Bump Apache HttpClient5 to 5.6 and Apache HttpCore5 to 5.4

[reta]

Description

Bump Apache HttpClient5 to 5.6 and Apache HttpCore5 to 5.4

Related Issues

Coming from opensearch-project/opensearch-java#1844

Check List

• Functionality includes testing.
• API changes companion pull request created, if applicable.
• Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Summary by CodeRabbit

• Chores

  • Upgraded Apache HttpClient to 5.6 and Apache HttpCore to 5.4.
  • Updated related license/checksum files for HTTP client dependencies.

• Changes

  • Removed automatic runtime gzip decompression for HTTP responses; responses may now preserve original Content-Encoding and be returned compressed.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Bump Apache HttpClient5 (5.4.4 → 5.6) and HttpCore5 (5.3.4 → 5.4); update checksum files and libs.versions.toml; extend thirdPartyAudit.ignoreMissingClasses for optional compression/JNI classes; remove RestClient runtime gzip decompression; update tests to expect Accept-encoding and compressed response behavior.

Changes

Cohort / File(s)	Summary
Dependency version updates CHANGELOG.md, gradle/libs.versions.toml	Updated httpclient5 to 5.6 and httpcore5 to 5.4.
License checksum files (httpclient5) client/rest/licenses/httpclient5-5.4.4.jar.sha1, client/rest/licenses/httpclient5-5.6.jar.sha1, client/sniffer/licenses/httpclient5-5.4.4.jar.sha1, client/sniffer/licenses/httpclient5-5.6.jar.sha1	Removed old 5.4.4 checksum files and added 5.6 checksum files.
License checksum files (httpcore5 & variants) client/rest/licenses/httpcore5-5.3.4.jar.sha1, client/rest/licenses/httpcore5-5.4.jar.sha1, client/rest/licenses/httpcore5-h2-5.3.4.jar.sha1, client/rest/licenses/httpcore5-h2-5.4.jar.sha1, client/rest/licenses/httpcore5-reactive-5.3.4.jar.sha1, client/rest/licenses/httpcore5-reactive-5.4.jar.sha1, client/sniffer/licenses/httpcore5-5.3.4.jar.sha1, client/sniffer/licenses/httpcore5-5.4.jar.sha1	Removed 5.3.4-family checksum files and added corresponding 5.4-family checksum files.
Build configuration (thirdPartyAudit ignore list) client/rest/build.gradle, client/sniffer/build.gradle	Extended thirdPartyAudit.ignoreMissingClasses with optional compression/JNI classes (brotli4j, zstd, CompressorStreamFactory, etc.).
Runtime response handling client/rest/src/main/java/org/opensearch/client/RestClient.java	Removed manual runtime gzip decompression (deleted logic that wrapped gzip responses in GzipDecompressingEntity).
Tests qa/smoke-test-http/src/test/java/org/opensearch/http/HttpCompressionIT.java, client/rest/src/test/java/org/opensearch/client/RestClientSingleHostIntegTests.java	Updated compression-related test names and expectations: tests now assert compressed responses by default and expect non-Gzip wrapper (ByteArrayEntity) in certain flows; added "Accept-encoding" to expected headers in RestClient test.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Client
  participant RestClient
  participant HTTPClient as ApacheHttpClient
  participant Server

  rect rgba(220,235,255,0.8)
    Note over RestClient: Previous flow — RestClient handled gzip
    Client->>RestClient: send request
    RestClient->>HTTPClient: execute request
    HTTPClient->>Server: forward request
    Server-->>HTTPClient: response (Content-Encoding: gzip)
    HTTPClient-->>RestClient: response entity (gzip)
    RestClient->>RestClient: detect gzip header\nwrap with GzipDecompressingEntity
    RestClient-->>Client: decompressed response
  end

  rect rgba(235,255,220,0.8)
    Note over RestClient: New flow — no manual decompression
    Client->>RestClient: send request
    RestClient->>HTTPClient: execute request
    HTTPClient->>Server: forward request
    Server-->>HTTPClient: response (Content-Encoding: gzip)
    HTTPClient-->>RestClient: response entity (gzip, handled natively)
    RestClient-->>Client: response (no GzipDecompressingEntity)
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Replace multi-line strings with java text blocks #20269 — touches the same compression-related test (qa/smoke-test-http/src/test/java/org/opensearch/http/HttpCompressionIT.java); strongly related.

Suggested reviewers

• peternied
• cwperks
• andrross
• owaiskazi19

Poem

🐰 New jars hop in, old checksums fall away,
HttpClient skips and HttpCore finds its way,
I unwrapped gzip tears and let native do the dance,
Byte arrays bounce, headers gain a prance,
Tiny paws, big hops — celebrate the change! 🥕✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: bumping Apache HttpClient5 to 5.6 and Apache HttpCore5 to 5.4, which aligns with the primary objective of the changeset.
Description check	✅ Passed	The description includes the key section 'Description' that states the purpose, but lacks detailed explanation of the change's impact, motivation, or testing status beyond unchecked checkboxes.

✨ Finishing touches

• 📝 Generate docstrings

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9e586e5 and c84c815.

📒 Files selected for processing (18)

• CHANGELOG.md
• client/rest/build.gradle
• client/rest/licenses/httpclient5-5.4.4.jar.sha1
• client/rest/licenses/httpclient5-5.6.jar.sha1
• client/rest/licenses/httpcore5-5.3.4.jar.sha1
• client/rest/licenses/httpcore5-5.4.jar.sha1
• client/rest/licenses/httpcore5-h2-5.3.4.jar.sha1
• client/rest/licenses/httpcore5-h2-5.4.jar.sha1
• client/rest/licenses/httpcore5-reactive-5.3.4.jar.sha1
• client/rest/licenses/httpcore5-reactive-5.4.jar.sha1
• client/rest/src/main/java/org/opensearch/client/RestClient.java
• client/rest/src/test/java/org/opensearch/client/RestClientSingleHostIntegTests.java
• client/sniffer/build.gradle
• client/sniffer/licenses/httpclient5-5.4.4.jar.sha1
• client/sniffer/licenses/httpclient5-5.6.jar.sha1
• client/sniffer/licenses/httpcore5-5.3.4.jar.sha1
• client/sniffer/licenses/httpcore5-5.4.jar.sha1
• gradle/libs.versions.toml

💤 Files with no reviewable changes (7)

• client/rest/licenses/httpcore5-5.3.4.jar.sha1
• client/sniffer/licenses/httpcore5-5.3.4.jar.sha1
• client/rest/licenses/httpcore5-reactive-5.3.4.jar.sha1
• client/sniffer/licenses/httpclient5-5.4.4.jar.sha1
• client/rest/src/main/java/org/opensearch/client/RestClient.java
• client/rest/licenses/httpcore5-h2-5.3.4.jar.sha1
• client/rest/licenses/httpclient5-5.4.4.jar.sha1

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (21)

• GitHub Check: gradle-check
• GitHub Check: precommit (21, macos-15-intel)
• GitHub Check: precommit (25, macos-15)
• GitHub Check: precommit (25, macos-15-intel)
• GitHub Check: precommit (21, ubuntu-latest)
• GitHub Check: precommit (25, ubuntu-24.04-arm)
• GitHub Check: precommit (25, ubuntu-latest)
• GitHub Check: precommit (25, windows-latest)
• GitHub Check: precommit (21, windows-latest)
• GitHub Check: precommit (21, ubuntu-24.04-arm)
• GitHub Check: precommit (21, macos-15)
• GitHub Check: precommit (21, windows-2025, true)
• GitHub Check: Analyze (java)
• GitHub Check: assemble (25, ubuntu-latest)
• GitHub Check: assemble (21, windows-latest)
• GitHub Check: assemble (25, ubuntu-24.04-arm)
• GitHub Check: assemble (25, windows-latest)
• GitHub Check: assemble (21, ubuntu-latest)
• GitHub Check: assemble (21, ubuntu-24.04-arm)
• GitHub Check: detect-breaking-change
• GitHub Check: Mend Security Check

🔇 Additional comments (8)

client/rest/licenses/httpclient5-5.6.jar.sha1 (1)

1-1: SHA-1 checksum is valid.

The checksum format is correct and aligns with the HttpClient5 5.6 version bump. Ensure this checksum is verified against the actual downloaded artifact.

client/rest/licenses/httpcore5-h2-5.4.jar.sha1 (1)

1-1: All HttpCore5 5.4 checksum files are properly present.

The base httpcore5-5.4.jar.sha1 file exists alongside the h2 variant in client/rest/licenses/. Additionally, a reactive variant httpcore5-reactive-5.4.jar.sha1 is also present with all three having complete LICENSE and NOTICE files. No issues identified.

client/rest/licenses/httpcore5-reactive-5.4.jar.sha1 (1)

1-1: SHA-1 checksum is correct.

The checksum 7ebbb91027261db6f0e80fe03c928b63b116c247 matches the official Apache HttpCore5 Reactive 5.4 library from Maven Central Repository.

client/sniffer/licenses/httpclient5-5.6.jar.sha1 (1)

1-1: Consistency verified; official version confirmed.

The SHA-1 checksum f502ee00ba82d44a6a29bda06a18f5b959808e09 is consistently present in both client/rest/licenses/httpclient5-5.6.jar.sha1 and client/sniffer/licenses/httpclient5-5.6.jar.sha1. Apache HttpClient5 5.6 is an officially released artifact (GA release, December 22, 2025), available on Maven Central with coordinates org.apache.httpcomponents.client5:httpclient5:5.6.

client/sniffer/build.gradle (1)

116-126: LGTM: Optional compression libraries correctly ignored.

The addition of Brotli4j, Zstd, and Commons Compress classes to the ignore list is appropriate. HttpClient5 5.6 supports additional compression formats (Brotli, Zstandard) as optional features, so these classes won't be present unless those specific compression libraries are added as dependencies.

client/rest/build.gradle (1)

153-162: LGTM: Optional compression libraries correctly ignored.

Consistent with the client/sniffer module, these optional compression library classes (Brotli4j, Zstd, Commons Compress) are appropriately added to the ignore list. They represent optional compression format support in HttpClient5 5.6 and won't cause issues at runtime unless explicitly added as dependencies.

client/rest/src/test/java/org/opensearch/client/RestClientSingleHostIntegTests.java (1)

381-381: HttpClient5 5.6 automatically sends the "Accept-Encoding" header and handles response decompression transparently.

The test correctly expects "Accept-encoding" in standard headers. HttpClient5 5.6 automatically sends Accept-Encoding for gzip/deflate by default and transparently decompresses responses, which aligns with the removal of manual gzip decompression logic from RestClient.

gradle/libs.versions.toml (1)

49-50: Versions verified as available and stable with no known security vulnerabilities.

Both HttpClient5 5.6 and HttpCore5 5.4 are confirmed to exist on Maven Central and are stable releases. No known security vulnerabilities were found in either version. (Note: CVE-2025-27820 affected HttpClient5 versions <5.4.3, which has already been patched; version 5.6 is not affected.)

[github-actions]

❌ Gradle check result for 03178a6: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

qa/smoke-test-http/src/test/java/org/opensearch/http/HttpCompressionIT.java (1)

72-72: Nit: Trailing whitespace on empty line.

Consider removing the trailing whitespace.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 03178a6 and c19a0ba.

📒 Files selected for processing (19)

• CHANGELOG.md
• client/rest/build.gradle
• client/rest/licenses/httpclient5-5.4.4.jar.sha1
• client/rest/licenses/httpclient5-5.6.jar.sha1
• client/rest/licenses/httpcore5-5.3.4.jar.sha1
• client/rest/licenses/httpcore5-5.4.jar.sha1
• client/rest/licenses/httpcore5-h2-5.3.4.jar.sha1
• client/rest/licenses/httpcore5-h2-5.4.jar.sha1
• client/rest/licenses/httpcore5-reactive-5.3.4.jar.sha1
• client/rest/licenses/httpcore5-reactive-5.4.jar.sha1
• client/rest/src/main/java/org/opensearch/client/RestClient.java
• client/rest/src/test/java/org/opensearch/client/RestClientSingleHostIntegTests.java
• client/sniffer/build.gradle
• client/sniffer/licenses/httpclient5-5.4.4.jar.sha1
• client/sniffer/licenses/httpclient5-5.6.jar.sha1
• client/sniffer/licenses/httpcore5-5.3.4.jar.sha1
• client/sniffer/licenses/httpcore5-5.4.jar.sha1
• gradle/libs.versions.toml
• qa/smoke-test-http/src/test/java/org/opensearch/http/HttpCompressionIT.java

💤 Files with no reviewable changes (7)

• client/rest/licenses/httpclient5-5.4.4.jar.sha1
• client/rest/licenses/httpcore5-reactive-5.3.4.jar.sha1
• client/sniffer/licenses/httpcore5-5.3.4.jar.sha1
• client/rest/src/main/java/org/opensearch/client/RestClient.java
• client/sniffer/licenses/httpclient5-5.4.4.jar.sha1
• client/rest/licenses/httpcore5-h2-5.3.4.jar.sha1
• client/rest/licenses/httpcore5-5.3.4.jar.sha1

✅ Files skipped from review due to trivial changes (3)

• client/rest/licenses/httpcore5-5.4.jar.sha1
• client/sniffer/licenses/httpclient5-5.6.jar.sha1
• client/rest/licenses/httpcore5-h2-5.4.jar.sha1

🚧 Files skipped from review as they are similar to previous changes (6)

• client/rest/src/test/java/org/opensearch/client/RestClientSingleHostIntegTests.java
• client/rest/licenses/httpclient5-5.6.jar.sha1
• CHANGELOG.md
• client/rest/build.gradle
• client/sniffer/build.gradle
• gradle/libs.versions.toml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (21)

• GitHub Check: gradle-check
• GitHub Check: assemble (21, ubuntu-latest)
• GitHub Check: assemble (25, ubuntu-latest)
• GitHub Check: assemble (25, ubuntu-24.04-arm)
• GitHub Check: assemble (21, ubuntu-24.04-arm)
• GitHub Check: assemble (21, windows-latest)
• GitHub Check: assemble (25, windows-latest)
• GitHub Check: detect-breaking-change
• GitHub Check: precommit (25, windows-latest)
• GitHub Check: precommit (25, macos-15)
• GitHub Check: precommit (25, macos-15-intel)
• GitHub Check: precommit (25, ubuntu-24.04-arm)
• GitHub Check: precommit (21, ubuntu-latest)
• GitHub Check: precommit (21, windows-2025, true)
• GitHub Check: precommit (21, macos-15-intel)
• GitHub Check: precommit (25, ubuntu-latest)
• GitHub Check: precommit (21, macos-15)
• GitHub Check: precommit (21, ubuntu-24.04-arm)
• GitHub Check: precommit (21, windows-latest)
• GitHub Check: Analyze (java)
• GitHub Check: Mend Security Check

🔇 Additional comments (4)

client/sniffer/licenses/httpcore5-5.4.jar.sha1 (1)

1-1: Checksum verified against Maven Central.

The SHA-1 checksum e40011ec0dae056466399f8e414ede4772001621 matches the official Apache httpcore5-5.4.jar artifact on Maven Central. The dependency is correctly added with verified integrity.

qa/smoke-test-http/src/test/java/org/opensearch/http/HttpCompressionIT.java (3)

37-37: LGTM!

Import added appropriately to support the new entity type assertion.

---

88-99: LGTM!

Test correctly renamed to reflect the new default behavior. Assertions properly verify that responses are gzip-encoded by default and that the entity is no longer wrapped in GzipDecompressingEntity, consistent with the HttpClient5 5.6 upgrade.

---

78-85: Test assertions contradict each other regarding entity decompression.

Line 82 asserts the response entity is a ByteArrayEntity (not a decompressing wrapper), yet line 81 expects the Content-Encoding: gzip header to be present, and lines 84-85 expect EntityUtils.toString() to return readable plain text matching SAMPLE_DOCUMENT.

If the entity is indeed a raw ByteArrayEntity containing gzip-compressed bytes (since automatic decompression wrapping is not expected), then EntityUtils.toString() would return garbled data, and the assertion on line 85 would fail. Either:

1. Automatic decompression is not occurring despite the gzip header, or
2. The entity type assertion on line 82 is incorrect and should expect a decompressing wrapper instead

Verify that the test executes successfully and that HttpClient5's automatic decompression behavior aligns with these assertions.

[github-actions]

❌ Gradle check result for c19a0ba: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for c19a0ba: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for c19a0ba: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

✅ Gradle check result for c19a0ba: SUCCESS

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.32%. Comparing base (d866be8) to head (c19a0ba).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #20358      +/-   ##
============================================
+ Coverage     73.30%   73.32%   +0.02%     
+ Complexity    71777    71774       -3     
============================================
  Files          5784     5784              
  Lines        328141   328136       -5     
  Branches      47269    47269              
============================================
+ Hits         240531   240621      +90     
+ Misses        68329    68205     -124     
- Partials      19281    19310      +29     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.