Skip to content

Bump com.mchange:c3p0 from 0.9.5.5 to 0.12.0#55

Open
dependabot[bot] wants to merge 1 commit into
devfrom
dependabot/maven/com.mchange-c3p0-0.12.0
Open

Bump com.mchange:c3p0 from 0.9.5.5 to 0.12.0#55
dependabot[bot] wants to merge 1 commit into
devfrom
dependabot/maven/com.mchange-c3p0-0.12.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 28, 2026

Copy link
Copy Markdown
Contributor

Bumps com.mchange:c3p0 from 0.9.5.5 to 0.12.0.

Changelog

Sourced from com.mchange:c3p0's changelog.

-- Ensure sessions are marked as endRequest() is called prior to check-in, to eliminate race between DBMS cleanup and checkout by a new client. Thanks Krrish (ota0912 on github). -- Take generic JavaBeanObjectFactory out of the whitelist of object factories, com.mchange.v2.naming.objectFactoryWhitelist, mchange-commons-java ReferenceableUtils is willing to dereference. Only C3P0JavaBeanObjectFactory should be used. -- Modify C3P0JavaBeanObjectFactory to use C3P0JavaBeanReferencePropertyOverrider. -- Modify the JavaBeanReferenceMaker employed by c3p0 beans to use C3P0JavaBeanReferencePropertyOverrider -- Define C3P0JavaBeanReferencePropertyOverrider, supporting the serialization and deserialization of user-defined config key value pairs (the 'extensions' property) -- Add support for extensions, in the form of JavaBeanReferencePropertyOverrider, that allow javax.naming.Referenceable JavaBeans that include non-String, non-coerceable-to-string, non-SecurelyStringifiable properties to use some custom serialization to a Reference. Add support both the JavaBeanReferenceMaker and JavaBeanObjectFactory for supporting such extensions. -- Replace with a CSV format internal use of Java serialization by JavaBeanObjectFactory and JavaBeanReferenceMaker when tracking reference properties. [in mchange-commons-java] -- Eliminate support for decoding BinaryRefAddrs via Java (de)serialization in JavaBeanObjectFactory. The capability still exists, but one must explicitly extend JavaBeanObjectFactory in order to support it. No existing classes in c3p0 or mchange-commons-java now use Java serialization to unpickle objects from References. -- Add support for SecurelySerializable to c3p0's code-generated bean superclasses, and to the concrete derived beans as well. -- Define CsvSecurelyStringifiableBeangenGeneratorExtension to enable code-generated Java beans that support the new SecurelyStringifiable alternative serialization [in mchange-commons-java] -- When generating references with JavaBeanReferenceMaker, gate use of Java-serialization to define properties behind a new false-biased configuration parameter, com.mchange.v2.naming.generateSerializedObjectBinaryRefAddr. (This should almost never be reset to true.) [in mchange-commons-java] -- Define in com.mchange.v2.naming a SecurelyStringifiable mechanism, intended to replace the use of dangerous Java serialization in the construction of references [in mchange-commons-java] c3p0-0.12.0 -- Replace com.mchange.v2.naming.permitNonlocalJndiNames with more configurable com.mchange.v2.naming.nameGuardClassName. By default, it is null, and the same "apparently local" restriction previously enforced by com.mchange.v2.naming.permitNonlocalJndiNames is enforced. But users can supply custom com.mchange.v2.naming.NameGuard instances to control what names are permissible, and four implementations of NameGuard are provided. (See the main docs.) -- Documentation updates. -- Disable by default reflective instantiation of javax.naming.spi.ObjectFactory instances unless their classname is included on a whitelist. Define properties-style config parameter com.mchange.v2.naming.objectFactoryWhitelist where the comma-separated whitelist can be provided. By default this parameter contains the two ObjectFactory classes c3p0 includes in references it creates. -- Change the format of userOverridesAsString, which is just a String representation of Map<String,Map<String,String>>. Use a CSV-inspired format, and the mchange-commons-java fastcsv utility, rather than dangerous Java Object serialization of the Map of Maps. -- Disable by default support for resolving references serialized with their own InitialContext custom environment. Define properties-style config parameter

... (truncated)

Commits
  • afbb946 Bump version for c3p0-0.12.0 final.
  • c5f2445 Documentation updates, RELEASE_NOTES-0.12.0, cap CHANGELOG for c3p0-0.12.0.
  • d0d1c50 Modify MarshallUnmarshallDataSourcesJUnitTestCase to include C3P0 config when...
  • a42833d Update mchange-commons-java version to 0.4.0.
  • 415662b Claude-generated tests of deserialization-gadget mitigations.
  • 69dab9c CHANGELOG and documentation updates.
  • 5cb3247 Track changes to com.mchange.ser.naming, more flexible control of whether nam...
  • 9bef1f6 Update CHANGELOG and docs to more accurately reflect the necessarily imperfec...
  • c6f5d11 Centralize some of the jndiName-remoteness testing code, gate mbean- and jbos...
  • 155be12 Small documentation fixes.
  • Additional commits viewable in compare view

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps [com.mchange:c3p0](https://github.com/swaldman/c3p0) from 0.9.5.5 to 0.12.0.
- [Changelog](https://github.com/swaldman/c3p0/blob/0.13.x/CHANGELOG)
- [Commits](swaldman/c3p0@c3p0-0.9.5.5...v0.12.0)

---
updated-dependencies:
- dependency-name: com.mchange:c3p0
  dependency-version: 0.12.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels May 28, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file java Pull requests that update java code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants