Bump reactor-netty to 1.3.2 and reactor to 3.8.2

[reta]

Description

Bump reactor-netty to 1.3.2 and reactor to 3.8.2

Related Issues

N/A

Check List

• Functionality includes testing.
• API changes companion pull request created, if applicable.
• Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Summary by CodeRabbit

• Chores
  • Updated Gradle dependency versions: reactor bumped to 3.8.2 and reactor-netty to 1.3.2
  • Updated associated build artifacts and checksums to reflect the new dependency versions

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR bumps Project Reactor and Reactor Netty dependency versions to 3.8.2 and 1.3.2 respectively, updating the Gradle version catalog, changelog documentation, and license SHA-1 checksums across multiple modules.

Changes

Cohort / File(s)	Summary
Documentation & Configuration CHANGELOG.md, gradle/libs.versions.toml	Updated changelog entry documenting reactor-netty 1.3.2 and reactor 3.8.2 bump; upgraded version catalog entries from reactor 3.8.1→3.8.2 and reactor_netty 1.3.1→1.3.2
License SHA-1 Checksums - Reactor Core client/rest/licenses/reactor-core-3.8.*.jar.sha1, server/licenses/reactor-core-3.8.*.jar.sha1	Removed 3.8.1 checksums and added 3.8.2 checksums across client and server modules
License SHA-1 Checksums - Reactor Netty Core plugins/repository-azure/licenses/reactor-netty-core-1.3.*.jar.sha1, plugins/transport-reactor-netty4/licenses/reactor-netty-core-1.3.*.jar.sha1	Removed 1.3.1 checksums and added 1.3.2 checksums across Azure repository and transport reactor netty4 plugins
License SHA-1 Checksums - Reactor Netty HTTP plugins/repository-azure/licenses/reactor-netty-http-1.3.*.jar.sha1, plugins/transport-reactor-netty4/licenses/reactor-netty-http-1.3.*.jar.sha1	Removed 1.3.1 checksums and added 1.3.2 checksums across Azure repository and transport reactor netty4 plugins

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• Bump Project Reactor to 3.8.1 and Reactor Netty to 1.3.1 #20217: Performs the same kind of dependency version bump for Project Reactor and Reactor Netty with identical file structure changes (libs.versions.toml, changelog, SHA1 license files), but to the preceding versions (3.8.1/1.3.1).

Suggested reviewers

• sandeshkr419
• andrross
• cwperks

Poem

🐰 Hop, hop—the reactor springs anew,
Netty threads now 1.3.2 through and through!
Checksums dance in directories aligned,
Version bumps leave old hashes behind!
A stable upgrade, clean and bright,
The project now flows with renewed might! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main change: bumping reactor-netty to 1.3.2 and reactor to 3.8.2, which matches the changeset.
Description check	✅ Passed	The description follows the template structure with a clear description section stating the change, related issues marked as N/A, and the required checklist present. No critical sections are missing.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ba420b3 and 62f6e67.

📒 Files selected for processing (14)

• CHANGELOG.md
• client/rest/licenses/reactor-core-3.8.1.jar.sha1
• client/rest/licenses/reactor-core-3.8.2.jar.sha1
• gradle/libs.versions.toml
• plugins/repository-azure/licenses/reactor-netty-core-1.3.1.jar.sha1
• plugins/repository-azure/licenses/reactor-netty-core-1.3.2.jar.sha1
• plugins/repository-azure/licenses/reactor-netty-http-1.3.1.jar.sha1
• plugins/repository-azure/licenses/reactor-netty-http-1.3.2.jar.sha1
• plugins/transport-reactor-netty4/licenses/reactor-netty-core-1.3.1.jar.sha1
• plugins/transport-reactor-netty4/licenses/reactor-netty-core-1.3.2.jar.sha1
• plugins/transport-reactor-netty4/licenses/reactor-netty-http-1.3.1.jar.sha1
• plugins/transport-reactor-netty4/licenses/reactor-netty-http-1.3.2.jar.sha1
• server/licenses/reactor-core-3.8.1.jar.sha1
• server/licenses/reactor-core-3.8.2.jar.sha1

💤 Files with no reviewable changes (6)

• plugins/repository-azure/licenses/reactor-netty-http-1.3.1.jar.sha1
• server/licenses/reactor-core-3.8.1.jar.sha1
• plugins/transport-reactor-netty4/licenses/reactor-netty-core-1.3.1.jar.sha1
• client/rest/licenses/reactor-core-3.8.1.jar.sha1
• plugins/transport-reactor-netty4/licenses/reactor-netty-http-1.3.1.jar.sha1
• plugins/repository-azure/licenses/reactor-netty-core-1.3.1.jar.sha1

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2025-12-13T20:16:15.318Z

Learnt from: reta
Repo: opensearch-project/OpenSearch PR: 20017
File: modules/transport-netty4/src/main/java/org/opensearch/http/netty4/Netty4Http3ServerTransport.java:101-123
Timestamp: 2025-12-13T20:16:15.318Z
Learning: In OpenSearch, only one HTTP transport implementation can be active and loaded at a time, so duplicate setting definitions (such as h3.max_stream_local_length, h3.max_stream_remote_length, and h3.max_streams) across different transport implementations like Netty4Http3ServerTransport and ReactorNetty4HttpServerTransport will not cause setting registration conflicts.

Applied to files:

• CHANGELOG.md

📚 Learning: 2025-12-12T18:40:08.452Z

Learnt from: reta
Repo: opensearch-project/OpenSearch PR: 20017
File: plugins/transport-reactor-netty4/src/test/java/org/opensearch/http/reactor/netty4/ssl/SecureReactorNetty4HttpServerTransportTests.java:256-256
Timestamp: 2025-12-12T18:40:08.452Z
Learning: In the OpenSearch ReactorNetty4 secure HTTP transport tests (plugins/transport-reactor-netty4/src/test/java/org/opensearch/http/reactor/netty4/ssl/SecureReactorNetty4HttpServerTransportTests.java), URI limit validation has been moved from the protocol layer to the transport layer, making it protocol-agnostic. The random protocol selection in ReactorHttpClient.https(settings) is intentional to ensure all tests validate correct behavior across HTTP/1.1, HTTP/2, and HTTP/3.

Applied to files:

• gradle/libs.versions.toml
• plugins/transport-reactor-netty4/licenses/reactor-netty-core-1.3.2.jar.sha1
• plugins/transport-reactor-netty4/licenses/reactor-netty-http-1.3.2.jar.sha1

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (20)

• GitHub Check: gradle-check
• GitHub Check: precommit (25, windows-latest)
• GitHub Check: precommit (25, ubuntu-latest)
• GitHub Check: precommit (21, macos-15-intel)
• GitHub Check: precommit (25, macos-15-intel)
• GitHub Check: precommit (21, macos-15)
• GitHub Check: precommit (21, ubuntu-latest)
• GitHub Check: precommit (25, macos-15)
• GitHub Check: precommit (21, ubuntu-24.04-arm)
• GitHub Check: precommit (21, windows-2025, true)
• GitHub Check: precommit (21, windows-latest)
• GitHub Check: precommit (25, ubuntu-24.04-arm)
• GitHub Check: assemble (21, ubuntu-24.04-arm)
• GitHub Check: assemble (25, ubuntu-latest)
• GitHub Check: assemble (25, ubuntu-24.04-arm)
• GitHub Check: Analyze (java)
• GitHub Check: assemble (21, windows-latest)
• GitHub Check: assemble (21, ubuntu-latest)
• GitHub Check: assemble (25, windows-latest)
• GitHub Check: detect-breaking-change

🔇 Additional comments (7)

plugins/repository-azure/licenses/reactor-netty-http-1.3.2.jar.sha1 (1)

1-1: LGTM! Checksum is consistent across modules.

The SHA1 checksum matches the identical file in the transport-reactor-netty4 module, which is correct since they reference the same reactor-netty-http 1.3.2 JAR artifact.

plugins/repository-azure/licenses/reactor-netty-core-1.3.2.jar.sha1 (1)

1-1: LGTM! Checksum is consistent across modules.

The SHA1 checksum matches the identical file in the transport-reactor-netty4 module, which is correct since they reference the same reactor-netty-core 1.3.2 JAR artifact.

plugins/transport-reactor-netty4/licenses/reactor-netty-http-1.3.2.jar.sha1 (1)

1-1: Checksum format is correct and version 1.3.2 has no known security vulnerabilities.

The SHA1 checksum file is properly formatted. Version 1.3.2 of reactor-netty-http is not affected by known CVEs including CVE-2025-22227 (which targets versions <1.2.8 and >=1.3.0-M1 to <1.3.0-M5) and earlier CVEs like CVE-2023-34062 that only affect 1.0/1.1 releases.

server/licenses/reactor-core-3.8.2.jar.sha1 (1)

1-1: No known security vulnerabilities found for reactor-core 3.8.2, but verify the SHA1 checksum locally.

There are no published security advisories for reactor-core 3.8.2 from Project Reactor or Spring security. However, manually verify that the SHA1 hash 874cfa3a39b93eb74e21f13ce9dba537ccc49726 matches the official reactor-core 3.8.2 JAR from Maven Central by running:

sha1sum reactor-core-3.8.2.jar

or downloading and checking against the official artifact.

CHANGELOG.md (1)

64-64: LGTM!

The changelog entry follows the established format and is correctly placed under the Dependencies section for the unreleased 3.x version.

gradle/libs.versions.toml (1)

45-46: Version bump looks good.

The patch version updates for Project Reactor (3.8.1 → 3.8.2) and Reactor Netty (1.3.1 → 1.3.2) are correctly applied and available on Maven Central. Reactor Netty 1.3.2 includes fixes for known security vulnerabilities including CVE-2025-22227.

client/rest/licenses/reactor-core-3.8.2.jar.sha1 (1)

1-1: SHA1 checksum verified against Maven Central.

The checksum in client/rest/licenses/reactor-core-3.8.2.jar.sha1 matches the official value from Maven Central. The file follows the expected naming convention and format.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

[github-actions]

✅ Gradle check result for 62f6e67: SUCCESS

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.17%. Comparing base (6b50fa4) to head (62f6e67).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #20419      +/-   ##
============================================
- Coverage     73.29%   73.17%   -0.13%     
+ Complexity    71816    71783      -33     
============================================
  Files          5793     5793              
  Lines        328644   328644              
  Branches      47313    47313              
============================================
- Hits         240890   240486     -404     
- Misses        68404    68905     +501     
+ Partials      19350    19253      -97     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.