Bump io.netty:netty-bom from 4.2.9.Final to 4.2.11.Final by dependabot[bot] · Pull Request #4661 · microsoft/ApplicationInsights-Java

dependabot · 2026-03-25T03:13:30Z

Bumps io.netty:netty-bom from 4.2.9.Final to 4.2.11.Final.

Release notes

Sourced from io.netty:netty-bom's releases.

netty-4.2.11.Final

Security

CVE-2026-33871, HTTP/2 CONTINUATION Frame Flood Denial of Service

CVE-2026-33870, HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

What's Changed

Update to latest JDK 26 EA release by @normanmaurer in netty/netty#16230

HTTP3: Allow to support non-standard HTTP3 settings by @normanmaurer in netty/netty#16171

Fix Incorrect nanos-to-millis conversion in epoll_wait EINTR retry loop by @adwsingh in netty/netty#16245

Allocate one large segment and slice for each MsgHdrMemory by @dreamlike-ocean in netty/netty#16234

Make RefCntOpenSslContext.deallocate more robust by @chrisvest in netty/netty#16253

Epoll: Fix excessive CPU usage when Channel is only registered but no… by @normanmaurer in netty/netty#16250

Update to gcc for arm 10.3-2021.07 by @m1ngyuan in netty/netty#16255

Add acmeIdentifier extension support to pkitesting by @chrisvest in netty/netty#16256

Update JDK versions to latest patch releases by @m1ngyuan in netty/netty#16254

Avoid allocation in HttpObjectEncoder.addEncodedLengthHex method by @doom369 in netty/netty#16241

Automatic backporting workflow from 4.1 to 4.2 by @chrisvest in netty/netty#16269

Revert "Automatic backporting workflow from 4.1 to 4.2" by @chrisvest in netty/netty#16270

HTTP2: Correctly account for padding when decompress by @normanmaurer in netty/netty#16264

Automatic backporting workflow from 4.1 to 4.2 by @chrisvest in netty/netty#16271

Automatic backporting workflow from 4.1 to 4.2 by @chrisvest in netty/netty#16273

Backport PRs must be created with personal access tokens by @chrisvest in netty/netty#16276

Expose QuicSslContextBuilder::sni by @ZeroErrors in netty/netty#16178

Add more porting workflows by @chrisvest in netty/netty#16275

Add more porting workflows by @chrisvest in netty/netty#16283

Remove the unpooled allocator from test permutations by @chrisvest in netty/netty#16282

Some polishing of the porting workflows by @chrisvest in netty/netty#16288

Allow to set destination connection id when creating a client side QuicheChannel by @normanmaurer in netty/netty#16286

Update to latest JDK26 EA build by @normanmaurer in netty/netty#16295

Add javadoc to clarify responsibility of the user when generating the remote connection id by @normanmaurer in netty/netty#16293

Make the build run faster by @chrisvest in netty/netty#16290

Fix IDE warnings in SslHandler by @doom369 in netty/netty#16237

Decrease Long allocations and map.put calls in ReferenceCountedOpenSllEngine in handshake() method by @doom369 in netty/netty#16242

Support boringssl SSLCredential API by @jmcrawford45 in netty/netty#15919

Fix high-order bit aliasing in HttpUtil.validateToken by @furkanvarol in netty/netty#16279

Improve multi-byte access performance when UNALIGNED availability is unknown by @Songdoeon in netty/netty#16207

Avoid unnecessary SSL.getVersion() call and string allocation in ReferenceCountedOpenSslEngine by @doom369 in netty/netty#16278

Support more branch freedom for auto-porting by @chrisvest in netty/netty#16300

fix: the precedence of + is higher than >> by @cuiweixie in netty/netty#16312

AdaptiveByteBufAllocator: make sure byteBuf.capacity() not greater than byteBuf.maxCapacity() by @laosijikaichele in netty/netty#16309

Fix flaky PooledByteBufAllocatorTest by @chrisvest in netty/netty#16313

Fix pooled arena accounting tests by @chrisvest in netty/netty#16321

Fix RunInFastThreadLocalThreadExtension by @chrisvest in netty/netty#16314

AdaptivePoolingAllocator: call unreserveMatchingBuddy(...) if byteBuf initialization failed by @laosijikaichele in netty/netty#16327

Recycler should not use thread locals unless they get cleaned up by @chrisvest in netty/netty#16315

OpenSSL: Don't leak OpenSslKeyManagerProvider on exception by @normanmaurer in netty/netty#16337

IoUring: Only complete deregistration promise once we received all co… by @normanmaurer in netty/netty#16330

Mark LoggingHandlerTest with @Isolated to fix flaky build by @normanmaurer in netty/netty#16338

Fix flaky HTTP/2 test by @chrisvest in netty/netty#16342

... (truncated)

Commits

c94a818 [maven-release-plugin] prepare release netty-4.2.11.Final
3b76df1 Merge commit from fork
aae944a Auto-port 4.2: Limit the number of Continuation frames per HTTP2 Headers (#16...
6001499 Eliminate redundant bounds checks in CompositeByteBuf accessors (#16525)
a7fbb6f JdkZlibDecoder: accumulate decompressed output before firing channelRead (#16...
7937553 Enforce io.netty.maxDirectMemory accounting on all Java versions (#16489)
893ea2e Allocate less in QueryStringDecoder.addParam for typical use case (#16527)
8f744ec Replace ClosedChannelException with StacklessClosedChannelException (#16506)
4d7b70d Fix docker image for cross-compiling (#16522)
cfd0d9a Epoll / IoUring: setTcpMg5Sig(...) might overflow (#16511)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [io.netty:netty-bom](https://github.com/netty/netty) from 4.2.9.Final to 4.2.11.Final. - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.2.9.Final...netty-4.2.11.Final) --- updated-dependencies: - dependency-name: io.netty:netty-bom dependency-version: 4.2.11.Final dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Mar 25, 2026

dependabot bot requested review from harsimar, jeanbisutti, rajkumar-rangaraj, ramthi and trask as code owners March 25, 2026 03:13

dependabot bot added the dependencies Pull requests that update a dependency file label Mar 25, 2026

dependabot bot requested a review from xiang17 as a code owner March 25, 2026 03:13

dependabot bot added the java Pull requests that update Java code label Mar 25, 2026

github-actions bot added 2 commits March 25, 2026 08:48

./gradlew generateLicenseReport

66fa53e

./gradlew resolveAndLockAll --write-locks

1b02402

xiang17 requested a review from johnoliver as a code owner March 25, 2026 08:48

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump io.netty:netty-bom from 4.2.9.Final to 4.2.11.Final#4661

Bump io.netty:netty-bom from 4.2.9.Final to 4.2.11.Final#4661
dependabot[bot] wants to merge 3 commits intomainfrom
dependabot/gradle/io.netty-netty-bom-4.2.11.Final

dependabot bot commented on behalf of github Mar 25, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Mar 25, 2026

netty-4.2.11.Final

Security

What's Changed

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants