Skip to content

chore(deps): Bump the java group with 6 updates#103

Merged
thced merged 1 commit into
masterfrom
dependabot/maven/java-8074ce71ff
Jun 8, 2026
Merged

chore(deps): Bump the java group with 6 updates#103
thced merged 1 commit into
masterfrom
dependabot/maven/java-8074ce71ff

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 3, 2026

Copy link
Copy Markdown

Bumps the java group with 6 updates:

Package From To
com.fasterxml.jackson.core:jackson-databind 2.21.3 2.22.0
tools.jackson.core:jackson-databind 3.1.3 3.1.4
ch.qos.logback:logback-classic 1.5.32 1.5.34
org.apache.maven.plugins:maven-dependency-plugin 3.10.0 3.11.0
org.apache.maven.plugins:maven-surefire-plugin 3.5.5 3.5.6
org.apache.maven.plugins:maven-failsafe-plugin 3.5.5 3.5.6

Updates com.fasterxml.jackson.core:jackson-databind from 2.21.3 to 2.22.0

Commits

Updates tools.jackson.core:jackson-databind from 3.1.3 to 3.1.4

Commits

Updates ch.qos.logback:logback-classic from 1.5.32 to 1.5.34

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.34

2026-06-01 Release of logback version 1.5.34

• In case certain StackTraceElement values returned by the Throwable.getStackTrace method are null, StackTraceElementProxy substitutes a dummy instance instead of throwing an IllegalArgumentException. This resolves [issues #1040](qos-ch/logback#1040), reported by Naotsugu Kobayashi.

• HardenedObjectInputStream will now throw an InvalidClassException during deserialization attempts of Proxy classes. This change addresses potential deserialization whitelist bypass vulnerability reported by York Shen and registered as CVE-2026-10532.

• A bitwise identical binary of this version can be reproduced by building from source code at commit e62272ac152469aec1ede056c3c7d0d7314e7bfe associated with the tag v_1.5.34. This release was built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.33

2026-05-27 Release of logback version 1.5.33

PropertiesConfiguratorModelHandler now registers properties file URLs to the ConfigurationWatchList when scan is enabled (via local scan="true" attribute or top-level configuration scan), ensuring changes are detected and reconfiguration occurs. This problem was reported in issues/1034.

• When processing <conversionRule> elements and both class and converterClass attributes are specified, silently use the class attribute without issuing a warning. However, if the attribute values differ, a warning will be issued. This change was requested in issues/1031.

HardenedModelInputStream will no longer accept to deserialize all classes located under the "java.lang" and "java.util" packages but a limited number of explicitly authorized classes in those packages. This potential deserialization whitelist bypass vulnerability was reported by York Shen and registered as CVE-2026-9828.

• SSL parameters for SSLSocketAppender now enable hostname verification by default. Moreover, the default protocol is now "TLSv1.2". This potential vulnerability was reported by York Shen.

• When printing the status message field, ViewStatusMessagesServletBase now escapes special characters such as "&" as character entities. This potential vulnerability was reported by York Shen.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 124e8b49b55ac34d08743a0646bd463410192647 associated with the tag v_1.5.33. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Commits
  • e62272a prepare release 1.5.34
  • 1e9e926 add resolveProxyClassRejectsDynamicProxies unit test
  • 2de5cbe added StackTraceElementProxyTest, minor edits to AGENTS.md
  • 0e9b927 in case StackTraceElement is null use a substitute, fixing issues/1040
  • f7a0654 prevent resolveProxyClass bypass
  • 249b81f docs are no longer distributed
  • 1c3b26a start work on 1.5.34-SNAPSHOT
  • 124e8b4 prepare release 1.5.33
  • d8fd6f2 escapeTags in message field when printing status messages
  • 95edbeb hostnameVerification default to true in SSLParametersConfiguration, SSL.DEFAU...
  • Additional commits viewable in compare view

Updates org.apache.maven.plugins:maven-dependency-plugin from 3.10.0 to 3.11.0

Release notes

Sourced from org.apache.maven.plugins:maven-dependency-plugin's releases.

3.11.0

🚀 New features and improvements

🐛 Bug Fixes

👻 Maintenance

📦 Dependency updates

Commits
  • c186d05 [maven-release-plugin] prepare release maven-dependency-plugin-3.11.0
  • 3712611 Fix artifact relocation support
  • e873e0e Manage ASM version 9.10 to support JDK 27
  • 70b5356 fix: fix addParentPoms=true causes repositories to be ignored. (#1585)
  • 51d8939 Fix false positive in analyze-exclusions with transitive dependency exclusion...
  • 02b865b Bump eu.maveniverse.maven.domtrip:domtrip-core from 1.5.0 to 1.5.1
  • 04f4de1 Bump eu.maveniverse.maven.domtrip:domtrip-maven from 1.5.0 to 1.5.1
  • 2812490 Bump mavenVersion from 3.9.15 to 3.9.16
  • ce117da Bump org.apache.maven.shared:maven-dependency-analyzer
  • aea7a64 Prevent NPE (#1622)
  • Additional commits viewable in compare view

Updates org.apache.maven.plugins:maven-surefire-plugin from 3.5.5 to 3.5.6

Release notes

Sourced from org.apache.maven.plugins:maven-surefire-plugin's releases.

3.5.6

🚀 New features and improvements

  • Introduce reportTestTimestamp option and include timestamp for test sets and test cases (#3261) (#3302) @​olamy

🐛 Bug Fixes

👻 Maintenance

📦 Dependency updates

Commits
  • 25ea054 [maven-release-plugin] prepare release surefire-3.5.6
  • e5f374c Bump org.fusesource.jansi:jansi from 2.4.2 to 2.4.3
  • dadd55b Issue #2613 Debugging failsafe tests: Message 'Listening for transport dt_soc...
  • 39dd250 Bump commons-io:commons-io from 2.21.0 to 2.22.0
  • 2774273 Ensure that the statistics filename is calculated only once. (#3326) (#3327)
  • 0d5df8a 3.5.x/bug/cherry pick embedded mode its (#3328)
  • 04ad9a2 Use surefire 3.5.5 by project itself for testing
  • 37e8f69 Add flakes attribute to use in testsuite report (#3306) (#3308)
  • a970fef Introduce reportTestTimestamp option and include timestamp for test sets and ...
  • e838393 deploy 3.5.x branch to nexus
  • Additional commits viewable in compare view

Updates org.apache.maven.plugins:maven-failsafe-plugin from 3.5.5 to 3.5.6

Release notes

Sourced from org.apache.maven.plugins:maven-failsafe-plugin's releases.

3.5.6

🚀 New features and improvements

  • Introduce reportTestTimestamp option and include timestamp for test sets and test cases (#3261) (#3302) @​olamy

🐛 Bug Fixes

👻 Maintenance

📦 Dependency updates

Commits
  • 25ea054 [maven-release-plugin] prepare release surefire-3.5.6
  • e5f374c Bump org.fusesource.jansi:jansi from 2.4.2 to 2.4.3
  • dadd55b Issue #2613 Debugging failsafe tests: Message 'Listening for transport dt_soc...
  • 39dd250 Bump commons-io:commons-io from 2.21.0 to 2.22.0
  • 2774273 Ensure that the statistics filename is calculated only once. (#3326) (#3327)
  • 0d5df8a 3.5.x/bug/cherry pick embedded mode its (#3328)
  • 04ad9a2 Use surefire 3.5.5 by project itself for testing
  • 37e8f69 Add flakes attribute to use in testsuite report (#3306) (#3308)
  • a970fef Introduce reportTestTimestamp option and include timestamp for test sets and ...
  • e838393 deploy 3.5.x branch to nexus
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the java group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson) | `2.21.3` | `2.22.0` |
| [tools.jackson.core:jackson-databind](https://github.com/FasterXML/jackson) | `3.1.3` | `3.1.4` |
| [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) | `1.5.32` | `1.5.34` |
| [org.apache.maven.plugins:maven-dependency-plugin](https://github.com/apache/maven-dependency-plugin) | `3.10.0` | `3.11.0` |
| [org.apache.maven.plugins:maven-surefire-plugin](https://github.com/apache/maven-surefire) | `3.5.5` | `3.5.6` |
| [org.apache.maven.plugins:maven-failsafe-plugin](https://github.com/apache/maven-surefire) | `3.5.5` | `3.5.6` |


Updates `com.fasterxml.jackson.core:jackson-databind` from 2.21.3 to 2.22.0
- [Commits](https://github.com/FasterXML/jackson/commits)

Updates `tools.jackson.core:jackson-databind` from 3.1.3 to 3.1.4
- [Commits](https://github.com/FasterXML/jackson/commits)

Updates `ch.qos.logback:logback-classic` from 1.5.32 to 1.5.34
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.32...v_1.5.34)

Updates `org.apache.maven.plugins:maven-dependency-plugin` from 3.10.0 to 3.11.0
- [Release notes](https://github.com/apache/maven-dependency-plugin/releases)
- [Commits](apache/maven-dependency-plugin@maven-dependency-plugin-3.10.0...maven-dependency-plugin-3.11.0)

Updates `org.apache.maven.plugins:maven-surefire-plugin` from 3.5.5 to 3.5.6
- [Release notes](https://github.com/apache/maven-surefire/releases)
- [Commits](apache/maven-surefire@surefire-3.5.5...surefire-3.5.6)

Updates `org.apache.maven.plugins:maven-failsafe-plugin` from 3.5.5 to 3.5.6
- [Release notes](https://github.com/apache/maven-surefire/releases)
- [Commits](apache/maven-surefire@surefire-3.5.5...surefire-3.5.6)

---
updated-dependencies:
- dependency-name: com.fasterxml.jackson.core:jackson-databind
  dependency-version: 2.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: java
- dependency-name: tools.jackson.core:jackson-databind
  dependency-version: 3.1.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: java
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.34
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: java
- dependency-name: org.apache.maven.plugins:maven-dependency-plugin
  dependency-version: 3.11.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: java
- dependency-name: org.apache.maven.plugins:maven-surefire-plugin
  dependency-version: 3.5.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: java
- dependency-name: org.apache.maven.plugins:maven-failsafe-plugin
  dependency-version: 3.5.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: java
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Jun 3, 2026
@sonarqubecloud

sonarqubecloud Bot commented Jun 3, 2026

Copy link
Copy Markdown

@thced thced merged commit 5648091 into master Jun 8, 2026
6 checks passed
@thced thced deleted the dependabot/maven/java-8074ce71ff branch June 8, 2026 14:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file java Pull requests that update Java code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant