What's Changed

• Reproducible build by @yawkat in #15
• Run tests for pull requests again by @Marcono1234 in #17
• Add .git-versioned-pom.xml to .gitignore by @Marcono1234 in #16
• Fix source code formatting by @Marcono1234 in #18
• Improve publish workflow by @Marcono1234 in #19
• Migrate to macOS 15 x86_64 for release build by @Marcono1234 in #21
• Use gcc included in Windows image for release build by @Marcono1234 in #22
• Improve LZ4FrameIOStreamTest test by @Marcono1234 in #23
• Rename windows JNI lib to liblz4-java.dll by @HTHou in #25
• Use bnd-maven-plugin to fix osgi manifest headers by @aptmac in #28

New Contributors

• @HTHou made their first contribution in #25
• @aptmac made their first contribution in #28

Full Changelog: v1.10.1...v1.10.2

Contains fix for CVE-2025-66566!

What's Changed

• Add test for corrupted LZ4 block input stream by @Marcono1234 in #7
• Update documentation for checksum registration by @yawkat in #8
• Migrate to maven-git-versioning-extension by @yawkat in #10
• Add workflow_dispatch trigger to multi-platform build to allow testing without release by @yawkat in #13
• Copy native libraries to target/classes instead of src/resources by @yawkat in #14

Full Changelog: v1.10.0...v1.10.1

This release does not contain security-relevant changes. It was made for #3, so that users of LZ4BlockInputStream can migrate to safeDecompressor() to mitigate the performance impact of the CVE‐2025‐12183 patch. Note that this still requires a change in user code.

What's Changed

• Replace old repository links & improve README by @Marcono1234 in #2
• Remove unused POM template files by @Marcono1234 in #1
• Hide util package from Javadoc by @Marcono1234 in #4
• Allow to create LZ4BlockInputStream with LZ4SafeDecompressor by @meshcow in #3
• Fix remaining ArrayIndexOutOfBoundsExceptions in LZ4DecompressorTest by @Marcono1234 and @yawkat in #6

New Contributors

• @Marcono1234 made their first contribution in #2
• @meshcow made their first contribution in #3
• @yawkat made their first contribution in #6

Full Changelog: v1.9.0...v1.10.0

• Replace ant-based build with maven (@yawkat)
• Use multi-platform GitHub actions for native library build (@yawkat)
• Update lz4 to v1.10.0 (@yawkat)
• Improve Java implementation bounds checking and tests (@yawkat and @Marcono1234)

Unsafe implementations should be secure now, but are not yet enabled by default.

Full Changelog: v1.8.1...v1.9.0

Note: This release is still vulnerable to CVE-2025-66566 which was discovered later. Please upgrade to at.yawk.lz4:lz4-java:1.10.1.

Minimal patch to resolve CVE‐2025‐12183:

• LZ4Factory.nativeInstance().fastDecompressor() returns the safe Java implementation instead
• LZ4Factory.unsafeInstance() returns the safe Java implementation instead
• LZ4Factory.unsafeInsecureInstance() and LZ4Factory.nativeInsecureInstance() are added to provide access to insecure but faster implementations.

User code does not need to be changed for this patch to be effective.

The full diffoscope output can be found here.

org.lz4:lz4-java:1.8.1 is a relocation pom that "redirects" to the new artifact at.yawk.lz4:lz4-java:1.8.1. To avoid issues with gradle, please use only the latter group ID.