• AAE-46367 Implement Category-based Automatic Multi-Instance Call Activity Variable Mapping by @igdianov in https://github.com/Activiti/Activiti/pull/5411

Full Changelog: https://github.com/Activiti/Activiti/compare/7.21.0-rc.312...7.21.0-rc.313

Full Changelog: https://github.com/Activiti/Activiti/compare/7.21.0-rc.311...7.21.0-rc.312

• #52741 - quarkus-amazon-lambda-rest does not correctly include a Jandex
• #53197 - Smallrye config and microprofile config version conflict causes build failure with java modules
• #53613 - Quarkus build with vertx-hazelcast fails after upgrade to 3.33.1
• #53785 - Multi threaded maven uber jar builds on windows faill with java.nio.file.ClosedFileSystemException
• #53808 - Wrap shorthand admonition blocks in ==== delimiters
• #54001 - Gradle quarkusRun task starts in TEST mode
• #54095 - Gradle config from one module's quarkusAppPartsBuild leaks into another module in 3.35.x
• #54144 - Open archive path tree interrupt workaround
• #54229 - Signals: add configurable concurrency limit
• #54270 - Enable RAG generation during release builds
• #54273 - Keycloak exchange code for tokens fails in devmode if clientId contains an underscore
• #54281 - quarkus.rest-client-oidc-filter.refresh-on-unauthorized not respected with multiple @RegisterProvider annotations
• #54286 - Signals: introduce configurable concurrency limiter
• #54313 - Fix Hibernate ORM Dev UI localization and clear HQL input on submit
• #54320 - Use Mode.RUN for the Gradle quarkusRun task to fix indexing crash
• #54340 - Fix Keycloak DEV UI code exchange for client IDs with underscores
• #54342 - @ServerExceptionMapper with generic base class drops other exception mappers at runtime
• #54343 - Fix JSON logging excluded keys config ignoring nested fields
• #54346 - Fix @ServerExceptionMapper bridge method handling for generic types
• #54357 - Fix typo it's is -> it is
• #54382 - Bump the hibernate group with 11 updates
• #54389 - Updates to Infinispan 16.0.12.Final
• #54413 - Update documentation of ReflectiveClassConditionBuildItem
• #54423 - Fix "Kafka OAuthBearer authentication fails in native mode" again
• #54426 - Injecting test security identity on IO thread is blocking operation
• #54427 - Fix injecting @TestSecurity identity with @RunOnVertxContext
• #54428 - Disambiguate config doc anchors for build-time properties
• #54432 - Fix platform BOM and platform metadata override ordering
• #54436 - Fix: quarkus.rest-client-oidc-filter.refresh-on-unauthorized not respected with multiple @RegisterProvider annotations
• #54443 - Bump the hibernate group across 1 directory with 16 updates
• #54447 - Reset stale Quarkus system properties on reused Gradle worker JVMs
• #54455 - [Kafka Dev UI] Topic message timestamp displayed one month behind actual value
• #54467 - Bump proposed Maven version to 3.9.16
• #54468 - Signals: Receivers - resolve lambda inference ambiguity
• #54470 - Bump org.eclipse.parsson:parsson from 1.1.7 to 1.1.9
• #54473 - Fix Kafka Dev UI message timestamp displaying one month earlier
• #54480 - Lambda fails serialization when returning Record, succeeds when swapped to Object
• #54482 - REST Client + Micrometer: duplicate gauge registration warning for http.client.active.connections on first invocation
• #54484 - Properly support java.lang.Record as Lambda return type
• #54496 - Avoid duplicate gauge warnings for REST Client
• #54497 - Agroal invalid connection metric has the wrong description
• #54499 - Fix wrong description for agroal.invalid.count metric
• #54505 - Bump Maven wrapper to 3.9.16
• #54520 - Add maven distribution sha256 validation
• #54522 - Dev UI Workspace - the scroll is not working anymore
• #54527 - Avoid transfer progress in Quarkus Update commands
• #54531 - Remove superfluous code in dev ui guide
• #54541 - Raggedy alignment on dev UI for new actions links
• #54543 - Undeprecate AbstractQuarkusExtensionTest and make it abstract
• #54544 - Bump version.surefire.plugin from 3.5.4 to 3.5.6
• #54545 - Bump jaxb-runtime.version from 4.0.8 to 4.0.9
• #54553 - Finalize Maven 3.9.16 update
• #54555 - Fix Dev UI Workspace scroll not working
• #54556 - Align Dev UI action links with regular extension links
• #54558 - DataSource leaks after upgrading to Quarkus 3.36.0
• #54560 - Signals: document programmatic Signal creation via Signal.create()
• #54573 - Bump jakarta.json.bind:jakarta.json.bind-api from 3.0.1 to 3.0.2
• #54574 - Bump com.fasterxml.jackson:jackson-bom from 2.21.3 to 2.21.4
• #54577 - Multiple extensions registered a feature of the same name: hibernate-orm-panache
• #54582 - Improve French translation of the Dev UI
• #54587 - [3.36] Fix duplicate feature name when hibernate-panache-next and hibernate-orm-panache coexist
• #54588 - Do not bytecode record the Vert.x service instances
• #54595 - Index additional classes in AWS Lambda extensions
• #54599 - Align MicroProfile Config with SmallRye Config
• #54606 - Bump Agroal to 3.2

• a212f13: [build] Share Selenium Manager cache across CI tests via SE_CACHE_PATH (Titus Fortner)
• c0aedde: [rb] tag integration tests with browser family (#17604) (Titus Fortner) #17604
• 25d50fb: [build] use se-manager tag for driver_finder tests instead of os-sensitive (Titus Fortner)
• 990e7d7: [build] update rbe gating for ruby tests to use the right toggle (Titus Fortner)
• aba540c: [build] use pinned browser and driver for starting grid in python and ruby tests (#17610) (Titus Fortner) #17610
• 925422e: Add logs to Grid to debug downloading files (#17599) (Andrei Solntsev) #17599
• dd6ec2a: [build] delete .skipped-tests entries (#17613) (Titus Fortner) #17613
• 1a85379: [build] Combine Rust build and test CI jobs (#17612) (Titus Fortner) #17612
• f98e870: [rb] Run unit tests as a single Bazel target instead of per-file (#17616) (Titus Fortner) #17616
• 702c97b: [py] retry safaridriver startup in tests (#17615) (Titus Fortner) #17615

• CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
• CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
• CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.
• CVE-2026-XXXXX: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
• CVE-2026-XXXXX: request smuggling in io.netty:netty-codec-http.
• CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
• CVE-2026-XXXXX: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
• CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.
• CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).
• CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
• CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).
• CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).
• CVE-2026-47244: denial of service in io.netty:netty-codec-http2.
• CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

• Auto-port 4.1: MQTT: Allow MQTT 5 CONNECT with password only by @netty-project-bot in https://github.com/netty/netty/pull/16834
• ChannelInitializer: correct misleading comment on exceptionCaught route by @daguimu in https://github.com/netty/netty/pull/16847
• HTTP/2: Parse request-target path like Vert.x (4.1 backport) by @yawkat in https://github.com/netty/netty/pull/16856
• HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted by @normanmaurer in https://github.com/netty/netty/pull/16861
• IpSubnetFilter: Correctly handle ipv6 by @normanmaurer in https://github.com/netty/netty/pull/16860
• Configurable bound on RedisArrayAggregator by @normanmaurer in https://github.com/netty/netty/pull/16858
• Redis: Limit decoded length by @normanmaurer in https://github.com/netty/netty/pull/16859
• DNS: Ensure query id is not predictible by @normanmaurer in https://github.com/netty/netty/pull/16870
• Wrapping plain trust manager silently disables hostname verification by @normanmaurer in https://github.com/netty/netty/pull/16868
• MQTT: Reject malformed no-payload packets with non-zero Remaining Length by @daguimu in https://github.com/netty/netty/pull/16852
• Fix revapi warnings (#16885) by @chrisvest in https://github.com/netty/netty/pull/16892
• HAProxy: Reject HAProxyMessages with malformated TLV and not leak memory by @normanmaurer in https://github.com/netty/netty/pull/16866
• SSL: Use sane defaults as limits for the client hello length and timeout by @normanmaurer in https://github.com/netty/netty/pull/16871
• DNS: Only cache CNAME if part of the queried domain by @normanmaurer in https://github.com/netty/netty/pull/16873
• HTTP/2: Enforce max concurrent streams for misbehaving clients by @normanmaurer in https://github.com/netty/netty/pull/16876
• Dns: Insufficient Bailiwick Validation for NS Records by @normanmaurer in https://github.com/netty/netty/pull/16877
• HTTP2: DelegatingDecompressorFrameListener must release memory in all cases by @normanmaurer in https://github.com/netty/netty/pull/16880
• Pass maxAllocation to Brotli and Zstd decoders (#16844) by @chrisvest in https://github.com/netty/netty/pull/16886
• HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory by @normanmaurer in https://github.com/netty/netty/pull/16883
• Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by @netty-project-bot in https://github.com/netty/netty/pull/16894
• HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs by @normanmaurer in https://github.com/netty/netty/pull/16881
• Epoll / Kqueue: Correctly handle receive of FD by @normanmaurer in https://github.com/netty/netty/pull/16872
• SCTP: Limit the number of inflight incomplete SCTP messages and the number of fragments by @normanmaurer in https://github.com/netty/netty/pull/16875
• Redis: Correctly release incomplete message on removal when using RedisArrayAggregator by @normanmaurer in https://github.com/netty/netty/pull/16878
• Redis: Limit the maximum number of nested arrays by @normanmaurer in https://github.com/netty/netty/pull/16882

Full Changelog: https://github.com/netty/netty/compare/netty-4.1.134.Final...netty-4.1.135.Final

Full Changelog: https://github.com/Activiti/Activiti/compare/7.21.0-rc.310...7.21.0-rc.311

• CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
• CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
• CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.
• CVE-2026-XXXXX: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-XXXXX: information disclosure and denial of service in io.netty:netty-codec-classes-quic.
• CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
• CVE-2026-XXXXX: request smuggling in io.netty:netty-codec-http.
• CVE-2026-44892: memory exhaustion in io.netty:netty-codec-http3 (high).
• CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
• CVE-2026-44894: traffic amplification in io.netty:netty-codec-classes-quic (high).
• CVE-2026-XXXXX: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
• CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.
• CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).
• CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
• CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).
• CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).
• CVE-2026-47244: denial of service in io.netty:netty-codec-http2.
• CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-48748: memory exhaustion in io.netty:netty-codec-http3 (high).
• CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

• Fix race in io.netty.channel.uring.IoUringIoHandler.wakeup by @dreamlike-ocean in https://github.com/netty/netty/pull/16836
• HTTP/2: Parse request-target path like Vert.x by @yawkat in https://github.com/netty/netty/pull/16810
• Auto-port 4.2: ChannelInitializer: correct misleading comment on exceptionCaught route by @netty-project-bot in https://github.com/netty/netty/pull/16853
• FlowControlHandler: Suppress duplicate channelReadComplete after draining queue (#15053) by @schiemon in https://github.com/netty/netty/pull/16837
• Pass maxAllocation to Brotli and Zstd decoders by @fedinskiy in https://github.com/netty/netty/pull/16844
• Fix revapi warnings by @chrisvest in https://github.com/netty/netty/pull/16885
• Fix SCTP and Redis tests by @chrisvest in https://github.com/netty/netty/pull/16893
• Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by @skyguard1 in https://github.com/netty/netty/pull/16850
• Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remaining Length by @netty-project-bot in https://github.com/netty/netty/pull/16890

• @schiemon made their first contribution in https://github.com/netty/netty/pull/16837
• @fedinskiy made their first contribution in https://github.com/netty/netty/pull/16844

Full Changelog: https://github.com/netty/netty/compare/netty-4.2.14.Final...netty-4.2.15.Final

Full Changelog: https://github.com/Activiti/Activiti/compare/7.21.0-rc.309...7.21.0-rc.310

• a1e0af7: [rb] add driver finder tests to use selenium manager when applicable (#17597) (Titus Fortner) #17597
• b02c5f2: [build] allow ruby and python to run remote tests on windows (#17603) (Titus Fortner) #17603
• 2279f8e: [build] allow bazel workflow to pass when rerun step is successful (Titus Fortner)
• 7b17d22: [rb] update test guards (Titus Fortner)
• 6a68466: [py] Scope py_test_suite shared library to support files only (#17600) (David Burns) #17600
• 33365ce: [java][BiDi] add clearListners via browsingContextIds for inspectors (#17376) (Swastik Baranwal) #17376
• fac1942: [py] Extract actions subpackage into //py:common_actions (#17605) (David Burns) #17605
• 2eaf118: [rust] Switch reqwest TLS backend from aws-lc-rs to ring (#17589) (David Burns) #17589
• e4eac88: [py] Extract feature-specific modules from //py:common (#17606) (David Burns) #17606