Skip to content

Bump the root-maven-security-updates group across 1 directory with 4 updates#5230

Open
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/maven/root-maven-security-updates-880e672941
Open

Bump the root-maven-security-updates group across 1 directory with 4 updates#5230
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/maven/root-maven-security-updates-880e672941

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 6, 2026

Bumps the root-maven-security-updates group with 4 updates in the / directory: org.apache.thrift:libthrift, org.apache.shiro:shiro-core, org.bouncycastle:bcpkix-jdk18on and org.assertj:assertj-core.

Updates org.apache.thrift:libthrift from 0.13.0 to 0.14.0

Release notes

Sourced from org.apache.thrift:libthrift's releases.

Version 0.14.0

For release 0.14.0 head over to the official release download source: http://thrift.apache.org/download

The assets below are added by Github based on the release tag and they may therefore not match the checkums.

Changelog

Sourced from org.apache.thrift:libthrift's changelog.

0.14.0

Deprecated Languages

Removed Languages

  • THRIFT-4980 - Remove deprecated C# and netcore bindings from the code base
  • THRIFT-4981 - Remove deprecated netcore bindings from the code base
  • THRIFT-4982 - Remove deprecated C# bindings from the code base

Breaking Changes

  • THRIFT-4981 - Remove deprecated netcore bindings from the code base
  • THRIFT-4982 - Remove deprecated csharp bindings from the code base
  • THRIFT-4990 - Upgrade to .NET Core 3.1 (LTS)
  • THRIFT-5006 - Implement DEFAULT_MAX_LENGTH at TFramedTransport
  • THRIFT-5069 - In Go library TDeserializer.Transport is now typed *TMemoryBuffer instead of TTransport
  • THRIFT-5072 - Haskell generator fails to distinguish between multiple enum types with conflicting enum identifiers
  • THRIFT-5116 - Upgrade NodeJS to 10.x
  • THRIFT-5138 - Swift generator does not escape keywords properly
  • THRIFT-5164 - In Go library TProcessor interface now includes ProcessorMap and AddToProcessorMap functions.
  • THRIFT-5186 - cpp: use all getaddrinfo() results when retrying failed bind() in T{Nonblocking,}ServerSocket
  • THRIFT-5233 - go: Now all Read*, Write* and Skip functions in TProtocol accept context arg
  • THRIFT-5152 - go: TSocket and TSSLSocket now have separated connect timeout and socket timeout
  • c++: dropped support for Windows XP
  • THRIFT-5326 - go: TException interface now has a new function: TExceptionType
  • THRIFT-4914 - go: TClient.Call now returns ResponseMeta in addition to error

Known Open Issues (Blocker or Critical)

  • THRIFT-3877 - C++: library don't work with HTTP (csharp server, cpp client; need cross test enhancement)
  • THRIFT-5098 - Deprecated: "The high level Network interface is no longer supported. Please use Network.Socket." and other Haskell issues
  • THRIFT-5245 - NPE when the value of map's key is null
  • THRIFT-4687 - Add thrift 0.12.0 to pypi and/or enable more maintainers

Build Process

  • THRIFT-4976 - Docker build: Test failure for StalenessCheckTest on MacOS
  • THRIFT-5087 - test/test.py fails with "AssertionError: Python 3.3 or later is required for proper operation."
  • THRIFT-5097 - Incorrect THRIFT_VERSION in ThriftConfig.cmake
  • THRIFT-5109 - Misc CMake improvements
  • THRIFT-5147 - Add uninstall function
  • THRIFT-5218 - Automated Github release artifacts do not match checksums provided
  • THRIFT-5249 - travis-ci : Failed to run FastbinaryTest.py

C glib

... (truncated)

Commits
  • 8411e18 Version 0.14.0
  • 0be1b7d Version 0.14.0
  • 705f377 Version 0.14.0
  • ebfa771 THRIFT-5274: Enforce Java 8 compatibility
  • 518163a Update README.md
  • de523c7 Updated CHANGES to reflect Version 0.14.0
  • 7ae1ec3 THRIFT-5297: Improve TThreadPoolServer Handling of Incoming Connections
  • ebc2ab5 THRIFT-5345: Allow the ServerContext to be Unwrapped Programmatically
  • 55016bf THRIFT-5343: TTlsSocketTransport does not resolve IPv4 addresses or validate ...
  • 4aaef75 THRIFT-5337 Go set fields write improvement
  • Additional commits viewable in compare view

Updates org.apache.shiro:shiro-core from 1.13.0 to 2.1.0

Release notes

Sourced from org.apache.shiro:shiro-core's releases.

Apache Shiro 2.1.0

What's Changed

... (truncated)

Changelog

Sourced from org.apache.shiro:shiro-core's changelog.

Licensed to the Apache Software Foundation (ASF) under one

or more contributor license agreements. See the NOTICE file

distributed with this work for additional information

regarding copyright ownership. The ASF licenses this file

to you under the Apache License, Version 2.0 (the

"License"); you may not use this file except in compliance

with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,

software distributed under the License is distributed on an

"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY

KIND, either express or implied. See the License for the

specific language governing permissions and limitations

under the License.

This is not an official release notes document. It exists for Shiro developers to jot down their notes while working in the source code. These notes will be combined with Jira’s auto-generated release notes during a release for the total set.

###########################################################

2.0.0

###########################################################

Improvement

[SHIRO-290] Implement bcrypt and argon2 KDF algorithms

Backwards Incompatible Changes

  • Changed default DefaultPasswordService.java algorithm to "Argon2id".
  • PasswordService.encryptPassword(Object plaintext) will now throw a NullPointerException on null parameter. It was never specified how this method would behave.
  • Made salt non-nullable.
  • Removed methods in PasswordMatcher.

###########################################################

1.7.1

###########################################################

Bug

[SHIRO-797] - Shiro 1.7.0 is lower than using springboot version 2.0.7 dependency error

###########################################################

... (truncated)

Commits
  • 2b873bc [maven-release-plugin] prepare release shiro-root-2.1.0
  • 8dc0d81 [dependency] Upgrade to Apache POM 37
  • 3b9638b enh: added case-insensitive path filtering
  • f27f46e Update pre-commit workflow set --show-diff-on-failure (#2487)
  • 87d29df chore: Eclipse IDE ignores for license checks (#2484)
  • 2dfa579 Run pre-commit autoupdate to update the hooks (#2486)
  • 9266bfa Merge pull request #2475 from lprimak/fix-private-salt-compat
  • e9e5e3f Merge pull request #1026 from haster/change-pathtraversal-blockmode
  • 4bf410c enh: added test for secret salt with Shiro1 compatibility
  • 84b2fdb Merge branch 'main' into fix-private-salt-compat
  • Additional commits viewable in compare view

Updates org.bouncycastle:bcpkix-jdk18on from 1.80 to 1.84

Changelog

Sourced from org.bouncycastle:bcpkix-jdk18on's changelog.

... (truncated)

Commits

Updates org.assertj:assertj-core from 1.7.0 to 3.27.7

Release notes

Sourced from org.assertj:assertj-core's releases.

v3.27.7

🔒 Security

Core

🚫 Deprecated

Core

  • Deprecate XmlStringPrettyFormatter with no replacement

🐛 Bug Fixes

Guava

  • Navigation to assertj-core or guava types from assertj-guava Javadoc site has unnecessary header #3478

🔨 Dependency Upgrades

Core

  • Upgrade to Byte Buddy 1.18.3
  • Upgrade to JUnit BOM 5.14.1

Guava

  • Upgrade to Guava 33.5.0-jre

v3.27.6

🐛 Bug Fixes

Core

  • Add missing export for org.assertj.core.annotation #3951

❤️ Contributors

Thanks to all the contributors who worked on this release:

@​duponter

v3.27.5

⚡ Improvements

Core

  • ByteBuddy in AssertJ 3.27.4 not compatible with Java 25 #3946

... (truncated)

Commits
  • e840716 [maven-release-plugin] prepare release assertj-build-3.27.7
  • 85ca7eb Deprecate XmlStringPrettyFormatter
  • 77081dc Merge commit from fork
  • b68fc24 Bump github/codeql-action from 4.31.9 to 4.31.10 in the github-actions group ...
  • 0cf5bb6 Bump kotlin.version from 2.1.0 to 2.2.21
  • d393ef1 Abort tests when symbolic links cannot be created (#3788)
  • 2212433 Add IntelliJ custom inspection for test class names
  • 5717d02 Update JetBrains icon
  • a8ec20b Add icon for JetBrains products
  • c05fb3d Bump Maven to 3.9.12 and Wrapper to 3.3.4
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the root-maven-security-updates group across 1 directory with 4 …
8f8f66d 
…updates

Bumps the root-maven-security-updates group with 4 updates in the / directory: [org.apache.thrift:libthrift](https://github.com/apache/thrift), [org.apache.shiro:shiro-core](https://github.com/apache/shiro), [org.bouncycastle:bcpkix-jdk18on](https://github.com/bcgit/bc-java) and [org.assertj:assertj-core](https://github.com/assertj/assertj).


Updates `org.apache.thrift:libthrift` from 0.13.0 to 0.14.0
- [Release notes](https://github.com/apache/thrift/releases)
- [Changelog](https://github.com/apache/thrift/blob/master/CHANGES.md)
- [Commits](apache/thrift@v0.13.0...v0.14.0)

Updates `org.apache.shiro:shiro-core` from 1.13.0 to 2.1.0
- [Release notes](https://github.com/apache/shiro/releases)
- [Changelog](https://github.com/apache/shiro/blob/main/RELEASE-NOTES)
- [Commits](apache/shiro@shiro-root-1.13.0...shiro-root-2.1.0)

Updates `org.bouncycastle:bcpkix-jdk18on` from 1.80 to 1.84
- [Changelog](https://github.com/bcgit/bc-java/blob/main/docs/releasenotes.html)
- [Commits](https://github.com/bcgit/bc-java/commits)

Updates `org.assertj:assertj-core` from 1.7.0 to 3.27.7
- [Release notes](https://github.com/assertj/assertj/releases)
- [Commits](assertj/assertj@assertj-core-1.7.0...assertj-build-3.27.7)

---
updated-dependencies:
- dependency-name: org.apache.thrift:libthrift
  dependency-version: 0.14.0
  dependency-type: direct:production
  dependency-group: root-maven-security-updates
- dependency-name: org.apache.shiro:shiro-core
  dependency-version: 2.1.0
  dependency-type: direct:production
  dependency-group: root-maven-security-updates
- dependency-name: org.bouncycastle:bcpkix-jdk18on
  dependency-version: '1.84'
  dependency-type: direct:production
  dependency-group: root-maven-security-updates
- dependency-name: org.assertj:assertj-core
  dependency-version: 3.27.7
  dependency-type: direct:production
  dependency-group: root-maven-security-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels May 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file java Pull requests that update Java code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants