Releases: wiremock/wiremock
3.4.0
🚀 New features and improvements
- Version number add to the endpoint /health - healthcheck Issue Nro 1339 (#2498) @gorostiaga
- Allow @wiremocktest to be applied on base classes (#2500) @kkocel
- Expose numberOfParameters on PathTemplate (#2509) @Mahoney
- Add the version number to the output when wiremock starts (#2485) @leeturner
- Add ability to return application version from new admin endpoint and wiremock standalone cli (#2453) @leeturner
🐛 Bug fixes
- Do not return null objects in getAll of the InMemoryRequestJournalStore (#2508) @coder-hugo
- Fix NullPointerException in ResponseDefinition.getProxyUrl() (#2490) @mfruizs
- Generalize function calculating normalized distance between date/time values (#2543) @papiomytoglou
- Show correct diff for unescaped ? in regex (#2596) @Mahoney
- Disable XML External Entities (#2603) @Pr0methean
- Disable connection reuse only for proxy clients not for the admin client (#2597) @coder-hugo
- [FIX] Fix the deserialization behavior which change the precision of decimal (#2588) @AlEmerich
- Fix json-body not escaping special characters (#2551) @G-Basak
- Fix sonarqube scanner (#2577) @dieppa
- correct handling of empty request body with Handlebars (#2546) (#2552) @dirkbolte
📦 Dependency updates
38 changes
- Bump io.netty:netty-all from 4.1.106.Final to 4.1.107.Final (#2608) @dependabot
- Bump com.fasterxml.jackson:jackson-bom from 2.15.3 to 2.16.1 (#2548) @dependabot
- Bump org.eclipse.jetty:jetty-bom from 11.0.19 to 11.0.20 (#2599) @dependabot
- Bump com.networknt:json-schema-validator from 1.3.1 to 1.3.2 (#2605) @dependabot
- Bump versions.junitJupiter from 5.10.1 to 5.10.2 (#2602) @dependabot
- Bump org.slf4j:log4j-over-slf4j from 2.0.11 to 2.0.12 (#2604) @dependabot
- Bump com.networknt:json-schema-validator from 1.3.0 to 1.3.1 (#2598) @dependabot
- Bump com.networknt:json-schema-validator from 1.2.0 to 1.3.0 (#2595) @dependabot
- Bump org.mockito:mockito-core from 5.9.0 to 5.10.0 (#2589) @dependabot
- Bump org.apache.httpcomponents.client5:httpclient5 from 5.3 to 5.3.1 (#2591) @dependabot
- Bump org.mockito:mockito-junit-jupiter from 5.9.0 to 5.10.0 (#2590) @dependabot
- Bump io.netty:netty-all from 4.1.105.Final to 4.1.106.Final (#2581) @dependabot
- Bump com.diffplug.spotless from 6.24.0 to 6.25.0 (#2587) @dependabot
- Bump com.toomuchcoding.jsonassert:jsonassert from 0.7.0 to 0.8.0 (#2586) @dependabot
- Bump com.jayway.jsonpath:json-path from 2.8.0 to 2.9.0 (#2582) @dependabot
- Bump com.networknt:json-schema-validator from 1.1.0 to 1.2.0 (#2583) @dependabot
- Bump io.netty:netty-all from 4.1.104.Final to 4.1.105.Final (#2580) @dependabot
- Bump com.networknt:json-schema-validator from 1.0.88 to 1.1.0 (#2537) @dependabot
- Bump io.netty:netty-all from 4.1.101.Final to 4.1.104.Final (#2538) @dependabot
- Bump com.google.guava:guava from 32.1.3-jre to 33.0.0-jre (#2539) @dependabot
- Bump org.eclipse.jetty:jetty-bom from 11.0.18 to 11.0.19 (#2542) @dependabot
- Bump org.slf4j:log4j-over-slf4j from 2.0.9 to 2.0.11 (#2563) @dependabot
- Bump org.mockito:mockito-core from 5.7.0 to 5.9.0 (#2571) @dependabot
- Bump com.diffplug.spotless from 6.23.3 to 6.24.0 (#2575) @dependabot
- Bump org.mockito:mockito-junit-jupiter from 5.7.0 to 5.9.0 (#2570) @dependabot
- Bump org.apache.httpcomponents.client5:httpclient5 from 5.2.1 to 5.3 (#2524) @dependabot
- Bump com.networknt:json-schema-validator from 1.0.87 to 1.0.88 (#2527) @dependabot
- Bump ch.qos.logback:logback-classic from 1.2.0 to 1.2.13 in /testlogging (#2522) @dependabot
- Bump commons-io:commons-io from 2.15.0 to 2.15.1 (#2512) @dependabot
- Bump com.toomuchcoding.jsonassert:jsonassert from 0.6.2 to 0.7.0 (#2520) @dependabot
- Bump com.diffplug.spotless from 6.23.0 to 6.23.3 (#2521) @dependabot
- Bump com.diffplug.spotless from 6.22.0 to 6.23.0 (#2507) @dependabot
- Bump org.apache.commons:commons-lang3 from 3.13.0 to 3.14.0 (#2496) @dependabot
- Bump org.junit-pioneer:junit-pioneer from 2.1.0 to 2.2.0 (#2493) @dependabot
- Bump io.netty:netty-all from 4.1.99.Final to 4.1.101.Final (#2484) @dependabot
- Bump versions.junitJupiter from 5.10.0 to 5.10.1 (#2483) @dependabot
- Bump org.mockito:mockito-junit-jupiter from 5.6.0 to 5.7.0 (#2477) @dependabot
- Bump org.mockito:mockito-core from 5.6.0 to 5.7.0 (#2476) @dependabot
📝 Documentation updates
- Add operationId to openApi/swagger documents (#2487) @j1mr10rd4n
👻 Maintenance
- chore: minor internal refactors (#2491) @Marvin9
- Proposal for: Flaky port allocation tests #2281 (#2421) @dkhozyainov
✍ Other changes
- Improve Scenario error message for unsupported state (#2594) @nlisgo
- Supply lazy TemplateEngine, HttpClientFactory, and DefaultHttpClient. (#2564) @kyle-winkelman
- Parsing config files with BOM character (#2535) @salehjafarli
- Clean up duplicative isAbsent and unused serializer. (#2567) @kyle-winkelman
- Allow matchesJsonSchema to be supplied as a json object. (#2566) @kyle-winkelman
- Adding a few unit tests for Body (#2559) @G-Basak
- Add gzipDisabled at the ResponseDefinitionBuilder level (#2481) @dkhozyainov
- Update wrapper scripts version to match gradle version. (#2574) @HappyHacker123
- Remove and log warning before loading webhooks (#2568) @prithvitewatia
- Add extensionScanningEnabled option to @wiremocktest. (#2561) @kyle-winkelman
- Adding build function for all kind of UrlPattern in RequestPatternBuilder (#2536) @AlEmerich
- Added GET_OR_HEAD method. (#2555) @prithvitewatia
3.3.1
🚀 New features and improvements
- Allow empty URI path segments after the first (#2404) @Mahoney
- Switch the Webhooks Extension to use the injected template engine so that it respects standard configuration providers, e.g. system properties and environment variables (#2473) @tomakehurst
- Introduce the substitutable HTTP client (#2455) @tomakehurst
- Make NetworkAddressRules into an interface so that it can be implemented in a fully customised way @tomakehurst
🐛 Bug fixes
- Fix network address rules breaking change - regression in WireMock 3.3.0 (#2478) @tomakehurst
- Ignore IPv6 addresses when checking network security rules (#2475) @tomakehurst
- #2415 - Fix warning in the log due to SLF4J-API 1.7.36 to 2.0.7 replacement by Gradle (#2449) @Xabibax
- Fix API contract for FileSourceBlobStore (#2451) @dkhozyainov
- Add null check for actual date/time truncation (#2466) (#2467) @papiomytoglou
- #2422 - URL not matched by path template when query parameter present in request (#2429) @tomakehurst
📝 Documentation updates
- Add BEFORE_RESPONSE_SENT request phase to the stub-mapping schema (#2428) @picimako
- Update the co-maintainer policy beyond WireMock 3 (#2435) @oleg-nenashev
- Turn reference link into actual link (#2443) @SimonVerhoeven
👻 Maintenance
- chore: use List.of where possible if only one argument is passed (#2468) @SimonVerhoeven
- fix: introduce a slight delay given the 2-3 results is slightly flakey (#2463) @SimonVerhoeven
- chore: infer explicit type arguments where possible (#2462) @SimonVerhoeven
- Refactor: split getLines method of Diff class (#2460) @julianahrens1999
- Replace Optional.orElse() calls with Optional.orElseGet() (#2450) @picimako
- Do not use deprecated jackson iso8601 class (#2423) @SimonVerhoeven
- feat: use expression lambdas over statement lambdas (#2444) @SimonVerhoeven
- Replace Guava by JDK (Partly) (#2384) @pks-1981
- Remove unnecessary type unboxing (#2424) @SimonVerhoeven
- Replace Guava by JDK (Partly) (#2409) @pks-1981
📦 Dependency updates
- Bump org.eclipse.jetty:jetty-bom from 11.0.17 to 11.0.18 (#2469) @dependabot
- Bump commons-io:commons-io from 2.14.0 to 2.15.0 (#2464) @dependabot
- Bump com.google.guava:guava from 32.1.2-jre to 32.1.3-jre (#2433) @dependabot
- Bump com.fasterxml.jackson:jackson-bom from 2.15.2 to 2.15.3 (#2441) @dependabot
- Bump org.eclipse.jetty:jetty-bom from 11.0.16 to 11.0.17 (#2430) @dependabot
- Bump org.sonarqube from 4.3.1.3277 to 4.4.1.3373 (#2410) @dependabot
- Bump org.mockito:mockito-junit-jupiter from 5.5.0 to 5.6.0 (#2426) @dependabot
- Bump org.ow2.asm:asm from 9.5 to 9.6 (#2406) @dependabot
- Bump org.mockito:mockito-core from 5.5.0 to 5.6.0 (#2425) @dependabot
- Bump io.netty:netty-all from 4.1.98.Final to 4.1.99.Final (#2403) @dependabot
- Bump com.diffplug.spotless from 6.21.0 to 6.22.0 (#2402) @dependabot
- Bump commons-io:commons-io from 2.13.0 to 2.14.0 (#2407) @dependabot
3.3.0
NOTE: This version is discarded because of the unintended breaking change in NetworkAddressRules, fixed in 3.3.1 by #2478
🚀 New features and improvements
- Allow empty URI path segments after the first (#2404) @Mahoney
- Switched the webhooks extension to use the injected template engine so that it gets e.g. system/env property configuration (#2473) @tomakehurst
- Substitutable HTTP client (#2455) @tomakehurst
- Make NetworkAddressRules into an interface so that it can be implemented in a fully customised way. Note this introduced a breaking change, which is fixed in https://github.com/wiremock/wiremock/releases/tag/3.3.1
🐛 Bug fixes
- Fixed #2415 Gradle replaces SLF4J-API 1.7.36 with 2.0.7, causing warning in the log (#2449) @Xabibax
- Refactor: split getLines method of Diff class (#2460) @julianahrens1999
- Fix contract for FileSourceBlobStore (#2451) @dkhozyainov
- Add null check for actual date/time truncation (#2466) (#2467) @papiomytoglou
- Fixed #2422 - URL not matched by path template when query parameter present in request (#2429) @tomakehurst
📝 Documentation updates
- Update the co-maintainer policy beyond WireMock 3 (#2435) @oleg-nenashev
- Turn reference link into actual link (#2443) @SimonVerhoeven
👻 Maintenance
- chore: use List.of where possible if only one argument is passed (#2468) @SimonVerhoeven
- fix: introduce a slight delay given the 2-3 results is slightly flakey (#2463) @SimonVerhoeven
- chore: infer explicit type arguments where possible (#2462) @SimonVerhoeven
- Replace Optional.orElse() calls with Optional.orElseGet() (#2450) @picimako
- Do not use deprecated jackson iso8601 class (#2423) @SimonVerhoeven
- feat: use expression lambdas over statement lambdas (#2444) @SimonVerhoeven
- Replace Guava by JDK (Partly) (#2384) @pks-1981
- Remove unnecessary type unboxing (#2424) @SimonVerhoeven
- Replace Guava by JDK (Partly) (#2409) @pks-1981
✍ Other changes
- Ignore IPv6 addresses when checking network security rules (#2475) @tomakehurst
- Add BEFORE_RESPONSE_SENT request phase to the stub-mapping schema (#2428) @picimako
📦 Dependency updates
- Bump org.eclipse.jetty:jetty-bom from 11.0.17 to 11.0.18 (#2469) @dependabot
- Bump commons-io:commons-io from 2.14.0 to 2.15.0 (#2464) @dependabot
- Bump com.google.guava:guava from 32.1.2-jre to 32.1.3-jre (#2433) @dependabot
- Bump com.fasterxml.jackson:jackson-bom from 2.15.2 to 2.15.3 (#2441) @dependabot
- Bump org.eclipse.jetty:jetty-bom from 11.0.16 to 11.0.17 (#2430) @dependabot
- Bump org.sonarqube from 4.3.1.3277 to 4.4.1.3373 (#2410) @dependabot
- Bump org.mockito:mockito-junit-jupiter from 5.5.0 to 5.6.0 (#2426) @dependabot
- Bump org.ow2.asm:asm from 9.5 to 9.6 (#2406) @dependabot
- Bump org.mockito:mockito-core from 5.5.0 to 5.6.0 (#2425) @dependabot
- Bump io.netty:netty-all from 4.1.98.Final to 4.1.99.Final (#2403) @dependabot
- Bump com.diffplug.spotless from 6.21.0 to 6.22.0 (#2402) @dependabot
- Bump commons-io:commons-io from 2.13.0 to 2.14.0 (#2407) @dependabot
3.2.0
💥 Breaking changes
- Enable local response templating by default in standalone (#2386) @tomakehurst
- Add startup option to enable/disable extension scanning and set to disabled by default when running from Java (#2385) @tomakehurst
🚀 New features and improvements
- Exposing MappingsLoader as an extension point (#2334) @bharatnpti
- Include more info when webhook refusal logged (#2389) @Mahoney
- HTTP Server Factory as an extension point (#2391) @tomakehurst
- Print loaded extensions at startup (#2381) @tomakehurst
🐛 Bug fixes
- Fix json string schema rejecting numbers (#2390) @Mahoney
- Fix FileSource backed blobstore keys bug (#2392) @tomakehurst
- Fixed #2388 - empty getPath() returned from new FileStore implementation passed to transformers (#2396) @tomakehurst
📦 Dependency updates
- Bump io.netty:netty-all from 4.1.97.Final to 4.1.98.Final (#2394) @dependabot
3.1.0
🚀 New features and improvements
- Move webhooks to the WireMock core (#2376) @tomakehurst
- Added a setter for max template cache entries in WireMockConfiguration (#2365) @tomakehurst
- Add working equals & readable toString to NetworkAddressRange (#2358) @Mahoney
💥 Breaking changes
- Move webhooks to the WireMock core. Users of the extension should remove the dependency when updating to the new version (#2376) @tomakehurst
🐛 Bug fixes
- Fixed #2364 - scenarios produced by recorder play back in reverse order (#2377) @tomakehurst
- Fix admin requests with empty body to avoid response code 411 (#1738) @danielimre
- Fix standalone missing filename extension bug (#2366) @tomakehurst
👻 Maintenance
- Fix markdown links (#2375) @pks-1981
- Add tests proving we match on request bodies (#2367) @Mahoney
- Replace Guava by JDK (Partly) (#2380) @pks-1981
📦 Dependency updates
- Bump org.junit-pioneer:junit-pioneer from 2.0.1 to 2.1.0 (#2370) @dependabot
- Bump com.github.tomakehurst:wiremock-jre8-standalone from 2.33.2 to 2.35.1 in /testlogging (#2368) @dependabot
- Bump com.networknt:json-schema-validator from 1.0.86 to 1.0.87 (#2371) @dependabot
3.0.4
🚀 New features and improvements
🐛 Bug fixes
- Fix standalone missing filename extension bug (#2366) @tomakehurst
- Added a setter for max template cache entries in WireMockConfiguration (#2365) @tomakehurst
- Second attempt at fixing shaded webhooks plugin (#2362) @tomakehurst
👻 Maintenance
- Bump org.scala-lang:scala-library test dependency from 2.13.11 to 2.13.12 (#2360) @dependabot
✍ Other changes
3.0.3 - Security Release
🔒 Security
This security release addresses the following issues
- CVE-2023-41327 - Controlled SSRF through URL in the WireMock Webhooks Extension and WireMock Studio
- Base CVSS Score: 4.6 (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L/E:F/RL:O/RC:C)
- CVE-2023-41329 - Domain restrictions bypass via DNS Rebinding in WireMock and WireMock Studio webhooks, proxy and recorder modes
- Base CVSS Score: 3.9 (AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C)
NOTE: WireMock Studio, a proprietary distribution discontinued in 2022, is also affected by those issues and also affected by CVE-2023-39967 - Overall CVSS Score 8.6 - “Controlled and full-read SSRF through URL parameter when testing a request, webhooks and proxy mode”. The fixes will not be provided. The vendor recommends migrating to WireMock Cloud which is available as SaaS and private beta for on-premises deployments
🔗 Related releases
- WireMock Docker 3.0.3-1 - Docker Image with the Patch
- WireMock 2.35.1 / WireMock Docker 2.35.1-1 - Backport to WireMock 2.x
- Python WireMock 2.6.1 - Python library that bundles the WireMock JAR file
- NOTE: Other distributions like Testcontainers modules or Helm chart need explicit version declaration, and hence a user action is needed to update the dependencies should they be considered a risk
Credits
2.35.1 - Security Release
🔒 This is a security release that addresses the following issues
- CVE-2023-41327 - Controlled SSRF through URL in the WireMock Webhooks Extension and WireMock Studio
- Overall CVSS Score: 4.6 (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L/E:F/RL:O/RC:C)
- CVE-2023-41329 - Domain restrictions bypass via DNS Rebinding in WireMock and WireMock Studio webhooks, proxy and recorder modes
- Overall CVSS Score: 3.9 (AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C)
NOTE: WireMock Studio, a proprietary distribution discontinued in 2022, is also affected by those issues and also affected by CVE-2023-39967 - Overall CVSS Score 8.6 - “Controlled and full-read SSRF through URL parameter when testing a request, webhooks and proxy mode”. The fixes will not be provided. The vendor recommends migrating to WireMock Cloud which is available as SaaS and private beta for on-premises deployments
Credits: @W0rty, @numacanedo, @Mahoney, @tomakehurst, @oleg-nenashev
3.0.2
🐛 Bug fixes
- fix: avoid crash when printing help in wiremock-standalone (#2351) @tomasbjerre
👻 Maintenance
📦 Dependency updates
- Bump org.eclipse.jetty:jetty-bom from 11.0.15 to 11.0.16 (#2346) @dependabot
- Bump org.slf4j:log4j-over-slf4j from 2.0.7 to 2.0.9 (#2353) @dependabot
- Bump org.sonarqube from 4.3.0.3225 to 4.3.1.3277 (#2352) @dependabot
3.0.1
🐛 Bug fixes
- Stop returning 500s for unmatched path patterns (#2339) @Mahoney
- Ensure that the shadow JAR is always built last to ensure webhooks fat JAR wins (#2344) @tomakehurst
- Added validation of UUIDs in path parameters in the admin API so that clearer errors are reported when non UUIDs are provided or item isn't found rather than throwing a 500 error (#2347) @tomakehurst
- Respect StopAction in V1 Filter (#2335) @Mahoney
Thanks to the regression reporters: @defnngj , @oleg-nenashev , @Mahoney