
Bump mockserver-client from 6.0.0 to 6.1.0#34

Open
dependabot[bot] wants to merge 1 commit into master from dependabot-npm_and_yarn-mockserver-client-6.1.0

Conversation

@dependabot dependabot[bot] commented on behalf of github on Jul 3, 2026


Bumps mockserver-client from 6.0.0 to 6.1.0.

Release notes

Sourced from mockserver-client's releases.

MockServer 6.1.0

Release 6.1.0

Changelog

Sourced from mockserver-client's changelog.

[6.1.0] - 2026-05-27

Security

  • SSRF protection for forward and forward-template actions: new mockserver.forwardProxyBlockPrivateNetworks property (default false for backwards compatibility) rejects forward targets that resolve to loopback, link-local, RFC 1918 private, or cloud metadata addresses (e.g. 169.254.169.254). Enable in hardened or multi-tenant deployments where untrusted callers can register expectations. A future major release is expected to flip the default to true.
  • ReDoS protection in regex matchers: regex evaluation now runs on a shared cached daemon-thread pool with a configurable timeout mockserver.regexMatchingTimeoutMillis (default 5000ms). Patterns that exceed the budget are treated as non-matches and a WARN log entry is written, so a pathological pattern cannot wedge a Netty worker.
  • XPath DoS protection: XPath evaluation in body matching now uses the same shared timeout executor with mockserver.xpathMatchingTimeoutMillis (default 5000ms).
  • Cryptographically secure randomness: UUIDService and TemplateFunctions now use SecureRandom instead of java.util.Random for UUID generation, rand_int/rand_int_10/rand_int_100, and rand_bytes template helpers.
  • Loud insecure-mode warning logs at startup / SSL-context init: a WARN is emitted when (a) the forward proxy trusts all TLS certificates (forwardProxyTLSX509CertificatesTrustManagerType=ANY), (b) Velocity class loading is enabled (velocityDisallowClassLoading=false), (c) JavaScript templates have no class restrictions (javascriptDisallowedClasses empty), or (d) tlsProtocols includes the deprecated TLSv1 / TLSv1.1.
  • mockserver.tlsAllowInsecureProtocols configuration property (default true for backwards compatibility): when set to false, any TLSv1 or TLSv1.1 entries in mockserver.tlsProtocols are filtered out before the SSL context is built, giving users an opt-in hardened TLS profile without having to rewrite their existing tlsProtocols value. A future major release is expected to flip this default to false.
  • Secrets are no longer logged in plaintext: the startup property dump now redacts the values of properties whose name indicates a secret (password, secret, access key, API key, connection string, token, private key, credential, passphrase) as ***REDACTED***. This covers the cloud blob credentials (blobStoreSecretAccessKey, blobStoreConnectionString), llmApiKey, proxyAuthenticationPassword, and similar, so they are not leaked to log aggregation.
  • Kubernetes admission-webhook Helm hardening: fixed a shell-injection vector where the webhook.tls.certValidityDays value was interpolated unquoted into the self-signed-cert bootstrap Job (now quoted and integer-coerced); narrowed the TLS-bootstrap RBAC from cluster-wide Secret access to a namespace-scoped Role plus a resourceNames-restricted ClusterRole for the MutatingWebhookConfiguration caBundle patch only; and removed the running webhook's unused Kubernetes API RBAC (the webhook is a pure HTTPS server) in favour of automountServiceAccountToken: false.
  • HTTP/3 CONNECT-UDP (MASQUE) open-relay risk documented: when http3ConnectUdpEnabled=true the relay forwards to any target the client names (SSRF-equivalent); it is default-off and now clearly flagged as test-only in the configuration and HTTP/3 documentation.

Fixed

  • HTTP/3 request bodies are now capped at maxRequestBodySize (default 10 MiB), matching the HTTP/1.1 and HTTP/2 paths; an over-cap HTTP/3 request is rejected (413 / QUIC stream shutdown) instead of being accumulated unboundedly in memory.
  • Cloud BlobStore backends: cloud SDK clients (S3/GCS) are now closed on server shutdown (the BlobStore SPI is AutoCloseable, closed via the state backend) instead of leaking connection pools and threads; the Azure backend now encodes metadata keys reversibly so keys such as x-custom-type round-trip exactly and no longer collide with x_custom_type (previously both were silently mapped to the same key), and writes data + metadata atomically; the S3 and GCS get() paths no longer make a redundant second network call per read.
  • Release pipeline now downloads the mockserver-k8s-webhook jar artifact before building its image, so the webhook image is published reliably on multi-agent CI.

Added

  • First-class LLM and agent mocking: new httpLlmResponse action type lets you mock LLM provider APIs at the semantic level — describe the model's reply (text, tool calls, stop reason, usage) and MockServer produces the byte-correct provider wire format. Supports all 7 major providers: Anthropic Messages, OpenAI Chat Completions, OpenAI Responses, Google Gemini, AWS Bedrock, Azure OpenAI, and Ollama. Non-streaming responses return provider-correct JSON; streaming responses generate the full SSE event sequence (e.g. message_start through message_stop for Anthropic, chat.completion.chunk with finish_reason for OpenAI) with configurable timing physics (timeToFirstToken, tokensPerSecond, jitter). OpenAI embeddings are also supported with deterministic vector generation via deterministicFromInput().
  • Conversation-aware matchers for multi-turn agent testing: whenTurnIndex(n), whenLatestMessageContains(text), whenLatestMessageRole(role), and whenContainsToolResultFor(toolName) predicates match against the parsed messages array in the inbound request body, enabling scripted multi-turn conversations where turn 1 returns a tool_use and turn 2 (after the agent sends a tool_result) returns the final answer. All predicates compose with AND semantics and integrate with the scenario state machine for automatic turn advancement.
  • Per-session conversation isolation via isolateBy(header("x-session-id")), isolateBy(queryParameter("agent")), or isolateBy(cookie("sid")): each unique value of the configured attribute gets independent scenario state, so concurrent agents sharing the same mocked endpoint do not interfere. Missing attributes fall back to shared state gracefully.
  • mock_llm_completion MCP tool: set up a single-turn LLM expectation from the MCP control plane, specifying provider, path, model, text, tool calls, and streaming mode
  • create_llm_conversation MCP tool: build a multi-turn scenario-chained LLM conversation with optional per-session isolation from the MCP control plane; returns the generated scenario name and per-turn state values
  • LLM Response badge in the dashboard expectation row showing provider, model, and text preview; Conversation view extended with a scripted-turns panel
  • mockserver.maxLlmConversationBodySize configuration property (default 1 MiB; clamped to 16 KiB - 64 MiB; env var MOCKSERVER_MAX_LLM_CONVERSATION_BODY_SIZE): request bodies larger than this limit skip conversation-aware parsing and are treated as no-match, preventing DoS via oversized JSON payloads
  • Custom json-unit matcher support for JSON body matching: implement org.mockserver.matchers.CustomJsonUnitMatcherProvider and point mockserver.customJsonUnitMatchersClass at it to register named Hamcrest matchers that JSON body expectations can reference via the ${json-unit.matches:name} placeholder (e.g. { "price": "${json-unit.matches:largerThan}" }); misconfigured providers are logged at WARN and ignored, so matching never fails because of an unloadable extension (fixes #2279)
  • http2Enabled configuration property to disable HTTP/2: when set to false ALPN no longer advertises h2 (and h2c is not detected) so HTTP/2 capable clients fall back to HTTP/1.1
  • Agent-friendly mismatch diagnostics: explain_unmatched_requests MCP tool and PUT /mockserver/explainUnmatched REST endpoint return recent requests that matched no expectation, each with ranked closest-expectation diffs and actionable remediation hints (e.g., "use method POST not GET", "add missing header Authorization"); debug_request_mismatch results are now ranked by closeness and include remediation hints; new mockserver://unmatched MCP resource
  • create_expectations_from_recorded_traffic MCP tool: converts traffic recorded by MockServer's forwarding/proxy mode into active mock expectations in one call, enabling an "observe then mock" workflow; supports method/path filtering and preview mode to inspect expectations before activating them
  • OpenAPI contract verification MCP tools: verify_traffic_against_openapi validates recorded request-response pairs against an OpenAPI spec (passive conformance checking); run_contract_test sends example requests derived from an OpenAPI spec to a running service and validates the responses (active contract testing); both return structured per-operation pass/fail results with validation errors
  • OpenAPI resiliency testing MCP tool: run_resiliency_test sends deliberately malformed and boundary-case requests derived from an OpenAPI spec to a running service (omitting required fields, type violations, numeric/string boundary violations, oversized strings, malformed JSON) and classifies each outcome as HANDLED (4xx) or UNEXPECTED (5xx/2xx/error); returns per-mutation results with operation summaries
  • Deterministic LLM record/replay: record_llm_fixtures MCP tool snapshots LLM/MCP traffic recorded through MockServer's forwarding proxy into a committable JSON fixture file with secrets automatically redacted (Authorization, api-key, Cookie, etc.); SSE streaming responses (Anthropic, OpenAI, etc.) are converted to HttpSseResponse actions for faithful event-by-event replay; load_expectations_from_file MCP tool loads fixture files as active expectations for offline, deterministic, zero-cost test replay

Changed

  • BREAKING Inbound HTTP/1.1 and HTTP/2 request bodies are now capped at 10 MiB by default (mockserver.maxRequestBodySize). Previously unbounded. Requests larger than the limit are rejected with 413 Payload Too Large. Raise the limit (e.g. -Dmockserver.maxRequestBodySize=52428800) if you intentionally mock large uploads.
  • BREAKING Upstream response bodies received when MockServer is acting as a proxy or forwarder are now capped at 50 MiB by default (mockserver.maxResponseBodySize). Previously unbounded. Raise if you forward to services that legitimately return larger payloads.
  • Each published JAR (including the -no-dependencies shaded artifacts) now declares a stable Automatic-Module-Name in its MANIFEST.MF, so downstream JPMS consumers can requires MockServer modules with names that no longer change with each version: org.mockserver.core (mockserver-core), org.mockserver.client (mockserver-client-java), org.mockserver.netty (mockserver-netty), org.mockserver.test (mockserver-testing), org.mockserver.testing (mockserver-integration-testing), org.mockserver.junit.rule (mockserver-junit-rule), org.mockserver.junit.jupiter (mockserver-junit-jupiter), org.mockserver.springtest (mockserver-spring-test-listener), org.mockserver.examples (mockserver-examples), org.mockserver.maven (mockserver-maven-plugin); each *-no-dependencies shaded variant shares its unshaded counterpart's module name and is an alternative packaging (place only one on the JPMS module path)

Fixed

  • Dynamic CA / SSL certificate generation no longer fails when dynamicallyCreateCertificateAuthorityCertificate=true (or any auto-generated server certificate path) is used: the four Configuration fluent setters for certificateAuthorityCertificate, certificateAuthorityPrivateKey, privateKeyPath, and x509CertificatePath no longer file-existence-check at set-time, because the internal generator sets these to the destination path before the file is written. User-supplied path typos are still surfaced by CertificateConfigurationValidator at TLS-init time.
  • HTTP/2 requests through the HTTPS CONNECT forward proxy no longer hang and emit a GOAWAY after ~30s; the internal relay now negotiates HTTP/1.1 or HTTP/2 per connection via ALPN instead of mismatching its TLS layer and codec (fixes #2260)
  • Docker image and standalone executable JAR produced no log output because the shaded server JAR did not include an SLF4J logging provider (fixes #2097)
  • *-no-dependencies shaded artifacts leaked their un-shaded source module (and its transitive dependencies) onto consumers' classpaths; these artifacts are now truly dependency-free

Commits
  • f62eabc release: publish mockserver-client-node 6.1.0
  • 9457878 release: bump non-Maven version manifests to 6.1.0
  • 9deb58f build(deps): bump tmp (#2280)
  • f08c1b6 feat(client): exponential WS reconnect and JS verifyZeroInteractions
  • d0e7461 fix: pin uuid to a patched version to clear CVE-2026-41907
  • a513654 release: update version references to 6.0.0
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [mockserver-client](https://github.com/mock-server/mockserver-monorepo/tree/HEAD/mockserver-client-node) from 6.0.0 to 6.1.0.
- [Release notes](https://github.com/mock-server/mockserver-monorepo/releases)
- [Changelog](https://github.com/mock-server/mockserver-monorepo/blob/master/changelog.md)
- [Commits](https://github.com/mock-server/mockserver-monorepo/commits/mockserver-client-node-6.1.0/mockserver-client-node)

---
updated-dependencies:
- dependency-name: mockserver-client
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
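The forward-target check described in the SSRF item of the changelog, written out as an added example (this is not MockServer's code): it classifies every resolved address of a host against the loopback, link-local, RFC 1918 and cloud-metadata ranges the changelog lists, and unwraps IPv4-mapped IPv6 literals so `::ffff:10.0.0.1` cannot slip past an IPv4-only comparison. The `fd00:ec2::254` entry and the injectable `resolver` parameter are assumptions of this example.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Added example mirroring the rule set the changelog describes for
# mockserver.forwardProxyBlockPrivateNetworks; this is not MockServer's code.
# Most specific label first so 169.254.169.254 reports "cloud metadata".
BLOCKED_NETWORKS = [
    ("cloud metadata", ipaddress.ip_network("169.254.169.254/32")),
    ("cloud metadata", ipaddress.ip_network("fd00:ec2::254/128")),  # AWS IMDS over IPv6 (assumed)
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("loopback", ipaddress.ip_network("::1/128")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("link-local", ipaddress.ip_network("fe80::/10")),
    ("RFC 1918 private", ipaddress.ip_network("10.0.0.0/8")),
    ("RFC 1918 private", ipaddress.ip_network("172.16.0.0/12")),
    ("RFC 1918 private", ipaddress.ip_network("192.168.0.0/16")),
]


def blocked_reason(ip_text: str) -> Optional[str]:
    """Return why a literal IP is rejected, or None if it may be forwarded to."""
    addr = ipaddress.ip_address(ip_text)
    # "::ffff:10.0.0.1" is an IPv6 literal that really targets 10.0.0.1;
    # compare the embedded IPv4 address so the IPv4 ranges still apply.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for label, network in BLOCKED_NETWORKS:
        if addr in network:
            return label
    return None


def resolve_all(host: str) -> list[str]:
    """Default resolver: every A/AAAA answer for host from one lookup."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_forward_target(host: str, resolver: Callable[[str], list[str]] = resolve_all) -> tuple[bool, list[str]]:
    """Resolve host once and reject it if ANY answer lands in a blocked range.
    Every answer is checked because a name can mix public and private records;
    the caller should then connect to a vetted address rather than re-resolve."""
    reasons = []
    for ip in resolver(host):
        label = blocked_reason(ip)
        if label is not None:
            reasons.append(f"{host} -> {ip}: {label}")
    return (not reasons, reasons)
```

Passing a constructed resolver, as the test does, exercises the logic without DNS; in production the resolved, vetted address is what the forwarder should dial.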
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 3, 2026