@dependabot dependabot bot commented on behalf of github Sep 8, 2025

Bumps com.cedarsoftware:java-util from 3.3.2 to 4.1.0.

Changelog

Sourced from com.cedarsoftware:java-util's changelog.

4.1.0

  • FIXED: ClassUtilities.setUseUnsafe() is now thread-local instead of global, preventing race conditions in multi-threaded environments where concurrent threads need different unsafe mode settings

  • IMPROVED: ClassUtilities comprehensive improvements from GPT-5 review:

    🔒 SECURITY FIXES:

    • Enhanced class loading security with additional blocked prefixes: Added blocking for jdk.nashorn. package to prevent Nashorn JavaScript engine exploitation; added blocking for java.lang.invoke.MethodHandles$Lookup class which can open modules reflectively and bypass security boundaries
    • Added percent-encoded path traversal blocking: Enhanced resource path validation to block percent-encoded traversal sequences (%2e%2e, %2E%2E, etc.) before normalization; prevents bypass attempts using URL encoding
    • Enhanced resource path security: Added blocking of absolute Windows drive paths (e.g., "C:/...", "D:/...") in resource loading to prevent potential security issues
    • Enhanced security blocking: Added package-level blocking for javax.script.* to prevent loading of any class in that package
    • Added belt-and-suspenders alias security: addPermanentClassAlias() now validates classes through SecurityChecker.verifyClass() to prevent aliasing to blocked classes
    • Fixed security bypass in cache hits: Alias and cache hits now properly go through SecurityChecker.verifyClass() to prevent bypassing security checks
    • Updated Unsafe permission check: Replaced outdated "accessClassInPackage.sun.misc" permission with custom "com.cedarsoftware.util.enableUnsafe" permission appropriate for modern JDKs
    • Simplified resource path validation: Removed over-eager validation that blocked legitimate resources, focusing on actual security risks (.., null bytes, backslashes)
    • Improved validateResourcePath() precision: Made validation more precise - now only blocks null bytes, backslashes, and ".." path segments (not substrings), allowing legitimate filenames like "my..proto"

    ⚡ PERFORMANCE OPTIMIZATIONS:

    • Optimized constructor matching performance: Eliminated redundant toArray() calls per constructor attempt by converting collection to array once
    • Optimized resource path validation: Replaced regex pattern matching with simple character checks, eliminating regex engine overhead
    • Optimized findClosest() performance: Pull distance map once from ClassHierarchyInfo to avoid repeated computeInheritanceDistance() calls
    • Optimized findLowestCommonSupertypesExcluding performance: Now iterates the smaller set when finding intersection
    • Optimized findInheritanceMatches hot path: Pre-cache ClassHierarchyInfo lookups for unique value classes
    • Optimized loadClass() string operations: Refactored JVM descriptor parsing to count brackets once upfront, reducing string churn
    • Optimized hot-path logging performance: Added isLoggable() guards to all varargs logging calls to prevent unnecessary array allocations
    • Optimized getParameters() calls: Cached constructor.getParameters() results to avoid repeated allocations
    • Optimized buffer creation: Cached zero-length ByteBuffer and CharBuffer instances to avoid repeated allocations
    • Optimized trySetAccessible caching: Fixed to actually use its accessibility cache, preventing repeated failed setAccessible() attempts
    • Added accessibility caching: Implemented caching for trySetAccessible using synchronized WeakHashMap for memory-safe caching
    • Prevented zombie cache entries: Implemented NamedWeakRef with ReferenceQueue to automatically clean up dead WeakReference entries

    🐛 BUG FIXES:

    • Fixed interface depth calculation: Changed ClassHierarchyInfo to use max BFS distance instead of superclass chain walking
    • Fixed tie-breaking for common supertypes: Changed findLowestCommonSupertypesExcluding to sort by sum of distances from both classes
    • Fixed JPMS SecurityException handling: Added proper exception handling for trySetAccessible calls under JPMS
    • Fixed nameToClass initialization inconsistency: Added "void" type to static initializer and included common aliases in clearCaches()
    • Fixed tie-breaker logic: Corrected shouldPreferNewCandidate() to properly prefer more specific types
    • Fixed areAllConstructorsPrivate() for implicit constructors: Method now correctly returns false for classes with no declared constructors
    • Fixed mutable buffer sharing: ByteBuffer, CharBuffer, and array default instances are now created fresh on each call
    • Fixed inner class construction: Inner class constructors with additional parameters beyond enclosing instance are now properly matched
    • Fixed varargs ArrayStoreException vulnerability: Added proper guards when packing values into varargs arrays
    • Fixed named-parameter gating: Constructor parameter name detection now checks ALL parameters have real names
    • Fixed Currency default creation: Currency.getInstance(Locale.getDefault()) now gracefully falls back to USD
    • Fixed generated-key Map ordering: Fixed bug where Maps with generated keys could inject nulls when keys had gaps
    • Fixed loadResourceAsBytes() leading slash handling: Added fallback to strip leading slash when ClassLoader.getResourceAsStream() fails
    • Fixed OSGi class loading consistency: OSGi framework classes now loaded using consistent classloader
    • Fixed ClassLoader key mismatch: Consistently resolve null ClassLoader to same instance
    • Fixed computeIfAbsent synchronization: Replaced non-synchronized computeIfAbsent with properly synchronized getLoaderCache()
    • Fixed off-by-one in class load depth: Now validates nextDepth instead of currentDepth
    • Fixed OSGi/JPMS classloader resolution: Simplified loadClass() to consistently use getClassLoader() method
    • Fixed permanent alias preservation: Split aliases into built-in and user maps so clearCaches() preserves user-added permanent aliases

... (truncated)

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.
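As an added illustration, not java-util's own code, of the validateResourcePath() rules the changelog above describes: reject null bytes and backslashes, reject ".." only as a whole path segment (so "my..proto" stays legal), reject percent-encoded traversal before any decoding or normalization, and reject absolute Windows drive paths. The class name, method name and sample inputs are assumptions made for this example; it also treats mixed literal/encoded forms such as `%2e.` as traversal, which goes slightly beyond the entries quoted.

```java
import java.util.Locale;

// Illustration of the 4.1.0 resource-path rules; NOT the library's implementation.
public final class ResourcePathCheck {

    private ResourcePathCheck() {}

    /** Returns true if the resource path is acceptable under the rules above. */
    public static boolean isSafeResourcePath(String path) {
        if (path == null || path.isEmpty()) {
            return false;
        }
        // Null bytes and backslashes are rejected outright; a backslash would let
        // a "..\" segment slip past a forward-slash-only segment split.
        if (path.indexOf('\0') >= 0 || path.indexOf('\\') >= 0) {
            return false;
        }
        // Absolute Windows drive paths such as "C:/..." or "d:/..." are not resources.
        if (path.length() >= 3 && Character.isLetter(path.charAt(0))
                && path.charAt(1) == ':' && path.charAt(2) == '/') {
            return false;
        }
        // Percent-encoded traversal is checked BEFORE decoding/normalization so that
        // "%2e%2e/" and mixed-case "%2E%2e/" cannot bypass the literal ".." check.
        // The "%2e." / ".%2e" forms are an extra this example adds.
        String lower = path.toLowerCase(Locale.ROOT);
        if (lower.contains("%2e%2e") || lower.contains("%2e.") || lower.contains(".%2e")) {
            return false;
        }
        // ".." is rejected only as a whole segment, not as a substring.
        for (String segment : path.split("/")) {
            if (segment.equals("..")) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the project's tests.
        String[] accepted = {"config/app.properties", "my..proto", "schemas/v2/a.b.c.json"};
        String[] rejected = {"../secret.txt", "a/../../etc/passwd", "%2e%2e/keys",
                             "%2E%2e/keys", "C:/Windows/win.ini", "a\\..\\b", "bad\0name"};
        for (String p : accepted) System.out.println(p + " -> " + isSafeResourcePath(p));
        for (String p : rejected) System.out.println(p + " -> " + isSafeResourcePath(p));
    }
}
```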

Bumps [com.cedarsoftware:java-util](https://github.com/jdereg/java-util) from 3.3.2 to 4.1.0.
- [Changelog](https://github.com/jdereg/java-util/blob/master/changelog.md)
- [Commits](https://github.com/jdereg/java-util/commits)

---
updated-dependencies:
- dependency-name: com.cedarsoftware:java-util
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the labels dependencies (Pull requests that update a dependency file) and java (Pull requests that update Java code) on Sep 8, 2025