Changelog

June 12, 2026

4.10.1

(chore): Bump bundled @fern-api/generator-cli to 0.9.39 (Replay 0.18.0) for more reliable customization detection during regeneration.

4.10.0

(feat): The Java SDK now accepts space-separated datetime strings (e.g. “2025-02-15 10:30:00+00:00”) in addition to standard ISO 8601 format during deserialization. This matches the leniency of the Python and TypeScript SDKs.

June 11, 2026

4.9.3

(fix): Escape Java reserved keywords (e.g. enum, extends) in package names used by generated snippets, README, and reference docs. These now match the SDK code (e.g. com.seed._enum) instead of producing uncompilable imports like com.seed.enum.

June 10, 2026

4.9.2

(chore): Update java-sdk-generator container to fix CVE-2026-7010 (perl-HTTP-Tiny CRLF injection), CVE-2026-48864/CVE-2026-9149/CVE-2026-9150/CVE-2026-48863 (libsolv buffer overflows), and CVE-2026-8376 (perl heap buffer overflow).

June 5, 2026

4.9.1

(fix): Fix inline types referenced only from endpoint responses (e.g., map value types) not being generated as standalone files when enable-inline-types is enabled.

June 4, 2026

4.9.0

(feat): Add exported-client-class-name config to the Java SDK generator. When set, docs surfaces (dynamic snippets, README, reference.md) display this name for the root client instead of client-class-name — for teams that wrap the generated client with a hand-written public class and want documentation to show the wrapper. Generated source code and wire tests are unaffected.

(fix): SSE streaming endpoints now decide protocol-level vs data-level union discrimination from the API spec’s x-fern-discriminator-context (IR discriminatorContext) instead of inferring from the discriminator’s field name. Unions whose discriminator happens to be named event/id/retry/data but lives in the data payload are now correctly parsed from the data JSON; envelope dispatch only happens when x-fern-discriminator-context: protocol is explicit.

4.8.12

(fix): Fix compilation error on multipart file-upload endpoints when idempotency headers are configured. The generator now emits headers((RequestOptions) null) instead of a bare headers(null), which resolves the ambiguous method reference between headers(RequestOptions) and headers(IdempotentRequestOptions) overloads in ClientOptions.

May 22, 2026

4.8.11

(chore): Bump Node.js base image from 24.15 to 24.16.

May 18, 2026

4.8.10

(chore): Update krb5-libs in the Java SDK generator container to fix CVE-2026-40356 (integer underflow OOB read) and CVE-2026-40355 (NULL pointer dereference) in MIT Kerberos 5.

4.8.9

(chore): Fix CVE-2026-41989: update libgcrypt in Docker image to patch heap-based buffer overflow in gcry_pk_decrypt.

May 15, 2026

4.8.8

(fix): Dynamic snippets now render path-parameter arguments in IR (URL / SDK signature) order rather than in the order they happen to appear in the input request, so generated examples line up with the actual SDK method signature even when the spec lists path parameters in a different order. Also fixes spurious “not recognized” errors that were raised for endpoint-level path parameters when both top-level and endpoint-level path parameters were supplied.

May 12, 2026

4.8.7

(fix): Fix undiscriminated union deserialization when one member has all-optional fields. Previously, an all-optional object variant (e.g. PayMethodCloud) could greedily consume a payload intended for a more specific variant with required fields (e.g. Check requiring achHolder), because Jackson’s @JsonIgnoreProperties(ignoreUnknown=true) silently accepts any JSON object when all fields are optional. The deserializer now emits guarded members (those with at least one required field) before unguarded (all-optional) members, ensuring the more specific match wins.

4.8.6

(chore): Patch Java SDK generator container CVEs flagged in the AWS ECR / grype scan. Patch npm’s bundled brace-expansion@5.0.4 -> 5.0.5 (GHSA-f886-m6hf-6m8v) via tarball replacement so the published image no longer ships the vulnerable bundled JS dependency that grype flags on dev/java-sdk-generator.

May 11, 2026

4.8.5

(chore): Bump the Java SDK generator container’s Node base image from node:24.14.1-bookworm to node:24.15-trixie. Aligns the generator with the rest of the Fern generator containers on a single Node patch minor (floating 24.15) and a single Debian release (trixie). Trixie ships patched versions of glibc, dpkg, nghttp2, libcap2, systemd, libgcrypt20, krb5, curl, and expat that are not available on bookworm, clearing the AWS Inspector findings that dist-upgrade alone could not. The non-slim variant is intentional because the Node-stage patch steps shell out to curl and tar. The bundled npm 11.12.1 in node:24.15 already ships patched glob@13.0.6, minimatch@10.2.4, tar@7.5.11, and brace-expansion@5.0.4, so those tarball-replacement patch steps are removed. The ip-address and picomatch patches are retained because the bundled versions (10.1.0 and 4.0.3 respectively) are still vulnerable.