Update Maven dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
org.apache.maven.plugins:maven-resources-plugin (source)	3.4.0 → 3.5.0
com.google.code.gson:gson	2.13.1 → 2.14.0
commons-io:commons-io (source)	2.19.0 → 2.22.0
org.springframework:spring-expression	6.2.11 → 6.2.18
org.junit:junit-bom (source)	5.11.2 → 5.14.4
com.google.guava:guava	33.4.8-jre → 33.6.0-jre
org.apache.maven.plugins:maven-shade-plugin (source)	3.5.1 → 3.6.2
org.slf4j:slf4j-api (source, changelog)	1.7.30 → 1.7.36
org.slf4j:slf4j-simple (source, changelog)	1.7.30 → 1.7.36
org.mockito:mockito-core	5.18.0 → 5.23.0
org.mockito:mockito-junit-jupiter	5.18.0 → 5.23.0
org.jacoco:org.jacoco.agent (source)	0.8.13 → 0.8.14
org.apache.struts:struts-core (source)	1.3.9 → 1.3.10
commons-collections:commons-collections	3.2.1 → 3.2.2
com.googlecode.maven-download-plugin:download-maven-plugin	1.6.3 → 1.13.0
org.codehaus.mojo:build-helper-maven-plugin (source)	3.5.0 → 3.6.1
org.codehaus.mojo:exec-maven-plugin (source)	3.2.0 → 3.6.3
org.apache.tomcat.embed:tomcat-embed-jasper	9.0.112 → 9.0.117
org.apache.maven.plugins:maven-compiler-plugin (source)	3.13.0 → 3.15.0

---

Release Notes

spring-projects/spring-framework (org.springframework:spring-expression)

v6.2.18

Compare Source

⭐ New Features

• Improve SpringValidatorAdapter and MethodValidationAdapter performance #​36624
• Add missing @Deprecated(forRemoval = true) for deleted in 7.0 #​36591
• Deprecate methodIdentification() in CacheAspectSupport for removal #​36576
• Improve error handling in multipart codecs #​36564
• LazyConnectionDataSourceProxy does not work well with Hibernate's multi-tenancy by schema strategy #​36529
• MySQL Error 149 (Galera/WSREP conflict) not translated to ConcurrencyFailureException in Spring JDBC/ORM #​36510

🐞 Bug Fixes

• Handle Kotlin nullable value class param correctly in CoroutineUtils #​36643
• NullPointerException in ServerSentEvent when trying to set id or event properties #​36634
• @Sql fails if DataSource is wrapped in a TransactionAwareDataSourceProxy #​36630
• WebDataBinder unnecessarily instantiates collections when using the "!" and "_" prefixes #​36627
• Cache pollution from high-cardinality FieldError default messages in MessageSourceSupport #​36623
• ContentCachingRequestWrapper does not allow unlimited content caching #​36620
• MergedAnnotation does not use ClassLoader for method or field #​36614
• AnnotationBeanNameGenerator fails when an annotation references a non-existent class #​36588
• FileSystemResource does not strictly follow the Resource#isReadable() contract #​36585
• Query not hidden in DefaultClientResponse checkpoint #​36571
• LazyConnectionDataSourceProxy does not pass on holdability to target Connection #​36530
• DefaultJmsListenerContainer may hang in an endless loop in doShutdown #​36511
• Inconsistent codings resolution in resource resolvers #​36508

📔 Documentation

• Clarify semantics of HttpMethod.valueOf() #​36653
• Document that spring.profiles.active is ignored by @ActiveProfiles #​36636
• Document whitespace semantics in SpEL expressions #​36629
• MergedAnnotation.asAnnotationAttributes() Javadoc incorrectly states that it creates an immutable map #​36568
• Introduce Kotlin examples for Bean Overrides (@MockitoBean, etc.) #​36542
• Fix incorrect cross-reference links in AbstractEnvironment Javadoc #​36517

🔨 Dependency Upgrades

• Upgrade to Micrometer 1.15.11 #​36661
• Upgrade to Reactor 2024.0.17 #​36660

v6.2.17

Compare Source

⭐ New Features

• Leverage ResourceHandlerUtils in ScriptTemplateView #​36459
• Restore ScriptTemplateViewTests #​36457
• Fix log message in ConfigurationClassBeanDefinitionReader #​36454
• Resolve context initializers only once in AbstractTestContextBootstrapper #​36431
• Exclude legacy @javax.validation.Constraint from convention-based annotation attribute override check #​36412
• Optimize MediaType(MediaType, Charset) constructor #​36351
• Optimize the addition of a charset to the MediaType in AbstractHttpMessageConverter #​36350
• Consistent adaptation of HTTP headers on Servlet responses #​36345
• Improve performance of validation groups determination in WebFlux #​36337
• Detect all common size exceptions from Tomcat and Commons FileUpload 2.x #​36324

🐞 Bug Fixes

• Guard against invalid id/event values in Server Sent Events #​36442
• Incomplete debug message in ConfigurationClassBeanDefinitionReader #​36411
• Inconsistent ApplicationEventMulticaster state after removing ApplicationListener implemented by FactoryBean #​36405
• Graceful shutdown of SimpleAsyncTaskExecutor #​36384
• HttpMediaTypeException thrown when calculating compatible media types #​36363
• ResolvableType#getGenerics() breaks serialization #​36347
• Multipart upload leak on client abort (ByteBuf.release() not called) #​36327

📔 Documentation

• Document @Fallback alongside Primary in the reference manual and @Bean Javadoc #​36441
• Document registration recommendations for BeanPostProcessor and BeanFactoryPostProcessor #​36436
• Fix links to UriComponentsBuilder and polish examples #​36406
• Emphasize @Configuration classes over XML and Groovy in testing chapter #​36394
• Polish SpEL operator examples in reference docs #​36375

🔨 Dependency Upgrades

• Upgrade to JUnit 5.14.3 #​36388
• Upgrade to Micrometer 1.15.10 #​36446
• Upgrade to Reactor 2024.0.16 #​36445

v6.2.16

Compare Source

⭐ New Features

• Improve performance of hashcode calculations for request mappings #​36297
• Improve performance of HandlerMethod bean lookup #​36296
• Improve performance of validation groups determination #​36295
• Improve performance of single pattern request mappings #​36294
• Optimize NamedParameterUtils#buildValueArray by lazily fetching SqlParameter #​36232
• Consistently close streams through try-with-resources in FileCopyUtils #​36224
• SqlBinaryValue and SqlCharacterValue should support InputStream content with undetermined length #​36220
• DataBufferUtils.write() with NettyDataBuffer on JDK 25 hangs indefinitely #​36189
• WebClient (Reactor) attributes on Netty channel do not clear after connection release #​36163
• Reintroduce WebLogicJtaTransactionManager in Spring Framework 6.2.x #​36152
• DisconnectedClientHelper should detect presence of RestClientException and WebClientException separately #​36150
• Add DataAccessException and MessagingException to the excluded outermost exceptions in DisconnectedClientHelper #​36135
• Improve user check in TransportHandlingSockJsService #​36129

🐞 Bug Fixes

• Avoid lock congestion in ConcurrentReferenceHashMap #​36308
• Resolved HttpEntity Controller argument does not reflect mutated HTTP headers #​36301
• AbstractMessageConverter does not support wildcards in supported MIME types #​36286
• Make LocalEntityManagerFactoryBean#setDataSource work on Hibernate as well as EclipseLink #​36272
• Deadlock might occur when calling System.exit on startup (against multiple shutdown hooks) #​36268
• Netty4HeadersAdapter.remove returns empty list instead of null for non-existing key #​36227
• EclipseLinkConnectionHandle can fail against transaction isolation race condition #​36166
• WiretapConnector leaks data buffers when response body not consumed #​36051
• UriComponentsBuilder loses the fragment when it consists of only a single character #​36035
• SimpleBeanInfoFactory fails to reliably resolve read/write methods in type hierarchies with unresolved generics #​36026

📔 Documentation

• Fix links to JUnit User Guide #​36218
• Fix LocalContainerEntityManagerFactoryBean#setPersistenceUnitName javadoc #​36206
• Update documentation on trailing slash handling where type-level @GetMapping("/base") is combined with method level @GetMapping("/") #​36200
• Update documentation on the MediaType used for ProblemDetail #​36193
• Replace getErrors() with getBindingResult() in examples #​36172
• Upgrade Antora dependencies #​36106
• Fix typos and grammar #​36023

🔨 Dependency Upgrades

• Bump fast-xml-parser from 4.5.2 to 5.3.4 in /framework-docs #​36239
• Upgrade to ASM 9.9.1 and Objenesis 3.5 #​36244
• Upgrade to JUnit 5.14.2 #​36148
• Upgrade to Micrometer 1.15.9 #​36290
• Upgrade to Reactor 2024.0.15 #​36289

v6.2.15

Compare Source

⭐ New Features

• Avoid package cycle caused by use of UriComponentsBuilder in ServletServerHttpRequest #​35954
• DefaultHandshakeHandler should not log client faults on error level #​35948
• Use concurrent set behind reactive TransactionSynchronizationManager#registerSynchronization #​35922
• Expose Collection on FragmentsRendering to facilitate Unit Tests #​35912
• Different ReactorNettyWebSocketSession call getId() may return the same value #​35911
• Enhance handleTypeMismatch error message in ResponseEntityExceptionHandler #​35878

🐞 Bug Fixes

• NullPointerException thrown from JdkClientHttpRequestFactory for null request header value #​35998
• State inconsistency in LazyConnectionDataSourceProxy when connection settings fail #​35981
• SubscriberInputStream#resume misuses parked thread reference #​35979
• PathMatchingResourcePatternResolver fails with URI in JAR manifest Class-Path entries #​35967
• Strong locking in ConcurrentReferenceHashMap#computeIfAbsent may cause context initialisation deadlock #​35945
• BridgeMethodResolver change in 6.2.13 breaks Spring Data entity introspection #​35941
• DefaultMessageListenerContainer does not clear Session and MessageConsumer for paused invokers #​35935
• Tighten cacheable decision behind @Lazy injection point #​35918
• Use provided ReactiveAdapterRegistry in BindingContext constructor #​35914
• Accidental fallback match for Collection-type beans due to @Bean-level qualifier annotation #​35909
• SortedResourcesFactoryBean does not accept non-existent resources anymore #​35896

📔 Documentation

• Document that annotations are ignored if attributes reference types not present in the classpath #​35973
• Fix broken Javadoc links to methods #​35904
• Refer to "Spring Tools" instead of "Spring Tools for Eclipse" in reference manual #​35902
• Clarify JMS sessionTransacted flag for local versus global transaction #​35898
• Reference docs should not use obsolete "junit5" links #​35893
• Testing chapter references nonexistent Dependency Management documentation #​35891

🔨 Dependency Upgrades

• Upgrade to json-path 2.10.0 #​35937
• Upgrade to Micrometer 1.14.14 #​35986
• Upgrade to Reactor 2024.0.13 #​35987

v6.2.14

Compare Source

⭐ New Features

• Add resetCaches() method to Caffeine/ConcurrentMapCacheManager #​35841
• Fix single-check idiom in UnmodifiableMultiValueMap #​35831
• Fix Spliterator characteristics in ConcurrentReferenceHashMap #​35828

🐞 Bug Fixes

• MissingPathVariableException produces wrong status code in ProblemDetail #​35856
• Fix getCacheNames() concurrent access in NoOpCacheManager #​35844
• Annotation discovery regression for interfaces extending BeanNameAware and co. #​35838
• Fix HtmlUtils unescape for supplementary chars #​35832

📔 Documentation

• Fix cross-reference links in HtmlUnit sections #​35857
• Remove @see Javadoc references to deprecated PropertiesBeanDefinitionReader #​35854

v6.2.13

Compare Source

⭐ New Features

• Support response encoding in select and options JSP form tags #​35783
• Preserve Connection readOnly state for DataSource with defaultReadOnly configuration #​35743
• Optimize resource URL resolution in SortedResourcesFactoryBean #​35687
• Relax multiple segment matching constraints in PathPattern #​35686
• Support wildcard path elements at the start of path patterns #​35679
• Validating byte[]s may produce OutOfMemoryError #​35675
• Update in FragmentsRendering to names of static methods #​33974

🐞 Bug Fixes

• ConcurrentReferenceHashMap misses dedicated computeIfAbsent, computeIfPresent, compute, merge implementations #​35794
• Avoid unnecessary bridge method resolution around getMostSpecificMethod #​35780
• Fix multi-release JAR issue with VirtualThreadDelegate #​35773
• ContentNegotiationManager not finding media type when request includes quality parameter #​35754
• Race condition in BufferingClientHttpResponseWrapper.getBody() #​35745
• Deprecate setConnectTimeout on HttpComponentsClientHttpRequestFactory #​35748
• Fix PathMatchingResourcePatternResolver to handle absolute paths in JAR manifests #​35732
• BeanDefinitionBuilder.addAutowiredProperty causes error during AOT processing #​35731
• Improve HttpServiceMethod support for Kotlin suspending functions returning Flow #​35718
• Exception translation does not expose original BatchUpdateException anymore #​35717
• Add hints for entities package-private methods #​35711
• Fix concurrency permit leak causing deadlock in SimpleAsyncTaskExecutor #​35708
• Remove jibx-marshaller element from spring-oxm.xsd #​35699
• NullPointerException When Handling 407 with JdkClientHttpConnector in WebClient #​35692
• Method-based Map injection fails against target Map with incomplete generics despite bean name or qualifier match #​35690
• JUnit Jupiter TEST_METHOD ExtensionContextScope is not fully supported #​35680
• Introduce isAutowirableConstructor(Executable, PropertyProvider) in TestConstructorUtils and deprecate existing variants #​35676
• Reflection on java.sql.Types without runtime hints #​35674
• getPubliclyAccessibleMethodIfPossible() returns hidden static method #​35667
• RestClient hangs during upload with ReactorClientHttpRequestFactory #​34707

📔 Documentation

• Correct formatting for Mono type #​35786
• Improve Java Bean Validation documentation for controller methods #​35759
• Fix typo in @NumberFormat Javadoc #​35742
• Javadoc of AsyncConfigurer does not match runtime behavior #​35736
• Document PathPattern behavior difference between */{name} and **/{*path} #​35727
• Fix minor typo in RestClient documentation #​35723
• Document test-method scoped TestContext semantics #​35716
• Improve docs on AbstractStreamingClientHttpRequest for streaming vs buffering mode #​35700
• Fix minor typo in JDBC Core Classes documentation #​35684
• Fix typos #​35656
• Improve spring-web filter documentation #​30454

🔨 Dependency Upgrades

• Upgrade to ASM 9.9 plus lenient version check patch #​35763
• Upgrade to Jetty 12.0.30 #​35806
• Upgrade to Micrometer 1.14.13 #​35810
• Upgrade to Reactor 2024.0.12 #​35809

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Anxton, @​Artur-, @​HJC96, @​MoadElfatihi, @​NYgomets, @​cbsingh1, @​dmitrysulman, @​ekcom, and @​scordio

v6.2.12

Compare Source

⭐ New Features

• Add "forEachByte" variant to DataBuffer for efficient traversing #​35623
• Nested transaction support via savepoints is broken in HSQLDB database [followup] #​35618
• Improve exception handling in ConfigurationClassBeanDefinitionReader #​35631
• Add MySQL/MariaDB to TableMetaDataProviderFactory for correct generated-keys support #​35593
• Optimize state management in StompSubProtocolHandler #​35591
• ServletServerHttpRequest.getRemoteAddress() may perform DNS lookup #​35589
• Emit log message when multiple primary beans are detected #​35550
• Duplicate key error is mapped to TransientDataAccessException by SQLStateSQLExceptionTranslator for BatchUpdateException #​35547
• Remove redundant object allocation in cglib proxy method calls #​35543
• Remove deprecation on CandidateComponentsIndex and CandidateComponentsIndexLoader #​35472
• Processing response with no Content-Length header and no body raises EOFException #​35361

🐞 Bug Fixes

• DefaultListableBeanFactory::getBeanNamesForType does not always return all bean names #​35634
• Consider defaultCandidate for scoped proxies #​35627
• Release data buffer in AbstractCharSequenceDecoder even when String creation fails #​35625
• PathMatchingResourcePatternResolver is not able to resolve file in SpringBoot Packaged JAR #​35617
• Prevent NoClassDefFoundError when Jetty Reactive HttpClient is not available #​35608
• Performance regression with Property Placeholder Resolution #​35594
• Retain order of produces media types in @ExceptionHandler #​35587
• Nested transaction support via savepoints is broken in HSQLDB database #​35564
• SpEL expression parser uses more CPU after upgrade to 6.2.9 #​35556
• Thread race during FactoryBean instantiations starting with 6.2 due to lenient locks #​35545
• Update parsed path handling in UrlHandlerFilter #​35538
• ResourceHttpMessageWriter.write has unexpected error handling for invalid range requests (offset > content length) #​35536
• AbstractTestNGSpringContextTests is not thread-safe regarding tracked exceptions #​35528
• UrlHandlerFilter breaks RequestDispatcher.forward() on Tomcat #​35509
• AbstractMockHttpServletRequestBuilder#buildRequest is not idempotent #​35493
• Add support for JvmDefault (default in Kotlin 2.2.20+) #​35487
• InstanceSupplierCodeGenerator fails to detect deprecated type on package private factory method #​35486
• Fix synchronization in ResponseBodyEmitter #​35466
• useCaches option in PathMatchingResourcePatternResolver not applied in special case #​35465
• Deadlock during context initialization due to EntityManager lock #​35398

📔 Documentation

• Improve guidance in WebFlux on how to join inbound and outbound streams in WebSocketHandler #​35572
• Fix idref example in reference manual #​35560
• Fix URI Patterns docs in WebMVC and WebFlux Request Mapping #​35551
• Allow event listener method declared with multiple event classes to take a single parameter that is assignable from all of those event classes #​35506
• Improve Task Javadoc about Runnable wrapping #​35394

🔨 Dependency Upgrades

• Upgrade to Micrometer 1.14.12 #​35640
• Upgrade to Reactor 2024.0.11 #​35638

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Entea, @​IMurzich, @​hosea, @​maziyarbahramian, @​mlichtblau, @​nstdio, @​reckart, and @​reda-alaoui

mockito/mockito (org.mockito:mockito-core)

v5.23.0

Compare Source

^{Changelog generated by Shipkit Changelog Gradle Plugin}

5.23.0

• 2026-03-11 - 6 commit(s) by Brice Dutheil, Joshua Selbo, Philippe Kernevez
• Replace mockito-android mock maker implementation with dexmaker-mockito-inline (#​3792)
• Fix StackOverflowError with AbstractList after using mockSingleton (#​3790)
• Mark parameters of Mockito.when @Nullable (#​3503)

v5.22.0

Compare Source

^{Changelog generated by Shipkit Changelog Gradle Plugin}

5.22.0

• 2026-02-27 - 6 commit(s) by Joshua Selbo, NiMv1, Rafael Winterhalter, dependabot[bot], eunbin son
• Avoid mocking of internal static utilities (#​3785)
• Bump graalvm/setup-graalvm from 1.4.4 to 1.4.5 (#​3780)
• Static mocking of UUID.class corrupted under JDK 25 (#​3778)
• Bump actions/upload-artifact from 5 to 6 (#​3774)
• docs: clarify RETURNS_MOCKS behavior with sealed abstract enums (Java 15+) (#​3773)
• Add tests for Sets utility class (#​3771)
• Add core API to enable Kotlin singleton mocking (#​3762)
• Stubbing Kotlin object singletons (#​3652)
• Incorrect documentation for RETURNS_MOCKS (#​3285)

v5.21.0

^{Changelog generated by Shipkit Changelog Gradle Plugin}

5.21.0

• 2025-12-09 - 17 commit(s) by Giulio Longfils, Joshua Selbo, Woongi9, Zylox, dependabot[bot]
• Bump graalvm/setup-graalvm from 1.4.3 to 1.4.4 (#​3768)
• Bump graalvm/setup-graalvm from 1.4.2 to 1.4.3 (#​3767)
• Bump actions/checkout from 5 to 6 (#​3765)
• Adds output of matchers to potential mismatch; Fixes #​2468 (#​3760)
• Forbid mocking WeakReference with inline mock maker (#​3759)
• StackOverflowError when mocking WeakReference (#​3758)
• Bump actions/upload-artifact from 4 to 5 (#​3756)
• Bump graalvm/setup-graalvm from 1.4.1 to 1.4.2 (#​3755)
• Support primitives in GenericArrayReturnType. (#​3753)
• ClassNotFoundException when stubbing array of primitive type on Android (#​3752)
• Bump graalvm/setup-graalvm from 1.4.0 to 1.4.1 (#​3744)
• Bump gradle/actions from 4 to 5 (#​3743)
• Bump org.graalvm.buildtools.native from 0.11.0 to 0.11.1 (#​3738)
• Bump com.diffplug.spotless:spotless-plugin-gradle from 7.2.1 to 8.0.0 (#​3735)
• Bump graalvm/setup-graalvm from 1.3.7 to 1.4.0 (#​3734)
• Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 (#​3733)
• Bump errorprone from 2.41.0 to 2.42.0 (#​3732)
• Feat: automatically detect class to mock in mockStatic and mockConstruction (#​3731)
• Return completed futures for unstubbed Future/CompletionStage in ReturnsEmptyValues (#​3727)
• automatically detect class to mock (#​2779)
• Incorrect "has following stubbing(s) with different arguments" message when using Argument Matchers (#​2468)

v5.20.0

Compare Source

^{Changelog generated by Shipkit Changelog Gradle Plugin}

5.20.0

• 2025-09-20 - 11 commit(s) by Adrian-Kim, Giulio Longfils, Rafael Winterhalter, dependabot[bot]
• Bump org.assertj:assertj-core from 3.27.4 to 3.27.5 (#​3730)
• Introducing the Ability to Mock Construction of Generic Types (#​2401) (#​3729)
• Bump com.gradle.develocity from 4.1.1 to 4.2 (#​3726)
• Bump graalvm/setup-graalvm from 1.3.6 to 1.3.7 (#​3725)
• Bump org.eclipse.platform:org.eclipse.osgi from 3.23.100 to 3.23.200 (#​3720)
• Bump graalvm/setup-graalvm from 1.3.5 to 1.3.6 (#​3719)
• Bump actions/setup-java from 4 to 5 (#​3715)
• Bump com.gradle.develocity from 4.1 to 4.1.1 (#​3713)
• Bump bytebuddy from 1.17.6 to 1.17.7 (#​3712)
• test: Use Assume.assumeThat for SequencedCollection tests (#​3711)
• Fix #​3709 (#​3710)
• feat: Add support for JDK21 Sequenced Collections. (#​3708)
• Introducing the Ability to Mock Construction of Generic Types (#​2401)

v5.19.0

Compare Source

^{Changelog generated by Shipkit Changelog Gradle Plugin}

5.19.0

• 2025-08-15 - 37 commit(s) by Adrian-Kim, Tim van der Lippe, Tran Ngoc Nhan, dependabot[bot], juyeop
• feat: Add support for JDK21 Sequenced Collections. (#​3708)
• Bump actions/checkout from 4 to 5 (#​3707)
• build: Allow overriding 'Created-By' for reproducible builds (#​3704)
• Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 (#​3703)
• Bump androidx.test:runner from 1.6.2 to 1.7.0 (#​3697)
• Bump org.junit.platform:junit-platform-launcher from 1.13.3 to 1.13.4 (#​3694)
• Bump com.diffplug.spotless:spotless-plugin-gradle from 7.1.0 to 7.2.1 (#​3693)
• Bump junit-jupiter from 5.13.3 to 5.13.4 (#​3691)
• Bump com.gradle.develocity from 4.0.2 to 4.1 (#​3689)
• Bump com.google.googlejavaformat:google-java-format from 1.27.0 to 1.28.0 (#​3688)
• Bump com.google.googlejavaformat:google-java-format from 1.25.2 to 1.27.0 (#​3686)
• Bump com.diffplug.spotless:spotless-plugin-gradle from 7.0.4 to 7.1.0 (#​3685)
• Bump junit-jupiter from 5.13.2 to 5.13.3 (#​3684)
• Bump org.shipkit:shipkit-auto-version from 2.1.0 to 2.1.2 (#​3683)
• Bump com.diffplug.spotless:spotless-plugin-gradle from 7.0.2 to 7.0.4 (#​3682)
• Only run release after both Java and Android tests have finished
  (#​3681)
• Bump org.junit.platform:junit-platform-launcher from 1.12.2 to 1.13.3 (#​3680)
• Bump org.codehaus.groovy:groovy from 3.0.24 to 3.0.25 (#​3679)
• Bump org.eclipse.platform:org.eclipse.osgi from 3.23.0 to 3.23.100 (#​3678)
• Can no longer publish snapshot releases (#​3677)
• Update Gradle to 8.14.2 (#​3676)
• Bump errorprone from 2.23.0 to 2.39.0 (#​3674)
• Correct Junit docs link (#​3672)
• Bump net.ltgt.gradle:gradle-errorprone-plugin from 4.1.0 to 4.3.0 (#​3670)
• Bump junit-jupiter from 5.13.1 to 5.13.2 (#​3669)
• Bump bytebuddy from 1.17.5 to 1.17.6 (#​3668)
• Bump junit-jupiter from 5.12.2 to 5.13.1 (#​3666)
• Bump org.jetbrains.kotlin:kotlin-stdlib from 2.0.21 to 2.2.0 (#​3665)
• Bump org.gradle.toolchains.foojay-resolver-convention from 0.9.0 to 1.0.0 (#​3661)
• Bump org.junit.platform:junit-platform-launcher from 1.11.4 to 1.12.2 (#​3660)
• Add JDK21 sequenced collections for ReturnsEmptyValues (#​3659)
• Bump com.gradle.develocity from 3.19.1 to 4.0.2 (#​3658)
• Bump ru.vyarus:gradle-animalsniffer-plugin from 1.7.2 to 2.0.1 (#​3657)
• Bump org.eclipse.platform:org.eclipse.osgi from 3.22.0 to 3.23.0 (#​3656)
• Bump org.codehaus.groovy:groovy from 3.0.23 to 3.0.24 (#​3655)
• Bump junit-jupiter from 5.11.4 to 5.12.2 (#​3653)
• Reproducible Build: need to inject JDK distribution details to rebuild (#​3563)

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone Europe/Berlin)

• Branch creation
  • "before 6am on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[hashicorp-vault-sonar-prod]

Renovate Jira issue ID: SONARJAVA-6350

[sonar-review-alpha]

Summary

⚠️ The PR description exceeded the analysis limit and was truncated. The review may not reflect all context.

Routine Maven dependency updates across the project. This PR updates 20+ dependencies including build plugins and runtime libraries:

Key updates:

• Build plugins: maven-shade-plugin (3.5.1 → 3.6.2), maven-resources-plugin (3.4.0 → 3.5.0), maven-compiler-plugin (3.13.0 → 3.15.0)
• Test dependencies: JUnit (5.11.2 → 5.14.4), Mockito (5.18.0 → 5.23.0), JaCoCo (0.8.13 → 0.8.14)
• Production libraries: Guava (33.4.8 → 33.6.0), Gson (2.13.1 → 2.14.0), commons-io (2.19.0 → 2.22.0), Spring (6.2.11 → 6.2.18), SLF4J (1.7.30 → 1.7.36)
• Legacy test artifacts: commons-collections (3.2.1 → 3.2.2), struts-core (1.3.9 → 1.3.10)

Most updates are patch-level or minor version increments. JUnit jumps from 5.11.x to 5.14.x, a larger gap that warrants verification.

What reviewers should know

For reviewers:

1. Start with root pom.xml (lines 110-305) — contains the main dependency version definitions
2. Pay attention to:
   • JUnit 5.14.4 is a significant version jump (3 minor versions). Check if any test APIs changed or if compatibility is maintained
   • Spring 6.2.18 and commons-io 2.22.0 are stable patch updates with minimal risk
   • Tomcat, Guava, and Gson updates are routine patch releases
3. Secondary concern: Plugin updates (maven-shade, maven-resources, maven-compiler) — verify the build completes successfully
4. Note: Downloads from test resources (java-frontend, its/vibebot) are unchanged except for version strings; output directories still reference old versions (e.g., "commons-collections-3.2.1", "struts-core-1.3.9") despite updated artifact versions — this is intentional and correct
5. Test coverage: This PR likely has passing CI since it's dependency-focused, but verify no test failures arose from the JUnit update

---

• Generate Walkthrough
• Generate Diagram

🗣️ Give feedback

[sonar-review-alpha]

Two of the artifact version bumps in java-frontend/pom.xml are incomplete in a way that will silently analyse a different version of each library than the test expected-metric values were calibrated against. Everything else in the PR is clean.

🗣️ Give feedback

[sonar-review-alpha]

The artifact version was bumped from 3.2.1 to 3.2.2, but both outputDirectory paths still embed commons-collections-3.2.1. The test class CommonsCollectionsTest.java:27 resolves target/test-projects/commons-collections-3.2.1 as its PROJECT_DIR and asserts hard-coded metric counts (412 classes, 26 323 ncloc, …) that were calibrated against 3.2.1 sources.

At runtime, Maven will download the 3.2.2 sources/jar into the old directory name, so the test runs, but it analyses 3.2.2 code while expecting 3.2.1 numbers. If the source changed between those patch releases (commons-collections 3.2.2 was a security patch that did touch source files), the assertions will fail. At minimum, the directory name misrepresents what version is actually being tested.

Fix:

1. Update the output directory names here to commons-collections-3.2.2 (suggestion below).
2. Update CommonsCollectionsTest.java:27 to reference commons-collections-3.2.2.
3. Run the test locally and update the hard-coded metric counts if they differ.

Suggested change

	<artifactItem>
	<groupId>commons-collections</groupId>
	<artifactId>commons-collections</artifactId>
	<version>3.2.1</version>
	<version>3.2.2</version>
	<classifier>sources</classifier>
	<outputDirectory>${project.build.directory}/test-projects/commons-collections-3.2.1/src</outputDirectory>
	</artifactItem>
	<artifactItem>
	<groupId>commons-collections</groupId>
	<artifactId>commons-collections</artifactId>
	<version>3.2.1</version>
	<version>3.2.2</version>
	<outputDirectory>${project.build.directory}/test-projects/commons-collections-3.2.1/bin</outputDirectory>
	<artifactItem>
	<groupId>commons-collections</groupId>
	<artifactId>commons-collections</artifactId>
	<version>3.2.2</version>
	<classifier>sources</classifier>
	<outputDirectory>${project.build.directory}/test-projects/commons-collections-3.2.2/src</outputDirectory>
	</artifactItem>
	<artifactItem>
	<groupId>commons-collections</groupId>
	<artifactId>commons-collections</artifactId>
	<version>3.2.2</version>
	<outputDirectory>${project.build.directory}/test-projects/commons-collections-3.2.2/bin</outputDirectory>
	</artifactItem>

• Mark as noise

[sonar-review-alpha]

Same issue as the commons-collections block above: the artifact version was bumped to 1.3.10 but both outputDirectory paths still say struts-core-1.3.9. StrutsTest.java:27 resolves target/test-projects/struts-core-1.3.9 and asserts metric counts (146 classes, 14 007 ncloc, …) that were calibrated against 1.3.9 source.

Fix:

1. Update the output directory names here to struts-core-1.3.10 (suggestion below).
2. Update StrutsTest.java:27 to reference struts-core-1.3.10.
3. Run the test and update the hard-coded metric assertions if the source changed.

Suggested change

	<artifactItem>
	<groupId>org.apache.struts</groupId>
	<artifactId>struts-core</artifactId>
	<version>1.3.9</version>
	<version>1.3.10</version>
	<classifier>sources</classifier>
	<outputDirectory>${project.build.directory}/test-projects/struts-core-1.3.9/src</outputDirectory>
	</artifactItem>
	<artifactItem>
	<groupId>org.apache.struts</groupId>
	<artifactId>struts-core</artifactId>
	<version>1.3.9</version>
	<version>1.3.10</version>
	<outputDirectory>${project.build.directory}/test-projects/struts-core-1.3.9/bin</outputDirectory>
	</artifactItem>
	<artifactItem>
	<groupId>org.apache.struts</groupId>
	<artifactId>struts-core</artifactId>
	<version>1.3.10</version>
	<classifier>sources</classifier>
	<outputDirectory>${project.build.directory}/test-projects/struts-core-1.3.10/src</outputDirectory>
	</artifactItem>
	<artifactItem>
	<groupId>org.apache.struts</groupId>
	<artifactId>struts-core</artifactId>
	<version>1.3.10</version>
	<outputDirectory>${project.build.directory}/test-projects/struts-core-1.3.10/bin</outputDirectory>
	</artifactItem>

• Mark as noise