ARTEMIS-X Bump mockserver.version from 7.2.0 to 7.3.0#6557

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/maven/mockserver.version-7.3.0

Conversation

@dependabot dependabot Bot commented on behalf of github Jul 2, 2026


Bumps mockserver.version from 7.2.0 to 7.3.0.
Updates org.mock-server:mockserver-netty from 7.2.0 to 7.3.0

Updates org.mock-server:mockserver-core from 7.2.0 to 7.3.0

Release notes

Sourced from org.mock-server:mockserver-core's releases.

MockServer 7.3.0

[7.3.0] - 2026-07-01

Added

  • Typed client methods for control-plane operations that previously needed a hand-written REST call. The client libraries gain first-class methods for clock control (freeze / advance / reset / status), metrics (the JSON counter snapshot and the Prometheus scrape), configuration read/update, Pact import / export / verify, the file store (store / retrieve / list / delete), HAR and Postman import, the high-level operating mode (SIMULATE / SPY / CAPTURE), and generating expectations from a WSDL — so these no longer require a manual PUT /mockserver/… request. Rolling out across the Java, Node, Python, Ruby, Go, .NET, Rust and PHP clients.

Security

  • Fixture redaction now also masks credentials in query strings and streamed bodies, and fails closed on unparseable secrets. When redacting recorded traffic (HAR/Postman imports, the LLM optimisation report, the MCP capture tools) the redactor previously only masked sensitive headers and named JSON body fields. It now also (a) masks the values of credential-bearing query parameters by default (such as key, api_key, apikey, access_token, token, signature, sig, and the AWS SigV4 X-Amz-Signature/X-Amz-Security-Token) — e.g. Gemini's ?key= API key; (b) redacts configured fields inside each Server-Sent-Events data: payload of a streamed body, leaving non-JSON markers such as [DONE] intact (and failing closed on a data: payload it cannot parse that still mentions a configured field); and (c) when a body is configured for field redaction but cannot be parsed yet still mentions a configured field name, replaces the whole body rather than risk leaking it. Ordinary unstructured bodies (plain text, HTML, decoded binary) that mention no configured field are left unchanged.
  • A2A client builders: the custom-handler regex messagePattern is now escaped completely. Every client library (Java, Node, Python, Ruby, Go, Rust, PHP, .NET) inlines messagePattern into a JSONPath =~ /…/ regex literal but previously escaped only the / delimiter, so a pattern ending in a lone backslash (or containing \/) could escape the closing delimiter and break out of the regex literal into the surrounding JSONPath/JSON (CodeQL rb/incomplete-sanitization). The escaping now preserves valid regex escape sequences (e.g. \d) while neutralising the delimiter-breakout; normal patterns are unaffected.
  • Dashboard load-scenario report download now validates the URL scheme. The "download report" action passed a URL assembled from the user-configured connection to window.open without checking its scheme; it now opens the report only when the URL resolves to http/https, ruling out javascript:/data: redirection (CodeQL js/client-side-unvalidated-url-redirection).
  • /bind and /stop now honour control-plane authentication/authorization. These mutating lifecycle endpoints were serviced before the auth gate; they now require the same control-plane auth as /mockserver/configuration. Default deployments with no control-plane auth configured are unaffected, and /status / /ready remain open for health probes. Closes the lifecycle-endpoint gap noted in 7.2.0.
  • MCP tool calls now honour control-plane authorization. With controlPlaneAuthorizationEnabled, each MCP tool is classified read vs mutate (fail-closed) and checked against the same role model as the HTTP control plane, so a read-only principal can no longer invoke mutating MCP tools (create/clear/reset/…). Default (authorization disabled) behaviour is unchanged; enforced across HTTP and HTTP/3, single and batch. Closes the per-tool MCP gap noted in 7.2.0.
  • Control-plane JWT validation cross-request race fixed. A single shared JWTValidator reconfigured the Nimbus processor (key selector + claims verifier) on every call, so concurrent control-plane requests could be verified against another request's policy. The processor is now configured once and validate() is stateless.
  • Remote JWKS / OIDC discovery fetches are now bounded. JWKS-key-set and OIDC discovery-document fetches on the authentication path used the JOSE library defaults (infinite connect/read timeout, no size limit); they now use finite timeouts and a size cap, so a slow or hostile identity-provider endpoint can no longer hang the auth path or be used as an amplification vector.

... (truncated)


Commits
  • 72647c0 release: set version 7.3.0
  • a99299f test(core): lock previously-unguarded LLM-proxy/capture behaviours
  • d67340e fix(proxy): stop HTTP/2 client hang when forwarding to an HTTP/2 upstream
  • 223a176 build(deps): bump the maven-minor-and-patch group (#2384)
  • b34a190 docs(website): use typed control-plane client methods in code examples
  • 315e6e2 build(deps): bump grafana/k6 (#2383)
  • 3984f98 build(deps): bump the npm-minor-and-patch group across 1 directory with 3 upd...
  • b22ca04 docs(website): add headless/scripted/remote opencode LLM capture scenario
  • b7a62d0 fix(client-java): deleteFile throws on a missing file (404), matching the oth...
  • 3462037 feat(client-node): typed control-plane helpers (metrics, config, pact, files,...
  • Additional commits viewable in compare view

Updates org.mock-server:mockserver-client-java from 7.2.0 to 7.3.0

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
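The three redaction rules in the first Security item of the release notes above (query-parameter masking, per-`data:` SSE redaction that leaves `[DONE]` intact, and fail-closed replacement of an unparseable body that still mentions a configured field), as an added Python sketch that is not MockServer's own redactor. The mask token, the field names and every sample input are constructed.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MASK = "REDACTED"  # constructed mask token, chosen so urlencode leaves it as-is
SENSITIVE_QUERY_PARAMS = {  # defaults named in the 7.3.0 notes, matched case-insensitively
    "key", "api_key", "apikey", "access_token", "token",
    "signature", "sig", "x-amz-signature", "x-amz-security-token"}

def redact_url(url: str) -> str:
    """Rule (a): mask the value of every credential-bearing query parameter."""
    parts = urlsplit(url)
    pairs = [(k, MASK if k.lower() in SENSITIVE_QUERY_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def _mask_fields(obj, fields):
    """Mask configured field names anywhere in a parsed JSON document."""
    if isinstance(obj, dict):
        return {k: MASK if k in fields else _mask_fields(v, fields) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_mask_fields(v, fields) for v in obj]
    return obj

def _mentions(text: str, fields) -> bool:
    return any(f in text for f in fields)

def redact_body(body: str, fields) -> str:
    """Rule (c): mask fields in a JSON body; if the body cannot be parsed but still
    mentions a configured field, replace it whole; otherwise leave it unchanged."""
    try:
        return json.dumps(_mask_fields(json.loads(body), fields))
    except ValueError:
        return MASK if _mentions(body, fields) else body

def redact_sse_body(body: str, fields) -> str:
    """Rule (b): redact each Server-Sent-Events `data:` payload on its own, keep non-JSON
    markers such as [DONE], and fail closed on an unparseable payload naming a field."""
    out = []
    for line in body.split("\n"):
        if not line.startswith("data:"):
            out.append(line)
            continue
        payload = line[len("data:"):].strip()
        try:
            payload = json.dumps(_mask_fields(json.loads(payload), fields))
        except ValueError:
            if _mentions(payload, fields):
                payload = MASK  # unparseable but mentions a secret field: replace it whole
        out.append("data: " + payload)
    return "\n".join(out)
```

The `_mentions` check is a plain substring match, so a configured field name that is also a common word would over-redact unstructured bodies; that is the fail-closed side of the trade-off the notes describe.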

Bumps `mockserver.version` from 7.2.0 to 7.3.0.

Updates `org.mock-server:mockserver-netty` from 7.2.0 to 7.3.0

Updates `org.mock-server:mockserver-core` from 7.2.0 to 7.3.0
- [Release notes](https://github.com/mock-server/mockserver-monorepo/releases)
- [Changelog](https://github.com/mock-server/mockserver-monorepo/blob/master/changelog.md)
- [Commits](mock-server/mockserver-monorepo@mockserver-7.2.0...mockserver-7.3.0)

Updates `org.mock-server:mockserver-client-java` from 7.2.0 to 7.3.0

---
updated-dependencies:
- dependency-name: org.mock-server:mockserver-netty
  dependency-version: 7.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: org.mock-server:mockserver-core
  dependency-version: 7.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: org.mock-server:mockserver-client-java
  dependency-version: 7.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
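The A2A `messagePattern` delimiter breakout from the release notes above, as an added Python example that is not MockServer's client code: a 7.2.0-style escaper that only handles `/` beside one that walks escape sequences, plus a small scanner that shows whether the literal stays closed. The JSONPath template `$.params.message.parts[?(@.text =~ /…/)]` is an assumed stand-in for the clients' real expression.

```python
JSONPATH_TEMPLATE = "$.params.message.parts[?(@.text =~ /{}/)]"  # assumed stand-in

def escape_message_pattern_naive(pattern: str) -> str:
    """7.2.0-style escaping: only the '/' delimiter is escaped (the defect the fix replaces)."""
    return pattern.replace("/", "\\/")

def escape_message_pattern(pattern: str) -> str:
    """7.3.0-style escaping: keep complete escape sequences (\\d, \\/, \\\\) verbatim,
    escape a bare '/', and double a lone trailing backslash so it cannot eat the delimiter."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            if i + 1 < len(pattern):
                out.append(pattern[i:i + 2])  # a complete escape sequence, copied as-is
                i += 2
                continue
            out.append("\\\\")  # lone trailing backslash
        elif ch == "/":
            out.append("\\/")
        else:
            out.append(ch)
        i += 1
    return "".join(out)

def build_jsonpath(pattern: str, escaper=escape_message_pattern) -> str:
    return JSONPATH_TEMPLATE.format(escaper(pattern))

def extract_regex_literal(jsonpath: str):
    """Return (regex_body, trailing_text) for the literal after '=~ /', or None when no
    unescaped closing '/' exists, i.e. the literal swallowed the rest of the expression."""
    start = jsonpath.index("=~ /") + len("=~ /")
    i = start
    while i < len(jsonpath):
        if jsonpath[i] == "\\":
            i += 2  # escaped character: never a delimiter
            continue
        if jsonpath[i] == "/":
            return jsonpath[start:i], jsonpath[i + 1:]
        i += 1
    return None

def breaks_out(pattern: str, escaper) -> bool:
    """True when the escaped pattern does not stay inside the regex literal."""
    parsed = extract_regex_literal(build_jsonpath(pattern, escaper))
    return parsed is None or parsed[1] != ")]"
```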
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jul 2, 2026