
Bump net.snowflake:snowflake-jdbc from 4.3.0 to 4.3.1 #6035

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/maven/net.snowflake-snowflake-jdbc-4.3.1

dependabot[bot] commented on behalf of github on Jun 17, 2026

Bumps net.snowflake:snowflake-jdbc from 4.3.0 to 4.3.1.

Release notes

Sourced from net.snowflake:snowflake-jdbc's releases.

v4.3.1

Changelog

Sourced from net.snowflake:snowflake-jdbc's changelog.

For all official JDBC Release Notes please refer to https://docs.snowflake.com/en/release-notes/clients-drivers/jdbc

Changelog

  • v4.3.2-SNAPSHOT

  • v4.3.1

    • Fixed GCS-backed internal stage PUT failing with opaque invalid_gcs_credentials in SPCS pods on GCP: the GCS SDK's Application Default Credentials (ADC) probe was reaching out to metadata.google.internal which is unreachable inside SPCS; explicit credentials are now always set when a GCS_ACCESS_TOKEN is present, suppressing the ADC probe entirely. Also fixed GCSAccessStrategyAwsSdk rejecting custom GCS endpoints that lack an https:// scheme prefix (e.g. bare storage.me-central2.rep.googleapis.com), mirroring the existing handling in GCSDefaultAccessStrategy. The catch-all in setupGCSClientsnowflakedb/snowflake-jdbc#2664
    • Fixed Azure PUT memory leak where each PUT instantiated a fresh BlobServiceClient whose underlying reactor-netty stack the SDK exposes no API to release; the Azure SDK HttpClient and its ConnectionProvidersnowflakedb/snowflake-jdbc#2658
    • Fixed SFResultJsonParser2Failed: invalid escaped unicode character when a chunked JSON result contained UTF-16 surrogate-pair \u escapes (e.g. emoji) and the read buffer happened to split exactly 9 bytes after \u; the off-by-one boundary guard in ResultJsonParserV2snowflakedb/snowflake-jdbc#2660
    • Fixed (by removing) stale com.amazonaws.util.Base16/Base64 bytecode references from the shaded JAR by excluding dead SFBinary and SFBinaryFormat classes from the bundled snowflake-common artifact. Security scanners should no longer flag snowflake-jdbc-thinsnowflakedb/snowflake-jdbc#2665
    • snowflakedb/snowflake-jdbc#2663
  • v4.3.0

    • Bumped AWS SDK from 2.37.5 to 2.45.1, which transitively brings netty up to 4.1.133.Final and resolves a cluster of High/Medium netty CVEs (HTTP request smuggling, CRLF injection, data amplification, resource allocation) flagged by Snyk against netty-nio-client in thin_public_pom.xmlsnowflakedb/snowflake-jdbc#2654
    • Bumped jackson to 2.18.7 to address two High-severity resource-exhaustion CVEs in jackson-core 2.18.4.1, and added a .snyk policy file with justified ignores for the dual-licensed javax.servlet-api / javax.annotation-api findings and the tika-core XXE (SNYK-JAVA-ORGAPACHETIKA-14188255snowflakedb/snowflake-jdbc#2654
    • Fixed OAuth token requests sending scope=session:role:null when no scope is configured (or scope is empty/blank); the scopesnowflakedb/snowflake-jdbc#2646
    • Fixed Okta native SSO federated login sending malformed JSON to /api/v1/authn (HTTP 400 from Okta) when the username or password contained JSON-special characters such as double quotes or backslashes; the request body is now serialized with Jackson instead of string concatenation.
    • Added one in-band telemetry record per successful login describing which connection-identifier fields the user supplied (account_provided, account_with_region, account_org_provided, region_provided, host_provided). No hostname or account value is included. This is gated by the existing server-side CLIENT_TELEMETRY_ENABLED parameter and can additionally be disabled locally by setting SF_TELEMETRY_DISABLE_CONNECTION_SHAPE=true. The telemetry collection is time-boxed and will be removed in a future release.
    • Fixed Connection.isValid() silently swallowing thread interruption: when the underlying heartbeat is interrupted, the connection's interrupt flag is now restored via Thread.currentThread().interrupt()snowflakedb/snowflake-jdbc#2314
    • Fixed non-retryable HTTP 400 response bodies always being logged as "Failed to read content due to exception: Attempted read from closed stream". The response entity is now buffered before RestRequest#checkForDPoPNonceError and SnowflakeUtil#logResponseDetailssnowflakedb/snowflake-jdbc#2631
    • snowflakedb/snowflake-jdbc#2623
    • Fixed path traversal via server-controlled filenames in SnowflakeFileTransferAgentsnowflakedb/snowflake-jdbc#2622
    • Further changes regarding auto-configuration (jdbc:snowflake:autosnowflakedb/snowflake-jdbc#2625
      • Fixed bug leading to 'Connection property specified more than once: DB' error, when both connections.toml (database) and JDBC URL (db) defined database
      • Enhancement: now parameters passed as Properties() are also considered when building connection. For conflicting items defined in multiple places, priority is: Properties > JDBC URL > connections.toml
      • Enhancement (supportability): added provenance tracking for config keys and log them once per connection on debug level
    • snowflakedb/snowflake-jdbc#2617
    • Fixed auto-config debug log messages (provenance, TOML parsing) not appearing in client_config_filesnowflakedb/snowflake-jdbc#2632
    • The AWS S3 client now reuses a per-session shared Netty SdkEventLoopGroup, torn down once at session close, eliminating Netty's 2 s shutdownGracefullysnowflakedb/snowflake-jdbc#2620
    • snowflakedb/snowflake-jdbc#2655
    • Fixed inverted null check in CredentialManager.updateInputWithTokenAndPublicKeysnowflakedb/snowflake-jdbc#2650
    • Fixed Connection.setCatalog and Connection.setSchema producing malformed SQL (or switching to an unintended database/schema) when the supplied name contained an embedded " character; the name is now escaped per the SQL-standard quoted-identifier rule before being interpolated into the USEsnowflakedb/snowflake-jdbc#2651
    • Switched AWS Workload Identity Federation attestation from a SigV4-presigned GetCallerIdentity request to STS GetWebIdentityTokensnowflakedb/snowflake-jdbc#2653
  • v4.2.0

    • Extended the SKIP_TOKEN_FILE_PERMISSIONS_VERIFICATION environment variable to also bypass permission verification on the connections.toml config file and on the credential cache file (credential_cache_v1.jsonsnowflakedb/snowflake-jdbc#2614
    • Fixed NPE in RestRequest.sendIBHttpErrorEvent when SFSession.getTelemetryClient() returns null because the session URL is not yet set; a NoOpTelemetryClientsnowflakedb/snowflake-jdbc#2610
    • Added support for attaching the SPCS service-identifier token (SPCS_TOKEN) to login requests when the driver is running inside an SPCS container (gated on the SNOWFLAKE_RUNNING_INSIDE_SPCS environment variable; token read from /snowflake/session/spcs_tokensnowflakedb/snowflake-jdbc#2603
    • Added libc family and version detection (LIBC_FAMILY, LIBC_VERSION) to the CLIENT_ENVIRONMENTsnowflakedb/snowflake-jdbc#2596
    • Fixed NPE in SFTrustManager.validateRevocationStatusMain when the OCSP cache contains a non-SUCCESSFUL response (e.g. unauthorized(6)); the response is now surfaced as an SFOCSPExceptionsnowflakedb/snowflake-jdbc#2597
    • snowflakedb/snowflake-jdbc#2586
      • GCP WIF attestation now uses hostname metadata.google.internal instead of the IPv4 link-local address.
      • EC2 instance detection probes the IPv4 and IPv6 IMDS endpoints ([fd00:ec2::254]) in parallel so detection succeeds on IPv6-only instances without doubling the detection budget on dual-stack hosts.
    • Added enableCopyResultSet connection property (default false): when true, Statement.execute() exposes the COPY INTO per-file metadata result set via getResultSet()snowflakedb/snowflake-jdbc#2592
    • snowflakedb/snowflake-jdbc#2578
    • snowflakedb/snowflake-jdbc#2572
    • snowflakedb/snowflake-jdbc#2591
      • now defaulting to port 443 instead of 80 when neither port nor protocol is specified
      • config coming from the JDBC connection string are no longer ignored when auto-configuration sourced items also present (when both present, direct connection config takes precedence)
    • snowflakedb/snowflake-jdbc#2585

... (truncated)

Commits
  • bc576f7 NO-SNOW: Bump version to 4.3.1 (#2667)
  • f108dbd SNOW-3643369: Always set explicit GCS credentials to prevent ADC probe in SPC...
  • dd2181a SNOW-3643336: Exclude stale SFBinary from snowflake-common shade to remove AW...
  • 62e328f NO-SNOW: bump grpc-java to 1.82.0 (#2663)
  • 4993be9 SNOW-3619741: Fix Azure memory leak on PUT requests by caching underlying Net...
  • 08fe7c9 NO-SNOW: loosen NONEXISTENTTABLE async error assertion to a prefix match (#2661)
  • bfb1c86 SNOW-3630146: Fix ResultJsonParserV2 off-by-one for \u surrogate pairs (#2660)
  • 992ec61 NO_SNOW: Probers cleanup (#2649)
  • b2e026d NO-SNOW: Bump to new 4.3.1-SNAPSHOT version (#2659)
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [net.snowflake:snowflake-jdbc](https://github.com/snowflakedb/snowflake-jdbc) from 4.3.0 to 4.3.1.
- [Release notes](https://github.com/snowflakedb/snowflake-jdbc/releases)
- [Changelog](https://github.com/snowflakedb/snowflake-jdbc/blob/master/CHANGELOG.md)
- [Commits](snowflakedb/snowflake-jdbc@v4.3.0...v4.3.1)

---
updated-dependencies:
- dependency-name: net.snowflake:snowflake-jdbc
  dependency-version: 4.3.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>