8.60.0 release (2025-08-13)

Total recipe count: 4631

info

This changelog only shows what recipes have been added, removed, or changed. OpenRewrite may do releases that do not include these types of changes. To see these changes, please go to the releases page.

Corresponding CLI version

• Stable CLI version v3.43.6
• Staging CLI version: v3.44.4

New Artifacts

• rewrite-program-analysis

New Recipes

• com.oracle.weblogic.rewrite.WebLogicXmlCreateIfNotExists1511: This recipe will create a weblogic.xml file with the WebLogic 15.1.1 namespace if it does not already exist.
• com.oracle.weblogic.rewrite.WebLogicXmlPreferApplicationPackagesJPA: This recipe will add a prefer-application-packages entry for Jakarta Persistence in weblogic.xml if it does not already exist.
• com.oracle.weblogic.rewrite.WebLogicXmlPreferApplicationPackagesSlf4j: This recipe will add a prefer-application-packages entry for SLF4J in weblogic.xml if it does not already exist.
• com.oracle.weblogic.rewrite.jakarta.UpdateJakartaPersistenceTo31: Update Jakarta Persistence to 3.1.
• com.oracle.weblogic.rewrite.jakarta.UpdateJakartaPersistenceTo32: Update Jakarta Persistence to 3.2.
• com.oracle.weblogic.rewrite.jakarta.UpgradeMavenPluginArtifactItems: Change the groupId and the artifactId of an artifactItem in the configuration section of a plugin's execution. This recipe does not perform any validation and assumes all values passed are valid.
• com.oracle.weblogic.rewrite.jakarta.UpgradeMavenPluginConfigurationArtifacts: Change artifacts for a Maven plugin configuration artifacts.
• com.oracle.weblogic.rewrite.spring.data.UpgradeSpringDataJpa: Upgrade Spring Data JPA to 3.4.6 version, which is the version used by spring-data-bom v2024.1.x
• io.moderne.hibernate.update70.AddCascadePersistToIdMappedAssociations: Hibernate used to automatically enable cascade=PERSIST for association fields annotated @Id or @MapsId. This was undocumented and unexpected behavior, and no longer supported in Hibernate 7. Existing code which relies on this behavior will be modified by addition of explicit cascade=PERSIST to the association fields.
• io.moderne.hibernate.update70.MigrateToTargetEmbeddable: Migrates code using removed @Target to to Hibernate 7.0's @TargetEmbeddable equivalent. Removes misused @Target annotations.
• io.quarkus.updates.camel.camel413.CamelQuarkusMigrationRecipe: Migrates camel 4.12 Quarkus application to camel 4.13.
• io.quarkus.updates.core.quarkus326.EnableEnabledConfigChanges:
• org.apache.camel.upgrade.camel413.CamelMigrationRecipe: Migrates camel 4.12 application to camel 4.13.
• org.apache.camel.upgrade.camel413.YamlDsl413Recipe: Apache Camel YML DSL migration from version 4.12 o 4.13.
• org.apache.camel.upgrade.camel413.authenticationHttpClientConfigurer: BasicAuthenticationHttpClientConfigurer is renamed to DefaultAuthenticationHttpClientConfigurer.
• org.apache.camel.upgrade.camel413.furyDependency:
• org.apache.camel.upgrade.camel413.furyDsl:
• org.apache.camel.upgrade.camel413.furyJava: BasicAuthenticationHttpClientConfigurer is renamed to DefaultAuthenticationHttpClientConfigurer.
• org.openrewrite.analysis.java.FindNullPointerIssues: Detects potential null pointer dereferences using path-sensitive analysis to distinguish between definite NPEs, possible NPEs, and safe dereferences.
• org.openrewrite.analysis.java.controlflow.FindUnusedDefinitions: Identifies variable assignments whose values are never used before being overwritten.
• org.openrewrite.analysis.java.controlflow.search.FindCyclomaticComplexity: Calculates the cyclomatic complexity of methods and produces a data table containing the class name, method name, argument types, complexity value, and complexity threshold.
• org.openrewrite.analysis.java.controlflow.search.FindUnreachableCode: Uses control flow analysis to identify statements that can never be executed.
• org.openrewrite.analysis.java.dataflow.FindDeadStores: Identifies variable assignments whose values are never used before being overwritten or going out of scope.
• org.openrewrite.analysis.java.datalineage.TrackDataLineage: Tracks the flow of data from database sources (JDBC queries, JPA entities) to API sinks (REST endpoints, GraphQL mutations) to understand data dependencies and support compliance requirements.
• org.openrewrite.analysis.java.privacy.FindPiiExposure: Detects when Personally Identifiable Information (PII) is exposed through logging statements or sent to external APIs without proper sanitization. This helps prevent data leaks and ensures compliance with privacy regulations like GDPR and CCPA.
• org.openrewrite.analysis.java.security.FindCommandInjection: Detects when user-controlled input flows into system command execution methods like Runtime.exec() or ProcessBuilder, which could allow attackers to execute arbitrary commands.
• org.openrewrite.analysis.java.security.FindLdapInjection: Finds LDAP injection vulnerabilities by tracking tainted data flow from user input to LDAP queries.
• org.openrewrite.analysis.java.security.FindPathTraversal: Detects potential path traversal vulnerabilities where user input flows to file system operations without proper validation.
• org.openrewrite.analysis.java.security.FindSecurityVulnerabilities: Identifies potential security vulnerabilities where untrusted data from sources flows to sensitive sinks without proper sanitization.
• org.openrewrite.analysis.java.security.FindSqlInjection: Detects potential SQL injection vulnerabilities where user input flows to SQL execution methods without proper sanitization.
• org.openrewrite.analysis.java.security.FindUnencryptedPiiStorage: Identifies when personally identifiable information (PII) is stored in databases, files, or other persistent storage without encryption.
• org.openrewrite.analysis.java.security.FindXssVulnerability: Detects potential cross-site scripting vulnerabilities where user input flows to output methods without proper sanitization.
• org.openrewrite.analysis.java.security.FindXxeVulnerability: Locates XML parsers that are not configured to prevent XML External Entity (XXE) attacks.
• org.openrewrite.apache.commons.lang.ApacheCommonsStringUtilsRecipes$RemoveRedundantNullCheckWithIsNotBlankRecipe: Remove redundant null check when using StringUtils.isNotBlank(String) as it already handles null values.
• org.openrewrite.github.RemoveUnusedWorkflowDispatchInputs: Remove workflow_dispatch inputs that are not referenced anywhere in the workflow file.
• org.openrewrite.github.RemoveWorkflowInputArgument: Remove a specific input argument from calls to a reusable workflow.
• org.openrewrite.gradle.ChangeManagedDependency: Change a Gradle managed dependency coordinates. The newGroupId or newArtifactId MUST be different from before. For now, only Spring Dependency Management Plugin entries are supported and no other forms of managed dependencies (yet).
• org.openrewrite.gradle.RemoveExtension: Remove a Gradle build extension from settings.gradle(.kts) or build.gradle(.kts) files.
• org.openrewrite.java.AddCommentToImport: Add a comment to an import statement in a Java source file.
• org.openrewrite.java.dependencies.FindDependency: Finds direct dependencies declared in Maven and Gradle build files. This does not search transitive dependencies. To detect both direct and transitive dependencies use org.openrewrite.java.dependencies.DependencyInsight This recipe works for both Maven and Gradle projects.
• org.openrewrite.java.dependencies.search.DoesNotIncludeDependency: A precondition which returns false if visiting a Gradle file / Maven pom which includes the specified dependency in the classpath of some Gradle configuration / Maven scope. For compatibility with multimodule projects, this should most often be applied as a precondition.
• org.openrewrite.java.logging.ArgumentArrayToVarargs: For Logger methods that support varargs, convert any final explicit Object[] arguments into their unpacked values.
• org.openrewrite.java.logging.jboss.FormattedArgumentsToVMethodRecipes: Replace logger.level("hello {0}", arg) with logger.levelv("hello {0}", arg).
• org.openrewrite.java.logging.jboss.FormattedArgumentsToVMethodRecipes$DebugToVDebugRecipe: Recipe created for the following Refaster template:

public static class DebugToVDebug {
    
    @BeforeTemplate
    void before(Logger logger, String message, Object[] args) {
        logger.debug(message, args);
    }
    
    @AfterTemplate
    void after(Logger logger, String message, Object[] args) {
        logger.debugv(message, args);
    }
}

.

• org.openrewrite.java.logging.jboss.FormattedArgumentsToVMethodRecipes$DebugToVDebugWithThrowableRecipe: Recipe created for the following Refaster template:

public static class DebugToVDebugWithThrowable {
    
    @BeforeTemplate
    void before(Logger logger, String message, Object[] args, Throwable t) {
        logger.debug((Object)message, args, t);
    }
    
    @AfterTemplate
    void after(Logger logger, String message, Object[] args, Throwable t) {
        logger.debugv(message, args, t);
    }
}

.

• org.openrewrite.java.logging.jboss.FormattedArgumentsToVMethodRecipes$ErrorToVErrorRecipe: Recipe created for the following Refaster template:

public static class ErrorToVError {
    
    @BeforeTemplate
    void before(Logger logger, String message, Object[] args) {
        logger.error(message, args);
    }
    
    @AfterTemplate
    void after(Logger logger, String message, Object[] args) {
        logger.errorv(message, args);
    }
}

.

• org.openrewrite.java.logging.jboss.FormattedArgumentsToVMethodRecipes$ErrorToVErrorWithThrowableRecipe: Recipe created for the following Refaster template:

public static class ErrorToVErrorWithThrowable {
    
    @BeforeTemplate
    void before(Logger logger, String message, Object[] args, Throwable t) {
        logger.error((Object)message, args, t);
    }
    
    @AfterTemplate
    void after(Logger logger, String message, Object[] args, Throwable t) {
        logger.errorv(message, args, t);
    }
}

.

• org.openrewrite.java.logging.jboss.FormattedArgumentsToVMethodRecipes$FatalToVFatalRecipe: Recipe created for the following Refaster template:

public static class FatalToVFatal {
    
    @BeforeTemplate
    void before(Logger logger, String message, Object[] args) {
        logger.fatal(message, args);
    }
    
    @AfterTemplate
    void after(Logger logger, String message, Object[] args) {
        logger.fatalv(message, args);
    }
}

.

• org.openrewrite.java.logging.jboss.FormattedArgumentsToVMethodRecipes$FatalToVFatalWithThrowableRecipe: Recipe created for the following Refaster template:

public static class FatalToVFatalWithThrowable {
    
    @BeforeTemplate
    void before(Logger logger, String message, Object[] args, Throwable t) {
        logger.fatal((Object)message, args, t);
    }
    
    @AfterTemplate
    void after(Logger logger, String message, Object[] args, Throwable t) {
        logger.fatalv(message, args, t);
    }
}

.

• org.openrewrite.java.logging.jboss.FormattedArgumentsToVMethodRecipes$InfoToVInfoRecipe: Recipe created for the following Refaster template:

public static class InfoToVInfo {
    
    @BeforeTemplate
    void before(Logger logger, String message, Object[] args) {
        logger.info(message, args);
    }
    
    @AfterTemplate
    void after(Logger logger, String message, Object[] args) {
        logger.infov(message, args);
    }
}

.

• org.openrewrite.java.logging.jboss.FormattedArgumentsToVMethodRecipes$InfoToVInfoWithThrowableRecipe: Recipe created for the following Refaster template:

public static class InfoToVInfoWithThrowable {
    
    @BeforeTemplate
    void before(Logger logger, String message, Object[] args, Throwable t) {
        logger.info((Object)message, args, t);
    }
    
    @AfterTemplate
    void after(Logger logger, String message, Object[] args, Throwable t) {
        logger.infov(message, args, t);
    }
}

.

• org.openrewrite.java.logging.jboss.FormattedArgumentsToVMethodRecipes$TraceToVTraceRecipe: Recipe created for the following Refaster template:

public static class TraceToVTrace {
    
    @BeforeTemplate
    void before(Logger logger, String message, Object[] args) {
        logger.trace(message, args);
    }
    
    @AfterTemplate
    void after(Logger logger, String message, Object[] args) {
        logger.tracev(message, args);
    }
}

.

• org.openrewrite.java.logging.jboss.FormattedArgumentsToVMethodRecipes$TraceToVTraceWithThrowableRecipe: Recipe created for the following Refaster template:

public static class TraceToVTraceWithThrowable {
    
    @BeforeTemplate
    void before(Logger logger, String message, Object[] args, Throwable t) {
        logger.trace((Object)message, args, t);
    }
    
    @AfterTemplate
    void after(Logger logger, String message, Object[] args, Throwable t) {
        logger.tracev(message, args, t);
    }
}

.

• org.openrewrite.java.logging.jboss.FormattedArgumentsToVMethodRecipes$WarnToVWarnRecipe: Recipe created for the following Refaster template:

public static class WarnToVWarn {
    
    @BeforeTemplate
    void before(Logger logger, String message, Object[] args) {
        logger.warn(message, args);
    }
    
    @AfterTemplate
    void after(Logger logger, String message, Object[] args) {
        logger.warnv(message, args);
    }
}

.

• org.openrewrite.java.logging.jboss.FormattedArgumentsToVMethodRecipes$WarnToVWarnWithThrowableRecipe: Recipe created for the following Refaster template:

public static class WarnToVWarnWithThrowable {
    
    @BeforeTemplate
    void before(Logger logger, String message, Object[] args, Throwable t) {
        logger.warn((Object)message, args, t);
    }
    
    @AfterTemplate
    void after(Logger logger, String message, Object[] args, Throwable t) {
        logger.warnv(message, args, t);
    }
}

.

• org.openrewrite.java.logging.jboss.JBossLoggingBestPractices: This recipe applies best practices for logging in JBoss applications. It includes converting argument arrays to varargs for better readability and performance.
• org.openrewrite.java.logging.jboss.LoggerLevelArgumentToMethod: Replace calls to Logger.log(Level, ...) with the corresponding eponymous level method calls. For example Logger.log(Level.INFO, ...) to Logger.info(...).
• org.openrewrite.java.logging.slf4j.AddJBossLogManagerSlf4jProviderDependency: When JBoss LogManager is the logging backend, add its SLF4J provider so we can migrate to SLF4J as a logging facade.
• org.openrewrite.java.logging.slf4j.JBossLoggingToSlf4j: Migrates usage of the JBoss Logging facade to using SLF4J.
• org.openrewrite.java.migrate.UpdateJakartaAnnotationsIfExistsForJakarta: Counteract the jakarta.annotation-api by updating to jakarta namespace
• org.openrewrite.java.migrate.UpdateJakartaAnnotationsIfForJavax: Counteract the jakarta.annotation-api by updating to jakarta namespace
• org.openrewrite.java.migrate.jakarta.RemoveJakartaAnnotationDependencyWhenManagedBySpringBoot: Best practice recipe to cleanup a direct dependency which also comes transitively for Spring Boot applications.
• org.openrewrite.java.migrate.lang.SwitchCaseAssignmentsToSwitchExpression: Switch statements for which each case is assigning a value to the same variable can be converted to a switch expression that returns the value of the variable. This is only applicable for Java 17 and later.
• org.openrewrite.java.migrate.lang.SwitchCaseReturnsToSwitchExpression: Switch statements where each case returns a value can be converted to a switch expression that returns the value directly.
• org.openrewrite.java.migrate.lang.SwitchExpressionYieldToArrow: Convert switch expressions with colon cases and yield statements to arrow syntax.
• org.openrewrite.java.migrate.lombok.AdoptLombokSetterMethodNames: Rename methods that are effectively setter to the name Lombok would give them. Limitations:

• If two methods in a class are effectively the same setter then one's name will be corrected and the others name will be left as it is.
• If the correct name for a method is already taken by another method then the name will not be corrected.
• Method name swaps or circular renaming within a class cannot be performed because the names block each other. E.g. int getFoo() { return ba; } int getBa() { return foo; } stays as it is.

• org.openrewrite.java.recipes.ReplaceNullWithDoesNotExist: Replace the first or second null argument in OpenRewrite Assertions class methods with RewriteTest.doesNotExist().
• org.openrewrite.java.recipes.UseRewriteTestDefaults: When all rewriteRun methods in a test class use the same RecipeSpec configuration, refactor to use the defaults method instead.
• org.openrewrite.maven.RemoveRedundantProperties: Remove properties when a parent POM specifies the same property.
• org.openrewrite.staticanalysis.MoveConditionsToWhile: Simplifies while (true) loops where the first statement is an if statement that only contains a break. The condition is inverted and moved to the loop condition for better readability.
• org.openrewrite.staticanalysis.PreferEqualityComparisonOverDifferenceCheck: Replace a - b == 0 with a == b, a - b != 0 with a != b, a - b < 0 with a < b, and similar transformations for all comparison operators to improve readability and avoid overflow issues.
• org.openrewrite.staticanalysis.PreferIncrementOperator: Prefer the use of increment and decrement operators (++, --, +=, -=) over their more verbose equivalents.
• org.openrewrite.staticanalysis.RemoveRedundantNullCheckBeforeLiteralEquals: Removes redundant null checks before equals() comparisons when the receiver is a literal string, since literals can never be null and equals() returns false for null arguments.
• org.openrewrite.staticanalysis.SimplifyBooleanExpressionWithDeMorgan: Applies De Morgan's laws to simplify boolean expressions with negation. Transforms !(a && b) to !a || !b and !(a || b) to !a && !b.
• org.openrewrite.staticanalysis.maven.MavenJavadocNonAsciiRecipe: Maven's javadoc-plugin configuration does not support non-ASCII characters. What makes it tricky is the error is very ambiguous and doesn't help in any way. This recipe removes those non-ASCII characters.
• org.openrewrite.xml.AddTagAttribute: Add new XML attribute with value on a specified element.

Removed Recipes

• io.moderne.cryptography.FindHardcodedAlgorithmChoice: Locate hardcoded algorithm choices in cryptographic code.
• io.moderne.cryptography.FindHardcodedAlgorithmSpecificParameters: Locate hardcoded algorithm specific parameters in cryptographic code.
• io.moderne.cryptography.FindHardcodedCertificate: Detects hardcoded PEM certificates passed into CertificateFactory.generateCertificate().
• io.moderne.cryptography.FindHardcodedCipherSuitesOnSslSocket: Detects hardcoded cipher suites in SSL socket configurations, which can lead to security vulnerabilities.
• io.moderne.cryptography.FindHardcodedCiphersuiteChoice: Locate hardcoded ciphersuite choices in cryptographic code.
• io.moderne.cryptography.FindHardcodedKeyPairGenerator: Detects hardcoded cryptographic algorithms.
• io.moderne.cryptography.FindHardcodedPrivateKey: Detects hardcoded PEM private keys passed into KeyFactory.generatePrivate().
• io.moderne.cryptography.FindHardcodedProtocolChoice: Locate hardcoded protocol choices in cryptographic code.
• io.moderne.cryptography.FindHardcodedProtocolsOnSSLSocketCreation: Finds hardcoded protocols in SSL socket creation methods, such as SSLContext.getInstance(String).
• io.moderne.cryptography.FindHardcodedProtocolsOnSSLSocketSetProtocols: Detects hardcoded protocol versions in SSL socket configurations, which can hinder adaptability and security.
• io.moderne.cryptography.FindHardcodedRSAKeyGenParameterSpec: It is usually insecure to pass hardcoded numbers passed into RSAKeyGenParameterSpec.
• io.moderne.cryptography.FindHardcodedSecretKeySpec: Detects hardcoded cryptographic algorithms.
• io.moderne.cryptography.FindInsecureSecuritySetProperties: Locate calls to Security.setProperty that set insecure properties.
• io.moderne.cryptography.FindSecurityProviderEditing: Locate programmatic edits of the Security provider list.
• io.moderne.cryptography.FindSslConfiguration: The configuration of Secure Socket Layer (SSL) and Transport Layer Security (TLS) is a key aspect of making a secure application. This recipe detects and enumerates these configurations.
• io.moderne.cryptography.FindSslContextDefault: This includes anywhere where SSLContext.setDefault is called.
• org.openrewrite.config.CompositeRecipe: A recipe that consists of a list of other recipes.
• org.openrewrite.gitlab.AddStages: Add or Update the set of stages defined in .gitlab-ci.yml.
• org.openrewrite.java.migrate.jakarta.RemoveJakartaAnnotationDependency: Counteract the jakarta.annotation-api added by org.openrewrite.java.migrate.javax.AddCommonAnnotationsDependencies for Spring Boot applications.
• org.openrewrite.staticanalysis.ReplaceStreamToListWithCollect: Replace Java 16 Stream.toList() with Java 11 Stream.collect(Collectors.toList()).
• software.amazon.awssdk.v2migration.ConstructorToFluent: A recipe that takes constructor arguments and moves them to the specified fluent setters on the object.

Changed Recipes

• org.openrewrite.gradle.ChangeDependency was changed:
  • Old Options:
    • newArtifactId: { type: String, required: false }
    • newGroupId: { type: String, required: false }
    • newVersion: { type: String, required: false }
    • oldArtifactId: { type: String, required: true }
    • oldGroupId: { type: String, required: true }
    • overrideManagedVersion: { type: Boolean, required: false }
    • versionPattern: { type: String, required: false }
  • New Options:
    • changeManagedDependency: { type: Boolean, required: false }
    • newArtifactId: { type: String, required: false }
    • newGroupId: { type: String, required: false }
    • newVersion: { type: String, required: false }
    • oldArtifactId: { type: String, required: true }
    • oldGroupId: { type: String, required: true }
    • overrideManagedVersion: { type: Boolean, required: false }
    • versionPattern: { type: String, required: false }
• org.openrewrite.java.AddCommentToMethodInvocations was changed:
  • Old Options:
    • comment: { type: String, required: true }
    • isMultiline: { type: Boolean, required: false }
    • methodPattern: { type: String, required: true }
  • New Options:
    • comment: { type: String, required: true }
    • methodPattern: { type: String, required: true }
• org.openrewrite.java.dependencies.search.ModuleHasDependency was changed:
  • Old Options:
    • artifactIdPattern: { type: String, required: true }
    • groupIdPattern: { type: String, required: true }
    • scope: { type: String, required: false }
    • version: { type: String, required: false }
  • New Options:
    • artifactIdPattern: { type: String, required: true }
    • groupIdPattern: { type: String, required: true }
    • invertMarking: { type: Boolean, required: false }
    • scope: { type: String, required: false }
    • version: { type: String, required: false }
• org.openrewrite.java.dependencies.DependencyVulnerabilityCheck was changed:
  • Old Options:
    • maximumUpgradeDelta: { type: UpgradeDelta, required: false }
    • overrideTransitive: { type: Boolean, required: false }
    • preferDirectUpgrade: { type: Boolean, required: false }
    • scope: { type: String, required: false }
  • New Options:
    • maximumUpgradeDelta: { type: UpgradeDelta, required: false }
    • overrideTransitive: { type: Boolean, required: false }
    • scope: { type: String, required: false }
• org.openrewrite.maven.UpdateScmFromGitOrigin was changed:
  • Old Options:
    • None
  • New Options:
    • addIfMissing: { type: Boolean, required: false }
• org.openrewrite.yaml.CoalesceProperties was changed:
  • Old Options:
    • None
  • New Options:
    • applyTo: { type: List, required: true }
    • exclusions: { type: List, required: true }