dependabot[bot] opened a new pull request, #1273: URL: https://github.com/apache/knox/pull/1273
Bumps [org.apache.shiro:shiro-core](https://github.com/apache/shiro) from 1.13.0 to 2.2.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/apache/shiro/releases";>org.apache.shiro:shiro-core's releases</a>.</em></p> <blockquote> <h2>Apache Shiro 2.2.1</h2> <h2>Bug fixes</h2> <ul> <li>chore(jacoco): added exclusion for weld client proxy by <a href="https://github.com/lprimak";><code>@lprimak</code></a> in <a href="https://redirect.github.com/apache/shiro/pull/2769";>apache/shiro#2769</a></li> </ul> <h2>Security Improvements</h2> <ul> <li><a href="https://redirect.github.com/apache/shiro/issues/2704";>#2704</a> <a href="https://redirect.github.com/apache/shiro/issues/2710";>#2710</a> Fixed Session fixation-related regressions by <a href="https://github.com/lprimak";><code>@lprimak</code></a> in <a href="https://redirect.github.com/apache/shiro/pull/2711";>apache/shiro#2711</a></li> <li><a href="https://redirect.github.com/apache/shiro/issues/2758";>#2758</a> Deprecate RandomSessionIdGenerator due to insufficient entropy by <a href="https://github.com/lprimak";><code>@lprimak</code></a> in <a href="https://redirect.github.com/apache/shiro/pull/2770";>apache/shiro#2770</a></li> <li><a href="https://github.com/apache/shiro/commit/bd278bcc360938161abb7c4740c8e1c4a1e44831";>enh(jakarta-ee): strip out the host part of the referer header</a></li> <li><a href="https://github.com/apache/shiro/commit/9063406e70acbb90a6d1c1f3c69e01b8893bd1dd";>Using Rdn.escapeValues()</a></li> </ul> <h2>Improvements</h2> <ul> <li>Switch pre-commit to ASF approved prek-action by <a href="https://github.com/jbampton";><code>@jbampton</code></a> in <a href="https://redirect.github.com/apache/shiro/pull/2705";>apache/shiro#2705</a></li> <li>Add AGENTS.md + SECURITY.md linking the project's security model by <a href="https://github.com/potiuk";><code>@potiuk</code></a> in <a href="https://redirect.github.com/apache/shiro/pull/2702";>apache/shiro#2702</a></li> <li>[CI] Add pre-commit hook to validate the CITATION file; Add missing required field <code>message</code> by <a href="https://github.com/jbampton";><code>@jbampton</code></a> in <a href="https://redirect.github.com/apache/shiro/pull/2717";>apache/shiro#2717</a></li> <li>[CI] Add hook to validate dependabot.yml with pre-commit by <a href="https://github.com/jbampton";><code>@jbampton</code></a> in <a href="https://redirect.github.com/apache/shiro/pull/2716";>apache/shiro#2716</a></li> <li>chore: add branch protection rules by <a href="https://github.com/lprimak";><code>@lprimak</code></a> in <a href="https://redirect.github.com/apache/shiro/pull/2701";>apache/shiro#2701</a></li> <li><a href="https://github.com/apache/shiro/commit/2a1c4da29ca5767c4fcea6cd2551d556e3806272";>chore: removed branch protection from main, update github ruleset to include additional branches</a></li> <li>[CI] Pin to sha all pre-commit hooks and clean up by <a href="https://github.com/jbampton";><code>@jbampton</code></a> in <a href="https://redirect.github.com/apache/shiro/pull/2730";>apache/shiro#2730</a></li> <li>Configure EditorConfig for more file types by <a href="https://github.com/jbampton";><code>@jbampton</code></a> in <a href="https://redirect.github.com/apache/shiro/pull/2747";>apache/shiro#2747</a></li> <li>Update and expand the CITATION file by <a href="https://github.com/jbampton";><code>@jbampton</code></a> in <a href="https://redirect.github.com/apache/shiro/pull/2766";>apache/shiro#2766</a></li> <li><a href="https://redirect.github.com/apache/shiro/issues/2760";>#2760</a> chore: update shiro.doap file with more recent versions and maintainers by <a href="https://github.com/lprimak";><code>@lprimak</code></a> in <a href="https://redirect.github.com/apache/shiro/pull/2768";>apache/shiro#2768</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/potiuk";><code>@potiuk</code></a> made their first contribution in <a href="https://redirect.github.com/apache/shiro/pull/2702";>apache/shiro#2702</a></li> </ul> <h2>Dependency Updates</h2> <ul> <li>chore(deps): bump <a href="https://github.com/zizmorcore/zizmor-pre-commit";>https://github.com/zizmorcore/zizmor-pre-commit</a> from v1.24.1 to 1.25.2 in the pre-commit-hooks group by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/apache/shiro/pull/2709";>apache/shiro#2709</a></li> <li>chore(deps): bump org.apache:apache from 37 to 38 by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/apache/shiro/pull/2700";>apache/shiro#2700</a></li> <li>chore(deps): bump com.github.siom79.japicmp:japicmp-maven-plugin from 0.25.6 to 0.25.7 by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/apache/shiro/pull/2699";>apache/shiro#2699</a></li> <li>chore(deps): bump slf4j.version from 2.0.17 to 2.0.18 by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/apache/shiro/pull/2694";>apache/shiro#2694</a></li> <li>chore(deps): bump log4j.version from 2.25.4 to 2.26.0 by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/apache/shiro/pull/2697";>apache/shiro#2697</a></li> <li>chore(deps): bump org.apache.johnzon:johnzon-jsonb from 1.2.22 to 1.3.0 by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/apache/shiro/pull/2698";>apache/shiro#2698</a></li> <li>chore(deps): bump org.apache.cxf:cxf-rt-rs-client from 3.6.10 to 3.6.11 by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/apache/shiro/pull/2729";>apache/shiro#2729</a></li> <li>chore(deps): bump org.apache.cxf:cxf-bom from 3.6.10 to 3.6.11 by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/apache/shiro/pull/2728";>apache/shiro#2728</a></li> <li>chore(deps): bump com.github.siom79.japicmp:japicmp-maven-plugin from 0.25.7 to 0.26.0 by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/apache/shiro/pull/2727";>apache/shiro#2727</a></li> <li>chore(deps): bump org.omnifaces:omnifaces from 3.14.20 to 3.14.21 by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/apache/shiro/pull/2725";>apache/shiro#2725</a></li> <li>chore(deps): bump org.apache.commons:commons-configuration2 from 2.15.0 to 2.15.1 by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/apache/shiro/pull/2724";>apache/shiro#2724</a></li> <li>chore(deps): bump the github-actions-dependencies group with 3 updates by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/apache/shiro/pull/2723";>apache/shiro#2723</a></li> <li>chore(deps-dev): bump arquillian.core.version from 1.10.1.Final to 1.10.2.Final by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/apache/shiro/pull/2722";>apache/shiro#2722</a></li> <li>chore(deps-dev): bump org.apache.cxf:cxf-rt-frontend-jaxrs from 3.6.10 to 3.6.11 by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/apache/shiro/pull/2721";>apache/shiro#2721</a></li> <li>chore(deps): bump ch.qos.logback:logback-classic from 1.5.32 to 1.5.34 by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/apache/shiro/pull/2748";>apache/shiro#2748</a></li> <li>chore(deps): bump ch.qos.logback:logback-core from 1.5.32 to 1.5.34 by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/apache/shiro/pull/2749";>apache/shiro#2749</a></li> <li>chore(deps): bump org.jacoco:jacoco-maven-plugin from 0.8.14 to 0.8.15 by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/apache/shiro/pull/2765";>apache/shiro#2765</a></li> <li>chore(deps): bump the github-actions-dependencies group across 1 directory with 2 updates by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/apache/shiro/pull/2756";>apache/shiro#2756</a></li> <li>chore(deps): bump org.codehaus.gmavenplus:gmavenplus-plugin from 4.3.1 to 5.0.0 by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/apache/shiro/pull/2753";>apache/shiro#2753</a></li> <li>chore(deps): bump org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-bom from 3.3.6 to 3.3.7 by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/apache/shiro/pull/2750";>apache/shiro#2750</a></li> <li>chore(deps): bump com.github.siom79.japicmp:japicmp-maven-plugin from 0.26.0 to 0.26.1 by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/apache/shiro/pull/2751";>apache/shiro#2751</a></li> <li>chore(deps): bump bytebuddy.version from 1.18.8 to 1.18.10 by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/apache/shiro/pull/2752";>apache/shiro#2752</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/apache/shiro/compare/shiro-root-2.2.0...shiro-root-2.2.1";>https://github.com/apache/shiro/compare/shiro-root-2.2.0...shiro-root-2.2.1</a></p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/apache/shiro/blob/main/RELEASE-NOTES";>org.apache.shiro:shiro-core's changelog</a>.</em></p> <blockquote> <h1>Licensed to the Apache Software Foundation (ASF) under one</h1> <h1>or more contributor license agreements. See the NOTICE file</h1> <h1>distributed with this work for additional information</h1> <h1>regarding copyright ownership. The ASF licenses this file</h1> <h1>to you under the Apache License, Version 2.0 (the</h1> <h1>"License"); you may not use this file except in compliance</h1> <h1>with the License. You may obtain a copy of the License at</h1> <h1></h1> <h1><a href="http://www.apache.org/licenses/LICENSE-2.0";>http://www.apache.org/licenses/LICENSE-2.0</a></h1> <h1></h1> <h1>Unless required by applicable law or agreed to in writing,</h1> <h1>software distributed under the License is distributed on an</h1> <h1>"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY</h1> <h1>KIND, either express or implied. See the License for the</h1> <h1>specific language governing permissions and limitations</h1> <h1>under the License.</h1> <h4>DEPRECATED</h4> <p>Currently Apache Shiro uses GitHub releases for release notes, so this file is no longer being updated. It will be removed in a future release.</p> <h4>DEPRECATED</h4> <p>This is not an official release notes document. It exists for Shiro developers to jot down their notes while working in the source code. These notes will be combined with Jira’s auto-generated release notes during a release for the total set.</p> <p>###########################################################</p> <h1>2.0.0</h1> <p>###########################################################</p> <p>Improvement</p> <pre><code>[SHIRO-290] Implement bcrypt and argon2 KDF algorithms </code></pre> <h2>Backwards Incompatible Changes</h2> <ul> <li>Changed default DefaultPasswordService.java algorithm to "Argon2id".</li> <li>PasswordService.encryptPassword(Object plaintext) will now throw a NullPointerException on null parameter. It was never specified how this method would behave.</li> <li>Made salt non-nullable.</li> <li>Removed methods in PasswordMatcher.</li> </ul> <p>###########################################################</p> <h1>1.7.1</h1> <p>###########################################################</p> <p>Bug</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/apache/shiro/commit/9182c1df7b1363f8095fbe3d1ac728d0354bf8c1";><code>9182c1d</code></a> [maven-release-plugin] prepare release shiro-root-2.2.1</li> <li><a href="https://github.com/apache/shiro/commit/744128df61c5f6342b891d4ef53f79858f1d6398";><code>744128d</code></a> Deprecate RandomSessionIdGenerator due to insufficient entropy (<a href="https://redirect.github.com/apache/shiro/issues/2770";>#2770</a>)</li> <li><a href="https://github.com/apache/shiro/commit/e384e9d4c8e2f4fa6661cd631d84e8c48b091680";><code>e384e9d</code></a> chore(jacoco): added exclusion for weld client proxy (<a href="https://redirect.github.com/apache/shiro/issues/2769";>#2769</a>)</li> <li><a href="https://github.com/apache/shiro/commit/eed8ab006e12633810889678024d865c62422b3f";><code>eed8ab0</code></a> chore: update shiro.doap file with more recent versions and maintainers (<a href="https://redirect.github.com/apache/shiro/issues/2768";>#2768</a>)</li> <li><a href="https://github.com/apache/shiro/commit/049952468f7b36553ebd99d913597d0db3917395";><code>0499524</code></a> chore(deps): bump bytebuddy.version from 1.18.8 to 1.18.10 (<a href="https://redirect.github.com/apache/shiro/issues/2752";>#2752</a>)</li> <li><a href="https://github.com/apache/shiro/commit/bc928d0e4c434f888df72b12775b1ce2e468dd52";><code>bc928d0</code></a> Update and expand the CITATION file (<a href="https://redirect.github.com/apache/shiro/issues/2766";>#2766</a>)</li> <li><a href="https://github.com/apache/shiro/commit/dd5d0966dccc033c92d09080d7218fe714754717";><code>dd5d096</code></a> Configure EditorConfig for more file types (<a href="https://redirect.github.com/apache/shiro/issues/2747";>#2747</a>)</li> <li><a href="https://github.com/apache/shiro/commit/3b54e7132583cf903a08064e3a0a5b2552f1e6f7";><code>3b54e71</code></a> [CI] Pin to sha all pre-commit hooks and clean up (<a href="https://redirect.github.com/apache/shiro/issues/2730";>#2730</a>)</li> <li><a href="https://github.com/apache/shiro/commit/5da6b13e1e4ecd3aed65898c2e1fbe2fe1a6c706";><code>5da6b13</code></a> chore(deps): bump com.github.siom79.japicmp:japicmp-maven-plugin (<a href="https://redirect.github.com/apache/shiro/issues/2751";>#2751</a>)</li> <li><a href="https://github.com/apache/shiro/commit/169f55a79342123038a3d208bca0a5cfa8cc8c8a";><code>169f55a</code></a> chore(deps): bump org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-bom (<a href="https://redirect.github.com/apache/shiro/issues/2750";>#2750</a>)</li> <li>Additional commits viewable in <a href="https://github.com/apache/shiro/compare/shiro-root-1.13.0...shiro-root-2.2.1";>compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/apache/knox/network/alerts). </details> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
