Bump jetty-server from 9.4.48.v20220622 to 10.0.10 #6184

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Jul 7, 2022

Bumps jetty-server from 9.4.48.v20220622 to 10.0.10.

Release notes

Sourced from jetty-server's releases.

10.0.10

Special Thanks to the following Eclipse Jetty community members

Changelog

  • #8136 - Cherry-pick of Improvements to PathSpec for Jetty 10.0.x
  • #8134 - Improve cleanup of deflater/inflater pools for PerMessageDeflateExtension
  • #8088 - Add option to configure exitVm on ShutdownMonitor from System properties
  • #8067 - Wall time usage in DoSFilter RateTracker results in false positive alert
  • #8057 - Support Http Response 103 (Early Hints)
  • #8014 - Review HttpRequest URI construction
  • #8008 - Add compliance mode for LEGACY multipart parser in Jetty 10+
  • #7994 - Ability to construct a detached client Request
  • #7981 - Add TRANSFER_ENCODING violation for MultiPart RFC7578 parser. (#7976)
  • #7977 - UpgradeHttpServletRequest.setAttribute & UpgradeHttpServletRequest.removeAttribute can throw NullPointerException
  • #7975 - ForwardedRequestCustomizer setters do not clear existing handlers
  • #7953 - Fix StatisticsHandler in the case a Handler throws exception.
  • #7935 - Review HTTP/2 error handling
  • #7929 - Correct requestlog formatString commented default (@​prenagha)
  • #7924 - Fix a typo in Javadoc (@​jianglai)
  • #7918 - PathMappings.asPathSpec does not allow root ServletPathSpec
  • #7891 - Better Servlet PathMappings for Regex
  • #7880 - DefaultServlet should not overwrite programmatically configured precompressed formats with defaults (@​markslater)
  • #7863 - Default servlet drops first accept-encoding header if there is more than one. (@​markslater)
  • #7858 - GZipHandler does not play nice with other handlers in HandlerCollection
  • #7818 - Modifying of HTTP headers in HttpChannel.Listener#onResponseBegin is no longer possible with Jetty 10
  • #7808 - Jetty 10.0.x 7801 duplicate set session cookie
  • #7802 - HTTP/3 QPACK - do not expect section ack for zero required insert count
  • #7754 - jetty.sh ignores JAVA_OPTIONS environment variable
  • #7748 - Allow overriding of url-pattern mapping in ServletContextHandler to allow for regex or uri-template matching
  • #7635 - QPACK decoder should fail connection if the encoder blocks more than SETTINGS_QPACK_BLOCKED_STREAMS
  • #4414 - GZipHandler not excluding inflation for specified paths
  • #1771 - Add module for SecuredRedirect support

Dependencies

  • #8083 - Bump asciidoctorj to 2.5.4
  • #8077 - Bump asciidoctorj-diagram to 2.2.3
  • #7839 - Bump asm.version to 9.3
  • #8142 - Bump biz.aQute.bndlib to 6.3.1
  • #8075 - Bump checkstyle to 10.3
  • #8056 - Bump error_prone_annotations to 2.14.0
  • #8109 - Bump google-cloud-datastore to 2.7.0
  • #8100 - Bump grpc-core to 1.47.0
  • #7987 - Bump hawtio-default to 2.15.0

... (truncated)

Commits
  • de73e94 Updating to version 10.0.10
  • 1b4f941 RegexPathSpec documentation and MatchedPath improvements (#8163)
  • 1f902f6 Disable H3 tests by default with a system property to explicitly enable them ...
  • 7cc461b Fixing javadoc build errors (#8173)
  • d63569d Migrate code from jetty-util Logger to slf4j Logger (#8162)
  • 66de7ba Improve ssl buffers handling (#8165)
  • 0699bc5 Use static exceptions for closing websocket flushers and in ContentProducer (...
  • b1c19c0 Merge pull request #8134 from eclipse/jetty-10.0.x-websocketPermessageDeflate...
  • 23948f1 no more profile IT tests runs per default (#8138)
  • 0d13cbe change-dependabot-interval-to-monthly (#8140)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [jetty-server](https://github.com/eclipse/jetty.project) from 9.4.48.v20220622 to 10.0.10.
- [Release notes](https://github.com/eclipse/jetty.project/releases)
- [Commits](jetty/jetty.project@jetty-9.4.48.v20220622...jetty-10.0.10)

---
updated-dependencies:
- dependency-name: org.eclipse.jetty:jetty-server
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added the dependencies and java labels on Jul 7, 2022

@exceptionfactory
Contributor

CVE-2022-2191 does not impact Jetty 9. See discussion on Jetty issue 8181 for further details.

@dependabot @github
Contributor Author

dependabot bot commented on behalf of github Jul 8, 2022

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot bot deleted the dependabot/maven/org.eclipse.jetty-jetty-server-10.0.10 branch July 8, 2022 14:01
@joakime

joakime commented Jul 11, 2022

See prior comments about version range, and jetty managed advisory (the master database at github has not been updated yet):

Also, Jetty 9.4.x is now at End of Community Support, you are strongly encouraged to upgrade to Jetty 10+ as soon as possible.

See:

@exceptionfactory
Contributor

Thanks for the feedback @joakime! NiFi currently supports Java 8, but NIFI-10147 outlines plans to remove support for Java 8 in order to upgrade multiple dependencies, including Jetty.
