build(deps): bump org.http4k:http4k-core from 5.46.0.0 to 6.49.0.0 in /bolt-http4k #1607

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/maven/bolt-http4k/org.http4k-http4k-core-6.49.0.0


dependabot Bot (Contributor) commented on behalf of github on Jun 23, 2026
Bumps org.http4k:http4k-core from 5.46.0.0 to 6.49.0.0.

Release notes

Sourced from org.http4k:http4k-core's releases.

6.49.0.0

Changelog:

  • http4k-*: Upgrade versions
  • http4k-core: [Break] reverseProxy()/reverseProxyRouting() now default to Exact host matching instead of Contains, so a request Host header that merely contains a configured virtual host (e.g. host1.evil.com for vhost host1) no longer routes to it. Pass matcher = Contains to opt back into substring matching.
  • http4k-core: [Unlikely break] ExecutorService.withRequestTracing() applies a defaultTimeout (60s by default, configurable) to the untimed invokeAll/invokeAny so a slow or dead task can no longer pin pool threads indefinitely. No code change needed; only affects callers whose tasks legitimately ran longer than default.
  • http4k-core: [Unlikely break] Header.AUTHORIZATION_BASIC / Request.basicAuthentication() now return null for any malformed Basic credentials (wrong scheme, invalid base64, or no colon in the decoded value) instead of manufacturing Credentials("", ""). Lets callers reliably distinguish absent/invalid credentials from genuinely empty ones.
  • http4k-server-netty: [Unlikely break] Cap aggregated request body size at 10MB (was unbounded ~2GB) to prevent OOM; oversized requests now get a 413 Request Entity Too Large. Duplicate and modify the Netty class if you need a different limit.
  • http4k-core: [Unlikely break] Cap GZip decompression at 10MB (was unbounded) to prevent possible OOM; oversized requests through ServerFilters.GZip/RequestFilters.GunZip now get a 413 Request Entity Too Large, and decompressing elsewhere throws SizeLimitExceededException. Duplicate and modify the Gzip functions if you need a different limit.
  • http4k-core: [Unlikely break] ServerFilters.Cors no longer emits the spec-invalid Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true.
  • http4k-core: [Fix] bearerToken() extracts the token for any casing of the Bearer scheme (e.g. BEARER), instead of returning the raw header value.
  • http4k-core: [Fix] Improve safe path parsing in ResourceLoader.Classpath
  • http4k-core: [Deprecation] Add Sha256 (with hash and hmac) and deprecate HmacSha256, whose hash was misleadingly unkeyed SHA-256. Replace HmacSha256.hash/hmacSHA256 with Sha256.hash/Sha256.hmac.
  • http4k-connect-openfeature: [New module] Standard OpenFeature Remote Evaluation Protocol client
  • http4k-connect-openfeature-fake: [New module] Fake to setup and evaluate OpenFeature flags
  • http4k-ops-openfeature: [New module] Support for plugging OpenFeature into request chain, including typesafe lenses for extracting flags from principal and context during request processing.
  • http4k-bridge-vertx: Stream request and response bodies instead of buffering.
  • http4k-bridge-ratpack: Stream request and response bodies instead of buffering.

6.48.0.0

Changelog:

  • http4k-*: Upgrade versions
  • http4k-security-digest: [Break] Remove default Nonce verifier option to avoid bad config
  • http4k-core: [Break] Deprecate BasicCookieStorage (rename to InsecureCookieStorage) and replace with RFC 6265 compliant DefaultCookieStorage. This should be a drop-in replacement.
  • http4k-core: [Deprecation] Rename Java8HttpClient -> URLConnectionHttpCilent
  • http4k-core: [Fix] Handle brace quantifiers in UriTemplate regex patterns. H/T @​ukman48
  • http4k-connect-amazon-iamidentitycenter: Update amazon sso grant type wire values. H/T @​oharaandrew314
  • http4k-connect-amazon-s3: Allow content streaming for S3 via connect H/T @​asadmanji
  • http4k-core: Rejects illegal characters in Status description field (could break HTTP message)
  • http4k-client-okhttp: Fix request streaming

6.47.2.0

Changelog:

  • http4k-*: Upgrade versions
  • http4k-connect-amazon-kms-fake: FakeKMS to generate keys with an injectable SecureRandom; allowing for deterministic testing.

6.47.1.0

Changelog:

  • http4k-*: Upgrade versions
  • http4k-bridge-spring: Add support for SSE and WS bridging

6.47.0.0

Changelog:

  • http4k-*: Upgrade versions
  • http4k-platform-aws: [Unlikely break] - Fix #1533 Aws sig4 path canonicalization needs double encoding. H/T @​aharin
  • http4k-ai-mcp-a2a-bridge: [New Pro module!] Expose any A2A server as an MCP server, allowing for LLM -> LLM communication.
  • http4k-wiretap: Better recording of incoming HTTP requests.
  • http4k-connect-amazon-iamidentitycenter: [Fix] Use generated JSON adapters for SSOCacheManager. H/T @​oharaandrew314

6.46.1.0

Changelog:

... (truncated)

Changelog

Sourced from org.http4k:http4k-core's changelog.

v6.49.0.0

  • http4k-*: Upgrade versions
  • http4k-core: [Break] reverseProxy()/reverseProxyRouting() now default to Exact host matching instead of Contains, so a request Host header that merely contains a configured virtual host (e.g. host1.evil.com for vhost host1) no longer routes to it. Pass matcher = Contains to opt back into substring matching.
  • http4k-core: [Unlikely break] ExecutorService.withRequestTracing() applies a defaultTimeout (60s by default, configurable) to the untimed invokeAll/invokeAny so a slow or dead task can no longer pin pool threads indefinitely. No code change needed; only affects callers whose tasks legitimately ran longer than default.
  • http4k-core: [Unlikely break] Header.AUTHORIZATION_BASIC / Request.basicAuthentication() now return null for any malformed Basic credentials (wrong scheme, invalid base64, or no colon in the decoded value) instead of manufacturing Credentials("", ""). Lets callers reliably distinguish absent/invalid credentials from genuinely empty ones.
  • http4k-server-netty: [Unlikely break] Cap aggregated request body size at 10MB (was unbounded ~2GB) to prevent OOM; oversized requests now get a 413 Request Entity Too Large. Duplicate and modify the Netty class if you need a different limit.
  • http4k-core: [Unlikely break] Cap GZip decompression at 10MB (was unbounded) to prevent possible OOM; oversized requests through ServerFilters.GZip/RequestFilters.GunZip now get a 413 Request Entity Too Large, and decompressing elsewhere throws SizeLimitExceededException. Duplicate and modify the Gzip functions if you need a different limit.
  • http4k-core: [Unlikely break] ServerFilters.Cors no longer emits the spec-invalid Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true.
  • http4k-core: [Fix] bearerToken() extracts the token for any casing of the Bearer scheme (e.g. BEARER), instead of returning the raw header value.
  • http4k-core: [Fix] Improve safe path parsing in ResourceLoader.Classpath
  • http4k-core: [Deprecation] Add Sha256 (with hash and hmac) and deprecate HmacSha256, whose hash was misleadingly unkeyed SHA-256. Replace HmacSha256.hash/hmacSHA256 with Sha256.hash/Sha256.hmac.
  • http4k-connect-openfeature: [New module] Standard OpenFeature Remote Evaluation Protocol client
  • http4k-connect-openfeature-fake: [New module] Fake to setup and evaluate OpenFeature flags
  • http4k-ops-openfeature: [New module] Support for plugging OpenFeature into request chain, including typesafe lenses for extracting flags from principal and context during request processing.
  • http4k-bridge-vertx: Stream request and response bodies instead of buffering.
  • http4k-bridge-ratpack: Stream request and response bodies instead of buffering.

v6.48.0.0

  • http4k-*: Upgrade versions
  • http4k-security-digest: [Break] Remove default Nonce verifier option to avoid bad config
  • http4k-core: [Break] Deprecate BasicCookieStorage (rename to InsecureCookieStorage) and replace with RFC 6265 compliant DefaultCookieStorage. This should be a drop-in replacement.
  • http4k-core: [Deprecation] Rename Java8HttpClient -> URLConnectionHttpCilent
  • http4k-core: [Fix] Handle brace quantifiers in UriTemplate regex patterns. H/T @​ukman48
  • http4k-connect-amazon-iamidentitycenter: Update amazon sso grant type wire values. H/T @​oharaandrew314
  • http4k-connect-amazon-s3: Allow content streaming for S3 via connect H/T @​asadmanji
  • http4k-core: Rejects illegal characters in Status description field (could break HTTP message)
  • http4k-client-okhttp: Fix request streaming

v6.47.2.0

  • http4k-*: Upgrade versions
  • http4k-connect-amazon-kms-fake: FakeKMS to generate keys with an injectable SecureRandom; allowing for deterministic testing.

v6.47.1.0

  • http4k-*: Upgrade versions
  • http4k-bridge-spring: Add support for SSE and WS bridging

v6.47.0.0

  • http4k-*: Upgrade versions
  • http4k-platform-aws: [Unlikely break] - Fix #1533 Aws sig4 path canonicalization needs double encoding. H/T @​aharin
  • http4k-ai-mcp-a2a-bridge: [New Pro module!] Expose any A2A server as an MCP server, allowing for LLM -> LLM communication.
  • http4k-wiretap: Better recording of incoming HTTP requests.
  • http4k-connect-amazon-iamidentitycenter: [Fix] Use generated JSON adapters for SSOCacheManager. H/T @​oharaandrew314

v6.46.1.0

  • http4k-*: Upgrade versions
  • http4k-*: Various Moshi adapters converted to be Factories instead of using annotation based lookup
  • http4k-connect-amazon-sts-*: Add GetCallerIdentity support to STS client and fake. H/T @​feknall

v6.46.0.0

  • http4k-*: Upgrade versions

... (truncated)

Commits
  • f90e7b8 Release 6.49.0.0
  • d70b6c1 Fix compile of ClientFiltersTest.kt
  • ddfc0a5 Use supportedOrNull to handle unsupported HTTP methods
  • 741a5d9 Replace toLong with toLongOrNull in Ktor bridge
  • 14c869e Change messages for oaith nonce and state mismatches
  • a5b94ab Add sensitive header stripping for cross-origin redirects in FollowRedirects ...
  • 2e06b73 Update OkHttp to use TLS instead of SSL for SSLContext
  • a6707f6 Use secureEquals for comparing tokens
  • 7c5e307 SecureEqual fails for null && null comparison
  • cff8fec Introduce robust handling for unsupported HTTP methods across serverless modu...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [org.http4k:http4k-core](https://github.com/http4k/http4k) from 5.46.0.0 to 6.49.0.0.
- [Release notes](https://github.com/http4k/http4k/releases)
- [Changelog](https://github.com/http4k/http4k/blob/master/CHANGELOG.md)
- [Commits](http4k/http4k@5.46.0.0...6.49.0.0)

---
updated-dependencies:
- dependency-name: org.http4k:http4k-core
  dependency-version: 6.49.0.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies (Pull requests that update a dependency file) and java (This is a label that @dependabot automatically creates. We don't use it.) labels Jun 23, 2026
dependabot Bot requested a review from a team as a code owner June 23, 2026 11:59
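
The Basic-credentials change listed in the 6.49.0.0 notes above, as an added illustration for reviewers of this bump (not code from http4k or from this PR): a standalone Kotlin sketch of the parsing rules that changelog entry states, next to the earlier behaviour as the entry describes it. `Credentials` is a local stand-in type, `parseBasicStrict` and `parseBasicLegacy` are hypothetical names, and the case-insensitive scheme match is an assumption taken from RFC 7617, not from http4k's source.

```kotlin
import java.util.Base64

// Local stand-in for the library's Credentials type so the sketch compiles on its own.
data class Credentials(val user: String, val password: String)

// Earlier behaviour, modelled from the changelog wording: a header that is present
// but malformed still produces Credentials("", "").
fun parseBasicLegacy(header: String?): Credentials? =
    if (header == null) null else parseBasicStrict(header) ?: Credentials("", "")

// Behaviour after the bump: wrong scheme, invalid base64 or no colon all yield null.
fun parseBasicStrict(header: String?): Credentials? {
    if (header == null) return null
    val parts = header.trim().split(" ", limit = 2)
    // Assumption: scheme is compared case-insensitively, as RFC 7617 specifies.
    if (parts.size != 2 || !parts[0].equals("Basic", ignoreCase = true)) return null
    val decoded = try {
        String(Base64.getDecoder().decode(parts[1].trim()), Charsets.UTF_8)
    } catch (e: IllegalArgumentException) {
        return null // invalid base64
    }
    val colon = decoded.indexOf(':')
    if (colon < 0) return null // decoded value has no user:password separator
    return Credentials(decoded.substring(0, colon), decoded.substring(colon + 1))
}

fun main() {
    // Constructed sample headers, one per case named in the changelog entry.
    val samples = listOf(
        "Basic dXNlcjpwYXNz",  // decodes to "user:pass"
        "Basic Og==",          // decodes to ":" (genuinely empty user and password)
        "Bearer dXNlcjpwYXNz", // wrong scheme
        "Basic !!!not-base64", // invalid base64
        "Basic dXNlcg=="       // decodes to "user", no colon
    )
    for (h in samples) {
        println("${h.padEnd(22)} legacy=${parseBasicLegacy(h)} strict=${parseBasicStrict(h)}")
    }
}
```

Code that treats any non-null result as "credentials were supplied" behaves differently after the bump for the three malformed rows, while the `Basic Og==` row still yields empty credentials in both versions.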