fix(deps): update ktor monorepo to v3.4.1

[svc-secops]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
io.ktor:ktor-server-websockets	3.3.2 -> 3.4.1
io.ktor:ktor-client-cio	3.3.2 -> 3.4.1
io.ktor:ktor-server-cors	3.3.2 -> 3.4.1
io.ktor:ktor-server-core	3.3.2 -> 3.4.1
io.ktor:ktor-server-netty	3.3.2 -> 3.4.1

---

Release Notes

ktorio/ktor (io.ktor:ktor-server-websockets)

v3.4.1

Compare Source

Published 3 March 2026

Improvements

• KTOR-9382 HttpProtocolVersion.parse: fast path for common versions
• KTOR-9381 GMTDate: reduce allocations
• KTOR-8971 Support "operationId" in Kdoc for OpenAPI spec. gen.
• KTOR-9333 WebSockets: Infinite spin and potential OOM vulnerabilities in the Inflater.inflateFully method
• KTOR-5616 Ktor always adds by default an Accept-Charset header
• KTOR-9291 OpenAPI: handle atypical route functions
• KTOR-9293 OpenAPI describe needs defaults
• KTOR-9304 OpenAPI: Order of path parameters is not preserved in the spec
• KTOR-9353 Routing: TailcardSelector missing toString(), which clutters the logs

Bugfixes

• KTOR-9281 OpenApi code inference misses lambda argument bodies
• KTOR-9273 OpenAPI static content path appears in resulting model
• KTOR-9004 OpenAPI: No respective formats detected for serializable types like UUID or Instant
• KTOR-9305 OpenAPI: "No mapping for symbol: VAR FOR_LOOP_VARIABLE" error with codeInferenceEnabled=true
• KTOR-9279 OpenAPI: UnsupportedOperationException for a function with a reified type parameter codeInferenceEnabled = true
• KTOR-9289 OpenAPI: Resource routes are missing inferred and comment-based documentation
• KTOR-9330 OpenAPI: Cannot override kotlinx.serialization module
• KTOR-9320 OpenAPI: jsonSchema() does not unwrap Kotlin value classes (inline classes)
• KTOR-9352 Authentication: Creating JWT verifier fails for JWK with kty=EC and alg=null
• KTOR-9344 Flow invariant error happens after update to Ktor 3.4.0
• KTOR-9362 testApplication: Race condition in timeout coroutine when response is streaming
• KTOR-9274 Curl: Undefined symbol errors when linking on Linux since 3.4.0
• KTOR-8782 NodeJS CIO: "Module 'os' could not be imported" error on resolving WORKING_DIRECTORY_PATH with es2015 target
• KTOR-9348 String.decodeBase64String fails to decode when the input has no padding since 3.4.0
• KTOR-9318 CIO engine rejects valid certificates with unsupported signature algorithms
• KTOR-9331 Curl: Segfaults when working with WebSockets
• KTOR-9334 Coroutines in route handlers are dispatched with Dispatchers.Unconfined since 3.2.0
• KTOR-9339 StreamResetException is not propagated to the caller of StreamRequestBody.writeTo since 3.4.0
• KTOR-9329 HTMX: "on" attributes extension not working
• KTOR-9316 WasmJS bad get and set implementations for Uint8Array and ArrayLike
• KTOR-9272 JSON schema inference does not recognize unsigned types
• KTOR-9211 SendCountExceedException when request is sent twice with maxRetries = 0 since 3.3.2
• KTOR-9285 RateLimit: Milliseconds in the Retry-After header are truncated
• KTOR-7512 JWT: Docs for validate method claim that it's optional, but it isn't
• KTOR-9269 Incorrect dependency declaration in swagger / openapi
• KTOR-9372 Frame.Text.readText() causes infinite loop and 100% CPU on Kotlin/Native when WebSocket frame data is malformed or connection drops unexpectedly

v3.4.0

Compare Source

Published 22 January 2026

Features

• KTOR-8316 Support OpenAPI specification for the Ktor Client and Server Application
  • KTOR-9085 Read OpenAPI security details from authentication plugin
  • KTOR-8993 Use runtime-generated spec for OpenAPI / Swagger plugins
  • KTOR-9086 Read OpenAPI default content type information from ContentNegotiation plugin
  • KTOR-8859 Routing documentation compiler plugin
  • KTOR-8936 Routing documentation runtime API
  • KTOR-9087 Generate JSON schema for type references when using Jackson and Gson
• KTOR-7075 Zstd support
• KTOR-9209 Support Jackson 3
• KTOR-9198 Auth/Bearer: Make BearerAuthProvider detect disguised Bearer scheme
• KTOR-8927 Support for respondResource
• KTOR-9162 Auth API key plugin
• KTOR-7882 Support HTTP QUERY method
• KTOR-8195 Partial HTML response
• KTOR-8985 EngineMain: Support reading trust store settings from the configuration
• KTOR-9066 Add duplex streaming for OkHttpClient
• KTOR-8180 Auth: Provide control over tokens to user code
• KTOR-8273 iOS native interop for WebRTC client
• KTOR-8956 DI: Allow file configuration
• KTOR-9157 Support SIGINT on web and SIGTERM on Native

Improvements

• KTOR-8890 Rename target jsAndWasmShared to web
• KTOR-9242 Upgrade to Kotlin 2.3
• KTOR-9243 Update libcurl to 8.18.0
• KTOR-9014 Deprecate DarwinLegacy engine
• KTOR-8931 Test iOS target of the WebRTC Client in Ktor-Chat
• KTOR-9199 Make HttpHeaders strings const
• KTOR-9208 Expose plusIsSpace in parseUrlEncodedParameters
• KTOR-2404 Ktor Oauth2 feature sends 401 response when the client secret is invalid
• KTOR-9097 Java: Use HTTP/2 by default
• KTOR-8740 HTMX: Missing DSL for some attributes
• KTOR-9171 Redesign ByteReadChannel.readUTF8Line API
• KTOR-4219 Make readUTF8LineTo return number of read symbols instead of boolean
• KTOR-6761 Apache5: Simplify configuration of ConnectionManager
• KTOR-9037 Multipart/form-data: Make formData's block inline
• KTOR-9126 Missing function ByteReadChannel.readTo(sink: RawSink, byteCount: Long)
• KTOR-9026 Introduce/reuse interfaces for logging selectors
• KTOR-6766 Deprecate Apache 4 engine
• KTOR-8642 Excessive memory allocations while writing bytes into write channel of TCP/IP socket
• KTOR-9137 ByteReadChannel.readUTF8Line is inefficient for long lines
• KTOR-8657 Remove kotlinx-datetime from ktor-server-default-headers dependencies
• KTOR-8941 Add override DI conflict policy

Bugfixes

• KTOR-9258 headers { } block does not affect the request in defaultRequest due to function name collision with io.ktor.http.headers
• KTOR-9235 HttpCookies: Support parsing non-compilant Expires dates of Set-Cookie header
• KTOR-8945 ByteReadChannel.readUTF8Line doesn't throw TooLongLineException when the limit is reached
• KTOR-8339 Curl: caPath is not set by default in the Curl client on linuxArm64
• KTOR-9188 WebRTC. IceServer.urls should be a list.
• KTOR-9148 Logging: Body logging of multipart/form-data requests hangs when OkHttp format is on
• KTOR-9166 CORS: Excessive logs on INFO level since 3.3.3
• KTOR-9130 Missing implementation of getPluginId method error with Kotlin 2.3.0-RC
• KTOR-9147 OpenAPI: "AssertionError: Cannot add a performance measurements" leading to StackOverflowError within a multimodule project
• KTOR-2162 JettyKtorHandler executor will never grow beyond core size
• KTOR-9201 audio/x-matroska is wrongly recognized as mkv type
• KTOR-9146 Run HttpStatement.execute on the engine's dispatcher
• KTOR-6300 Native engines should use Dispatchers.IO not Dispatchers.Unconfined
• KTOR-9098 Curl: HttpResponse.version always returns HTTP_1_1
• KTOR-9100 Curl always uses HTTP/1.1
• KTOR-7162 DefaultRequest: Configuration applied twice for client created with HttpClient.config
• KTOR-9102 SSE: Java engine does not close the underlying connection when SSE session is canceled
• KTOR-9108 SSE: The handler adds Connection: Keep-Alive header, which is incompatible with HTTP/2
• KTOR-7884 Auth: The MutableList cannot be accessed since 3.0.0
• KTOR-6569 Bearer auth: Don't cache client bearer token (option)
• KTOR-4946 Auth: Bearer authentication - unable to update tokens
• KTOR-4759 Auth: BearerAuthProvider caches result of loadToken until process death
• KTOR-9129 Fix SendCountExceedException when maxRetries = Int.MAX_VALUE
• KTOR-9113 Netty HTTP2 server hangs on the plugin exception
• KTOR-9135 buildOpenApi fails with unknown serializer
• KTOR-8285 Bearer Auth: request cancellation causes refresh token invalidation
• KTOR-5241 The decodeBase64Bytes method doesn't throw an exception on illegal base64 characters
• KTOR-8912 Incorrect KDoc of ApplicationConfig.tryGetStringList
• KTOR-9079 The ktor-server-test-host module, having junit-jupiter runtime dependency, causes conflicts
• KTOR-7713 HttpCallValidatorConfig.handleResponseException() should receive a CallExceptionHandler
• KTOR-7121 testApplication: Test HTTP client does not use specified coroutine dispatcher
• KTOR-8785 DI: JobCancellationException during cleanup
• KTOR-6198 Client/WebSocket/Darwin close code and reason are incorrect
• KTOR-7824 Ktor doesn't parse multiple headers

v3.3.3

Compare Source

Published 26 November 2025

Improvements

• KTOR-6837 Discrepancies when parsing URL host with CIO and Darwin engines compared to the rest engines
• KTOR-9050 Logging: SimpleLogger should be an object, not a class
• KTOR-9094 Jetty Client: Support HTTP/2 over cleartext (h2c)
• KTOR-9120 OpenAPI gen: missing operationId for KDoc fields
• KTOR-3019 Improve logging for CORS plugin

Bugfixes

• KTOR-8671 Netty: RejectedExecutionException during shutdown on MacOS when dev mode is enabled
• KTOR-9096 Darwin: New SSE handlers stop responding after canceling few SSE sessions
• KTOR-9125 Double ResponseSent invocation when exception is thrown after respond
• KTOR-8878 OpenAPI: StackOverflowError when a response object has property with @​Contextual serializer
• KTOR-8947 Java, ContentEncoding: IllegalHeaderNameException is thrown for ":status" pseudo header with HTTP/2
• KTOR-9092 NettyHttp2Handler throws IllegalArgumentException: 'ktor.ApplicationCall' is already in use
• KTOR-8924 Curl: Client sends both Transfer-Encoding and Content-Length headers for DELETE requests with body
• KTOR-8838 Exception handling issue in client cache

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - "after 8am and before 4pm on tuesday" in timezone Etc/UTC.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

This PR has been generated by Renovate Bot.