Update Maven dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
org.apache.maven.plugins:maven-resources-plugin (source)	3.4.0 → 3.5.0
com.google.code.gson:gson	2.13.1 → 2.14.0
commons-io:commons-io (source)	2.19.0 → 2.22.0
org.springframework:spring-expression	6.2.11 → 6.2.18
org.junit:junit-bom (source)	5.11.2 → 5.14.4
com.google.guava:guava	33.4.8-jre → 33.6.0-jre
org.apache.maven.plugins:maven-shade-plugin (source)	3.5.1 → 3.6.2
org.mockito:mockito-core	5.18.0 → 5.23.0
org.mockito:mockito-junit-jupiter	5.18.0 → 5.23.0
org.jacoco:org.jacoco.agent (source)	0.8.13 → 0.8.14
com.googlecode.maven-download-plugin:download-maven-plugin	1.6.3 → 1.13.0
org.codehaus.mojo:build-helper-maven-plugin (source)	3.5.0 → 3.6.1
org.codehaus.mojo:exec-maven-plugin (source)	3.2.0 → 3.6.3
org.apache.maven.plugins:maven-compiler-plugin (source)	3.13.0 → 3.15.0

---

Release Notes

spring-projects/spring-framework (org.springframework:spring-expression)

v6.2.18

Compare Source

⭐ New Features

• Improve SpringValidatorAdapter and MethodValidationAdapter performance #​36624
• Add missing @Deprecated(forRemoval = true) for deleted in 7.0 #​36591
• Deprecate methodIdentification() in CacheAspectSupport for removal #​36576
• Improve error handling in multipart codecs #​36564
• LazyConnectionDataSourceProxy does not work well with Hibernate's multi-tenancy by schema strategy #​36529
• MySQL Error 149 (Galera/WSREP conflict) not translated to ConcurrencyFailureException in Spring JDBC/ORM #​36510

🐞 Bug Fixes

• Handle Kotlin nullable value class param correctly in CoroutineUtils #​36643
• NullPointerException in ServerSentEvent when trying to set id or event properties #​36634
• @Sql fails if DataSource is wrapped in a TransactionAwareDataSourceProxy #​36630
• WebDataBinder unnecessarily instantiates collections when using the "!" and "_" prefixes #​36627
• Cache pollution from high-cardinality FieldError default messages in MessageSourceSupport #​36623
• ContentCachingRequestWrapper does not allow unlimited content caching #​36620
• MergedAnnotation does not use ClassLoader for method or field #​36614
• AnnotationBeanNameGenerator fails when an annotation references a non-existent class #​36588
• FileSystemResource does not strictly follow the Resource#isReadable() contract #​36585
• Query not hidden in DefaultClientResponse checkpoint #​36571
• LazyConnectionDataSourceProxy does not pass on holdability to target Connection #​36530
• DefaultJmsListenerContainer may hang in an endless loop in doShutdown #​36511
• Inconsistent codings resolution in resource resolvers #​36508

📔 Documentation

• Clarify semantics of HttpMethod.valueOf() #​36653
• Document that spring.profiles.active is ignored by @ActiveProfiles #​36636
• Document whitespace semantics in SpEL expressions #​36629
• MergedAnnotation.asAnnotationAttributes() Javadoc incorrectly states that it creates an immutable map #​36568
• Introduce Kotlin examples for Bean Overrides (@MockitoBean, etc.) #​36542
• Fix incorrect cross-reference links in AbstractEnvironment Javadoc #​36517

🔨 Dependency Upgrades

• Upgrade to Micrometer 1.15.11 #​36661
• Upgrade to Reactor 2024.0.17 #​36660

v6.2.17

Compare Source

⭐ New Features

• Leverage ResourceHandlerUtils in ScriptTemplateView #​36459
• Restore ScriptTemplateViewTests #​36457
• Fix log message in ConfigurationClassBeanDefinitionReader #​36454
• Resolve context initializers only once in AbstractTestContextBootstrapper #​36431
• Exclude legacy @javax.validation.Constraint from convention-based annotation attribute override check #​36412
• Optimize MediaType(MediaType, Charset) constructor #​36351
• Optimize the addition of a charset to the MediaType in AbstractHttpMessageConverter #​36350
• Consistent adaptation of HTTP headers on Servlet responses #​36345
• Improve performance of validation groups determination in WebFlux #​36337
• Detect all common size exceptions from Tomcat and Commons FileUpload 2.x #​36324

🐞 Bug Fixes

• Guard against invalid id/event values in Server Sent Events #​36442
• Incomplete debug message in ConfigurationClassBeanDefinitionReader #​36411
• Inconsistent ApplicationEventMulticaster state after removing ApplicationListener implemented by FactoryBean #​36405
• Graceful shutdown of SimpleAsyncTaskExecutor #​36384
• HttpMediaTypeException thrown when calculating compatible media types #​36363
• ResolvableType#getGenerics() breaks serialization #​36347
• Multipart upload leak on client abort (ByteBuf.release() not called) #​36327

📔 Documentation

• Document @Fallback alongside Primary in the reference manual and @Bean Javadoc #​36441
• Document registration recommendations for BeanPostProcessor and BeanFactoryPostProcessor #​36436
• Fix links to UriComponentsBuilder and polish examples #​36406
• Emphasize @Configuration classes over XML and Groovy in testing chapter #​36394
• Polish SpEL operator examples in reference docs #​36375

🔨 Dependency Upgrades

• Upgrade to JUnit 5.14.3 #​36388
• Upgrade to Micrometer 1.15.10 #​36446
• Upgrade to Reactor 2024.0.16 #​36445

v6.2.16

Compare Source

⭐ New Features

• Improve performance of hashcode calculations for request mappings #​36297
• Improve performance of HandlerMethod bean lookup #​36296
• Improve performance of validation groups determination #​36295
• Improve performance of single pattern request mappings #​36294
• Optimize NamedParameterUtils#buildValueArray by lazily fetching SqlParameter #​36232
• Consistently close streams through try-with-resources in FileCopyUtils #​36224
• SqlBinaryValue and SqlCharacterValue should support InputStream content with undetermined length #​36220
• DataBufferUtils.write() with NettyDataBuffer on JDK 25 hangs indefinitely #​36189
• WebClient (Reactor) attributes on Netty channel do not clear after connection release #​36163
• Reintroduce WebLogicJtaTransactionManager in Spring Framework 6.2.x #​36152
• DisconnectedClientHelper should detect presence of RestClientException and WebClientException separately #​36150
• Add DataAccessException and MessagingException to the excluded outermost exceptions in DisconnectedClientHelper #​36135
• Improve user check in TransportHandlingSockJsService #​36129

🐞 Bug Fixes

• Avoid lock congestion in ConcurrentReferenceHashMap #​36308
• Resolved HttpEntity Controller argument does not reflect mutated HTTP headers #​36301
• AbstractMessageConverter does not support wildcards in supported MIME types #​36286
• Make LocalEntityManagerFactoryBean#setDataSource work on Hibernate as well as EclipseLink #​36272
• Deadlock might occur when calling System.exit on startup (against multiple shutdown hooks) #​36268
• Netty4HeadersAdapter.remove returns empty list instead of null for non-existing key #​36227
• EclipseLinkConnectionHandle can fail against transaction isolation race condition #​36166
• WiretapConnector leaks data buffers when response body not consumed #​36051
• UriComponentsBuilder loses the fragment when it consists of only a single character #​36035
• SimpleBeanInfoFactory fails to reliably resolve read/write methods in type hierarchies with unresolved generics #​36026

📔 Documentation

• Fix links to JUnit User Guide #​36218
• Fix LocalContainerEntityManagerFactoryBean#setPersistenceUnitName javadoc #​36206
• Update documentation on trailing slash handling where type-level @GetMapping("/base") is combined with method level @GetMapping("/") #​36200
• Update documentation on the MediaType used for ProblemDetail #​36193
• Replace getErrors() with getBindingResult() in examples #​36172
• Upgrade Antora dependencies #​36106
• Fix typos and grammar #​36023

🔨 Dependency Upgrades

• Bump fast-xml-parser from 4.5.2 to 5.3.4 in /framework-docs #​36239
• Upgrade to ASM 9.9.1 and Objenesis 3.5 #​36244
• Upgrade to JUnit 5.14.2 #​36148
• Upgrade to Micrometer 1.15.9 #​36290
• Upgrade to Reactor 2024.0.15 #​36289

v6.2.15

Compare Source

⭐ New Features

• Avoid package cycle caused by use of UriComponentsBuilder in ServletServerHttpRequest #​35954
• DefaultHandshakeHandler should not log client faults on error level #​35948
• Use concurrent set behind reactive TransactionSynchronizationManager#registerSynchronization #​35922
• Expose Collection on FragmentsRendering to facilitate Unit Tests #​35912
• Different ReactorNettyWebSocketSession call getId() may return the same value #​35911
• Enhance handleTypeMismatch error message in ResponseEntityExceptionHandler #​35878

🐞 Bug Fixes

• NullPointerException thrown from JdkClientHttpRequestFactory for null request header value #​35998
• State inconsistency in LazyConnectionDataSourceProxy when connection settings fail #​35981
• SubscriberInputStream#resume misuses parked thread reference #​35979
• PathMatchingResourcePatternResolver fails with URI in JAR manifest Class-Path entries #​35967
• Strong locking in ConcurrentReferenceHashMap#computeIfAbsent may cause context initialisation deadlock #​35945
• BridgeMethodResolver change in 6.2.13 breaks Spring Data entity introspection #​35941
• DefaultMessageListenerContainer does not clear Session and MessageConsumer for paused invokers #​35935
• Tighten cacheable decision behind @Lazy injection point #​35918
• Use provided ReactiveAdapterRegistry in BindingContext constructor #​35914
• Accidental fallback match for Collection-type beans due to @Bean-level qualifier annotation #​35909
• SortedResourcesFactoryBean does not accept non-existent resources anymore #​35896

📔 Documentation

• Document that annotations are ignored if attributes reference types not present in the classpath #​35973
• Fix broken Javadoc links to methods #​35904
• Refer to "Spring Tools" instead of "Spring Tools for Eclipse" in reference manual #​35902
• Clarify JMS sessionTransacted flag for local versus global transaction #​35898
• Reference docs should not use obsolete "junit5" links #​35893
• Testing chapter references nonexistent Dependency Management documentation #​35891

🔨 Dependency Upgrades

• Upgrade to json-path 2.10.0 #​35937
• Upgrade to Micrometer 1.14.14 #​35986
• Upgrade to Reactor 2024.0.13 #​35987

v6.2.14

Compare Source

⭐ New Features

• Add resetCaches() method to Caffeine/ConcurrentMapCacheManager #​35841
• Fix single-check idiom in UnmodifiableMultiValueMap #​35831
• Fix Spliterator characteristics in ConcurrentReferenceHashMap #​35828

🐞 Bug Fixes

• MissingPathVariableException produces wrong status code in ProblemDetail #​35856
• Fix getCacheNames() concurrent access in NoOpCacheManager #​35844
• Annotation discovery regression for interfaces extending BeanNameAware and co. #​35838
• Fix HtmlUtils unescape for supplementary chars #​35832

📔 Documentation

• Fix cross-reference links in HtmlUnit sections #​35857
• Remove @see Javadoc references to deprecated PropertiesBeanDefinitionReader #​35854

v6.2.13

Compare Source

⭐ New Features

• Support response encoding in select and options JSP form tags #​35783
• Preserve Connection readOnly state for DataSource with defaultReadOnly configuration #​35743
• Optimize resource URL resolution in SortedResourcesFactoryBean #​35687
• Relax multiple segment matching constraints in PathPattern #​35686
• Support wildcard path elements at the start of path patterns #​35679
• Validating byte[]s may produce OutOfMemoryError #​35675
• Update in FragmentsRendering to names of static methods #​33974

🐞 Bug Fixes

• ConcurrentReferenceHashMap misses dedicated computeIfAbsent, computeIfPresent, compute, merge implementations #​35794
• Avoid unnecessary bridge method resolution around getMostSpecificMethod #​35780
• Fix multi-release JAR issue with VirtualThreadDelegate #​35773
• ContentNegotiationManager not finding media type when request includes quality parameter #​35754
• Race condition in BufferingClientHttpResponseWrapper.getBody() #​35745
• Deprecate setConnectTimeout on HttpComponentsClientHttpRequestFactory #​35748
• Fix PathMatchingResourcePatternResolver to handle absolute paths in JAR manifests #​35732
• BeanDefinitionBuilder.addAutowiredProperty causes error during AOT processing #​35731
• Improve HttpServiceMethod support for Kotlin suspending functions returning Flow #​35718
• Exception translation does not expose original BatchUpdateException anymore #​35717
• Add hints for entities package-private methods #​35711
• Fix concurrency permit leak causing deadlock in SimpleAsyncTaskExecutor #​35708
• Remove jibx-marshaller element from spring-oxm.xsd #​35699
• NullPointerException When Handling 407 with JdkClientHttpConnector in WebClient #​35692
• Method-based Map injection fails against target Map with incomplete generics despite bean name or qualifier match #​35690
• JUnit Jupiter TEST_METHOD ExtensionContextScope is not fully supported #​35680
• Introduce isAutowirableConstructor(Executable, PropertyProvider) in TestConstructorUtils and deprecate existing variants #​35676
• Reflection on java.sql.Types without runtime hints #​35674
• getPubliclyAccessibleMethodIfPossible() returns hidden static method #​35667
• RestClient hangs during upload with ReactorClientHttpRequestFactory #​34707

📔 Documentation

• Correct formatting for Mono type #​35786
• Improve Java Bean Validation documentation for controller methods #​35759
• Fix typo in @NumberFormat Javadoc #​35742
• Javadoc of AsyncConfigurer does not match runtime behavior #​35736
• Document PathPattern behavior difference between */{name} and **/{*path} #​35727
• Fix minor typo in RestClient documentation #​35723
• Document test-method scoped TestContext semantics #​35716
• Improve docs on AbstractStreamingClientHttpRequest for streaming vs buffering mode #​35700
• Fix minor typo in JDBC Core Classes documentation #​35684
• Fix typos #​35656
• Improve spring-web filter documentation #​30454

🔨 Dependency Upgrades

• Upgrade to ASM 9.9 plus lenient version check patch #​35763
• Upgrade to Jetty 12.0.30 #​35806
• Upgrade to Micrometer 1.14.13 #​35810
• Upgrade to Reactor 2024.0.12 #​35809

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Anxton, @​Artur-, @​HJC96, @​MoadElfatihi, @​NYgomets, @​cbsingh1, @​dmitrysulman, @​ekcom, and @​scordio

v6.2.12

Compare Source

⭐ New Features

• Add "forEachByte" variant to DataBuffer for efficient traversing #​35623
• Nested transaction support via savepoints is broken in HSQLDB database [followup] #​35618
• Improve exception handling in ConfigurationClassBeanDefinitionReader #​35631
• Add MySQL/MariaDB to TableMetaDataProviderFactory for correct generated-keys support #​35593
• Optimize state management in StompSubProtocolHandler #​35591
• ServletServerHttpRequest.getRemoteAddress() may perform DNS lookup #​35589
• Emit log message when multiple primary beans are detected #​35550
• Duplicate key error is mapped to TransientDataAccessException by SQLStateSQLExceptionTranslator for BatchUpdateException #​35547
• Remove redundant object allocation in cglib proxy method calls #​35543
• Remove deprecation on CandidateComponentsIndex and CandidateComponentsIndexLoader #​35472
• Processing response with no Content-Length header and no body raises EOFException #​35361

🐞 Bug Fixes

• DefaultListableBeanFactory::getBeanNamesForType does not always return all bean names #​35634
• Consider defaultCandidate for scoped proxies #​35627
• Release data buffer in AbstractCharSequenceDecoder even when String creation fails #​35625
• PathMatchingResourcePatternResolver is not able to resolve file in SpringBoot Packaged JAR #​35617
• Prevent NoClassDefFoundError when Jetty Reactive HttpClient is not available #​35608
• Performance regression with Property Placeholder Resolution #​35594
• Retain order of produces media types in @ExceptionHandler #​35587
• Nested transaction support via savepoints is broken in HSQLDB database #​35564
• SpEL expression parser uses more CPU after upgrade to 6.2.9 #​35556
• Thread race during FactoryBean instantiations starting with 6.2 due to lenient locks #​35545
• Update parsed path handling in UrlHandlerFilter #​35538
• ResourceHttpMessageWriter.write has unexpected error handling for invalid range requests (offset > content length) #​35536
• AbstractTestNGSpringContextTests is not thread-safe regarding tracked exceptions #​35528
• UrlHandlerFilter breaks RequestDispatcher.forward() on Tomcat #​35509
• AbstractMockHttpServletRequestBuilder#buildRequest is not idempotent #​35493
• Add support for JvmDefault (default in Kotlin 2.2.20+) #​35487
• InstanceSupplierCodeGenerator fails to detect deprecated type on package private factory method #​35486
• Fix synchronization in ResponseBodyEmitter #​35466
• useCaches option in PathMatchingResourcePatternResolver not applied in special case #​35465
• Deadlock during context initialization due to EntityManager lock #​35398

📔 Documentation

• Improve guidance in WebFlux on how to join inbound and outbound streams in WebSocketHandler #​35572
• Fix idref example in reference manual #​35560
• Fix URI Patterns docs in WebMVC and WebFlux Request Mapping #​35551
• Allow event listener method declared with multiple event classes to take a single parameter that is assignable from all of those event classes #​35506
• Improve Task Javadoc about Runnable wrapping #​35394

🔨 Dependency Upgrades

• Upgrade to Micrometer 1.14.12 #​35640
• Upgrade to Reactor 2024.0.11 #​35638

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Entea, @​IMurzich, @​hosea, @​maziyarbahramian, @​mlichtblau, @​nstdio, @​reckart, and @​reda-alaoui

mockito/mockito (org.mockito:mockito-core)

v5.23.0

NOTE: Breaking change for Android

The mockito-android artifact has a breaking change: tests now require a device or emulator based on API 28+ (Android P). This is to enable new support for mocking Kotlin classes. See #​3788 for more details.

---

^{Changelog generated by Shipkit Changelog Gradle Plugin}

5.23.0

• 2026-03-11 - 6 commit(s) by Brice Dutheil, Joshua Selbo, Philippe Kernevez
• Replace mockito-android mock maker implementation with dexmaker-mockito-inline (#​3792)
• Fix StackOverflowError with AbstractList after using mockSingleton (#​3790)
• Mark parameters of Mockito.when @Nullable (#​3503)

v5.22.0

^{Changelog generated by Shipkit Changelog Gradle Plugin}

5.22.0

• 2026-02-27 - 6 commit(s) by Joshua Selbo, NiMv1, Rafael Winterhalter, dependabot[bot], eunbin son
• Avoid mocking of internal static utilities (#​3785)
• Bump graalvm/setup-graalvm from 1.4.4 to 1.4.5 (#​3780)
• Static mocking of UUID.class corrupted under JDK 25 (#​3778)
• Bump actions/upload-artifact from 5 to 6 (#​3774)
• docs: clarify RETURNS_MOCKS behavior with sealed abstract enums (Java 15+) (#​3773)
• Add tests for Sets utility class (#​3771)
• Add core API to enable Kotlin singleton mocking (#​3762)
• Stubbing Kotlin object singletons (#​3652)
• Incorrect documentation for RETURNS_MOCKS (#​3285)

v5.21.0

^{Changelog generated by Shipkit Changelog Gradle Plugin}

5.21.0

• 2025-12-09 - 17 commit(s) by Giulio Longfils, Joshua Selbo, Woongi9, Zylox, dependabot[bot]
• Bump graalvm/setup-graalvm from 1.4.3 to 1.4.4 (#​3768)
• Bump graalvm/setup-graalvm from 1.4.2 to 1.4.3 (#​3767)
• Bump actions/checkout from 5 to 6 (#​3765)
• Adds output of matchers to potential mismatch; Fixes #​2468 (#​3760)
• Forbid mocking WeakReference with inline mock maker (#​3759)
• StackOverflowError when mocking WeakReference (#​3758)
• Bump actions/upload-artifact from 4 to 5 (#​3756)
• Bump graalvm/setup-graalvm from 1.4.1 to 1.4.2 (#​3755)
• Support primitives in GenericArrayReturnType. (#​3753)
• ClassNotFoundException when stubbing array of primitive type on Android (#​3752)
• Bump graalvm/setup-graalvm from 1.4.0 to 1.4.1 (#​3744)
• Bump gradle/actions from 4 to 5 (#​3743)
• Bump org.graalvm.buildtools.native from 0.11.0 to 0.11.1 (#​3738)
• Bump com.diffplug.spotless:spotless-plugin-gradle from 7.2.1 to 8.0.0 (#​3735)
• Bump graalvm/setup-graalvm from 1.3.7 to 1.4.0 (#​3734)
• Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 (#​3733)
• Bump errorprone from 2.41.0 to 2.42.0 (#​3732)
• Feat: automatically detect class to mock in mockStatic and mockConstruction (#​3731)
• Return completed futures for unstubbed Future/CompletionStage in ReturnsEmptyValues (#​3727)
• automatically detect class to mock (#​2779)
• Incorrect "has following stubbing(s) with different arguments" message when using Argument Matchers (#​2468)

v5.20.0

^{Changelog generated by Shipkit Changelog Gradle Plugin}

5.20.0

• 2025-09-20 - 11 commit(s) by Adrian-Kim, Giulio Longfils, Rafael Winterhalter, dependabot[bot]
• Bump org.assertj:assertj-core from 3.27.4 to 3.27.5 (#​3730)
• Introducing the Ability to Mock Construction of Generic Types (#​2401) (#​3729)
• Bump com.gradle.develocity from 4.1.1 to 4.2 (#​3726)
• Bump graalvm/setup-graalvm from 1.3.6 to 1.3.7 (#​3725)
• Bump org.eclipse.platform:org.eclipse.osgi from 3.23.100 to 3.23.200 (#​3720)
• Bump graalvm/setup-graalvm from 1.3.5 to 1.3.6 (#​3719)
• Bump actions/setup-java from 4 to 5 (#​3715)
• Bump com.gradle.develocity from 4.1 to 4.1.1 (#​3713)
• Bump bytebuddy from 1.17.6 to 1.17.7 (#​3712)
• test: Use Assume.assumeThat for SequencedCollection tests (#​3711)
• Fix #​3709 (#​3710)
• feat: Add support for JDK21 Sequenced Collections. (#​3708)
• Introducing the Ability to Mock Construction of Generic Types (#​2401)

v5.19.0

^{Changelog generated by Shipkit Changelog Gradle Plugin}

5.19.0

• 2025-08-15 - 37 commit(s) by Adrian-Kim, Tim van der Lippe, Tran Ngoc Nhan, dependabot[bot], juyeop
• feat: Add support for JDK21 Sequenced Collections. (#​3708)
• Bump actions/checkout from 4 to 5 (#​3707)
• build: Allow overriding 'Created-By' for reproducible builds (#​3704)
• Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 (#​3703)
• Bump androidx.test:runner from 1.6.2 to 1.7.0 (#​3697)
• Bump org.junit.platform:junit-platform-launcher from 1.13.3 to 1.13.4 (#​3694)
• Bump com.diffplug.spotless:spotless-plugin-gradle from 7.1.0 to 7.2.1 (#​3693)
• Bump junit-jupiter from 5.13.3 to 5.13.4 (#​3691)
• Bump com.gradle.develocity from 4.0.2 to 4.1 (#​3689)
• Bump com.google.googlejavaformat:google-java-format from 1.27.0 to 1.28.0 (#​3688)
• Bump com.google.googlejavaformat:google-java-format from 1.25.2 to 1.27.0 (#​3686)
• Bump com.diffplug.spotless:spotless-plugin-gradle from 7.0.4 to 7.1.0 (#​3685)
• Bump junit-jupiter from 5.13.2 to 5.13.3 (#​3684)
• Bump org.shipkit:shipkit-auto-version from 2.1.0 to 2.1.2 (#​3683)
• Bump com.diffplug.spotless:spotless-plugin-gradle from 7.0.2 to 7.0.4 (#​3682)
• Only run release after both Java and Android tests have finished
  (#​3681)
• Bump org.junit.platform:junit-platform-launcher from 1.12.2 to 1.13.3 (#​3680)
• Bump org.codehaus.groovy:groovy from 3.0.24 to 3.0.25 (#​3679)
• Bump org.eclipse.platform:org.eclipse.osgi from 3.23.0 to 3.23.100 (#​3678)
• Can no longer publish snapshot releases (#​3677)
• Update Gradle to 8.14.2 (#​3676)
• Bump errorprone from 2.23.0 to 2.39.0 (#​3674)
• Correct Junit docs link (#​3672)
• Bump net.ltgt.gradle:gradle-errorprone-plugin from 4.1.0 to 4.3.0 (#​3670)
• Bump junit-jupiter from 5.13.1 to 5.13.2 (#​3669)
• Bump bytebuddy from 1.17.5 to 1.17.6 (#​3668)
• Bump junit-jupiter from 5.12.2 to 5.13.1 (#​3666)
• Bump org.jetbrains.kotlin:kotlin-stdlib from 2.0.21 to 2.2.0 (#​3665)
• Bump org.gradle.toolchains.foojay-resolver-convention from 0.9.0 to 1.0.0 (#​3661)
• Bump org.junit.platform:junit-platform-launcher from 1.11.4 to 1.12.2 (#​3660)
• Add JDK21 sequenced collections for ReturnsEmptyValues (#​3659)
• Bump com.gradle.develocity from 3.19.1 to 4.0.2 (#​3658)
• Bump ru.vyarus:gradle-animalsniffer-plugin from 1.7.2 to 2.0.1 (#​3657)
• Bump org.eclipse.platform:org.eclipse.osgi from 3.22.0 to 3.23.0 (#​3656)
• Bump org.codehaus.groovy:groovy from 3.0.23 to 3.0.24 (#​3655)
• Bump junit-jupiter from 5.11.4 to 5.12.2 (#​3653)
• Reproducible Build: need to inject JDK distribution details to rebuild (#​3563)

jacoco/jacoco (org.jacoco:org.jacoco.agent)

v0.8.14: 0.8.14

New Features

• JaCoCo now officially supports Java 25 (GitHub #​1950).
• Experimental support for Java 26 class files (GitHub [#​1870](https://redirect.github.com/j

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone Europe/Berlin)

• Branch creation
  • "before 6am on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[hashicorp-vault-sonar-prod]

Renovate Jira issue ID: SONARJAVA-6350

[sonar-review-alpha]

Summary

⚠️ The PR description exceeded the analysis limit and was truncated. The review may not reflect all context.

This PR updates Maven dependencies and build plugins across the project. Most changes are patch and minor version bumps for routine maintenance, including build tools (maven plugins), testing libraries (JUnit, Mockito), and utilities (Guava, Commons IO, GSON, SLF4J, Spring). Notable larger bumps: JUnit from 5.11.2 to 5.14.4, Spring Expression from 6.2.11 to 6.2.18. One consolidation: its/vibebot/pom.xml now uses the parent pom's ${slf4j.version} property instead of a hardcoded version.

What reviewers should know

Where to focus:

• All changes are version updates in <version> and <version.*> tags only — no code or configuration logic changes
• Main dependency changes in the root pom.xml; also updates in build-specific modules: check-list/, its/plugin/tests/, its/vibebot/, and sonar-java-plugin/
• Verify JUnit and Spring version jumps don't break assumptions (5.11→5.14 and 6.2.11→6.2.18 are significant)
• its/vibebot/pom.xml now inherits SLF4J version from parent instead of hardcoding — confirm this aligns with parent property

Gotchas:

• No obvious breaking changes, but test run recommended given scope (JUnit, Mockito, Spring are core testing/runtime libs)

---

• Generate Walkthrough
• Generate Diagram

🗣️ Give feedback

[github-actions]

This PR is stale because it has been open 7 days with no activity. If there is no activity in the next 7 days it will be closed automatically

[sonar-review-alpha]

The incremental diff reverts the previous changes: commons-collections goes back to 3.2.1 and struts-core goes back to 1.3.9, which correctly aligns the artifact versions with their output directory names. However, the slf4j.version property is being downgraded from 1.7.36 to 1.7.30 in the root pom.xml, which is unexpected for a "dependency update" PR and needs clarification.

The previously flagged version/directory mismatch for commons-collections has been resolved by this revert — the artifact version now matches the directory name again.

Note — the following observations could not be attached as inline comments:

• pom.xml:117: This change downgrades slf4j.version from 1.7.36 to 1.7.30. That is a regression — 1.7.30 predates 1.7.36 and reverting to an older version loses any fixes shipped between those releases.

The its/vibebot/pom.xml change consolidates the version reference (good), but the value it now inherits (1.7.30) is older than the previous hardcoded value (1.7.36). If the intent is consolidation, the root property should be at least 1.7.36, not rolled back.

🗣️ Give feedback

[sonarqube-next]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube