Previous versions were vulnerable to DoS attacks, and the new protections use the new CSSDocument.isAuthorizedOrigin(URL) method.
The method ErrorHandler.hasErrors() now returns true if there are I/O errors. Those errors were previously considered transient, and therefore weren't appearing there.
DOM: on attribute nodes, getTextContent() now returns the attribute value instead of the empty string.
[3.1] DOM: DOMDocument.getDomConfig() was undeprecated, and the DOMConfiguration can be used to control the normalisation of the document.
[3.1] DOM: DOM nodes now implement java.io.Serializable.
[3.1] DefaultEntityResolver.resolveEntity(DocumentTypeDeclaration) is deprecated.
("DOM:" means that the change applies to "Native DOM implementation").
These new behaviours mean that the new releases are not fully backwards-compatible with the latest releases from their branches, so the minor versions were bumped to 3.1, 2.2 and 1.1.
Additionally, the following are important fixes/improvements:
[3.1] Case sensitivity fixes: Native DOM correctly matched the selector [Foo] to the attribute foo="bar" in HTML documents, but neither the XML-oriented DOM implementations in the DOM wrapper nor the DOM4J back-end did. Now they both do, and a few other smaller case sensitivity fixes were applied as well.
[3.1] DOM: indented serialisation of inline-block elements in DOMWriter.
DOM: normalisation of element-content whitespace is now based on the value of the whitespace CSS property, and so does DOMWriter serialisation (note: 1.0.9 already had this fix, and only 3.1 has configurable normalisation).
Due to the security fixes, all users that process untrusted HTML or CSS with css4j should upgrade.