Bump classgraph from 4.8.110 to 4.8.121 #32

Closed
dependabot[bot] wants to merge 1 commit into develop from dependabot/gradle/io.github.classgraph-classgraph-4.8.121

dependabot Bot commented on behalf of github Oct 4, 2021

Bumps classgraph from 4.8.110 to 4.8.121.

Release notes

Sourced from classgraph's releases.

classgraph-4.8.121

Optimization of reflection code (no functional changes compared to previous release)

classgraph-4.8.120

First version that is fully compatible with JDK 16+

The JDK team decided to switch on strong encapsulation in JDK 16+. That means that ClassGraph cannot find the classpath, if all of the following are true:

  • You are running on JDK 16+
  • You are using a legacy classloader (rather than the module system)
  • The legacy classloader does not expose its classpath via a public field or method
  • The classloader is loaded in a different module from your user code

If your ClassGraph code works in JDK versions less than 16 but breaks in JDK 16+ (meaning that ClassGraph can no longer find your classes), you have probably run into this problem.

You can circumvent this restriction by:

  • Adding the Narcissus library to your project as an extra dependency (only Linux x86/x64, Windows x86/x64, and Mac OS X x64 are currently supported).
  • Setting ClassGraph.CIRCUMVENT_ENCAPSULATION = true; before interacting with ClassGraph in any other way (this will load the Narcissus library as ClassGraph's reflection driver).

This release of ClassGraph uses Narcissus to silently circumvent all of Java's security mechanisms (visibility/access checks, security manager restrictions, and strong encapsulation), in order to read the classpath from private fields and methods of classloaders. Narcissus is a collaboration between:

JDK 16's strong encapsulation is just the first step of trying to lock down Java's internals, so further restrictions are possible (e.g. it is likely that setAccessible(true) will fail in future JDK releases, even within a module, and probably the JNI API will be locked down soon, making Narcissus require a commandline flag to work).

Please convince your upstream runtime environment to expose the full classpath from their classloader using a public method or field, otherwise ClassGraph may stop working for your runtime environment in the future.

classgraph-4.8.119

(Skip this release, reflection was broken...)

classgraph-4.8.118

Fix regressions in previous release (#562, #563).

classgraph-4.8.117

UPDATE: Do not use this release, it caused some regressions -- use ClassGraph-4.8.118+ instead.

classgraph-4.8.116

  • Handle unchecked exceptions such as UnsupportedOperationException (rather than dying), which may be thrown by filesystems when accessing a Path object discovered as a classpath element. (#553, thanks to @​wajda for the report and the helpful info on how to reproduce.)
  • Specifically, ignore JrtFileSystem (which throws UnsupportedOperationException if you try to open a new FileChannel on a resource). This filesystem is not needed anyway, as ClassGraph already has the ability to scan all visible modules using the JPMS API.

classgraph-4.8.115

Merged pull request from @​larsgrefer to allow class references and not just class names to be used (e.g. to find all the subclasses of a given class). (#549, thanks Lars for the contribution!)

classgraph-4.8.114

Fixed bug where short constant values (e.g. short-typed annotation parameter values) were always being read as zero. Thanks to @​liangzengle for reporting the bug and tracing it right down to the source line that needed to be fixed!

classgraph-4.8.113

  • Don't throw IllegalArgumentException if ClassInfo#getClassesImplementing() or ScanResult#getClassesImplementing() are called for a non-interface class.

... (truncated)

Commits
  • b2141fe [maven-release-plugin] prepare release classgraph-4.8.121
  • d859088 Improve reflection code
  • ac3f369 Ensure Narcissus native library is loaded
  • e7cf33c Add field setters for completeness
  • 1aaaba7 Fix Javadoc
  • 05c20e9 Fix for reading static fields; refactoring
  • fe9c669 Small optimization
  • 2427287 Remove unnecessary code
  • 65c5525 Update README
  • d10cc52 Update README
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
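
A pre-merge check for the two opt-in steps listed in the 4.8.120 release notes above, as an added example that is not part of this pull request or of ClassGraph: it reports an uncommented Narcissus dependency in Gradle build files and an uncommented `CIRCUMVENT_ENCAPSULATION = true` assignment in sources. The substring match on "narcissus", the file-name lists, the function names and the sample tree are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Assumption: the Narcissus artifact is declared with "narcissus" in its coordinates.
NARCISSUS_DEP = re.compile(r"narcissus", re.IGNORECASE)
# The opt-in switch named in the 4.8.120 release notes, tolerant of whitespace.
FLAG_SET = re.compile(r"\bCIRCUMVENT_ENCAPSULATION\s*=\s*true\b")
BUILD_NAMES = ("build.gradle", "build.gradle.kts")
SOURCE_SUFFIXES = (".java", ".kt", ".groovy", ".scala")


def strip_comments(text):
    """Drop /* */ and // comments (keeping line numbers) so dead code is not reported."""
    text = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"), text, flags=re.S)
    return re.sub(r"//[^\n]*", "", text)


def audit(files):
    """files maps path -> text. Returns a list of (path, line_no, kind) findings."""
    findings = []
    for path, text in sorted(files.items()):
        name = Path(path).name
        if name in BUILD_NAMES:
            pattern, kind = NARCISSUS_DEP, "narcissus-dependency"
        elif name.endswith(SOURCE_SUFFIXES):
            pattern, kind = FLAG_SET, "encapsulation-flag-enabled"
        else:
            continue  # documentation and other files are not evidence of use
        for no, line in enumerate(strip_comments(text).splitlines(), 1):
            if pattern.search(line):
                findings.append((path, no, kind))
    return findings


def both_steps_present(findings):
    """The release notes list two steps; report whether the tree contains both."""
    kinds = {kind for _, _, kind in findings}
    return {"narcissus-dependency", "encapsulation-flag-enabled"} <= kinds


# Constructed sample tree (placeholder coordinates, not real artifacts).
SAMPLE = {
    "build.gradle": 'implementation "io.github.classgraph:classgraph:4.8.121"\n'
                    '// runtimeOnly "example.invalid:narcissus:0.0.0"\n'
                    'runtimeOnly "example.invalid:narcissus:0.0.0"\n',
    "src/main/java/app/Scan.java": 'static { ClassGraph.CIRCUMVENT_ENCAPSULATION = true; }\n'
                    '/* ClassGraph.CIRCUMVENT_ENCAPSULATION = true; */\n',
    "README.md": "CIRCUMVENT_ENCAPSULATION = true\n",
}
```

To run it against a checkout, build the `files` mapping from `Path.rglob("*")` and fail the CI job when `both_steps_present` returns true without a recorded approval.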

Bumps [classgraph](https://github.com/classgraph/classgraph) from 4.8.110 to 4.8.121.
- [Release notes](https://github.com/classgraph/classgraph/releases)
- [Commits](classgraph/classgraph@classgraph-4.8.110...classgraph-4.8.121)

---
updated-dependencies:
- dependency-name: io.github.classgraph:classgraph
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added the dependencies and java labels Oct 4, 2021

dependabot Bot commented on behalf of github Oct 5, 2021

Superseded by #33.

dependabot Bot closed this Oct 5, 2021

dependabot Bot deleted the dependabot/gradle/io.github.classgraph-classgraph-4.8.121 branch October 5, 2021 21:12