Two foundational security upgrades land together in this release : the JVM moves to Java 25, the latest long-term-support release, and the cryptography layer adopts Argon2id as the default password-hashing algorithm. Both close compliance gaps that audit firms have flagged on the previous baseline ; both extend the platform's security posture through the next decade.
Java 25 LTS
- LTS through 2033. Java 25 is Oracle's current LTS release with vendor support commitments through 2033. The platform stays on a vendor-supported JVM without forced major upgrades for the next eight years.
- Virtual threads in production. JEP 444 (production virtual threads) lets the platform run thousands of concurrent agent and tool calls on a single JVM without the memory cost of OS threads.
- ProGuard preserved. The bytecode-optimisation configuration is updated for JDK 25 compatibility ; the optimisation pass that removes dead code and shrinks the binary continues to apply.
Argon2id password hashing
- OWASP 2023 compliance. Argon2id is OWASP's current recommendation for password storage, replacing bcrypt and PBKDF2 in new deployments. The hash is memory-hard, GPU-resistant and parameterised against future hardware.
- Backward compatibility. Existing bcrypt and PBKDF2 hashes continue to verify ; new password sets and password resets write Argon2id. The credential store transparently re-hashes on next successful login.
- Configurable cost. Memory, parallelism and iteration parameters are configurable per deployment so high-security tenants raise the cost without forking the platform.