For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Book a demoLog inStart for free
  • Overview
    • Introduction
    • How it works
    • Quickstart
    • Customer showcase
  • Working with SDKs
    • Project structure
    • Adding custom code
    • Migrating to Replay
    • Capabilities
  • Generators
      • Generating an SDK
      • Publishing to Maven Central
      • Configuration
      • Adding custom code
      • Changelog
      • Customer showcase
  • Reference
    • generators.yml
Checking status...
SOC2Soc 2 Type II
© 2026 Fern • Birch Solutions, Inc., a Postman company

Documentation

SDKsDocsAsk FernCLI Reference

API Definitions

OpenAPIAsyncAPIOpenRPCgRPC

Resources

BlogSupportPricing

Company

Brand KitPrivacy PolicyTerms of Service
LogoLogo
Book a demoLog inStart for free
On this page
  • May 22, 2026
  • 4.8.11
  • May 18, 2026
  • 4.8.10
  • 4.8.9
  • May 15, 2026
  • 4.8.8
  • May 12, 2026
  • 4.8.7
  • 4.8.6
  • May 11, 2026
  • 4.8.5
  • May 7, 2026
  • 4.8.4
  • 4.8.3
  • May 6, 2026
  • 4.8.2
  • May 5, 2026
  • 4.8.1
  • May 4, 2026
  • 4.8.0
  • 4.7.1
  • April 30, 2026
  • 4.7.0
  • 4.6.4
GeneratorsJava

Changelog

May 22, 2026
May 22, 2026

4.8.11

(chore): Bump Node.js base image from 24.15 to 24.16.

May 18, 2026
May 18, 2026
May 15, 2026
May 15, 2026
May 12, 2026
May 12, 2026
May 11, 2026
May 11, 2026
May 7, 2026
May 7, 2026
May 6, 2026
May 6, 2026
May 5, 2026
May 5, 2026
May 4, 2026
May 4, 2026
April 30, 2026
April 30, 2026

Older posts

Next

4.8.10

(chore): Update krb5-libs in the Java SDK generator container to fix CVE-2026-40356 (integer underflow OOB read) and CVE-2026-40355 (NULL pointer dereference) in MIT Kerberos 5.

4.8.9

(chore): Fix CVE-2026-41989: update libgcrypt in Docker image to patch heap-based buffer overflow in gcry_pk_decrypt.

4.8.8

(fix): Dynamic snippets now render path-parameter arguments in IR (URL / SDK signature) order rather than in the order they happen to appear in the input request, so generated examples line up with the actual SDK method signature even when the spec lists path parameters in a different order. Also fixes spurious “not recognized” errors that were raised for endpoint-level path parameters when both top-level and endpoint-level path parameters were supplied.

4.8.7

(fix): Fix undiscriminated union deserialization when one member has all-optional fields. Previously, an all-optional object variant (e.g. PayMethodCloud) could greedily consume a payload intended for a more specific variant with required fields (e.g. Check requiring achHolder), because Jackson’s @JsonIgnoreProperties(ignoreUnknown=true) silently accepts any JSON object when all fields are optional. The deserializer now emits guarded members (those with at least one required field) before unguarded (all-optional) members, ensuring the more specific match wins.

4.8.6

(chore): Patch Java SDK generator container CVEs flagged in the AWS ECR / grype scan. Patch npm’s bundled brace-expansion@5.0.4 -> 5.0.5 (GHSA-f886-m6hf-6m8v) via tarball replacement so the published image no longer ships the vulnerable bundled JS dependency that grype flags on dev/java-sdk-generator.

4.8.5

(chore): Bump the Java SDK generator container’s Node base image from node:24.14.1-bookworm to node:24.15-trixie. Aligns the generator with the rest of the Fern generator containers on a single Node patch minor (floating 24.15) and a single Debian release (trixie). Trixie ships patched versions of glibc, dpkg, nghttp2, libcap2, systemd, libgcrypt20, krb5, curl, and expat that are not available on bookworm, clearing the AWS Inspector findings that dist-upgrade alone could not. The non-slim variant is intentional because the Node-stage patch steps shell out to curl and tar. The bundled npm 11.12.1 in node:24.15 already ships patched glob@13.0.6, minimatch@10.2.4, tar@7.5.11, and brace-expansion@5.0.4, so those tarball-replacement patch steps are removed. The ip-address and picomatch patches are retained because the bundled versions (10.1.0 and 4.0.3 respectively) are still vulnerable.

4.8.4

(chore): Apply latest Ubuntu security updates to the Java model generator container (gradle:8.5.0-jdk17-jammy) at build time so OS-level package CVEs are picked up.

4.8.3

(chore): Patch the npm-bundled ip-address package to 10.2.0 in the Java SDK generator container to address GHSA-v2v4-37r5-5v8g (CVE-2026-42338): XSS in Address6 HTML-emitting methods. The vulnerable copy was pulled in transitively via socks-proxy-agent -> socks -> ip-address@10.1.0 inside /usr/local/lib/node_modules/npm.

4.8.2

(fix): Only apply @JsonIgnore to query-parameter getters when the wrapped request has an inlined body. The 4.0.4 fix applied @JsonIgnore to every query getter, which made toString() / ObjectMappers.stringify() return {} for pure-query GETs and for referenced/file-upload/bytes bodies — none of which serialize the wrapped request.

4.8.1

(fix): Apply canonical “all user-specified examples, else first autogenerated” selection when writing snippet.json. Previously the v2 SDK uploaded a snippet row to FDR for every example variant, which caused /snippets API responses to vary across consecutive calls because the database returned an arbitrary row per endpoint. Now matches TS-v1 / Python-v1 behavior. Example identifiers are also deterministic (no more uuidv4 fallback), so re-runs produce stable row keys.

4.8.0

(feat): Generate CONTRIBUTING.md for Java SDKs.

4.7.1

(chore): Upgrade glibc/glibc-common/glibc-minimal-langpack in the Java SDK generator container to address CVE-2026-4046 (iconv() assertion failure when converting IBM1390/IBM1399 inputs; fixed in glibc 2.34-231.amzn2023.0.4).

4.7.0

(feat): Add retry-status-codes config with "legacy" and "recommended" modes. Legacy (default) preserves current behavior (408, 429, >= 500). Recommended retries only transient codes (408, 429, 502, 503, 504), avoiding idempotency issues with 500. A 4.0.0 migration auto-pins legacy for upgrading users.

4.6.4

(fix): Fix dynamic snippet generation for multipart/form-data endpoints with file parameters. Previously, when a file value was not provided in the example, the file argument was omitted from the snippet, causing subsequent arguments to shift and produce compile errors (e.g. incompatible types: <Op>Request cannot be converted to Optional<java.io.File>). Now emits null for missing file arguments to keep positional args aligned.