fix(deps): bump the prod-deps group with 2 updates

[dependabot]

Bumps the prod-deps group with 2 updates: org.springframework.boot:spring-boot-starter-parent and org.projectlombok:lombok.

Updates org.springframework.boot:spring-boot-starter-parent from 4.0.3 to 4.0.4

Release notes

Sourced from org.springframework.boot:spring-boot-starter-parent's releases.

v4.0.4

⚠️ Attention Required

• Provide advance warning of the deprecation and forthcoming removal of OpenTelemetry's ZipkinSpanExporter #49453
• Upgrade to Jackson 2 Bom 2.21.1 #49389
• Upgrade to Jackson Bom 3.1.0 #49383
• Tomcat's default max part count is too low in 4.0.x #49311

🐞 Bug Fixes

• EndpointRequest request matcher for health groups is too complex #49649
• "/cloudfoundryapplication" web path is not limited to Actuator #49646
• Fix EndpointRequest.toLinks() when base-path is '/' #49617
• Docker fails when a 'tcp://' address ends with a slash (for example 'tcp://docker:2375/') #49596
• RSocket exposes duplicate endpoint for websocket setups #49593
• Failure analysis for a missing mail sender is misleading #49582
• SpringBootContextLoader mentions class that no longer exists in message for classes or locations assertion #49535
• Ordering of 'spring.config.import' is inconsistent when defined in environment or system properties #49482
• "spring.main.cloud-platform=none" does not disable cloud features #49479
• SSL support with Docker Compose does not work as documented #49385
• Auto-configuration overrides authorization server configuration applied by Customizer beans #49367
• Using @AutoConfigureWebTestClient prevents separate configuration of spring.test.webtestclient.timeout from taking effect #49344
• NoSuchMethodException when forcing the use of Log4J2LoggingSystem using org.springframework.boot.logging.LoggingSystem system property #49343
• RouterFunctions descriptions in Actuator do not support nesting #49302
• Maven plugin does not set '-parameters' option when processing AOT code #49295
• HTTP Service Interface Client doesn't work in a native image due to missing property binding #49274
• ErrorPageRegistrarBeanPostProcessor is not auto-configured in war deployments and the ErrorPageCustomizer is not applied #49176
• Missing starter for spring-boot-restdocs #48289

📔 Documentation

• Document support for Java 26 #49604
• List all supported colors when describing color-coded log output #49562
• Improve EndpointRequest matcher documentation #49520
• Clarify that running is the only supported input state when triggering a Quartz job through the Actuator endpoint #49514
• Document security considerations for forwarded headers in cloud deployments #49507
• Tutorial in the reference guide has outdated instructions #49429
• Document additional repositories required for shibboleth.net #49392
• Javadoc of JettyHttpClientBuilder refers to the wrong type #49387
• Example spring-devtools.properties file is shown in the wrong format #49362
• Clarify inferred relationships between OAuth 2 registrations and providers #49327
• Mention using org.springframework.boot.aot Gradle plugin directly for AOT processing with the JVM #49321
• Remove superfluous semi-colon from read timeout configuration example for HTTP service interface clients #49306
• Update CLI's INSTALL.txt to reflect Groovy no longer being bundled #49298
• JDK requirement for the CLI still refers to Java 8 #49293
• Java and Kotlin samples of an environment post processor are inconsistent #49287

🔨 Dependency Upgrades

• Upgrade to Commons Logging 1.3.6 #49545

... (truncated)

Commits

• 8bdd6f8 Release v4.0.4
• 79a3850 Merge branch '3.5.x' into 4.0.x
• 3ebd147 Next development version (v3.5.13-SNAPSHOT)
• 26edf79 Merge branch '3.5.x' into 4.0.x
• 6620dea Polishing
• 7151419 Upgrade to Testcontainers 2.0.4
• cc6bb61 Merge branch '3.5.x' into 4.0.x
• dd54841 Upgrade to Spring Batch 5.2.5
• 2739427 Upgrade to Spring Batch 6.0.3
• a6d8c48 Merge branch '3.5.x' into 4.0.x
• Additional commits viewable in compare view

Updates org.projectlombok:lombok from 1.18.42 to 1.18.44

Changelog

Sourced from org.projectlombok:lombok's changelog.

v1.18.44 (March 11th, 2026)

• FEATURE: @Jacksonized now supports both Jackson2 and Jackson3; you'll get a warning until you configure which one (or even both!) you want lombok to generate. #3950.
• BUGFIX: On JDK25, val and @ExtensionMethod could sometimes cause erroneous errors (in that you see errors but compilation succeeds anyway) using javac. #3947.
• BUGFIX: @Jacksonized + fields marked transient would result in those transient fields being serialised which is surprising (and thus undesired) behaviour. #3936.

Commits

• 17c78fe [version] pre-release version bump
• 1edca70 [test][@Jacksonized] Test emission of warning when not choosing jackson ver...
• e789e82 [test] Update the generation of eclipse test targets from JDK14 to JDK25.
• a54cecd [trivial][changelog]
• 3db0a6c [bugfix][@Jacksonized] javac handler of jacksonized checked for existing ja...
• 12572fc [test] Adjusted tests to the new 'jackson version is a list' config key setup.
• 0e9699c [changelog] Document implementation of Jackson3 support: #3950.
• d441be1 [jacksonized] infrastructure for previous merge resolution: Changed to the co...
• d62b2d5 Merge branch 'master' into cachescrubber-gh-3950
• f49f0fe [test] Remove tests for deprecated @Logger(access = MODULE). They're deprec...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[julianladisch]

This fixes Jackson CVE-2026-29062 = GHSA-6v53-7c9g-w56r