Skip to content

chore(deps): bump org.http4k:http4k-bom from 6.54.0.0 to 6.55.0.0#188

Merged
github-actions[bot] merged 1 commit into
mainfrom
dependabot/gradle/org.http4k-http4k-bom-6.55.0.0
Jul 6, 2026
Merged

chore(deps): bump org.http4k:http4k-bom from 6.54.0.0 to 6.55.0.0#188
github-actions[bot] merged 1 commit into
mainfrom
dependabot/gradle/org.http4k-http4k-bom-6.55.0.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps org.http4k:http4k-bom from 6.54.0.0 to 6.55.0.0.

Release notes

Sourced from org.http4k:http4k-bom's releases.

6.55.0.0

Changelog:

  • http4k-*: Upgrade versions including Toon to v2.0.0
  • http4k-server-undertow: [Unlikely Break] The request URI is now built from Undertow's raw request target instead of the already-decoded getRelativePath()
  • http4k-server-apache: [Unlikely Break] The request path and query are now built from the raw request-target.
  • http4k-client-jetty: [Fix] A request carrying both a body and an explicit Content-Length header no longer produces a duplicate Content-Length on the outgoing request.
  • http4k-multipart: [Unlikely Break] Nested multipart/mixed parts are now rejected with a ParseError instead of being parsed recursively, bounding parser stack usage on crafted inputs. The unbounded 3-argument StreamingMultipartFormParts.parse overload now applies a default 10MB stream-length cap.
  • http4k-core: [Unlikely Break] Cookie values are now percent-encoded on serialization so ;, , and control characters can no longer be interpreted as additional cookie attributes; the same characters are stripped from Domain/Path attributes. Existing quoting of normal values is unchanged.
  • http4k-core: [Unlikely Break] DefaultCookieStorage now only accepts a Set-Cookie Domain that domain-matches the origin host, and rejects dotless public-suffix domains (e.g. com), so a response from one host can no longer plant cookies scoped to another. Host-only and exact-host cookies (e.g. localhost, example.co.uk) are unaffected.
  • http4k-realtime-core/http4k-ai-mcp-sdk: [Unlikely Break] The HTTP transport now enforces DNS-rebind protection via the new ServerFilters.HttpRebindProtection.
  • http4k-connect-mpp/http4k-ai-mcp-mpp: [Break] MppVerifier.verify now receives the server-issued Challenge alongside the Credential, so verifiers can bind the payment to the challenge the server issued (checking id/opaque, expires and single-use), closing a bypass/replay gap. The HTTP, MCP and tool filters now reject a credential whose payment fields (realm/method/intent/request) don't match an offered challenge, before invoking the verifier. A malformed Authorization: Payment header now returns a 402 malformed-credential problem instead of a 500.
  • http4k-security-webauthn: [Unlikely Break] Passkeys.passwordless(...) now defaults to userVerification = REQUIRED.
  • http4k-core: Hardened docs: extracted path parameters are percent-decoded and may contain /, \ or .., so should be treated as untrusted; clearer warnings on the deliberately-loose ReverseProxyHostMatcher.Contains and on CorsPolicy.UnsafeGlobalPermissive.
  • http4k-api-ui-swagger-: [Fix] OAuth URI is not quoted properly
  • http4k-core: [Fix] Body.webForm/form parsing no longer truncates field values containing = (e.g. base64 padding); the value is now preserved intact.
  • http4k-serverless-lambda: [Fix] The API Gateway V1 and Application Load Balancer adapters now merge multi-value headers/query params.
  • http4k-serverless-lambda: [Fix] A request that fails to parse no longer reflects the exception message into the BAD_REQUEST response body.
  • http4k-serverless-tencent: [Fix] Requests with no query parameters no longer NPE.
  • http4k-serverless-openwhisk: [Fix] An event missing __ow_method now returns NOT_IMPLEMENTED instead of throwing an NPE.
  • http4k-connect-x402/http4k-ai-mcp-x402: The payment filters (HTTP + MCP) gain an optional resourceFor lambda; when supplied, a payment is rejected with 402 unless payload.resource matches, so a payment signed for one resource can't be replayed against another. Off by default (standard behaviour unchanged).
  • http4k-template-pug4j: The file-backed Caching renderer now applies the same canonical-path containment check as HotReload, rejecting template paths that escape the base directory.
  • http4k-core: URLConnectionHttpClient now accepts a BodyMode (defaulting to Memory), allowing responses to be streamed rather than always buffered fully into memory.
  • http4k-security-webauthn: Minor hardening and robustness improvements to passkey verification
Changelog

Sourced from org.http4k:http4k-bom's changelog.

v6.55.0.0

  • http4k-*: Upgrade versions including Toon to v2.0.0
  • http4k-server-undertow: [Unlikely Break] The request URI is now built from Undertow's raw request target instead of the already-decoded getRelativePath()
  • http4k-server-apache: [Unlikely Break] The request path and query are now built from the raw request-target.
  • http4k-client-jetty: [Fix] A request carrying both a body and an explicit Content-Length header no longer produces a duplicate Content-Length on the outgoing request.
  • http4k-multipart: [Unlikely Break] Nested multipart/mixed parts are now rejected with a ParseError instead of being parsed recursively, bounding parser stack usage on crafted inputs. The unbounded 3-argument StreamingMultipartFormParts.parse overload now applies a default 10MB stream-length cap.
  • http4k-core: [Unlikely Break] Cookie values are now percent-encoded on serialization so ;, , and control characters can no longer be interpreted as additional cookie attributes; the same characters are stripped from Domain/Path attributes. Existing quoting of normal values is unchanged.
  • http4k-core: [Unlikely Break] DefaultCookieStorage now only accepts a Set-Cookie Domain that domain-matches the origin host, and rejects dotless public-suffix domains (e.g. com), so a response from one host can no longer plant cookies scoped to another. Host-only and exact-host cookies (e.g. localhost, example.co.uk) are unaffected.
  • http4k-realtime-core/http4k-ai-mcp-sdk: [Unlikely Break] The HTTP transport now enforces DNS-rebind protection via the new ServerFilters.HttpRebindProtection.
  • http4k-connect-mpp/http4k-ai-mcp-mpp: [Break] MppVerifier.verify now receives the server-issued Challenge alongside the Credential, so verifiers can bind the payment to the challenge the server issued (checking id/opaque, expires and single-use), closing a bypass/replay gap. The HTTP, MCP and tool filters now reject a credential whose payment fields (realm/method/intent/request) don't match an offered challenge, before invoking the verifier. A malformed Authorization: Payment header now returns a 402 malformed-credential problem instead of a 500.
  • http4k-security-webauthn: [Unlikely Break] Passkeys.passwordless(...) now defaults to userVerification = REQUIRED.
  • http4k-core: Hardened docs: extracted path parameters are percent-decoded and may contain /, \ or .., so should be treated as untrusted; clearer warnings on the deliberately-loose ReverseProxyHostMatcher.Contains and on CorsPolicy.UnsafeGlobalPermissive.
  • http4k-api-ui-swagger-: [Fix] OAuth URI is not quoted properly
  • http4k-core: [Fix] Body.webForm/form parsing no longer truncates field values containing = (e.g. base64 padding); the value is now preserved intact.
  • http4k-serverless-lambda: [Fix] The API Gateway V1 and Application Load Balancer adapters now merge multi-value headers/query params.
  • http4k-serverless-lambda: [Fix] A request that fails to parse no longer reflects the exception message into the BAD_REQUEST response body.
  • http4k-serverless-tencent: [Fix] Requests with no query parameters no longer NPE.
  • http4k-serverless-openwhisk: [Fix] An event missing __ow_method now returns NOT_IMPLEMENTED instead of throwing an NPE.
  • http4k-connect-x402/http4k-ai-mcp-x402: The payment filters (HTTP + MCP) gain an optional resourceFor lambda; when supplied, a payment is rejected with 402 unless payload.resource matches, so a payment signed for one resource can't be replayed against another. Off by default (standard behaviour unchanged).
  • http4k-template-pug4j: The file-backed Caching renderer now applies the same canonical-path containment check as HotReload, rejecting template paths that escape the base directory.
  • http4k-core: URLConnectionHttpClient now accepts a BodyMode (defaulting to Memory), allowing responses to be streamed rather than always buffered fully into memory.
  • http4k-security-webauthn: Minor hardening and robustness improvements to passkey verification
Commits
  • abcd1be Release 6.55.0.0
  • abd6765 Remove pinned ktlint version
  • ed8f2a3 Add resource checking to X402, MPP
  • baeca7f Tweak X402 to check the resource URL that is being requested. Hardening.
  • e1ddfb9 Fix up MPP (non compile) and Cookie (overeager regex for delimiters) problems
  • 8b7a165 Don't use , as a delimiter in cookies
  • 369670e Revert non-compiling MPP changes
  • 3db6328 Various fixes/hardenings to a variety of modules.
  • a8ce81f Add static analysis (detekt and spotless configured) to build script and tidy...
  • f11e258 tidy up Anthropic API (#1573)
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels Jul 6, 2026
@github-actions github-actions Bot enabled auto-merge July 6, 2026 07:53
@dependabot dependabot Bot force-pushed the dependabot/gradle/org.http4k-http4k-bom-6.55.0.0 branch from 1e355d5 to 445f231 Compare July 6, 2026 07:57
Bumps [org.http4k:http4k-bom](https://github.com/http4k/http4k) from 6.54.0.0 to 6.55.0.0.
- [Release notes](https://github.com/http4k/http4k/releases)
- [Changelog](https://github.com/http4k/http4k/blob/master/CHANGELOG.md)
- [Commits](http4k/http4k@6.54.0.0...6.55.0.0)

---
updated-dependencies:
- dependency-name: org.http4k:http4k-bom
  dependency-version: 6.55.0.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/gradle/org.http4k-http4k-bom-6.55.0.0 branch from 445f231 to 3d3d035 Compare July 6, 2026 08:01
@github-actions github-actions Bot merged commit dd1e7cb into main Jul 6, 2026
2 checks passed
@github-actions github-actions Bot deleted the dependabot/gradle/org.http4k-http4k-bom-6.55.0.0 branch July 6, 2026 08:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file java Pull requests that update java code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants