Bump the dependencies group across 1 directory with 6 updates

[dependabot]

Bumps the dependencies group with 6 updates in the / directory:

Package	From	To
org.springframework.boot:spring-boot-starter-parent	3.5.5	4.0.2
io.avaje:avaje-inject	12.0-RC4	12.4-javax
io.avaje:avaje-inject-generator	12.0-RC4	12.4-javax
io.avaje:avaje-config	4.1	5.1
com.auth0:java-jwt	4.5.0	4.5.1
com.spotify.fmt:fmt-maven-plugin	2.28	2.29

Updates org.springframework.boot:spring-boot-starter-parent from 3.5.5 to 4.0.2

Release notes

Sourced from org.springframework.boot:spring-boot-starter-parent's releases.

v4.0.2

⚠️ Noteworthy Changes

• The dependency on org.eclipse.jetty.ee11:jetty-ee11-servlets has been removed from spring-boot-jetty as it was unnecessary and unused. If your application code depends on a class from jetty-ee11-servlets, declare a dependency on it in your build configuration. #48677

🐞 Bug Fixes

• No TransactionAutoConfiguration with spring-boot-starter-kafka for Spring Boot 4 #48880
• Evaluation of bean conditions unnecessarily queries the bean factory for types that are not present #48840
• When a bean condition references a type that is not present, it appears as ? in the condition evaluation report #48838
• SessionAutoConfiguration creates a DefaultCookieSerializer with a default SameSite of null instead of Lax #48830
• Setting graphql schema location to "classpath*:graphql/**/" causes failure due to incorrectly packaged test resource #48829
• Message interpolation by MVC and WebFlux's Validators does not work correctly in a native image #48828
• CloudFoundry integration fails in Servlet-based web app without a dependency on spring-boot-starter-restclient #48826
• RestTestClientAutoConfiguration and TestRestTemplateAutoConfiguration should be package-private #48820
• SSL metrics are no longer auto-configured #48819
• Actuator /info endpoint fails in Java 25 Native Image (VirtualThreadSchedulerMXBean support) #48812
• DataSourceBuilder cannot create oracle.ucp.jdbc.PoolDataSourceImpl in a native image #48703
• The spring-boot-cloudfoundry module should only have an optional dependency on spring-boot-security #48685
• Application JAR created by extract command is not reproductible #48678
• AOT processing of tests should not be disabled when 'skipTests' is set #48662
• @SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT) is no longer applied to the management server #48653
• Fix zero-length byte buffer in InspectedContent #48650
• Can no longer override JacksonJsonHttpMessageConverter with ServerHttpMessageConvertersCustomizer #48635
• HttpServiceClientProperties incorrectly uses the @ConfigurationProperties annotation on a LinkedHashMap class #48616
• spring-boot-micrometer-tracing-opentelemetry fails if spring-boot-opentelemetry isn't there #48585
• App fails to start with starter-webmvc and starter-zipkin #48581
• Micrometer test modules should have an api dependency on micrometer-observation-test #48386

📔 Documentation

• Fix typo in REST client documentation #48907
• Remove duplicate word #48874
• Document support for configuring arguments passed to Docker Compose #48806
• The documentation related to EnvironmentPostProcessor links to deprecated interface #48803
• Update documentation for Buildpack's AOT Cache support #48769
• Correct docs to use new location for error handling configuration properties #48767
• Document spring-boot-starter-cloudfoundry on Cloud Foundry Support Page #48675
• Clarify javadoc to make it clear that HazelcastConfigCustomizer beans are only applied if Hazelcast is configured via a config file #48659
• Example using excludeDevtools property should document that optional dependencies should be enabled #48641
• Fix grammar and typos in the reference guide #48601
• Update Tracing section for Spring Boot 4's modularity #48576

🔨 Dependency Upgrades

• Upgrade to Classmate 1.7.3 #48783
• Upgrade to Elasticsearch Client 9.2.3 #48721
• Upgrade to Hibernate 7.2.1.Final #48857
• Upgrade to HttpClient5 5.5.2 #48784
• Upgrade to Jackson 2 Bom 2.20.2 #48910

... (truncated)

Commits

• fae3545 Release v4.0.2
• 9fde744 Merge branch '3.5.x' into 4.0.x
• 650236d Remove breaking and unnecessary Undertow TLS with RSA test
• 547bc77 Upgrade to Spring Batch 6.0.2
• 4387cbb Upgrade to Jackson Bom 3.0.4
• abec26e Polish
• f677fba Upgrade to Spring Integration 7.0.2
• 849c2ee Upgrade to Spring GraphQL 2.0.2
• facd456 Upgrade to Nullability Plugin 0.0.10
• e99c08f Merge branch '3.5.x' into 4.0.x
• Additional commits viewable in compare view

Updates io.avaje:avaje-inject from 12.0-RC4 to 12.4-javax

Release notes

Sourced from io.avaje:avaje-inject's releases.

12.4

What's Changed

• Fix processor only running once on Eclipse Linux by @​SentryMan in avaje/avaje-inject#974
• Fix imported beans with capital package by @​SentryMan in avaje/avaje-inject#975

Full Changelog: avaje/avaje-inject@12.3...12.4

12.3

What's Changed

• Custom module bug by @​SentryMan in avaje/avaje-inject#960
• Use @Prototype for prototype proxy classes by @​SentryMan in avaje/avaje-inject#964
• Support Lazy Observe by @​SentryMan in avaje/avaje-inject#965
• Refactor internal code generation indentation by @​rbygrave in avaje/avaje-inject#967
• Use pkg of the annotated element for import by @​SentryMan in avaje/avaje-inject#970
• Prototype PreDestroy by @​SentryMan in avaje/avaje-inject#968
• Use Java Conversion Scripts by @​SentryMan in avaje/avaje-inject#972

Full Changelog: avaje/avaje-inject@12.2...12.3

12.2

What's Changed

• Make isBeanAbsent not count secondary beans by @​SentryMan in avaje/avaje-inject#953
• Add avaje-inject-bom bill of materials by @​rbygrave in avaje/avaje-inject#955
• Fix Generic Wildcard Field Injection by @​SentryMan in avaje/avaje-inject#956
• [workflow]: Bump actions/cache from 4 to 5 by @​dependabot[bot] in avaje/avaje-inject#958
• Bump the dependencies group with 7 updates by @​dependabot[bot] in avaje/avaje-inject#957

Full Changelog: avaje/avaje-inject@12.1...12.2

12.1

What's Changed

• fix valhalla workflow by @​SentryMan in avaje/avaje-inject#907
• Fix Valhalla worklow again by @​SentryMan in avaje/avaje-inject#910
• Fixes providesBeans not generating by @​SentryMan in avaje/avaje-inject#911
• [events] support custom executor for async, add ObserverManager.Builder by @​rbygrave in avaje/avaje-inject#915
• error when io.avaje.inject.spi.AvajeModule class not found by @​andponlin in avaje/avaje-inject#916
• Reformat Javadoc in .inject.spi.AvajeModule by @​mechite in avaje/avaje-inject#919
• Reformat Javadoc in .inject.spi.ConfigPropertyPlugin by @​mechite in avaje/avaje-inject#918
• Bump bytebuddy dependencies for Java 25 support by @​rob-bygrave in avaje/avaje-inject#923
• Add proc full error message by @​SentryMan in avaje/avaje-inject#926
• Throw compile error for nested factory by @​SentryMan in avaje/avaje-inject#927
• Fix cases where a package private nested public class causes a compile error by @​SentryMan in avaje/avaje-inject#925
• Only auto merge external services if on the module-path by @​SentryMan in avaje/avaje-inject#928
• Generate components before the last round by @​SentryMan in avaje/avaje-inject#938
• Fix Lazy Priority Generation by @​SentryMan in avaje/avaje-inject#937
• Replace Class.forName with Module Check and Direct Load by @​SentryMan in avaje/avaje-inject#932
• Support default package by @​SentryMan in avaje/avaje-inject#942
• Support Builder using name qualifier with List and Set by @​rbygrave in avaje/avaje-inject#944

... (truncated)

Commits

• See full diff in compare view

Updates io.avaje:avaje-inject-generator from 12.0-RC4 to 12.4-javax

Updates io.avaje:avaje-config from 4.1 to 5.1

Release notes

Sourced from io.avaje:avaje-config's releases.

5.1

What's Changed

• fix milestone action by @​SentryMan in avaje/avaje-config#246
• Support ~/ prefix as user home when loading configuration files by @​rbygrave in avaje/avaje-config#250
• Remove PROP_FILE environment var read that was never used by @​rbygrave in avaje/avaje-config#251
• Add "config.file" system property and "CONFIG_FILE" env property by @​rbygrave in avaje/avaje-config#252

dependencies

• Bump ch.qos.logback:logback-classic from 1.5.22 to 1.5.23 in the dependencies group by @​dependabot[bot] in avaje/avaje-config#247
• Bump the dependencies group with 3 updates by @​dependabot[bot] in avaje/avaje-config#248
• Bump the dependencies group with 2 updates by @​dependabot[bot] in avaje/avaje-config#249
• Bump ch.qos.logback:logback-classic from 1.5.25 to 1.5.26 in the dependencies group by @​dependabot[bot] in avaje/avaje-config#253

Full Changelog: avaje/avaje-config@5.0...5.1

5.0

What's Changed

• Behaviour change - match Spring for overriding and fallback values by @​rob-bygrave in avaje/avaje-config#239
• #240 Fix: NoClassDefFoundError: org/yaml/snakeyaml/Yaml in version 4.… by @​rbygrave in avaje/avaje-config#241
• Add workflow to close milestone on release publish by @​SentryMan in avaje/avaje-config#243
• Bump the dependencies group with 2 updates by @​dependabot[bot] in avaje/avaje-config#244
• [workflow]: Bump actions/cache from 4 to 5 by @​dependabot[bot] in avaje/avaje-config#245

Full Changelog: avaje/avaje-config@4.3...5.0

4.4

What's Changed

• [4.x] backport bugfix for Parsers #240 SnakeYaml NoClassDefFoundError by @​rbygrave in avaje/avaje-config#242

Full Changelog: avaje/avaje-config@4.3...4.4

4.3

What's Changed

• 4.2 by @​SentryMan in avaje/avaje-config#226
• Bump ch.qos.logback:logback-classic from 1.5.20 to 1.5.21 in the dependencies group by @​dependabot[bot] in avaje/avaje-config#230
• [AWS AppConfig] Fix #228 - Expect ConnectException on shutdown by @​rbygrave in avaje/avaje-config#229
• [workflow]: Bump actions/checkout from 5 to 6 by @​dependabot[bot] in avaje/avaje-config#232
• Bump io.avaje:junit from 1.6 to 1.7 in the dependencies group by @​dependabot[bot] in avaje/avaje-config#233
• Fix Colon Yml List parsing by @​SentryMan in avaje/avaje-config#234
• fix null precondition checks by @​andponlin in avaje/avaje-config#235
• Add missing @​Nullable annotations on internal methods by @​rob-bygrave in avaje/avaje-config#237
• Replace Class.forName with Module Check and Direct Load by @​SentryMan in avaje/avaje-config#231
• Remove hyphens when reading env variables by @​SentryMan in avaje/avaje-config#238

New Contributors

• @​andponlin made their first contribution in avaje/avaje-config#235

Full Changelog: avaje/avaje-config@4.2...4.3

... (truncated)

Commits

• c90d373 Version 5.1
• 43e9e91 Merge pull request #253 from avaje/dependabot/maven/master/dependencies-d9e29...
• b4e6d90 Bump ch.qos.logback:logback-classic in the dependencies group
• be802ca Add "config.file" system property and "CONFIG_FILE" env property (#252)
• 0368152 Remove PROP_FILE environment var read that was never used (#251)
• 99d65d0 Support ~/ prefix as user home when loading configuration files (#250)
• 0f215b8 Merge pull request #249 from avaje/dependabot/maven/master/dependencies-d054d...
• c612a84 Bump the dependencies group with 2 updates
• 1a0e8fb Merge pull request #248 from avaje/dependabot/maven/master/dependencies-fc1d3...
• 887f853 Bump the dependencies group with 3 updates
• Additional commits viewable in compare view

Updates com.auth0:java-jwt from 4.5.0 to 4.5.1

Release notes

Sourced from com.auth0:java-jwt's releases.

4.5.1

Added

• Update jackson dependency #732 (tanya732)

Changelog

Sourced from com.auth0:java-jwt's changelog.

4.5.1 (2026-02-10)

Full Changelog

Added

• Update jackson dependency #732 (tanya732)

Commits

• e818480 Release 4.5.1 (#736)
• a48fcb5 Merge branch 'master' into release/4.5.1
• 718be3a Added Nexus Publishing Plugin (#737)
• 0caa2b9 Added hash version for gradle validation
• 1570283 Added nexus block
• 3feb886 Moved dependabot file
• 924f120 Added Nexus Publishing Plugin
• c03f682 Release 4.5.1
• 2f10748 Update jackson dependency (#732)
• eb618db Merge branch 'master' into gh-issue-update-jackson
• Additional commits viewable in compare view

Updates io.avaje:avaje-inject-generator from 12.0-RC4 to 12.4-javax

Updates com.spotify.fmt:fmt-maven-plugin from 2.28 to 2.29

Release notes

Sourced from com.spotify.fmt:fmt-maven-plugin's releases.

2.14.0 (first with com.spotify.fmt groupId)

#124 Change groupId and package to com.spotify.fmt

Commits

• 8fb8646 [maven-release-plugin] prepare release 2.29.0
• f52caf7 Add more options
• 4f745a6 Updated documentation
• a75ee04 Support more options from google formatter
• e213b84 [maven-release-plugin] prepare for next development iteration
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions