chore(deps): update all stable non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.codehaus.mojo:exec-maven-plugin (source)	3.6.2 → 3.6.3
org.apache.maven.plugins:maven-release-plugin (source)	3.2.0 → 3.3.1
org.apache.logging.log4j:log4j-slf4j2-impl (source)	2.25.2 → 2.25.3
org.apache.logging.log4j:log4j-core (source)	2.25.2 → 2.25.3

GitHub Vulnerability Alerts

CVE-2025-68161

The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName configuration attribute or the log4j2.sslVerifyHostName system property is set to true.

This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:

• The attacker is able to intercept or redirect network traffic between the client and the log receiver.
• The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured).

Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue.

As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.

---

Release Notes

mojohaus/exec-maven-plugin (org.codehaus.mojo:exec-maven-plugin)

v3.6.3

Compare Source

📝 Documentation updates

• Document thread group isolation limitation in java goal (#​503) @​copilot-swe-agent[bot]

👻 Maintenance

• JUnit 5 best practices (#​505) @​slachiewicz
• Move ExecJavaMojoTest, ExecMojoTest to JUnit 5 (#​502) @​slawekjaranowski
• Add support for JEP 512 for for package-private static main method (#​499) @​anuragagarwal561994
• Move to JUnit 5 (#​501) @​slawekjaranowski

📦 Dependency updates

• Bump asm.version from 9.9 to 9.9.1 (#​509) @​dependabot[bot]
• Bump org.apache.commons:commons-exec from 1.5.0 to 1.6.0 (#​508) @​dependabot[bot]

---

Configuration

📅 Schedule: Branch creation - "on the first day of the month" in timezone Europe/Zurich, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.