Improvements

• Support customizing BootstrapServiceRegistryBuilder (#3244)

Dependency updates

• Bump hibernate-validator from 6.1.2.Final to 6.1.3.Final (#3249)
• Bump jetty.version from 9.4.27.v20200227 to 9.4.28.v20200408 (#3250)
• Bump junit5.version from 5.6.1 to 5.6.2 (#3247, #3248)
• Bump maven-shade-plugin from 3.2.2 to 3.2.3 (#3252)
• Bump sphinx from 3.0.0 to 3.0.1 in /docs (#3242)

Dependency updates

• Upgrade to Jackson 2.9.10.20200411 (#3246)

Improvements

• Configure metrics event listener to track filters (#3236)

Dependency updates

• Bump bcprov-jdk15on from 1.64 to 1.65 (#3232)
• Bump hibernate-core from 5.4.13.Final to 5.4.14.Final (#3234)
• Bump liquibase-core from 3.8.8 to 3.8.9 (#3237)
• Bump metrics-bom from 4.1.5 to 4.1.6 (#3241)
• Bump sphinx from 2.4.4 to 3.0.0 in /docs (#3230)
• Bump sphinx-maven-plugin from 2.7.0 to 2.9.0 (#3231)
• Bump tomcat-jdbc from 9.0.33 to 9.0.34 (#3238)

Assorted

• Fix site URL in distributionManagement
• Replace global dropwizard.version property (#3240)

Security

• Upgrade to SnakeYAML to address CVE-2017-18640 (#3223, #3227, FasterXML/jackson-dataformats-text#187)

Security

• Upgrade to SnakeYAML 1.26 to address CVE-2017-18640 (#3223, #3228, FasterXML/jackson-dataformats-text#187)

Dependency updates

• Bump byte-buddy from 1.10.8 to 1.10.9 (#3220)
• Bump checker-qual from 3.2.0 to 3.3.0 (#3224)
• Bump sphinx-maven-plugin from 2.6.0 to 2.7.0 (#3219)

Documentation

• Fix typo in flattenMdc field name (#3222)

Dependency updates

• Bump commons-lang3 from 3.9 to 3.10 (#3218)
• Bump conscrypt-openjdk-uber from 2.1.0 to 2.4.0 (#3211)
• Bump hibernate-core from 5.4.12.Final to 5.4.13.Final (#3217)

Assorted

• Fix dependency scopes in dropwizard-testing (#3215)
• Make it easier to inherit from dropwizard-parent (#3216)

Bug fixes

• Remove dependency on HK2 BOM (#3212, #3213, eclipse-ee4j/glassfish-hk2#502)

Documentation

• Remove release notes for change which went into 2.0.x (#3139, #3142, #3214)

Security

• Disable message interpolation in ConstraintViolations by default (#3208)

Bug fixes

• Executor metrics shouldn't contain fmt string (#3142)
• Expose JmxReporter in Bootstrap (#3156)
• Fix FreeMarker "incompatible improvements" error logs (#3198)
• Fix regression in AbstractParam handling (#3163)

Dependency updates

• Bump checker-qual from 3.1.1 to 3.2.0 (#3178)
• Bump freemarker from 2.3.29 to 2.3.30 (#3182)
• Bump httpclient from 4.5.11 to 4.5.12 (#3183)
• Bump jackson-bom from 2.10.2.20200130 to 2.10.3 (#3179)
• Bump jakarta.activation-api from 1.2.1 to 1.2.2 (#3161)
• Bump jakarta.xml.bind-api from 2.3.2 to 2.3.3 (#3175)
• Bump javassist from 3.26.0-GA to 3.27.0-GA (#3199)
• Bump jersey-bom from 2.30 to 2.30.1 (#3165)
• Bump jetty-setuid-java from 1.0.3 to 1.0.4 (#3172)
• Bump jetty.version from 9.4.26.v20200117 to 9.4.27.v20200227 (#3176)
• Bump junit-jupiter from 5.6.0 to 5.6.1 (#3203)
• Bump junit5.version from 5.6.0 to 5.6.1 (#3204)
• Bump liquibase-core from 3.8.6 to 3.8.7 (#3170)
• Bump liquibase-core from 3.8.7 to 3.8.8 (#3200)
• Bump maven-javadoc-plugin from 3.1.1 to 3.2.0 (#3194)
• Bump maven-site-plugin from 3.8.2 to 3.9.0 (#3190)
• Bump metrics-bom from 4.1.2 to 4.1.3 (#3169)
• Bump metrics-bom from 4.1.3 to 4.1.4 (#3173)
• Bump metrics-bom from 4.1.4 to 4.1.5 (#3188)
• Bump mockito.version from 3.2.4 to 3.3.0 (#3164)
• Bump mockito.version from 3.3.0 to 3.3.3 (#3193)
• Bump octokit from 4.16.0 to 4.17.0 in /docs (#3189)
• Bump octokit from 4.17.0 to 4.18.0 in /docs (#3207)
• Bump pgpverify-maven-plugin from 1.5.1 to 1.7.0 (#3184)
• Bump sphinx from 2.4.2 to 2.4.3 in /docs (#3166)
• Bump sphinx from 2.4.3 to 2.4.4 in /docs (#3180)
• Bump tomcat-jdbc from 9.0.31 to 9.0.33 (#3196)

Documentation

• Update dead link to Jersey documentation (#3197)
• Update Javadoc and method signature for Cli#run(String...) (#3174)

Assorted

• Force English locale and UTC for dropwizard-example tests
• Enable maven-dependency-plugin analysis (#3202)
• Use Java 8, 11, and 14 in CI builds (#3205)

Security

• Disable message interpolation in ConstraintViolations by default (#3209)

Security

• Upgrade to Jackson 2.9.10.20200223 to address CVE-2020-8840 (#3168)

Security

• Escape EL expressions in ViolationCollector to address CVE-2020-5245 (#3157)
  • Security Advisory: Remote Code Execution (RCE) vulnerability in dropwizard-validation <2.0.2
  • Thanks to Alvaro Muñoz (@pwntester) and the GitHub Security Lab for the responsible disclosure!

Bug fixes

• Fix regression in OptionalInt/Long/Double handling (#3134)

Dependency updates

• Bump byte-buddy from 1.10.7 to 1.10.8 (#3151)
• Bump checker-qual from 3.1.0 to 3.1.1 (#3127)
• Bump hibernate-core from 5.4.10.Final to 5.4.11.Final (#3137)
• Bump hibernate-core from 5.4.11.Final to 5.4.12.Final (#3147)
• Bump hibernate-validator from 6.1.1.Final to 6.1.2.Final (#3126)
• Bump jdbi3-bom from 3.12.0 to 3.12.2 (#3146)
• Bump liquibase-core from 3.8.5 to 3.8.6 (#3136)
• Bump maven-shade-plugin from 3.2.1 to 3.2.2 (#3144)
• Bump octokit from 4.15.0 to 4.16.0 in /docs (#3128)
• Bump plexus-compiler-javac-errorprone from 2.8.5 to 2.8.6 (#3150)
• Bump sphinx from 2.3.1 to 2.4.0 in /docs (#3132)
• Bump sphinx from 2.4.0 to 2.4.1 in /docs (#3141)
• Bump sphinx from 2.4.1 to 2.4.2 in /docs (#3155)
• Bump tomcat-jdbc from 9.0.30 to 9.0.31 (#3143)

Assorted

• Enable error-prone on Java 9+ builds. (#3133)
• Fix a typo in the fourth paragraph of the Resources -> Methods section (#3135)
• Don't depend on iteration order in LoggingExceptionMapperTest (#3152)
• Fix user timezone for tests to UTC (#3158)

Security

• Escape EL expressions in ViolationCollector to address CVE-2020-5245 (#3160)
  • Security Advisory: Remote Code Execution (RCE) vulnerability in dropwizard-validation <2.0.2
  • Thanks to Alvaro Muñoz (@pwntester) and the GitHub Security Lab for the responsible disclosure!

Bug fixes

• Prefer jakarta apis over older javax apis (#3069)
• Fix thread safety issue with eTag calculation (#3120)

Dependency updates

• Bump assertj-core from 3.14.0 to 3.15.0 (#3116)
• Bump byte-buddy from 1.10.4 to 1.10.5 (#3060)
• Bump byte-buddy from 1.10.5 to 1.10.6 (#3071)
• Bump byte-buddy from 1.10.6 to 1.10.7 (#3110)
• Bump caffeine from 2.8.0 to 2.8.1 (#3102)
• Bump checker-qual from 3.0.1 to 3.1.0 (#3093)
• Bump guava from 28.1-jre to 28.2-jre (#3086)
• Bump hibernate-validator from 6.1.0.Final to 6.1.1.Final (#3101)
• Bump httpclient from 4.5.10 to 4.5.11 (#3104)
• Bump jackson-bom from 2.10.1 to 2.10.2 (#3092)
• Bump jackson-bom from 2.10.2 to 2.10.2.20200130 (#3122)
• Bump jdbi3-bom from 3.11.1 to 3.12.0 (#3064)
• Bump jersey-bom from 2.29.1 to 2.30 (#3096)
• Bump jetty.version from 9.4.24.v20191120 to 9.4.25.v20191220 (#3080)
• Bump jetty.version from 9.4.25.v20191220 to 9.4.26.v20200117 (#3105)
• Bump jmh.version from 1.22 to 1.23 (#3112)
• Bump junit from 4.12 to 4.13 (#3088)
• Bump junit-jupiter from 5.5.2 to 5.6.0 (#3108)
• Bump junit5.version from 5.5.2 to 5.6.0 (#3109)
• Bump lesscpy from 0.13.0 to 0.14.0 in /docs (#3113)
• Bump liquibase-core from 3.8.2 to 3.8.3 (#3070)
• Bump liquibase-core from 3.8.3 to 3.8.4 (#3077)
• Bump liquibase-core from 3.8.4 to 3.8.5 (#3095)
• Bump maven-source-plugin from 3.2.0 to 3.2.1 (#3075)
• Bump mockito.version from 3.2.0 to 3.2.4 (#3067)
• Bump octokit from 4.14.0 to 4.15.0 in /docs (#3090)
• Bump pgpverify-maven-plugin from 1.5.0 to 1.5.1 (#3074)
• Bump slf4j.version from 1.7.29 to 1.7.30 (#3066)
• Bump sphinx from 2.2.2 to 2.3.0 in /docs (#3063)
• Bump sphinx from 2.3.0 to 2.3.1 in /docs (#3076)
• Bump tomcat-jdbc from 9.0.29 to 9.0.30 (#3061)

Assorted

• GitHub Actions checkout v2 (#3078)
• Add configuration for Dependabot (#3081)
• Use default PGP keyservers (hkps://hkps.pool.sks-keyservers.net)
• Replacing ResourceTestRule with ResourceExtension in documentation (#3087)
• Example validation annotations (#3082)
• FileAppenderFactoryTest: verify that the appender has started (#3079)
• Use LinkedHashMap in App1Resource for deterministic iterations (#3103)

• Update Jackson version to 2.9.10.20200103 to address CVE-2019-20330 (#3100)

Thanks to @msymons!

Upgrade notes: https://www.dropwizard.io/en/release-2.0.x/manual/upgrade-notes/upgrade-notes-2_0_x.html

• Add TLS socket logging appender (#2317)
• Add opt-in EmptyOptionalNoContentExceptionMapper for returning 204 responses on empty Optional responses (#2350)
• Add configuration for excluding mime types and paths to gzip (#2356)
• Support expirable log level configurations (#2375)
• Add additional syslog logging facilities (#2381)
• Add opt-in logging throttling via the messageRate config property (#2384)
• Fix UUIDParams accepting input of incorrect length (#2382)
• Fix usage @SelfValidating with @BeanParam (#2334, #2335)
• Fix resource endpoints injected via DI not being logged on startup (#2389)
• Disable protocols less secure than TLS v1.2 by default (#2417)
• Add totalSizeCap to file log appender (#2502)
• Gzipped content encoded requests and responses are compatible with Servlet 3.1 and Async IO (#2566)
• Retired use of deprecated Apache StrSubstitutor and StrLookup classes and replaced them with Apache’s StringSubstitutor and StringLookup (#2462)
• Deprecate Bundle in favor of ConfiguredBundle (#2516)
• Allow unknown JSON properties (i.e. disable DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES) by default (#2570)
• Deprecate *Param classes and will be removed in 3.0.0 (#2637)
• Add data size class adhering to the correct SI and IEC prefixes (#2686)
• Added PortDescriptor class and method in ServerLifeCycleListener to provide a list of PortDescriptors, detailing all listening information for the application (#2711)
• Add support for proxy-protocol in http connector configuration (#2709)
• Disable using X-Forwarded-* headers by default (#2748)
• Fix typo by renaming ResilentSocketOutputStream to ResilientSocketOutputStream (#2766)
• Adds an opt-in URI request logging filter factory (UriFilterFactory) (#2794)`
• Add support for configuring Jetty’s cookie compliance (#2812)
• Deprecate Authorizer.authorize(principal, role) in favor of Authorizer.authorize(principal, role, context) (#2837)
• Fix undefined config environment variables with a default value causing an exception in strict mode (#2801)
• Removed dropwizard-jdbi as official module and moved it into it’s own project: dropwizard-jdbi (#2922)
• Add @JsonProperty to AbstractServerFactory setters
• Add InjectValidatorBundle that enable context injection into validators
• Add JUnit 5 Example to Testing Clients (#2367)
• Add TLS socket logging appender
• Add a JSONUnauthorizedHandler (#2839)
• Add config settings for tasks and health check resources (#3037)
• Add current class loader to javassist ClassPool
• Add mapping for Jetty alpn-boot to Java versions (#2948)
• Add missing “to” in BaseConfigurationFactory exception messages (#2869)
• Add new constructors to allow specifying a response content type for Task and PostBodyTask, keeping the default as text/plain;charset=UTF-8
• Add pip requirements file with Sphinx and dependencies
• Add possibility to disable logging bootstrap for ResourceTestRule (#2338)
• Add safe Jackson deserializers to prevent a DoS attack (#2511)
• Add support for PATCH request to ResourceTestRule client (#2410)
• Add support for SLF4J markers to dropwizard-json-logging (#2899)
• Add support for disabled metric attributes on ConsoleReporterFa… (#2976)
• Add support for logging caller data in dropwizard-json-logging
• Add support for pathQuery json access log attribute
• Added support for independently client-specified JCE Providers for both keystore and truststore (#2390)
• Addressed ThrottlingLoggingAppenderTest issues
• Adds a request logging url filter. Fixes #2794
• Allow full customization of HttpClientBuilder (#2864)
• Allow overriding ViewMessageBodyWriter#detectLocale() (#2967)
• Allow reporting Metrics on stop (#2558)
• Allow simple logger level config to support “OFF” (#2819)
• Allow to disable logging bootstrap in DAOTest
• Allow to setNormalizeUri on HTTP client
• Appropriately log ssl params
• Avoid error message while signing artifacts
• Be more precise about use of Metered and Timed annotations
• Catch EofException at the jetty handler level
• Checkout all freemarker templates with lf line endings
• Compiler Warning Cleanup (#2466)
• ConnectorProvider Not Set Silently
• Convert to lazy evaluation for json event creation (#2506)
• Correctly log resource paths with relative path segments (#2923)
• Default values allowed on strict undefined config env vars
• Dependency reorganization (#2897)
• Deprecate *Param classes
• Disable Errorprone: EqualsGetClass check (#2718)
• Disable FAIL_ON_UNKNOWN_PROPERTIES by default
• Document TeeFilter for JSON log format (#2596)
• DropwizardTestSupport sets ConfigurationFactoryFactory too early (#2551)
• Enable Jackson Afterburner only on Java 8 (#2966)
• Ensure DropwizardResourceConfig#forTesting() is using a random port
• Exclude javax.el and jakarta.el-api, using glassfish jakarta.el instead (#2750)
• Explicitly create BootstrapServiceRegistry in SessionFactoryFac… (#2977)
• Extend from AbstractHandlerContainer instead of AbstractHandler (#2460)
• Fix Incomplete TaskServletTest Method Stubbing To Avoid NullpointerException In Tests (#3032)
• Fix Integration Testing Example (#2364)
• Fix Jackson (fuzzy) enum handling (#2599)
• Fix date formatting pattern in test (#2585)
• Fix deprecation usage of argparse4j
• Fix errorpone warnings (#2399)
• Fix escape signs and broken @see section (#2331)
• Fix for InvalidKeyException: Illegal key size (#2411, #2408)
• Fix illegal reflection warning in DropwizardResourceConfig (#2964)
• Fix incorrect reading of somaxconn for tcp backlog on linux (#2430)
• Include default requestLog format string in documentation (#2500, #2526)
• Fix jersey attempting to resolve auth filter fields
• Fix shared metrics race with multiple environments
• Fix tests: Disable FAIL_ON_UNKNOWN_PROPERTIES
• Fixed flaky test in CachingAuthorizer (#2683)
• Improve Dropwizard test support (#2673)
• Improve validation message for min/max duration
• Include all Apache Tomcat JDBC ConnectionPool metrics (#2475)
• Increases the values in the hibernate validator annotations to actual minimums
• Let async logs finish in throttling append test
• Make Duration, DataSize, and Size serializable (#2975)
• Mark PermissiveEnumDeserializer as cacheable (#2446)
• Merge pull request #2316 from dropwizard/move-to-junit5
• Merge pull request #2320 from nickbabcock/remove-prereq-
• Merge pull request #2324 from nickbabcock/jersey-resolv
• Merge pull request #2325 from xiaodong-xie/upgrade-liquibase
• Merge pull request #2339 from nickbabcock/argparse4j
• Merge pull request #2341 from nickbabcock/freemarker-attributes
• Merge pull request #2342 from nickbabcock/env-metric-race
• Merge pull request #2344 from manuel-hegner/feature/improve_self_validation
• Merge pull request #2349 from nickbabcock/fix-javadoc-errors
• Merge pull request #2404 from nickbabcock/cleanup-params-test
• Merge pull request #2405 from nickbabcock/log-ssl
• Merge pull request #2409 from nickbabcock/inclusive
• Merge pull request #2414 from tsundberg/timed-and-meterd-cannot-be-used-at-the-same-time
• Merge pull request #2448 from dropwizard/resource-config-random-port
• Merge pull request #2487 from zmarois/patch-1
• Merge pull request #2509 from mattnelson/json_uri_query
• Merge pull request #2514 from bennyz/redundant-the
• Merge pull request #2519 from dropwizard/dependency-updates
• Merge pull request #2522 from alex-shpak/feature/inject-validator-2
• Merge pull request #2541 from shail/eofExceptionIssue
• Merge pull request #2549 from minisu/patch-3
• Merge pull request #2573 from isaki/throttle_revisit
• Merge pull request #2575 from isaki/cache_auth_test_fix
• Merge pull request #2576 from sergioescala/removing_unnecessary_import
• Merge pull request #2578 from nickbabcock/cve-suppress
• Merge pull request #2600 from dropwizard/issue-2539
• Merge pull request #2643 from nickbabcock/before-after
• Merge pull request #2659 from dropwizard/errorprone-nullaway
• Merge pull request #2665 from nickbabcock/sona-example
• Merge pull request #2675 from dennyac/dropwizard-jersey-metrics-documentation
• Merge pull request #2684 from nickbabcock/logging-docs
• Merge pull request #2692 from FredDeschenes/2.0-release-notes-abstractbinder
• Merge pull request #2693 from dropwizard/remove-checkstyle
• Merge pull request #2703 from slivkamiro/feature/validation-query
• Merge pull request #2722 from dropwizard/issue-2721
• Merge pull request #2741 from davnicwil/specify-task-response-type
• Merge pull request #2760 from dropwizard/issue-2759
• Merge pull request #2764 from tristanbuckner/reset_closed_client
• Merge pull request #2767 from nickbabcock/test-bind
• Merge pull request #2775 from nickbabcock/remove-doc
• Merge pull request #2786 from josephlbarnett/javassist-classpath
• Merge pull request #2803 from koraytugay/patch-1
• Merge pull request #2804 from stevenbenitez/fix/caching-authenticator-doc
• Merge pull request #2805 from mzamani1/fix-conscrypt-docs
• Merge pull request #2811 from cyberdelia/normalize-uri
• Merge pull request #2854 from toadzky/fix-hibernate-validator-values-on-server-factory
• Merge pull request #2874 from jamesalfei/master
• Merge pull request #2883 from dropwizard/dependency-cleanup
• Merge pull request #2919 from alexey-wg2/remove-duplicated-service-entry
• Merge pull request #2940 from msymons/master
• Merge pull request #2943 from gisripa/requestAttrs_json_logging
• Merge pull request #3021 from cjhawley/patch-1
• Migrate jetty min data rates to Sizes
• Migrate tests to JUnit 5.4.0 (#2493)
• Migrate to jetty-only gzip handler (#2566)
• Move ResilientSocketOutputStream into io.dropwizard.logging (#2925)
• Nested calls to @UnitOfWork methods cause inconsistent behaviour (#2913)
• Only override ConfigurationSourceProvider if explicitly provided (#2720)
• Overhaul logging resource endpoints
• Refactor inject validator bundle to use resourceContext directly
• Register HK2 AbstractBinder with Jersey (#3000)
• Remove Guava (#2400, #2555)
• Remove metrics-ganglia completely (#2310)
• Remove restrictions on generic type for ConfiguredBundle
• Replace InjectValidatorBundle with feature and register by default
• Replace JSON string asserts in MultipleContentTypeTest (#3056)
• Replace ThrottlingAppenderWrapper with external version
• Replace livereload and Guard with sphinx-autobuild
• Replace remaining use of Hamcrest with AssertJ (#2444)
• Request Uri event should not contain params in tests (#2504)
• Return 404 for POST /admin/tasks (#2627)
• Rework resource config test for resilient CI
• Rewrite of throttling logging appender testing (#2458)
• Satisfy optional check before unwrap analyses (#2644)
• Simplify SelfValidatingValidator (#2413)
• Support URL encoded entry names in ResourceURL#isDirectory() (#2674)
• Support configuration of exception details with JSON logging (#2501)
• Support custom request executor in HttpClientBuilder (#2959)
• Support dumping Jetty config on start/stop (#2743)
• Support for requestAttributes in Json access log
• Support handling failed commands via Application#onFatalError(… (#3020)
• Support nested JUnit 5 tests with DropwizardExtension (#2924)
• Surround bootclasspath in quotes for special characters in user home
• Test deserializing config without JsonAutoDetect
• Test support cleanup on before exceptions
• UUID param to length check input
• Use AtomicReference in LogConfigurationTask for timer
• Use Dropwizard’s CharStreams class in DefaultServerFactoryTest
• Use Java Stream API in DbDumpCommandTest (#2326)
• Use commons-text native undef var detection (#2829)
• Use correct property for Dropwizard versions in dropwizard-bom
• Use custom public and secret keyrings when signing
• Use instrumented thread factory (#2649)
• Use strict illegal-access policy on Java 9 and later (#2965)
• Allowing validation query to be null #2702
• make it possible to created subclass of apache http builder (#2958)
• Update JdbiFactory to use metrics’ InstrumentedSqlLogger (#2682)
  Version updates
• Bump bcprov-jdk15on to 1.64 (#2642, #2791, #2917, #2972)
• Bump byte-buddy to 1.10.4 (#2611, #2631, #2707, #2710, #2782, #2835, #2849, #2860, #2876, #2984, #3018, #3041)
• Bump caffeine to 2.8.0 (#2661, #2868)
• Bump checker-qual to 3.0.0 (#2676, #2728, #2756, #2790, #2827, #2865, #2866, #2894, #2902, #2955, #3048, #3012)
• Bump classmate to 1.5.1 (#2708, #2985)
• Bump commons-lang3 to 3.9 (#2732)
• Bump commons-text to 1.8 (#2828, #2905)
• Bump Mustache compiler to 0.9.6 (#2616)
• Bump Errorprone to 2.3.4 (#3046, #3047)
• Bump Freemarker to 2.3.29 (#2887)
• Bump Guava to 28.1-jre (#2472, #2688, #2798, #2900)
• Bump hibernate-core to 5.4.10.Final (#2706, #2785, #2863, #2952, #2993, #3007, #3026, #3052)
• Bump hibernate-validator to 6.1.0.Final (#2629, #2662, #2705, #2802, #3003)
• Bump Apache HttpClient to 4.5.10 (#2615, #2715, #2799, #2914)
• Bump Jackson to 2.10.0 (#2393, #2777, #2826, #2870, #3019, #2944)
• Bump jakarta.el to 3.0.3 (#2912)
• Bump javassist to 3.26.0-GA (#2738, #2961)
• Bump JAXB API to 2.3.1 (#2608)
• Bump JDBI3 to 3.11.1 (#2369, #2451, #2546, #2731, #2726, #2744, #2754, #2762, #2855, #2872, #2907, #2929, #3027, #3030)
• Bump Jersey to 2.29.1 (#2395, #2613, #2813, #2916)
• Bump Jetty to 9.4.24.v20191120 (#2346, #2657, #2734, #2740, #2752, #2800, #2879, #2956, #2997, #3031, #3033)
• Bump alpn-boot to v8.1.13.v20181017 (#2547, #2340)
• Bump Joda-Time to 2.10.5 (#2772, #2831, #2937, #2998)
• Bump Liquibase to 3.8.2 (#2386, #2621, #2845, #2890, #3016, #3038)
• Bump logback-throttling-appender to 1.1.0 (#2928)
• Bump Dropwizard Metrics to 4.1.2 (#2761, #2986, #3055)
• Bump Objenesis to 3.1 (#2968)
• Bump SLF4J to 1.7.29 (#2652, #2873, #2877, #3009)
• Bump tomcat-jdbc to 9.0.29 (#2636, #2700, #2733, #2776, #2793, #2838, #2885, #2979, #2935, #3034)
• Upgrade dependencies (#2445, #2473, #2537, #2565)
• Bump JUnit 5 to 5.5.2 (#2347, #2604, #2635, #2651, #2697, #2698, #2724, #2727, #2822, #2842, #2848, #2850, #2910, #2911)
• Bump Mockito to 3.2.0 (#2630, #2654, #2680, #2695, #2725, #2730, #2784, #2834, #2957, #3044)
• Bump assertj-core to 3.14.0 (#2648, #2666, #2696, #2861, #2862, #2867, #3004)
• Bump H2 to 1.4.200 (#2660, #2694, #2983)
• Bump hsqldb to 2.5.0 (#2788)
• Bump Octokit to 4.14.0 (#2607, #2716)
• Bump Sphinx to 2.2.2 (#2328, #2606, #2632, #2689, #2712, #2729, #2789, #2796, #2810, #2886, #3002, #3049)

• Add SLF4J marker to dropwizard-json-logging (#3005)
• Enable Jackson Afterburner only on Java 8 (backport) (#3028)
• Upgrade Apache HttpClient to 4.5.10 to fix URI rewriting (#3029)

• Upgrade to Jackson 2.9.10.20191020 to address CVE-2019-16942, CVE-2019-16943, and CVE-2019-17531 (#2988, thanks to @msymons)

• Upgrade to Jackson 2.9.10 to address multiple security issues (#2939)

• Upgrade to Jackson 2.9.9.20190807 to address multiple security issues (#2871)

• Upgrade to Jackson Databind 2.9.9.1 to address CVE-2019-12086 (#2825)
• Add a JSONUnauthorizedHandler (#2841)