Java Digest # 14: Valhalla, Nullability, other beasts and where to find them

?? Aloha, lads!?

Hey, fellow learners, happy new school year to everyone!

Summer’s wrapped up, and if you managed to take a vacation—props to you! The editorial team behind this digest? Not so lucky. That’s why you, our awesome readers, get the chance to catch up on all the August news.

You can check out the previous digest right here.

The JVM Language Summit didn't go unnoticed! We finally got those much-anticipated updates on Project Valhalla, along with plenty of other news.

Here are a few of the most critical talks, handpicked just for you:

• Valhalla - Where Are We? #JVMLS
• Type Specialization of Java Generics - What If Casts Have Teeth ? #JVMLS
• Rethinking Java String Concatenation #JVMLS
• A New Model for Java Object Initialization #JVMLS

Roman Kennke also gave an update on another important project—Lilliput. Its main goal is to shrink Java's footprint, primarily by reducing object header sizes.

In our last issue, we wrote about the new JDK-8303099, which aims to introduce syntax (like Foo? and Foo!) to denote nullability. Brian Goetz also touches on this development in the video "Valhalla - Where we are?" (linked above).

While this JEP is progressing through the Jep pipeline, several companies—including Google, Oracle, JetBrains, Microsoft, Sonar, and VMware (Spring)—have defined a standard called JSpecify. It has similar goals but uses annotations and is designed to replace the custom solutions some of these companies (like Spring, JetBrains, etc.) have developed for themselves.

JSpecify allows nullability to be defined using four annotations: @Nullable and @NonNull to mark types, and @NullMarked and @NullUnmarked to define nullability for an entire scope (package, module, etc.). For instance, with @NullMarked, you can mark all code in a module or package as non-nullable by default, and only use @Nullable where null is explicitly allowed. Since packages aren’t hierarchical, it’s often easier to apply this at the module level—making all module code non-nullable by default.

JEP-8209434 proposes to introduce more concise method bodies in the JVM, aligning method body syntax with that of lambda expressions. This aims to streamline and simplify method definitions.

Recently, Azul's OpenJDK distribution—Azul Zulu—introduced support for JavaFX on ARM64 Linux systems. To showcase this, Frank Delporte has provided a demo of a simple JavaFX app running on a Raspberry Pi 5. The app is packed into a single file and built using J'BANG. The program displays a window with randomly bouncing balls, and you can set the number of balls directly in the code. The more balls, the heavier the load—making it a fun way to test the system's performance!

Eclipse now allows third-party reproducible verification builds for their Temurin JDK 21+ distribution to enhance supply chain security. This process enables anyone to recreate the Temurin JDK build and verify that it matches 100% with what they downloaded, ensuring full transparency of the parameters Eclipse uses to build their JDK.

To make things easier for third parties, Eclipse has also started publishing their GCC compiler as a DevKit, minimizing complications for those wanting to verify the build process, including the compiler itself.

JDK 23

Build 37 is currently the latest available early-access build for JDK 23. You can find more details about this build here.

JDK 24

Early-access Build 13 of JDK 24 is now available. More information can be found in the release notes.

With the release of Spring Framework 6.2.0-M7, we’re one step closer to the global release of version 6.2.0. Notable updates include error handling in cache abstractions, the ability for HTTP client interfaces to specify static headers via annotations, encoding Collection-type parameters in @RequestParam as a single string in requests, and support for rendering fragment streams via SSE. You can check out the full list of changes here.

Since the last digest, the Spring team has addressed several CVE vulnerabilities, including:

CVE-2024-38807 (signature forgery vulnerability)        

CVE-2024-38808 (DoS via SpEL expressions)        

CVE-2024-38809 (DoS via conditional HTTP requests)        

You can find more information about these vulnerabilities here and there. As always, we stress the importance of updating your projects to minimize risks associated with these vulnerabilities.

Spring Boot 3.4.0-M2 brings several exciting updates, including:

• @ConditionalOnSingleCandidate now supports @Fallback beans.
• Added support for Grafana LGTM.
• A new Actuator endpoint provides information about SSL bundles.
• The /actuator/scheduledtasks endpoint now gives extra details like the next scheduled execution time, last execution time, status, and errors.
• It’s now easier to create additional beans with @Bean(defaultCandidate=false).

Spring Security 6.4.0-M2 includes a range of updates. Some highlights are:

• SAML 2.0 now supports OpenSAML 4 and 5.
• Enhanced support for placeholder expressions in @AuthenticationPrincipal and @CurrentSecurityContext annotations.
• Added the ability to specify OAuth2ClientHttpRequestInterceptor for RestClient.

You can check out all the changes more carefully via the link.

New versions of Spring for Apache Kafka have been released: 3.3.0-M2, 3.2.3, and 3.1.8. In version 3.3.0-M2, the Kafka client has been updated to version 3.8.0. More details can be found here.

Additionally, new versions of Spring Authorization Server have been released: 1.4.0-M1, 1.3.2, and 1.2.6. The key updates include bug fixes and dependency updates. In version 1.4.0-M1, support for the OpenID Connect 1.0 prompt=none parameter has been added, customization of LogoutHandler in OidcLogoutEndpointFilter is now possible, and AuthenticationDetailsSource has been added to OAuth2TokenRevocationEndpointFilter.

Spring Modulith 1.3 M2, 1.2.3, and 1.1.8 also include bug fixes and dependency updates. In version 1.3 M2, support for nested modules has been introduced. More details about these and other changes can be found via the link.

In Spring Session 3.4.0-M2, the key change is the ability to customize the session expiration policy for Redis.

The release of Spring Cloud 2024.0.0-M1 (aka Mooregate) doesn’t include new features. Its main focus was adding support for Spring Boot 3.4.0-M1.

Spring for Apache Pulsar 1.2.0-M1 includes two notable changes:

• ????Added support for custom ObjectMapper.
• ????The ability to specify default tenant and namespace is now available.

Spring AI 1.0.0 M2 introduces significant improvements and new features in modules like Vector Store, ChatModel, and several other components. For more detailed information, you can check the provided link.

Here are some recent Spring releases worth noting:

• Spring Framework: New versions 6.1.12, 6.0.23, and 5.3.39.
• Spring Boot: Released versions 3.3.3 and 3.2.9.
• Spring Security: Three new versions—5.8.14, 6.2.6, and 6.3.2.
• Spring Data: Versions 2024.0.3 and 2023.1.9 are now available.
• Spring for Apache Pulsar: New versions 1.0.9 and 1.1.3.
• Spring Session: Versions 3.3.2 and 3.2.5 have been released.
• Spring Boot: Additional versions 2.7.21, 3.0.16, and 3.1.13.
• Spring Shell: Versions 3.2.7, 3.3.2, and 3.4.0-M1 are now ready for use.

This time, we’re excited to share four new videos from the Spring Tips series with you!

In the first video, Josh Long introduces HTMX, a library that allows you to directly use AJAX, CSS transitions, WebSockets, and Server-Sent Events in HTML via attributes, making it easier to build modern user interfaces. He also demonstrates how simple it is to integrate HTMX with Spring Boot and Thymeleaf.

Spring Tips: HTMX

In the next video, Josh Long dives into Spring Security once again, focusing specifically on integration with Auth0—a platform that provides authentication and authorization services.

Spring Tips: Spring Security and Auth0.com

Naturally, Josh couldn’t skip over Spring AI. This time, he focuses on the recent changes related to tracking various metrics, highlighting how these updates can help monitor and optimize AI-driven applications.

Spring Tips: Spring AI Observability

In the final video, Josh Long discusses an exciting new feature coming in Spring Security 6.4—support for one-time passwords (OTP), highlighting how this addition enhances security and simplifies authentication processes.

Spring Tips: One-Time Tokens in Spring Security 6.4

At the end of August, the SpringOne conference took place, and all the videos from the event are available at this link. Among the talks that might catch your interest, we’d like to highlight two presentations by Paul Bakker, where he shares insights from Netflix's experiences.

Build GraphQL Services With Spring Boot Like Netflix (SpringOne 2024)

Learnings From Netflix To Effective Testing With Spring Boot (SpringOne 2024)

Also, don’t miss the presentation by Rob Winch dedicated to Spring Security 6.4. It provides an in-depth look at the new features and updates in this version.

Let’s Explore Spring Security 6.4 (SpringOne 2024)

Christian Tzolov continues to share updates on Spring AI and new integrations. This time, he’s written about the support for NVIDIA LLM API and OpenAI's Structured Outputs, which significantly enhances the reliability and usability of AI-generated content in real-world applications.

In our previous digest, we mentioned that Spring Boot 3.4 will introduce structured logging support. This time, we’re sharing an article by Moritz Halbritter that provides a more detailed look at this new feature.

Additionally, Sébastien Deleuze has published an article on CDS and the new changes in Spring Boot 3.3 that have helped unlock its potential. He also shared test results with the latest build of Project Leyden.

• Azul is focusing on reducing Java program startup times, particularly from the perspectives of embedded devices and cloud efficiency. They’ve revisited the AOT vs JIT discussion and highlighted solutions aiming to strike a balance, such as CRaC, its simpler version CRaM, and their own cloud solution, ReadyNow warmup technology. ReadyNow Orchestrator collects profiling data, hot spots, and sometimes precompiled code from "warmed-up" services and uses this information to optimize the startup of new services. Additionally, Azul reminds us of their Azul Prime platform and Azul Zing OpenJDK distribution, which includes their in-house developments like the C4 and Falcon JIT LLVM-based compilers.
• On the AWS front, they’ve introduced a migration tool for automated transitions from AWS Java SDK v1 to v2. This tool uses OpenRewrite with AWS-specific configurations and includes commands rewriteDryRun and rewriteRun. Currently, the plugin is in preview.

• Scala 3.5.0 has been released, featuring several enhancements including the inclusion of Scala CLI in the standard Scala distribution, pipelined compilation for faster builds of multi-module projects, and support for vars in type refinements. Note that Scala 3.5.0 is not an LTS version; Scala 3.3.3 remains the LTS release.?
• Additionally, a hotfix version, Scala 3.4.3, has been released to address binary incompatibility issues introduced in Scala 3.4.2. There’s also a warning about upcoming changes in Scala 3.7 regarding the new prioritization order for given, which might affect compatibility with existing Scala code.
• Oracle has launched Sandwood v0.5.0, an experimental DSL for programming probabilistic models. This language uses the .sandwood extension, features a Java-like syntax, and includes predefined algorithms for common probability distributions (e.g., Bernoulli, Beta). The release includes examples, a compiler that converts .sandwood files into Java classes (with the compiler itself written in Java), and a Maven plugin for compilation.
• Over the past few months, RedHat, Uber, and AWS have been discussing Tiered Storage for Kafka. InfoQ has published an article summarizing these discussions and presenting additional insights into the advantages, disadvantages, and limitations of Tiered Storage.
• IBM has released an article highlighting key patterns for message queues, such as One-to-Many, Many-to-Many, Filtering, and Browsing, within the context of IBM MQ and JMS. Additionally, Kafka Queues are actively being developed, which might be of interest in this context.

In a recent development, the court has ruled on the ongoing legal dispute between GitHub Copilot and private individuals. The judge dismissed most of the claims against GitHub Copilot, leaving only two key issues regarding open-source license violations and contract breaches. This ruling is a significant blow to the group of developers who accused GitHub and OpenAI of improper use of their code.

The judge dismissed the main copyright infringement allegations, noting that Copilot does not reproduce substantially similar code, which casts doubt on the validity of the claims. However, the case will continue, and legal questions surrounding the use of AI in programming remain pertinent. For more details, you can read the full article here.

Thanks for reading the digest!

Remember to like and subscribe to our monthly newsletter on LinkedIn. We also appreciate your ideas on how we can improve our future articles.

As usual, the Avenga team worked on the digest:

• Ivan Mahlatii;
• Oleg Chernygevych;
• Andrew Petryk.