dependabot[bot] opened a new pull request, #3725:
URL: https://github.com/apache/storm/pull/3725

   Bumps [org.clojure:clojure](https://github.com/clojure/clojure) from 1.11.2 
to 1.12.0.
   <details>
   <summary>Changelog</summary>
   <p><em>Sourced from <a 
href="https://github.com/clojure/clojure/blob/master/changes.md">org.clojure:clojure's
 changelog</a>.</em></p>
   <blockquote>
   <h1>Changes to Clojure in Version 1.12.0</h1>
   <h2>1 Compatibility</h2>
   <h3>1.1 Java 8 - Compatibility EOL notice</h3>
   <p>Clojure 1.12 produces Java 8 bytecode (same as Clojure 1.10 and 1.11), 
but this is expected to be the last release using a Java 8 baseline. Future 
releases will move the bytecode and minimum Java compatibility to a newer Java 
LTS release.</p>
   <h3>1.2 Java 21 - Virtual thread pinning from user code under 
<code>synchronized</code></h3>
   <p>Clojure users want to use virtual threads on JDK 21. Prior to 1.12, 
Clojure lazy-seqs and delays, in order to enforce run-once behavior, ran user 
code under synchronized blocks, which as of JDK 21 don't yet participate in 
cooperative blocking. Thus if that code did e.g. blocking I/O it would pin a 
real thread. JDK 21 may emit warnings for this when using 
<code>-Djdk.tracePinnedThreads=full</code>.</p>
   <p>To avoid this pinning, in 1.12 <code>lazy-seq</code> and 
<code>delay</code> use locks instead of synchronized blocks.</p>
   <p>See: <a 
href="https://clojure.atlassian.net/browse/CLJ-2804">CLJ-2804</a></p>
   <h3>1.3 Security</h3>
   <p>Fix <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2024-22871">CVE-2024-22871</a> 
detailed in <a 
href="https://github.com/advisories/GHSA-vr64-r9qj-h27f">GHSA-vr64-r9qj-h27f</a>:</p>
   <ul>
   <li><a href="https://clojure.atlassian.net/browse/CLJ-2839">CLJ-2839</a> 
<code>iterate</code>, <code>cycle</code>, <code>repeat</code> - infinite seqs 
have infinite <code>hashCode()</code></li>
   </ul>
   <h3>1.4 Serialization</h3>
   <p><a href="https://clojure.atlassian.net/browse/CLJ-1327">CLJ-1327</a> 
explicitly sets the Java serialization identifier for the classes in Clojure 
that implement Java serialization. In Clojure 1.11.0 this changed for two 
classes unnecessarily and we reverted those changes in Clojure 1.11.1 - this 
completes that work for the rest of the classes.</p>
   <p>Clojure data types have implemented the Java serialization interfaces 
since Clojure 1.0. Java serialization is designed to save graphs of Java 
instances into a byte stream. Every class has an identifier (the 
serialVersionUID) that is automatically generated based on the class name, its 
type hierarchy, and the serialized fields. At deserialization time, 
deserialization can only occur when the available class has an identifier that 
matches the class id recorded in the serialized bytes.</p>
   <p>Clojure has never provided a guarantee of serialization consistency 
across Clojure versions, but we do not wish to break compatibility any more 
than necessary and these changes will give us more control over that in the 
future.</p>
   <p>See: <a 
href="https://clojure.atlassian.net/browse/CLJ-1327">CLJ-1327</a></p>
   <h3>1.5 Dependencies</h3>
   <p>Updated dependencies:</p>
   <ul>
   <li>spec.alpha dependency to 0.5.238 - <a 
href="https://github.com/clojure/spec.alpha/blob/master/CHANGES.md">changes</a></li>
   <li>core.specs.alpha dependency to 0.4.74 - <a 
href="https://github.com/clojure/core.specs.alpha/blob/master/CHANGES.md">changes</a></li>
   </ul>
   <p>See: <a 
href="https://clojure.atlassian.net/browse/CLJ-2852">CLJ-2852</a></p>
   <h2>2 Features</h2>
   <h3>2.1 Add libraries for interactive use</h3>
   <p>There are many development-time cases where it would be useful to add a 
library interactively without restarting the JVM - speculative evaluation, 
adding a known dependency to your project, or adding a library to accomplish a 
specific task.</p>
   <p>Clojure now provides new functions to add libraries interactively, 
without restarting the JVM or losing the state of your work:</p>
   <ul>
   <li><a 
href="https://clojure.github.io/clojure/branch-master/clojure.repl-api.html#clojure.repl.deps/add-lib">add-lib</a>
 takes a lib that is not available on the classpath, and makes it available by 
downloading (if necessary) and adding to the classloader. Libs already on the 
classpath are not updated. If the coordinate is not provided, the newest Maven 
or git (if the library has an inferred git repo name) version or tag are 
used.</li>
   </ul>
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a 
href="https://github.com/clojure/clojure/commit/d4bb93f0d1ab2004f89c6ead1b32449fd7ed1a6d"><code>d4bb93f</code></a>
 [maven-release-plugin] prepare release clojure-1.12.0</li>
   <li><a 
href="https://github.com/clojure/clojure/commit/23d0f989803d4312a6bacb8f9166ce7cb8a5cac6"><code>23d0f98</code></a>
 fix link in changelog</li>
   <li><a 
href="https://github.com/clojure/clojure/commit/90e7dd03afa7740efe269fad41ceea220d31143d"><code>90e7dd0</code></a>
 [maven-release-plugin] prepare for next development iteration</li>
   <li><a 
href="https://github.com/clojure/clojure/commit/b3bd4cdd325878ad9cec3410afb95041c0a61303"><code>b3bd4cd</code></a>
 [maven-release-plugin] prepare release clojure-1.12.0-rc2</li>
   <li><a 
href="https://github.com/clojure/clojure/commit/ad54fecd0bdff38bde8ae057887ad8b724fdd661"><code>ad54fec</code></a>
 CLJ-2881: Making asm-type function array class symbol aware.</li>
   <li><a 
href="https://github.com/clojure/clojure/commit/5ae95872738b3e0aacfa5d38069d528b590a5059"><code>5ae9587</code></a>
 CLJ-2873 add-libs - reload <em>data-readers</em> if new libs were added</li>
   <li><a 
href="https://github.com/clojure/clojure/commit/48b1fe5b50d48603f2c1fbd38223a7284520d1ed"><code>48b1fe5</code></a>
 Update changelog for 1.12.0-rc1</li>
   <li><a 
href="https://github.com/clojure/clojure/commit/faeda7a552dcb8fe5faf8059ec5ab6421121bd51"><code>faeda7a</code></a>
 [maven-release-plugin] prepare for next development iteration</li>
   <li><a 
href="https://github.com/clojure/clojure/commit/9a13d44a5b79bf50ba8c64392354e89652c30fcb"><code>9a13d44</code></a>
 [maven-release-plugin] prepare release clojure-1.12.0-rc1</li>
   <li><a 
href="https://github.com/clojure/clojure/commit/37b6f5a755f3d82295134a5419c7f3123013ef49"><code>37b6f5a</code></a>
 CLJ-2145 Fix clearing of closed overs in ^:once fns, recur to head of :once 
f...</li>
   <li>Additional commits viewable in <a 
href="https://github.com/clojure/clojure/compare/clojure-1.11.2...clojure-1.12.0">compare
 view</a></li>
   </ul>
   </details>
   <br />
   
   
   [![Dependabot compatibility 
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.clojure:clojure&package-manager=maven&previous-version=1.11.2&new-version=1.12.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   
   [//]: # (dependabot-automerge-start)
   [//]: # (dependabot-automerge-end)
   
   ---
   
   <details>
   <summary>Dependabot commands and options</summary>
   <br />
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that 
have been made to it
   - `@dependabot merge` will merge this PR after your CI passes on it
   - `@dependabot squash and merge` will squash and merge this PR after your CI 
passes on it
   - `@dependabot cancel merge` will cancel a previously requested merge and 
block automerging
   - `@dependabot reopen` will reopen this PR if it is closed
   - `@dependabot close` will close this PR and stop Dependabot recreating it. 
You can achieve the same result by closing it manually
   - `@dependabot show <dependency name> ignore conditions` will show all of 
the ignore conditions of the specified dependency
   - `@dependabot ignore this major version` will close this PR and stop 
Dependabot creating any more for this major version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this minor version` will close this PR and stop 
Dependabot creating any more for this minor version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop 
Dependabot creating any more for this dependency (unless you reopen the PR or 
upgrade to it yourself)
   
   
   </details>


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
