build(deps): bump com.squareup.okhttp3:okhttp from 4.9.2 to 5.4.0 #4868

Open: dependabot[bot] wants to merge 1 commit into master from dependabot/gradle/com.squareup.okhttp3-okhttp-5.3.2

@dependabot dependabot Bot commented on behalf of github May 19, 2026

Contributor

Bumps com.squareup.okhttp3:okhttp from 4.9.2 to 5.4.0.

Changelog

Sourced from com.squareup.okhttp3:okhttp's changelog.

Version 5.4.0

2026-06-08

  • New: Add superpowers to interceptors. Interceptors can now override anything settable on OkHttpClient.Builder, such as the cache, connection pool, socket factory, and DNS. We expect this will allow most users to use interceptors everywhere, instead of mixing and matching interceptors with custom Call.Factory wrappers.
  • Fix: Limit each HTTP/2 response to 256 KiB of total headers.
  • Upgrade: kotlinx.coroutines 1.11.0. This is used by the optional okhttp-coroutines artifact.
  • Upgrade: GraalVM 25.0.3.
  • Upgrade: Okio 3.17.0.

Version 5.3.2

2025-11-18

  • Fix: Don't delay triggering timeouts. In Okio 3.16.0 we introduced a regression that caused timeouts to fire later than they were supposed to.

  • Upgrade: Okio 3.16.4.

Version 5.3.1

2025-11-16

This release is the same as 5.3.0. Okio 3.16.3 didn't have a necessary fix!

  • Upgrade: Okio 3.16.3.

Version 5.3.0

2025-10-30

  • New: Add tags to Call, including computable tags. Use this to attach application-specific metadata to a Call in an EventListener or Interceptor. The tag can be read in any other EventListener or Interceptor.

      override fun intercept(chain: Interceptor.Chain): Response {
        chain.call().tag(MyAnalyticsTag::class) {
          MyAnalyticsTag(...)
        }
        return chain.proceed(chain.request())
      }

... (truncated)

Commits

@dependabot added the Dependencies (Pull requests that update a dependency file) and java (Pull requests that update java code) labels May 19, 2026
@dependabot force-pushed the dependabot/gradle/com.squareup.okhttp3-okhttp-5.3.2 branch from ef142f7 to 09dc1e4 May 21, 2026 07:36
Bumps [com.squareup.okhttp3:okhttp](https://github.com/square/okhttp) from 4.9.2 to 5.4.0.
- [Changelog](https://github.com/square/okhttp/blob/master/CHANGELOG.md)
- [Commits](square/okhttp@parent-4.9.2...parent-5.4.0)

---
updated-dependencies:
- dependency-name: com.squareup.okhttp3:okhttp
  dependency-version: 5.3.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot changed the title from "build(deps): bump com.squareup.okhttp3:okhttp from 4.9.2 to 5.3.2" to "build(deps): bump com.squareup.okhttp3:okhttp from 4.9.2 to 5.4.0" Jun 9, 2026
@dependabot force-pushed the dependabot/gradle/com.squareup.okhttp3-okhttp-5.3.2 branch from 09dc1e4 to e694f4a June 9, 2026 06:25

@DeepDiver1975 DeepDiver1975 left a comment

Member

Review: OkHttp 4.9.2 → 5.4.0 (major bump) — changes requested / do not merge as-is

This is a major-version bump of OkHttp, the HTTP client at the core of the app's entire network stack (owncloudComLibrary). It is not a routine dependency update and the CI gate is currently red:

  • Run Android Unit Tests — failing
  • Run Android Instrumented Data Tests — failing

Both build/test jobs fail, which strongly suggests the 5.x artifact does not compile/link cleanly against this module rather than a flaky test.

Migration risks identified in this codebase:

  1. Transitive OkHttp consumers pinned to the 4.x API. owncloudComLibrary/build.gradle also declares:

    • com.github.owncloud:dav4android:oc_support_2.1.5 — the WebDAV layer is built on OkHttp; it is compiled against OkHttp 3/4 and is a likely source of a binary/API mismatch under OkHttp 5.
    • com.facebook.stetho:stetho-okhttp3:1.6.0 (debug) — used by DebugInterceptorFactory/StethoInterceptor; Stetho is unmaintained and built against the old OkHttp API, a classic breakage point on a 5.x bump.
      These pin the network stack to the OkHttp 4.x surface; bumping only okhttp to 5.x without aligning them is the most probable cause of the red build.
  2. OkHttp 5 raised its baseline (Okio 3.x / Kotlin metadata). No explicit okio pin exists in this module, so it relies on the transitive Okio brought by OkHttp; a 5.x bump pulls a newer Okio that other deps may not expect.

  3. Core wiring to re-verify under 5.x (in HttpClient.java): the custom OkHttpClient.Builder chain — sslSocketFactory(sslSocketFactory, trustManager), hostnameVerifier(KnownServersHostnameVerifier), protocols(HTTP_1_1), followRedirects(false), custom CookieJar, TlsVersion.*.javaName() — plus the custom AdvancedX509TrustManager. OkHttp 5 tightened TLS/connection behavior; the custom trust manager + hostname verifier path (used for self-signed/known-servers) must be confirmed to still behave identically.

What's needed before this can land:

  • Get the build green: align the transitive OkHttp consumers (dav4android, replace/drop the Stetho debug interceptor) so the whole module compiles against 5.x.
  • Manually validate the network stack against a real server: TLS handshake (incl. self-signed/known-servers flow), cookie handling, chunked upload/download, redirects-disabled behavior, and WebDAV ops.

Given a major bump of the core networking library with failing CI and unresolved transitive-dependency incompatibilities, I'm requesting changes — not approving. (No changelog action: owncloud/android uses no fragment/CHANGELOG convention for this module, so n/a.)

— Automated maintainer review by Claude Code review agent
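
A check for migration risk 1 in the review above, as an added example (not part of the PR or of owncloud/android): it reads a Gradle `dependencies` tree and reports every consumer whose requested OkHttp version was moved to a different major by conflict resolution (the `->` marker). The tree is a constructed sample, and the OkHttp versions requested by dav4android and stetho-okhttp3 in it are illustrative assumptions.

```python
import re

# Constructed sample of Gradle `dependencies` output. The okhttp versions
# requested by the two consumers are illustrative, not taken from the PR.
SAMPLE_TREE = r"""
+--- com.squareup.okhttp3:okhttp:5.4.0
|    \--- com.squareup.okio:okio:3.17.0
+--- com.github.owncloud:dav4android:oc_support_2.1.5
|    \--- com.squareup.okhttp3:okhttp:4.9.2 -> 5.4.0 (*)
\--- com.facebook.stetho:stetho-okhttp3:1.6.0
     +--- com.facebook.stetho:stetho:1.6.0
     \--- com.squareup.okhttp3:okhttp:3.12.0 -> 5.4.0 (*)
"""

# Indent units are 5 characters wide ("|    " or "     "), then "+--- " or "\--- ".
NODE = re.compile(r"^((?:[| ] {4})*)[+\\]--- (\S+?):(\S+?):(\S+)(?: -> (\S+))?")


def major(version):
    """Leading integer of a version string, or None for non-numeric versions."""
    m = re.match(r"\d+", version)
    return int(m.group()) if m else None


def cross_major_upgrades(tree, group="com.squareup.okhttp3", name="okhttp"):
    """Return (consumer, requested, resolved) for each consumer whose requested
    group:name version was resolved to a different major version."""
    findings, stack = [], []  # stack[d] = coordinate of the ancestor at depth d
    for line in tree.splitlines():
        m = NODE.match(line)
        if not m:
            continue
        indent, g, n, requested, resolved = m.groups()
        depth = len(indent) // 5
        del stack[depth:]
        stack.append(f"{g}:{n}:{requested}")
        # Only transitive requests that conflict resolution actually changed.
        if (g, n) != (group, name) or resolved is None or depth == 0:
            continue
        if major(requested) != major(resolved):
            findings.append((stack[depth - 1], requested, resolved))
    return findings


if __name__ == "__main__":
    for consumer, requested, resolved in cross_major_upgrades(SAMPLE_TREE):
        print(f"{consumer} was built for okhttp {requested}, runs against {resolved}")
```

Each finding is a library compiled against one OkHttp major and linked against another at runtime, which is the binary/API mismatch the review points to.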
