Eclipse JGit: Java implementation of Git 7.3.0 Release Review

Features

• PackExt: Add value for the multipack index
• MultiPackIndex: Add and implement #resolve() method
• MultiPackIndexWriter: Handle empty packs
• MultiPackIndexWriter: return bytes written
• MultiPackIndex: add #getMemorySize() method
• MultiPackIndex: reader for the multipack index
• SystemReader: Add support for XDG_CACHE_HOME
• TreeRevFilter: enable Bloom Filter usage with ChangedPathTreeFilter

Performance Improvements

• BlameResult: Let generator decide when to use the blame cache
• BlameGenerator: Use cache only for candidates modifying the path

Bug Fixes

• FS.getFileStoreAttributes: cancel failed task executed asynchronously
• FileReftableStack: ensure new reftable files aren't missed on NFS
• Encapsulate layout of reftable stack in FileReftableStack
• PlotRefComparator: fix #timeof
• jgit-157 Fix package name of spring boot JarLauncher class in jgit.sh
• jgit-146 Checkout: Handle InvalidRefNameException
• FileReftableDatabase: mark autoRefresh volatile

Security Fixes

The following changes fix CVE-2025-4949:

• ManifestParser: Do not accept DOCTYPE and entities to harden XML parser
• AmazonS3: Do not accept DOCTYPE and entities to harden XML parser

Kudos to Simon Gerst for reporting this vulnerability.

Build and Release Engineering

• update dependencies
  • jgit-148 bouncyvastle to 1.80.0
  • bytebuddy to 1.17.5
  • com.google.code.gson:gson to 2.13.1
  • commons-io:commons-io to 2.19.0
  • jetty to 12.0.21
  • jna to 5.17.0
  • mockito to 5.18.0
• update maven plugins
  • maven-deploy-plugin to 3.1.4
  • maven-install-plugin to 3.1.4
  • spotbugs-maven-plugin to 4.9.2.0
  • tycho to 4.0.12
• update bazel to 8.2.1
• MODULE.bazel: Move dependencies from WORKSPACE to bazel modules
• jgit-151 Update scm url in pom.xml to refer to gerrit homepage of jgit repo
• Add target platform jgit-4.36 for eclipse 2025-06
• replace old Date Time classes with java.time API in many places