Jonas Konrad

I don't think it's possible to mix full body binding with `@Body` and partial binding with `@Part`.

Actual diff without indent: ```diff Index: http-server-netty/src/main/java/io/micronaut/http/server/netty/binders/NettyBodyAnnotationBinder.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP UTF-8 =================================================================== diff --git a/http-server-netty/src/main/java/io/micronaut/http/server/netty/binders/NettyBodyAnnotationBinder.java b/http-server-netty/src/main/java/io/micronaut/http/server/netty/binders/NettyBodyAnnotationBinder.java --- a/http-server-netty/src/main/java/io/micronaut/http/server/netty/binders/NettyBodyAnnotationBinder.java (revision ef4b1673169c26430b7c81cede455139780c1642) +++ b/http-server-netty/src/main/java/io/micronaut/http/server/netty/binders/NettyBodyAnnotationBinder.java (date 1756793254061) @@ -38,11 +38,13 @@...

Note that LZ4BlockInputStream does not support safeDecompressor in lz4-java 1.8.1. If you upgrade to that version, it will still work and be secure, but performance will be much worse than...

It is published, but only under the new group id

I recommend you wait a few hours with releasing this. Another (smaller, unrelated) CVE has been found in lz4-java.

[CVE-2025-66566](https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q) has been published and fixed in 1.10.1. I suggest you move to that version. Though cloudflare seems to be having some trouble that breaks maven central at the moment.

I am not aware of spark benchmarks, but as of 1.8.1, safeDecompressor is *substantially* faster than fastDecompressor. In earlier versions, the difference was minor.

Performance between 1.8.1 and 1.10.1 has not changed substantially.

The underlying lz4 library was updated in 1.9.0 so a performance difference is possible.

You could try setting max-concurrent-requests-per-http2-connection.