Bump the maven group across 1 directory with 12 updates

[dependabot]

Bumps the maven group with 12 updates in the / directory:

Package	From	To
com.google.errorprone:error_prone_core	2.48.0	2.49.0
org.apache.maven.plugins:maven-enforcer-plugin	3.6.2	3.6.3
com.diffplug.spotless:spotless-maven-plugin	3.3.0	3.5.1
com.github.siom79.japicmp:japicmp-maven-plugin	0.25.4	0.25.7
com.google.errorprone:error_prone_annotations	2.48.0	2.49.0
com.google.guava:guava-testlib	33.5.0-jre	33.6.0-jre
com.google.guava:guava	33.5.0-jre	33.6.0-jre
com.guardsquare:proguard-base	7.8.2	7.9.1
org.graalvm.buildtools:native-maven-plugin	0.11.5	1.1.0
com.fasterxml.jackson.core:jackson-databind	2.21.1	2.21.3
com.google.protobuf:protobuf-java	4.34.0	4.34.1
io.github.ascopes:protobuf-maven-plugin	5.0.2	5.1.4

Updates com.google.errorprone:error_prone_core from 2.48.0 to 2.49.0

Release notes

Sourced from com.google.errorprone:error_prone_core's releases.

Error Prone 2.49.0

This release includes several changes to Matcher APIs, and removed some deprecated or problematic APIs:

• Remove deprecated MethodMatchers.withSignature API, which relies on fragile toString behaviour. Alternatives for matching on method signatures with varargs and type parameters were added in google/error-prone@a98a1c5.
• Removed variableType(Matcher) API. Matchers.variableType(Matcher) uses VariableTree#getType to match variable types, which own't work for lambda parameters with inferred types after JDK-8268850. The recommended replacement is variableType(TypePredicate).
• Make enclosingPackage return an optional. Module elements are not enclosed by a package, checks using enclosingPackage shouldn't assume an enclosing package exists when processing arbitrary elements.
• New FieldMatchers API, similar to MethodMatchers (google/error-prone@1dd9c3a).

New checks:

• AssertThrowsBlockToExpression: Discourage unnecessary block lambdas in assertThrows.
• AssertThrowsMinimizer: Suggest minimizing the amount of logic in assertThrows.
• MemorySegmentReferenceEquality: Discourage using reference equality for MemorySegments.
• PreferThrowsTag: Recommends using @throws instead of the legacy @exception javadoc tag.
• RecordAccessorInCompactConstructor: detect record accessors inside the compact canonical ctors, which read uninitialized fields.

Closed issues: #2283, #3503, #5210, #5289, #5548, #5548, #5554, #5609, #5614, #5656

Full changelog: google/error-prone@v2.48.0...v2.49.0

Commits

• 89d75c1 Release Error Prone 2.49.0
• 0b7b03b Fix up some javadoc on `ModifySourceCollectionInStream.isStreamApiInvocationO...
• fe5a7b1 Remove old FieldMatchers API
• d54a1d1 Fix up some Finally javadocs.
• d93b319 [RefactorSwitch] bugfix comment handling
• ff59782 [IfChainToSwitch] cleanup redundant conditions in ternary. No functional cha...
• 43b6df6 Generalise DuplicateAssertion to handle check* methods.
• 2c4346f Fix a bug in BooleanLiteral: it currently suggests replacing `Boolean.FALSE...
• 559039b [IfChainToSwitch] doc-only change. fix typo in code comments.
• 393c61c [IfChainToSwitch] enhance code generation to emit unnamed variables, when sup...
• Additional commits viewable in compare view

Updates org.apache.maven.plugins:maven-enforcer-plugin from 3.6.2 to 3.6.3

Release notes

Sourced from org.apache.maven.plugins:maven-enforcer-plugin's releases.

3.6.3

🚀 New features and improvements

• Make bannedDependencies report root and transitive dependency in case both are banned. (#940) @​hvoynov
• Add enforceBytecodeVersion rule based on mojohaus (#968) @​cstamas
• Improve formatting of deprecated API warning (#951) @​mthmulders

🐛 Bug Fixes

• Fix handling of Java versions like 21.0.10.0.1 (#967) @​parttimenerd
• Add null checks for modelId in PluginWrapper (#974) @​cpfeiffer

📝 Documentation updates

• Document the banMavenDefaults option for the requirePluginVersions rule. (#936) @​rpkrajewski

👻 Maintenance

• PlexusStringUtils Refaster recipes (#943) @​slachiewicz
• JUnit Jupiter migration from JUnit 4.x (#941) @​slachiewicz

📦 Dependency updates

• Bump org.apache.logging.log4j:log4j-core from 2.25.3 to 2.25.4 in /maven-enforcer-plugin/src/it/projects/MENFORCER-434 (#970) @dependabot[bot]
• Deps: Parent POM 48 and align deps (#979) @​cstamas
• Bump commons-codec:commons-codec from 1.21.0 to 1.22.0 (#976) @dependabot[bot]
• Bump commons-io:commons-io from 2.21.0 to 2.22.0 (#975) @dependabot[bot]
• Bump mavenVersion from 3.9.14 to 3.9.15 (#973) @dependabot[bot]
• Bump mavenVersion from 3.9.13 to 3.9.14 (#965) @dependabot[bot]
• Bump mavenVersion from 3.9.12 to 3.9.13 (#964) @dependabot[bot]
• Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness from 3.5.0 to 3.5.1 (#963) @dependabot[bot]
• Update log4j in test to avoid CVE (#961) @​Bukama
• Bump commons-codec:commons-codec from 1.20.0 to 1.21.0 (#962) @dependabot[bot]
• Bump org.assertj:assertj-core from 3.27.6 to 3.27.7 (#960) @dependabot[bot]
• Bump org.codehaus.mojo:mrm-maven-plugin from 1.7.0 to 1.7.1 (#959) @dependabot[bot]
• Bump org.apache.maven:maven-parent from 46 to 47 (#958) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-archiver from 4.10.4 to 4.11.0 (#957) @dependabot[bot]
• Update to 46 including fixes (#955) @​Bukama
• Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness from 3.3.0 to 3.5.0 (#956) @dependabot[bot]
• Bump mavenVersion from 3.9.11 to 3.9.12 (#948) @dependabot[bot]
• Bump org.apache.commons:commons-lang3 from 3.19.0 to 3.20.0 (#947) @dependabot[bot]
• Bump commons-io:commons-io from 2.20.0 to 2.21.0 (#946) @dependabot[bot]
• Bump commons-codec:commons-codec from 1.19.0 to 1.20.0 (#945) @dependabot[bot]

Commits

• c7daff3 [maven-release-plugin] prepare release enforcer-3.6.3
• ee46e78 Make bannedDependencies report root and transitive dependency in case both ar...
• 0806924 Document the banMavenDefaults option for the requirePluginVersions rule. (#936)
• 8e4f5b9 Add better enforceBytecodeVersion rule based on mojohaus (#968)
• fd4b148 Add fix for 21.0.10.0.1 issue (#967)
• f32d597 Deps: Parent POM 48 and align deps (#979)
• df0f2a6 Bump commons-codec:commons-codec from 1.21.0 to 1.22.0 (#976)
• 2da7a68 Add null checks for modelId in PluginWrapper
• 91eb4d9 Bump commons-io:commons-io from 2.21.0 to 2.22.0 (#975)
• b622245 Bump mavenVersion from 3.9.14 to 3.9.15 (#973)
• Additional commits viewable in compare view

Updates com.diffplug.spotless:spotless-maven-plugin from 3.3.0 to 3.5.1

Release notes

Sourced from com.diffplug.spotless:spotless-maven-plugin's releases.

Maven Plugin v3.5.1

Fixed

• <licenseHeader> with <yearMode>SET_FROM_GIT</yearMode> no longer runs git log through a shell, eliminating a shell-injection vector when formatting files whose names contain shell metacharacters.
• Bump transitive plexus-utils 4.0.2 -> 4.0.3 to address CVE-2025-67030. (#2919)

Maven Plugin v3.5.0

Added

• <scalafmt> now reads the version from the version field in the scalafmt config file when no <version> is explicitly set, falling back to the built-in default only if neither is available. (#2922)
• Add <toml> format type with <versionCatalog> step for formatting and sorting Gradle version catalog files. (#2916)
• Add <javaparserVersion> option to <cleanthat>, allowing users to override the JavaParser version pulled in transitively by Cleanthat. (#2903)
• Add a expandWildcardImports API for java (#2829)

Fixed

• Preserve case of JDBI named bind params that collide with SQL keywords (e.g. :limit, :offset) in the DBeaver SQL formatter. (#2899)
• The -Dspotless.ratchetFrom=... user property now takes priority over <ratchetFrom> configured in the plugin or in individual formatters, instead of being overridden by them. (#2896, fixes #2842)
• Fix non-idempotent formatting when importOrder() is combined with greclipse(): a single catch-all group no longer strips blank lines that greclipse() independently inserted between import groups. (#2914)

Changes

• Fix expandWildcardImports failing on JDK XML types such as org.xml.sax.InputSource. (#2921)
• Use Eclipse JDT's collator-based comparison when sorting Java members to better match Eclipse save actions. (#2920)
• Bump default cleanthat version 2.24 -> 2.25. (#2903)
• Bump default eclipse-jdt version from 4.35 to 4.39. (#2912)

Maven Plugin v3.4.0

Added

• Add tableTest format type for standalone .table files. (#2880)

Changes

• Bump default tabletest-formatter version 1.0.1 -> 1.1.1, now works with Java 17+. (#2880)

Lib v3.3.1

Fixed

• GitPrePushHookInstaller didn't work on windows, now fixed. (#2562)

Changelog

Sourced from com.diffplug.spotless:spotless-maven-plugin's changelog.

spotless-lib and spotless-lib-extra releases

If you are a Spotless user (as opposed to developer), then you are probably looking for:

• https://github.com/diffplug/spotless/blob/main/plugin-gradle/CHANGES.md
• https://github.com/diffplug/spotless/blob/main/plugin-maven/CHANGES.md

This document is intended for Spotless developers.

We adhere to the keepachangelog format (starting after version 1.27.0).

[Unreleased]

[4.6.2] - 2026-05-27

Fixed

• P2Provisioner now passes cache directory overrides directly to Solstice. (#2944)
• forbidWildcardImports and forbidModuleImports now detect imports that have leading whitespace (indentation/tabs). (#2939)
• versionCatalog step no longer splits long inline tables across multiple lines — Gradle's TOML 1.0 parser cannot read multi-line inline tables. The maxLineLength option has been removed. (#2948)

Changes

• EclipseJdtFormtterStep now can conditionally set compiler source/compliance options. Allows for better parsing of AST Node for newer language features and more correct sorting; e.g. records or seal classes. (#2942)
• Formatter no longer recomputes line-ending normalization (LineEnding.toUnix) a second time for every formatter step that changes content, removing redundant O(n) work from the core formatting loop. (#2934)
• expandWildcardImports support pom type dependency. (#2839)

[4.6.1] - 2026-05-15

Fixed

• LicenseHeaderStep in SET_FROM_GIT year mode no longer invokes git log through bash -c / cmd /c, eliminating a shell-injection vector when processing repositories that contain files whose names include shell metacharacters.

[4.6.0] - 2026-05-14

Added

• scalafmt() now reads the version from the version field in the scalafmt config file when no version is explicitly set in the plugin config, falling back to the built-in default only if neither is available. (#2922)
• Add versionCatalog step for formatting and sorting Gradle version catalog (.toml) files. (#2916)
• Add javaparserVersion option to the Cleanthat step, allowing callers to override the JavaParser version pulled in transitively by Cleanthat. (#2903)

Fixed

• Preserve case of JDBI named bind params that collide with SQL keywords (e.g. :limit, :offset) in the DBeaver SQL formatter. (#2899)
• Fix non-idempotent formatting when importOrder() is combined with greclipse(): a single catch-all group no longer strips blank lines that greclipse() independently inserted between import groups. (#2914)

Changes

• Fix expandWildcardImports failing on JDK XML types such as org.xml.sax.InputSource. (#2921)
• Use Eclipse JDT's collator-based comparison when sorting Java members to better match Eclipse save actions. (#2920)
• Bump default cleanthat version 2.24 -> 2.25. (#2903)
• Bump default eclipse-jdt version from 4.35 to 4.39. (#2912)

[4.5.0] - 2026-03-18

Added

• Add tableTest format type for standalone .table files. (#2880)

Changes

• Bump default tabletest-formatter version 1.0.1 -> 1.1.1, now works with Java 17+. (#2880)

[4.4.0] - 2026-03-02

Added

• Add tabletest-formatter support for Java and Kotlin. (#2860)

... (truncated)

Commits

• 0c48edf Published maven/3.5.1
• c1595c8 Published gradle/8.5.1
• b26b570 Published lib/4.6.1
• ac3f6f1 Bump plexus-utils to 4.0.3 to address CVE-2025-67030 (#2932)
• f5039f6 Bump plexus-utils to 4.0.3 to address CVE-2025-67030
• 0e77837 Fix shell-injection in LicenseHeaderStep SET_FROM_GIT mode (#2931)
• 84f6423 Fix shell-injection in LicenseHeaderStep SET_FROM_GIT mode
• b87eb75 Published maven/3.5.0
• 97c3baf Published gradle/8.5.0
• 3dd1a96 Published lib/4.6.0
• Additional commits viewable in compare view

Updates com.github.siom79.japicmp:japicmp-maven-plugin from 0.25.4 to 0.25.7

Release notes

Sourced from com.github.siom79.japicmp:japicmp-maven-plugin's releases.

japicmp-base-0.25.7

• Report incompatiblity in case a class changes from implementing a generic interface with raw types to concrete type parameters #507

japicmp-base-0.25.6

• No NPE in case of Maven artifacts without file #504

japicmp-base-0.25.5

0.25.5 (2026-04-09)

• getAnnotations() no longer returns empty list in case of removed members #497

Commits

• be5cc07 [maven-release-plugin] prepare release japicmp-base-0.25.7
• 1bb413b upgraded version in *.md files to 0.25.7
• 8134aa2 Add release notes for version 0.25.7
• 7eb8cc7 Merge pull request #508 from siom79/claude/plan-issue-507-fix-SMPd6
• 06648b2 Fix false negative when non-bridge method matches compiler-generated bridge m...
• 4d90a6e Merge pull request #506 from siom79/release-v0.25.6
• 92f6f1b Update gh-release.yml
• f306b5c [maven-release-plugin] prepare for next development iteration
• c69cec6 [maven-release-plugin] prepare release japicmp-base-0.25.6
• e8bdba6 upgraded version in *.md files to 0.25.6
• Additional commits viewable in compare view

Updates com.google.errorprone:error_prone_annotations from 2.48.0 to 2.49.0

Release notes

Sourced from com.google.errorprone:error_prone_annotations's releases.

Error Prone 2.49.0

This release includes several changes to Matcher APIs, and removed some deprecated or problematic APIs:

• Remove deprecated MethodMatchers.withSignature API, which relies on fragile toString behaviour. Alternatives for matching on method signatures with varargs and type parameters were added in google/error-prone@a98a1c5.
• Removed variableType(Matcher) API. Matchers.variableType(Matcher) uses VariableTree#getType to match variable types, which own't work for lambda parameters with inferred types after JDK-8268850. The recommended replacement is variableType(TypePredicate).
• Make enclosingPackage return an optional. Module elements are not enclosed by a package, checks using enclosingPackage shouldn't assume an enclosing package exists when processing arbitrary elements.
• New FieldMatchers API, similar to MethodMatchers (google/error-prone@1dd9c3a).

New checks:

• AssertThrowsBlockToExpression: Discourage unnecessary block lambdas in assertThrows.
• AssertThrowsMinimizer: Suggest minimizing the amount of logic in assertThrows.
• MemorySegmentReferenceEquality: Discourage using reference equality for MemorySegments.
• PreferThrowsTag: Recommends using @throws instead of the legacy @exception javadoc tag.
• RecordAccessorInCompactConstructor: detect record accessors inside the compact canonical ctors, which read uninitialized fields.

Closed issues: #2283, #3503, #5210, #5289, #5548, #5548, #5554, #5609, #5614, #5656

Full changelog: google/error-prone@v2.48.0...v2.49.0

Commits

• 89d75c1 Release Error Prone 2.49.0
• 0b7b03b Fix up some javadoc on `ModifySourceCollectionInStream.isStreamApiInvocationO...
• fe5a7b1 Remove old FieldMatchers API
• d54a1d1 Fix up some Finally javadocs.
• d93b319 [RefactorSwitch] bugfix comment handling
• ff59782 [IfChainToSwitch] cleanup redundant conditions in ternary. No functional cha...
• 43b6df6 Generalise DuplicateAssertion to handle check* methods.
• 2c4346f Fix a bug in BooleanLiteral: it currently suggests replacing `Boolean.FALSE...
• 559039b [IfChainToSwitch] doc-only change. fix typo in code comments.
• 393c61c [IfChainToSwitch] enhance code generation to emit unnamed variables, when sup...
• Additional commits viewable in compare view

Updates com.google.guava:guava-testlib from 33.5.0-jre to 33.6.0-jre

Release notes

Sourced from com.google.guava:guava-testlib's releases.

33.6.0

Maven

<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
  <version>33.6.0-jre</version>
  <!-- or, for Android: -->
  <version>33.6.0-android</version>
</dependency>

Jar files

• 33.6.0-jre.jar
• 33.6.0-android.jar

Guava requires one runtime dependency, which you can download here:

• failureaccess-1.0.3.jar

Javadoc

• 33.6.0-jre
• 33.6.0-android

JDiff

• 33.6.0-jre vs. 33.5.0-jre
• 33.6.0-android vs. 33.5.0-android
• 33.6.0-android vs. 33.6.0-jre

Changelog

• Migrated some classes from finalize() to PhantomReference in preparation for the removal of finalization. (786b619dd6, 7c6b17c, aeef90988d)
• cache: Deprecated CacheBuilder APIs that use TimeUnit in favor of those that use Duration. (73f8b0bb84)
• collect: Added toImmutableSortedMap collectors that use the natural comparator. (64d70b9f94)
• collect: Changed ConcurrentHashMultiset, ImmutableMap and TreeMultiset deserialization to avoid mutating final fields. In extremely unlikely scenarios in which an instance of that type contains an object that refers back to that instance, this could lead to a broken instance that throws NullPointerException when used. (8240c7e596, 046468055f)
• graph: Removed @Beta from all APIs in the package. (dae9566b73)
• graph: Added support to Graphs.transitiveClosure() for different strategies for adding self-loops. (2e13df25b2)
• graph: Added an asNetwork() view to Graph and ValueGraph. (909c593c61)
• hash: Added BloomFilter.serializedSize(). (df9bcc251a)
• net: Added HttpHeaders.CDN_CACHE_CONTROL. (75331b5030)

Commits

• See full diff in compare view

Updates com.google.guava:guava from 33.5.0-jre to 33.6.0-jre

Release notes

Sourced from com.google.guava:guava's releases.

33.6.0

Maven

<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
  <version>33.6.0-jre</version>
  <!-- or, for Android: -->
  <version>33.6.0-android</version>
</dependency>

Jar files

• 33.6.0-jre.jar
• 33.6.0-android.jar

Guava requires one runtime dependency, which you can download here:

• failureaccess-1.0.3.jar

Javadoc

• 33.6.0-jre
• 33.6.0-android

JDiff

• 33.6.0-jre vs. 33.5.0-jre
• 33.6.0-android vs. 33.5.0-android
• 33.6.0-android vs. 33.6.0-jre

Changelog

• Migrated some classes from finalize() to PhantomReference in preparation for the removal of finalization. (786b619dd6, 7c6b17c, aeef90988d)
• cache: Deprecated CacheBuilder APIs that use TimeUnit in favor of those that use Duration. (73f8b0bb84)
• collect: Added toImmutableSortedMap collectors that use the natural comparator. (64d70b9f94)
• collect: Changed ConcurrentHashMultiset, ImmutableMap and TreeMultiset deserialization to avoid mutating final fields. In extremely unlikely scenarios in which an instance of that type contains an object that refers back to that instance, this could lead to a broken instance that throws NullPointerException when used. (8240c7e596, 046468055f)
• graph: Removed @Beta from all APIs in the package. (dae9566b73)
• graph: Added support to Graphs.transitiveClosure() for different strategies for adding self-loops. (2e13df25b2)
• graph: Added an asNetwork() view to Graph and ValueGraph. (909c593c61)
• hash: Added BloomFilter.serializedSize(). (df9bcc251a)
• net: Added HttpHeaders.CDN_CACHE_CONTROL. (75331b5030)

Commits

• See full diff in compare view

Updates com.guardsquare:proguard-base from 7.8.2 to 7.9.1

Release notes

Sourced from com.guardsquare:proguard-base's releases.

7.9.1

Bugfixes

• Fix regression in Kotlin metadata shrinking (#527).

7.9

Kotlin support

• Add support for Kotlin 2.3.

Java support

• Add support for Java 26.

Commits

• b464127 Prepare 7.9.1
• 11e552e Fix KotlinShrinker and add tests
• dd28444 Update version. clean outdated comment
• 7528722 Reapply "Migrate to Shadow 9" (#525)
• d6b0ba7 Upgrade pgcore and prepare release for java 26 support (#524)
• 51061ec Revert "Migrate to Shadow 9 (#497)" (#523)
• 30492a3 Migrate to Shadow 9 (#497)
• db91344 Upgrade kotest, use java 11 for building everything
• 9243e6d Introduce version catalog
• 23f5c1c Use Locale.ROOT in lower/upper case.
• Additional commits viewable in compare view

Updates org.graalvm.buildtools:native-maven-plugin from 0.11.5 to 1.1.0

Release notes

Sourced from org.graalvm.buildtools:native-maven-plugin's releases.

1.1.0

What's Changed

• Release 1.0.0 by @​graalvmbot in graalvm/native-build-tools#857
• Bump version to 1.0.1-SNAPSHOT by @​graalvmbot in graalvm/native-build-tools#858
• Use a safer way to create the temporary access filter file by @​sschuberth in graalvm/native-build-tools#852
• Bump io.netty:netty-codec-http from 4.1.129.Final to 4.1.132.Final in /samples/metadata-repo-integration by @​dependabot[bot] in graalvm/native-build-tools#859
• Add class introduced in 5.14.1/6.0.1 by @​marcphilipp in graalvm/native-build-tools#794
• Reduce CI usage by running CI only on "pull_request" and running only the latest gradle version (except when creating a new release) by @​jormundur00 in graalvm/native-build-tools#861
• Update latest docs symlink and improve 1.0.0 release notes by @​jormundur00 in graalvm/native-build-tools#866
• Fix early classpath resolution in GenerateDynamicAccessMetadata by @​jormundur00 in graalvm/native-build-tools#868
• Bump reachability metadata version to 1.0.0 by @​jormundur00 in graalvm/native-build-tools#879
• Add listLibrariesMissingMetadata task/goal for Gradle and Maven by @​jormundur00 in graalvm/native-build-tools#877

Full Changelog: graalvm/native-build-tools@1.0.0...1.1.0

1.0.0

Breaking Changes

• Native Build Tools 1.0.0 moves to the 1.0-M1 release of the reachability metadata repository, which uses the new reachability-metadata.json metadata format and no longer uses the global metadata/index.json.
• This may require dependency and metadata updates in downstream projects; some stacks can regress until they adapt.

What's Changed

• Fix broken JavaApplicationFunctionalTest due to using a removed feature by @​jormundur00 in graalvm/native-build-tools#850
• Remove the usage of the global metadata/index.json from the nbt plugins by @​jormundur00 in graalvm/native-build-tools#829
• Add reachability-metadata-schema cross-validation by @​jormundur00 in graalvm/native-build-tools#840
• Merge 1.0-M1 branch to master by @​jormundur00 in graalvm/native-build-tools#848

Full Changelog: graalvm/native-build-tools@0.11.5...1.0.0

Commits

• 84cc046 Release 1.1.0
• 95512d0 Add listLibrariesMissingMetadata task/goal for Gradle and Maven (#877)
• 0dcda78 Merge pull request #879 from jormundur00/bump-metadata-repository-1.0.0
• e5b90f0 Bump reachability metadata version to 1.0.0
• 05f45d3 Fix early classpath resolution in GenerateDynamicAccessMetadata (#868)
• 4d614c7 Update latest docs symlink and improve 1.0.0 release notes (#866)
• ee1351d Reduce CI usage by running CI only on "pull_request" and running only the lat...
• c6f3674 Add class introduced in 5.14.1/6.0.1 (#794)
• 5bc69bd Bump io.netty:netty-codec-http from 4.1.129.Final to 4.1.132.Final in /sample...
• 395f3b2 Use a safer way to create the temporary access filter file (#852)
• Additional commits viewable in compare view

Updates com.fasterxml.jackson.core:jackson-databind from 2.21.1 to 2.21.3

Commits

• See full diff in compare view

Updates com.google.protobuf:protobuf-java from 4.34.0 to 4.34.1

Commits

• See full diff in compare view

Updates io.github.ascopes:protobuf-maven-plugin from 5.0.2 to 5.1.4

Release notes

Sourced from io.github.ascopes:protobuf-maven-plugin's releases.

v5.1.4

Release notes

• Deprecated protocDigest parameter for removal in the future. It is now replaced with <digest> within a PathProtocDistribution or UriProtocDistribution object, which makes this API consistent with the Protoc plugin API.

  • Users may continue to use the current mechanism until the next major version but are advised to update their usages where possible.
  • The next major version will not support digests on Maven-based protoc distributions, as this is redundant functionality.
  • Documentation examples have been updated to reflect the change.
  • For example:

  <configuration>
    <protoc kind="url">
      <url>https://...</url>
      <digest>sha1:a927271a34eab2353662e2ec6f0686553034821a</digest>
    </protoc>
  </configuration>

• Added missing digest verification functionality for path based protoc plugins.

• Optimised digest generation and decoding to utilise SIMD functionality within the JDK. This reduces both overhead and memory consumption in complex builds.

• Improved control flow for dependency resolution.

• Removed noisy logging during plexus configuration merging.

Other changes

• Build on Maven 3.9.15.
• Dependency updates, as usual.

v5.1.3

Fairly large update to existing code that bundles several QoL improvements and bugfixes to improve user experience.

Bugfixes

• Fix NullPointerException raised when failing to resolve dependencies in certain cases (@​askoog, GH-980).
• Abstract away class references from Plexus parameter converters entirely. This avoids edge cases where ClassWorlds within Maven may try to classload the same classes in multiple places, causing class definition mismatches and breaking type conversion within POMs. This is a defensive workaround to the issue originally addressed by GH-974.
• Remove caching of sealed types to further avoid issues such as those in GH-974.
• Make configurator classes into singletons to enforce fixes for GH-974.

UX improvements

• Users are now warned in cases where we mitigate issues caused by overriding a string attribute in a child POM with an object attribute in a parent POM. The erroneous configuration is now logged as a warning, and a suggested fix is logged to the user.
• Improved error messages reported during failures in artifact resolution.

Performance improvements

... (truncated)

Commits

• 49cfe68 [maven-release-plugin] prepare release v5.1.4
• 666e799 Merge pull request #994 from ascopes/dependabot/maven/main/maven-703df8ac75
• 7a0378b Merge pull request #993 from ascopes/task/gh-968
• e67a64a Remove noisy logging of merge plexus issues that are spurious
• cc512cd Disable deprecated plugin generation steps
• be13f22 Bump the maven group across 2 directories with 2 updates
• 73ae44f GH-968: deprecate protocDigest and move inside protocDistribution models
• 83556fa Merge pull request #992 from ascopes/task/GSON is always converting a long number to scientific notation format. #968-missing-plugin-path-digest
• eff1320 GH-968: add missing digest functionality to path plugins
• 54eae7d Merge pull request #991 from ascopes/dependabot/maven/protobuf-maven-plugin/s...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[Marcono1234]

Fix for the new Error Prone warnings in #3030