4.8.7
(fix): Fix undiscriminated union deserialization when one member has all-optional fields.
Previously, an all-optional object variant (e.g. PayMethodCloud) could greedily
consume a payload intended for a more specific variant with required fields (e.g.
Check requiring achHolder), because Jackson’s @JsonIgnoreProperties(ignoreUnknown=true)
silently accepts any JSON object when all fields are optional. The deserializer now
emits guarded members (those with at least one required field) before unguarded
(all-optional) members, ensuring the more specific match wins.
4.8.6
(chore): Patch Java SDK generator container CVEs flagged in the AWS ECR / grype
scan. Patch npm’s bundled brace-expansion@5.0.4 -> 5.0.5 (GHSA-f886-m6hf-6m8v)
via tarball replacement so the published image no longer ships the vulnerable
bundled JS dependency that grype flags on dev/java-sdk-generator.
4.8.5
(chore): Bump the Java SDK generator container’s Node base image from
node:24.14.1-bookworm to node:24.15-trixie. Aligns the generator
with the rest of the Fern generator containers on a single Node patch
minor (floating 24.15) and a single Debian release (trixie). Trixie ships
patched versions of glibc, dpkg, nghttp2, libcap2, systemd, libgcrypt20,
krb5, curl, and expat that are not available on bookworm, clearing the
AWS Inspector findings that dist-upgrade alone could not. The non-slim
variant is intentional because the Node-stage patch steps shell out to
curl and tar. The bundled npm 11.12.1 in node:24.15 already ships
patched glob@13.0.6, minimatch@10.2.4, tar@7.5.11, and
brace-expansion@5.0.4, so those tarball-replacement patch steps are
removed. The ip-address and picomatch patches are retained because the
bundled versions (10.1.0 and 4.0.3 respectively) are still vulnerable.
4.8.4
(chore): Apply latest Ubuntu security updates to the Java model generator container
(gradle:8.5.0-jdk17-jammy) at build time so OS-level package CVEs are
picked up.
4.8.3
(chore): Patch the npm-bundled ip-address package to 10.2.0 in the Java SDK generator container to address GHSA-v2v4-37r5-5v8g (CVE-2026-42338): XSS in Address6 HTML-emitting methods. The vulnerable copy was pulled in transitively via socks-proxy-agent -> socks -> ip-address@10.1.0 inside /usr/local/lib/node_modules/npm.
4.8.2
(fix): Only apply @JsonIgnore to query-parameter getters when the wrapped request has an
inlined body. The 4.0.4 fix applied @JsonIgnore to every query getter, which made
toString() / ObjectMappers.stringify() return {} for pure-query GETs and for
referenced/file-upload/bytes bodies — none of which serialize the wrapped request.
4.8.1
(fix): Apply canonical “all user-specified examples, else first autogenerated” selection
when writing snippet.json. Previously the v2 SDK uploaded a snippet row to FDR
for every example variant, which caused /snippets API responses to vary across
consecutive calls because the database returned an arbitrary row per endpoint.
Now matches TS-v1 / Python-v1 behavior. Example identifiers are also
deterministic (no more uuidv4 fallback), so re-runs produce stable row keys.
4.8.0
(feat): Generate CONTRIBUTING.md for Java SDKs.
4.7.1
(chore): Upgrade glibc/glibc-common/glibc-minimal-langpack in the Java SDK generator
container to address CVE-2026-4046 (iconv() assertion failure when converting
IBM1390/IBM1399 inputs; fixed in glibc 2.34-231.amzn2023.0.4).
4.7.0
(feat): Add retry-status-codes config with "legacy" and "recommended" modes. Legacy (default)
preserves current behavior (408, 429, >= 500). Recommended retries only transient
codes (408, 429, 502, 503, 504), avoiding idempotency issues with 500. A 4.0.0
migration auto-pins legacy for upgrading users.
4.6.4
(fix): Fix dynamic snippet generation for multipart/form-data endpoints with file parameters.
Previously, when a file value was not provided in the example, the file argument was
omitted from the snippet, causing subsequent arguments to shift and produce compile errors
(e.g. incompatible types: <Op>Request cannot be converted to Optional<java.io.File>).
Now emits null for missing file arguments to keep positional args aligned.
4.6.3
(fix): Fix Java SDK snippet and wire test generation for allow-multiple query
parameters when coerce-optional-schemas-to-nullable: true is set.
Previously, list items wrapped in optional<...> and/or nullable<...>
produced calls like .strategy(Arrays.asList(Optional.of(...))), which
failed to compile because the generated builders only expose List<T>
overloads (no List<Optional<T>> or List<Nullable<T>>). The snippet
generator now strips both optional and nullable wrappers from list
items, so the emitted code matches an existing builder signature.
4.6.2
(fix): Fix Java SDK generation crash when an OpenAPI property name is a Java keyword
or literal (e.g. true, false, null, if, new). KeyWordUtils only
sanitized 12 of Java’s reserved words, so JavaPoet rejected the rest with
IllegalArgumentException: not a valid name. The reserved-word set now covers
the full Java keyword list plus true/false/null literals, so these
properties generate as _<name> fields with @JsonProperty("<name>")
preserving the wire format.
4.6.1
(fix): Fix undiscriminated union deserializer misclassifying payloads. The generated
deserializer now checks that all required wire keys are present in the JSON
object before attempting to convert to each variant, preventing the first
variant from always winning when Jackson’s builder silently accepts missing
required fields.
(fix): Replace switch-on-type WebSocket message dispatch with shape-based trial
deserialization. Messages are now matched by checking required-field presence
and literal values before attempting Jackson conversion. This correctly handles
AsyncAPI channels where multiple message schemas share the same discriminator
value (e.g., two “History” variants with disjoint required fields).
