3.4.0

🚀 New features and improvements

• Version number add to the endpoint /health - healthcheck Issue Nro 1339 (#2498) @gorostiaga
• Allow @wiremocktest to be applied on base classes (#2500) @kkocel
• Expose numberOfParameters on PathTemplate (#2509) @Mahoney
• Add the version number to the output when wiremock starts (#2485) @leeturner
• Add ability to return application version from new admin endpoint and wiremock standalone cli (#2453) @leeturner

🐛 Bug fixes

• Do not return null objects in getAll of the InMemoryRequestJournalStore (#2508) @coder-hugo
• Fix NullPointerException in ResponseDefinition.getProxyUrl() (#2490) @mfruizs
• Generalize function calculating normalized distance between date/time values (#2543) @papiomytoglou
• Show correct diff for unescaped ? in regex (#2596) @Mahoney
• Disable XML External Entities (#2603) @Pr0methean
• Disable connection reuse only for proxy clients not for the admin client (#2597) @coder-hugo
• [FIX] Fix the deserialization behavior which change the precision of decimal (#2588) @AlEmerich
• Fix json-body not escaping special characters (#2551) @G-Basak
• Fix sonarqube scanner (#2577) @dieppa
• correct handling of empty request body with Handlebars (#2546) (#2552) @dirkbolte

📦 Dependency updates

38 changes

• Bump io.netty:netty-all from 4.1.106.Final to 4.1.107.Final (#2608) @dependabot
• Bump com.fasterxml.jackson:jackson-bom from 2.15.3 to 2.16.1 (#2548) @dependabot
• Bump org.eclipse.jetty:jetty-bom from 11.0.19 to 11.0.20 (#2599) @dependabot
• Bump com.networknt:json-schema-validator from 1.3.1 to 1.3.2 (#2605) @dependabot
• Bump versions.junitJupiter from 5.10.1 to 5.10.2 (#2602) @dependabot
• Bump org.slf4j:log4j-over-slf4j from 2.0.11 to 2.0.12 (#2604) @dependabot
• Bump com.networknt:json-schema-validator from 1.3.0 to 1.3.1 (#2598) @dependabot
• Bump com.networknt:json-schema-validator from 1.2.0 to 1.3.0 (#2595) @dependabot
• Bump org.mockito:mockito-core from 5.9.0 to 5.10.0 (#2589) @dependabot
• Bump org.apache.httpcomponents.client5:httpclient5 from 5.3 to 5.3.1 (#2591) @dependabot
• Bump org.mockito:mockito-junit-jupiter from 5.9.0 to 5.10.0 (#2590) @dependabot
• Bump io.netty:netty-all from 4.1.105.Final to 4.1.106.Final (#2581) @dependabot
• Bump com.diffplug.spotless from 6.24.0 to 6.25.0 (#2587) @dependabot
• Bump com.toomuchcoding.jsonassert:jsonassert from 0.7.0 to 0.8.0 (#2586) @dependabot
• Bump com.jayway.jsonpath:json-path from 2.8.0 to 2.9.0 (#2582) @dependabot
• Bump com.networknt:json-schema-validator from 1.1.0 to 1.2.0 (#2583) @dependabot
• Bump io.netty:netty-all from 4.1.104.Final to 4.1.105.Final (#2580) @dependabot
• Bump com.networknt:json-schema-validator from 1.0.88 to 1.1.0 (#2537) @dependabot
• Bump io.netty:netty-all from 4.1.101.Final to 4.1.104.Final (#2538) @dependabot
• Bump com.google.guava:guava from 32.1.3-jre to 33.0.0-jre (#2539) @dependabot
• Bump org.eclipse.jetty:jetty-bom from 11.0.18 to 11.0.19 (#2542) @dependabot
• Bump org.slf4j:log4j-over-slf4j from 2.0.9 to 2.0.11 (#2563) @dependabot
• Bump org.mockito:mockito-core from 5.7.0 to 5.9.0 (#2571) @dependabot
• Bump com.diffplug.spotless from 6.23.3 to 6.24.0 (#2575) @dependabot
• Bump org.mockito:mockito-junit-jupiter from 5.7.0 to 5.9.0 (#2570) @dependabot
• Bump org.apache.httpcomponents.client5:httpclient5 from 5.2.1 to 5.3 (#2524) @dependabot
• Bump com.networknt:json-schema-validator from 1.0.87 to 1.0.88 (#2527) @dependabot
• Bump ch.qos.logback:logback-classic from 1.2.0 to 1.2.13 in /testlogging (#2522) @dependabot
• Bump commons-io:commons-io from 2.15.0 to 2.15.1 (#2512) @dependabot
• Bump com.toomuchcoding.jsonassert:jsonassert from 0.6.2 to 0.7.0 (#2520) @dependabot
• Bump com.diffplug.spotless from 6.23.0 to 6.23.3 (#2521) @dependabot
• Bump com.diffplug.spotless from 6.22.0 to 6.23.0 (#2507) @dependabot
• Bump org.apache.commons:commons-lang3 from 3.13.0 to 3.14.0 (#2496) @dependabot
• Bump org.junit-pioneer:junit-pioneer from 2.1.0 to 2.2.0 (#2493) @dependabot
• Bump io.netty:netty-all from 4.1.99.Final to 4.1.101.Final (#2484) @dependabot
• Bump versions.junitJupiter from 5.10.0 to 5.10.1 (#2483) @dependabot
• Bump org.mockito:mockito-junit-jupiter from 5.6.0 to 5.7.0 (#2477) @dependabot
• Bump org.mockito:mockito-core from 5.6.0 to 5.7.0 (#2476) @dependabot

📝 Documentation updates

• Add operationId to openApi/swagger documents (#2487) @j1mr10rd4n

👻 Maintenance

• chore: minor internal refactors (#2491) @Marvin9
• Proposal for: Flaky port allocation tests #2281 (#2421) @dkhozyainov

✍ Other changes

• Improve Scenario error message for unsupported state (#2594) @nlisgo
• Supply lazy TemplateEngine, HttpClientFactory, and DefaultHttpClient. (#2564) @kyle-winkelman
• Parsing config files with BOM character (#2535) @salehjafarli
• Clean up duplicative isAbsent and unused serializer. (#2567) @kyle-winkelman
• Allow matchesJsonSchema to be supplied as a json object. (#2566) @kyle-winkelman
• Adding a few unit tests for Body (#2559) @G-Basak
• Add gzipDisabled at the ResponseDefinitionBuilder level (#2481) @dkhozyainov
• Update wrapper scripts version to match gradle version. (#2574) @HappyHacker123
• Remove and log warning before loading webhooks (#2568) @prithvitewatia
• Add extensionScanningEnabled option to @wiremocktest. (#2561) @kyle-winkelman
• Adding build function for all kind of UrlPattern in RequestPatternBuilder (#2536) @AlEmerich
• Added GET_OR_HEAD method. (#2555) @prithvitewatia

3.3.1

🚀 New features and improvements

• Allow empty URI path segments after the first (#2404) @Mahoney
• Switch the Webhooks Extension to use the injected template engine so that it respects standard configuration providers, e.g. system properties and environment variables (#2473) @tomakehurst
• Introduce the substitutable HTTP client (#2455) @tomakehurst
• Make NetworkAddressRules into an interface so that it can be implemented in a fully customised way @tomakehurst

🐛 Bug fixes

• Fix network address rules breaking change - regression in WireMock 3.3.0 (#2478) @tomakehurst
• Ignore IPv6 addresses when checking network security rules (#2475) @tomakehurst
• #2415 - Fix warning in the log due to SLF4J-API 1.7.36 to 2.0.7 replacement by Gradle (#2449) @Xabibax
• Fix API contract for FileSourceBlobStore (#2451) @dkhozyainov
• Add null check for actual date/time truncation (#2466) (#2467) @papiomytoglou
• #2422 - URL not matched by path template when query parameter present in request (#2429) @tomakehurst

📝 Documentation updates

• Add BEFORE_RESPONSE_SENT request phase to the stub-mapping schema (#2428) @picimako
• Update the co-maintainer policy beyond WireMock 3 (#2435) @oleg-nenashev
• Turn reference link into actual link (#2443) @SimonVerhoeven

👻 Maintenance

• chore: use List.of where possible if only one argument is passed (#2468) @SimonVerhoeven
• fix: introduce a slight delay given the 2-3 results is slightly flakey (#2463) @SimonVerhoeven
• chore: infer explicit type arguments where possible (#2462) @SimonVerhoeven
• Refactor: split getLines method of Diff class (#2460) @julianahrens1999
• Replace Optional.orElse() calls with Optional.orElseGet() (#2450) @picimako
• Do not use deprecated jackson iso8601 class (#2423) @SimonVerhoeven
• feat: use expression lambdas over statement lambdas (#2444) @SimonVerhoeven
• Replace Guava by JDK (Partly) (#2384) @pks-1981
• Remove unnecessary type unboxing (#2424) @SimonVerhoeven
• Replace Guava by JDK (Partly) (#2409) @pks-1981

📦 Dependency updates

• Bump org.eclipse.jetty:jetty-bom from 11.0.17 to 11.0.18 (#2469) @dependabot
• Bump commons-io:commons-io from 2.14.0 to 2.15.0 (#2464) @dependabot
• Bump com.google.guava:guava from 32.1.2-jre to 32.1.3-jre (#2433) @dependabot
• Bump com.fasterxml.jackson:jackson-bom from 2.15.2 to 2.15.3 (#2441) @dependabot
• Bump org.eclipse.jetty:jetty-bom from 11.0.16 to 11.0.17 (#2430) @dependabot
• Bump org.sonarqube from 4.3.1.3277 to 4.4.1.3373 (#2410) @dependabot
• Bump org.mockito:mockito-junit-jupiter from 5.5.0 to 5.6.0 (#2426) @dependabot
• Bump org.ow2.asm:asm from 9.5 to 9.6 (#2406) @dependabot
• Bump org.mockito:mockito-core from 5.5.0 to 5.6.0 (#2425) @dependabot
• Bump io.netty:netty-all from 4.1.98.Final to 4.1.99.Final (#2403) @dependabot
• Bump com.diffplug.spotless from 6.21.0 to 6.22.0 (#2402) @dependabot
• Bump commons-io:commons-io from 2.13.0 to 2.14.0 (#2407) @dependabot

3.3.0

NOTE: This version is discarded because of the uninteded breaking change in NetworkAddressRules, fixed in 3.3.1 by #2478

🚀 New features and improvements

• Allow empty URI path segments after the first (#2404) @Mahoney
• Switched the webhooks extension to use the injected template engine so that it gets e.g. system/env property configuration (#2473) @tomakehurst
• Substitutable HTTP client (#2455) @tomakehurst
• Make NetworkAddressRules into an interface so that it can be implemented in a fully customised way. note this introduced a breaking change, which is fixed in https://github.com/wiremock/wiremock/releases/tag/3.3.1

🐛 Bug fixes

• Fixed #2415 Gradle replaces SLF4J-API 1.7.36 with 2.0.7, causing warning in the log (#2449) @Xabibax
• Refactor: split getLines method of Diff class (#2460) @julianahrens1999
• Fix contract for FileSourceBlobStore (#2451) @dkhozyainov
• Add null check for actual date/time truncation (#2466) (#2467) @papiomytoglou
• Fixed #2422 - URL not matched by path template when query parameter present in request (#2429) @tomakehurst

📝 Documentation updates

• Update the co-maintainer policy beyond WireMock 3 (#2435) @oleg-nenashev
• Turn reference link into actual link (#2443) @SimonVerhoeven

👻 Maintenance

• chore: use List.of where possible if only one argument is passed (#2468) @SimonVerhoeven
• fix: introduce a slight delay given the 2-3 results is slightly flakey (#2463) @SimonVerhoeven
• chore: infer explicit type arguments where possible (#2462) @SimonVerhoeven
• Replace Optional.orElse() calls with Optional.orElseGet() (#2450) @picimako
• Do not use deprecated jackson iso8601 class (#2423) @SimonVerhoeven
• feat: use expression lambdas over statement lambdas (#2444) @SimonVerhoeven
• Replace Guava by JDK (Partly) (#2384) @pks-1981
• Remove unnecessary type unboxing (#2424) @SimonVerhoeven
• Replace Guava by JDK (Partly) (#2409) @pks-1981

✍ Other changes

• Ignore IPv6 addresses when checking network security rules (#2475) @tomakehurst
• Add BEFORE_RESPONSE_SENT request phase to the stub-mapping schema (#2428) @picimako

📦 Dependency updates

• Bump org.eclipse.jetty:jetty-bom from 11.0.17 to 11.0.18 (#2469) @dependabot
• Bump commons-io:commons-io from 2.14.0 to 2.15.0 (#2464) @dependabot
• Bump com.google.guava:guava from 32.1.2-jre to 32.1.3-jre (#2433) @dependabot
• Bump com.fasterxml.jackson:jackson-bom from 2.15.2 to 2.15.3 (#2441) @dependabot
• Bump org.eclipse.jetty:jetty-bom from 11.0.16 to 11.0.17 (#2430) @dependabot
• Bump org.sonarqube from 4.3.1.3277 to 4.4.1.3373 (#2410) @dependabot
• Bump org.mockito:mockito-junit-jupiter from 5.5.0 to 5.6.0 (#2426) @dependabot
• Bump org.ow2.asm:asm from 9.5 to 9.6 (#2406) @dependabot
• Bump org.mockito:mockito-core from 5.5.0 to 5.6.0 (#2425) @dependabot
• Bump io.netty:netty-all from 4.1.98.Final to 4.1.99.Final (#2403) @dependabot
• Bump com.diffplug.spotless from 6.21.0 to 6.22.0 (#2402) @dependabot
• Bump commons-io:commons-io from 2.13.0 to 2.14.0 (#2407) @dependabot

3.2.0

💥 Breaking changes

• Enable local response templating by default in standalone (#2386) @tomakehurst
• Add startup option to enable/disable extension scanning and set to disabled by default when running from Java (#2385) @tomakehurst

🚀 New features and improvements

• Exposing MappingsLoader as an extension point (#2334) @bharatnpti
• Include more info when webhook refusal logged (#2389) @Mahoney
• HTTP Server Factory as an extension point (#2391) @tomakehurst
• Print loaded extensions at startup (#2381) @tomakehurst

🐛 Bug fixes

• Fix json string schema rejecting numbers (#2390) @Mahoney
• Fix FileSource backed blobstore keys bug (#2392) @tomakehurst
• Fixed #2388 - empty getPath() returned from new FileStore implementation passed to transformers (#2396) @tomakehurst

📦 Dependency updates

• Bump io.netty:netty-all from 4.1.97.Final to 4.1.98.Final (#2394) @dependabot

3.1.0

🚀 New features and improvements

• Move webhooks to the WireMock core (#2376) @tomakehurst
• Added a setter for max template cache entries in WireMockConfiguration (#2365) @tomakehurst
• Add working equals & readable toString to NetworkAddressRange (#2358) @Mahoney

💥 Breaking changes

• Move webhooks to the WireMock core. Users of the extension should remove the dependency when updating to the new version (#2376) @tomakehurst

🐛 Bug fixes

• Fixed #2364 - scenarios produced by recorder play back in reverse order (#2377) @tomakehurst
• Fix admin requests with empty body to avoid response code 411 (#1738) @danielimre
• Fix standalone missing filename extension bug (#2366) @tomakehurst

👻 Maintenance

• Fix markdown links (#2375) @pks-1981
• Add tests proving we match on request bodies (#2367) @Mahoney
• Replace Guava by JDK (Partly) (#2380) @pks-1981

📦 Dependency updates

• Bump org.junit-pioneer:junit-pioneer from 2.0.1 to 2.1.0 (#2370) @dependabot
• Bump com.github.tomakehurst:wiremock-jre8-standalone from 2.33.2 to 2.35.1 in /testlogging (#2368) @dependabot
• Bump com.networknt:json-schema-validator from 1.0.86 to 1.0.87 (#2371) @dependabot

3.0.4

🚀 New features and improvements

• Add working equals & readable toString to NetworkAddressRange (#2358) @Mahoney

🐛 Bug fixes

• Fix standalone missing filename extension bug (#2366) @tomakehurst
• Added a setter for max template cache entries in WireMockConfiguration (#2365) @tomakehurst
• Second attempt at fixing shaded webhooks plugin (#2362) @tomakehurst

👻 Maintenance

• Bump org.scala-lang:scala-library test dependency from 2.13.11 to 2.13.12 (#2360) @dependabot

✍ Other changes

• Add tests proving we match on request bodies (#2367) @Mahoney

3.0.3 - Security Release

🔒 Security

This security release addresses the following issues

• CVE-2023-41327 - Controlled SSRF through URL in the WireMock Webhooks Extension and WireMock Studio
  • Base CVSS Score: 4.6 (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L/E:F/RL:O/RC:C)
• CVE-2023-41329 - Domain restrictions bypass via DNS Rebinding in WireMock and WireMock Studio webhooks, proxy and recorder modes
  • Base CVSS Score: 3.9 (AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C)

NOTE: WireMock Studio, a proprietary distribution discontinued in 2022, is also affected by those issues and also affected by CVE-2023-39967 - Overall CVSS Score 8.6 - “Controlled and full-read SSRF through URL parameter when testing a request, webhooks and proxy mode”. The fixes will not be provided. The vendor recommends migrating to WireMock Cloud which is available as SaaS and private beta for on-premises deployments

🔗 Related releases

• WireMock Docker 3.0.3-1 - Docker Image with the Patch
• WireMock 2.35.1 / WireMock Docker 2.35.1-1 - Backport to WireMock 2.x
• Python WireMock 2.6.1 - Python library that bundles the WireMock JAR file
• NOTE: Other distributions like Testcontainers modules or Helm chart need explicit version declaration, and hence a user action is needed to update the dependencies should they be considered a risk

Credits

@W0rty, @numacanedo, @Mahoney, @tomakehurst, @oleg-nenashev

2.35.1 - Security Release

🔒 This is a security release that addresses the following issues

• CVE-2023-41327 - Controlled SSRF through URL in the WireMock Webhooks Extension and WireMock Studio
  • Overall CVSS Score: 4.6 (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L/E:F/RL:O/RC:C)
• CVE-2023-41329 - Domain restrictions bypass via DNS
  Rebinding in WireMock and WireMock Studio webhooks, proxy and recorder modes
  • Overall CVSS Score: 3.9 (AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C)

NOTE: WireMock Studio, a proprietary distribution discontinued in 2022, is also affected by those issues and also affected by CVE-2023-39967 - Overall CVSS Score 8.6 - “Controlled and full-read SSRF through URL parameter when testing a request, webhooks and proxy mode”. The fixes will not be provided. The vendor recommends migrating to WireMock Cloud which is available as SaaS and private beta for on-premises deployments

Credits: @W0rty, @numacanedo, @Mahoney, @tomakehurst, @oleg-nenashev

3.0.2

🐛 Bug fixes

• fix: avoid crash when printing help in wiremock-standalone (#2351) @tomasbjerre

👻 Maintenance

• Reset system properties at end of test (#2356) @Mahoney

📦 Dependency updates

• Bump org.eclipse.jetty:jetty-bom from 11.0.15 to 11.0.16 (#2346) @dependabot
• Bump org.slf4j:log4j-over-slf4j from 2.0.7 to 2.0.9 (#2353) @dependabot
• Bump org.sonarqube from 4.3.0.3225 to 4.3.1.3277 (#2352) @dependabot

3.0.1

🐛 Bug fixes

• Stop returning 500s for unmatched path patterns (#2339) @Mahoney
• Ensure that the shadow JAR is always built last to ensure webhooks fat JAR wins (#2344) @tomakehurst
• Added validation of UUIDs in path parameters in the admin API so that clearer errors are reported when non UUIDs are provided or item isn't found rather than throwing a 500 error (#2347) @tomakehurst
• Respect StopAction in V1 Filter (#2335) @Mahoney

Thanks to the regression reporters: @defnngj , @oleg-nenashev , @Mahoney