chore(deps): update dependency org.mock-server:mockserver-netty-no-dependencies to v6.1.0 #2145

Merged
renovate[bot] merged 1 commit into main from renovate/org.mock-server-mockserver-netty-no-dependencies-6.x
May 28, 2026


@renovate renovate Bot commented May 27, 2026

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| org.mock-server:mockserver-netty-no-dependencies (source) | 6.0.0 → 6.1.0 | age | confidence |

Release Notes

mock-server/mockserver-monorepo (org.mock-server:mockserver-netty-no-dependencies)

v6.1.0

Security
  • SSRF protection for forward and forward-template actions: new mockserver.forwardProxyBlockPrivateNetworks property (default false for backwards compatibility) rejects forward targets that resolve to loopback, link-local, RFC 1918 private, or cloud metadata addresses (e.g. 169.254.169.254). Enable in hardened or multi-tenant deployments where untrusted callers can register expectations. A future major release is expected to flip the default to true.
  • ReDoS protection in regex matchers: regex evaluation now runs on a shared cached daemon-thread pool with a configurable timeout mockserver.regexMatchingTimeoutMillis (default 5000ms). Patterns that exceed the budget are treated as non-matches and a WARN log entry is written, so a pathological pattern cannot wedge a Netty worker.
  • XPath DoS protection: XPath evaluation in body matching now uses the same shared timeout executor with mockserver.xpathMatchingTimeoutMillis (default 5000ms).
  • Cryptographically secure randomness: UUIDService and TemplateFunctions now use SecureRandom instead of java.util.Random for UUID generation, rand_int/rand_int_10/rand_int_100, and rand_bytes template helpers.
  • Loud insecure-mode warning logs at startup / SSL-context init: a WARN is emitted when (a) the forward proxy trusts all TLS certificates (forwardProxyTLSX509CertificatesTrustManagerType=ANY), (b) Velocity class loading is enabled (velocityDisallowClassLoading=false), (c) JavaScript templates have no class restrictions (javascriptDisallowedClasses empty), or (d) tlsProtocols includes the deprecated TLSv1 / TLSv1.1.
  • mockserver.tlsAllowInsecureProtocols configuration property (default true for backwards compatibility): when set to false, any TLSv1 or TLSv1.1 entries in mockserver.tlsProtocols are filtered out before the SSL context is built, giving users an opt-in hardened TLS profile without having to rewrite their existing tlsProtocols value. A future major release is expected to flip this default to false.
Added
  • First-class LLM and agent mocking: new httpLlmResponse action type lets you mock LLM provider APIs at the semantic level — describe the model's reply (text, tool calls, stop reason, usage) and MockServer produces the byte-correct provider wire format. Supports all 7 major providers: Anthropic Messages, OpenAI Chat Completions, OpenAI Responses, Google Gemini, AWS Bedrock, Azure OpenAI, and Ollama. Non-streaming responses return provider-correct JSON; streaming responses generate the full SSE event sequence (e.g. message_start through message_stop for Anthropic, chat.completion.chunk with finish_reason for OpenAI) with configurable timing physics (timeToFirstToken, tokensPerSecond, jitter). OpenAI embeddings are also supported with deterministic vector generation via deterministicFromInput().
  • Conversation-aware matchers for multi-turn agent testing: whenTurnIndex(n), whenLatestMessageContains(text), whenLatestMessageRole(role), and whenContainsToolResultFor(toolName) predicates match against the parsed messages array in the inbound request body, enabling scripted multi-turn conversations where turn 1 returns a tool_use and turn 2 (after the agent sends a tool_result) returns the final answer. All predicates compose with AND semantics and integrate with the scenario state machine for automatic turn advancement.
  • Per-session conversation isolation via isolateBy(header("x-session-id")), isolateBy(queryParameter("agent")), or isolateBy(cookie("sid")): each unique value of the configured attribute gets independent scenario state, so concurrent agents sharing the same mocked endpoint do not interfere. Missing attributes fall back to shared state gracefully.
  • mock_llm_completion MCP tool: set up a single-turn LLM expectation from the MCP control plane, specifying provider, path, model, text, tool calls, and streaming mode
  • create_llm_conversation MCP tool: build a multi-turn scenario-chained LLM conversation with optional per-session isolation from the MCP control plane; returns the generated scenario name and per-turn state values
  • LLM Response badge in the dashboard expectation row showing provider, model, and text preview; Conversation view extended with a scripted-turns panel
  • mockserver.maxLlmConversationBodySize configuration property (default 1 MiB; clamped to 16 KiB - 64 MiB; env var MOCKSERVER_MAX_LLM_CONVERSATION_BODY_SIZE): request bodies larger than this limit skip conversation-aware parsing and are treated as no-match, preventing DoS via oversized JSON payloads
  • Custom json-unit matcher support for JSON body matching: implement org.mockserver.matchers.CustomJsonUnitMatcherProvider and point mockserver.customJsonUnitMatchersClass at it to register named Hamcrest matchers that JSON body expectations can reference via the ${json-unit.matches:name} placeholder (e.g. { "price": "${json-unit.matches:largerThan}" }); misconfigured providers are logged at WARN and ignored, so matching never fails because of an unloadable extension (fixes #2279)
  • http2Enabled configuration property to disable HTTP/2: when set to false ALPN no longer advertises h2 (and h2c is not detected) so HTTP/2 capable clients fall back to HTTP/1.1
  • Agent-friendly mismatch diagnostics: explain_unmatched_requests MCP tool and PUT /mockserver/explainUnmatched REST endpoint return recent requests that matched no expectation, each with ranked closest-expectation diffs and actionable remediation hints (e.g., "use method POST not GET", "add missing header Authorization"); debug_request_mismatch results are now ranked by closeness and include remediation hints; new mockserver://unmatched MCP resource
  • create_expectations_from_recorded_traffic MCP tool: converts traffic recorded by MockServer's forwarding/proxy mode into active mock expectations in one call, enabling an "observe then mock" workflow; supports method/path filtering and preview mode to inspect expectations before activating them
  • OpenAPI contract verification MCP tools: verify_traffic_against_openapi validates recorded request-response pairs against an OpenAPI spec (passive conformance checking); run_contract_test sends example requests derived from an OpenAPI spec to a running service and validates the responses (active contract testing); both return structured per-operation pass/fail results with validation errors
  • OpenAPI resiliency testing MCP tool: run_resiliency_test sends deliberately malformed and boundary-case requests derived from an OpenAPI spec to a running service (omitting required fields, type violations, numeric/string boundary violations, oversized strings, malformed JSON) and classifies each outcome as HANDLED (4xx) or UNEXPECTED (5xx/2xx/error); returns per-mutation results with operation summaries
  • Deterministic LLM record/replay: record_llm_fixtures MCP tool snapshots LLM/MCP traffic recorded through MockServer's forwarding proxy into a committable JSON fixture file with secrets automatically redacted (Authorization, api-key, Cookie, etc.); SSE streaming responses (Anthropic, OpenAI, etc.) are converted to HttpSseResponse actions for faithful event-by-event replay; load_expectations_from_file MCP tool loads fixture files as active expectations for offline, deterministic, zero-cost test replay
Changed
  • BREAKING Inbound HTTP/1.1 and HTTP/2 request bodies are now capped at 10 MiB by default (mockserver.maxRequestBodySize). Previously unbounded. Requests larger than the limit are rejected with 413 Payload Too Large. Raise the limit (e.g. -Dmockserver.maxRequestBodySize=52428800) if you intentionally mock large uploads.
  • BREAKING Upstream response bodies received when MockServer is acting as a proxy or forwarder are now capped at 50 MiB by default (mockserver.maxResponseBodySize). Previously unbounded. Raise if you forward to services that legitimately return larger payloads.
  • Each published JAR (including the -no-dependencies shaded artifacts) now declares a stable Automatic-Module-Name in its MANIFEST.MF, so downstream JPMS consumers can requires MockServer modules with names that no longer change with each version: org.mockserver.core (mockserver-core), org.mockserver.client (mockserver-client-java), org.mockserver.netty (mockserver-netty), org.mockserver.test (mockserver-testing), org.mockserver.testing (mockserver-integration-testing), org.mockserver.junit.rule (mockserver-junit-rule), org.mockserver.junit.jupiter (mockserver-junit-jupiter), org.mockserver.springtest (mockserver-spring-test-listener), org.mockserver.examples (mockserver-examples), org.mockserver.maven (mockserver-maven-plugin); each *-no-dependencies shaded variant shares its unshaded counterpart's module name and is an alternative packaging (place only one on the JPMS module path)
Fixed
  • Dynamic CA / SSL certificate generation no longer fails when dynamicallyCreateCertificateAuthorityCertificate=true (or any auto-generated server certificate path) is used: the four Configuration fluent setters for certificateAuthorityCertificate, certificateAuthorityPrivateKey, privateKeyPath, and x509CertificatePath no longer file-existence-check at set-time, because the internal generator sets these to the destination path before the file is written. User-supplied path typos are still surfaced by CertificateConfigurationValidator at TLS-init time.
  • HTTP/2 requests through the HTTPS CONNECT forward proxy no longer hang and emit a GOAWAY after ~30s; the internal relay now negotiates HTTP/1.1 or HTTP/2 per connection via ALPN instead of mismatching its TLS layer and codec (fixes #2260)
  • Docker image and standalone executable JAR produced no log output because the shaded server JAR did not include an SLF4J logging provider (fixes #2097)
  • *-no-dependencies shaded artifacts leaked their un-shaded source module (and its transitive dependencies) onto consumers' classpaths; these artifacts are now truly dependency-free

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
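The ReDoS note in the release notes above (evaluate on a daemon-thread pool, time out, treat as non-match, log a WARN) can be sketched as follows. This is an added example, not MockServer's code: `BoundedRegexMatcher` and `InterruptibleInput` are hypothetical names, `System.err` stands in for a logger, and the interrupt-checking `CharSequence` is an assumption about how to make the cancelled worker actually stop.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.regex.Pattern;

public class BoundedRegexMatcher {

    // Shared cached pool of daemon threads: a runaway match never blocks JVM exit
    // and never runs on the caller's (e.g. I/O worker) thread.
    private static final ExecutorService POOL = Executors.newCachedThreadPool(r -> {
        Thread t = new Thread(r, "regex-matcher");
        t.setDaemon(true);
        return t;
    });

    /** java.util.regex ignores interrupts, so check for one on every character read. */
    private static final class InterruptibleInput implements CharSequence {
        private final CharSequence inner;
        InterruptibleInput(CharSequence inner) { this.inner = inner; }
        @Override public char charAt(int index) {
            if (Thread.currentThread().isInterrupted()) {
                throw new IllegalStateException("regex evaluation cancelled");
            }
            return inner.charAt(index);
        }
        @Override public int length() { return inner.length(); }
        @Override public CharSequence subSequence(int start, int end) {
            return new InterruptibleInput(inner.subSequence(start, end));
        }
        @Override public String toString() { return inner.toString(); }
    }

    /** Returns false (non-match) when evaluation exceeds timeoutMillis or the pattern is invalid. */
    public static boolean matches(String regex, String input, long timeoutMillis) {
        Callable<Boolean> task =
            () -> Pattern.compile(regex).matcher(new InterruptibleInput(input)).matches();
        Future<Boolean> result = POOL.submit(task);
        try {
            return result.get(timeoutMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            result.cancel(true); // interrupts the worker; its next charAt() throws
            System.err.println("WARN regex exceeded " + timeoutMillis
                + "ms and was treated as a non-match: " + regex);
            return false;
        } catch (InterruptedException e) {
            result.cancel(true);
            Thread.currentThread().interrupt(); // preserve the caller's interrupt status
            return false;
        } catch (ExecutionException e) {
            return false; // e.g. PatternSyntaxException from an invalid pattern
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: an ordinary pattern, then a nested-quantifier pattern
        // of the kind that can backtrack heavily on a non-matching tail.
        System.out.println(matches("a+b", "aaab", 5000));
        System.out.println(matches("(x+x+)+y", "x".repeat(40), 200));
    }
}
```

Without the interruptible wrapper, `cancel(true)` still unblocks the caller, but the pool thread keeps burning CPU until the match finishes on its own.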

@renovate renovate Bot requested review from dhoard, fstab and zeitlinger as code owners May 27, 2026 11:12
@renovate renovate Bot added the dependencies Pull requests that update a dependency file label May 27, 2026
@renovate renovate Bot requested a review from jaydeluca as a code owner May 27, 2026 11:12
@renovate renovate Bot enabled auto-merge (squash) May 27, 2026 11:12
@renovate renovate Bot force-pushed the renovate/org.mock-server-mockserver-netty-no-dependencies-6.x branch 2 times, most recently from 4e3dcc0 to 50d8d51 Compare May 28, 2026 06:37
@renovate renovate Bot force-pushed the renovate/org.mock-server-mockserver-netty-no-dependencies-6.x branch from 50d8d51 to ad1fd86 Compare May 28, 2026 06:38
@renovate renovate Bot merged commit 5491fba into main May 28, 2026
17 checks passed
@renovate renovate Bot deleted the renovate/org.mock-server-mockserver-netty-no-dependencies-6.x branch May 28, 2026 12:25
jaydeluca pushed a commit that referenced this pull request Jun 4, 2026
…pendencies to v6.1.0 (#2145)

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [org.mock-server:mockserver-netty-no-dependencies](https://www.mock-server.com) ([source](https://redirect.github.com/mock-server/mockserver-monorepo)) | `6.0.0` → `6.1.0` | ![age](https://developer.mend.io/api/mc/badges/age/maven/org.mock-server:mockserver-netty-no-dependencies/6.1.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/org.mock-server:mockserver-netty-no-dependencies/6.0.0/6.1.0?slim=true) |

---

### Release Notes

<details>
<summary>mock-server/mockserver-monorepo
(org.mock-server:mockserver-netty-no-dependencies)</summary>

### [`v6.1.0`](https://redirect.github.com/mock-server/mockserver-monorepo/blob/HEAD/changelog.md#610---2026-05-27)

##### Security

- SSRF protection for forward and forward-template actions: new
`mockserver.forwardProxyBlockPrivateNetworks` property (default `false`
for backwards compatibility) rejects forward targets that resolve to
loopback, link-local, RFC 1918 private, or cloud metadata addresses
(e.g. `169.254.169.254`). Enable in hardened or multi-tenant deployments
where untrusted callers can register expectations. A future major
release is expected to flip the default to `true`.
- ReDoS protection in regex matchers: regex evaluation now runs on a
shared cached daemon-thread pool with a configurable timeout
`mockserver.regexMatchingTimeoutMillis` (default `5000`ms). Patterns
that exceed the budget are treated as non-matches and a WARN log entry
is written, so a pathological pattern cannot wedge a Netty worker.
- XPath DoS protection: XPath evaluation in body matching now uses the
same shared timeout executor with
`mockserver.xpathMatchingTimeoutMillis` (default `5000`ms).
- Cryptographically secure randomness: `UUIDService` and
`TemplateFunctions` now use `SecureRandom` instead of `java.util.Random`
for UUID generation, `rand_int`/`rand_int_10`/`rand_int_100`, and
`rand_bytes` template helpers.
- Loud insecure-mode warning logs at startup / SSL-context init: a WARN
is emitted when (a) the forward proxy trusts all TLS certificates
(`forwardProxyTLSX509CertificatesTrustManagerType=ANY`), (b) Velocity
class loading is enabled (`velocityDisallowClassLoading=false`), (c)
JavaScript templates have no class restrictions
(`javascriptDisallowedClasses` empty), or (d) `tlsProtocols` includes
the deprecated TLSv1 / TLSv1.1.
- `mockserver.tlsAllowInsecureProtocols` configuration property (default
`true` for backwards compatibility): when set to `false`, any `TLSv1` or
`TLSv1.1` entries in `mockserver.tlsProtocols` are filtered out before
the SSL context is built, giving users an opt-in hardened TLS profile
without having to rewrite their existing `tlsProtocols` value. A future
major release is expected to flip this default to `false`.

##### Added

- First-class LLM and agent mocking: new `httpLlmResponse` action type
lets you mock LLM provider APIs at the semantic level — describe the
model's reply (text, tool calls, stop reason, usage) and MockServer
produces the byte-correct provider wire format. Supports all 7 major
providers: Anthropic Messages, OpenAI Chat Completions, OpenAI
Responses, Google Gemini, AWS Bedrock, Azure OpenAI, and Ollama.
Non-streaming responses return provider-correct JSON; streaming
responses generate the full SSE event sequence (e.g. `message_start`
through `message_stop` for Anthropic, `chat.completion.chunk` with
`finish_reason` for OpenAI) with configurable timing physics
(`timeToFirstToken`, `tokensPerSecond`, `jitter`). OpenAI embeddings are
also supported with deterministic vector generation via
`deterministicFromInput()`.
- Conversation-aware matchers for multi-turn agent testing:
`whenTurnIndex(n)`, `whenLatestMessageContains(text)`,
`whenLatestMessageRole(role)`, and `whenContainsToolResultFor(toolName)`
predicates match against the parsed `messages` array in the inbound
request body, enabling scripted multi-turn conversations where turn 1
returns a `tool_use` and turn 2 (after the agent sends a `tool_result`)
returns the final answer. All predicates compose with AND semantics and
integrate with the scenario state machine for automatic turn
advancement.
- Per-session conversation isolation via
`isolateBy(header("x-session-id"))`,
`isolateBy(queryParameter("agent"))`, or `isolateBy(cookie("sid"))`:
each unique value of the configured attribute gets independent scenario
state, so concurrent agents sharing the same mocked endpoint do not
interfere. Missing attributes fall back to shared state gracefully.
- `mock_llm_completion` MCP tool: set up a single-turn LLM expectation
from the MCP control plane, specifying provider, path, model, text, tool
calls, and streaming mode
- `create_llm_conversation` MCP tool: build a multi-turn
scenario-chained LLM conversation with optional per-session isolation
from the MCP control plane; returns the generated scenario name and
per-turn state values
- LLM Response badge in the dashboard expectation row showing provider,
model, and text preview; Conversation view extended with a
scripted-turns panel
- `mockserver.maxLlmConversationBodySize` configuration property
(default 1 MiB; clamped to 16 KiB - 64 MiB; env var
`MOCKSERVER_MAX_LLM_CONVERSATION_BODY_SIZE`): request bodies larger than
this limit skip conversation-aware parsing and are treated as no-match,
preventing DoS via oversized JSON payloads
- Custom json-unit matcher support for JSON body matching: implement
`org.mockserver.matchers.CustomJsonUnitMatcherProvider` and point
`mockserver.customJsonUnitMatchersClass` at it to register named
Hamcrest matchers that JSON body expectations can reference via the
`${json-unit.matches:name}` placeholder (e.g. `{ "price":
"${json-unit.matches:largerThan}" }`); misconfigured providers are
logged at WARN and ignored, so matching never fails because of an
unloadable extension (fixes
[#2279](https://redirect.github.com/mock-server/mockserver-monorepo/issues/2279))
- `http2Enabled` configuration property to disable HTTP/2: when set to
false ALPN no longer advertises `h2` (and h2c is not detected) so HTTP/2
capable clients fall back to HTTP/1.1
- Agent-friendly mismatch diagnostics: `explain_unmatched_requests` MCP
tool and `PUT /mockserver/explainUnmatched` REST endpoint return recent
requests that matched no expectation, each with ranked
closest-expectation diffs and actionable remediation hints (e.g., "use
method POST not GET", "add missing header Authorization");
`debug_request_mismatch` results are now ranked by closeness and include
remediation hints; new `mockserver://unmatched` MCP resource
- `create_expectations_from_recorded_traffic` MCP tool: converts traffic
recorded by MockServer's forwarding/proxy mode into active mock
expectations in one call, enabling an "observe then mock" workflow;
supports `method`/`path` filtering and `preview` mode to inspect
expectations before activating them
- OpenAPI contract verification MCP tools:
`verify_traffic_against_openapi` validates recorded request-response
pairs against an OpenAPI spec (passive conformance checking);
`run_contract_test` sends example requests derived from an OpenAPI spec
to a running service and validates the responses (active contract
testing); both return structured per-operation pass/fail results with
validation errors
- OpenAPI resiliency testing MCP tool: `run_resiliency_test` sends
deliberately malformed and boundary-case requests derived from an
OpenAPI spec to a running service (omitting required fields, type
violations, numeric/string boundary violations, oversized strings,
malformed JSON) and classifies each outcome as HANDLED (4xx) or
UNEXPECTED (5xx/2xx/error); returns per-mutation results with operation
summaries
- Deterministic LLM record/replay: `record_llm_fixtures` MCP tool
snapshots LLM/MCP traffic recorded through MockServer's forwarding proxy
into a committable JSON fixture file with secrets automatically redacted
(Authorization, api-key, Cookie, etc.); SSE streaming responses
(Anthropic, OpenAI, etc.) are converted to `HttpSseResponse` actions for
faithful event-by-event replay; `load_expectations_from_file` MCP tool
loads fixture files as active expectations for offline, deterministic,
zero-cost test replay

##### Changed

- **BREAKING** Inbound HTTP/1.1 and HTTP/2 request bodies are now capped
at 10 MiB by default (`mockserver.maxRequestBodySize`). Previously
unbounded. Requests larger than the limit are rejected with `413 Payload
Too Large`. Raise the limit (e.g.
`-Dmockserver.maxRequestBodySize=52428800`) if you intentionally mock
large uploads.
- **BREAKING** Upstream response bodies received when MockServer is
acting as a proxy or forwarder are now capped at 50 MiB by default
(`mockserver.maxResponseBodySize`). Previously unbounded. Raise if you
forward to services that legitimately return larger payloads.
- Each published JAR (including the `-no-dependencies` shaded artifacts)
now declares a stable `Automatic-Module-Name` in its `MANIFEST.MF`, so
downstream JPMS consumers can `requires` MockServer modules with names
that no longer change with each version: `org.mockserver.core`
(`mockserver-core`), `org.mockserver.client` (`mockserver-client-java`),
`org.mockserver.netty` (`mockserver-netty`), `org.mockserver.test`
(`mockserver-testing`), `org.mockserver.testing`
(`mockserver-integration-testing`), `org.mockserver.junit.rule`
(`mockserver-junit-rule`), `org.mockserver.junit.jupiter`
(`mockserver-junit-jupiter`), `org.mockserver.springtest`
(`mockserver-spring-test-listener`), `org.mockserver.examples`
(`mockserver-examples`), `org.mockserver.maven`
(`mockserver-maven-plugin`); each `*-no-dependencies` shaded variant
shares its unshaded counterpart's module name and is an alternative
packaging (place only one on the JPMS module path)

##### Fixed

- Dynamic CA / SSL certificate generation no longer fails when
`dynamicallyCreateCertificateAuthorityCertificate=true` (or any
auto-generated server certificate path) is used: the four
`Configuration` fluent setters for `certificateAuthorityCertificate`,
`certificateAuthorityPrivateKey`, `privateKeyPath`, and
`x509CertificatePath` no longer file-existence-check at set-time,
because the internal generator sets these to the destination path before
the file is written. User-supplied path typos are still surfaced by
`CertificateConfigurationValidator` at TLS-init time.
- HTTP/2 requests through the HTTPS CONNECT forward proxy no longer hang
and emit a GOAWAY after \~30s; the internal relay now negotiates
HTTP/1.1 or HTTP/2 per connection via ALPN instead of mismatching its
TLS layer and codec (fixes
[#2260](https://redirect.github.com/mock-server/mockserver-monorepo/issues/2260))
- Docker image and standalone executable JAR produced no log output
because the shaded server JAR did not include an SLF4J logging provider
(fixes
[#2097](https://redirect.github.com/mock-server/mockserver-monorepo/issues/2097))
- `*-no-dependencies` shaded artifacts leaked their un-shaded source
module (and its transitive dependencies) onto consumers' classpaths;
these artifacts are now truly dependency-free

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/prometheus/client_java).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Jay DeLuca <jaydeluca4@gmail.com>
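
The SSRF item in the release notes describes rejecting forward targets that resolve to loopback, link-local, RFC 1918 private, or cloud metadata addresses. The check below is an added example of that kind of resolve-then-classify guard, not MockServer's code: `ForwardTargetGuard` is a hypothetical name, and it goes slightly beyond the listed ranges by also blocking wildcard addresses and IPv6 unique-local (`fc00::/7`) as an assumption of what a hardened deployment would want.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

public class ForwardTargetGuard {

    /** True if the address lies in a range a forward action should not reach. */
    static boolean isBlocked(InetAddress a) {
        if (a.isLoopbackAddress()        // 127.0.0.0/8, ::1
            || a.isAnyLocalAddress()     // 0.0.0.0, ::
            || a.isLinkLocalAddress()    // 169.254.0.0/16 (includes 169.254.169.254), fe80::/10
            || a.isSiteLocalAddress()) { // 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
            return true;
        }
        byte[] b = a.getAddress();
        // IPv6 unique-local fc00::/7 is not covered by isSiteLocalAddress().
        return b.length == 16 && (b[0] & 0xfe) == 0xfc;
    }

    /**
     * Resolves the host once and rejects it if ANY resolved address is blocked.
     * The caller should connect to one of the returned addresses rather than
     * re-resolving the name, otherwise a DNS answer that changes between check
     * and connect bypasses the guard.
     */
    static InetAddress[] resolveAllowed(String host) throws UnknownHostException {
        InetAddress[] resolved = InetAddress.getAllByName(host);
        for (InetAddress a : resolved) {
            if (isBlocked(a)) {
                throw new SecurityException("forward target " + host
                    + " resolves to blocked address " + a.getHostAddress());
            }
        }
        return resolved;
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed samples; IP literals are parsed locally, so this runs offline.
        String[] targets = {
            "169.254.169.254",  // cloud metadata (link-local)
            "127.0.0.1",        // loopback
            "10.0.0.5",         // RFC 1918
            "::ffff:10.0.0.5",  // IPv4-mapped form of the same private address
            "fd00::1",          // IPv6 unique-local
            "203.0.113.10"      // TEST-NET-3 documentation range, stands in for a public host
        };
        for (String t : targets) {
            try {
                resolveAllowed(t);
                System.out.println("ALLOW " + t);
            } catch (SecurityException e) {
                System.out.println("BLOCK " + t + " (" + e.getMessage() + ")");
            }
        }
    }
}
```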