chore(deps): update to SB 3.2.6, SF 5.3.36, 6.1.8

[yanavasileva]

#4144

[github-actions]

Java dependency diff

Omitted due to character limit. See workflow artifacts for full diff file.

Module details

Omitted due to character limit. See workflow artifacts for full diff file.

Checklist

Unique changes

• spring-jcl: 5.3.35 ✔ => 5.3.36 ✔
• spring-core: 5.3.35 ✔ => 5.3.36 ✔
• spring-beans: 5.3.35 ✔ => 5.3.36 ✔
• spring-jcl: 6.1.7 ✔ => 6.1.8 ✔
• spring-core: 6.1.7 ✔ => 6.1.8 ✔
• spring-beans: 6.1.7 ✔ => 6.1.8 ✔
• spring-aop: 6.1.7 ✔ => 6.1.8 ✔
• spring-expression: 6.1.7 ✔ => 6.1.8 ✔
• spring-context: 6.1.7 ✔ => 6.1.8 ✔
• spring-tx: 6.1.7 ✔ => 6.1.8 ✔
• spring-jdbc: 6.1.7 ✔ => 6.1.8 ✔
• spring-orm: 6.1.7 ✔ => 6.1.8 ✔
• spring-web: 6.1.7 ✔ => 6.1.8 ✔
• byte-buddy: 1.14.11 ✔ => 1.14.16 ✔
• assertj-core: 3.24.2 ✔ => 3.24.2 ✔
• spring-jcl: 6.1.3 ✔ => 6.1.8 ✔
• spring-core: 6.1.3 ✔ => 6.1.8 ✔
• spring-beans: 6.1.3 ✔ => 6.1.8 ✔
• spring-aop: 6.1.3 ✔ => 6.1.8 ✔
• spring-expression: 6.1.3 ✔ => 6.1.8 ✔
• micrometer-commons: 1.12.2 ✔ => 1.12.6 ✔
• micrometer-observation: 1.12.2 ✔ => 1.12.6 ✔
• spring-context: 6.1.3 ✔ => 6.1.8 ✔
• spring-boot: 3.2.2 ✔ => 3.2.6 ✔
• spring-boot-autoconfigure: 3.2.2 ✔ => 3.2.6 ✔
• slf4j-api: 2.0.11 ✔ => 2.0.13 ✔
• logback-classic: 1.4.14 ⚠❓‼ => 1.4.14 ⚠❓‼
• log4j-to-slf4j: 2.21.1 ✔ => 2.21.1 ✔
• jul-to-slf4j: 2.0.11 ✔ => 2.0.13 ✔
• spring-boot-starter-logging: 3.2.2 ✔ => 3.2.6 ✔
• spring-boot-starter: 3.2.2 ✔ => 3.2.6 ✔
• spring-boot-test: 3.2.2 ✔ => 3.2.6 ✔
• spring-boot-test-autoconfigure: 3.2.2 ✔ => 3.2.6 ✔
• slf4j-api: 2.0.11 ✔ => 1.7.26 ✔ ⬇
• json-path: 2.8.0 ✔ => 2.9.0 ✔
• jakarta.activation-api: 2.1.2 ✔ => 2.1.3 ✔
• jakarta.xml.bind-api: 4.0.1 ✔ => 4.0.2 ✔
• accessors-smart: 2.5.0 ✔ => 2.5.1 ✔
• json-smart: 2.5.0 ✔ => 2.5.1 ✔
• awaitility: 4.2.0 ✔ => 4.2.1 ✔
• junit-platform-commons: 1.10.1 ⚠ => 1.10.2 ⚠
• junit-jupiter-api: 5.10.1 ⚠ => 5.10.2 ⚠
• junit-jupiter-params: 5.10.1 ⚠ => 5.10.2 ⚠
• junit-platform-engine: 1.10.1 ⚠ => 1.10.2 ⚠
• junit-jupiter-engine: 5.10.1 ⚠ => 5.10.2 ⚠
• junit-jupiter: 5.10.1 ⚠ => 5.10.2 ⚠
• byte-buddy-agent: 1.14.11 ✔ => 1.14.16 ✔
• mockito-core: 5.7.0 ✔ => 5.7.0 ✔
• mockito-junit-jupiter: 5.7.0 ✔ => 5.7.0 ✔
• spring-test: 6.1.3 ✔ => 6.1.8 ✔
• xmlunit-core: 2.9.1 ✔ => 2.9.1 ✔
• spring-boot-starter-test: 3.2.2 ✔ => 3.2.6 ✔
• junit-vintage-engine: 5.10.1 ⚠ => 5.10.2 ⚠
• spring-tx: 6.1.3 ✔ => 6.1.8 ✔
• spring-jdbc: 6.1.3 ✔ => 6.1.8 ✔
• spring-orm: 6.1.3 ✔ => 6.1.8 ✔
• aspectjweaver: 1.9.21 ⚠ => 1.9.22 ⚠
• spring-boot-starter-aop: 3.2.2 ✔ => 3.2.6 ✔
• HikariCP: 5.0.1 ✔ => 5.0.1 ✔
• spring-boot-starter-jdbc: 3.2.2 ✔ => 3.2.6 ✔
• angus-activation: 2.0.1 ✔ => 2.0.2 ✔
• txw2: 4.0.4 ✔ => 4.0.5 ✔
• jaxb-core: 4.0.4 ✔ => 4.0.5 ✔
• jaxb-runtime: 4.0.4 ✔ => 4.0.5 ✔
• hibernate-core: 6.4.1.Final ❓ => 6.4.8.Final ❓
• spring-data-commons: 3.2.2 ✔ => 3.2.6 ✔
• spring-data-jpa: 3.2.2 ✔ => 3.2.6 ✔
• spring-aspects: 6.1.3 ✔ => 6.1.8 ✔
• spring-boot-starter-data-jpa: 3.2.2 ✔ => 3.2.6 ✔
• spring-boot-actuator: 3.2.2 ✔ => 3.2.6 ✔
• jackson-annotations: 2.15.3 ✔ => 2.15.4 ✔
• jackson-core: 2.15.3 ✔ => 2.15.4 ✔
• jackson-databind: 2.15.3 ✔ => 2.15.4 ✔
• jackson-datatype-jsr310: 2.15.3 ✔ => 2.15.4 ✔
• spring-boot-actuator-autoconfigure: 3.2.2 ✔ => 3.2.6 ✔
• micrometer-core: 1.12.2 ✔ => 1.12.6 ✔
• micrometer-jakarta9: 1.12.2 ✔ => 1.12.6 ✔
• spring-boot-starter-actuator: 3.2.2 ✔ => 3.2.6 ✔
• spring-web: 6.1.3 ✔ => 6.1.8 ✔
• jackson-datatype-jdk8: 2.15.3 ✔ => 2.15.4 ✔
• jackson-module-parameter-names: 2.15.3 ✔ => 2.15.4 ✔
• spring-boot-starter-json: 3.2.2 ✔ => 3.2.6 ✔
• tomcat-embed-core: 10.1.18 ✔ => 10.1.24 ✔
• tomcat-embed-el: 10.1.18 ✔ => 10.1.24 ✔
• tomcat-embed-websocket: 10.1.18 ✔ => 10.1.24 ✔
• spring-boot-starter-tomcat: 3.2.2 ✔ => 3.2.6 ✔
• spring-webmvc: 6.1.3 ✔ => 6.1.8 ✔
• spring-boot-starter-web: 3.2.2 ✔ => 3.2.6 ✔
• spring-boot-starter-validation: 3.2.2 ✔ => 3.2.6 ✔
• jersey-common: 3.1.5 ⚠❓‼ => 3.1.6 ⚠❓‼
• jersey-client: 3.1.5 ⚠❓‼ => 3.1.6 ⚠❓‼
• jersey-server: 3.1.5 ⚠❓‼ => 3.1.6 ⚠❓‼
• jersey-container-servlet-core: 3.1.5 ⚠❓‼ => 3.1.6 ⚠❓‼
• jersey-container-servlet: 3.1.5 ⚠❓‼ => 3.1.6 ⚠❓‼
• jersey-bean-validation: 3.1.5 ⚠❓‼ => 3.1.6 ⚠❓‼
• aopalliance-repackaged: 3.0.5 ⚠‼ => 3.0.6 ⚠‼
• hk2-utils: 3.0.5 ⚠‼ => 3.0.6 ⚠‼
• hk2-api: 3.0.5 ⚠‼ => 3.0.6 ⚠‼
• hk2-locator: 3.0.5 ⚠‼ => 3.0.6 ⚠‼
• javassist: 3.29.2-GA ⚠❓‼ => 3.30.2-GA ⚠❓‼
• jersey-hk2: 3.1.5 ⚠❓‼ => 3.1.6 ⚠❓‼
• hk2-core: 3.0.5 ⚠‼ => 3.0.6 ⚠‼
• hk2-runlevel: 3.0.5 ⚠‼ => 3.0.6 ⚠‼
• class-model: 3.0.5 ⚠‼ => 3.0.6 ⚠‼
• hk2: 3.0.5 ⚠‼ => 3.0.6 ⚠‼
• spring-bridge: 3.0.5 ⚠‼ => 3.0.6 ⚠‼
• jersey-spring6: 3.1.5 ⚠❓‼ => 3.1.6 ⚠❓‼
• jersey-entity-filtering: 3.1.5 ⚠❓‼ => 3.1.6 ⚠❓‼
• jackson-module-jakarta-xmlbind-annotations: 2.15.3 ✔ => 2.15.4 ✔
• jersey-media-json-jackson: 3.1.5 ⚠❓‼ => 3.1.6 ⚠❓‼
• spring-boot-starter-jersey: 3.2.2 ✔ => 3.2.6 ✔
• spring-boot-configuration-processor: 3.2.2 ✔ => 3.2.6 ✔
• spring-boot-devtools: 3.2.2 ✔ => 3.2.6 ✔
• jaxb-core: 4.0.4 ✔ => 4.0.5 ✔
• jaxb-impl: 4.0.5 ✔ => 4.0.5 ✔
• spring-aop: 5.3.35 ✔ => 5.3.36 ✔
• spring-expression: 5.3.35 ✔ => 5.3.36 ✔
• spring-context: 5.3.35 ✔ => 5.3.36 ✔
• spring-tx: 5.3.35 ✔ => 5.3.36 ✔
• spring-jdbc: 5.3.35 ✔ => 5.3.36 ✔
• spring-orm: 5.3.35 ✔ => 5.3.36 ✔
• spring-web: 5.3.35 ✔ => 5.3.36 ✔
• jakarta.json.bind-api: 3.0.0 ⚠❓‼ => 3.0.1 ⚠❓‼
• jakarta.jakartaee-web-api: 10.0.0 ❓ => 10.0.0 ❓

Unique additions

• asm: 9.6 ✔
• expressly: 5.0.0 ⚠❓‼

Developer comments

Glossary

Limitations

• The reported transitive dependencies may not always be accurate in a multi-module project.
  The SBOM file format represents a unique dependency (coordinates + type) only once. In a multi-module
  project a dependency can be declared in multiple locations with different exclusions of transitive dependencies
  or different version overrides for transitive dependencies.

Emojies

• ✔: All licenses are on the Go list
• ⚠: (At least one) license is on the Caution list
• ❌: (At least one) license is on the Stop list
• ❓: (At least one) license cannot be determined or is unknown
• ‼: Dependency has multiple licenses declared
• ⬆: New dependency version is higher than previous
• ⬇: New dependency version is lower than previous
• 🔄: Dependency version is equal and the dependencies of this component changed (e.g. when comparing snapshots)
• 🤷: The change of the dependency version can not be determined further (e.g. because the version does not follow semantic versioning)

[yanavasileva]

expressly:5.0.0

Declared licenses:

• EPL-2.0 ⚠
• GNU General Public License, version 2 with the GNU Classpath Exception / https://www.gnu.org/software/classpath/license.html ❓

Links:

• website
• distribution
• issue-tracker
• mailing-list
• vcs

• org.glassfish.expressly:expressly
• license: https://github.com/eclipse-ee4j/expressly/blob/5.0.0/LICENSE.md
• project home: https://github.com/eclipse-ee4j/expressly/tree/master

It's a new dependency with a dual licensed, raised a question to Legal if we can use it under EPL 2.0:

• https://jira.camunda.com/browse/OB-37

[venetrius]

Looks good 👍

[yanavasileva]

We can use the expressly library under EPL 2.0, approved by Legal.