JDK 27 Enters Rampdown Phase One, JDK 28 Expert Group Formed
JDK 27 officially entered Rampdown Phase One, marking the point where the main-line source repository has been forked to the stabilisation repository and no additional JEPs will be accepted for this release. The feature set is locked to nine JEPs, including JEP 538 (PEM Encodings of Cryptographic Objects, third preview), which was elevated to Targeted status this week. JDK 27 Build 25 is also available for testing, incorporating the accumulated fixes from the rampdown period.
On the JDK 28 front, JSR 403 was formally approved with a four-member expert group: Iris Clark (Oracle, specification lead), Simon Ritter (Azul Systems), Stephan Herrmann (Eclipse Foundation), and Christoph Langer (SAP SE). Early-access builds JDK 28 Build 0 and Build 1 are already available for developers who want to track early language or library experiments. The public review period is scheduled for December 2026 through February 2027, with a GA release targeting March 2027. For teams running Java in regulated or long-support environments, the formation of a diverse expert group early in the cycle signals a healthy standards process for the next feature release.
Read more — InfoQ
GlassFish 8.0.3: Faster Embedded Startup and Doubled Rendering Speed
GlassFish 8.0.3 delivers targeted performance improvements alongside a security fix. Embedded GlassFish startup time is measurably faster, benefiting test suites and containerised deployments that instantiate the server programmatically. More significantly, Jakarta Faces rendering performance improved by a factor of two, a meaningful gain for applications with heavy server-side rendering workloads.
On the security side, 8.0.3 resolves CVE-2024-9342, which affected brute-force authentication attacks against the Admin Console and REST API. Teams running earlier 8.0.x releases should treat this as a recommended upgrade given the authentication vulnerability.
For testing workflows, the GlassFish Arquillian Connectors Suite 2.2.0 was released alongside it. The suite eliminates Jakarta EE TCK overhead by sharing a pre-started GlassFish instance pool across test runs, reducing completion time from hours to minutes on full TCK passes. This is particularly relevant for library and framework maintainers who regularly verify Jakarta EE compliance.
Read more — InfoQ
Infinispan 16.2.0, Kotlin 2.4.0, and Micronaut 5 Security Patches
Infinispan 16.2.0, codename "Arctic Panzer Wolf", expands the Redis Serialization Protocol (RESP) command surface with BITFIELD, DELEX, COPY, DIGEST, and others, improving compatibility for clients using Infinispan as a Redis-protocol data grid. Notably, this release adds a suite of probabilistic data structure classes — BloomFilter, CuckooFilter, CountMinSketch, TopK, and HyperLogLog — giving Java applications native access to efficient large-scale cardinality estimation and membership testing without external dependencies. Unified PEM certificate configuration with auto-detection also simplifies TLS setup for cluster communication.
Kotlin 2.4.0 enables JDK 26 support and turns on incremental compilation by default, which should noticeably reduce recompilation times in large mixed Kotlin/Java projects. For teams targeting the browser or edge, the WebAssembly Component Model is now supported in Kotlin/Wasm, and the Kotlin/JavaScript target gains ES2015 feature support along with the ability to export value classes.
Micronaut Framework 5.0.1 and 5.0.2 are patch releases addressing two security vulnerabilities: GHSA-387m-935m-c4vw (infinite redirect loops) and GHSA-q6gh-6v2r-hjv3 (sensitive header forwarding on cross-origin redirects). The Netty dependency is upgraded to 4.2.15, resolving several upstream CVEs. Teams on 5.0.0 should apply these patches promptly, particularly if their Micronaut services proxy cross-origin requests or handle untrusted redirect chains.
Read more — InfoQ
