Skip to content

chore(deps): bump the maven-dependencies group across 1 directory with 18 updates#4707

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/maven-dependencies-4454fc67df
Open

chore(deps): bump the maven-dependencies group across 1 directory with 18 updates#4707
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/maven-dependencies-4454fc67df

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 5, 2026

Copy link
Copy Markdown
Contributor

Bumps the maven-dependencies group with 17 updates in the / directory:

Package From To
org.hibernate.orm:hibernate-core 7.4.3.Final 7.4.4.Final
org.postgresql:postgresql 42.7.11 42.7.12
net.bytebuddy:byte-buddy 1.18.10 1.18.11
net.bytebuddy:byte-buddy-agent 1.18.10 1.18.11
org.junit:junit-bom 6.1.0 6.1.1
org.apache.logging.log4j:log4j-slf4j2-impl 2.26.0 2.26.1
org.apache.logging.log4j:log4j-core 2.26.0 2.26.1
org.apache.logging.log4j:log4j-core-test 2.26.0 2.26.1
com.puppycrawl.tools:checkstyle 13.6.0 13.7.0
org.junit.jupiter:junit-jupiter-api 6.1.0 6.1.1
org.junit.jupiter:junit-jupiter-engine 6.1.0 6.1.1
org.junit.jupiter:junit-jupiter-params 6.1.0 6.1.1
org.openrewrite.recipe:rewrite-recipe-bom 3.33.0 3.34.0
ch.qos.logback:logback-classic 1.5.32 1.5.37
io.axoniq.platform:axoniq-platform-framework-client 5.1.0 5.1.1
org.jline:jline 3.27.0 4.3.1
org.codehaus.mojo:exec-maven-plugin 3.5.0 3.6.3

Updates org.hibernate.orm:hibernate-core from 7.4.3.Final to 7.4.4.Final

Release notes

Sourced from org.hibernate.orm:hibernate-core's releases.

Release 7.4.4

Hibernate ORM 7.4.4.Final released

Today, we published a new release of Hibernate ORM 7.4: 7.4.4.Final.

You can find the full list of 7.4.4.Final changes here.

What's new

  • See the website for requirements and compatibilities.
  • See the What's New guide for details about new features and capabilities.
  • See the Migration Guide for details about migration.

Conclusion

For additional details, see:

See also the following resources related to supported APIs:

Visit the website for details on getting in touch with us.

Changelog

Sourced from org.hibernate.orm:hibernate-core's changelog.

Changes in 7.4.4.Final (July 05, 2026)

https://hibernate.atlassian.net/projects/HHH/versions/39929

** Bug * HHH-20647 Binding an NClob attribute fails on PostgreSQL with "Could not convert 'java.sql.NClob' to 'java.sql.Clob'" * HHH-20634 Property based id generator configuration no longer working for EmbeddedId * HHH-20633 Unnecessary cast to SessionFactoryImplementor in AuditLogFactory * HHH-20614 AnnotationBasedGenerator is not initialized when the interface is implemented by an (abstract) superclass instead of the concrete class (after upgrading to hibernate 7.3/7.4) * HHH-20586 GlobalRegistrationsImpl is not extracting query hints correctly * HHH-20582 Envers ToOneRelationMetadataGenerator.checkMappedByAudited fails when inverse @OneToOne mappedBy points to a property declared on a superclass @Entity * HHH-20550 SqmSelectStatement.createCountQuery() doesn't copy CTE statements * HHH-20467 StackOverflow with Converters with unbounded Generics * HHH-20318 Unable to update CLOB column * HHH-20146 Cascade delete with bytecode enhancement throws transient exception * HHH-19569 Hibernate 6 alias injection in native query problem when using Joined Inheritance

** Task * HHH-20642 Handle renaming of Panache Next to Quarkus Data in hibernate-processor and add name SPI

Commits
  • 0f115c4 [Jenkins release job] Preparing release 7.4.4.Final
  • 3578615 [Jenkins release job] changelog.txt updated by release build 7.4.4.Final
  • 0ac8b71 HHH-20647 Handle Clob unwrap/wrap in NClobJavaType
  • 1621b05 HHH-20318 Fix CCE in Clob/NClob unwrap CharacterStream branch
  • bfd89d8 HHH-20622 locate() with start position returns wrong value when pattern is no...
  • e187168 HHH-20467 Resolve type variables to bounds when context is not parameterized
  • 057a026 HHH-20146: Fix multi-level cascade delete with bytecode enhancement
  • c23d31a HHH-20582 Accommodate PR feedback in tests
  • 68a0f61 HHH-20582 Walk superclass auditing data when resolving @​OneToOne mappedBy
  • 86c220c HHH-20642 Extract Quarkus Data type names into a ServiceLoader SPI
  • Additional commits viewable in compare view

Updates org.postgresql:postgresql from 42.7.11 to 42.7.12

Release notes

Sourced from org.postgresql:postgresql's releases.

v42.7.12: security

Silent channel-binding authentication downgrade (CVE-2026-54291)

channelBinding=require connections can be silently downgraded from SCRAM-SHA-256-PLUS (with channel binding) to plain SCRAM-SHA-256 (without it), losing the man-in-the-middle protection the setting is meant to guarantee. An attacker who can intercept the TLS connection triggers the downgrade with a certificate whose signature algorithm has no tls-server-end-point channel-binding hash. Examples are Ed25519, Ed448, and post-quantum algorithms.

Two issues combine in releases 42.7.4 through 42.7.11:

The bundled com.ongres.scram:scram-client (3.1 or 3.2) returns an empty byte array instead of failing when it cannot derive the binding hash for such a certificate. This is the library issue tracked as GHSA-p9jg-fcr6-3mhf.

pgJDBC does not enforce channelBinding=require where it matters. ScramAuthenticator checks only that the server advertised a -PLUS mechanism; it neither rejects the empty binding nor checks that the negotiated mechanism uses channel binding. The connection therefore downgrades silently.

Only connections that set channelBinding=require are affected. Under the default prefer policy, and under allow or disable, falling back to plain SCRAM is the documented behaviour.

Releases before 42.7.4 are unaffected, because they do not support channel binding.

Changelog

Sourced from org.postgresql:postgresql's changelog.

[42.7.12] (2026-xx-xx)

Security

Added

  • feat: reWriteBatchedInserts now merges up to 32768 rows into one multi-values INSERT (bounded by the 65535 bind-parameter limit on the extended protocol) instead of capping at 128, which speeds up batches of few-column rows. The new reWriteBatchedInsertsSize connection property lowers that cap when set; the default of 0 uses that maximum.
  • feat: invalidate the prepared-statement cache after CREATE/DROP/ALTER so callers no longer trip on "cached plan must not change result type" without opting into autosave=ALWAYS. Controlled by the new flushCacheOnDdl connection property (default true); set to false for the prior behaviour.
  • feat: add connectExecutor connection property to customize the Executor used to run the worker task that performs the connection attempt when loginTimeout is in effect. The value is the fully qualified name of a class implementing java.util.concurrent.Executor. With a null value, the default, the driver retains the prior behavior of running the connection attempt on a daemon thread named "PostgreSQL JDBC driver connection thread". The executor must run the task on a thread other than the caller's. Running the attempt on a named thread lets applications that monitor driver-created threads identify it.
  • feat: add connectThreadFactory connection property to customize the ThreadFactory used to spawn the worker thread that runs the connection attempt when loginTimeout is in effect. The value is the fully qualified name of a class implementing java.util.concurrent.ThreadFactory. With a null value, the default, the driver retains the prior behavior of using a daemon thread named "PostgreSQL JDBC driver connection thread". Useful for testing timeout behaviour or for applications that want detailed control of all driver-created threads.
  • feat: add classLoaderStrategy connection property to control which classloaders the driver searches when loading a class named by a connection property, for example socketFactory. The default driver-first now falls back to the thread context classloader when the driver's classloader cannot resolve the class, which fixes class loading in non-flat class paths such as Quarkus and OSGi. Set driver to keep the previous driver-classloader-only behaviour, or context-first to prefer the thread context classloader [Issue #2112](pgjdbc/pgjdbc#2112)

Changed

  • refactor: the worker that runs the connection attempt under loginTimeout is now a FutureTask (ConnectTask) instead of the hand-rolled ConnectThread. When the caller hits the timeout, the task is now cancelled with cancel(true), which interrupts the worker thread rather than letting it run to completion. This makes the connection attempt interruptible, so loginTimeout can stop a slow connection attempt instead of leaking a thread. As before, a connection that the worker still manages to establish after the caller gives up is closed by the worker so that it does not leak. There are no public API changes and this should only lead to faster background resource cleanup for connections that time out.
  • chore: PGXAConnection.ConnectionHandler now rejects setAutoCommit(false) and setSavepoint(...) during an active XA branch, in addition to the long-rejected setAutoCommit(true) / commit() / rollback(). The setSavepoint rejection was already meant to be in place but the guard misspelled the method name as setSavePoint, so savepoints silently went through. Both changes bring the proxy in line with JTA 1.2 §3.4.
  • chore: commitPrepared / rollback-of-prepared now return XAER_RMFAIL instead of XAER_RMERR when the underlying connection is left in a non-idle TransactionState. Transaction managers (Geronimo, Narayana, Atomikos) treat XAER_RMFAIL as retryable on a fresh XAResource; the prepared transaction is no longer abandoned.

Fixed

  • fix: the published GitHub release now ships the released postgresql-<version>.jar and its detached PGP signature, taken from the same signed build that is uploaded to Maven Central, instead of a leftover SNAPSHOT jar [Issue #3812](pgjdbc/pgjdbc#3812) [PR #3814](pgjdbc/pgjdbc#3814)
  • fix: simplify the Statement#cancel state machine by dropping the redundant CANCELLED state. killTimerTask now waits for the state to return to IDLE directly, which removes a spin-forever case when more than one thread observes the cancel completing [PR #1827](pgjdbc/pgjdbc#1827).
  • perf: defer simple-query flushes until the driver reads the response, allowing BEGIN and the following query to share a network flush [Issue #3894](pgjdbc/pgjdbc#3894)
  • fix: reWriteBatchedInserts no longer throws IllegalArgumentException when batching a parameterless INSERT (for example INSERT INTO t VALUES (1, 2)) of 256 rows or more.
  • fix: a comment before CALL in a CallableStatement no longer hides the native call, so OUT parameter registration works for /* comment */ call proc(?, ?) and similar. Parser.modifyJdbcCall now skips leading whitespace and SQL comments (both -- and /* */) before the call, tolerates a trailing comment after a { ... } escape, and no longer adds a spurious comma when moving an OUT parameter into a call whose arguments are only a comment [Issue #2538](pgjdbc/pgjdbc#2538)
  • fix: PreparedStatement.toString() no longer throws for a bytea value supplied as text via PGobject. Hex-format values (\x...) are validated and rendered as a bytea literal, and escape-format values are quoted and cast like any other literal [Issue #3757](pgjdbc/pgjdbc#3757)
  • fix: the driver no longer nulls the contextClassLoader of shared ForkJoinPool.commonPool() worker threads, which previously left unrelated tasks on those threads running with a null classloader [Issue #4155](pgjdbc/pgjdbc#4155)
  • fix: getCharacterStream wraps String in StringReader [PR #4063](pgjdbc/pgjdbc#4063)
  • fix: PGXAConnection no longer saves and restores the underlying connection's JDBC autoCommit flag. All XA-protocol SQL (BEGIN, PREPARE TRANSACTION, COMMIT, ROLLBACK, COMMIT PREPARED, ROLLBACK PREPARED, the recover() SELECT) is sent through QUERY_SUPPRESS_BEGIN, so the caller's autoCommit value is invariant across every XAResource call. Fixes the "2nd phase commit must be issued using an idle connection" failure during recovery on managed datasources that pool connections with autoCommit=false (TomEE, WildFly, WebSphere Liberty).
  • fix: PGXAConnection.prepare() now mutates XA state only after PREPARE TRANSACTION succeeds. A failed PREPARE previously left the driver thinking the branch was already prepared, so the follow-up rollback(xid) tried ROLLBACK PREPARED against a non-existent gid and returned XAER_RMERR. Transaction managers (Narayana) escalated this to HeuristicMixedException. With the fix, rollback(xid) takes the active-branch path and issues a plain ROLLBACK, which the server accepts cleanly. Fixes [Issue #3153](pgjdbc/pgjdbc#3153), [Issue #3123](pgjdbc/pgjdbc#3123).
  • fix: an updatable result set over an unqualified table name is now classified using only the table visible through search_path. When two schemas held a table with the same name and the same primary or unique index name but a different set of key columns, the driver took the union of both schemas' columns, so the result set could be wrongly rejected as not updatable [PR #4214](pgjdbc/pgjdbc#4214). Supersedes [PR #3400](pgjdbc/pgjdbc#3400).
Commits

Updates net.bytebuddy:byte-buddy from 1.18.10 to 1.18.11

Release notes

Sourced from net.bytebuddy:byte-buddy's releases.

Byte Buddy 1.18.11

  • Add SBOM to published artifacts.
  • Check for traversable paths injected into class files as a rather hypothetical attack vector.
Changelog

Sourced from net.bytebuddy:byte-buddy's changelog.

2. July 2026: version 1.18.11

  • Add SBOM to published artifacts.
  • Check for traversable paths injected into class files as a rather hypothetical attack vector.
Commits
  • 88dd0a3 [publish] Releasing Byte Buddy 1.18.11
  • 46fcade [release] Release new version
  • 6a68de6 Prevent path traversal from crafted type names when writing class files to fo...
  • 9ba4ab6 Pin ClusterFuzzLite base image and actions by hash.
  • dd4f81e Add SBOM to build.
  • 7dd9a0d Update internal Byte Buddy and release notes
  • d6b3e15 [publish] Start next development iteration 1.18.11-SNAPSHOT
  • See full diff in compare view

Updates net.bytebuddy:byte-buddy-agent from 1.18.10 to 1.18.11

Release notes

Sourced from net.bytebuddy:byte-buddy-agent's releases.

Byte Buddy 1.18.11

  • Add SBOM to published artifacts.
  • Check for traversable paths injected into class files as a rather hypothetical attack vector.
Changelog

Sourced from net.bytebuddy:byte-buddy-agent's changelog.

2. July 2026: version 1.18.11

  • Add SBOM to published artifacts.
  • Check for traversable paths injected into class files as a rather hypothetical attack vector.
Commits
  • 88dd0a3 [publish] Releasing Byte Buddy 1.18.11
  • 46fcade [release] Release new version
  • 6a68de6 Prevent path traversal from crafted type names when writing class files to fo...
  • 9ba4ab6 Pin ClusterFuzzLite base image and actions by hash.
  • dd4f81e Add SBOM to build.
  • 7dd9a0d Update internal Byte Buddy and release notes
  • d6b3e15 [publish] Start next development iteration 1.18.11-SNAPSHOT
  • See full diff in compare view

Updates net.bytebuddy:byte-buddy-agent from 1.18.10 to 1.18.11

Release notes

Sourced from net.bytebuddy:byte-buddy-agent's releases.

Byte Buddy 1.18.11

  • Add SBOM to published artifacts.
  • Check for traversable paths injected into class files as a rather hypothetical attack vector.
Changelog

Sourced from net.bytebuddy:byte-buddy-agent's changelog.

2. July 2026: version 1.18.11

  • Add SBOM to published artifacts.
  • Check for traversable paths injected into class files as a rather hypothetical attack vector.
Commits
  • 88dd0a3 [publish] Releasing Byte Buddy 1.18.11
  • 46fcade [release] Release new version
  • 6a68de6 Prevent path traversal from crafted type names when writing class files to fo...
  • 9ba4ab6 Pin ClusterFuzzLite base image and actions by hash.
  • dd4f81e Add SBOM to build.
  • 7dd9a0d Update internal Byte Buddy and release notes
  • d6b3e15 [publish] Start next development iteration 1.18.11-SNAPSHOT
  • See full diff in compare view

Updates org.junit:junit-bom from 6.1.0 to 6.1.1

Release notes

Sourced from org.junit:junit-bom's releases.

JUnit 6.1.1 = Platform 6.1.1 + Jupiter 6.1.1 + Vintage 6.1.1

See Release Notes.

Full Changelog: junit-team/junit-framework@r6.1.0...r6.1.1

Commits
  • 0d85889 Release 6.1.1
  • 0363eee Finalize 6.1.1 release notes
  • a6d540a Move entry to 6.1.1 release notes
  • 69339d5 Only pass timeout when publishing to avoid failure in nmcp plugin
  • dec2eb9 Allow excluding engines from memory cleanup mode (#5786)
  • a5f4270 Publish sha256/sha512 checksums again but filter out signature ones (#5796)
  • 8213012 Update plugin nmcp-settings to v1.6.0 (#5787)
  • d1bf847 Generate Javadoc for aggregator modules
  • d721de5 Pass --no-fonts to javadoc convention
  • d289ec6 Restore original SetSystemProperty values in a ParameterizedTest (#5720)
  • Additional commits viewable in compare view

Updates org.apache.logging.log4j:log4j-slf4j2-impl from 2.26.0 to 2.26.1

Updates org.apache.logging.log4j:log4j-core from 2.26.0 to 2.26.1

Updates org.apache.logging.log4j:log4j-core-test from 2.26.0 to 2.26.1

Updates org.apache.logging.log4j:log4j-core from 2.26.0 to 2.26.1

Updates com.puppycrawl.tools:checkstyle from 13.6.0 to 13.7.0

Release notes

Sourced from com.puppycrawl.tools:checkstyle's releases.

checkstyle-13.7.0

Checkstyle 13.7.0 - https://checkstyle.org/releasenotes.html#Release_13.7.0

New:

#20357 - UnusedLocalVariable: new property jdkVersion to allow unused named pattern matching variables for pre-Java 22 code. #19148 - update MissingJavadocMethodCheck to use AST of javadoc. #19144 - update JavadocMethod to use AST of javadoc. #19889 - OverloadMethodsDeclarationOrder: new property required to order overloaded methods according to increasing parameter count.

Bug fixes:

#20395 - Javadoc parse error on @link label containing Java array initializer braces. #20452 - Add checks for OpenJDK style §4.6 - Constants. #20462 - Fix default property validation in InlineConfigParser. #20437 - Add checks for Openjdk style §3.8.3 - Wrapping Expressions. #19629 - Add checks for OpenJDK Style §3.5 - Modifiers. #20428 - Add checks for OpenJDK §3.4 - Class structure. #19623 - Add checks for OpenJDK Style §3.3 - Import statements. #20271 - UnnecessarySemicolonAfterTypeMemberDeclarationCheck: trailing semicolon after nested type not flagged in compact source files (JEP 512). #20223 - DeclarationOrderCheck: declaration order not enforced on top-level members in compact source files (JEP 512). #20219 - AnnotationLocationCheck: annotation on top-level variable not flagged in compact source files (JEP 512). #19805 - Add checks for OpenJDK Style §3.4.1 - Order of Constructors and Overloaded Methods. #20269 - UnnecessarySemicolonAfterOuterTypeDeclarationCheck reports false positive on JEP 512 compact source files. #20391 - Javadoc parse error while parsing formatted @value. #19915 - Documentation Comments Style Guide - Required Tags. #19972 - RequireThisCheck: NullPointerException on compact source files (JEP 512). #20385 - Add checks for OpenJDK Style §4.2 - Class, Interface and Enum Names. #20217 - InvalidJavadocPositionCheck: false positive on correctly-placed Javadoc in compact source files (JEP 512). #20093 - Add checks for OpenJDK Style §3.13 - Redundant Paranthesis. #20268 - OuterTypeNumberCheck reports false positive on JEP 512 compact source files. #20283 - Javadoc parse error for generic outer class inner-class link. #19835 - Documentation Comments Style Guide - First Sentence.

... (truncated)

Commits
  • be24005 [maven-release-plugin] prepare release checkstyle-13.7.0
  • aceb637 doc: release notes for 13.7.0
  • b1c826a Issue #20395: Fix Javadoc parse error on @​link label containing Java array in...
  • b7e64b5 Issue #16807: Specify all default properties in RedundantModifier tests
  • 07fb841 Issue #16807: Specify all default properties in AnnotationUtil tests
  • f5ef1d8 Issue #16807: Specify all default properties in JavadocStyle tests
  • 9fadf1e Issue #20473: Remove CirrusCI since it has shut down
  • d13b845 Issue #19764: Move violation comments out of Javadoc for JavadocMissingWhites...
  • e9a8cd5 Issue #20452: Added checks for constants
  • e111596 Issue #11163: Split InputJavadocTagContinuationIndentation.java to resolve Fi...
  • Additional commits viewable in compare view

Updates org.junit.jupiter:junit-jupiter-api from 6.1.0 to 6.1.1

Release notes

Sourced from org.junit.jupiter:junit-jupiter-api's releases.

JUnit 6.1.1 = Platform 6.1.1 + Jupiter 6.1.1 + Vintage 6.1.1

See Release Notes.

Full Changelog: junit-team/junit-framework@r6.1.0...r6.1.1

Commits
  • 0d85889 Release 6.1.1
  • 0363eee Finalize 6.1.1 release notes
  • a6d540a Move entry to 6.1.1 release notes
  • 69339d5 Only pass timeout when publishing to avoid failure in nmcp plugin
  • dec2eb9 Allow excluding engines from memory cleanup mode (#5786)
  • a5f4270 Publish sha256/sha512 checksums again but filter out signature ones (#5796)
  • 8213012 Update plugin nmcp-settings to v1.6.0 (#5787)
  • d1bf847 Generate Javadoc for aggregator modules
  • d721de5 Pass --no-fonts to javadoc convention
  • d289ec6 Restore original SetSystemProperty values in a ParameterizedTest (#5720)
  • Additional commits viewable in compare view

Updates org.junit.jupiter:junit-jupiter-engine from 6.1.0 to 6.1.1

Release notes

Sourced from org.junit.jupiter:junit-jupiter-engine's releases.

JUnit 6.1.1 = Platform 6.1.1 + Jupiter 6.1.1 + Vintage 6.1.1

See Release Notes.

Full Changelog: junit-team/junit-framework@r6.1.0...r6.1.1

Commits
  • 0d85889 Release 6.1.1
  • 0363eee Finalize 6.1.1 release notes
  • a6d540a Move entry to 6.1.1 release notes
  • 69339d5 Only pass timeout when publishing to avoid failure in nmcp plugin
  • dec2eb9 Allow excluding engines from memory cleanup mode (#5786)
  • a5f4270 Publish sha256/sha512 checksums again but filter out signature ones (#5796)
  • 8213012 Update plugin nmcp-settings to v1.6.0 (#5787)
  • d1bf847 Generate Javadoc for aggregator modules
  • d721de5 Pass --no-fonts to javadoc convention
  • d289ec6 Restore original SetSystemProperty values in a ParameterizedTest (#5720)
  • Additional commits viewable in compare view

Updates org.junit.jupiter:junit-jupiter-params from 6.1.0 to 6.1.1

Release notes

Sourced from org.junit.jupiter:junit-jupiter-params's releases.

JUnit 6.1.1 = Platform 6.1.1 + Jupiter 6.1.1 + Vintage 6.1.1

See Release Notes.

Full Changelog: junit-team/junit-framework@r6.1.0...r6.1.1

Commits
  • 0d85889 Release 6.1.1
  • 0363eee Finalize 6.1.1 release notes
  • a6d540a Move entry to 6.1.1 release notes
  • 69339d5 Only pass timeout when publishing to avoid failure in nmcp plugin
  • dec2eb9 Allow excluding engines from memory cleanup mode (#5786)
  • a5f4270 Publish sha256/sha512 checksums again but filter out signature ones (#5796)
  • 8213012 Update plugin nmcp-settings to v1.6.0 (#5787)
  • d1bf847 Generate Javadoc for aggregator modules
  • d721de5 Pass --no-fonts to javadoc convention
  • d289ec6 Restore original SetSystemProperty values in a ParameterizedTest (#5720)
  • Additional commits viewable in compare view

Updates org.openrewrite.recipe:rewrite-recipe-bom from 3.33.0 to 3.34.0

Release notes

Sourced from org.openrewrite.recipe:rewrite-recipe-bom's releases.

3.34.0

What's Changed

  • Incorporates the latest versions of OpenRewrite (v8.86.0), the rewrite-gradle-plugin (v7.36.0), and the rewrite-maven-plugin (v6.43.0) to improve code parsing accuracy and recipe execution reliability.

Full Changelog: openrewrite/rewrite-recipe-bom@v3.33.0...v3.34.0

Commits
  • 3a91108 Remove rewrite-csharp, rewrite-docker, rewrite-javascript, and rewrite-python...
  • See full diff in compare view

Updates org.apache.logging.log4j:log4j-api from 2.26.0 to 2.26.1

Updates org.junit.jupiter:junit-jupiter-engine from 6.1.0 to 6.1.1

Release notes

Sourced from org.junit.jupiter:junit-jupiter-engine's releases.

JUnit 6.1.1 = Platform 6.1.1 + Jupiter 6.1.1 + Vintage 6.1.1

See Release Notes.

Full Changelog: junit-team/junit-framework@r6.1.0...r6.1.1

Commits
  • 0d85889 Release 6.1.1
  • 0363eee Finalize 6.1.1 release notes
  • a6d540a Move entry to 6.1.1 release notes
  • 69339d5 Only pass timeout when publishing to avoid failure in nmcp plugin
  • dec2eb9 Allow excluding engines from memory cleanup mode (#5786)
  • a5f4270 Publish sha256/sha512 checksums again but filter out signature ones (#5796)
  • 8213012 Update plugin nmcp-settings to v1.6.0 (#5787)
  • d1bf847 Generate Javadoc for aggregator modules
  • d721de5 Pass --no-fonts to javadoc convention
  • d289ec6 Restore original SetSystemProperty values in a ParameterizedTest (#5720)
  • Additional commits viewable in compare view

Updates org.junit.jupiter:junit-jupiter-params from 6.1.0 to 6.1.1

Release notes

Sourced from org.junit.jupiter:junit-jupiter-params's releases.

JUnit 6.1.1 = Platform 6.1.1 + Jupiter 6.1.1 + Vintage 6.1.1

See Release Notes.

Full Changelog: junit-team/junit-framework@r6.1.0...r6.1.1

Commits
  • 0d85889 Release 6.1.1
  • 0363eee Finalize 6.1.1 release notes
  • a6d540a Move entry to 6.1.1 release notes
  • 69339d5 Only pass timeout when publishing to avoid failure in nmcp plugin
  • dec2eb9 Allow excluding engines from memory cleanup mode (#5786)
  • a5f4270 Publish sha256/sha512 checksums again but filter out signature ones (#5796)
  • 8213012 Update plugin nmcp-settings to v1.6.0 (#5787)
  • d1bf847 Generate Javadoc for aggregator modules
  • d721de5 Pass --no-fonts to javadoc convention
  • d289ec6 Restore original SetSystemProperty values in a ParameterizedTest (#5720)
  • Additional commits viewable in compare view

Updates ch.qos.logback:logback-classic from 1.5.32 to 1.5.37

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.37

2026-06-26 Release of logback version 1.5.37

  1. • Given the numerous vulnerabilities related to conditional configuration processing based on the evaluation of Java expressions using the Janino library, support for such expressions has been removed. Users are offered the an online migration service or the <condition> element introduced in version 1.5.20. See the relevant documentation for more details.

• A bitwise identical binary of this version can be reproduced by building from source code at commit c1df7f522e648eec7b4ef6a12c8758fec0f00048 associated with the tag v_1.5.37. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.36

2026-06-25 Release of logback version 1.5.36

• The 'condition' attribute in <if> elements now reject certain references that are associated with ACE attacks. This issue was reported by "yulate" (yulate531@gmail.com.com) and registered as CVE-2026-13006. Please note that version 1.5.37 provides the full fix to this vulnerability.

• A bitwise identical binary of this version can be reproduced by building from source code at commit 9b94c37562bf25a6a944146701d42ee6c4eee888 associated with the tag v_1.5.36. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.35

026-06-23 Release of logback version 1.5.35

• The 'condition' attribute in <if> elements now rejects unicode escape sequences (\u and \U). This closes a bypass of the existing prohibition on the new operator in Janino-evaluated conditions. This issue was reported by IcySun (icysun@qq.com) and registered as CVE-2026-13006. Please note that version 1.5.37 provides the full fix to this vulnerability.

• Added ConfiguratorRank.AUTHENTICATING (rank 100), the highest configurator rank, for certified/authenticating configurators discovered via the ServiceLoader mechanism. ContextInitializer now requires that at most one such configurator exist on the classpath; if more than one is found, initialization aborts with an error.

ConsoleCharsetPropertyDefiner is no longer shipped. The Java 21 multi-release compilation of logback-core has been disabled, which removes this class from the published artifact. Configurations that referenced ch.qos.logback.core.property.ConsoleCharsetPropertyDefiner will need an alternative approach for console charset detection.

• The logback-examples module is now included in artifacts published to Maven Central.

JoranConfigurator.makeAnotherInstance() and DefaultJoranConfigurator.performMultiStepConfigurationFileSearch() are now protected, allowing derived configurators to override these methods.

• A bitwise identical binary of this version can be reproduced by building from source code at commit 08bd1598d565d83444f72983935e7da4746783b7 associated with the tag v_1.5.35. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.34

2026-06-01 Release of logback version 1.5.34

• In case certain StackTraceElement values returned by the Throwable.getStackTrace method are null, StackTraceElementProxy substitutes a dummy instance instead of throwing an IllegalArgumentException. This resolves [issues #1040](qos-ch/logback#1040), reported by Naotsugu Kobayashi.

• HardenedObjectInputStream will now throw an InvalidClassException during deserialization attempts of Proxy classes. This change addresses potential deserialization whitelist bypass vulnerability reported by York Shen and registered as CVE-2026-10532.

• A bitwise identical binary of this version can be reproduced by building from source code at commit e62272ac152469aec1ede056c3c7d0d7314e7bfe associated with the tag v_1.5.34. This release was built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.33

2026-05-27 Release of logback version 1.5.33

PropertiesConfiguratorModelHandler now registers properties file URLs to the ConfigurationWatchList when scan is enabled (via local scan="true" attribute or top-level configuration scan), ensuring changes are detected and reconfiguration occurs. This problem was reported in issues/1034.

• When processing <conversionRule> elements and both class and converterClass attributes are specified, silently use the class attribute without issuing a warning. However, if the attribute values differ, a warning will be issued. This change was requested in issues/1031.

HardenedModelInputStream will no longer accept to deserialize all classes located under the "java.lang" and "java.util" packages but a limited number of explicitly authorized classes in those packages. This potential deserialization whitelist bypass vulnerability was reported by York Shen and registered as CVE-2026-9828.

• SSL parameters for SSLSocketAppender now enable hostname verification by default. Moreover, the default protocol is now "TLSv1.2". This potential vulnerability was reported by York Shen.

• When printing the status message field, ViewStatusMessagesServletBase now escapes special characters such as "&" as character entities. This potential vulnerability was reported by York Shen.

... (truncated)

Commits

Updates io.axoniq.platform:axoniq-platform-framework-client from 5.1.0 to 5.1.1

Release notes

Sourced from io.axoniq.platform:axoniq-platform-framework-client's releases.

v5.1.1

Version 5.1.1 of the Axoniq Platform Framework client brings a lot of great new stuff for Axon Framework 5!

  1. Detailed metrics on your (Event-Sourced) entities in Platform, such as load times, even stream size, and more
  2. You can see and replay your entity state over time with the Entity Inspector
  3. You can monitor, access, and manage your AF5.1 DLQs
  4. Reports are now sent using GZIP compression, saving on data transfer costs

Merged pull requests

…h 18 updates

Bumps the maven-dependencies group with 17 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [org.hibernate.orm:hibernate-core](https://github.com/hibernate/hibernate-orm) | `7.4.3.Final` | `7.4.4.Final` |
| [org.postgresql:postgresql](https://github.com/pgjdbc/pgjdbc) | `42.7.11` | `42.7.12` |
| [net.bytebuddy:byte-buddy](https://github.com/raphw/byte-buddy) | `1.18.10` | `1.18.11` |
| [net.bytebuddy:byte-buddy-agent](https://github.com/raphw/byte-buddy) | `1.18.10` | `1.18.11` |
| [org.junit:junit-bom](https://github.com/junit-team/junit-framework) | `6.1.0` | `6.1.1` |
| org.apache.logging.log4j:log4j-slf4j2-impl | `2.26.0` | `2.26.1` |
| org.apache.logging.log4j:log4j-core | `2.26.0` | `2.26.1` |
| org.apache.logging.log4j:log4j-core-test | `2.26.0` | `2.26.1` |
| [com.puppycrawl.tools:checkstyle](https://github.com/checkstyle/checkstyle) | `13.6.0` | `13.7.0` |
| [org.junit.jupiter:junit-jupiter-api](https://github.com/junit-team/junit-framework) | `6.1.0` | `6.1.1` |
| [org.junit.jupiter:junit-jupiter-engine](https://github.com/junit-team/junit-framework) | `6.1.0` | `6.1.1` |
| [org.junit.jupiter:junit-jupiter-params](https://github.com/junit-team/junit-framework) | `6.1.0` | `6.1.1` |
| [org.openrewrite.recipe:rewrite-recipe-bom](https://github.com/openrewrite/rewrite-recipe-bom) | `3.33.0` | `3.34.0` |
| [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) | `1.5.32` | `1.5.37` |
| [io.axoniq.platform:axoniq-platform-framework-client](https://github.com/AxonIQ/platform-framework-client) | `5.1.0` | `5.1.1` |
| [org.jline:jline](https://github.com/jline/jline3) | `3.27.0` | `4.3.1` |
| [org.codehaus.mojo:exec-maven-plugin](https://github.com/mojohaus/exec-maven-plugin) | `3.5.0` | `3.6.3` |



Updates `org.hibernate.orm:hibernate-core` from 7.4.3.Final to 7.4.4.Final
- [Release notes](https://github.com/hibernate/hibernate-orm/releases)
- [Changelog](https://github.com/hibernate/hibernate-orm/blob/7.4.4/changelog.txt)
- [Commits](hibernate/hibernate-orm@7.4.3...7.4.4)

Updates `org.postgresql:postgresql` from 42.7.11 to 42.7.12
- [Release notes](https://github.com/pgjdbc/pgjdbc/releases)
- [Changelog](https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md)
- [Commits](pgjdbc/pgjdbc@REL42.7.11...REL42.7.12)

Updates `net.bytebuddy:byte-buddy` from 1.18.10 to 1.18.11
- [Release notes](https://github.com/raphw/byte-buddy/releases)
- [Changelog](https://github.com/raphw/byte-buddy/blob/master/release-notes.md)
- [Commits](raphw/byte-buddy@byte-buddy-1.18.10...byte-buddy-1.18.11)

Updates `net.bytebuddy:byte-buddy-agent` from 1.18.10 to 1.18.11
- [Release notes](https://github.com/raphw/byte-buddy/releases)
- [Changelog](https://github.com/raphw/byte-buddy/blob/master/release-notes.md)
- [Commits](raphw/byte-buddy@byte-buddy-1.18.10...byte-buddy-1.18.11)

Updates `net.bytebuddy:byte-buddy-agent` from 1.18.10 to 1.18.11
- [Release notes](https://github.com/raphw/byte-buddy/releases)
- [Changelog](https://github.com/raphw/byte-buddy/blob/master/release-notes.md)
- [Commits](raphw/byte-buddy@byte-buddy-1.18.10...byte-buddy-1.18.11)

Updates `org.junit:junit-bom` from 6.1.0 to 6.1.1
- [Release notes](https://github.com/junit-team/junit-framework/releases)
- [Commits](junit-team/junit-framework@r6.1.0...r6.1.1)

Updates `org.apache.logging.log4j:log4j-slf4j2-impl` from 2.26.0 to 2.26.1

Updates `org.apache.logging.log4j:log4j-core` from 2.26.0 to 2.26.1

Updates `org.apache.logging.log4j:log4j-core-test` from 2.26.0 to 2.26.1

Updates `org.apache.logging.log4j:log4j-core` from 2.26.0 to 2.26.1

Updates `com.puppycrawl.tools:checkstyle` from 13.6.0 to 13.7.0
- [Release notes](https://github.com/checkstyle/checkstyle/releases)
- [Commits](checkstyle/checkstyle@checkstyle-13.6.0...checkstyle-13.7.0)

Updates `org.junit.jupiter:junit-jupiter-api` from 6.1.0 to 6.1.1
- [Release notes](https://github.com/junit-team/junit-framework/releases)
- [Commits](junit-team/junit-framework@r6.1.0...r6.1.1)

Updates `org.junit.jupiter:junit-jupiter-engine` from 6.1.0 to 6.1.1
- [Release notes](https://github.com/junit-team/junit-framework/releases)
- [Commits](junit-team/junit-framework@r6.1.0...r6.1.1)

Updates `org.junit.jupiter:junit-jupiter-params` from 6.1.0 to 6.1.1
- [Release notes](https://github.com/junit-team/junit-framework/releases)
- [Commits](junit-team/junit-framework@r6.1.0...r6.1.1)

Updates `org.openrewrite.recipe:rewrite-recipe-bom` from 3.33.0 to 3.34.0
- [Release notes](https://github.com/openrewrite/rewrite-recipe-bom/releases)
- [Commits](openrewrite/rewrite-recipe-bom@v3.33.0...v3.34.0)

Updates `org.apache.logging.log4j:log4j-api` from 2.26.0 to 2.26.1

Updates `org.junit.jupiter:junit-jupiter-engine` from 6.1.0 to 6.1.1
- [Release notes](https://github.com/junit-team/junit-framework/releases)
- [Commits](junit-team/junit-framework@r6.1.0...r6.1.1)

Updates `org.junit.jupiter:junit-jupiter-params` from 6.1.0 to 6.1.1
- [Release notes](https://github.com/junit-team/junit-framework/releases)
- [Commits](junit-team/junit-framework@r6.1.0...r6.1.1)

Updates `ch.qos.logback:logback-classic` from 1.5.32 to 1.5.37
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.32...v_1.5.37)

Updates `io.axoniq.platform:axoniq-platform-framework-client` from 5.1.0 to 5.1.1
- [Release notes](https://github.com/AxonIQ/platform-framework-client/releases)
- [Commits](AxonIQ/platform-framework-client@v5.1.0...v5.1.1)

Updates `org.jline:jline` from 3.27.0 to 4.3.1
- [Release notes](https://github.com/jline/jline3/releases)
- [Commits](jline/jline3@jline-3.27.0...4.3.1)

Updates `org.codehaus.mojo:exec-maven-plugin` from 3.5.0 to 3.6.3
- [Release notes](https://github.com/mojohaus/exec-maven-plugin/releases)
- [Commits](mojohaus/exec-maven-plugin@3.5.0...3.6.3)

---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
  dependency-version: 7.4.4.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-dependencies
- dependency-name: org.postgresql:postgresql
  dependency-version: 42.7.12
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: maven-dependencies
- dependency-name: net.bytebuddy:byte-buddy
  dependency-version: 1.18.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-dependencies
- dependency-name: net.bytebuddy:byte-buddy-agent
  dependency-version: 1.18.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-dependencies
- dependency-name: net.bytebuddy:byte-buddy-agent
  dependency-version: 1.18.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-dependencies
- dependency-name: org.junit:junit-bom
  dependency-version: 6.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-dependencies
- dependency-name: org.apache.logging.log4j:log4j-slf4j2-impl
  dependency-version: 2.26.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: maven-dependencies
- dependency-name: org.apache.logging.log4j:log4j-core
  dependency-version: 2.26.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: maven-dependencies
- dependency-name: org.apache.logging.log4j:log4j-core-test
  dependency-version: 2.26.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: maven-dependencies
- dependency-name: org.apache.logging.log4j:log4j-core
  dependency-version: 2.26.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: maven-dependencies
- dependency-name: com.puppycrawl.tools:checkstyle
  dependency-version: 13.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: maven-dependencies
- dependency-name: org.junit.jupiter:junit-jupiter-api
  dependency-version: 6.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-dependencies
- dependency-name: org.junit.jupiter:junit-jupiter-engine
  dependency-version: 6.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-dependencies
- dependency-name: org.junit.jupiter:junit-jupiter-params
  dependency-version: 6.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-dependencies
- dependency-name: org.openrewrite.recipe:rewrite-recipe-bom
  dependency-version: 3.34.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: maven-dependencies
- dependency-name: org.apache.logging.log4j:log4j-api
  dependency-version: 2.26.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-dependencies
- dependency-name: org.junit.jupiter:junit-jupiter-engine
  dependency-version: 6.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-dependencies
- dependency-name: org.junit.jupiter:junit-jupiter-params
  dependency-version: 6.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-dependencies
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.37
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-dependencies
- dependency-name: io.axoniq.platform:axoniq-platform-framework-client
  dependency-version: 5.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-dependencies
- dependency-name: org.jline:jline
  dependency-version: 4.3.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: maven-dependencies
- dependency-name: org.codehaus.mojo:exec-maven-plugin
  dependency-version: 3.6.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: maven-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added this to the Release 5.2.0 milestone Jul 5, 2026
@dependabot dependabot Bot added the Priority 1: Must Highest priority. A release cannot be made if this issue isn’t resolved. label Jul 5, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 5, 2026 03:07
@dependabot dependabot Bot added the Type: Dependency Upgrade Use to signal an issue that adjusts the project’s dependencies. Typically used by dependabot only. label Jul 5, 2026
@dependabot dependabot Bot requested review from hatzlj, hjohn and zambrovski and removed request for a team July 5, 2026 03:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Priority 1: Must Highest priority. A release cannot be made if this issue isn’t resolved. Type: Dependency Upgrade Use to signal an issue that adjusts the project’s dependencies. Typically used by dependabot only.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants