Bump the dependencies group across 1 directory with 16 updates

[dependabot]

Bumps the dependencies group with 15 updates in the / directory:

Package	From	To
ch.qos.logback:logback-classic	1.5.24	1.5.28
com.fasterxml.jackson.core:jackson-annotations	2.20	2.21
com.fasterxml.jackson.core:jackson-core	2.20.1	2.21.0
com.fasterxml.jackson.dataformat:jackson-dataformat-xml	2.20.1	2.21.0
com.github.dasniko:testcontainers-keycloak	4.1.0	4.1.1
de.grundid.opendatalab:geojson-jackson	1.14	3.0
org.eclipse.jetty.ee10:jetty-ee10-servlet	12.1.5	12.1.6
org.jooq:jooq	3.20.10	3.20.11
org.jooq:jooq-codegen	3.20.10	3.20.11
org.jooq:jooq-meta	3.20.10	3.20.11
org.postgresql:postgresql	42.7.8	42.7.9
org.apache.maven.plugins:maven-compiler-plugin	3.14.1	3.15.0
org.apache.maven.plugins:maven-dependency-plugin	3.9.0	3.10.0
com.diffplug.spotless:spotless-maven-plugin	3.1.0	3.2.1
org.owasp:dependency-check-maven	12.1.9	12.2.0

Updates ch.qos.logback:logback-classic from 1.5.24 to 1.5.28

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.28

2026-02-06 Release of logback version 1.5.28

• Appender names or appender references are no longer subject to variable substitution.

• Fixed issue with configurations with conditionals encompassing appenders. This was reported in issues/1016 reported by Sergey Sazonov.

• The element now admits a 'scan' attribute which can be used to override the 'scan' attribute in the element.

• Fixed NullPointerException thrown by VersionUtil.checkForVersionEquality method occurring with GraalVM Native Images. This issue was reported in issues/1014.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit e7a1855ab562bb102333f754603ff89359bf3cfc associated with the tag v_1.5.28. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.27

2026-01-30 Release of logback version 1.5.27

• Updated license to Eclipse Public License version 2.0 from version 1.0, retaining the GPL 2.1 dual-license.

• Fixed missing MDC data transmitted by SocketAppender reported in issues/1010 by Lars Vogel.

• Removed all Receiver classes and components which were already disabled for several years.

• Refactored file scanning code for improved clarity.

• In SizeAndTimeBasedRollingPolicy modified totalSizeCap and maxFileSize comparison to taking into account file compression. This fixes issues/1007.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 3618eb01aad6672f9cd250dccf7546a69cbe982f associated with the tag v_1.5.27. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.26

2026-01-25 Release of logback version 1.5.26

• InsertFromJNDIModelHandler was accessing javax.naming package forcing the inclusion of the optional java.naming module. This problem was raised in issues/1003 by Marius Hanl who also provided the relevant PR.

• In applications using shadow/fat/shade jars, module or package information could be lost. Thus, in the absence of version information, logback-classic would warn about version mismatches. Logback components now ship with properties files containing version information that survive shadow/fat/shade jars. This issue was reporteed in issues/1002 by Christoph Gritschenberger.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 33deb54506bbfaf1ff151f26f3a5f86936011619 associated with the tag v_1.5.26. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.25

2026-01-17 Release of logback version 1.5.25

• When processing configuration files, logback-core will now only instantiate components compatible with the class expected by the encapsulating class. This fixes an ACE vulnerability recorded as CVE-2026-1225.

• In configuration files, referencing a single undeclared appender would cause all referenced appenders to be skipped. This issue was discovered in issues/997.

• Added VersionUtil class to logback-core. This utility class checks for version compatibility issues and alerts the user if need be.

• Added EpochConverter to output milliseconds/seconds since epoch. This enhancement was requested by Duncan Jauncey in issues/1000 who also provided the relevant implementation PR.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit f426e0002800cfb507f393fcacffe0761a425220 associated with the tag v_1.5.25. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Commits

• e7a1855 prepare release 1.5.28
• e8dee44 cosmetic changes only
• ded504c minor refactoring
• 8af5459 fix NPE as reported in issues/1014
• 4f560a0 appender names of references not subject to substitution
• eab8e1d remove spurious Sytem.out, add javadoc
• 9ff843d fix issues/1016
• 769bce0 add scanStr field to PropertiesConfiguratorAction, refactor ResourceAction
• 6fd0943 add missing package.html in logback-core
• 5350e54 add missing package.html in logback-classic
• Additional commits viewable in compare view

Updates com.fasterxml.jackson.core:jackson-annotations from 2.20 to 2.21

Commits

• See full diff in compare view

Updates com.fasterxml.jackson.core:jackson-core from 2.20.1 to 2.21.0

Commits

• 80fb536 [maven-release-plugin] prepare release jackson-core-2.21.0
• 9097789 Prep for 2.21.0 release
• d678c69 Javadoc fix for StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION (defaults to `...
• 67912b2 Minor improvement to UTF32Reader.read() bounds-checks
• ecf5de2 ...
• dbb1765 Merge branch '2.20' into 2.x
• 66a9467 Merge branch '2.19' into 2.20
• b46c0bd Merge branch '2.18' into 2.19
• fae2542 release notes update
• 70c99ba Update UTF8DataInputJsonParser.java (#1512)
• Additional commits viewable in compare view

Updates com.fasterxml.jackson.dataformat:jackson-dataformat-xml from 2.20.1 to 2.21.0

Commits

• 66c8c0d [maven-release-plugin] prepare release jackson-dataformat-xml-2.21.0
• 76d5526 Prep for 2.21.0 release
• 89d8704 Merge branch '2.20' into 2.x
• e02a2f5 Post-release dep version bump
• 27923c5 [maven-release-plugin] prepare for next development iteration
• bc9cd88 Update release notes wrt #114
• fdbd1e9 Fixes #114 in 2.x: support STRICT_DUPLICATE_DETECTION (#783)
• 30ccb47 Addition to #736 test
• e003de0 Create XmlClassDeser735Test.java (#776)
• c33e1e5 Bump codecov/codecov-action from 5.5.0 to 5.5.1 (#774)
• Additional commits viewable in compare view

Updates com.fasterxml.jackson.core:jackson-databind from 2.20.1 to 2.21.0

Commits

• See full diff in compare view

Updates com.fasterxml.jackson.dataformat:jackson-dataformat-xml from 2.20.1 to 2.21.0

Commits

• 66c8c0d [maven-release-plugin] prepare release jackson-dataformat-xml-2.21.0
• 76d5526 Prep for 2.21.0 release
• 89d8704 Merge branch '2.20' into 2.x
• e02a2f5 Post-release dep version bump
• 27923c5 [maven-release-plugin] prepare for next development iteration
• bc9cd88 Update release notes wrt #114
• fdbd1e9 Fixes #114 in 2.x: support STRICT_DUPLICATE_DETECTION (#783)
• 30ccb47 Addition to #736 test
• e003de0 Create XmlClassDeser735Test.java (#776)
• c33e1e5 Bump codecov/codecov-action from 5.5.0 to 5.5.1 (#774)
• Additional commits viewable in compare view

Updates com.github.dasniko:testcontainers-keycloak from 4.1.0 to 4.1.1

Release notes

Sourced from com.github.dasniko:testcontainers-keycloak's releases.

v4.1.1

What's Changed

• Updated the keycloak-admin-client to 26.0.8, which is aligned to default server version 26.5.

Full Changelog: dasniko/testcontainers-keycloak@v4.1.0...v4.1.1

Commits

• 64f91fd [maven-release-plugin] prepare release v4.1.1
• ee18a56 chore(deps): bump org.sonatype.central:central-publishing-maven-plugin (#265)
• f901260 adjust Keycloak admin client version to align with Keycloak
• a891e25 [maven-release-plugin] prepare for next development iteration
• See full diff in compare view

Updates de.grundid.opendatalab:geojson-jackson from 1.14 to 3.0

Commits

• 9808af9 [maven-release-plugin] prepare release geojson-jackson-3.0 [ci skip]
• f865bf5 inc version to align with jackson
• dc01b79 [maven-release-plugin] prepare for next development iteration
• 1178e49 [maven-release-plugin] prepare release geojson-jackson-1.19 [ci skip]
• 0a07d8f release config update
• fdda76c [maven-release-plugin] prepare for next development iteration
• 8448366 [maven-release-plugin] prepare release geojson-jackson-1.17 [ci skip]
• 6f57a75 [maven-release-plugin] rollback the release of geojson-jackson-1.17
• b844be4 updated deps
• d43b90c [maven-release-plugin] prepare for next development iteration
• Additional commits viewable in compare view

Updates org.eclipse.jetty.ee10:jetty-ee10-servlet from 12.1.5 to 12.1.6

Updates org.jooq:jooq from 3.20.10 to 3.20.11

Updates org.jooq:jooq-codegen from 3.20.10 to 3.20.11

Updates org.jooq:jooq-meta from 3.20.10 to 3.20.11

Updates org.jooq:jooq-codegen from 3.20.10 to 3.20.11

Updates org.jooq:jooq-meta from 3.20.10 to 3.20.11

Updates org.postgresql:postgresql from 42.7.8 to 42.7.9

Release notes

Sourced from org.postgresql:postgresql's releases.

v42.7.9

Changes

• Added changelogs for version 42.7.9 @​davecramer (#3908)
• the classloader is nullable, and remove a space @​davecramer (#3907)
• fix: incorrect pg_stat_replication.reply_time calculation @​atorik (#3906)
• fix: issue #3892, PGXAConnection.prepare(Xid) should return XA_RDONLY if the connection is read only @​davecramer (#3897)
• fix badges for maven central and search paths. Sonatype has changed the search paths @​davecramer (#3901)
• fix: make all Calendar instances proleptic Gregorian (#3837) @​m-van-tilburg (#3887)
• test: add CI tests with Java 26 @​vlsi (#3893)
• perf: optimize PGInterval.getValue() by replacing String.format with StringBuilder @​vlsi (#3866)
• use ssl_is_used() to check for ssl connection @​davecramer (#3867)
• Add PEMKeyManager to handle PEM based certs and keys. @​harinath001 (#3700)
• Comment and simplify the complex state machine logic in QueryExecutorImpl @​davecramer (#3850)
• Revert "fix: Issue #3784 pgjdbc can't decode numeric arrays containing special numbers like NaN" @​davecramer (#3851)
• fix: Issue #3784 pgjdbc can't decode numeric arrays containing special numbers like NaN @​ShenFeng312 (#3838)
• Small simplication of locking patterns in QueryExecutorBase @​Sanne (#3849)
• doc: update property quoteReturningIdentifiers default value @​sodekim (#3847)
• feat: default query timeout property @​cfredri4 (#3705)
• create action to deploy docs to https://pgjdbc.github.io/ @​davecramer (#3819)
• fix homepage release note @​davecramer (#3817)

🐛 Bug Fixes

• fix: close temporary lob descriptors that are used internally in PreparedStatement#setBlob @​vlsi (#3903)
• fix: avoid memory leaks in Java <= 21 caused by Thread.inheritedAccessControlContext @​vlsi (#3886)

📝 Documentation

• doc: add the new PGP signing key to the official documentation @​vlsi (#3813)

🧰 Maintenance

• chore: remove unused com.github.spotbugs Gradle plugin dependency @​vlsi (#3868)
• chore: drop SpotBugs as we do not seem to use it @​vlsi (#3834)
• chore: bump version to 42.7.9 after 42.7.8 release @​vlsi (#3810)

⬆️ Dependencies

• chore(deps): update actions/create-github-app-token digest to 29824e6 @​renovate-bot (#3898)
• chore(deps): update actions/setup-java digest to c1e3236 @​renovate-bot (#3899)
• chore(deps): update codecov/codecov-action digest to 671740a @​renovate-bot (#3900)
• fix(deps): update dependency org.junit:junit-bom to v5.14.1 - autoclosed @​renovate-bot (#3884)
• fix(deps): update dependency org.apache.bcel:bcel to v6.11.0 @​renovate-bot (#3883)
• fix(deps): update dependency org.mockito:mockito-bom to v5.20.0 @​renovate-bot (#3885)
• fix(deps): update dependency net.bytebuddy:byte-buddy-parent to v1.18.2 @​renovate-bot (#3882)
• chore(deps): update github/codeql-action digest to 497990d @​renovate-bot (#3881)

... (truncated)

Changelog

Sourced from org.postgresql:postgresql's changelog.

[42.7.9] (2026-01-14)

Added

• feat: query timeout property [PR #3705](pgjdbc/pgjdbc#3705)
• feat: Add PEMKeyManager to handle PEM based certs and keys [PR #3700](pgjdbc/pgjdbc#3700)

Changed

• perf: optimize PGInterval.getValue() by replacing String.format with StringBuilder
• doc: update property quoteReturningIdentifiers default value [PR #3847](pgjdbc/pgjdbc#3847)
• security: Use a static method forName to load all user supplied classes. Use the Class.forName 3 parameter method and do not initilize it unless it is a subclass of the expected class

Fixed

• fix: incorrect pg_stat_replication.reply_time calculation [PR #3906](pgjdbc/pgjdbc#3906)
• fix: close temporary lob descriptors that are used internally in PreparedStatement#setBlob
• fix: PGXAConnection.prepare(Xid) should return XA_RDONLY if the connection is read only [PR #3897](pgjdbc/pgjdbc#3897)
• fix: make all Calendar instances proleptic Gregorian [PR #3837](pgjdbc/pgjdbc#3887)
• fix: Simplify concurrency guards on QueryExecutorBase#transaction and QueryExecutorBase#standardConformingStrings [PR #3897](pgjdbc/pgjdbc#3849)
• fix: avoid memory leaks in Java <= 21 caused by Thread.inheritedAccessControlContext [PR #3886](pgjdbc/pgjdbc#3886)
• fix: Issue #3784 pgjdbc can't decode numeric arrays containing special numbers like NaN [PR #3838](pgjdbc/pgjdbc#3838)
• fix: use ssl_is_used() to check for ssl connection [PR #3867](pgjdbc/pgjdbc#3867)
• fix: the classloader is nullable [PR #3907](pgjdbc/pgjdbc#3907)

Commits

• 79b784e Added changelogs for version 42.7.9 (#3908)
• 1c00ffc doc: add the new PGP signing key to the official documentation
• f774000 chore(deps): update actions/create-github-app-token digest to 29824e6
• 27daf3b chore(deps): update actions/setup-java digest to c1e3236
• 6eb01ff chore(deps): update codecov/codecov-action digest to 671740a
• dbf1e57 the classloader is nullable, and remove a space (#3907)
• 6a20574 Merge commit from fork
• c07721a fix: incorrect pg_stat_replication.reply_time calculation (#3906)
• 83023f3 fix: close temporary lob descriptors that are used internally in PreparedStat...
• 62c9805 fix: issue #3892, PGXAConnection.prepare(Xid) should return XA_RDONLY if the ...
• Additional commits viewable in compare view

Updates org.apache.maven.plugins:maven-compiler-plugin from 3.14.1 to 3.15.0

Release notes

Sourced from org.apache.maven.plugins:maven-compiler-plugin's releases.

3.15.0

🐛 Bug Fixes

• Fix Java 25 compatibility during integration tests (#1020) @​desruisseaux
• [MCOMPILER-540] - useIncrementalCompilation=false may add generated sources to the sources list (#192) @​mensinda

👻 Maintenance

• Bump org.apache.maven.plugins:maven-plugins from 45 to 46 (#1015) @​slachiewicz
• Remove declaration of "plexus-snapshots" repository (#1010) @​desruisseaux
• Works only with Maven 4.0.0 rc4 (#996) @​slachiewicz
• Enable Java 25 and Maven 4 in CI (#975) @​slachiewicz

📦 Dependency updates

• Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness from 3.4.0 to 3.5.0 (#1016) @dependabot[bot]
• Bump plexusCompilerVersion from 2.16.1 to 2.16.2 (#1021) @dependabot[bot]
• Bump org.apache.maven.plugins:maven-plugins from 46 to 47 (#1019) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-java from 1.5.1 to 1.5.2 (#1008) @dependabot[bot]
• Bump org.ow2.asm:asm from 9.9 to 9.9.1 (#1005) @dependabot[bot]
• Bump mavenVersion from 3.9.11 to 3.9.12 (#1007) @dependabot[bot]
• Bump maven-plugin-testing-harness to 3.4.0 (#1001) @​slawekjaranowski
• Bump plexusCompilerVersion from 2.16.0 to 2.16.1 (#999) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-java from 1.5.0 to 1.5.1 (#993) @dependabot[bot]
• Bump plexusCompilerVersion from 2.15.0 to 2.16.0 (#992) @dependabot[bot]
• Bump org.ow2.asm:asm from 9.8 to 9.9 (#981) @dependabot[bot]

Commits

• 9290cb3 [maven-release-plugin] prepare release maven-compiler-plugin-3.15.0
• 3657d40 Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness
• 7bbf805 Bump plexusCompilerVersion from 2.16.1 to 2.16.2
• 57fa938 Bump org.apache.maven.plugins:maven-plugins from 46 to 47
• 385e3f2 Fix Java 25 compatibility during integration tests (#1020)
• 6b34423 Bump org.apache.maven.plugins:maven-plugins from 45 to 46
• aaeb9c6 [MCOMPILER-540] useIncrementalCompilation=false may add generated sources to ...
• 6e3db9d Bump org.codehaus.plexus:plexus-java from 1.5.1 to 1.5.2
• 0fe9b84 Remove declaration of "plexus-snapshots" repository (#1010)
• 35f6800 Bump org.ow2.asm:asm from 9.9 to 9.9.1
• Additional commits viewable in compare view

Updates org.apache.maven.plugins:maven-dependency-plugin from 3.9.0 to 3.10.0

Release notes

Sourced from org.apache.maven.plugins:maven-dependency-plugin's releases.

3.10.0

🚀 New features and improvements

• Introduce graphRoots for dependencyFilter based mojos (#1571) @​rfscholte

🐛 Bug Fixes

• Apply excludeReactor to plugin dependencies in go-offline and resolve-plugins (#1583) @​slawekjaranowski
• Only log dependency classpath when no property/file output is specified (#1551) @​mwalser
• [MDEP-974] - strip ansi codes when writing to a file (#1564) @​elharo

📝 Documentation updates

• Add analyze-only to usage page (#1587) @​slawekjaranowski
• Move doc comment to correct location (#1568) @​elharo
• Focus on most recent version (#1537) @​elharo

👻 Maintenance

• Fix Jenkin bages in README (#1586) @​slawekjaranowski
• Improve dependencies filtering in AbstractAnalyzeMojo (#1579) @​slawekjaranowski
• Migration to JUnit 5 - avoid using AbstractMojoTestCase (#1574) @​slawekjaranowski
• Migration to JUnit 5 - avoid using AbstractMojoTestCase (#1569) @​slawekjaranowski
• Migration to JUnit 5 - avoid using AbstractMojoTestCase (#1563) @​slawekjaranowski
• Migration to JUnit 5 - avoid using AbstractMojoTestCase (#1562) @​slawekjaranowski
• Migration to JUnit 5 (#1558) @​slawekjaranowski
• JUnit Jupiter best practices (#1548) @​slachiewicz
• Migrate JUnit3 based Tests to JUnit 5 (#1541) @​sparsick

📦 Dependency updates

• Bump org.apache.maven.shared:maven-dependency-analyzer from 1.16.0 to 1.17.0 (#1584) @dependabot[bot]
• Bump org.assertj:assertj-core from 2.9.1 to 3.27.7 in /src/it/projects/analyze-testDependencyWithNonTestScope (#1581) @dependabot[bot]
• Bump org.assertj:assertj-core from 3.27.6 to 3.27.7 (#1582) @dependabot[bot]
• Bump org.codehaus.mojo:mrm-maven-plugin from 1.7.0 to 1.7.1 (#1580) @dependabot[bot]
• Bump org.apache.maven.plugins:maven-plugins from 46 to 47 (#1578) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-archiver from 4.10.4 to 4.11.0 (#1576) @dependabot[bot]
• Bump org.apache.maven.plugins:maven-plugins from 45 to 46 (#1573) @dependabot[bot]
• Bump org.jsoup:jsoup from 1.21.2 to 1.22.1 (#1572) @dependabot[bot]
• Bump mavenVersion from 3.9.11 to 3.9.12 (#1570) @dependabot[bot]
• Bump org.apache.commons:commons-lang3 from 3.19.0 to 3.20.0 (#1559) @dependabot[bot]
• Bump commons-io:commons-io from 2.20.0 to 2.21.0 (#1552) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-archiver from 4.10.3 to 4.10.4 (#1553) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-io from 3.5.2 to 3.6.0 (#1554) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-i18n from 1.0.0 to 1.1.0 (#1555) @dependabot[bot]
• Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness from 3.3.0 to 3.4.0 (#1550) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-io from 3.5.1 to 3.5.2 (#1538) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-archiver from 4.10.1 to 4.10.3 (#1539) @dependabot[bot]

Commits

• 4127c33 [maven-release-plugin] prepare release maven-dependency-plugin-3.10.0
• 68b5e47 Add analyze-only to usage page
• 09d5860 Fix Jenkin bages in README
• 4308f6c Bump org.apache.maven.shared:maven-dependency-analyzer
• ba3c570 Apply excludeReactor to plugin dependencies in go-offline and resolve-plugins
• 0d88b66 Only log dependency classpath when no property/file output is specified
• 0075e31 Bump org.assertj:assertj-core (#1581)
• 65d53bb Bump org.assertj:assertj-core from 3.27.6 to 3.27.7 (#1582)
• eaf54f0 Bump org.codehaus.mojo:mrm-maven-plugin from 1.7.0 to 1.7.1 (#1580)
• ece9a38 Improve dependencies filtering in AbstractAnalyzeMojo
• Additional commits viewable in compare view

Updates com.diffplug.spotless:spotless-maven-plugin from 3.1.0 to 3.2.1

Release notes

Sourced from com.diffplug.spotless:spotless-maven-plugin's releases.

Maven Plugin v3.2.1

Fixed

• removeSemicolons() should not be applied to multiline strings in groovy #2780 (#2792)

Lib v3.2.0

Added

• Support for idea (#2020, #2535)
• Add support for removing wildcard imports via removeWildcardImports step. (#2517)
• scalafmt: enforce version consistency between the version configured in Spotless and the version declared in Scalafmt config file (#2460)

Fixed

• SortPom disable expandEmptyElements, to avoid empty body warnings. (#2520)
• Fix biome formatter for new major release 2.x of biome (#2537)
• Make sure npm-based formatters use the correct node_modules directory when running in parallel. (#2542)

Changed

• Bump internal dependencies for npm-based formatters (#2542)

Maven Plugin v3.2.0

Added

• Add the ability to specify a wildcard version (*) for external formatter executables. (#2757)

Changes

• Dramatic (~100x) performance improvement when using git ratchetFrom. (#2805)

Fixed

• [fix] NPE due to workingTreeIterator being null for git ignored files. #911 (#2771)
• Prevent race conditions when multiple npm-based formatters launch the server process simultaneously while sharing the same node_modules directory. (#2786)

Changes

• Bump default ktfmt version to latest 0.59 -> 0.61. (2804)
• Bump default ktlint version to latest 1.7.1 -> 1.8.0. (2763)
• Bump default gherkin-utils version to latest 9.2.0 -> 10.0.0. (#2619)

Lib v3.1.2

Fixed

• Fix UnsupportedOperationException in the Gradle plugin when using targetExcludeContent[Pattern] (#2487)
• pgp key had expired, this and future releases will be signed by new key (details)

Changed

• Bump default eclipse version to latest 4.34 -> 4.35. (#2458)
• Bump default greclipse version to latest 4.32 -> 4.35. (#2458)

Lib v3.1.1

Changed

• Use palantir-java-format 2.57.0 on Java 21. (#2447)
• Re-try npm install with --prefer-online after ERESOLVE error. (#2448)

Changelog

Sourced from com.diffplug.spotless:spotless-maven-plugin's changelog.

spotless-lib and spotless-lib-extra releases

If you are a Spotless user (as opposed to developer), then you are probably looking for:

• https://github.com/diffplug/spotless/blob/main/plugin-gradle/CHANGES.md
• https://github.com/diffplug/spotless/blob/main/plugin-maven/CHANGES.md

This document is intended for Spotless developers.

We adhere to the keepachangelog format (starting after version 1.27.0).

[Unreleased]

[4.3.0] - 2026-01-27

Added

• Add P2Provisioner interface in lib-extra to enable build-tool-specific caching strategies for Eclipse P2 dependencies, fixing OutOfMemoryError in large multi-project builds. (#2788)

Fixed

• removeSemicolons() should not be applied to multiline strings in groovy #2780 (#2792)

[4.2.0] - 2026-01-22

Added

• Add a expandWildcardImports API for java (#2679)
• Add the ability to specify a wildcard version (*) for external formatter executables. (#2757)

Fixed

• Prevent race conditions when multiple npm-based formatters launch the server process simultaneously while sharing the same node_modules directory. (#2786)
• Git ratchet no longer throws an error with Git worktrees. (#2779)

Changes

• Bump default ktfmt version to latest 0.59 -> 0.61. (2804)
• Bump default ktlint version to latest 1.7.1 -> 1.8.0. (2763)
• Bump default gherkin-utils version to latest 9.2.0 -> 10.0.0. (#2619)

[4.1.0] - 2025-11-18

Changes

• Bump default ktfmt version to latest 0.58 -> 0.59. (#2681
• Bump default jackson version to latest 2.20.0 -> 2.20.1. (#2730)
• Bump default cleanthat version to latest 2.23 -> 2.24. (#2620)
• POTENTIALLY BREAKING Removed support for ktlint versions below 1.0. (#2711)

Fixed

• palantirJavaFormat is no longer arbitrarily set to outdated versions on Java 17, latest available version is always used (#2686 fixes #2685)

Added

• Add a forbidModuleImports API for java (#2679)
• new options to customize Flexmark, e.g. to allow YAML front matter (#2616)

[4.0.0] - 2025-09-24

Changes

• BREAKING Bump the required Java to 17. (#2375, #2540)
• BREAKING Renamed RemoveWildcardImportsStep to ForbidWildcardImportsStep. (#2633)
• Bump JGit from 6.10.1 to 7.3.0 (#2257)
  • Adds support for worktrees (fixes #1765)

... (truncated)

Commits

• d0f4c3d Published maven/3.2.1
• 2b7f9de Published gradle/8.2.1
• 78e26e9 Published lib/4.3.0
• 33692c2 [fix] removeSemicolons() should not be applied to multiline strings in groo...
• 90628d8 Update changelog.
• 61864a2 Merge branch 'main' into fix-removeSemicolons
• 4864bc8 Fix Gradle Cache performance issue by supporting cached P2 provisionning via ...
• 075895c docs: Mention P2 caching for gradle plugin caching
• 57214bf feat: Supports P2 in predeclare
• 8aee8ac chore: Adds a GradleProvisioner test
• Additional commits viewable in compare view

Updates org.owasp:dependency-check-maven from 12.1.9 to 12.2.0

Release notes

Sourced from org.owasp:dependency-check-maven's releases.

Version 12.2.0

Refer to the CHANGELOG.md for information about improvements and upgrade notes.

Changelog

Sourced from org.owasp:dependency-check-maven's changelog.

Version 12.2.0 (2026-01-09)

• feat: package and utilize generated suppression file (#8116)

• feat: override pnpm audit registry parameter (#8158)

• feat: support multiple cvssBelow thresholds per version (#2563) (#8024)

• feat: usage telemetry via scarf (#8066)

• feat: add new suppression xsd allowing grouping of suppressions (#7957)

• fix(ant): resolve relative paths against basedir (#8202)

• fix: add hint for Elastic APM Java agent CPE mapping (#8200)

• fix: Allow NVD data feed metadata downloads to fail on 1st Jan while logging correct errors (

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.