I've released version 2.0.1 of Jaxen, the open source model
independent XPath 1.0 library for Java:
https://jaxen-xpath.github.io/jaxen/

    <dependency>
      <groupId>jaxen</groupId>
      <artifactId>jaxen</artifactId>
      <version>2.0.1</version>
    </dependency>

This release is the first that was coded with significant LLM
assistance. Most notably I gave Claude Sonnet 4.6 the task of simply
finding bugs in XPath conformance in the library. It found 5, one of
which was a misreading of the spec that would have introduced a new
bug had I merged the PR, so some caution is warranted. However, the
remaining four were real and had gone undetected for over 20 years:
* The round() function was fixed to return negative zero for values
between -0.5 and -0.0.
* The number() function now correctly rejects some strings Java
recognizes as a number but XPath does not.
* anyMatchingNode() and evaluateAsBoolean() no longer throw
NoSuchElementException when evaluating an XPath expression with
multiple predicates and more nodes than predicates.
* DefaultCommentNodeStep.getText() includes predicates. (This one's
very unlikely to have any effect on XPath queries or evaluation.)
In addition the DOMNavigator can now search inside entity reference
and document fragment nodes. This wasn't a new or unknown bug, just a
missing feature I finally got around to implementing with the help of
GitHub Copilot.
I also spent a lot of effort hardening Jaxen against the increasing
risk of MITM and supply chain attacks. In particular:
* The release has been mostly automated. It's not quite a one-click
deploy but it's close.
* The build is now fully byte-per-byte reproducible. If you use the
same JDK on the same platform to compile, you'll get the same bytes
out every time. This is a prerequisite for hash-based defenses against
supply chain and MITM attacks.
I recommend everyone upgrade.
--
Elliotte Rusty Harold
elharo@xxxxxxxxxxx
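
Added example, not part of the original post and not Jaxen's build or release tooling: a Python sketch of why a byte-for-byte reproducible build is a prerequisite for hash checks. Jars are ZIP files, so differing entry timestamps alone change the digest even when every class file is identical. The entries, timestamps and function names are constructed for illustration.

```python
import hashlib
import hmac
import io
import zipfile

# Constructed sample entries; these are not real Jaxen class files.
ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n",
    "org/example/Demo.class": b"\xca\xfe\xba\xbe constructed bytes",
}
FIXED_TIME = (1980, 1, 1, 0, 0, 0)  # earliest timestamp the ZIP format allows


def build_jar(entries, timestamp):
    """Build a jar (ZIP) in memory: sorted entry order, one timestamp for all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in sorted(entries):
            info = zipfile.ZipInfo(name, date_time=timestamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            jar.writestr(info, entries[name])
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def matches_published(artifact, published_hex):
    """Hash check a consumer runs on a downloaded or locally rebuilt jar."""
    return hmac.compare_digest(sha256_hex(artifact), published_hex.lower())


def classify_mismatch(jar_a, jar_b):
    """Say why two jars differ: 'identical', 'metadata-only', or changed entries."""
    if jar_a == jar_b:
        return "identical"
    with zipfile.ZipFile(io.BytesIO(jar_a)) as a, zipfile.ZipFile(io.BytesIO(jar_b)) as b:
        names = sorted(set(a.namelist()) | set(b.namelist()))
        changed = [n for n in names
                   if n not in a.namelist() or n not in b.namelist()
                   or a.read(n) != b.read(n)]
    return changed or "metadata-only"


if __name__ == "__main__":
    day1 = build_jar(ENTRIES, (2024, 1, 1, 12, 0, 0))
    day2 = build_jar(ENTRIES, (2024, 1, 2, 12, 0, 0))
    print("wall-clock timestamps:", classify_mismatch(day1, day2))
    print("fixed timestamps:", classify_mismatch(build_jar(ENTRIES, FIXED_TIME),
                                                 build_jar(ENTRIES, FIXED_TIME)))
```

A "metadata-only" result means the rebuild differs only in archive metadata, which is the noise a reproducible build removes so that any remaining hash mismatch points at changed content.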