dependabot[bot] opened a new pull request, #5268: URL: https://github.com/apache/eventmesh/pull/5268
Bumps [com.rabbitmq:amqp-client](https://github.com/rabbitmq/rabbitmq-java-client) from 5.22.0 to 5.33.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rabbitmq/rabbitmq-java-client/releases">com.rabbitmq:amqp-client's releases</a>.</em></p> <blockquote> <h2>5.33.0</h2> <h1>Changes between 5.32.0 and 5.33.0</h1> <p>This is a maintenance release with bug fixes and dependency upgrades. It introduces minor breaking changes compared to 5.32.0 (see below for details). All users are encouraged to upgrade.</p> <p>The RabbitMQ team normally maintain strict backward compatibility in minor versions. However, this release includes exceptional breaking changes that were necessary to patch security gaps and enforce secure-by-default behavior.</p> <p>Breaking changes:</p> <ul> <li>Hostname verification is now enabled by default as soon as TLS is used.</li> <li><code>ConnectionFactory#useSslProtocol()</code> now utilizes the JVM's default <code>SSLContext</code>, which validates the server certificate. <ul> <li>Note: This should primarily affect test environments, as <code>useSslProtocol()</code> was never intended for production use.</li> <li>Action required: For test or development environments where certificate validation needs to be disabled, users can now explicitly switch to the new <code>ConnectionFactory#useTlsWithNoVerification()</code> method.</li> </ul> </li> <li>JSON-RPC support classes now introduce an "allowlist". This change only impacts installations that explicitly utilize these classes.</li> </ul> <h2>Harden RPC support classes</h2> <p>GitHub PR: <a href="https://redirect.github.com/rabbitmq/rabbitmq-java-client/issues/2002">#2002</a></p> <h2>Enable hostname verification by default</h2> <p>GitHub issue: <a href="https://redirect.github.com/rabbitmq/rabbitmq-java-client/issues/2005">#2005</a></p> <h2>Introduce helper for dev/test TLS setup</h2> <p>GitHub PR: <a href="https://redirect.github.com/rabbitmq/rabbitmq-java-client/issues/2001">#2001</a></p> <h2>Enforce inbound frame max more strictly</h2> <p>GitHub PRs: <a href="https://redirect.github.com/rabbitmq/rabbitmq-java-client/issues/1995">#1995</a> <a href="https://redirect.github.com/rabbitmq/rabbitmq-java-client/issues/1998">#1998</a></p> <h2>Bump dependencies</h2> <p>GitHub issue: <a href="https://redirect.github.com/rabbitmq/rabbitmq-java-client/issues/1991">#1991</a></p> <h1>Dependency</h1> <h2>Maven</h2> <pre lang="xml"><code><dependency> <groupId>com.rabbitmq</groupId> <artifactId>amqp-client</artifactId> <version>5.33.0</version> </dependency> </code></pre> <h2>Gradle</h2> <pre lang="groovy"><code>compile 'com.rabbitmq:amqp-client:5.33.0' </tr></table> </code></pre> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/rabbitmq/rabbitmq-java-client/commit/a6ff07ecf96c1f001d611ea9b88ed8b6e045aa61"><code>a6ff07e</code></a> [maven-release-plugin] prepare release v5.33.0</li> <li><a href="https://github.com/rabbitmq/rabbitmq-java-client/commit/a3cbc200936a02cf321ab0f1ae311718a34c13c0"><code>a3cbc20</code></a> Set release version to 5.33.0</li> <li><a href="https://github.com/rabbitmq/rabbitmq-java-client/commit/7c33063f7f11433f620df70873b611cb4b2cd830"><code>7c33063</code></a> Recommend against replacing SocketConfigurator</li> <li><a href="https://github.com/rabbitmq/rabbitmq-java-client/commit/43263bc7cd4717e8b1ce073e61d6bf35accdb8b7"><code>43263bc</code></a> Merge pull request <a href="https://redirect.github.com/rabbitmq/rabbitmq-java-client/issues/2001">#2001</a> from rabbitmq/mergify/bp/v5.x/pr-1999</li> <li><a href="https://github.com/rabbitmq/rabbitmq-java-client/commit/fd34d84ddc79f93be0f3f9bbc14cfcc0639146dd"><code>fd34d84</code></a> Document NIO configurators</li> <li><a href="https://github.com/rabbitmq/rabbitmq-java-client/commit/4a05f2b774e3f7022c328228fbdb7c316cb61b70"><code>4a05f2b</code></a> Fix NIO test</li> <li><a href="https://github.com/rabbitmq/rabbitmq-java-client/commit/f02566a5040872b80f79b811c941c342b5308f25"><code>f02566a</code></a> Merge pull request <a href="https://redirect.github.com/rabbitmq/rabbitmq-java-client/issues/2002">#2002</a> from rabbitmq/mergify/bp/v5.x/pr-2000</li> <li><a href="https://github.com/rabbitmq/rabbitmq-java-client/commit/38ef88e78faf203e45255d1e8530f5da60b76622"><code>38ef88e</code></a> Merge pull request <a href="https://redirect.github.com/rabbitmq/rabbitmq-java-client/issues/2004">#2004</a> from rabbitmq/dependabot/maven/v5.x/com.diffplug.spo...</li> <li><a href="https://github.com/rabbitmq/rabbitmq-java-client/commit/66ef941fe058c436a32e1768a95960e3b1d62abc"><code>66ef941</code></a> Bump com.diffplug.spotless:spotless-maven-plugin from 3.7.0 to 3.8.0</li> <li><a href="https://github.com/rabbitmq/rabbitmq-java-client/commit/c6089b0224e4486a1eebb8efb83bbd89f9e250a0"><code>c6089b0</code></a> Fix conflicts</li> <li>Additional commits viewable in <a href="https://github.com/rabbitmq/rabbitmq-java-client/compare/v5.22.0...v5.33.0">compare view</a></li> </ul> </details> <br /> <details> <summary>Most Recent Ignore Conditions Applied to This Pull Request</summary> | Dependency Name | Ignore Conditions | | --- | --- | | com.rabbitmq:amqp-client | [>= 5.17.a, < 5.18] | </details> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
