This week’s Java roundup for February 24th, 2025 features news highlighting: JEP 502, Stable Values (Preview), Proposed to Target for JDK 25; milestone and point releases for Spring Modulith; the February 2025 release of Open Liberty; and the releases of Quarkus 3.19.0, JReleaser 1.17.0 and Gradle 8.13.0.
OpenJDK
JEP 502, Stable Values (Preview), has been elevated from Candidate to Proposed to Target for JDK 25. Formerly known as Computed Constants (Preview), this JEP introduces the concept of computed constants, defined as immutable value holders that are initialized at most once. This offers the performance and safety benefits of final fields, while offering greater flexibility as to the timing of initialization. The review is expected to conclude on March 7, 2025.
JEP 503, Remove the 32-bit x86 Port, has been elevated from its JEP Draft 8345168 to Candidate status. This JEP proposes to “remove the source code and build support for the 32-bit x86 port.” This feature is a follow-up from JEP 501, Deprecate the 32-bit x86 Port for Removal, to be delivered in the upcoming release of JDK 24.
JDK 24
Build 36 remains the current build in the JDK 24 early-access builds. Further details may be found in the release notes.
JDK 25
Build 12 of the JDK 25 early-access builds was also made available this past week featuring updates from Build 11 that include fixes for various issues. More details on this release may be found in the release notes.
For JDK 24 and JDK 25, developers are encouraged to report bugs via the Java Bug Database.
Jakarta EE 11
In his weekly Hashtag Jakarta EE blog, Ivar Grimstad, Jakarta EE Developer Advocate at the Eclipse Foundation, provided an update on Jakarta EE 11 and Jakarta EE 12, writing:
While the work is being wrapped up on the TCK for Jakarta EE 11 Web Profile, the planning for Jakarta EE 12 is entering a new stage. Jared Anderson, in his capacity as the release lead for Jakarta EE 12, has requested the component specifications to come forward with their plans for the release by April 15, 2025. Some of them have already prepared their material for their plan reviews.
The release review for Jakarta NoSQL 1.0 is ongoing (concludes on March 11, 2025).
The road to Jakarta EE 11 included four milestone releases, the release of the Core Profile in December 2024, and the potential for release candidates as necessary before the GA releases of the Web Profile in 1Q 2025 and the Platform in 2Q 2025.
So far, plan reviews for Jakarta EE 12 have been submitted for Jakarta Context and Dependency Injection 5.0, Jakarta Data 1.1 and Jakarta Faces 5.0.
Spring Framework
The second milestone release of Spring Modulith 1.4.0, and service release versions 1.3.3 and 1.2.9, provide bug fixes and dependency upgrades. New features in version 1.4.0-M2 include: new classes, ApplicationModuleIdentifiers and ApplicationModuleMetadata, as abstractions for an ordered collection of application module identifiers and for generated metadata to expose the information required to downstream infrastructure components, respectively; and the ability for an instance of the ApplicationModulesExporter class to expose an ApplicationModuleInitializer interface bean. Further details on these releases may be found in the release notes for version 1.4.0-M2, version 1.3.3 and version 1.2.9.
Quarkus
The release of Quarkus 3.19 ships with bug fixes, dependency upgrades and new features such as: a switch to Red Hat Universal Base Image (UBI) 9 images by default; a new bridge from the current metrics implemented with Micrometer to the OpenTelemetry format; and support for JEP 483, Ahead-of-Time Class Loading & Linking, that will be delivered in the upcoming release of JDK 24. More details on this release may be found in the release notes.
The Quarkus team has also announced resolutions to numerous CVEs affecting the 3.15 and 3.8 release trains that include:
- CVE-2025-24970, a vulnerability in Netty versions 4.1.91.Final through 4.1.117.Final, where a specially crafted packet, received via an instance of the
SslHandlerclass, doesn’t correctly handle validation of such a packet, in all cases, which can lead to a native crash. - CVE-2025-1247, a vulnerability that allows attackers to manipulate request data, impersonate users or access sensitive information due to a flaw in Quarkus REST, an implementation of the Jakarta RESTful Web Services specification, that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope.
- CVE-2025-1634, a flaw in the Quarkus RESTEasy Classic extension that may cause memory leaks when a client request with a low timeout is made. Upon reaching the timeout, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to an
OutOfMemoryError. - CVE-2024-12225, currently embargoed, is related to the callback endpoint in
WebAuthnenabled by default that now requires it to be explicitly configured.
These CVEs are mitigated in Quarkus 3.19.1 and service releases 3.15.3.1 and 3.8.6.1.
Open Liberty
IBM has released version 25.0.0.2 of Open Liberty featuring: support for AES-256 password encryption; a new guide, Building a Dynamic Web Application with Integrated User Interface and Backend Logic; updated guides that include MicroProfile 7.0 and versionless features; and a resolution to CVE-2024-47535, a vulnerability in Netty versions up to and including 4.1.114 that allows an attacker to take advantage of an unsafe read of an environment file in WindowsOS that can lead to a denial of service and application crash.
Apache Software Foundation
Maintaining alignment with Quarkus, the release of Camel Quarkus 3.19.0, composed of Camel 4.10.0 and Quarkus 3.19.0, provides notable changes such as: use of the Quarkus NativeMonitoringBuildItem class to automatically enable native monitoring features; and the removal of the observability services configuration workaround for the /observe endpoint. Further details on this release may be found in the release notes.
Versions 4.0.26 and 3.0.24 of Apache Groovy (announced here and here, respectively) provide bug fixes, dependency upgrades and one improvement that now propagates the Groovy compiler parameter flag to the javac command. More details on this release may be found in the release notes for version 4.0.26 and version 3.0.24.
JReleaser
Version 1.17.0 of JReleaser, a Java utility that streamlines creating project releases, has been released to deliver bug fixes, improvements in documentation, dependency upgrades and new features such as: the ability to parameterize distributions using the new Matrix section; support for publishing -SNAPSHOT extension artifacts with the mavenCentral deployer; and the ability to add a custom Scoop manifest. Further details on this release may be found in the release notes.
Gradle
The release of Gradle 8.13.0 introduces a new auto-provisioning utility that automatically downloads a JVM required by the Gradle Daemon. Other notable enhancements include: an explicit Scala version configuration for the Scala Plugin to automatically resolve required Scala toolchain dependencies; and refined millisecond precision in JUnit XML test event timestamps. More details on this release may be found in the release notes.
