverflow
• KTOR-8938 WebSockets: WebSockets handler does not inherit server coroutine context
• KTOR-8989 Shared engine is closed when a client created with config method is closed
• KTOR-9485 Apache5: FutureCallback never called, breaking Java agent instrumentation
• KTOR-9497 Darwin: SIGABRT crash when close() races with in-flight execute() since 3.4.2
• KTOR-9431 SuspendFunctionGun: ThreadContextElement leaks across requests when interceptor suspends
• KTOR-9423 CannotTransformContentToTypeException leaks internal class names in response body
• KTOR-9461 Incorrect link to the OWASP cheatsheet in the KDoc for CSRF plugin
• KTOR-9476 Unable to update/remove session data if no response content
• KTOR-9343 HttpRequestLifecycle plugin with cancelCallOnClose on, cancels subsequent requests when CallLogging plugin with callIdMdc is installed

3.4.2

Published 27 March 2026

Improvements

• KTOR-9327 Curl: The WebSockets maxFrameSize option does not have an effect
• KTOR-9383 CaseInsensitiveString: reduce allocations
• KTOR-9385 Netty: Allocation micro-optimizations
• KTOR-9403 Darwin: Unnecessary ByteArray copy for each received response chunk
• KTOR-9412 KDoc for formFieldLimit documents incorrect default value (64 KB instead of 50 MiB)

Bugfixes

• KTOR-9351 OpenAPI: Incorrect schema generated for nested classes with lists
• KTOR-9361 WebSockets: JsWebSocketSession._closeReason is completed twice
• KTOR-9437 Fix GraalVM Compatibility
• KTOR-9424 Logging: OkHttp format should log the full requested URL
• KTOR-8540 Logging: IllegalStateException is thrown when response is cached and deserialization fails
• KTOR-9370 OpenAPI: NoSuchMethodError - getLOCAL_FUNCTION_FOR_LAMBDA with Kotlin 2.3.20-*
• KTOR-9421 Netty: active SSE connection blocks HTTP/2 response flushing for other requests
• KTOR-3390 JS browser: "Failed to execute 'digest' on 'SubtleCrypto'" error when using digest auth
• KTOR-5977 Compression: The encoders buffer streaming response
• KTOR-9393 Certificate pinning matches against all pins instead of hostname-scoped pins
• KTOR-8751 DI: AmbiguousDependencyException when named dependency is overridden in testApplication
• KTOR-9039 Bearer Auth: Request body transformed with jsonIO isn't sent over again after refreshToken request
• KTOR-9404 Darwin: Memory leak in KtorNSURLSessionDelegate
• KTOR-9399 LinkageError when running Ktor app with development mode inside Spring Boot / Amper fat-JAR
• KTOR-9402 NoSuchMethodError on RawWebSocket after 3.4.0
• KTOR-9372 Frame.Text.readText() causes infinite loop and 100% CPU on Kotlin/Native when WebSocket frame data is malformed or connection drops unexpectedly
• KTOR-9387 ZstdEncoder decode fails when source data is split into multiple Zstd frames

3.4.1

Published 3 March 2026

Improvements

... (truncated)

Changelog

Sourced from io.ktor:ktor-client-core's changelog.

3.4.3

Published 22 April 2026

Bugfixes

• KTOR-9451 OpenAPI schema inference not working for custom nested generics
• KTOR-9490 OpenAPI: Self-referential schema $ref uses FQN while schema is registered with a simple name
• KTOR-9463 OpenAPI: schema inference StackOverflow
• KTOR-8938 WebSockets: WebSockets handler does not inherit server coroutine context
• KTOR-8989 Shared engine is closed when a client created with config method is closed
• KTOR-9485 Apache5: FutureCallback never called, breaking Java agent instrumentation
• KTOR-9497 Darwin: SIGABRT crash when close() races with in-flight execute() since 3.4.2
• KTOR-9431 SuspendFunctionGun: ThreadContextElement leaks across requests when interceptor suspends
• KTOR-9423 CannotTransformContentToTypeException leaks internal class names in response body
• KTOR-9461 Incorrect link to the OWASP cheatsheet in the KDoc for CSRF plugin
• KTOR-9476 Unable to update/remove session data if no response content
• KTOR-9343 HttpRequestLifecycle plugin with cancelCallOnClose on, cancels subsequent requests when CallLogging plugin with callIdMdc is installed

3.4.2

Published 27 March 2026

Improvements

• KTOR-9327 Curl: The WebSockets maxFrameSize option does not have an effect
• KTOR-9383 CaseInsensitiveString: reduce allocations
• KTOR-9385 Netty: Allocation micro-optimizations
• KTOR-9403 Darwin: Unnecessary ByteArray copy for each received response chunk
• KTOR-9412 KDoc for formFieldLimit documents incorrect default value (64 KB instead of 50 MiB)

Bugfixes

• KTOR-9351 OpenAPI: Incorrect schema generated for nested classes with lists
• KTOR-9361 WebSockets: JsWebSocketSession._closeReason is completed twice
• KTOR-9437 Fix GraalVM Compatibility
• KTOR-9424 Logging: OkHttp format should log the full requested URL
• KTOR-8540 Logging: IllegalStateException is thrown when response is cached and deserialization fails
• KTOR-9370 OpenAPI: NoSuchMethodError - getLOCAL_FUNCTION_FOR_LAMBDA with Kotlin 2.3.20-*
• KTOR-9421 Netty: active SSE connection blocks HTTP/2 response flushing for other requests
• KTOR-3390 JS browser: "Failed to execute 'digest' on 'SubtleCrypto'" error when using digest auth
• KTOR-5977 Compression: The encoders buffer streaming response
• KTOR-9393 Certificate pinning matches against all pins instead of hostname-scoped pins
• KTOR-8751 DI: AmbiguousDependencyException when named dependency is overridden in testApplication
• KTOR-9039 Bearer Auth: Request body transformed with jsonIO isn't sent over again after refreshToken request
• KTOR-9404 Darwin: Memory leak in KtorNSURLSessionDelegate
• KTOR-9399 LinkageError when running Ktor app with development mode inside Spring Boot / Amper fat-JAR
• KTOR-9402 NoSuchMethodError on RawWebSocket after 3.4.0
• KTOR-9372 Frame.Text.readText() causes infinite loop and 100% CPU on Kotlin/Native when WebSocket frame data is malformed or connection drops unexpectedly
• KTOR-9387 ZstdEncoder decode fails when source data is split into multiple Zstd frames

3.4.1

Published 3 March 2026

... (truncated)

Commits

• 5d9a998 Release 3.4.3 (#5547)
• 6a11a76 KTOR-8989 Close or cancel engine only when the client reference count… (#5525)
• 3acb8ea KTOR-8938 Inherit server coroutine context in WebSocket session (#5426)
• cec7d38 Fix flaky test failures on native platforms (#5485)
• bd8bea1 KTOR-9507 Update Jackson to 2.21 and 3.1.0
• 5e29515 KTOR-9507 Update netty to 4.2.12
• 733b8e1 KTOR-9373 Make ConcurrentMap iteration safe on Native (#5407)
• 1f83f21 KTOR-9451 Support nested generic types (#5500)
• 2440990 Apache 5 Client. Don't ignore resultCallback (#5526)
• 430f320 Follow-up: KTOR-9497 Preventing a fatal crash in DarwinSession on close (#5533)
• Additional commits viewable in compare view

Updates io.ktor:ktor-client-java from 3.4.0 to 3.4.3

Release notes

Sourced from io.ktor:ktor-client-java's releases.

3.4.3

Published 22 April 2026

Bugfixes

• KTOR-9451 OpenAPI schema inference not working for custom nested generics
• KTOR-9490 OpenAPI: Self-referential schema $ref uses FQN while schema is registered with a simple name
• KTOR-9463 OpenAPI: schema inference StackOverflow
• KTOR-8938 WebSockets: WebSockets handler does not inherit server coroutine context
• KTOR-8989 Shared engine is closed when a client created with config method is closed
• KTOR-9485 Apache5: FutureCallback never called, breaking Java agent instrumentation
• KTOR-9497 Darwin: SIGABRT crash when close() races with in-flight execute() since 3.4.2
• KTOR-9431 SuspendFunctionGun: ThreadContextElement leaks across requests when interceptor suspends
• KTOR-9423 CannotTransformContentToTypeException leaks internal class names in response body
• KTOR-9461 Incorrect link to the OWASP cheatsheet in the KDoc for CSRF plugin
• KTOR-9476 Unable to update/remove session data if no response content
• KTOR-9343 HttpRequestLifecycle plugin with cancelCallOnClose on, cancels subsequent requests when CallLogging plugin with callIdMdc is installed

3.4.2

Published 27 March 2026

Improvements

• KTOR-9327 Curl: The WebSockets maxFrameSize option does not have an effect
• KTOR-9383 CaseInsensitiveString: reduce allocations
• KTOR-9385 Netty: Allocation micro-optimizations
• KTOR-9403 Darwin: Unnecessary ByteArray copy for each received response chunk
• KTOR-9412 KDoc for formFieldLimit documents incorrect default value (64 KB instead of 50 MiB)

Bugfixes

• KTOR-9351 OpenAPI: Incorrect schema generated for nested classes with lists
• KTOR-9361 WebSockets: JsWebSocketSession._closeReason is completed twice
• KTOR-9437 Fix GraalVM Compatibility
• KTOR-9424 Logging: OkHttp format should log the full requested URL
• KTOR-8540 Logging: IllegalStateException is thrown when response is cached and deserialization fails
• KTOR-9370 OpenAPI: NoSuchMethodError - getLOCAL_FUNCTION_FOR_LAMBDA with Kotlin 2.3.20-*
• KTOR-9421 Netty: active SSE connection blocks HTTP/2 response flushing for other requests
• KTOR-3390 JS browser: "Failed to execute 'digest' on 'SubtleCrypto'" error when using digest auth
• KTOR-5977 Compression: The encoders buffer streaming response
• KTOR-9393 Certificate pinning matches against all pins instead of hostname-scoped pins
• KTOR-8751 DI: AmbiguousDependencyException when named dependency is overridden in testApplication
• KTOR-9039 Bearer Auth: Request body transformed with jsonIO isn't sent over again after refreshToken request
• KTOR-9404 Darwin: Memory leak in KtorNSURLSessionDelegate
• KTOR-9399 LinkageError when running Ktor app with development mode inside Spring Boot / Amper fat-JAR
• KTOR-9402 NoSuchMethodError on RawWebSocket after 3.4.0
• KTOR-9372 Frame.Text.readText() causes infinite loop and 100% CPU on Kotlin/Native when WebSocket frame data is malformed or connection drops unexpectedly
• KTOR-9387 ZstdEncoder decode fails when source data is split into multiple Zstd frames

3.4.1

Published 3 March 2026

Improvements

... (truncated)

Changelog

Sourced from io.ktor:ktor-client-java's changelog.

3.4.3

Published 22 April 2026

Bugfixes

• KTOR-9451 OpenAPI schema inference not working for custom nested generics
• KTOR-9490 OpenAPI: Self-referential schema $ref uses FQN while schema is registered with a simple name
• KTOR-9463 OpenAPI: schema inference StackOverflow
• KTOR-8938 WebSockets: WebSockets handler does not inherit server coroutine context
• KTOR-8989 Shared engine is closed when a client created with config method is closed
• KTOR-9485 Apache5: FutureCallback never called, breaking Java agent instrumentation
• KTOR-9497 Darwin: SIGABRT crash when close() races with in-flight execute() since 3.4.2
• KTOR-9431 SuspendFunctionGun: ThreadContextElement leaks across requests when interceptor suspends
• KTOR-9423 CannotTransformContentToTypeException leaks internal class names in response body
• KTOR-9461 Incorrect link to the OWASP cheatsheet in the KDoc for CSRF plugin
• KTOR-9476 Unable to update/remove session data if no response content
• KTOR-9343 HttpRequestLifecycle plugin with cancelCallOnClose on, cancels subsequent requests when CallLogging plugin with callIdMdc is installed

3.4.2

Published 27 March 2026

Improvements

• KTOR-9327 Curl: The WebSockets maxFrameSize option does not have an effect
• KTOR-9383 CaseInsensitiveString: reduce allocations
• KTOR-9385 Netty: Allocation micro-optimizations
• KTOR-9403 Darwin: Unnecessary ByteArray copy for each received response chunk
• KTOR-9412 KDoc for formFieldLimit documents incorrect default value (64 KB instead of 50 MiB)

Bugfixes

• KTOR-9351 OpenAPI: Incorrect schema generated for nested classes with lists
• KTOR-9361 WebSockets: JsWebSocketSession._closeReason is completed twice
• KTOR-9437 Fix GraalVM Compatibility
• KTOR-9424 Logging: OkHttp format should log the full requested URL
• KTOR-8540 Logging: IllegalStateException is thrown when response is cached and deserialization fails
• KTOR-9370 OpenAPI: NoSuchMethodError - getLOCAL_FUNCTION_FOR_LAMBDA with Kotlin 2.3.20-*
• KTOR-9421 Netty: active SSE connection blocks HTTP/2 response flushing for other requests
• KTOR-3390 JS browser: "Failed to execute 'digest' on 'SubtleCrypto'" error when using digest auth
• KTOR-5977 Compression: The encoders buffer streaming response
• KTOR-9393 Certificate pinning matches against all pins instead of hostname-scoped pins
• KTOR-8751 DI: AmbiguousDependencyException when named dependency is overridden in testApplication
• KTOR-9039 Bearer Auth: Request body transformed with jsonIO isn't sent over again after refreshToken request
• KTOR-9404 Darwin: Memory leak in KtorNSURLSessionDelegate
• KTOR-9399 LinkageError when running Ktor app with development mode inside Spring Boot / Amper fat-JAR
• KTOR-9402 NoSuchMethodError on RawWebSocket after 3.4.0
• KTOR-9372 Frame.Text.readText() causes infinite loop and 100% CPU on Kotlin/Native when WebSocket frame data is malformed or connection drops unexpectedly
• KTOR-9387 ZstdEncoder decode fails when source data is split into multiple Zstd frames

3.4.1

Published 3 March 2026

... (truncated)

Commits

• 5d9a998 Release 3.4.3 (#5547)
• 6a11a76 KTOR-8989 Close or cancel engine only when the client reference count… (#5525)
• 3acb8ea KTOR-8938 Inherit server coroutine context in WebSocket session (#5426)
• cec7d38 Fix flaky test failures on native platforms (#5485)
• bd8bea1 KTOR-9507 Update Jackson to 2.21 and 3.1.0
• 5e29515 KTOR-9507 Update netty to 4.2.12
• 733b8e1 KTOR-9373 Make ConcurrentMap iteration safe on Native (#5407)
• 1f83f21 KTOR-9451 Support nested generic types (#5500)
• 2440990 Apache 5 Client. Don't ignore resultCallback (#5526)
• 430f320 Follow-up: KTOR-9497 Preventing a fatal crash in DarwinSession on close (#5533)
• Additional commits viewable in compare view

Updates io.ktor:ktor-client-content-negotiation from 3.4.0 to 3.4.3

Release notes

Sourced from io.ktor:ktor-client-content-negotiation's releases.

3.4.3

Published 22 April 2026

Bugfixes

• KTOR-9451 OpenAPI schema inference not working for custom nested generics
• KTOR-9490 OpenAPI: Self-referential schema $ref uses FQN while schema is registered with a simple name
• KTOR-9463 OpenAPI: schema inference StackOverflow
• KTOR-8938 WebSockets: WebSockets handler does not inherit server coroutine context
• KTOR-8989 Shared engine is closed when a client created with config method is closed
• KTOR-9485 Apache5: FutureCallback never called, breaking Java agent instrumentation
• KTOR-9497 Darwin: SIGABRT crash when close() races with in-flight execute() since 3.4.2
• KTOR-9431 SuspendFunctionGun: ThreadContextElement leaks across requests when interceptor suspends
• KTOR-9423 CannotTransformContentToTypeException leaks internal class names in response body
• KTOR-9461 Incorrect link to the OWASP cheatsheet in the KDoc for CSRF plugin
• KTOR-9476 Unable to update/remove session data if no response content
• KTOR-9343 HttpRequestLifecycle plugin with cancelCallOnClose on, cancels subsequent requests when CallLogging plugin with callIdMdc is installed

3.4.2

Published 27 March 2026

Improvements

• KTOR-9327 Curl: The WebSockets maxFrameSize option does not have an effect
• KTOR-9383 CaseInsensitiveString: reduce allocations
• KTOR-9385 Netty: Allocation micro-optimizations
• KTOR-9403 Darwin: Unnecessary ByteArray copy for each received response chunk
• KTOR-9412 KDoc for formFieldLimit documents incorrect default value (64 KB instead of 50 MiB)

Bugfixes

• KTOR-9351 OpenAPI: Incorrect schema generated for nested classes with lists
• KTOR-9361 WebSockets: JsWebSocketSession._closeReason is completed twice
• KTOR-9437 Fix GraalVM Compatibility
• KTOR-9424 Logging: OkHttp format should log the full requested URL
• KTOR-8540 Logging: IllegalStateException is thrown when response is cached and deserialization fails
• KTOR-9370 OpenAPI: NoSuchMethodError - getLOCAL_FUNCTION_FOR_LAMBDA with Kotlin 2.3.20-*
• KTOR-9421 Netty: active SSE connection blocks HTTP/2 response flushing for other requests
• KTOR-3390 JS browser: "Failed to execute 'digest' on 'SubtleCrypto'" error when using digest auth
• KTOR-5977 Compression: The encoders buffer streaming response
• KTOR-9393 Certificate pinning matches against all pins instead of hostname-scoped pins
• KTOR-8751 DI: AmbiguousDependencyException when named dependency is overridden in testApplication
• KTOR-9039 Bearer Auth: Request body transformed with jsonIO isn't sent over again after refreshToken request
• KTOR-9404 Darwin: Memory leak in KtorNSURLSessionDelegate
• KTOR-9399 LinkageError when running Ktor app with development mode inside Spring Boot / Amper fat-JAR
• KTOR-9402 NoSuchMethodError on RawWebSocket after 3.4.0
• KTOR-9372 Frame.Text.readText() causes infinite loop and 100% CPU on Kotlin/Native when WebSocket frame data is malformed or connection drops unexpectedly
• KTOR-9387Description has been truncated

[tristanrobert]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud