dependabot[bot] opened a new pull request, #2976: URL: https://github.com/apache/cxf/pull/2976
Bumps [org.atmosphere:atmosphere-runtime](https://github.com/Atmosphere/atmosphere) from 3.1.0 to 4.0.11. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/Atmosphere/atmosphere/releases">org.atmosphere:atmosphere-runtime's releases</a>.</em></p> <blockquote> <h2>Atmosphere 4.0.11</h2> <h3>Fixed</h3> <ul> <li><strong>WebSocket XSS sanitization bypass.</strong> Disabled HTML sanitization for WebSocket transport — HTML-encoding JSON in WebSocket frames broke the AI streaming wire protocol.</li> <li><strong>XSS and insecure cookie hardening.</strong> Sanitize HTML output in write methods and set the <code>Secure</code> flag on cookies over HTTPS.</li> </ul> <h3>Changed</h3> <ul> <li><strong>Token → Streaming Text rename.</strong> All AI module APIs, javadoc, and the atmosphere.js client now use "streaming text" instead of "token" to describe LLM output chunks. This affects method names (<code>onToken</code> → <code>onStreamingText</code>, <code>totalTokens</code> → <code>totalStreamingTexts</code>), field names, and the wire protocol message type (<code>"token"</code> → <code>"streaming-text"</code>). 
This is a <strong>breaking change</strong> for atmosphere.js consumers and custom <code>AiStreamBroadcastFilter</code> implementations.</li> <li><strong>Javadoc published to GitHub Pages.</strong> API docs for <code>atmosphere-runtime</code> are now deployed automatically to <code>async-io.org/apidocs</code>.</li> <li><strong>Starlight tutorial site.</strong> A 20-chapter tutorial book is now available at the project documentation site.</li> </ul> <h2>Atmosphere 4.0.10</h2> <p>React Native support, per-endpoint model routing, and architectural validation.</p> <h2>✨ Added</h2> <ul> <li><strong>React Native / Expo support</strong> in atmosphere.js — RN hooks, EventSource polyfill, NetInfo injection, and a complete Expo classroom sample app with markdown rendering</li> <li><strong>Per-endpoint model override</strong> — <code>@AiEndpoint(model = "...")</code> allows different endpoints to use different LLM models without changing global config</li> <li><strong>Auto-registered broadcast filters</strong> — new <code>filters()</code> attribute on <code>@AiEndpoint</code> enables <code>CostMeteringFilter</code>, <code>PiiRedactionFilter</code>, etc. 
declaratively</li> <li><strong>Fallback strategy</strong> — <code>RoutingAiSupport</code> handles <code>FAILOVER</code> / <code>ROUND_ROBIN</code> / <code>CONTENT_BASED</code> routing via <code>@AiEndpoint</code></li> <li><strong>Architectural validation CI gate</strong> — TOML-configured script detects NOOP/dead code, placeholder stubs, DI bypass, and fluent builder misuse; runs as fast-fail before JDK build matrix</li> </ul> <h2>🐛 Fixed</h2> <ul> <li><strong><code>RoutingAiSupportTest</code></strong> — corrected failover threshold (<code>maxConsecutiveFailures=1</code>)</li> <li><strong>Architectural validation</strong> — NOOP detection fails the build (was only warning)</li> </ul> <h2>🔧 Changed</h2> <ul> <li><strong>Expo classroom sample</strong> moved under <code>spring-boot-ai-classroom/expo-client</code> for better project organization</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/Atmosphere/atmosphere/compare/atmosphere-4.0.9...atmosphere-4.0.10">https://github.com/Atmosphere/atmosphere/compare/atmosphere-4.0.9...atmosphere-4.0.10</a></p> <h2>Atmosphere 4.0.9</h2> <p>Framework-agnostic AI tool calling and conversation cache replay.</p> <h2>✨ Added</h2> <ul> <li><strong><code>@AiTool</code> annotation</strong> — framework-agnostic tool calling pipeline that works across Spring AI, LangChain4j, and standalone deployments. Includes sample, tests, and documentation.</li> <li><strong>Generator <code>--tools</code> flag</strong> — scaffolds <code>@AiTool</code> methods for ai-chat handler variants</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/Atmosphere/atmosphere/blob/main/CHANGELOG.md">org.atmosphere:atmosphere-runtime's changelog</a>.</em></p> <blockquote> <h2>[4.0.11] - 2026-03-11</h2> <h3>Fixed</h3> <ul> <li><strong>WebSocket XSS sanitization bypass.</strong> Disabled HTML sanitization for WebSocket transport — HTML-encoding JSON in WebSocket frames broke the AI streaming wire protocol.</li> <li><strong>XSS and insecure cookie hardening.</strong> Sanitize HTML output in write methods and set the <code>Secure</code> flag on cookies over HTTPS.</li> </ul> <h3>Changed</h3> <ul> <li><strong>Token → Streaming Text rename.</strong> All AI module APIs, javadoc, and the atmosphere.js client now use "streaming text" instead of "token" to describe LLM output chunks. This affects method names (<code>onToken</code> → <code>onStreamingText</code>, <code>totalTokens</code> → <code>totalStreamingTexts</code>), field names, and the wire protocol message type (<code>"token"</code> → <code>"streaming-text"</code>). This is a <strong>breaking change</strong> for atmosphere.js consumers and custom <code>AiStreamBroadcastFilter</code> implementations.</li> <li><strong>Javadoc published to GitHub Pages.</strong> API docs for <code>atmosphere-runtime</code> are now deployed automatically to <code>async-io.org/apidocs</code>.</li> <li><strong>Starlight tutorial site.</strong> A 20-chapter tutorial book is now available at the project documentation site.</li> </ul> <h2>[4.0.3] - 2026-02-22</h2> <h3>Fixed</h3> <ul> <li><strong>Room Protocol broadcast bug.</strong> <code>DefaultRoom.broadcast()</code> now wraps messages in <code>RawMessage</code> to bypass <code>@Message</code> decoder mangling. 
Room JSON envelopes (join/leave/message events) are delivered intact to clients.</li> <li><strong><code>enableHistory()</code> NPE.</strong> <code>UUIDBroadcasterCache</code> is now properly configured before use, preventing <code>NullPointerException</code> when room history is enabled.</li> <li><strong>Native Image build.</strong> Spring Boot samples use <code>process-aot</code> and <code>exec</code> classifier in the <code>native</code> profile so GraalVM can find the main class.</li> </ul> <h3>Added</h3> <ul> <li><strong><code>RawMessage</code> API</strong> (<code>org.atmosphere.cpr.RawMessage</code>) — first-class public wrapper for pre-encoded messages that bypass <code>@Message</code> decoder/encoder pipelines. <code>ManagedAtmosphereHandler.Managed</code> is deprecated in favor of <code>RawMessage</code>.</li> <li><strong>Playwright E2E tests</strong> for all sample applications (chat, spring-boot-chat, embedded-jetty, quarkus-chat, AI samples, durable-sessions, MCP server).</li> </ul> <h3>Changed</h3> <ul> <li><strong>Unified parent POM.</strong> All samples now inherit from <code>atmosphere-project</code>, making <code>mvn versions:set</code> update every module in a single command.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/Atmosphere/atmosphere/commit/27f88d9a782449c356a95d09ca54a52c71acf574"><code>27f88d9</code></a> release: Atmosphere 4.0.11</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/e71eba79d41821ef91b6a985519f612988f7b3f0"><code>e71eba7</code></a> refactor(embabel): rename token to streaming text in Kotlin module</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/375d7dfc21064c587aef146c45adbbe135967425"><code>375d7df</code></a> docs: update READMEs and CHANGELOG for 4.0.11 release</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/b3166ac639cc0bbd7b4b669e9782c5623e5f67be"><code>b3166ac</code></a> refactor(ai): complete token-to-streaming-text rename across codebase</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/62cc1bee514699bab344eabcd9b5ebca966ffeb8"><code>62cc1be</code></a> refactor(ai): rename token to streaming text across AI module and samples</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/a15c080f29832a8fc09a66be6c7d77c87bdde84b"><code>a15c080</code></a> docs: rename AI/LLM token references to streaming text</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/f05d29a5228034b76850ec06d37a96bf0bd8753d"><code>f05d29a</code></a> docs: fix last 2.x release version in CHANGELOG (2.7.16 not 2.6.5)</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/f5510c801859be90f558cfe5ed2a1f5b6024b903"><code>f5510c8</code></a> ci(release): generate rich release notes from CHANGELOG or commits</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/0f1ed89b1e36de684f6c2aa638a15ab447186ed3"><code>0f1ed89</code></a> fix(cpr): skip XSS sanitization for WebSocket transport</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/fd1030b7aba45bb30195c6be2015521b7be67889"><code>fd1030b</code></a> ci: replace automatic dependency submission with custom 
workflow</li> <li>Additional commits viewable in <a href="https://github.com/Atmosphere/atmosphere/compare/atmosphere-project-3.1.0...atmosphere-4.0.11">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
