fix(deps): update dependency org.glassfish.jersey.core:jersey-client to v2.46 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
org.glassfish.jersey.core:jersey-client (source)	2.37 -> 2.46

GitHub Vulnerability Alerts

CVE-2025-12383

In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but under certain conditions, it could lead to unauthorized trust in insecure servers (see PoC)

---

Release Notes

eclipse-ee4j/jersey (org.glassfish.jersey.core:jersey-client)

v2.46

Compare Source

[Pull 5749] - Jersey update from 3.1.3 to 3.1.4 slows down our external service res…

[Pull 5750] - Use Skipping Analyzer always

[Pull 5751] - test(flaky): fix paramter type assert in testBothAnnotatedConstructor test case

[Pull 5754] - test(flaky): Sorting headers for deterministic order

[Pull 5755] - Netty connector hang up after repeated buffer overflow errors when writing data #​5753

[Pull 5758] - Bump commons-io:commons-io from 2.11.0 to 2.14.0 in /tools/jersey-release-notes-maven-plugin

[Pull 5759] - Added test for JerseyChunkedInputStreamClose

[Pull 5760] - Adopt ASM 9.7.1 (JDK 24)

[Pull 5761] - Adopt Jackson 2.18.0

[Pull 5768] - fixed flaky test in testDisabledModule()

[Pull 5784] - Jersey 3.1.9: java.lang.NoSuchMethodException: jakarta.inject.Inject.value() #​5782

[Pull 5788] - Wrapping all methods of the EntityInputStream

[Pull 5792] - [2.x] ParamConverterProvider constructors are now protected to allow extensibility

[Pull 5800] - NettyConnector - HOST header contains port & 307 works with buffered post

[Pull 5801] - Set correct HOST header for Netty & POST

[Pull 5809] - Fixed memory leak in Micrometer code when exceptions are returned from the method

[Pull 5813] - Fix memory leak when client does not use HK2

[Pull 5816] - Allow to configure Jackson's JaxRSFeature on Jersey DefaultJacksonJaxbJsonProvider

[Pull 5819] - Build & run with JDK 24

v2.45

Compare Source

[Pull 5715] - Release a reference to threadlocal on shutdown

[Pull 5731] - Allow to disable JSON-B using System properties

v2.44

Compare Source

[Pull 5636] - Allow long content length in the JDK connector

[Pull 5639] - Allow having multiple annotations for multipart endpoint with @​FormDataParam in any order

[Pull 5642] - Remove synchronized from Apache stream wrappers

[Pull 5643] - Document Multipart Configuration.

[Pull 5644] - Refactoring Maven build process

[Pull 5648] - Support for Virtual Threads in Executor Services

[Pull 5649] - MAX_HEADER_SIZE for the Netty connector

[Pull 5652] - Unify the SniConfigurator with other branches

[Pull 5664] - More release checks

[Pull 5665] - update Jackson to 2.17.1

[Pull 5666] - [2.x] mvn build improvements

[Pull 5669] - prevent calling ServletRequest#getInputStream if FILTER_FORWARD_ON_404

[Pull 5673] - Support missing Content-Length header

[Pull 5677] - Prevent blowing connections number for reoccurring SSLContextFatories

[Pull 5685] - Better explanation of missing jersey-hk2 module consequences.

[Pull 5688] - Wrap call of deprecated HttpServletResponse#setStatus into try catch

[Pull 5689] - Support Multipart with Buffered Entity and Netty Connector

[Pull 5690] - Prevent NPE in micrometer when there is no response & 404

[Pull 5698] - Last-Modified header is garbled when accessing wadl document on Japanese locale

[Pull 5705] - Allow ChunkedInput#close to close the underlying stream

[Pull 5706] - Propagate WebApplicationException from SseEventSource to provided error handler

[Pull 5707] - Fix intermittent failure in BroadcasterExecutorTest

v2.43

Compare Source

[Pull 5574] - Backing up CI/CD jobs into the Jersey project

[Pull 5580] - Adopt ASM 9.7

[Pull 5592] - Micrometer - Add missing metrics for cases of client errors

[Pull 5604] - Prevent Jackson failing while loading Modules (classloader issues)

[Pull 5605] - Cleaning redundant plugins from plugin management

[Pull 5606] - clean CI/CD scripts from the main project

[Pull 5608] - ObjectMapper.findModules throws Error

[Pull 5613] - Allow the internal package to be a part of the Jersey APIDoc

[Pull 5614] - Added support for HK2 factories, binders to comply with documentation.

[Pull 5617] - Allow for overriding the SNIHostName or turn it off. Allow for Domain Fronting.

[Pull 5621] - Add ability to configure the queue capacity for ChunkedOutput

[Pull 5622] - Document a workaround for HTTP Patch & provide tests

[Pull 5624] - Ensure the RequestScope and other singleton bindings are registered just once

[Pull 5625] - align CONTRIBUTING.md with Eclipse actual requirements

[Pull 5627] - Prevent NPE in Jersey Spring RequestContextFilter

[Pull 5628] - Lazy Load TracingLogger to track MATCH_RESOURCE_METHOD

[Pull 5629] - prevent synchronized blocking the virtual threads in JDK21

[Pull 5631] - 2.x versions update

[Pull 5632] - Multirelease includes JDK21 to support Thread.isVirtual()

[Pull 5633] - Excluding JDK21 multi-release from jaxrs bundle

v2.42

Compare Source

[Pull 5469] - Allow @​Priority for ExceptionMapper

[Pull 5473] - SameSite is capital first letter only.

[Pull 5475] - RegularExpression in Uri Template IS NOT optional

[Pull 5487] - Prevent Netty connection from being stuck

[Pull 5493] - [2.x] backport of the #​5490

[Pull 5506] - Adopt Jackson 2.16.1

[Pull 5507] - prevent NPE when WebAppException#getResponse returns null

[Pull 5511] - Add URL of KeyStore and TrustStore to SslConfigurator

[Pull 5514] - ASCII encode ContentDisposition file name

[Pull 5536] - Add Apache5 properties to be grabbed by config

[Pull 5537] - Put duplicated methods into a common superclass

[Pull 5542] - Propagate Future.cancel() to connectors

[Pull 5544] - Add a logger for a request notifying Jersey Container is involved

[Pull 5557] - Drop JDK 7 profile

[Pull 5560] - [2.x] versions update

[Pull 5561] - [2.x] GitHub action validations added

v2.41

Compare Source

[Pull 5294] - HTTP/2 for Jetty connector

[Pull 5296] - HTTP/2 for Jetty container

[Pull 5350] - Using Java7+ NIO API for improved performance

[Pull 5359] - Race condition

[Pull 5364] - Save time by not inspecting configuration for property when in PropertiesDelegate

[Pull 5365] - Update war.plugin to work with jdk 21

[Pull 5373] - Issue #​3493 - backport BeanParams support from 3.x

[Pull 5378] - GraalVM 20.0.1 adaptation

[Pull 5379] - RFC 6570 implementation

[Pull 5387] - Encode curly brackets in proxy client

[Pull 5390] - update license check plugin to the latest released version

[Pull 5391] - Added jersey-micrometer module

[Pull 5392] - Fix nio failures on Windows

[Pull 5393] - Deprecate duplicated methods and fields in MBR/MBW

[Pull 5394] - Allowing using SSLContext supplier per request by the NettyConnector

[Pull 5405] - Prevent Class Cast Exception in cases where two classloaders handle t…

[Pull 5410] - Jetty HTTP2 modules added to the bom/pom.xml

[Pull 5412] - Netty Expect:100-continue feature support

[Pull 5417] - Fix normalizing URIs with percent encoded symbols

[Pull 5418] - ApiDocs fixes

[Pull 5423] - Filter headers for netty HTTP redirect and CONNECT requests

[Pull 5424] - Fix Jackson 15 -> Jackson 2.15

[Pull 5426] - Propagate back-pressure correctly in MP REST Client SSE publisher

[Pull 5427] - UserGuide and example extended for Micrometer integration

[Pull 5431] - Expect:100-continue fixes for Netty

[Pull 5432] - Decode extended filename in multipart content-disposition

[Pull 5435] - Fixing servlet ResponseWriter#writeResponseStatusAndHeaders for error states

[Pull 5436] - Support multipart by Jetty & Netty

[Pull 5440] - Adopt ASM 9.6

[Pull 5442] - Review Netty Connector

[Pull 5443] - proper way of removing a handler (Netty Connector, Expect100ContinueHandler)

[Pull 5444] - ApiDocs bundle fix

[Pull 5445] - Fix query param in UriBuilder

v2.40

Compare Source

[Pull 5298] - Do not encode slash in templates in MP RestClient

[Pull 5299] - Do not completely swallow the cdi exception on error

[Pull 5305] - Adopt ASM 9.5

[Pull 5306] - Support NettyConnector & RequestEntityProcessing.BUFFERED

[Pull 5310] - Better support inheritance in Resource Methods

[Pull 5311] - Changes to InterceptorInvocationContext related to the integration with Helidon

[Pull 5319] - Additional logging for SNI

[Pull 5320] - Guard list of headers for modifications

[Pull 5324] - Handle equals and hashCode on MicroProfile client proxies

[Pull 5326] - Return null instead of throwing exception when querystring parameter is missing

[Pull 5330] - Fix possible NPE in netty client

[Pull 5331] - allow for resource methods to return

[Pull 5335] - Redirect GuardianList#toString to original toString

[Pull 5345] - Allow for setting connector provider via properties

[Pull 5348] - dependencies update

[Pull 5349] - Parametrize ParamConverters to allow throwing IAE

v2.39.1

Compare Source

[Issue 5275] - Compatibility with RestEasy

[Issue 5276] - JettyConnectorProvider does not support JerseyClientBuilder.hostnameVerifier()?

[Pull 5270] - allow custom Content-Length for HEAD method

[Pull 5277] - Updated archetypes and created a test to keep archetype versions up-to-date

[Pull 5278] - Hostname verifier for the Jetty connector

[Pull 5282] - Get media type fix

[Pull 5284] - Support 3rd party instantiators working with @​Context only

v2.39

Compare Source

[Issue 5199] - Apache 5 Proxy Issue

[Issue 5221] - Typo in documentation

[Issue 5225] - CVE for dependency jackson-databind

[Issue 5226] - jersey-media-multipart depends on JUnit - regression

[Pull 5219] - Bundles related adjustments

[Pull 5222] - Typo fix in User Guide

[Pull 5229] - scope fix for JUnit dependency

[Pull 5230] - Jackson version update to 2.14.1

[Pull 5232] - Optional Injection-less client side for SE

[Pull 5241] - Add SNI Support based on Host header

[Pull 5250] - Update to NOTICE files & test

[Pull 5251] - Use useSystemProperties with Apache connectors

[Pull 5256] - Jersey Microprofile RestClient - NullPointerException when a optional…

[Pull 5261] - Warn only when ASM is not capable of handling java classes instead of…

v2.38

Compare Source

[Issue 3383] - jersey-container-jdk-http ignores host and always binds to wildcard address

[Issue 5156] - Question: how to change the configuration of ResourceConfig at runtime?

[Issue 5189] - Exception in Jersey Jetty handler's Host header parsing bubbles up to the top

[Pull 5115] - Dependencies versions update (master)

[Pull 5123] - JUnit bump 4 -> 5

[Pull 5129] - verify license via GitHub actions

[Pull 5136] - Release test: check the staged artifacts are valid

[Pull 5161] - Fix Container#reload

[Pull 5163] - Update JdkHttpServerFactory.java

[Pull 5165] - warn less (just once for all clients) about missing providers

[Pull 5174] - Adopt ASM 9.4

[Pull 5175] - Remove Guava under version 24

[Pull 5178] - Better @​Inject support. For servlet classes, a qualifier is used.

[Pull 5185] - add dependencyConvergence rule to the maven-enforcer-plugin

[Pull 5186] - CI timeout extended to 30 HOURS

[Pull 5191] - Exception in Jersey Jetty handler's Host header parsing bubbles up to the top

[Pull 5194] - Fix optionals when empty

[Pull 5195] - Call tearDown to prevent Address already in use

[Pull 5198] - SSLHandshake No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

[Pull 5201] - bump Eclipse's parent pom to 1.0.8

[Pull 5205] - Add caching and improve performance

[Pull 5206] - Use Java 11 InputStream::readAllBytes to read String entities

[Pull 5207] - Fix alignment in the doc

[Pull 5208] - Fix FORM_PARAM_CONSUMED warning

[Pull 5211] - Store InvocationBuilderListenerStage into Runtime not to look up

[Pull 5212] - faster RuntimeType.toLowerCase in PropertiesHelper

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	org.glassfish.jersey.core/​jersey-client@​2.37 ⏵ 2.46

View full report