Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump org.clojure:clojure from 1.11.4 to 1.12.0 #1030

Merged
merged 1 commit into from
Sep 9, 2024

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Sep 8, 2024

Bumps org.clojure:clojure from 1.11.4 to 1.12.0.

Changelog

Sourced from org.clojure:clojure's changelog.

Changes to Clojure in Version 1.12.0

1 Compatibility

1.1 Java 8 - Compatiblity EOL notice

Clojure 1.12 produces Java 8 bytecode (same as Clojure 1.10 and 1.11), but this is expected to be the last release using a Java 8 baseline. Future releases will move the bytecode and minimum Java compatibility to a newer Java LTS release.

1.2 Java 21 - Virtual thread pinning from user code under synchronized

Clojure users want to use virtual threads on JDK 21. Prior to 1.12, Clojure lazy-seqs and delays, in order to enforce run-once behavior, ran user code under synchronized blocks, which as of JDK 21 don't yet participate in cooperative blocking. Thus if that code did e.g. blocking I/O it would pin a real thread. JDK 21 may emit warnings for this when using -Djdk.tracePinnedThreads=full.

To avoid this pinning, in 1.12 lazy-seq and delay use locks instead of synchronized blocks.

See: CLJ-2804

1.3 Security

Fix CVE-2024-22871 detailed in GHSA-vr64-r9qj-h27f:

  • CLJ-2839 iterate, cycle, repeat - infinite seqs have infinite hashCode()

1.4 Serialization

CLJ-1327 explicitly sets the Java serialization identifier for the classes in Clojure that implement Java serialization. In Clojure 1.11.0 this changed for two classes unnecessarily and we reverted those changes in Clojure 1.11.1 - this completes that work for the rest of the classes.

Clojure data types have implemented the Java serialization interfaces since Clojure 1.0. Java serialization is designed to save graphs of Java instances into a byte stream. Every class has an identifier (the serialVersionUID) that is automatically generated based on the class name, it's type hierarchy, and the serialized fields. At deserialization time, deserialization can only occur when the available class has an identifier that matches the class id recorded in the serialized bytes.

Clojure has never provided a guarantee of serialization consistency across Clojure versions, but we do not wish to break compatibility any more than necessary and these changes will give us more control over that in the future.

See: CLJ-1327

1.5 Dependencies

Updated dependencies:

  • spec.alpha dependency to 0.5.238 - changes
  • core.specs.alpha dependency to 0.4.74 - changes

See: CLJ-2852

2 Features

2.1 Add libraries for interactive use

There are many development-time cases where it would be useful to add a library interactively without restarting the JVM - speculative evaluation, adding a known dependency to your project, or adding a library to accomplish a specific task.

Clojure now provides new functions to add libraries interactively, without restarting the JVM or losing the state of your work:

  • add-lib takes a lib that is not available on the classpath, and makes it available by downloading (if necessary) and adding to the classloader. Libs already on the classpath are not updated. If the coordinate is not provided, the newest Maven or git (if the library has an inferred git repo name) version or tag are used.

... (truncated)

Commits
  • d4bb93f [maven-release-plugin] prepare release clojure-1.12.0
  • 23d0f98 fix link in changelog
  • 90e7dd0 [maven-release-plugin] prepare for next development iteration
  • b3bd4cd [maven-release-plugin] prepare release clojure-1.12.0-rc2
  • ad54fec CLJ-2881: Making asm-type function array class symbol aware.
  • 5ae9587 CLJ-2873 add-libs - reload data-readers if new libs were added
  • 48b1fe5 Update changelog for 1.12.0-rc1
  • faeda7a [maven-release-plugin] prepare for next development iteration
  • 9a13d44 [maven-release-plugin] prepare release clojure-1.12.0-rc1
  • 37b6f5a CLJ-2145 Fix clearing of closed overs in ^:once fns, recur to head of :once f...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [org.clojure:clojure](https://github.com/clojure/clojure) from 1.11.4 to 1.12.0.
- [Changelog](https://github.com/clojure/clojure/blob/master/changes.md)
- [Commits](clojure/clojure@clojure-1.11.4...clojure-1.12.0)

---
updated-dependencies:
- dependency-name: org.clojure:clojure
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Sep 8, 2024
@martin-g martin-g merged commit fdb6205 into master Sep 9, 2024
1 check passed
@dependabot dependabot bot deleted the dependabot/maven/org.clojure-clojure-1.12.0 branch September 9, 2024 05:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file java Pull requests that update Java code
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant