Commit 8d047fd
Bump org.clojure:clojure from 1.11.2 to 1.12.0 (#26)
Bumps [org.clojure:clojure](https://github.com/clojure/clojure) from
1.11.2 to 1.12.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/clojure/clojure/blob/master/changes.md">org.clojure:clojure's
changelog</a>.</em></p>
<blockquote>
<h1>Changes to Clojure in Version 1.12.0</h1>
<h2>1 Compatibility</h2>
<h3>1.1 Java 8 - Compatibility EOL notice</h3>
<p>Clojure 1.12 produces Java 8 bytecode (same as Clojure 1.10 and
1.11), but this is expected to be the last release using a Java 8
baseline. Future releases will move the bytecode and minimum Java
compatibility to a newer Java LTS release.</p>
<h3>1.2 Java 21 - Virtual thread pinning from user code under
<code>synchronized</code></h3>
<p>Clojure users want to use virtual threads on JDK 21. Prior to 1.12,
Clojure lazy-seqs and delays, in order to enforce run-once behavior, ran
user code under synchronized blocks, which as of JDK 21 don't yet
participate in cooperative blocking. Thus if that code did e.g. blocking
I/O it would pin a real thread. JDK 21 may emit warnings for this when
using <code>-Djdk.tracePinnedThreads=full</code>.</p>
<p>To avoid this pinning, in 1.12 <code>lazy-seq</code> and
<code>delay</code> use locks instead of synchronized blocks.</p>
<p>See: <a
href="https://clojure.atlassian.net/browse/CLJ-2804">CLJ-2804</a></p>
<h3>1.3 Security</h3>
<p>Fix <a
href="https://nvd.nist.gov/vuln/detail/CVE-2024-22871">CVE-2024-22871</a>
detailed in <a
href="https://github.com/advisories/GHSA-vr64-r9qj-h27f">GHSA-vr64-r9qj-h27f</a>:</p>
<ul>
<li><a href="https://clojure.atlassian.net/browse/CLJ-2839">CLJ-2839</a>
<code>iterate</code>, <code>cycle</code>, <code>repeat</code> - infinite
seqs have infinite <code>hashCode()</code></li>
</ul>
<h3>1.4 Serialization</h3>
<p><a href="https://clojure.atlassian.net/browse/CLJ-1327">CLJ-1327</a>
explicitly sets the Java serialization identifier for the classes in
Clojure that implement Java serialization. In Clojure 1.11.0 this
changed for two classes unnecessarily and we reverted those changes in
Clojure 1.11.1 - this completes that work for the rest of the
classes.</p>
<p>Clojure data types have implemented the Java serialization interfaces
since Clojure 1.0. Java serialization is designed to save graphs of Java
instances into a byte stream. Every class has an identifier (the
serialVersionUID) that is automatically generated based on the class
name, its type hierarchy, and the serialized fields. At deserialization
time, deserialization can only occur when the available class has an
identifier that matches the class id recorded in the serialized
bytes.</p>
<p>Clojure has never provided a guarantee of serialization consistency
across Clojure versions, but we do not wish to break compatibility any
more than necessary and these changes will give us more control over
that in the future.</p>
<p>See: <a
href="https://clojure.atlassian.net/browse/CLJ-1327">CLJ-1327</a></p>
<h3>1.5 Dependencies</h3>
<p>Updated dependencies:</p>
<ul>
<li>spec.alpha dependency to 0.5.238 - <a
href="https://github.com/clojure/spec.alpha/blob/master/CHANGES.md">changes</a></li>
<li>core.specs.alpha dependency to 0.4.74 - <a
href="https://github.com/clojure/core.specs.alpha/blob/master/CHANGES.md">changes</a></li>
</ul>
<p>See: <a
href="https://clojure.atlassian.net/browse/CLJ-2852">CLJ-2852</a></p>
<h2>2 Features</h2>
<h3>2.1 Add libraries for interactive use</h3>
<p>There are many development-time cases where it would be useful to add
a library interactively without restarting the JVM - speculative
evaluation, adding a known dependency to your project, or adding a
library to accomplish a specific task.</p>
<p>Clojure now provides new functions to add libraries interactively,
without restarting the JVM or losing the state of your work:</p>
<ul>
<li><a
href="https://clojure.github.io/clojure/branch-master/clojure.repl-api.html#clojure.repl.deps/add-lib">add-lib</a>
takes a lib that is not available on the classpath, and makes it
available by downloading (if necessary) and adding to the classloader.
Libs already on the classpath are not updated. If the coordinate is not
provided, the newest Maven or git (if the library has an inferred git
repo name) version or tag are used.</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/clojure/clojure/commit/d4bb93f0d1ab2004f89c6ead1b32449fd7ed1a6d"><code>d4bb93f</code></a>
[maven-release-plugin] prepare release clojure-1.12.0</li>
<li><a
href="https://github.com/clojure/clojure/commit/23d0f989803d4312a6bacb8f9166ce7cb8a5cac6"><code>23d0f98</code></a>
fix link in changelog</li>
<li><a
href="https://github.com/clojure/clojure/commit/90e7dd03afa7740efe269fad41ceea220d31143d"><code>90e7dd0</code></a>
[maven-release-plugin] prepare for next development iteration</li>
<li><a
href="https://github.com/clojure/clojure/commit/b3bd4cdd325878ad9cec3410afb95041c0a61303"><code>b3bd4cd</code></a>
[maven-release-plugin] prepare release clojure-1.12.0-rc2</li>
<li><a
href="https://github.com/clojure/clojure/commit/ad54fecd0bdff38bde8ae057887ad8b724fdd661"><code>ad54fec</code></a>
CLJ-2881: Making asm-type function array class symbol aware.</li>
<li><a
href="https://github.com/clojure/clojure/commit/5ae95872738b3e0aacfa5d38069d528b590a5059"><code>5ae9587</code></a>
CLJ-2873 add-libs - reload <em>data-readers</em> if new libs were
added</li>
<li><a
href="https://github.com/clojure/clojure/commit/48b1fe5b50d48603f2c1fbd38223a7284520d1ed"><code>48b1fe5</code></a>
Update changelog for 1.12.0-rc1</li>
<li><a
href="https://github.com/clojure/clojure/commit/faeda7a552dcb8fe5faf8059ec5ab6421121bd51"><code>faeda7a</code></a>
[maven-release-plugin] prepare for next development iteration</li>
<li><a
href="https://github.com/clojure/clojure/commit/9a13d44a5b79bf50ba8c64392354e89652c30fcb"><code>9a13d44</code></a>
[maven-release-plugin] prepare release clojure-1.12.0-rc1</li>
<li><a
href="https://github.com/clojure/clojure/commit/37b6f5a755f3d82295134a5419c7f3123013ef49"><code>37b6f5a</code></a>
CLJ-2145 Fix clearing of closed overs in ^:once fns, recur to head of
:once f...</li>
<li>Additional commits viewable in <a
href="https://github.com/clojure/clojure/compare/clojure-1.11.2...clojure-1.12.0">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
1 parent a29dff0 commit 8d047fd
1 file changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change | |
---|---|---|---|
| |||
70 | 70 |
| |
71 | 71 |
| |
72 | 72 |
| |
73 |
| - | |
| 73 | + | |
74 | 74 |
| |
75 | 75 |
| |
76 | 76 |
| |
|
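Review bot: the single replaced line (73) moves the Clojure runtime from 1.11.2 to 1.12.0 with no accompanying test or note for the behaviour changes the quoted changelog lists. Two are worth confirming before merge. First, CLJ-1327 sets explicit serialization identifiers on Clojure's serializable classes, and the changelog states there is no guarantee of serialization consistency across versions, so any Java-serialized Clojure data that this project persists or exchanges with a peer still on 1.11.2 should be checked for deserialization failures. Second, lazy-seq and delay now use locks instead of synchronized blocks (CLJ-2804), which matters if any code relies on the old monitor behaviour. If neither applies, a one-line statement to that effect in the PR is enough.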