Bump com.mchange:c3p0 from 0.13.0 to 0.14.1 #563

Merged: github-actions[bot] merged 1 commit into master from dependabot/maven/com.mchange-c3p0-0.14.0 on Jun 12, 2026

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 8, 2026


Bumps com.mchange:c3p0 from 0.13.0 to 0.14.1.

Changelog

Sourced from com.mchange:c3p0's changelog.

c3p0-0.14.1
  -- Modify c3p0 to use new BeanInfoGen functionality, restoring compatibility with Java [7,11).
  -- Modify BeanInfoGen to (optionally but by default) cache descriptors rather than regenerating for each call to an introspection method.
  -- Modify BeanInfoGen to log items skipped from descriptors due to API incompatibility.
  -- Modify BeanInfoGen to generate BeanInfo classes in which properties/events/methods that existed in the JVM under which they were generated and built, but do not exist under the runtime JVM are tolerated, simply omitted at runtime from BeanInfo descriptors. This fixes compatibility with Java environments before Java 11, under whose API c3p0 and mchange-commons-java are currently built. (Thanks to Vlad Skarzhevskyy, @skarzhevskyy on GitHub, for calling attention to this issue.)

c3p0-0.14.0
  -- Update to mill 1.1.6 and fix broken support for reproducible builds via the SOURCE_DATE_EPOCH environment variable.
  -- Generate explicit BeanInfo classes for c3p0-defined concrete DataSource and ConnectionPoolDataSource implementations, which exclude "connection" and/or "pooledConnection" from introspected bean properties, in order to preclude attacks such as those described here: https://mogwailabs.de/en/blog/2023/04/look-mama-no-templatesimpl/
  -- Enforce a deterministic ordering on methods produced by the code generator DelegatorGenerator, in order to keep builds including such generated classes reproducible. (mchange-commons-java and c3p0 subclass)
  -- Define BeanInfoGen, a code-generation utility that defines explicit BeanInfo classes for what otherwise would have been introspected via JavaBean naming conventions, but that permits properties to be excluded from such introspection. (mchange-commons-java)
  -- JavaBeanObjectFactory now enforces a whitelist of classes it is willing to construct from References that call upon it. That whitelist is defined by new config parameter com.mchange.v2.naming.referenceableJavaBeanClassWhitelist (mchange-commons-java)
  -- Define false-biased config security key com.mchange.v2.naming.allowIndirectSerializationViaReference, disabling by default indirect serialization/deserialization of Referenceable but otherwise not serializable objects by serializing their references. This is a clever mechanism, but rarely used, and a place where attackers might smuggle a malicious reference. (mchange-commons-java)

c3p0-0.13.0
  -- Ensure sessions are marked as endRequest() is called prior to check-in, to eliminate race between DBMS cleanup and checkout by a new client. Thanks Krrish (ota0912 on github).
  -- Take generic JavaBeanObjectFactory out of the whitelist of object factories, com.mchange.v2.naming.objectFactoryWhitelist, mchange-commons-java ReferenceableUtils is willing to dereference. Only C3P0JavaBeanObjectFactory should be used.
  -- Modify C3P0JavaBeanObjectFactory to use C3P0JavaBeanReferencePropertyOverrider.
  -- Modify the JavaBeanReferenceMaker employed by c3p0 beans to use C3P0JavaBeanReferencePropertyOverrider
  -- Define C3P0JavaBeanReferencePropertyOverrider, supporting the serialization and deserialization of user-defined config key value pairs (the 'extensions' property)
  -- Add support for extensions, in the form of JavaBeanReferencePropertyOverrider, that allow javax.naming.Referenceable JavaBeans that include non-String, non-coerceable-to-string, non-SecurelyStringifiable properties to use some custom serialization to a Reference. Add support both the JavaBeanReferenceMaker and JavaBeanObjectFactory for supporting such extensions.
  -- Replace with a CSV format internal use of Java serialization by JavaBeanObjectFactory and JavaBeanReferenceMaker when tracking reference properties. [in mchange-commons-java]
  -- Eliminate support for decoding BinaryRefAddrs via Java (de)serialization in JavaBeanObjectFactory. The capability still exists, but one must explicitly extend JavaBeanObjectFactory in order to support it. No existing classes in

... (truncated)

Commits
  • 9084ab6 Update versions for mchange-commons-java 0.6.1, c3p0-0.14.1 final.
  • 6579705 Add release notes for 0.14.1, update CHANGELOG.
  • 8b58820 Use new functionality in BeanInfoGen, don't suppress caching (ie cache BeanIn...
  • 993b9c2 Bump version to 0.14.1-SNAPSHOT, mchange-commons-java version to 0.6.1-SNAPSHOT.
  • 931fd53 Update test console scala version, versions for mchange-commons-java 0.6.0 fi...
  • 76cff33 Extremely minor tweaks to tests.
  • d35e3b1 Wrote release notes for 0.14.0.
  • 50c128a Update CHANGELOG for 0.14.0, README.md fixes.
  • d7ae528 Update README.md to track changes to the test.runClasspath task, when explain...
  • 2607761 Update README.md for 0.14.0, add to brief note re security fixes, describe re...
  • Additional commits viewable in compare view
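
The 0.14.0 changelog entry quoted above describes explicit BeanInfo classes that leave "connection" out of the introspected bean properties. As an added illustration (not c3p0 or mchange-commons-java code; every class name below is hypothetical), this shows the underlying `java.beans` mechanism: a companion `<Bean>BeanInfo` class replaces getter-based discovery, so a getter it does not list is no longer published as a property.

```java
import java.beans.BeanInfo;
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.beans.SimpleBeanInfo;
import java.util.Set;
import java.util.TreeSet;

// Hypothetical classes for illustration only; none of this is c3p0 code.
public class BeanInfoExclusionDemo {

    // No companion BeanInfo: every public getter is discovered as a property.
    public static class IntrospectedPool {
        private int maxPoolSize = 15;
        public int getMaxPoolSize() { return maxPoolSize; }
        public void setMaxPoolSize(int n) { maxPoolSize = n; }
        // Stand-in for a getter with side effects that should stay hidden.
        public Object getConnection() { throw new IllegalStateException("getter invoked"); }
    }

    // Inherits the same getters, but has a companion GuardedPoolBeanInfo.
    public static class GuardedPool extends IntrospectedPool {}

    // Found by Introspector through the "<BeanClass>BeanInfo" naming convention.
    // Returning a non-null array makes this list authoritative for the bean.
    public static class GuardedPoolBeanInfo extends SimpleBeanInfo {
        @Override public PropertyDescriptor[] getPropertyDescriptors() {
            try {
                return new PropertyDescriptor[] {
                    new PropertyDescriptor("maxPoolSize", GuardedPool.class)
                };
            } catch (IntrospectionException e) {
                throw new IllegalStateException(e);
            }
        }
    }

    // Property names that generic bean tooling would see for a class.
    static Set<String> propertyNames(Class<?> beanClass) throws IntrospectionException {
        Set<String> names = new TreeSet<>();
        BeanInfo info = Introspector.getBeanInfo(beanClass);
        for (PropertyDescriptor pd : info.getPropertyDescriptors()) names.add(pd.getName());
        return names;
    }

    public static void main(String[] args) throws IntrospectionException {
        System.out.println("introspected: " + propertyNames(IntrospectedPool.class));
        System.out.println("guarded:      " + propertyNames(GuardedPool.class));
    }
}
```

Only the bean without a companion BeanInfo reports `connection`; the guarded bean publishes `maxPoolSize` alone, even though the getter is still present on the class.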

dependabot[bot] added the dependencies (Pull requests that update a dependency file) and java (Pull requests that update Java code) labels on Jun 8, 2026
github-actions[bot] enabled auto-merge on June 8, 2026 at 10:53
rzo1 commented Jun 12, 2026

Collaborator

@dependabot rebase

Bumps [com.mchange:c3p0](https://github.com/swaldman/c3p0) from 0.13.0 to 0.14.1.
- [Changelog](https://github.com/swaldman/c3p0/blob/0.14.x/CHANGELOG)
- [Commits](swaldman/c3p0@v0.13.0...v0.14.1)

---
updated-dependencies:
- dependency-name: com.mchange:c3p0
  dependency-version: 0.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] changed the title from "Bump com.mchange:c3p0 from 0.13.0 to 0.14.0" to "Bump com.mchange:c3p0 from 0.13.0 to 0.14.1" on Jun 12, 2026
dependabot[bot] force-pushed the dependabot/maven/com.mchange-c3p0-0.14.0 branch from 7928717 to 8a96d49 on June 12, 2026 at 13:02
github-actions[bot] merged commit 0e22ed4 into master on Jun 12, 2026
2 checks passed
dependabot[bot] deleted the dependabot/maven/com.mchange-c3p0-0.14.0 branch on June 12, 2026 at 13:04