Skip to content

fix(deps): bump the prod-deps group with 6 updates#123

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/maven/prod-deps-12df6e2048
Open

fix(deps): bump the prod-deps group with 6 updates#123
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/maven/prod-deps-12df6e2048

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown
Contributor

Bumps the prod-deps group with 6 updates:

Package From To
org.springframework.boot:spring-boot-starter-parent 4.0.2 4.1.0
org.apache.logging.log4j:log4j-bom 2.25.2 2.26.0
tools.jackson:jackson-bom 3.1.0 3.2.0
org.folio:folio-spring-base 10.0.0-RC1 10.0.0
org.springframework:spring-jdbc 7.0.3 7.0.8
org.projectlombok:lombok 1.18.42 1.18.46

Updates org.springframework.boot:spring-boot-starter-parent from 4.0.2 to 4.1.0

Release notes

Sourced from org.springframework.boot:spring-boot-starter-parent's releases.

v4.1.0

Full release notes for Spring Boot 4.1 are available on the wiki.

⭐ New Features

  • Add public constructor to InvalidConfigurationPropertyValueException that accepts a cause #50211
  • Reduce memory consumption when repeatedly calling WritableJson.toByteArray #49428

🐞 Bug Fixes

  • MailSender auto-configuration does not enable hostname verification #50747
  • Artemis auto-configuration uses a predictable default location for the embedded broker's data #50745
  • Embedded LDAP SSL should not be enabled when its bundle is empty #50700
  • InetAddressFilter.externalAddresses does not exclude special purpose addresses from RFC 6890 #50668
  • NullPointerException in reactor-netty SniProvider and unmapped SSL bundle with RSocket #50645
  • SSL should not be enabled when a SSL bundle is overridden to an empty string #50635
  • Test auto-configuration no longer integrates Spring Security with HtmlUnitDriver #50633
  • Configuration property metadata includes incorrect class references #50632
  • Docker Compose support does not restore thread interrupt flag when catching InterruptedException #50618
  • RabbitProperties enables SSL even when spring.rabbitmq.ssl.bundle is overridden to an empty string #50612
  • NullPointerException in reactor-netty SniProvider when SSL bundle uses client-auth or server truststore without server-name-bundles #50610
  • SpringJtaPlatform should have been deprecated since 4.1.0-M3 #50592
  • Layer written outside the output location of '//' exception is thrown when using extract layers in root directory #50510
  • ConfigurationPropertiesReportEndpoint exposes AOP proxy internals #50417
  • Created StackTracePrinter instances have no access to the Environment #50414
  • MappingsEndpoint reports the context's own ID as parentId when a parent exists #50412
  • Buildpack module does not validate long-to-int casts #50410
  • Gradle gRPC support fails if protobuf-java dependency is used instead of protobuf-java-util #50405
  • GraphQL WebSocket support does not configure allowed origins #50394
  • Spring Boot Loader Does Not Support RSA and EC Signed Jars #50298
  • Meter registries are not removed from the global registry when the context is closed #50287
  • DataSourceBuilder cannot derive a DataSource from a lazy connection proxy #50271
  • Nullable annotations from AbstractErrorController.getErrorAttributes are not aligned with implementation #50266
  • Bean definitions can be added with an initializer before setAllowBeanDefinitionOverriding is called #50264
  • EndpointRequest links matcher unnecessarily matches HTTP methods other than GET #50261
  • Actuator's '/cloudfoundryapplication' endpoint does not work if restrictive CORS configuration is provided using a bean named corsConfigurationSource #50258
  • ThreadPoolTaskScheduleBuilder unnecessarily loses precision when configuring await termination time #50234
  • NimbusJwtDecoder silently accepts unknown values for spring.security.oauth2.resourceserver.jwt.jws-algorithms #50228
  • Missing dependency management for spring-boot-web-server-test #50224
  • Spring Batch support for MongoDB modules are not included in dependency management #50223
  • Apply HTML escaping to timestamp attribute in Whitelabel error page #50216
  • GrpcServerHealthScheduler is not started in servlet environments #50209
  • Setting server.servlet.session.cookie.partitioned=true has no effect when using Tomcat #50204

📔 Documentation

  • Fix reference to Gradle documentation for module replacement #50647
  • Document SSL reloading with Let's Encrypt #50630
  • Remove the use of Optional from Data Neo4j repository examples #50622
  • Fix typos in documentation #50620

... (truncated)

Commits

Updates org.apache.logging.log4j:log4j-bom from 2.25.2 to 2.26.0

Release notes

Sourced from org.apache.logging.log4j:log4j-bom's releases.

2.26.0

This minor release delivers all the fixes in the [2.25.0, 2.25.4] version range, plus some new fixes, and several other improvements and features.

Added

  • Add a new ConfigurationFactory::getConfiguration method accepting multiple URIs (#3775, #3921)
  • Add and export org.apache.logging.log4j.core.pattern.NamedInstantPattern enabling users to programmatically access named date & time patterns supported by Pattern Layout (#3789)
  • Add log4j.plugin.processor.minAllowedMessageKind annotation processor option to PluginProcessor to filter diagnostic messages by severity. This allows builds that treat compiler notes as errors (e.g. Maven with -Werror) to suppress informational notes emitted during normal plugin processing. (apache/logging-log4j2#3380, #4063)
  • Add missing setters to Rfc5424LayoutBuilder

Changed

  • Ensure scripts in the global Scripts element have explicit names by throwing a ConfigurationException for unnamed ones. (#3176)
  • Simplify file manager registry factory methods (#3968)

Deprecated

  • Deprecated withers in builder classes in favor of setters. This change improves API consistency with Log4j Core 3 and helps users adapt to the upcoming changes. (#3750)

Fixed

  • Fix script resolution failure when the Scripts element is placed after a ScriptRef in the configuration. (#3336)
  • Fix ArrayIndexOutOfBoundsException thrown by ThrowableStackTraceRenderer when the stack trace is modified concurrently (#3940, #3955)
  • Fix SLF4JLogger.atFatal() returning atLevel(Level.TRACE) instead of atLevel(Level.FATAL). This was causing FATAL-level log events to be silently discarded when using the fluent API through the log4j-to-slf4j bridge. (#4068, #4089)
  • Fix Javadoc references across module boundaries (i.e., cross-references) (#4099, #4100)
  • Fix header write in RollingRandomAccessFileManager that was being incorrectly skipped if append=true and the file didn't exist before
  • Fix a properties file configuration regression caused by not referenced loggers, appenders, and filters (#4036, #4069)

Removed

  • Remove the jvmrunargs lookup. (#3874)

Updated

  • Update org.junit:junit-bom to version 5.13.4 (#3850)
  • Update org.mongodb:bson to version 5.6.1 (#3961)
  • Update org.xerial.snappy:snappy-java to version 1.1.10.8 (#3841)

2.25.4

This patch release delivers fixes for configuration inconsistencies and formatting issues across several layouts.

  • Restores alignment between documented and actual configuration attributes.
  • Fixes formatting and sanitization issues in XML and RFC5424 layouts.
  • Improves handling of invalid characters and non-standard values.

The authoritative list of recognized configuration attributes is available in the PluginReference.

Fixed

  • Don't issue warnings if extra argument in parameterized logging is null. (#3975, #4014)

... (truncated)

Commits
  • c1ad2a6 Update the project.build.outputTimestamp property
  • 8b3a799 Set version to 2.26.0
  • 96486eb Merge remote-tracking branch 'origin/2.x' into release/2.26.0
  • 8243257 Add documentation for MessageRewritePolicy (#4042)
  • 2a15414 Add documentation pointer to the Async HTTP Appender of more-log4j2 (#4062)
  • b178cb1 Switch CI to gha/v0 and remove Develocity (#4108)
  • 23321de Remove changelog entries for already released changes
  • def55fc Add .release.xml and .release-notes.adoc.ftl
  • 0e019f2 Move changelog entries
  • a487a5d Tidy up changelog
  • Additional commits viewable in compare view

Updates tools.jackson:jackson-bom from 3.1.0 to 3.2.0

Commits
  • 421a5be [maven-release-plugin] prepare release jackson-bom-3.2.0
  • 0612da3 Prep for 3.2.0 release
  • db7fca0 Merge pull request #124 from FasterXML/tatu/3.2/woodstox-7.2.1
  • ed1fb9b Update Woodstox dep to 7.2.1
  • 907f30b Bump jackson-annotations to 2.22 (non-snapshot)
  • 9c72934 Merge branch '3.1' into 3.x
  • 1d54604 Post-release dep version bump
  • 0b65639 [maven-release-plugin] prepare for next development iteration
  • 4085e4d [maven-release-plugin] prepare release jackson-bom-3.1.4
  • f8e1a4e Prep for 3.1.4 release
  • Additional commits viewable in compare view

Updates org.folio:folio-spring-base from 10.0.0-RC1 to 10.0.0

Release notes

Sourced from org.folio:folio-spring-base's releases.

v10.0.0

Breaking Changes:

  • Migrated from OpenFeign to Spring HTTP Service Clients
  • Updated to Spring Boot 4.0.0
  • Updated to Jackson 3.x (package changed from com.fasterxml.jackson to tools.jackson)

Migration Guide: See SPRING_BOOT_4_MIGRATION_GUIDE.md for complete step-by-step migration instructions.

Breaking change, new default: A CQL search in a String field ignores case (= is case insensitive) and ignores accents by default; this is for consistency with RMB based modules. Use the annotations @RespectCase and/or @RespectAccents in the entity class to change this new default. Update database indices accordingly, for example:

DROP INDEX IF EXISTS idx_medreq_requester_barcode;
CREATE INDEX idx_medreq_requester_barcode ON ${database.defaultSchemaName}.mediated_request(lower(f_unaccent(requester_barcode)));

folio-spring-base

folio-spring-cql

folio-spring-i18n

  • FOLSPRINGS-198 Add support for searching multiple translation directories

folio-spring-system-user

folio-spring-tenant-settings

  • FOLSPRINGS-210 Add tenant-settings submodule for managing tenant-specific configuration

folio-spring-testing

  • FOLSPRINGS-218 Update Kafka and MinIO container images to latest versions
Changelog

Sourced from org.folio:folio-spring-base's changelog.

10.0.0 2026-04-06

Breaking Changes:

  • Migrated from OpenFeign to Spring HTTP Service Clients
  • Updated to Spring Boot 4.0.0
  • Updated to Jackson 3.x (package changed from com.fasterxml.jackson to tools.jackson)

Migration Guide: See SPRING_BOOT_4_MIGRATION_GUIDE.md for complete step-by-step migration instructions.

Breaking change, new default: A CQL search in a String field ignores case (= is case insensitive) and ignores accents by default; this is for consistency with RMB based modules. Use the annotations @RespectCase and/or @RespectAccents in the entity class to change this new default. Update database indices accordingly, for example:

DROP INDEX IF EXISTS idx_medreq_requester_barcode;
CREATE INDEX idx_medreq_requester_barcode ON ${database.defaultSchemaName}.mediated_request(lower(f_unaccent(requester_barcode)));

folio-spring-base

folio-spring-cql

folio-spring-i18n

  • FOLSPRINGS-198 Add support for searching multiple translation directories

folio-spring-system-user

folio-spring-tenant-settings

  • FOLSPRINGS-210 Add tenant-settings submodule for managing tenant-specific configuration

folio-spring-testing

  • FOLSPRINGS-218 Update Kafka and MinIO container images to latest versions

9.0.0 2025-02-28

... (truncated)

Commits

Updates org.springframework:spring-jdbc from 7.0.3 to 7.0.8

Release notes

Sourced from org.springframework:spring-jdbc's releases.

v7.0.8

⚠️ Security Fixes

This maintenance release fixes a high number of CVEs. You can learn more about this in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:

  • CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
  • CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
  • CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
  • CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
  • CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
  • CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
  • CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
  • CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
  • CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
  • CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
  • CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
  • CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
  • CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
  • CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
  • CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
  • CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"

⭐ New Features

  • Include zone ID in CronTrigger's equals/hashCode implementations #36871
  • Expose ClassLoader from DefaultDeserializer #36833
  • Use immutable map for SEPARATORS static field in DefaultPathContainer #36821
  • Track operations during SpEL expression evaluation #36801
  • Ensure getters have non-void return types in SpEL #36800
  • Avoid too many character access attempts in AntPathMatcher #36799
  • Refine default view name resolution #36793
  • Refine Jackson JMS converters #36791
  • Improve ABNF rule checks in RfcUriParser #36787
  • Restrict SpringVersion.getVersion() to "major.minor.patch" format #36785
  • Runtime compatibility with JPA 4.0 M4 and corresponding Hibernate 8.0 snapshots #36784
  • Allow specifying the charset to use in ExchangeFilterFunctions#basicAuthentication #36777
  • Use CollectionUtils to initialize HashMap in DefaultUriBuilderFactory #36763
  • Improve error messages in SpEL #36756
  • Improve pattern caching in SpEL #36755
  • Avoid ResolvableType#forType contention for implicit cache cleanup #36745
  • Switch to JdkIdGenerator for WebSocket Sessions #36740
  • Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #36727
  • LiteWebJarsResourceResolver does not resolve directories #36726
  • Warn against unsafe static resource locations in MVC and WebFlux #36692
  • Consistent compatibility with Woodstox as an alternative to Xerces #36682
  • Improve principal checks for SockJS session #36681
  • Set host header consistently in STOMP relay CONNECT frames #36673
  • Support Micrometer context propagation in Kotlin Flow #36667
  • Reliable detection of broadcast messages in UserDestinationMessageHandler #36662

... (truncated)

Commits
  • 9e8cea3 Release v7.0.8
  • 2c18c33 Track operations during SpEL expression evaluation
  • 83667f8 Ensure getters have non-void return types in SpEL
  • 7a8917b Improve additional error messages in SpEL
  • 7baa865 Further improve pattern caching in SpEL
  • 12b44f2 Avoid too many character access attempts in AntPathMatcher
  • e8f1024 Ensure consistent JSP tag attribute processing
  • a1826b7 Refine JavaScriptUtils#javaScriptEscape
  • 7add524 Prevent special prefixes in default view name resolution
  • 9bec52b Add trusted packages to MappingJackson2MessageConverter
  • Additional commits viewable in compare view

Updates org.projectlombok:lombok from 1.18.42 to 1.18.46

Changelog

Sourced from org.projectlombok:lombok's changelog.

v1.18.46 (April 22nd, 2026)

  • PLATFORM: JDK26 support added #4019.
  • PLATFORM: Spring Tools Suite 5 supported #3985.
  • BUGFIX: @Jacksonized no longer stops generating @JsonProperty once an explicit @JsonIgnore annotations is encountered #4022.
  • BUGFIX: In eclipse, mixing @Jacksonized and fluent = true no longer causes the error com.fasterxml.jackson.annotation.JsonProperty is not a repeatable annotation interface. #3934.
  • BUGFIX: Some finishing touches for v1.18.44's support of Jackson3 #4004.

v1.18.44 (March 11th, 2026)

  • FEATURE: @Jacksonized now supports both Jackson2 and Jackson3; you'll get a warning until you configure which one (or even both!) you want lombok to generate. #3950.
  • BUGFIX: On JDK25, val and @ExtensionMethod could sometimes cause erroneous errors (in that you see errors but compilation succeeds anyway) using javac. #3947.
  • BUGFIX: @Jacksonized + fields marked transient would result in those transient fields being serialised which is surprising (and thus undesired) behaviour. #3936.
Commits
  • 936ca59 [build] lombok's launcher is still intended to be 1.4 compatible, or at least...
  • fcdab3f [version] pre-release version bump
  • 1cb7d49 [changelog]#4004 Mention Jackson3 final touches in changelog.
  • 12a15b0 Fix: Bump EA_JDK to 27 (25 and 26 have been released)
  • 2be766c Merge branch 'jackson3-final-touches'
  • 290fa4c [trivial] constantize the warning we spit out for ambiguous jackson2/3, and m...
  • e6567b6 test: Add Jackson 3 test cases and version ambiguity warnings
  • 45e72e2 feat: Add Jackson 3 databind/dataformat annotations to HandlerUtil copy lists
  • 184d423 feat: Add Jackson 3 support to @​Jacksonized handlers
  • e027ad0 refactored to ShadowClassLoader use Collections::enumeration instead of Vector
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the prod-deps group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [org.springframework.boot:spring-boot-starter-parent](https://github.com/spring-projects/spring-boot) | `4.0.2` | `4.1.0` |
| [org.apache.logging.log4j:log4j-bom](https://github.com/apache/logging-log4j2) | `2.25.2` | `2.26.0` |
| [tools.jackson:jackson-bom](https://github.com/FasterXML/jackson-bom) | `3.1.0` | `3.2.0` |
| [org.folio:folio-spring-base](https://github.com/folio-org/folio-spring-support) | `10.0.0-RC1` | `10.0.0` |
| [org.springframework:spring-jdbc](https://github.com/spring-projects/spring-framework) | `7.0.3` | `7.0.8` |
| [org.projectlombok:lombok](https://github.com/projectlombok/lombok) | `1.18.42` | `1.18.46` |


Updates `org.springframework.boot:spring-boot-starter-parent` from 4.0.2 to 4.1.0
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v4.0.2...v4.1.0)

Updates `org.apache.logging.log4j:log4j-bom` from 2.25.2 to 2.26.0
- [Release notes](https://github.com/apache/logging-log4j2/releases)
- [Changelog](https://github.com/apache/logging-log4j2/blob/2.x/RELEASE-NOTES.adoc)
- [Commits](apache/logging-log4j2@rel/2.25.2...rel/2.26.0)

Updates `tools.jackson:jackson-bom` from 3.1.0 to 3.2.0
- [Commits](FasterXML/jackson-bom@jackson-bom-3.1.0...jackson-bom-3.2.0)

Updates `org.folio:folio-spring-base` from 10.0.0-RC1 to 10.0.0
- [Release notes](https://github.com/folio-org/folio-spring-support/releases)
- [Changelog](https://github.com/folio-org/folio-spring-support/blob/master/NEWS.md)
- [Commits](https://github.com/folio-org/folio-spring-support/commits/v10.0.0)

Updates `org.springframework:spring-jdbc` from 7.0.3 to 7.0.8
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v7.0.3...v7.0.8)

Updates `org.projectlombok:lombok` from 1.18.42 to 1.18.46
- [Changelog](https://github.com/projectlombok/lombok/blob/master/doc/changelog.markdown)
- [Commits](projectlombok/lombok@v1.18.42...v1.18.46)

---
updated-dependencies:
- dependency-name: org.springframework.boot:spring-boot-starter-parent
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-deps
- dependency-name: org.apache.logging.log4j:log4j-bom
  dependency-version: 2.26.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-deps
- dependency-name: tools.jackson:jackson-bom
  dependency-version: 3.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-deps
- dependency-name: org.folio:folio-spring-base
  dependency-version: 10.0.0
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-deps
- dependency-name: org.springframework:spring-jdbc
  dependency-version: 7.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-deps
- dependency-name: org.projectlombok:lombok
  dependency-version: 1.18.46
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels Jun 22, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 22, 2026 02:44
@dependabot dependabot Bot added the java Pull requests that update java code label Jun 22, 2026
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file java Pull requests that update java code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants