8.79.1 release (2026-04-09)

Total recipe count: 4240

info

This changelog only shows what recipes have been added, removed, or changed. OpenRewrite may do releases that do not include these types of changes. To see these changes, please go to the releases page.

Corresponding CLI version

• Stable CLI version v3.57.16
• Staging CLI version: v3.57.16

Removed Artifacts

• rewrite-csharp
• rewrite-dropwizard

New Recipes

• io.quarkus.updates.core.quarkus330.RenameEnableMetrics:
• org.openrewrite.apache.commons.lang.DefaultIfBlankToJdk: Replace StringUtils#defaultIfBlank(s, fallback) with s == null || s.isBlank() ? fallback : s.
• org.openrewrite.apache.commons.lang.IsBlankToJdk: Replace any StringUtils#isBlank(String) and #isNotBlank(String) with s == null || s.isBlank() and s != null && !s.isBlank().
• org.openrewrite.github.security.AnonymousJobs: Find jobs that lack descriptive names, making them harder to identify in workflow runs. Jobs without name properties default to their job ID, which may not be descriptive. Based on zizmor's anonymous-definition audit.
• org.openrewrite.github.security.ArtifactSecurity: Find workflows that may persist credentials through artifact uploads. This occurs when checkout actions don't disable credential persistence and upload actions include sensitive paths that may contain credentials, SSH keys, or configuration files. Based on zizmor's artipacked audit.
• org.openrewrite.github.security.BotConditions: Find workflow conditions that check for bot actors in ways that can be spoofed. Bot actor names (like dependabot[bot]) can be easily spoofed by creating accounts with similar names. Use actor_id with numeric comparison instead for secure bot validation. Based on zizmor's bot-conditions audit.
• org.openrewrite.github.security.CachePoisoning: Detects potential cache poisoning vulnerabilities in workflows that use caching and publish artifacts. When workflows use caches during artifact publishing, attackers may be able to poison the cache with malicious content that gets included in published artifacts. Based on zizmor's cache-poisoning audit.
• org.openrewrite.github.security.DangerousTriggers: Detects use of fundamentally insecure workflow triggers like pull_request_target and workflow_run. These triggers run with elevated privileges and are almost always used insecurely, potentially allowing code injection from untrusted sources. Based on zizmor's dangerous-triggers audit.
• org.openrewrite.github.security.ExcessivePermissions: Find overly broad permissions in GitHub Actions workflows. Flags 'write-all' permissions and excessive write permissions that could be scoped more narrowly for security. Based on zizmor's excessive-permissions audit.
• org.openrewrite.github.security.ForbiddenUses: Find usage of forbidden or dangerous GitHub Actions that have known security vulnerabilities or follow suspicious patterns. Based on zizmor's forbidden-uses audit.
• org.openrewrite.github.security.GitHubEnv: Detects dangerous usage of GITHUB_ENV and GITHUB_PATH environment files in workflows with risky triggers like pull_request_target or workflow_run. Writing to these files can allow code injection when the content includes user-controlled data. Based on zizmor's github-env audit.
• org.openrewrite.github.security.HardcodedCredentials: Detects hardcoded credentials in GitHub Actions container configurations. Container registry passwords should use secrets instead of hardcoded values. Based on zizmor's hardcoded-container-credentials audit.
• org.openrewrite.github.security.InsecureCommands: Detects when insecure workflow commands are enabled via ACTIONS_ALLOW_UNSECURE_COMMANDS. This environment variable enables dangerous workflow commands that can lead to code injection vulnerabilities. Based on zizmor's insecure-commands audit.
• org.openrewrite.github.security.Obfuscation: Find workflows that use obfuscated action references or expressions that may be attempting to hide malicious behavior. This includes action paths with '.', '..', empty components, or expressions that use quote manipulation to hide their true intent. Based on zizmor's obfuscation audit.
• org.openrewrite.github.security.RefVersionMismatch: Find GitHub Actions that are pinned to commit SHAs but have version comments that may not match the actual pinned version. This can lead to confusion about which version is actually being used and potential security issues if the comment misleads developers about the pinned version. Based on zizmor's ref-version-mismatch audit.
• org.openrewrite.github.security.SecretsInherit: Detects when reusable workflows unconditionally inherit all parent secrets via secrets: inherit. This practice can lead to over-privileged workflows and potential secret exposure to called workflows that may not need access to all secrets. Consider explicitly passing only required secrets. Based on zizmor's secrets-inherit audit.
• org.openrewrite.github.security.SelfHostedRunner: Find workflows that use self-hosted runners, which may have security implications in public repositories due to potential persistence between workflow runs and lack of isolation. Self-hosted runners should be properly secured and ideally ephemeral. Based on zizmor's self-hosted-runner audit.
• org.openrewrite.github.security.TemplateInjection: Find GitHub Actions workflows vulnerable to template injection attacks. These occur when user-controllable input (like pull request titles, issue bodies, or commit messages) is used directly in run commands or script inputs without proper escaping. Attackers can exploit this to execute arbitrary code. Based on zizmor's template-injection audit.
• org.openrewrite.github.security.TrustedPublishing: Find workflows that use manual credentials for publishing instead of OIDC trusted publishing. Trusted publishing eliminates the need for long-lived API tokens and provides better security through short-lived, automatically-rotated tokens. Based on zizmor's use-trusted-publishing audit.
• org.openrewrite.github.security.UndocumentedPermissions: Add documentation comments for permissions blocks in GitHub Actions workflows. Documenting permissions helps reviewers understand why specific permissions are needed and ensures security-conscious development practices. Based on zizmor's undocumented-permissions audit.
• org.openrewrite.github.security.UnpinnedActions: Pin GitHub Actions to specific commit SHAs for security and reproducibility. Actions pinned to tags or branches can be changed by the action author, while SHA pins are immutable. Based on zizmor's unpinned-uses audit.
• org.openrewrite.github.security.UnpinnedDockerImages: Pin Docker images to specific digest hashes for security and reproducibility. Images pinned to tags can be changed by the image author, while digest pins are immutable. Based on zizmor's unpinned-images audit.
• org.openrewrite.gradle.SortDependencies: Sort dependencies in build.gradle and build.gradle.kts files. Dependencies are sorted alphabetically by configuration name (e.g. api, implementation), then by groupId, then by artifactId.
• org.openrewrite.gradle.SyncGradleExtPropertiesWithBom: Downloads a BOM and compares its properties against Gradle ext properties. When the BOM defines a higher version for a property, the ext property is updated to match (or removed if removeRedundantOverrides is enabled).
• org.openrewrite.gradle.UseAssignmentForPropertySyntax: Converts deprecated Groovy DSL property assignment syntax from space/method-call form (e.g., description 'text' or description('text')) to assignment form (description = 'text') for well-known Gradle project and task properties. See the Gradle 8.14 upgrade guide for more information.
• org.openrewrite.gradle.UsePropertyAssignmentSyntax: Converts deprecated Groovy DSL property assignment syntax from space/method-call form (e.g., description 'text' or description('text')) to assignment form (description = 'text'). Addresses Gradle 8.14 deprecation: "Properties should be assigned using the 'propName = value' syntax.".
• org.openrewrite.java.jackson.AddMissingJacksonDependencies: Adds Jackson dataformat dependencies when code uses types from their packages but the dependency is not declared. For example, adds jackson-dataformat-xml when code uses XmlMapper.
• org.openrewrite.java.jackson.CommentOutSimpleModuleMethodCalls: In Jackson 3, some modules (e.g. JodaModule) no longer extend SimpleModule and instead extend JacksonModule directly. This means methods like addSerializer() and addDeserializer() are no longer available on these types. This recipe adds a TODO comment to flag these call sites for manual migration.
• org.openrewrite.java.jackson.ReplacePropertyNamingStrategyConstants: Replace usages of deprecated PropertyNamingStrategy inner classes and constants with their PropertyNamingStrategies equivalents, introduced in Jackson 2.12.
• org.openrewrite.java.jackson.UpdateAutoDetectVisibilityConfiguration: In Jackson 3, auto-detection MapperFeature flags like AUTO_DETECT_FIELDS are removed. Use changeDefaultVisibility() on the builder instead.
• org.openrewrite.java.migrate.UpgradeBuildToJava24: Kotlin versions before 2.3 only support up to Java 24.
• org.openrewrite.java.migrate.UpgradeBuildToJava25: Upgrades build files to Java 25 for projects without Kotlin <2.3.
• org.openrewrite.java.migrate.jspecify.MoveAnnotationToArrayType: When an annotation like @Nullable is applied to an array type in declaration position, this recipe moves it to the array brackets. For example, @Nullable byte[] becomes byte @Nullable[]. Best used before ChangeType in a migration pipeline, targeting the pre-migration annotation type.
• org.openrewrite.java.migrate.util.MigrateCollectionsEmptyList: Prefer List.of() instead of using Collections.emptyList() in Java 9 or higher.
• org.openrewrite.java.migrate.util.MigrateCollectionsEmptyMap: Prefer Map.of() instead of using Collections.emptyMap() in Java 9 or higher.
• org.openrewrite.java.migrate.util.MigrateCollectionsEmptySet: Prefer Set.of() instead of using Collections.emptySet() in Java 9 or higher.
• org.openrewrite.java.netty.upgrade.3_2_to_4_1.ChannelSetReadableToAutoRead: Replaces channel.setReadable(x) with channel.config().setAutoRead(x).
• org.openrewrite.java.netty.upgrade.3_2_to_4_1.RemoveChannelStateEventParameter: Removes ChannelStateEvent parameters from Netty channel handler method declarations, as Netty 4 handler methods no longer take this parameter.
• org.openrewrite.java.netty.upgrade.3_2_to_4_1.ReplaceChannelsFireMessageReceived: Replaces Netty 3 Channels.fireMessageReceived(channel, message) with Netty 4 ctx.fireChannelRead(message).
• org.openrewrite.java.netty.upgrade.3_2_to_4_1.StringEncoderToStandardCharsets: Replaces new StringEncoder(charsetName) with new StringEncoder(StandardCharsets.<constant>) for all standard charsets (US-ASCII, ISO-8859-1, UTF-8, UTF-16BE, UTF-16LE, UTF-16).
• org.openrewrite.java.recipes.UseJavaTemplateStaticApply: Replaces JavaTemplate.builder(template).build().apply(cursor, coordinates, args...) with JavaTemplate.apply(template, cursor, coordinates, args...) when the builder chain has no intermediate configuration methods.
• org.openrewrite.java.spring.data.MigratePagingAndSortingRepository: In Spring Data 3.0, PagingAndSortingRepository no longer extends CrudRepository. Interfaces that extend only PagingAndSortingRepository must also explicitly extend CrudRepository to retain CRUD methods like save(), findById(), and delete().
• org.openrewrite.java.spring.data.UpgradeSpringData_3_0: Migrate applications to Spring Data 3.0. Handles the PagingAndSortingRepository hierarchy change where it no longer extends CrudRepository, and chains prior deprecation fixes from Spring Data 2.7.
• org.openrewrite.java.testing.cleanup.AssertEqualsIntegralDeltaToAssertEquals: Remove the delta argument from assertEquals() when both expected and actual are int or long types, since the delta is meaningless for exact integer comparison. Integer arguments get unnecessarily upcasted to double when a delta is provided.
• org.openrewrite.java.testing.mockito.PowerMockWhiteboxToJavaReflection: Replace org.powermock.reflect.Whitebox calls (setInternalState, getInternalState, invokeMethod) with plain Java reflection using java.lang.reflect.Field and java.lang.reflect.Method.
• org.openrewrite.java.testing.mockito.PowerMockitoDoStubbingToMockito: Replaces PowerMockito's private method stubbing pattern doNothing().when(instance, "methodName", args...) with the standard Mockito pattern doNothing().when(instance).methodName(args...).
• org.openrewrite.java.testing.mockito.RemoveDoNothingForDefaultMocks: Remove unnecessary doNothing() stubbings for void methods on @Mock fields. Mockito mocks already do nothing for void methods by default, making these stubbings redundant and triggering strict stubbing violations in Mockito 3+.
• org.openrewrite.java.testing.mockito.RemovePowerMockClassExtensions: Removes extends PowerMockConfiguration and extends PowerMockTestCase from test classes, as these are PowerMock-specific base classes not needed with Mockito.
• org.openrewrite.java.testing.mockito.ThenThrowCheckedExceptionToRuntimeException: In Mockito 3+, thenThrow() validates that checked exceptions are declared in the mocked method's throws clause. This recipe replaces checked exception class literals in thenThrow() calls with RuntimeException.class when the mocked method does not declare the exception.
• org.openrewrite.java.testing.testcontainers.MigrateToOracleFree: Oracle Database Free is the successor of Oracle XE. Migrate from org.testcontainers:oracle-xe to org.testcontainers:oracle-free.
• org.openrewrite.java.testing.wiremock.UpgradeWiremockDependencyVersion: Migrate WireMock dependencies from the old com.github.tomakehurst coordinates to the new org.wiremock coordinates. WireMock 3.x changed its Maven coordinates and requires Java 11 or higher. Old 2.x versions contain CVE-2023-44487.
• org.openrewrite.maven.SortDependencies: Sort dependencies alphabetically by groupId then artifactId. Test-scoped dependencies are sorted after non-test dependencies. Applies to both <dependencies> and <dependencyManagement> sections.
• org.openrewrite.netty.UpgradeNetty_3_2_to_4_1: Migrate applications to the latest Netty 4.1.x release.

Removed Recipes

• org.openrewrite.github.security.AnonymousJobsRecipe: Find jobs that lack descriptive names, making them harder to identify in workflow runs. Jobs without name properties default to their job ID, which may not be descriptive. Based on zizmor's anonymous-definition audit.
• org.openrewrite.github.security.ArtifactSecurityRecipe: Find workflows that may persist credentials through artifact uploads. This occurs when checkout actions don't disable credential persistence and upload actions include sensitive paths that may contain credentials, SSH keys, or configuration files. Based on zizmor's artipacked audit.
• org.openrewrite.github.security.BotConditionsRecipe: Find workflow conditions that check for bot actors in ways that can be spoofed. Bot actor names (like dependabot[bot]) can be easily spoofed by creating accounts with similar names. Use actor_id with numeric comparison instead for secure bot validation. Based on zizmor's bot-conditions audit.
• org.openrewrite.github.security.CachePoisoningRecipe: Detects potential cache poisoning vulnerabilities in workflows that use caching and publish artifacts. When workflows use caches during artifact publishing, attackers may be able to poison the cache with malicious content that gets included in published artifacts. Based on zizmor's cache-poisoning audit.
• org.openrewrite.github.security.DangerousTriggersRecipe: Detects use of fundamentally insecure workflow triggers like pull_request_target and workflow_run. These triggers run with elevated privileges and are almost always used insecurely, potentially allowing code injection from untrusted sources. Based on zizmor's dangerous-triggers audit.
• org.openrewrite.github.security.ExcessivePermissionsRecipe: Find overly broad permissions in GitHub Actions workflows. Flags 'write-all' permissions and excessive write permissions that could be scoped more narrowly for security. Based on zizmor's excessive-permissions audit.
• org.openrewrite.github.security.ForbiddenUsesRecipe: Find usage of forbidden or dangerous GitHub Actions that have known security vulnerabilities or follow suspicious patterns. Based on zizmor's forbidden-uses audit.
• org.openrewrite.github.security.GitHubEnvRecipe: Detects dangerous usage of GITHUB_ENV and GITHUB_PATH environment files in workflows with risky triggers like pull_request_target or workflow_run. Writing to these files can allow code injection when the content includes user-controlled data. Based on zizmor's github-env audit.
• org.openrewrite.github.security.HardcodedCredentialsRecipe: Detects hardcoded credentials in GitHub Actions container configurations. Container registry passwords should use secrets instead of hardcoded values. Based on zizmor's hardcoded-container-credentials audit.
• org.openrewrite.github.security.InsecureCommandsRecipe: Detects when insecure workflow commands are enabled via ACTIONS_ALLOW_UNSECURE_COMMANDS. This environment variable enables dangerous workflow commands that can lead to code injection vulnerabilities. Based on zizmor's insecure-commands audit.
• org.openrewrite.github.security.ObfuscationRecipe: Find workflows that use obfuscated action references or expressions that may be attempting to hide malicious behavior. This includes action paths with '.', '..', empty components, or expressions that use quote manipulation to hide their true intent. Based on zizmor's obfuscation audit.
• org.openrewrite.github.security.RefVersionMismatchRecipe: Find GitHub Actions that are pinned to commit SHAs but have version comments that may not match the actual pinned version. This can lead to confusion about which version is actually being used and potential security issues if the comment misleads developers about the pinned version. Based on zizmor's ref-version-mismatch audit.
• org.openrewrite.github.security.SecretsInheritRecipe: Detects when reusable workflows unconditionally inherit all parent secrets via secrets: inherit. This practice can lead to over-privileged workflows and potential secret exposure to called workflows that may not need access to all secrets. Consider explicitly passing only required secrets. Based on zizmor's secrets-inherit audit.
• org.openrewrite.github.security.SelfHostedRunnerRecipe: Find workflows that use self-hosted runners, which may have security implications in public repositories due to potential persistence between workflow runs and lack of isolation. Self-hosted runners should be properly secured and ideally ephemeral. Based on zizmor's self-hosted-runner audit.
• org.openrewrite.github.security.TemplateInjectionRecipe: Find GitHub Actions workflows vulnerable to template injection attacks. These occur when user-controllable input (like pull request titles, issue bodies, or commit messages) is used directly in run commands or script inputs without proper escaping. Attackers can exploit this to execute arbitrary code. Based on zizmor's template-injection audit.
• org.openrewrite.github.security.TrustedPublishingRecipe: Find workflows that use manual credentials for publishing instead of OIDC trusted publishing. Trusted publishing eliminates the need for long-lived API tokens and provides better security through short-lived, automatically-rotated tokens. Based on zizmor's use-trusted-publishing audit.
• org.openrewrite.github.security.UndocumentedPermissionsRecipe: Add documentation comments for permissions blocks in GitHub Actions workflows. Documenting permissions helps reviewers understand why specific permissions are needed and ensures security-conscious development practices. Based on zizmor's undocumented-permissions audit.
• org.openrewrite.github.security.UnpinnedActionsRecipe: Pin GitHub Actions to specific commit SHAs for security and reproducibility. Actions pinned to tags or branches can be changed by the action author, while SHA pins are immutable. Based on zizmor's unpinned-uses audit.
• org.openrewrite.github.security.UnpinnedDockerImagesRecipe: Pin Docker images to specific digest hashes for security and reproducibility. Images pinned to tags can be changed by the image author, while digest pins are immutable. Based on zizmor's unpinned-images audit.
• org.openrewrite.java.spring.data.UseJpaRepositoryDeleteAllInBatch: JpaRepository#deleteInBatch(Iterable) was deprecated in 2.5.
• org.openrewrite.java.spring.data.UseJpaRepositoryGetById: JpaRepository#getOne(ID) was deprecated in 2.5.
• org.openrewrite.java.spring.data.UseJpaRepositoryGetReferenceById: JpaRepository#getOne(ID) was deprecated in 2.5 and JpaRepository#getById(ID) was deprecated in 2.7.

Changed Recipes

• org.openrewrite.javascript.dependencies.upgrade-dependency-version was changed:
  • Old Options:
    • newVersion: { type: String, required: true }
    • packageName: { type: String, required: true }
  • New Options:
    • newVersion: { type: String, required: true }
    • packageName: { type: String, required: false }
    • packagePattern: { type: String, required: false }
• org.openrewrite.properties.AddProperty was changed:
  • Old Options:
    • comment: { type: String, required: false }
    • delimiter: { type: String, required: false }
    • orderedInsertion: { type: Boolean, required: false }
    • property: { type: String, required: true }
    • value: { type: String, required: true }
  • New Options:
    • comment: { type: String, required: false }
    • delimiter: { type: String, required: false }
    • insertMode: { type: InsertMode, required: false }
    • insertProperty: { type: String, required: false }
    • orderedInsertion: { type: Boolean, required: false }
    • property: { type: String, required: true }
    • value: { type: String, required: true }