dependabot[bot] opened a new pull request, #21946: URL: https://github.com/apache/camel/pull/21946
Bumps [org.atmosphere:atmosphere-runtime](https://github.com/Atmosphere/atmosphere) from 4.0.10 to 4.0.11. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/Atmosphere/atmosphere/releases";>org.atmosphere:atmosphere-runtime's releases</a>.</em></p> <blockquote> <h2>Atmosphere 4.0.11</h2> <h3>Fixed</h3> <ul> <li><strong>WebSocket XSS sanitization bypass.</strong> Disabled HTML sanitization for WebSocket transport — HTML-encoding JSON in WebSocket frames broke the AI streaming wire protocol.</li> <li><strong>XSS and insecure cookie hardening.</strong> Sanitize HTML output in write methods and set the <code>Secure</code> flag on cookies over HTTPS.</li> </ul> <h3>Changed</h3> <ul> <li><strong>Token → Streaming Text rename.</strong> All AI module APIs, javadoc, and the atmosphere.js client now use "streaming text" instead of "token" to describe LLM output chunks. This affects method names (<code>onToken</code> → <code>onStreamingText</code>, <code>totalTokens</code> → <code>totalStreamingTexts</code>), field names, and the wire protocol message type (<code>"token"</code> → <code>"streaming-text"</code>). This is a <strong>breaking change</strong> for atmosphere.js consumers and custom <code>AiStreamBroadcastFilter</code> implementations.</li> <li><strong>Javadoc published to GitHub Pages.</strong> API docs for <code>atmosphere-runtime</code> are now deployed automatically to <code>async-io.org/apidocs</code>.</li> <li><strong>Starlight tutorial site.</strong> A 20-chapter tutorial book is now available at the project documentation site.</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/Atmosphere/atmosphere/blob/main/CHANGELOG.md";>org.atmosphere:atmosphere-runtime's changelog</a>.</em></p> <blockquote> <h2>[4.0.11] - 2026-03-11</h2> <h3>Fixed</h3> <ul> <li><strong>WebSocket XSS sanitization bypass.</strong> Disabled HTML sanitization for WebSocket transport — HTML-encoding JSON in WebSocket frames broke the AI streaming wire protocol.</li> <li><strong>XSS and insecure cookie hardening.</strong> Sanitize HTML output in write methods and set the <code>Secure</code> flag on cookies over HTTPS.</li> </ul> <h3>Changed</h3> <ul> <li><strong>Token → Streaming Text rename.</strong> All AI module APIs, javadoc, and the atmosphere.js client now use "streaming text" instead of "token" to describe LLM output chunks. This affects method names (<code>onToken</code> → <code>onStreamingText</code>, <code>totalTokens</code> → <code>totalStreamingTexts</code>), field names, and the wire protocol message type (<code>"token"</code> → <code>"streaming-text"</code>). This is a <strong>breaking change</strong> for atmosphere.js consumers and custom <code>AiStreamBroadcastFilter</code> implementations.</li> <li><strong>Javadoc published to GitHub Pages.</strong> API docs for <code>atmosphere-runtime</code> are now deployed automatically to <code>async-io.org/apidocs</code>.</li> <li><strong>Starlight tutorial site.</strong> A 20-chapter tutorial book is now available at the project documentation site.</li> </ul> <h2>[4.0.3] - 2026-02-22</h2> <h3>Fixed</h3> <ul> <li><strong>Room Protocol broadcast bug.</strong> <code>DefaultRoom.broadcast()</code> now wraps messages in <code>RawMessage</code> to bypass <code>@Message</code> decoder mangling. Room JSON envelopes (join/leave/message events) are delivered intact to clients.</li> <li><strong><code>enableHistory()</code> NPE.</strong> <code>UUIDBroadcasterCache</code> is now properly configured before use, preventing <code>NullPointerException</code> when room history is enabled.</li> <li><strong>Native Image build.</strong> Spring Boot samples use <code>process-aot</code> and <code>exec</code> classifier in the <code>native</code> profile so GraalVM can find the main class.</li> </ul> <h3>Added</h3> <ul> <li><strong><code>RawMessage</code> API</strong> (<code>org.atmosphere.cpr.RawMessage</code>) — first-class public wrapper for pre-encoded messages that bypass <code>@Message</code> decoder/encoder pipelines. <code>ManagedAtmosphereHandler.Managed</code> is deprecated in favor of <code>RawMessage</code>.</li> <li><strong>Playwright E2E tests</strong> for all sample applications (chat, spring-boot-chat, embedded-jetty, quarkus-chat, AI samples, durable-sessions, MCP server).</li> </ul> <h3>Changed</h3> <ul> <li><strong>Unified parent POM.</strong> All samples now inherit from <code>atmosphere-project</code>, making <code>mvn versions:set</code> update every module in a single command.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/Atmosphere/atmosphere/commit/27f88d9a782449c356a95d09ca54a52c71acf574";><code>27f88d9</code></a> release: Atmosphere 4.0.11</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/e71eba79d41821ef91b6a985519f612988f7b3f0";><code>e71eba7</code></a> refactor(embabel): rename token to streaming text in Kotlin module</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/375d7dfc21064c587aef146c45adbbe135967425";><code>375d7df</code></a> docs: update READMEs and CHANGELOG for 4.0.11 release</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/b3166ac639cc0bbd7b4b669e9782c5623e5f67be";><code>b3166ac</code></a> refactor(ai): complete token-to-streaming-text rename across codebase</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/62cc1bee514699bab344eabcd9b5ebca966ffeb8";><code>62cc1be</code></a> refactor(ai): rename token to streaming text across AI module and samples</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/a15c080f29832a8fc09a66be6c7d77c87bdde84b";><code>a15c080</code></a> docs: rename AI/LLM token references to streaming text</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/f05d29a5228034b76850ec06d37a96bf0bd8753d";><code>f05d29a</code></a> docs: fix last 2.x release version in CHANGELOG (2.7.16 not 2.6.5)</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/f5510c801859be90f558cfe5ed2a1f5b6024b903";><code>f5510c8</code></a> ci(release): generate rich release notes from CHANGELOG or commits</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/0f1ed89b1e36de684f6c2aa638a15ab447186ed3";><code>0f1ed89</code></a> fix(cpr): skip XSS sanitization for WebSocket transport</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/fd1030b7aba45bb30195c6be2015521b7be67889";><code>fd1030b</code></a> ci: replace automatic dependency submission with custom workflow</li> <li>Additional commits viewable in <a href="https://github.com/Atmosphere/atmosphere/compare/atmosphere-4.0.10...atmosphere-4.0.11";>compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
