chore(deps): bump the maven-dependencies group across 1 directory with 14 updates

[dependabot]

Bumps the maven-dependencies group with 14 updates in the / directory:

Package	From	To
org.apache.maven.plugins:maven-failsafe-plugin	3.5.5	3.5.6
org.hibernate.orm:hibernate-core	7.3.6.Final	7.4.0.Final
com.github.kagkarlsson:db-scheduler	16.10.0	16.12.0
org.jobrunr:jobrunr	8.6.0	8.6.1
com.fasterxml.jackson:jackson-bom	2.21.3	2.21.4
tools.jackson:jackson-bom	3.1.3	3.1.4
com.puppycrawl.tools:checkstyle	13.4.2	13.5.0
org.apache.maven.plugins:maven-surefire-plugin	3.5.5	3.5.6
tools.jackson.core:jackson-core	3.1.3	3.1.4
io.mockk:mockk-jvm	1.14.9	1.14.11
io.dropwizard.metrics5:metrics-core	5.0.6	5.0.7
org.openrewrite.recipe:rewrite-recipe-bom	3.30.1	3.31.0
ch.qos.logback:logback-classic	1.5.32	1.5.33
io.github.oshai:kotlin-logging-jvm	8.0.03	8.0.4

Updates org.apache.maven.plugins:maven-failsafe-plugin from 3.5.5 to 3.5.6

Release notes

Sourced from org.apache.maven.plugins:maven-failsafe-plugin's releases.

3.5.6

🚀 New features and improvements

• Introduce reportTestTimestamp option and include timestamp for test sets and test cases (#3261) (#3302) @​olamy

🐛 Bug Fixes

• Issue #2613 Debugging failsafe tests: Message 'Listening for transport dt_socket at address' is not displayed anymore when using maven.surefire.debug (#3353) (#3354) @​olamy
• Ensure that the statistics filename is calculated only once. (#3326) (#3327) @​olamy
• Add flakes attribute to use in testsuite report (#3306) (#3308) @​olamy
• [BACKPORT 3.5.x] [SUREFIRE-2049] - Fix SHUTDOWN type lost during command serialization. (#3270) (#3289) @​olamy
• fix: null guard for context map (#3269) (#3272) @​olamy

👻 Maintenance

• 3.5.x/bug/cherry pick embedded mode its (#3328) @​olamy
• Use surefire 3.5.5 by project itself for testing (#3324) @​slawekjaranowski
• Follow Oracle javadoc guidelines (#3177) @​elharo

📦 Dependency updates

• Bump org.fusesource.jansi:jansi from 2.4.2 to 2.4.3 (#3334) @dependabot[bot]
• Bump commons-io:commons-io from 2.21.0 to 2.22.0 (#3350) @dependabot[bot]

Commits

• 25ea054 [maven-release-plugin] prepare release surefire-3.5.6
• e5f374c Bump org.fusesource.jansi:jansi from 2.4.2 to 2.4.3
• dadd55b Issue #2613 Debugging failsafe tests: Message 'Listening for transport dt_soc...
• 39dd250 Bump commons-io:commons-io from 2.21.0 to 2.22.0
• 2774273 Ensure that the statistics filename is calculated only once. (#3326) (#3327)
• 0d5df8a 3.5.x/bug/cherry pick embedded mode its (#3328)
• 04ad9a2 Use surefire 3.5.5 by project itself for testing
• 37e8f69 Add flakes attribute to use in testsuite report (#3306) (#3308)
• a970fef Introduce reportTestTimestamp option and include timestamp for test sets and ...
• e838393 deploy 3.5.x branch to nexus
• Additional commits viewable in compare view

Updates org.hibernate.orm:hibernate-core from 7.3.6.Final to 7.4.0.Final

Release notes

Sourced from org.hibernate.orm:hibernate-core's releases.

Release 7.4.0

Hibernate ORM 7.4.0.Final released

Today, we published a new release of Hibernate ORM 7.4: 7.4.0.Final.

You can find the full list of 7.4.0.Final changes here.

What's new

• See the website for requirements and compatibilities.
• See the What's New guide for details about new features and capabilities.
• See the Migration Guide for details about migration.

Conclusion

For additional details, see:

• the release page
• the Migration Guide
• the Introduction Guide
• the User Guide
• the API docs

See also the following resources related to supported APIs:

• the compatibility policy
• the incubating API report (@Incubating)
• the deprecated API report (@Deprecated + @Remove)
• the internal API report (internal packages, @Internal)

Visit the website for details on getting in touch with us.

Release 7.4.0.CR1

Hibernate ORM 7.4.0.CR1 released

Today, we published a new release of Hibernate ORM 7.4: 7.4.0.CR1.

You can find the full list of 7.4.0.CR1 changes here.

What's new

• See the website for requirements and compatibilities.
• See the What's New guide for details about new features and capabilities.
• See the Migration Guide for details about migration.

Conclusion

... (truncated)

Changelog

Sourced from org.hibernate.orm:hibernate-core's changelog.

Changes in 7.4.0.Final (May 26, 2026)

https://hibernate.atlassian.net/projects/HHH/versions/39172

** Bug * HHH-20454 HbmXmlTransformer generates an incorrect mapping for an HBM file containing a association with a property-ref attribute. * HHH-20451 Hbm is ignored during HbmXmlTransformer conversion * HHH-20418 @​Access on entity wrongly affects @​MappedSuperclass default * HHH-20394 Cascade profile causes LAZY associations to be eagerly fetched even if they won't be affected * HHH-20357 Component.sortProperties() reorders Envers originalId key, breaking joined audit-table FK/joins for JOINED inheritance * HHH-20324 AnnotationException: overrides mapping specified using '@​JoinColumnOrFormula' thrown when join column is overridden via XML mapping * HHH-20125 ClassCastException on merge during polymorphic embeddable replace * HHH-19214 Record as @​IdClass - some tests are failing when record componets of ID class are not alphabetically sorted, but passing when sorted

** Improvement * HHH-20432 Increase the minimum container / worker threads to 4 to reduce build time * HHH-20423 Relax the strict JPQL compliance and make select optional * HHH-20419 Make BytecodeEnhancedTestEngine better compatible with Maven's parallel test execution * HHH-19417 FetchProfile not properly overridden in mapping.xml * HHH-17767 Add support for Value LOBs

** Sub-task * HHH-20439 enable ci for spanner

Changes in 7.4.0.CR1 (May 07, 2026)

https://hibernate.atlassian.net/projects/HHH/versions/37741

** Bug * HHH-20358 PRIVILEGED_CLI is not set to "sudo" when Podman is aliased as Docker * HHH-20356 NPE when mapping embedded property as @​MappedSuperclass * HHH-20355 use of static calendar in TimestampUtcAsJdbcTimestampJdbcType and friends * HHH-20353 unhelpful error with @​ManyToAny * HHH-20350 Unexpected physical naming of columns for embeddables in Hibernate 7 * HHH-20336 JdbcResourceLocalTransactionCoordinatorImpl does not trigger afterCompletionCallback if it encounters a TransactionException * HHH-20326 ClassCastException when joining array within embeddable * HHH-20323 with hibernate.temporal.use_server_transaction_timestamps, session obtains a database timestamp even when not needed * HHH-20321 import.sql not executed when there are no @​Entity classes * HHH-20313 Criteria query comparing double path to integer expression containing integer parameter fails * HHH-20308 JSON embeddable array access not working because Column reports wrong SQL type code * HHH-20307 Informix count distinct tuple emulation is broken * HHH-20305 Lock timout on Informix broken * HHH-20303 Power function usage for PostgreSQLTruncRoundFunction breaks CockroachDB * HHH-20300 OptionalTableUpdateWithUpsertOperation can fail on PostgreSQL 14 * HHH-20297 SQM parameter use in multiple type-incompatible contexts binds with wrong JdbcMapping * HHH-20287 DataException ( Parameter is not set) when updating only the version of an Entity with a PartitionKey

... (truncated)

Commits

• 6d267d9 [Jenkins release job] Preparing release 7.4.0.Final
• a4892eb [Jenkins release job] changelog.txt updated by release build 7.4.0.Final
• 2a1db34 HHH-20418 @​Access on entity wrongly affects defaults of other classes
• 89b9101 Revert "HHH-20466 Add test for issue"
• 9165058 Revert "HHH-20466 XML mapping for <many-to-many> accepts orphan-removal attri...
• ebbc8fe HHH-20466 XML mapping for <many-to-many> accepts orphan-removal attribute but...
• 814f3b2 HHH-20466 Add test for issue
• 7ae9521 HHH-20454 HbmXmlTransformer generates an incorrect mapping for an HBM file co...
• 00f34ee HHH-20454 Add test for issue
• 0db3c65 Unify the waiting for the clock to progress past the dialect timestamp resolu...
• Additional commits viewable in compare view

Updates com.github.kagkarlsson:db-scheduler from 16.10.0 to 16.12.0

Release notes

Sourced from com.github.kagkarlsson:db-scheduler's releases.

v16.12.0

Changelog

🚀 Features

• d29c497 add per-task summary to SchedulerClient (#874), closes #873 #874
• 277f96b sqlite support is added (#869), closes #868 #869

🐛 Fixes

• 9ff943a single statement lock-and-fetch unresolved task from first batch… (#811), closes #804 #811

🛠 Build

• a02d60d deps-dev: bump org.xerial:sqlite-jdbc from 3.25.2 to 3.41.2.2 in /db-scheduler (#875), closes #875
• f520342 deps: bump io.zonky.test.postgres:embedded-postgres-binaries-bom from 17.5.0 to 18.3.0 (#865), closes #102 #103 #105 #106 #107 #108 #865

Contributors

We'd like to thank the following people for their contributions:

• Gustav Karlsson (@​kagkarlsson)
• Michael Str
• dependabot[bot] (@​dependabot[bot])

v16.11.0

Changelog

🚀 Features

• ef0d41e add MaxRetriesBuilder fluent API for FailureHandler (#856)

🔄️ Changes

• 9481948 mdc logging interceptor is refactored in spring boot example (#854)

🛠 Build

• 8c3e465 deps: bump org.mockito:mockito-bom from 5.20.0 to 5.23.0 (#866)
• 7cc6edc deps: bump org.junit:junit-bom from 6.0.3 to 6.1.0 (#867)

Contributors

We'd like to thank the following people for their contributions:

• Gustav Karlsson (@​kagkarlsson)
• Michael Str
• dependabot[bot] (@​dependabot[bot])

Commits

• a02d60d build(deps-dev): bump org.xerial:sqlite-jdbc from 3.25.2 to 3.41.2.2 in /db-s...
• d29c497 feat: add per-task summary to SchedulerClient (#874)
• 277f96b feat: sqlite support is added (#869)
• f520342 build(deps): bump io.zonky.test.postgres:embedded-postgres-binaries-bom from ...
• 9ff943a fix: single statement lock-and-fetch unresolved task from first batch… (#811)
• 8c3e465 build(deps): bump org.mockito:mockito-bom from 5.20.0 to 5.23.0 (#866)
• 7cc6edc build(deps): bump org.junit:junit-bom from 6.0.3 to 6.1.0 (#867)
• 9481948 refactor: mdc logging interceptor is refactored in spring boot example (#854)
• ef0d41e feat: add MaxRetriesBuilder fluent API for FailureHandler (#856)
• See full diff in compare view

Updates org.jobrunr:jobrunr from 8.6.0 to 8.6.1

Release notes

Sourced from org.jobrunr:jobrunr's releases.

v8.6.1

JobRunr and JobRunr Pro 8.6.1

This patch release includes bug fixes and small improvements for both JobRunr and JobRunr Pro.

JobRunr 8.6.1

Bugfixes

• Fix multiple master nodes [PR #1557](jobrunr/jobrunr#1557)
• Log dataVersion mismatch exceptions [PR #1555](jobrunr/jobrunr#1555)
• Fix thread pool corePoolSize setting [PR #1559](jobrunr/jobrunr#1559)

Enhancements

• Enable JobScheduler and JobRequestScheduler by default for Micronaut [PR #1556](jobrunr/jobrunr#1556)

Full Changelog: jobrunr/jobrunr@v8.6.0...v8.6.1

JobRunr Pro 8.6.1

Bugfixes

• Fix multiple master nodes [PR #1557](jobrunr/jobrunr#1557)
• Log dataVersion mismatch exceptions [PR #1555](jobrunr/jobrunr#1555)
• Fix thread pool corePoolSize setting [PR #1559](jobrunr/jobrunr#1559)
• Prevent JobFilters from logging when annotation class is missing [PR #886](https://git.jobrunr.io/JobRunr/jobrunr-pro/pulls/886)
• Fix DoNotRetryPolicy trying to retry [PR #884](https://git.jobrunr.io/JobRunr/jobrunr-pro/pulls/884)
• Improve from FromScheduledConcurrentStateChange to also support awaiting jobs [PR #890](https://git.jobrunr.io/JobRunr/jobrunr-pro/pulls/890)

Misc

• Enable JobScheduler and JobRequestScheduler by default for Micronaut [PR #1556](jobrunr/jobrunr#1556)

Full Changelog: jobrunr/jobrunr@v8.6.0...v8.6.1

Commits

• b32f027 PR feedback (#1559)
• 1ba9156 Cleanup after tests (#1558)
• 556ee9c Prevent dataVersion mismatch exceptions from spamming logs (#1555)
• b34a455 Fix multiple master nodes (#1557)
• 758cd71 Enable JobScheduler and JobRequestScheduler by default for Micronaut (#1556)
• 19a04c6 Use local maven proxy and gradle cache (#1554)
• See full diff in compare view

Updates com.fasterxml.jackson:jackson-bom from 2.21.3 to 2.21.4

Commits

• d1abd31 [maven-release-plugin] prepare release jackson-bom-2.21.4
• 2aaea43 Prep for 2.21.4 release
• 9d3a9d5 Post-release dep version bump
• 84bcf7f [maven-release-plugin] prepare for next development iteration
• See full diff in compare view

Updates tools.jackson:jackson-bom from 3.1.3 to 3.1.4

Commits

• 4085e4d [maven-release-plugin] prepare release jackson-bom-3.1.4
• f8e1a4e Prep for 3.1.4 release
• 47eb6ea Merge branch '2.x' into 3.1
• 902ec69 Update Woodstox/stax2-api (to 7.2.0/4.3.0)
• d5df403 Post-release dep version bump
• 7ed6798 [maven-release-plugin] prepare for next development iteration
• 2570647 Merge branch '2.21' into 2.x
• 9d3a9d5 Post-release dep version bump
• 84bcf7f [maven-release-plugin] prepare for next development iteration
• 374fbd0 [maven-release-plugin] prepare release jackson-bom-2.21.3
• Additional commits viewable in compare view

Updates com.puppycrawl.tools:checkstyle from 13.4.2 to 13.5.0

Release notes

Sourced from com.puppycrawl.tools:checkstyle's releases.

checkstyle-13.5.0

Checkstyle 13.5.0 - https://checkstyle.org/releasenotes.html#Release_13.5.0

New:

#19496 - AvoidStarImport: new property maxAllowedStarImports to allow atmost one star import in a file. #14782 - LITERAL_DEFAULT token support in RightCurlyCheck. #15484 - New Check UnusedTryResourceShouldBeUnnamed.

Bug fixes:

#17697 - Google style: Disallow comments enclosed in boxes. #19641 - Add checks for OpenJDK Style §3.10 - Variable Declarations. #19640 - Add checks for OpenJDK Style §4.1 - Package Names. #18227 - Extend TextBlockGoogleStyleFormatting to check indentation of each line in the blocks. #19770 - JavadocTypeCheck incorrectly matches record component @param tags using prefix instead of exact match. #17052 - Add support for flexible constructor bodies (JEP 513) targeted for JDK25. #17464 - RequireThis false positive inside annotation definition. #19623 - Add checks for OpenJDK Style §3.3 - Import statements. #17203 - PatternVariableAssignment check false negative when pattern variable extends beyond the statement of introduction. #19716 - False Negative: SimplifyBooleanExpression does not report with paranthesized boolean literals in ternary operators. #19617 - Add checks for OpenJDK Style §2 - Java Source Files. #17253 - Google-style: Illegal to break the line before or after the lambda arrow. #19149 - update MissingJavadocTypeCheck to use AST of javadoc. #2629 - IndentationCheck: incorrect validation for class definition. #5685 - Indentation: false positive for try child on the same line. #11822 - RequireThisCheck giving multiple violation for classes nested in lambdas. #19622 - Add checks for OpenJDK Style §3.2 - Package declaration.

... (truncated)

Commits

• 110e63e [maven-release-plugin] prepare release checkstyle-13.5.0
• 47d9268 doc: release notes for 13.5.0
• 2ae101f Issue #19793: Anchor IndentationCheck regex in google_checks.xml SuppressWith...
• fb3c9e9 Issue #19827: Complete removal of chapter numbers
• e2b0411 Issue #18435: Fix xdocs Examples AST Consistency Test - nowhitespacebefore
• 096df1d Issue #19764: Move violation comment out of Javadoc
• 4d69a3f Issue #19993: Regexp check for unnecessary // ok comments is configured under...
• 035297e dependency: bump org.pitest:pitest-maven from 1.25.2 to 1.25.3
• 6b82789 supplemental: Fixes Overloaded Methods Order
• d9306da Issue #18435: Fix xdocs Examples AST Consistency Test - linelength
• Additional commits viewable in compare view

Updates org.apache.maven.plugins:maven-surefire-plugin from 3.5.5 to 3.5.6

Release notes

Sourced from org.apache.maven.plugins:maven-surefire-plugin's releases.

3.5.6

🚀 New features and improvements

• Introduce reportTestTimestamp option and include timestamp for test sets and test cases (#3261) (#3302) @​olamy

🐛 Bug Fixes

• Issue #2613 Debugging failsafe tests: Message 'Listening for transport dt_socket at address' is not displayed anymore when using maven.surefire.debug (#3353) (#3354) @​olamy
• Ensure that the statistics filename is calculated only once. (#3326) (#3327) @​olamy
• Add flakes attribute to use in testsuite report (#3306) (#3308) @​olamy
• [BACKPORT 3.5.x] [SUREFIRE-2049] - Fix SHUTDOWN type lost during command serialization. (#3270) (#3289) @​olamy
• fix: null guard for context map (#3269) (#3272) @​olamy

👻 Maintenance

• 3.5.x/bug/cherry pick embedded mode its (#3328) @​olamy
• Use surefire 3.5.5 by project itself for testing (#3324) @​slawekjaranowski
• Follow Oracle javadoc guidelines (#3177) @​elharo

📦 Dependency updates

• Bump org.fusesource.jansi:jansi from 2.4.2 to 2.4.3 (#3334) @dependabot[bot]
• Bump commons-io:commons-io from 2.21.0 to 2.22.0 (#3350) @dependabot[bot]

Commits

• 25ea054 [maven-release-plugin] prepare release surefire-3.5.6
• e5f374c Bump org.fusesource.jansi:jansi from 2.4.2 to 2.4.3
• dadd55b Issue #2613 Debugging failsafe tests: Message 'Listening for transport dt_soc...
• 39dd250 Bump commons-io:commons-io from 2.21.0 to 2.22.0
• 2774273 Ensure that the statistics filename is calculated only once. (#3326) (#3327)
• 0d5df8a 3.5.x/bug/cherry pick embedded mode its (#3328)
• 04ad9a2 Use surefire 3.5.5 by project itself for testing
• 37e8f69 Add flakes attribute to use in testsuite report (#3306) (#3308)
• a970fef Introduce reportTestTimestamp option and include timestamp for test sets and ...
• e838393 deploy 3.5.x branch to nexus
• Additional commits viewable in compare view

Updates tools.jackson.core:jackson-core from 3.1.3 to 3.1.4

Commits

• 222daf2 [maven-release-plugin] prepare release jackson-core-3.1.4
• 7854ecc Prep for 3.1.4 release
• 31937c4 Merge branch '2.x' into 3.1
• 7db5b50 Merge branch '2.21' into 2.x
• 4c05816 Merge branch '2.20' into 2.21
• 6cd594c Merge branch '2.19' into 2.20
• b561668 Merge branch '2.18' into 2.19
• 88e3941 Add back JDK 11 in CI
• fa4ee09 Test refactoring
• 797d509 test refactoring
• Additional commits viewable in compare view

Updates io.mockk:mockk-jvm from 1.14.9 to 1.14.11

Release notes

Sourced from io.mockk:mockk-jvm's releases.

v1.14.11

What's Changed

• fix: added SameInstanceMatcher to handle an issue with equals method when using EqMatcher along with a mock to an object by @​DOssaA in mockk/mockk#1508
• Add scoped confirmVerified overloads for callables (KFunction and KProperty) by @​DOssaA in mockk/mockk#1513
• feat: support MockKAnnotation.useDependencyOrder for JUnit 5 by @​ilia1243 in mockk/mockk#1515
• Allow updating settings from code by @​Yentis in mockk/mockk#1517
• Add currentThread filter and excluded mocks to clearAllStubsFromMemory by @​evgenru in mockk/mockk#1519
• Support new Kotlin annotation defaulting rule for @​InjectMockKs by @​ZzAve in mockk/mockk#1525
• feat(dsl): Add context parameters support module (#1431) by @​faraz152 in mockk/mockk#1521
• fix: resolve @​InjectMockKs dependency order for interface by @​neungs-2 in mockk/mockk#1526
• fix: resolve @​InjectMockKs dependency order for list injection by @​ilia1243 in mockk/mockk#1527
• fix: extract native lib from APK when not on filesystem (AGP 8.5+) by @​snowykte0426 in mockk/mockk#1529
• fix: support OpenJ9 in JvmAutoHinter by @​hspedro in mockk/mockk#1530

New Contributors

• @​DOssaA made their first contribution in mockk/mockk#1508
• @​ilia1243 made their first contribution in mockk/mockk#1515
• @​Yentis made their first contribution in mockk/mockk#1517
• @​evgenru made their first contribution in mockk/mockk#1519
• @​ZzAve made their first contribution in mockk/mockk#1525
• @​faraz152 made their first contribution in mockk/mockk#1521
• @​hspedro made their first contribution in mockk/mockk#1530

Full Changelog: mockk/mockk@1.14.9...v1.14.11

Commits

• d5617fc Version bump for v1.14.11
• d4e6a00 Merge pull request #1530 from hspedro/fix/726-openj9-classcast-message-format
• 98e91bc fix: handle OpenJ9 CCE message in JvmAutoHinter
• 945f746 Merge pull request #1529 from snowykte0426/fix/1273-jvmtiagent-agp85-native-l...
• 35cc073 [ 1273-jvmtiagent ] chore: stop tracking .claude/scheduled_tasks.lock
• d6aa82b [ 1273-jvmtiagent ] chore: drop useLegacyPackaging workaround
• 85a907c [ 1273-jvmtiagent ] chore: apply spotless formatting
• 7d9aec1 [ 1273-jvmtiagent ] fix: extract .so when findLibrary returns a path with '='
• 1d5d30e [ 1273-jvmtiagent ] test: verify findLibrary resolves mockkjvmtiagent to a va...
• 21a6a3a [ 1273-jvmtiagent]fix: pass findLibrary path directly to attach JvmtiAgent
• Additional commits viewable in compare view

Updates io.dropwizard.metrics5:metrics-core from 5.0.6 to 5.0.7

Commits

• 4c8cc48 [maven-release-plugin] prepare release v5.0.7
• 8b68720 ci: remove surplus double quote
• 797711a ci: replace zoispag/action-assign-milestone with GitHub CLI
• 73a7d44 fix(deps): update jackson monorepo to v3.1.3 (#5230)
• cff4d2a feat: add module for Jackson 3.x (#5229)
• 6251fd1 fix(deps): update junit-framework monorepo to v6.1.0 (#5228)
• b825170 chore(deps): update dependency org.apache.maven.plugins:maven-enforcer-plugin...
• 64baec5 ci: build with Java 25 (#4965)
• 07cba6a fix(deps): update dependency org.apache.httpcomponents.client5:httpclient5 to...
• 186359c chore(deps): update maven plugins (#5152)
• Additional commits viewable in compare view

Updates org.openrewrite.recipe:rewrite-recipe-bom from 3.30.1 to 3.31.0

Release notes

Sourced from org.openrewrite.recipe:rewrite-recipe-bom's releases.

3.31.0

What's Changed

• Incorporates the latest versions of OpenRewrite (v8.83.0), the rewrite-gradle-plugin (v7.33.0), and the rewrite-maven-plugin (v6.40.0) to improve code parsing accuracy and recipe execution reliability.

Full Changelog: openrewrite/rewrite-recipe-bom@v3.30.1...v3.31.0

Commits

• 891a5d3 Suppress CVE-2026-39852 (false positive: quarkus-update-recipes) (#50)
• 6c7ebfd Remove alignment check suppression
• d57aa83 Renew false-positive suppressions to 2026-06-01 (#49)
• See full diff in compare view

Updates ch.qos.logback:logback-classic from 1.5.32 to 1.5.33

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.33

2026-05-27 Release of logback version 1.5.33

• PropertiesConfiguratorModelHandler now registers properties file URLs to the ConfigurationWatchList when scan is enabled (via local scan="true" attribute or top-level configuration scan), ensuring changes are detected and reconfiguration occurs. This problem was reported in issues/1034.

• When processing <conversionRule> elements and both class and converterClass attributes are specified, silently use the class attribute without issuing a warning. However, if the attribute values differ, a warning will be issued. This change was requested in issues/1031.

• HardenedModelInputStream will no longer accept to deserialize all classes located under the "java.lang" and "java.util" packages but a limited number of explicitly authorized classes in those packages. This potential deserialization whitelist bypass vulnerability was reported by York Shen and registered as CVE-2026-9828.

• SSL parameters for SSLSocketAppender now enable hostname verification by default. Moreover, the default protocol is now "TLSv1.2". This potential vulnerability was reported by York Shen.

• When printing the status message field, ViewStatusMessagesServletBase now escapes special characters such as "&" as character entities. This potential vulnerability was reported by York Shen.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 124e8b49b55ac34d08743a0646bd463410192647 associated with the tag v_1.5.33. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Commits

• 124e8b4 prepare release 1.5.33
• d8fd6f2 escapeTags in message field when printing status messages
• 95edbeb hostnameVerification default to true in SSLParametersConfiguration, SSL.DEFAU...
• b768a96 remove spurious java.swing.* import
• 12cf2c5 classes in java.lang and java.util are now whitelisted individually
• e9133ed fix typo
• 47089a2 added Filip Egeric icla
• 85735f7 Modified ConversionRuleAction.java: Updated validPreconditions() to
• 614f7a7 the official name for initial instructions file foe coding agents is AGENTS.md
• fe50bb5 fix: do not warn when both converterClass and class attributes are specified ...
• Additional commits viewable in compare view

Updates io.github.oshai:kotlin-logging-jvm from 8.0.03 to 8.0.4

Release notes

Sourced from io.github.oshai:kotlin-logging-jvm's releases.

8.0.4

Align to semver.

Full Changelog: oshai/kotlin-logging@8.0.03...8.0.4

Commits

• 0aaa57c bump to semver 8.0.5
• bf60363 change to semver 8.0.4
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud