Update dependencies #934

alexander-yevsyukov merged 9 commits into master from update-dependencies (Jun 6, 2026)

@alexander-yevsyukov alexander-yevsyukov commented Jun 6, 2026

What

Refreshes dependency declarations under buildSrc/src/main/kotlin/io/spine/dependency/ to their latest accepted versions and bumps the Kotlin toolchain to 2.3.21.

Spine SDK snapshots (local/)

Base .390 → .400, ToolBase .378 → .381, CoreJvmCompiler .067 → .068, Compiler (fallback) .044 → .046, Validation .445 → .446.

Kotlin → 2.3.21

Updated all three coupled sites so the compiler and the forced library version stay aligned (a partial bump fails to resolve kotlin-scripting-*):

  • buildSrc/build.gradle.kts: kotlinEmbeddedVersion
  • Kotlin.runtimeVersion and Kotlin.embeddedVersion

KSP stays at 2.3.9 (latest; compatible with Kotlin 2.3.x).

External libraries (selected)

  • Majors: Aedile 3.0.4, CheckerFramework 4.2.0, Clikt 5.1.0, Firebase 9.9.0, google-http-client 2.1.0, J2ObjC 3.1, KotlinSemver 3.1.0, JetBrains annotations 26.1.0, plugin-publish 2.1.1, errorprone gradle plugin 5.1.0.
  • Same-major: gRPC 1.81, gRPC-Kotlin 1.5, Protobuf 4.35 (+plugin 0.10), Jackson 2.22, Guava 33.6, Netty 4.2.15, Okio 3.17, Log4j2 2.26, Slf4J 2.0.18, JUnit 6.1, Jacoco 0.8.15, PalantirJavaFormat 2.91, PMD 7.25, KotlinPoet 2.3, KotlinCompileTesting 0.13, DateTime 0.8.0, and others. Back-filled a Maven Central URL hint on Slf4J.kt.

Why

Routine dependency refresh — keeps the SDK snapshots current and the external stack patched.

Notes for reviewers

Several newer versions were deliberately not taken because the build (JDK 17, failOnVersionConflict, Spine SDK coupling) rejects them:

  • Kotlin 2.4.0 — KSP has no 2.4.x; deferred until KSP ships a matching release.
  • ErrorProne 2.49.0 / CheckStyle 13.5.0 — require JDK 21 / drag transitive conflicts; kept at 2.36.0 / 10.12.1.
  • kotlinx coroutines / serialization / atomicfu — not in the force(...) allow-list and pulled transitively by the SDK snapshots; kept at SDK-aligned 1.10.2 / 1.8.1 / 0.29.0 to satisfy failOnVersionConflict.
  • JavaJwt left on 3.x (intentional, documented in-file); GoogleApis/GoogleCloud/BouncyCastle/JavaX inline-pinned legacy coordinates left for a dedicated review.

Verification

./gradlew clean build green on JDK 17. Version advanced 2.0.0-SNAPSHOT.400 → .401 (.400 was already published). Pre-PR reviewers (dependency-audit, spine-code-review, kotlin-engineer) all approve.

🤖 Generated with Claude Code
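
The resolution policy the reviewer notes rely on, sketched in Gradle Kotlin DSL as an added example (not the Spine build's own code): `failOnVersionConflict()` turns any transitive version disagreement into a build failure, and only coordinates on the `force(...)` list are pinned. The `kotlinVersion` constant, the `forcedModules` list and the `checkKotlinAlignment` task are assumptions made for illustration; `runtimeClasspath` assumes a Java or Kotlin JVM plugin is applied.

```kotlin
// build.gradle.kts: constructed example, not the Spine build scripts.

// Assumption: one constant is the single source of truth for the Kotlin version.
val kotlinVersion = "2.3.21"

// Assumption: hypothetical allow-list of coordinates this build may force.
val forcedModules = listOf(
    "org.jetbrains.kotlin:kotlin-stdlib:$kotlinVersion",
    "org.jetbrains.kotlin:kotlin-reflect:$kotlinVersion",
)

configurations.all {
    resolutionStrategy {
        // A module requested at two different versions fails the build
        // instead of being silently resolved to the highest one.
        failOnVersionConflict()
        // Only the listed coordinates are pinned; any other conflict has to
        // be fixed where the dependency is declared.
        force(*forcedModules.toTypedArray())
    }
}

// Hypothetical guard task: fails when any resolved org.jetbrains.kotlin
// artifact is not at kotlinVersion, which is what a partial bump produces.
tasks.register("checkKotlinAlignment") {
    doLast {
        val offVersion = configurations.getByName("runtimeClasspath")
            .resolvedConfiguration.resolvedArtifacts
            .map { it.moduleVersion.id }
            .filter { it.group == "org.jetbrains.kotlin" && it.version != kotlinVersion }
            .map { "${it.group}:${it.name}:${it.version}" }
            .distinct()
        if (offVersion.isNotEmpty()) {
            throw GradleException("Kotlin modules not at $kotlinVersion: $offVersion")
        }
    }
}
```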

@alexander-yevsyukov alexander-yevsyukov self-assigned this Jun 6, 2026
@alexander-yevsyukov alexander-yevsyukov marked this pull request as ready for review June 6, 2026 16:44
Copilot AI review requested due to automatic review settings June 6, 2026 16:44
codecov Bot commented Jun 6, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.15%. Comparing base (adc624a) to head (1b87481).

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #934   +/-   ##
=======================================
  Coverage   87.15%   87.15%           
=======================================
  Files         193      193           
  Lines        4164     4164           
  Branches      338      339    +1     
=======================================
  Hits         3629     3629           
  Misses        412      412           
  Partials      123      123           

Copilot AI left a comment

Pull request overview

This PR refreshes dependency version declarations across the build configuration and generated dependency documentation, and bumps the published snapshot version to 2.0.0-SNAPSHOT.401. Given base-libraries sits at the bottom of the Spine SDK dependency graph, these updates primarily aim to keep downstream builds secure and aligned on accepted versions.

Changes:

  • Bump versionToPublish (and docs’ Maven version) from 2.0.0-SNAPSHOT.400 to .401.
  • Update Kotlin toolchain alignment to 2.3.21 (plus broad library/plugin version refreshes, incl. gRPC/Protobuf/Jackson/Guava/etc.).
  • Regenerate dependency documentation under docs/dependencies/ to reflect the new resolved versions.

Reviewed changes

Copilot reviewed 54 out of 56 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| version.gradle.kts | Bumps versionToPublish to 2.0.0-SNAPSHOT.401. |
| docs/dependencies/pom.xml | Updates the documentation POM’s dependency versions (Kotlin/Protobuf/Guava/Jackson/JUnit/KSP API, etc.) and project version to .401. |
| docs/dependencies/dependencies.md | Regenerates the dependency/license report to reflect updated resolved versions and the .401 snapshot. |
| buildSrc/src/main/kotlin/io/spine/gradle/java/Linters.kt | Disables ErrorProne using the updated API (enabled.set(false)) and updates header year. |
| buildSrc/src/main/kotlin/io/spine/dependency/test/Truth.kt | Bumps Truth to 1.4.5. |
| buildSrc/src/main/kotlin/io/spine/dependency/test/KotlinCompileTesting.kt | Bumps Kotlin compile testing fork to 0.13.0. |
| buildSrc/src/main/kotlin/io/spine/dependency/test/JUnit.kt | Bumps JUnit BOM to 6.1.0 and legacy JUnit 4 to 4.13.2. |
| buildSrc/src/main/kotlin/io/spine/dependency/test/Jacoco.kt | Bumps JaCoCo to 0.8.15. |
| buildSrc/src/main/kotlin/io/spine/dependency/local/Validation.kt | Bumps Spine Validation snapshot to .446. |
| buildSrc/src/main/kotlin/io/spine/dependency/local/ToolBase.kt | Bumps ToolBase snapshot to .381 (incl. dogfooding). |
| buildSrc/src/main/kotlin/io/spine/dependency/local/CoreJvmCompiler.kt | Bumps CoreJvmCompiler snapshot to .068 (incl. dogfooding). |
| buildSrc/src/main/kotlin/io/spine/dependency/local/Compiler.kt | Bumps Compiler fallback snapshots to .046. |
| buildSrc/src/main/kotlin/io/spine/dependency/local/Base.kt | Bumps Base snapshot to .400 (incl. buildscript version). |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/Slf4J.kt | Bumps SLF4J to 2.0.18 and adds a Maven Central URL hint. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/Roaster.kt | Bumps Roaster to 2.31.0.Final. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/Protobuf.kt | Bumps Protobuf to 4.35.0 and protobuf-gradle-plugin to 0.10.0. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/Plexus.kt | Bumps plexus-utils to 4.0.3. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/PalantirJavaFormat.kt | Bumps Palantir Java Format to 2.91.0. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/Okio.kt | Bumps Okio to 3.17.0. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/Netty.kt | Bumps Netty to 4.2.15.Final. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/Log4j2.kt | Bumps Log4j2 to 2.26.0. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/KotlinSemver.kt | Bumps kotlin-semver to 3.1.0. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/KotlinPoet.kt | Bumps KotlinPoet to 2.3.0. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/Kotlin.kt | Aligns Kotlin runtime/embedded versions to 2.3.21 and JetBrains annotations to 26.1.0. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/JetBrainsAnnotations.kt | Bumps JetBrains annotations to 26.1.0. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/JavaDiffUtils.kt | Bumps java-diff-utils to 4.17. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/Jackson.kt | Bumps Jackson BOM to 2.22.0 and annotations to 2.22. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/J2ObjC.kt | Bumps j2objc-annotations to 3.1. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/HttpClient.kt | Bumps google-http-client to 2.1.0. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/Guava.kt | Bumps Guava to 33.6.0-jre. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/Gson.kt | Bumps Gson to 2.14.0. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/GrpcKotlin.kt | Bumps grpc-kotlin to 1.5.0. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/Grpc.kt | Bumps gRPC BOM to 1.81.0. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/Flogger.kt | Bumps Flogger to 0.9. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/Firebase.kt | Bumps firebase-admin to 9.9.0. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/CommonsLogging.kt | Bumps commons-logging to 1.3.6. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/CommonsCodec.kt | Bumps commons-codec to 1.22.0. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/CommonsCli.kt | Bumps commons-cli to 1.11.0. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/Clikt.kt | Bumps Clikt to 5.1.0. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/Caffeine.kt | Bumps Caffeine to 3.2.4. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/Auto.kt | Bumps auto-value-annotations to 1.11.1. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/Asm.kt | Bumps ASM to 9.10.1. |
| buildSrc/src/main/kotlin/io/spine/dependency/lib/Aedile.kt | Bumps Aedile to 3.0.4. |
| buildSrc/src/main/kotlin/io/spine/dependency/kotlinx/Serialization.kt | Updates header year (dependency alignment handled elsewhere). |
| buildSrc/src/main/kotlin/io/spine/dependency/kotlinx/DateTime.kt | Bumps kotlinx-datetime to 0.8.0. |
| buildSrc/src/main/kotlin/io/spine/dependency/kotlinx/Coroutines.kt | Updates header year (version intentionally SDK-aligned per PR notes). |
| buildSrc/src/main/kotlin/io/spine/dependency/kotlinx/AtomicFu.kt | Updates header year (version intentionally SDK-aligned per PR notes). |
| buildSrc/src/main/kotlin/io/spine/dependency/build/Pmd.kt | Bumps PMD to 7.25.0. |
| buildSrc/src/main/kotlin/io/spine/dependency/build/PluginPublishPlugin.kt | Bumps Gradle plugin-publish plugin to 2.1.1. |
| buildSrc/src/main/kotlin/io/spine/dependency/build/Ksp.kt | Bumps KSP to 2.3.9. |
| buildSrc/src/main/kotlin/io/spine/dependency/build/GradleDoctor.kt | Bumps Gradle Doctor to 0.12.1. |
| buildSrc/src/main/kotlin/io/spine/dependency/build/ErrorProne.kt | Bumps ErrorProne Gradle plugin library version to 5.1.0. |
| buildSrc/src/main/kotlin/io/spine/dependency/build/CheckerFramework.kt | Bumps Checker Framework annotations to 4.2.0. |
| buildSrc/src/main/kotlin/io/spine/dependency/build/AnimalSniffer.kt | Bumps animal-sniffer annotations to 1.27. |
| buildSrc/build.gradle.kts | Aligns Kotlin embedded version to 2.3.21 and bumps key buildscript dependency/plugin versions (Guava, ErrorProne plugin, protobuf plugin). |
| .idea/misc.xml | Updates IDE nullability annotation lists and ProjectRootManager defaults. |
Files not reviewed (1)
  • .idea/misc.xml: Language not supported

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1b87481be4

Comment thread buildSrc/build.gradle.kts
@alexander-yevsyukov alexander-yevsyukov merged commit 5c5e777 into master Jun 6, 2026
17 checks passed
@alexander-yevsyukov alexander-yevsyukov deleted the update-dependencies branch June 6, 2026 16:57