What's Changed
- CVE-2026-27903 CVE-2026-27904 CVE-2026-26996 UI: update grunt to 1.6.2 to address vulnerabilities by @maximthomas in #174
- CVE-2025-58057 unbounded memory allocation in Netty's BrotliDecoder allows OOM via zip-bomb by @maximthomas in #176
- CVE-2025-7962 Jakarta Mail vulnerable to SMTP Injection (#1005) by @dependabot[bot] in #175
- [OpenIdentityPlatform/OpenAM#980] import jackson-bom to resolve ambiguous jackson versions by @maximthomas in #177
- import bc-jdk18on-bom to resolve ambiguous bouncycastle versions by @maximthomas in #178
- Retry external artifact downloads on transient network failures by @Copilot in #179
- Bump GitHub Actions to latest major versions by @Copilot in #180
- Rhino: migrate from servicemix to mozilla by @maximthomas in #181
- CVE-2026-45536 CVE-2026-45416 CVE-2026-44249 Netty: Unix-socket fd receive leaks descriptors when peer sends two at once Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking by @vharseko in #182
- Fix field projection collapsing nested JsonPointers to leaf names by @vharseko in #183
Full Changelog: 3.1.0...3.1.1