chore: consolidate open Dependabot PRs #1551
Bumps [org.assertj:assertj-core](https://github.com/assertj/assertj) from 3.27.4 to 3.27.7.
- [Release notes](https://github.com/assertj/assertj/releases)
- [Commits](assertj/assertj@assertj-build-3.27.4...assertj-build-3.27.7)

---
updated-dependencies:
- dependency-name: org.assertj:assertj-core
  dependency-version: 3.27.7
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the low-risk group with 8 updates in the /java directory:

| Package | From | To |
| --- | --- | --- |
| [com.ensono.stacks.modules:stacks-modules-parent](https://github.com/Ensono/stacks-java-module-parent) | `3.0.111` | `3.0.139` |
| [org.springframework.cloud:spring-cloud-dependencies](https://github.com/spring-cloud/spring-cloud-release) | `2025.0.0` | `2025.1.1` |
| [au.com.dius.pact:consumer](https://github.com/pact-foundation/pact-jvm) | `4.6.17` | `4.6.19` |
| [com.amazonaws:aws-java-sdk-s3](https://github.com/aws/aws-sdk-java) | `1.12.788` | `1.12.797` |
| [org.pitest:pitest-junit5-plugin](https://github.com/pitest/pitest-junit5-plugin) | `1.2.1` | `1.2.3` |
| [au.com.dius.pact.provider:maven](https://github.com/pact-foundation/pact-jvm) | `4.6.17` | `4.6.19` |
| [org.owasp:dependency-check-maven](https://github.com/dependency-check/DependencyCheck) | `12.1.9` | `12.2.0` |
| [org.codehaus.mojo:exec-maven-plugin](https://github.com/mojohaus/exec-maven-plugin) | `3.5.1` | `3.6.3` |

Updates `com.ensono.stacks.modules:stacks-modules-parent` from 3.0.111 to 3.0.139
- [Commits](Ensono/stacks-java-module-parent@v3.0.111...v3.0.139)

Updates `org.springframework.cloud:spring-cloud-dependencies` from 2025.0.0 to 2025.1.1
- [Release notes](https://github.com/spring-cloud/spring-cloud-release/releases)
- [Commits](spring-cloud/spring-cloud-release@v2025.0.0...v2025.1.1)

Updates `au.com.dius.pact:consumer` from 4.6.17 to 4.6.19
- [Release notes](https://github.com/pact-foundation/pact-jvm/releases)
- [Changelog](https://github.com/pact-foundation/pact-jvm/blob/master/CHANGELOG.md)
- [Commits](https://github.com/pact-foundation/pact-jvm/commits)

Updates `com.amazonaws:aws-java-sdk-s3` from 1.12.788 to 1.12.797
- [Changelog](https://github.com/aws/aws-sdk-java/blob/master/CHANGELOG.md)
- [Commits](aws/aws-sdk-java@1.12.788...1.12.797)

Updates `com.puppycrawl.tools:checkstyle` from 12.3.0 to 12.3.1
- [Release notes](https://github.com/checkstyle/checkstyle/releases)
- [Commits](checkstyle/checkstyle@checkstyle-12.3.0...checkstyle-12.3.1)

Updates `org.pitest:pitest-junit5-plugin` from 1.2.1 to 1.2.3
- [Release notes](https://github.com/pitest/pitest-junit5-plugin/releases)
- [Commits](pitest/pitest-junit5-plugin@1.2.1...1.2.3)

Updates `org.springframework.boot:spring-boot-maven-plugin` from 3.5.8 to 3.5.10
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.8...v3.5.10)

Updates `au.com.dius.pact.provider:maven` from 4.6.17 to 4.6.19
- [Release notes](https://github.com/pact-foundation/pact-jvm/releases)
- [Changelog](https://github.com/pact-foundation/pact-jvm/blob/master/CHANGELOG.md)
- [Commits](https://github.com/pact-foundation/pact-jvm/commits)

Updates `org.pitest:pitest-maven` from 1.22.0 to 1.22.1
- [Release notes](https://github.com/hcoles/pitest/releases)
- [Commits](hcoles/pitest@1.22.0...1.22.1)

Updates `org.owasp:dependency-check-maven` from 12.1.9 to 12.2.0
- [Release notes](https://github.com/dependency-check/DependencyCheck/releases)
- [Changelog](https://github.com/dependency-check/DependencyCheck/blob/main/CHANGELOG.md)
- [Commits](dependency-check/DependencyCheck@v12.1.9...v12.2.0)

Updates `org.codehaus.mojo:exec-maven-plugin` from 3.5.1 to 3.6.3
- [Release notes](https://github.com/mojohaus/exec-maven-plugin/releases)
- [Commits](mojohaus/exec-maven-plugin@3.5.1...3.6.3)

---
updated-dependencies:
- dependency-name: com.ensono.stacks.modules:stacks-modules-parent
  dependency-version: 3.0.139
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: org.springframework.cloud:spring-cloud-dependencies
  dependency-version: 2025.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: low-risk
- dependency-name: au.com.dius.pact:consumer
  dependency-version: 4.6.19
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: com.amazonaws:aws-java-sdk-s3
  dependency-version: 1.12.797
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: com.puppycrawl.tools:checkstyle
  dependency-version: 12.3.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: org.pitest:pitest-junit5-plugin
  dependency-version: 1.2.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: org.springframework.boot:spring-boot-maven-plugin
  dependency-version: 3.5.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: au.com.dius.pact.provider:maven
  dependency-version: 4.6.19
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: org.pitest:pitest-maven
  dependency-version: 1.22.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: org.owasp:dependency-check-maven
  dependency-version: 12.2.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: low-risk
- dependency-name: org.codehaus.mojo:exec-maven-plugin
  dependency-version: 3.6.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: low-risk
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the low-risk group with 25 updates in the /api-tests directory:

| Package | From | To |
| --- | --- | --- |
| [com.google.code.gson:gson](https://github.com/google/gson) | `2.13.1` | `2.13.2` |
| [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) | `1.5.18` | `1.5.32` |
| [io.cucumber:cucumber-java](https://github.com/cucumber/cucumber-jvm) | `7.33.0` | `7.34.2` |
| [io.cucumber:cucumber-junit-platform-engine](https://github.com/cucumber/cucumber-jvm) | `7.33.0` | `7.34.2` |
| [org.assertj:assertj-core](https://github.com/assertj/assertj) | `3.27.4` | `3.27.7` |
| [net.bytebuddy:byte-buddy](https://github.com/raphw/byte-buddy) | `1.17.6` | `1.18.5` |
| com.fasterxml.jackson.core:jackson-core | `2.19.2` | `2.21` |
| com.fasterxml.jackson.core:jackson-databind | `2.19.2` | `2.21` |
| [com.fasterxml.jackson.core:jackson-annotations](https://github.com/FasterXML/jackson) | `2.19.2` | `2.21` |
| [io.netty:netty-codec-http](https://github.com/netty/netty) | `4.2.8.Final` | `4.2.10.Final` |
| [io.netty:netty-codec-http2](https://github.com/netty/netty) | `4.2.3.Final` | `4.2.10.Final` |
| [io.netty:netty-transport-native-epoll](https://github.com/netty/netty) | `4.2.3.Final` | `4.2.10.Final` |
| [com.google.guava:guava](https://github.com/google/guava) | `33.4.8-jre` | `33.5.0-jre` |
| [org.projectlombok:lombok](https://github.com/projectlombok/lombok) | `1.18.38` | `1.18.42` |
| [org.apache.httpcomponents.client5:httpclient5](https://github.com/apache/httpcomponents-client) | `5.5` | `5.6` |
| [commons-codec:commons-codec](https://github.com/apache/commons-codec) | `1.19.0` | `1.21.0` |
| [com.github.spotbugs:spotbugs](https://github.com/spotbugs/spotbugs) | `4.9.4` | `4.9.8` |
| [org.owasp:dependency-check-maven](https://github.com/dependency-check/DependencyCheck) | `12.1.9` | `12.2.0` |
| [org.codehaus.mojo:exec-maven-plugin](https://github.com/mojohaus/exec-maven-plugin) | `3.5.1` | `3.6.3` |
| [org.apache.maven.plugins:maven-surefire-plugin](https://github.com/apache/maven-surefire) | `3.5.3` | `3.5.5` |
| [org.apache.maven.plugins:maven-failsafe-plugin](https://github.com/apache/maven-surefire) | `3.5.3` | `3.5.5` |
| [org.apache.maven.plugins:maven-compiler-plugin](https://github.com/apache/maven-compiler-plugin) | `3.14.0` | `3.15.0` |
| [au.com.dius.pact.provider:maven](https://github.com/pact-foundation/pact-jvm) | `4.6.17` | `4.6.20` |
| [org.apache.maven.plugins:maven-pmd-plugin](https://github.com/apache/maven-pmd-plugin) | `3.27.0` | `3.28.0` |
| [com.github.spotbugs:spotbugs-maven-plugin](https://github.com/spotbugs/spotbugs-maven-plugin) | `4.9.3.2` | `4.9.8.2` |

Updates `com.google.code.gson:gson` from 2.13.1 to 2.13.2
- [Release notes](https://github.com/google/gson/releases)
- [Changelog](https://github.com/google/gson/blob/main/CHANGELOG.md)
- [Commits](google/gson@gson-parent-2.13.1...gson-parent-2.13.2)

Updates `ch.qos.logback:logback-classic` from 1.5.18 to 1.5.32
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.18...v_1.5.32)

Updates `io.cucumber:cucumber-java` from 7.33.0 to 7.34.2
- [Release notes](https://github.com/cucumber/cucumber-jvm/releases)
- [Changelog](https://github.com/cucumber/cucumber-jvm/blob/main/CHANGELOG.md)
- [Commits](cucumber/cucumber-jvm@v7.33.0...v7.34.2)

Updates `io.cucumber:cucumber-junit-platform-engine` from 7.33.0 to 7.34.2
- [Release notes](https://github.com/cucumber/cucumber-jvm/releases)
- [Changelog](https://github.com/cucumber/cucumber-jvm/blob/main/CHANGELOG.md)
- [Commits](cucumber/cucumber-jvm@v7.33.0...v7.34.2)

Updates `io.cucumber:cucumber-junit-platform-engine` from 7.33.0 to 7.34.2
- [Release notes](https://github.com/cucumber/cucumber-jvm/releases)
- [Changelog](https://github.com/cucumber/cucumber-jvm/blob/main/CHANGELOG.md)
- [Commits](cucumber/cucumber-jvm@v7.33.0...v7.34.2)

Updates `org.assertj:assertj-core` from 3.27.4 to 3.27.7
- [Release notes](https://github.com/assertj/assertj/releases)
- [Commits](assertj/assertj@assertj-build-3.27.4...assertj-build-3.27.7)

Updates `net.bytebuddy:byte-buddy` from 1.17.6 to 1.18.5
- [Release notes](https://github.com/raphw/byte-buddy/releases)
- [Changelog](https://github.com/raphw/byte-buddy/blob/master/release-notes.md)
- [Commits](raphw/byte-buddy@byte-buddy-1.17.6...byte-buddy-1.18.5)

Updates `com.fasterxml.jackson.core:jackson-core` from 2.19.2 to 2.21

Updates `com.fasterxml.jackson.core:jackson-databind` from 2.19.2 to 2.21

Updates `com.fasterxml.jackson.core:jackson-annotations` from 2.19.2 to 2.21
- [Commits](https://github.com/FasterXML/jackson/commits)

Updates `io.netty:netty-codec-http` from 4.2.8.Final to 4.2.10.Final
- [Commits](netty/netty@netty-4.2.8.Final...netty-4.2.10.Final)

Updates `io.netty:netty-codec-http2` from 4.2.3.Final to 4.2.10.Final
- [Commits](netty/netty@netty-4.2.3.Final...netty-4.2.10.Final)

Updates `io.netty:netty-transport-native-epoll` from 4.2.3.Final to 4.2.10.Final
- [Commits](netty/netty@netty-4.2.3.Final...netty-4.2.10.Final)

Updates `com.google.guava:guava` from 33.4.8-jre to 33.5.0-jre
- [Release notes](https://github.com/google/guava/releases)
- [Commits](https://github.com/google/guava/commits)

Updates `org.projectlombok:lombok` from 1.18.38 to 1.18.42
- [Changelog](https://github.com/projectlombok/lombok/blob/master/doc/changelog.markdown)
- [Commits](projectlombok/lombok@v1.18.38...v1.18.42)

Updates `org.apache.httpcomponents.client5:httpclient5` from 5.5 to 5.6
- [Changelog](https://github.com/apache/httpcomponents-client/blob/master/RELEASE_NOTES.txt)
- [Commits](apache/httpcomponents-client@rel/v5.5...rel/v5.6)

Updates `commons-codec:commons-codec` from 1.19.0 to 1.21.0
- [Changelog](https://github.com/apache/commons-codec/blob/master/RELEASE-NOTES.txt)
- [Commits](apache/commons-codec@rel/commons-codec-1.19.0...rel/commons-codec-1.21.0)

Updates `com.github.spotbugs:spotbugs` from 4.9.4 to 4.9.8
- [Release notes](https://github.com/spotbugs/spotbugs/releases)
- [Changelog](https://github.com/spotbugs/spotbugs/blob/master/CHANGELOG.md)
- [Commits](spotbugs/spotbugs@4.9.4...4.9.8)

Updates `org.owasp:dependency-check-maven` from 12.1.9 to 12.2.0
- [Release notes](https://github.com/dependency-check/DependencyCheck/releases)
- [Changelog](https://github.com/dependency-check/DependencyCheck/blob/main/CHANGELOG.md)
- [Commits](dependency-check/DependencyCheck@v12.1.9...v12.2.0)

Updates `org.codehaus.mojo:exec-maven-plugin` from 3.5.1 to 3.6.3
- [Release notes](https://github.com/mojohaus/exec-maven-plugin/releases)
- [Commits](mojohaus/exec-maven-plugin@3.5.1...3.6.3)

Updates `org.apache.maven.plugins:maven-surefire-plugin` from 3.5.3 to 3.5.5
- [Release notes](https://github.com/apache/maven-surefire/releases)
- [Commits](apache/maven-surefire@surefire-3.5.3...surefire-3.5.5)

Updates `org.apache.maven.plugins:maven-failsafe-plugin` from 3.5.3 to 3.5.5
- [Release notes](https://github.com/apache/maven-surefire/releases)
- [Commits](apache/maven-surefire@surefire-3.5.3...surefire-3.5.5)

Updates `org.apache.maven.plugins:maven-compiler-plugin` from 3.14.0 to 3.15.0
- [Release notes](https://github.com/apache/maven-compiler-plugin/releases)
- [Commits](apache/maven-compiler-plugin@maven-compiler-plugin-3.14.0...maven-compiler-plugin-3.15.0)

Updates `au.com.dius.pact.provider:maven` from 4.6.17 to 4.6.20
- [Release notes](https://github.com/pact-foundation/pact-jvm/releases)
- [Changelog](https://github.com/pact-foundation/pact-jvm/blob/master/CHANGELOG.md)
- [Commits](https://github.com/pact-foundation/pact-jvm/commits)

Updates `org.apache.maven.plugins:maven-pmd-plugin` from 3.27.0 to 3.28.0
- [Release notes](https://github.com/apache/maven-pmd-plugin/releases)
- [Commits](apache/maven-pmd-plugin@maven-pmd-plugin-3.27.0...maven-pmd-plugin-3.28.0)

Updates `com.github.spotbugs:spotbugs-maven-plugin` from 4.9.3.2 to 4.9.8.2
- [Release notes](https://github.com/spotbugs/spotbugs-maven-plugin/releases)
- [Commits](spotbugs/spotbugs-maven-plugin@spotbugs-maven-plugin-4.9.3.2...spotbugs-maven-plugin-4.9.8.2)

---
updated-dependencies:
- dependency-name: com.google.code.gson:gson
  dependency-version: 2.13.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.32
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: io.cucumber:cucumber-java
  dependency-version: 7.34.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: low-risk
- dependency-name: io.cucumber:cucumber-junit-platform-engine
  dependency-version: 7.34.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: low-risk
- dependency-name: io.cucumber:cucumber-junit-platform-engine
  dependency-version: 7.34.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: low-risk
- dependency-name: org.assertj:assertj-core
  dependency-version: 3.27.7
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: net.bytebuddy:byte-buddy
  dependency-version: 1.18.5
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: low-risk
- dependency-name: com.fasterxml.jackson.core:jackson-core
  dependency-version: '2.21'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: low-risk
- dependency-name: com.fasterxml.jackson.core:jackson-databind
  dependency-version: '2.21'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: low-risk
- dependency-name: com.fasterxml.jackson.core:jackson-annotations
  dependency-version: '2.21'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: low-risk
- dependency-name: io.netty:netty-codec-http
  dependency-version: 4.2.10.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: io.netty:netty-codec-http2
  dependency-version: 4.2.10.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: io.netty:netty-transport-native-epoll
  dependency-version: 4.2.10.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: com.google.guava:guava
  dependency-version: 33.5.0-jre
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: low-risk
- dependency-name: org.projectlombok:lombok
  dependency-version: 1.18.42
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: org.apache.httpcomponents.client5:httpclient5
  dependency-version: '5.6'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: low-risk
- dependency-name: commons-codec:commons-codec
  dependency-version: 1.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: low-risk
- dependency-name: com.github.spotbugs:spotbugs
  dependency-version: 4.9.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: org.owasp:dependency-check-maven
  dependency-version: 12.2.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: low-risk
- dependency-name: org.codehaus.mojo:exec-maven-plugin
  dependency-version: 3.6.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: low-risk
- dependency-name: org.apache.maven.plugins:maven-surefire-plugin
  dependency-version: 3.5.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: org.apache.maven.plugins:maven-failsafe-plugin
  dependency-version: 3.5.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: org.apache.maven.plugins:maven-compiler-plugin
  dependency-version: 3.15.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: low-risk
- dependency-name: au.com.dius.pact.provider:maven
  dependency-version: 4.6.20
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: org.apache.maven.plugins:maven-pmd-plugin
  dependency-version: 3.28.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: low-risk
- dependency-name: com.github.spotbugs:spotbugs-maven-plugin
  dependency-version: 4.9.8.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: low-risk
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [com.fasterxml.jackson.core:jackson-core](https://github.com/FasterXML/jackson-core) from 2.19.2 to 2.21.1.
- [Commits](FasterXML/jackson-core@jackson-core-2.19.2...jackson-core-2.21.1)

---
updated-dependencies:
- dependency-name: com.fasterxml.jackson.core:jackson-core
  dependency-version: 2.21.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [svgo](https://github.com/svg/svgo) from 3.3.2 to 3.3.3.
- [Release notes](https://github.com/svg/svgo/releases)
- [Commits](svg/svgo@v3.3.2...v3.3.3)

---
updated-dependencies:
- dependency-name: svgo
  dependency-version: 3.3.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
# Conflicts:
# api-tests/pom.xml
/azp run

Azure Pipelines successfully started running 1 pipeline(s).
Pull request overview
Consolidates multiple open Dependabot updates into a single reviewable branch for the Stacks Java workload repo, updating Maven and npm dependencies across the Java app, api-tests module, and the Azure coverage tooling.
Changes:
- Bumped `stacks-modules-parent` and several Maven-managed dependency/plugin versions in `java/pom.xml`.
- Updated numerous dependency versions in `api-tests/pom.xml` (Jackson, Logback, Netty, AssertJ, ByteBuddy, OWASP DC, and build plugins).
- Updated `build/azDevOps/azure/coverage/package-lock.json` to reflect `svgo` 3.3.3 and related transitive dependency changes.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| java/pom.xml | Updates parent POM and several Maven property versions (Spring Cloud BOM, Pact plugin, OWASP DC, exec plugin, pitest plugin). |
| api-tests/pom.xml | Refreshes dependency and plugin versions used by the api-tests module, including Jackson and test tooling. |
| build/azDevOps/azure/coverage/package-lock.json | Locks updated npm transitive dependencies (including svgo → 3.3.3 and sax migration). |
/azp run

Azure Pipelines successfully started running 1 pipeline(s).
| - name: runVulnerabilityScan | ||
| displayName: Run OWASP Dependency Check | ||
| type: boolean | ||
| default: false |
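Review bot: `default: false` on runVulnerabilityScan makes the OWASP Dependency Check opt-in, and runs started by a trigger rather than queued by hand take the parameter defaults, so they would skip the scan. Default this to true, or add a comment here explaining why the scan is off and how mainline builds are still covered.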
runVulnerabilityScan defaults to false, which disables OWASP Dependency Check by default. If this pipeline is used for CI on master/PRs, this reduces security coverage; consider defaulting to true (or enabling it at least on master builds) and only allowing opt-out for exceptional cases.
| default: false | |
| default: true |
| # Vulnerability Scan | ||
| - name: vulnerability_scan | ||
| value: true | ||
| value: ${{ parameters.runVulnerabilityScan }} | ||
| - name: vulnerability_scan_report |
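Review bot: With `value: ${{ parameters.runVulnerabilityScan }}` the scan can now be switched off, but vulnerability_scan_report on the following line is still defined unconditionally. Check that every step reading vulnerability_scan_report is gated on the same flag, so a run with the scan disabled neither fails on a missing report nor publishes a stale one, and add a comment tying this variable to the parameter.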
vulnerability_scan is now sourced from a boolean parameter, but later this file passes it into templates as a quoted value. The templates gate steps with if eq(parameters.vulnerability_scan, true), which won’t evaluate as expected if the parameter arrives as a string. Pass booleans through without quotes (or change template conditions to compare against a string) so toggling this parameter actually enables/disables the scan.
| DomainToDtoMapperMapstructTest() { | ||
| itemMapper = new ItemMapperImpl(); | ||
|
|
||
| CategoryMapperImpl categoryMapperImpl = new CategoryMapperImpl(); | ||
| ReflectionTestUtils.setField(categoryMapperImpl, "itemMapper", itemMapper); | ||
| categoryMapper = categoryMapperImpl; | ||
|
|
||
| MenuMapperImpl menuMapperImpl = new MenuMapperImpl(); | ||
| ReflectionTestUtils.setField(menuMapperImpl, "categoryMapper", categoryMapper); | ||
| menuMapper = menuMapperImpl; |
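Review bot: The field names "itemMapper" and "categoryMapper" passed to ReflectionTestUtils.setField are plain strings tied to the generated CategoryMapperImpl and MenuMapperImpl, so a rename there is caught only when this constructor runs. Add a comment saying why the mappers are wired by hand in this test, and consider keeping the two names in one shared test helper so other mapper tests do not repeat them.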
This test now wires MapStruct’s Spring-component mappers via ReflectionTestUtils.setField(...) against generated implementation internals. That approach is brittle (field names / injection strategy can change across MapStruct or configuration updates) and may cause hard-to-diagnose failures. Prefer configuring the mappers for constructor injection (MapStruct injectionStrategy = CONSTRUCTOR) or using a lightweight Spring test slice that only instantiates the mapper beans, so the test doesn’t depend on private generated fields.
/azp run

Azure Pipelines successfully started running 1 pipeline(s).
2865c90 to e0c67a9
/azp run

Azure Pipelines successfully started running 1 pipeline(s).
| - name: runVulnerabilityScan | ||
| displayName: Run OWASP Dependency Check | ||
| type: boolean | ||
| default: false |
This changes the pipeline to disable OWASP Dependency Check by default (runVulnerabilityScan defaults to false, and vulnerability_scan now comes from that parameter). This is a security regression compared to the previous always-on scan; consider defaulting the parameter to true (and optionally allow overriding to false) or restricting disabling to non-protected branches so scheduled/mainline builds still always run the scan.
| default: false | |
| default: true |
| <webdriver.base.url/> | ||
| <jackson.version>2.19.2</jackson.version> | ||
| <jackson.version>2.21.1</jackson.version> | ||
| <jackson.annotations.version>2.21</jackson.annotations.version> |
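Review bot: jackson.annotations.version is set to 2.21 while jackson.version on the line above is 2.21.1, and nothing here says whether the difference is deliberate. Add an XML comment beside `<jackson.annotations.version>2.21</jackson.annotations.version>` giving the reason, so a later bump does not change one property without the other by accident.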
jackson-core/jackson-databind are set to 2.21.1, but jackson-annotations is pinned separately to 2.21. This introduces mixed Jackson patch versions, which can cause dependency convergence issues and makes it harder to reason about CVE coverage. Consider aligning jackson-annotations to the same version as the other Jackson artifacts (or manage them via a single BOM/version property).
| <jackson.annotations.version>2.21</jackson.annotations.version> | |
| <jackson.annotations.version>${jackson.version}</jackson.annotations.version> |
This PR consolidates the currently open Dependabot updates into a single branch for review.
Included PRs:
Notes: