fix: add Java 23+/24+ compatibility JVM args and upgrade commons-lang3 to 3.20.0

[jamesfredley]

Summary

• Add version-conditional JVM arguments in GrailsGradlePlugin to suppress warnings on Java 23+ and 24+
• Override commons-lang3 from 3.17.0 (Spring Boot managed) to 3.20.0 in the Grails BOM
• Include Gradle TestKit functional tests for the JVM arg configuration

Changes

1. Java compatibility JVM args in GrailsGradlePlugin (#15216, #15343)

Adds configureJavaCompatibilityArgs(Project) which conditionally applies JVM flags to all Test and JavaExec tasks based on the target Java version (toolchain-aware, falls back to current JVM):

Flag	Java Version	Why
--sun-misc-unsafe-memory-access=allow	23+	JEP 471/498 - Netty 4.1.x uses sun.misc.Unsafe.allocateMemory for off-heap buffers. Terminal deprecation warnings appear on 23+. Suppresses until Netty migrates to MemorySegment (Netty 4.2+).
--enable-native-access=ALL-UNNAMED	24+	JEP 472 - hawtjni (JLine 2.x) and Netty call System.loadLibrary/native methods. Warning-only now, becomes mandatory deny in a future JDK.

Flags are not added on Java 17-22, avoiding Unrecognized option errors.

Note on #15343: The original issue suggested --add-opens=java.base/sun.misc=ALL-UNNAMED, but that flag addresses module visibility, not the sun.misc.Unsafe memory-access deprecation. The correct flag is --sun-misc-unsafe-memory-access=allow.

2. commons-lang3 BOM override to 3.20.0 (#15045)

Spring Boot 3.5.x manages commons-lang3 at 3.17.0, which has two issues:

• LANG-1786: FastDatePrinter uses deprecated three-letter timezone IDs (e.g. PST, CST, EST), causing a flood of WARNING: Use of the three-letter time zone ID "XYZ" is deprecated messages on Java 25
• CVE-2025-48924: StackOverflowError in ClassUtils.getClass with crafted input (fixed in 3.18.0+)

Non-breaking changes analysis (3.17.0 -> 3.20.0)

All versions in this range require Java 8+ (unchanged baseline). There are no breaking changes:

Category	Details
Removed methods	None
Changed signatures	None
Changed behavior	LocaleUtils.toLocale() now accepts 2-letter country codes it previously rejected (more lenient, not breaking)
New deprecations	Several methods deprecated in favor of newer alternatives - existing calls continue to work
New methods	Additions to StringUtils, ArrayUtils, ClassUtils, etc. - purely additive
Bug fixes	LANG-1786 (timezone), LANG-1770 (NumberUtils), LANG-1754 (DurationUtils), among others
Security fixes	CVE-2025-48924 (ClassUtils StackOverflow)

3. Tests

New GrailsGradlePluginJavaCompatSpec with 4 Gradle TestKit functional tests:

Test	Toolchain	Verifies
No toolchain (current JDK)	None	Args match current JDK version
Toolchain = current JDK	Dynamic	Args match current JDK version
Toolchain = 23	23	Only --sun-misc-unsafe-memory-access=allow
Toolchain = 24	24	Both flags on both Test and JavaExec tasks

Files Changed

• grails-gradle/plugins/.../GrailsGradlePlugin.groovy - Added configureJavaCompatibilityArgs(), resolveTargetJavaVersion(), new imports
• dependencies.gradle - Added commons-lang3.version: 3.20.0 and commons-lang3 BOM entry
• grails-gradle/plugins/.../GrailsGradlePluginJavaCompatSpec.groovy - New test spec
• grails-gradle/plugins/.../test-projects/java-compat-* - 4 new test fixture projects

Related Issues

• Closes WARNING: Use of the three-letter time zone ID "ABC" is deprecated and it will be removed in a future release #15045
• Closes grails-cli: java.lang.System::loadLibrary has been called by org.fusesource.hawtjni.runtime.Library in Java 25 #15216
• Closes sun.misc.Unsafe::allocateMemory has been called by io.netty.util.internal.PlatformDependent #15343