4.8.4
(chore): Apply latest Ubuntu security updates to the Java model generator container
(gradle:8.5.0-jdk17-jammy) at build time so OS-level package CVEs are
picked up.
4.8.3
(chore): Patch the npm-bundled ip-address package to 10.2.0 in the Java SDK generator container to address GHSA-v2v4-37r5-5v8g (CVE-2026-42338): XSS in Address6 HTML-emitting methods. The vulnerable copy was pulled in transitively via socks-proxy-agent -> socks -> ip-address@10.1.0 inside /usr/local/lib/node_modules/npm.
4.8.2
(fix): Only apply @JsonIgnore to query-parameter getters when the wrapped request has an
inlined body. The 4.0.4 fix applied @JsonIgnore to every query getter, which made
toString() / ObjectMappers.stringify() return {} for pure-query GETs and for
referenced/file-upload/bytes bodies — none of which serialize the wrapped request.
4.8.1
(fix): Apply canonical “all user-specified examples, else first autogenerated” selection
when writing snippet.json. Previously the v2 SDK uploaded a snippet row to FDR
for every example variant, which caused /snippets API responses to vary across
consecutive calls because the database returned an arbitrary row per endpoint.
Now matches TS-v1 / Python-v1 behavior. Example identifiers are also
deterministic (no more uuidv4 fallback), so re-runs produce stable row keys.
4.8.0
(feat): Generate CONTRIBUTING.md for Java SDKs.
4.7.1
(chore): Upgrade glibc/glibc-common/glibc-minimal-langpack in the Java SDK generator
container to address CVE-2026-4046 (iconv() assertion failure when converting
IBM1390/IBM1399 inputs; fixed in glibc 2.34-231.amzn2023.0.4).
4.7.0
(feat): Add retry-status-codes config with "legacy" and "recommended" modes. Legacy (default)
preserves current behavior (408, 429, >= 500). Recommended retries only transient
codes (408, 429, 502, 503, 504), avoiding idempotency issues with 500. A 4.0.0
migration auto-pins legacy for upgrading users.
4.6.4
(fix): Fix dynamic snippet generation for multipart/form-data endpoints with file parameters.
Previously, when a file value was not provided in the example, the file argument was
omitted from the snippet, causing subsequent arguments to shift and produce compile errors
(e.g. incompatible types: <Op>Request cannot be converted to Optional<java.io.File>).
Now emits null for missing file arguments to keep positional args aligned.
4.6.3
(fix): Fix Java SDK snippet and wire test generation for allow-multiple query
parameters when coerce-optional-schemas-to-nullable: true is set.
Previously, list items wrapped in optional<...> and/or nullable<...>
produced calls like .strategy(Arrays.asList(Optional.of(...))), which
failed to compile because the generated builders only expose List<T>
overloads (no List<Optional<T>> or List<Nullable<T>>). The snippet
generator now strips both optional and nullable wrappers from list
items, so the emitted code matches an existing builder signature.
4.6.2
(fix): Fix Java SDK generation crash when an OpenAPI property name is a Java keyword
or literal (e.g. true, false, null, if, new). KeyWordUtils only
sanitized 12 of Java’s reserved words, so JavaPoet rejected the rest with
IllegalArgumentException: not a valid name. The reserved-word set now covers
the full Java keyword list plus true/false/null literals, so these
properties generate as _<name> fields with @JsonProperty("<name>")
preserving the wire format.
4.6.1
(fix): Fix undiscriminated union deserializer misclassifying payloads. The generated
deserializer now checks that all required wire keys are present in the JSON
object before attempting to convert to each variant, preventing the first
variant from always winning when Jackson’s builder silently accepts missing
required fields.
(fix): Replace switch-on-type WebSocket message dispatch with shape-based trial
deserialization. Messages are now matched by checking required-field presence
and literal values before attempting Jackson conversion. This correctly handles
AsyncAPI channels where multiple message schemas share the same discriminator
value (e.g., two “History” variants with disjoint required fields).
4.6.0
(feat): Use auth scheme placeholder values in README snippets when configured via
placeholder field on auth schemes.
4.5.0
(feat): Support omitting username or password from basic auth when configured via
usernameOmit/passwordOmit in the IR. When a field is omitted, it is
removed from the SDK’s public API (credentials() takes fewer arguments)
and an empty string is used internally for the auth header encoding. When
both fields are omitted, the credentials() call and Authorization header
are skipped entirely.
