build(deps): bump the all-java group across 2 directories with 17 updates

[dependabot]

Bumps the all-java group with 11 updates in the /agent/backend directory:

Package	From	To
org.springframework.boot:spring-boot-dependencies	3.5.7	4.0.6
org.springframework.boot:spring-boot-maven-plugin	3.5.7	4.0.6
org.springframework.modulith:spring-modulith-bom	1.4.4	2.0.6
org.springdoc:springdoc-openapi-starter-webmvc-ui	2.8.14	3.0.3
ca.uhn.hapi.fhir:hapi-fhir-base	8.8.1	8.10.0
ca.uhn.hapi.fhir:hapi-fhir-client	8.8.1	8.10.0
ca.uhn.hapi.fhir:hapi-fhir-structures-r4	8.8.1	8.10.0
org.apache.commons:commons-compress	1.26.1	1.28.0
org.apache.maven.plugins:maven-enforcer-plugin	3.6.2	3.6.3
com.spotify.fmt:fmt-maven-plugin	2.25	2.29
io.github.git-commit-id:git-commit-id-maven-plugin	9.1.0	10.0.0

Bumps the all-java group with 14 updates in the /server/backend directory:

Package	From	To
org.springframework.boot:spring-boot-dependencies	3.5.7	4.0.6
org.springframework.boot:spring-boot-maven-plugin	3.5.7	4.0.6
org.springframework.modulith:spring-modulith-bom	1.4.0	2.0.6
org.springdoc:springdoc-openapi-starter-webmvc-ui	2.8.14	3.0.3
org.apache.commons:commons-compress	1.26.1	1.28.0
org.testcontainers:testcontainers	2.0.4	2.0.5
org.testcontainers:testcontainers-bom	2.0.4	2.0.5
org.bouncycastle:bcprov-jdk18on	1.83	1.84
io.jsonwebtoken:jjwt-api	0.12.6	0.13.0
io.jsonwebtoken:jjwt-impl	0.12.6	0.13.0
io.jsonwebtoken:jjwt-jackson	0.12.6	0.13.0
org.apache.maven.plugins:maven-enforcer-plugin	3.6.2	3.6.3
com.spotify.fmt:fmt-maven-plugin	2.25	2.29
io.github.git-commit-id:git-commit-id-maven-plugin	9.0.2	10.0.0

Updates org.springframework.boot:spring-boot-dependencies from 3.5.7 to 4.0.6

Release notes

Sourced from org.springframework.boot:spring-boot-dependencies's releases.

v4.0.6

🐞 Bug Fixes

• Default security is misconfigured when spring-boot-actuator-autoconfigure is present and spring-boot-health is not #50188
• Elasticsearch Rest5Client auto-configuration misconfigures underlying HTTP client #50187
• ApplicationPidFileWriter does not handle symlinks correctly #50185
• RandomValuePropertySource is not suitable for secrets #50183
• Cassandra auto-configuration misconfigures CqlSessionBuilder #50180
• ApplicationTemp does not handle symlinks correctly #50178
• Remote DevTools performs comparison incorrectly #50176
• spring.rabbitmq.ssl.verify-hostname is applied inconsistently #50174
• Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #50077
• Classic starters are missing several modules #50071
• Module spring-boot-resttestclient is missing from spring-boot-starter-test-classic #50069
• Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #50064
• EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #50039
• WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #50017
• Imports on a containing test class are ignored when a nested class has imports #50012
• With spring.jackson.use-jackson2-defaults set to true, FAIL_ON_UNKNOWN_PROPERTIES is enabled #49951
• 500 response from env endpoint when supplied pattern is invalid #49946
• Reactive MongoDB starter has a transitive dependency on the synchronous MongoDB driver #49945
• HTTP method is lost when configuring excludes in EndpointRequest #49943
• Honor HttpMethod for reactive additional endpoint paths #49880
• Docker Compose support doesn't work with apache/artemis image #49869
• Docker Compose support doesn't work with apache/activemq image #49866
• Spring Security's PathPatternRequestMatcher.Builder is not auto-configured when using WebMvcTest and spring-boot-security-test #49854
• API versioning path strategy should be applied path last as it is not meant to yield #49800

📔 Documentation

• Update docs to encourage Java fundamentals for beginners that prefer to learn that way #50146
• HTTP Service Interface Clients still document that API versioning can be configured via properties #50126
• Link to the observability section of the Lettuce documentation is broken #50097
• Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location #50085
• MySamlRelyingPartyConfiguration is missing a Kotlin sample #50024
• Incorrect default value for management.httpexchanges.recording.include in configuration metadata #50019
• Link to the Kubernetes documentation when discussing startup probes #50015
• Typo in JdbcSessionAutoConfiguration Javadoc #49873
• Clarify that configuration property default values are not available through the Environment #49851
• Document the need for Liquibase and Flyway starters #49839
• Kafka documentation refers to deprecated JSON serializer and deserializer classes #49826

🔨 Dependency Upgrades

• Upgrade to Elasticsearch Client 9.2.8 #50027
• Upgrade to Groovy 5.0.5 #49911
• Upgrade to Hibernate 7.2.12.Final #50134
• Upgrade to Jackson Bom 3.1.2 #50051
• Upgrade to Jaxen 2.0.1 #50104
• Upgrade to Jaybird 6.0.5 #49914

... (truncated)

Commits

• 8821ad2 Release v4.0.6
• 9e4048a Merge branch '3.5.x' into 4.0.x
• 20bb11c Next development version (v3.5.15-SNAPSHOT)
• 98daa8e Merge branch '3.5.x' into 4.0.x
• 9dc5aa2 Polish
• 874f629 Fix default security with actuator but without health
• e41b3bf Enable hostname verification for SSL connections to Elasticsearch
• ef8527b Merge branch '3.5.x' into 4.0.x
• f533a45 Do not follow symlinks when writing PID file
• 4a7bd33 Merge branch '3.5.x' into 4.0.x
• Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-maven-plugin from 3.5.7 to 4.0.6

Release notes

Sourced from org.springframework.boot:spring-boot-maven-plugin's releases.

v4.0.6

🐞 Bug Fixes

• Default security is misconfigured when spring-boot-actuator-autoconfigure is present and spring-boot-health is not #50188
• Elasticsearch Rest5Client auto-configuration misconfigures underlying HTTP client #50187
• ApplicationPidFileWriter does not handle symlinks correctly #50185
• RandomValuePropertySource is not suitable for secrets #50183
• Cassandra auto-configuration misconfigures CqlSessionBuilder #50180
• ApplicationTemp does not handle symlinks correctly #50178
• Remote DevTools performs comparison incorrectly #50176
• spring.rabbitmq.ssl.verify-hostname is applied inconsistently #50174
• Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #50077
• Classic starters are missing several modules #50071
• Module spring-boot-resttestclient is missing from spring-boot-starter-test-classic #50069
• Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #50064
• EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #50039
• WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #50017
• Imports on a containing test class are ignored when a nested class has imports #50012
• With spring.jackson.use-jackson2-defaults set to true, FAIL_ON_UNKNOWN_PROPERTIES is enabled #49951
• 500 response from env endpoint when supplied pattern is invalid #49946
• Reactive MongoDB starter has a transitive dependency on the synchronous MongoDB driver #49945
• HTTP method is lost when configuring excludes in EndpointRequest #49943
• Honor HttpMethod for reactive additional endpoint paths #49880
• Docker Compose support doesn't work with apache/artemis image #49869
• Docker Compose support doesn't work with apache/activemq image #49866
• Spring Security's PathPatternRequestMatcher.Builder is not auto-configured when using WebMvcTest and spring-boot-security-test #49854
• API versioning path strategy should be applied path last as it is not meant to yield #49800

📔 Documentation

• Update docs to encourage Java fundamentals for beginners that prefer to learn that way #50146
• HTTP Service Interface Clients still document that API versioning can be configured via properties #50126
• Link to the observability section of the Lettuce documentation is broken #50097
• Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location #50085
• MySamlRelyingPartyConfiguration is missing a Kotlin sample #50024
• Incorrect default value for management.httpexchanges.recording.include in configuration metadata #50019
• Link to the Kubernetes documentation when discussing startup probes #50015
• Typo in JdbcSessionAutoConfiguration Javadoc #49873
• Clarify that configuration property default values are not available through the Environment #49851
• Document the need for Liquibase and Flyway starters #49839
• Kafka documentation refers to deprecated JSON serializer and deserializer classes #49826

🔨 Dependency Upgrades

• Upgrade to Elasticsearch Client 9.2.8 #50027
• Upgrade to Groovy 5.0.5 #49911
• Upgrade to Hibernate 7.2.12.Final #50134
• Upgrade to Jackson Bom 3.1.2 #50051
• Upgrade to Jaxen 2.0.1 #50104
• Upgrade to Jaybird 6.0.5 #49914

... (truncated)

Commits

• 8821ad2 Release v4.0.6
• 9e4048a Merge branch '3.5.x' into 4.0.x
• 20bb11c Next development version (v3.5.15-SNAPSHOT)
• 98daa8e Merge branch '3.5.x' into 4.0.x
• 9dc5aa2 Polish
• 874f629 Fix default security with actuator but without health
• e41b3bf Enable hostname verification for SSL connections to Elasticsearch
• ef8527b Merge branch '3.5.x' into 4.0.x
• f533a45 Do not follow symlinks when writing PID file
• 4a7bd33 Merge branch '3.5.x' into 4.0.x
• Additional commits viewable in compare view

Updates org.springframework.modulith:spring-modulith-bom from 1.4.4 to 2.0.6

Release notes

Sourced from org.springframework.modulith:spring-modulith-bom's releases.

2.0.6

💡 Improvements

• Prefer @SpringBootApplication on explicitly declared classes in @ModuleSlicing #1645

🪲 Bugs

• Incorrect parameters in documentation for staleness of event publications of resubmitted event publications #1664
• JdbcEventPublicationRepository deletes currently processing publication #1653
• Improve batch handling in DefaultEventpublicationRegistry.processFailedPublications(…) #1651

🔨 Dependency Upgrades

• Upgrade to Spring Boot 4.0.6 #1679
• Upgrade to MongoDB 5.6.5 #1670
• Upgrade to Lombok 1.18.46 #1669
• Upgrade to Testcontainers 2.0.5 #1668
• Upgrade to ArchUnit 1.4.2 #1667
• Upgrade to Spring Framework 7.0.7 #1666
• Upgrade to Micrometer Tracing 1.6.5 #1665

2.0.5

🔨 Dependency Upgrades

• Upgrade to Spring Boot 4.0.5 #1635

2.0.4

💡 Improvements

• Add details about the refined event publication lifecycle to the reference documentation #1594

🪲 Bugs

• Fix incorrect EventPublication.Status reference in ….staleness.published metadata #1601
• Package-based named interfaces not properly merged #1599

🔨 Dependency Upgrades

• Upgrade to Spring Boot 4.0.4 #1619
• Upgrade to Testcontainers 2.0.4 #1616
• Upgrade to Spring Framework 7.0.6 #1615
• Upgrade to Micrometer Tracing 1.6.4 #1614

2.0.3

💡 Improvements

• Hibernate schema validation fails with JPA event publication registry #1570
• SpringModulithProcessor fails on Windows with KAPT - StringIndexOutOfBoundsException due to hardcoded forward slashes #1546

🪲 Bugs

... (truncated)

Commits

• 20a0cba GH-1675 - Release version 2.0.6.
• 680a6a9 GH-1679 - Upgrade to Spring Boot 4.0.6.
• a328cab GH-1666 - Remove explicit Spring Framework version from examples.
• d0281dd GH-1666 - Adapt to changes in ApplicationListenerMethodAdapter.
• 46c70e9 GH-1668 - Upgrade to Testcontainers 2.0.5.
• 6745da6 GH-1667 - Upgrade to ArchUnit 1.4.2.
• d7e1983 GH-1666 - Upgrade to Spring Framework 7.0.7.
• ce6064b GH-1665 - Upgrade to Micrometer Tracing 1.6.5.
• 5b63b84 GH-1664 - Fix resubmission staleness property naming.
• d5a294f GH-1653 - Fix deletion of completed events in JdbcEventPublicationRepositoryV2.
• Additional commits viewable in compare view

Updates org.springdoc:springdoc-openapi-starter-webmvc-ui from 2.8.14 to 3.0.3

Release notes

Sourced from org.springdoc:springdoc-openapi-starter-webmvc-ui's releases.

springdoc-openapi v3.0.3 released!

Added

• #3246 – Add Springdoc OpenAPI MCP (Model Context Protocol) support
• #3256 – Auto-set nullable: true for Kotlin nullable types in schema properties
• #3239 – Add support for the @Range constraint validation annotation
• #3244 – Handle default values for LocalDate

Changed

• Upgrade Spring Boot to version 4.0.5
• Upgrade swagger-core to version 2.2.47
• Upgrade swagger-ui to version 5.32.2
• #3260 – @ConditionalOnClass(HateoasProperties.class) in SpringDocHateoasConfiguration
• Forwards all MCP non-transport headers to downstream methods
• Dynamically resolve the base path from window.location.pathname for MCP UI

Fixed

• #3258 – Setting API Version Required when using WebFlux breaks the Swagger UI
• #3259 – Annotated Generic properties getting applied to sibling properties
• #3255 – Direction enum: fixed visibility scope of group order so that setGroupsOrder method can be used
• #3247 – Preserve YAML group URLs in Swagger UI
• #3245 – Upgrade swagger-core from version 2.2.43 to 2.2.45
• #3235 – PropertyResolverUtils retains a JsonNode when reading an ExtensionProperty annotation
• #3226 – Propagate JsonView context when resolving Page<T> schema

New Contributors

• @​seregamorph made their first contribution in springdoc/springdoc-openapi#3260

Full Changelog: springdoc/springdoc-openapi@v3.0.2...v3.0.3

springdoc-openapi v3.0.2 released!

Added

• #3229 – Add support for Spring Framework API Versioning with Functional Endpoints
• #3208 – Add springdoc.swagger-ui.document-title property

Changed

• Upgrade Spring Boot to version 4.0.3
• Upgrade swagger-core to version 2.2.43
• Upgrade swagger-ui to version 5.32.0
• Upgrade Scalar to version 0.5.55

Fixed

• #3232 – Gracefully handle springdoc endpoint paths during API version resolution
• #3230 – Scalar source URLs resolve to null/<groupName> on second request when using GroupedOpenApi
• #3228 – springdoc-openapi-starter 3.x doesn't depend on org.springframework.boot:spring-boot-starter

... (truncated)

Changelog

Sourced from org.springdoc:springdoc-openapi-starter-webmvc-ui's changelog.

[3.0.3] - 2026-04-12

Added

• #3246 – Add Springdoc OpenAPI MCP (Model Context Protocol) support
• #3256 – Auto-set nullable: true for Kotlin nullable types in schema properties
• #3239 – Add support for the @Range constraint validation annotation
• #3244 – Handle default values for LocalDate

Changed

• Upgrade Spring Boot to version 4.0.5
• Upgrade swagger-core to version 2.2.47
• Upgrade swagger-ui to version 5.32.2
• #3260 – @ConditionalOnClass(HateoasProperties.class) in SpringDocHateoasConfiguration
• Forwards all MCP non-transport headers to downstream methods
• Dynamically resolve the base path from window.location.pathname for MCP UI

Fixed

• #3258 – Setting API Version Required when using WebFlux breaks the Swagger UI
• #3259 – Annotated Generic properties getting applied to sibling properties
• #3255 – Direction enum: fixed visibility scope of group order so that setGroupsOrder method can be used
• #3247 – Preserve YAML group URLs in Swagger UI
• #3245 – Upgrade swagger-core from version 2.2.43 to 2.2.45
• #3235 – PropertyResolverUtils retains a JsonNode when reading an ExtensionProperty annotation
• #3226 – Propagate JsonView context when resolving Page<T> schema

[3.0.2] - 2026-02-27

Added

• #3229 – Add support for Spring Framework API Versioning with Functional Endpoints
• #3208 – Add springdoc.swagger-ui.document-title property

Changed

• Upgrade Spring Boot to version 4.0.3
• Upgrade swagger-core to version 2.2.43
• Upgrade swagger-ui to version 5.32.0
• Upgrade Scalar to version 0.5.55

Fixed

• #3232 – Gracefully handle springdoc endpoint paths during API version resolution
• #3230 – Scalar source URLs resolve to null/<groupName> on second request when using GroupedOpenApi
• #3228 – springdoc-openapi-starter 3.x doesn't depend on org.springframework.boot:spring-boot-starter
• #3220 – Reachability metadata not compatible with GraalVM 25
• #3195 – Application won't compile when OpenApi and spring-boot-data-rest is present
• #3193 – OpenApi field in SpringDocConfigProperties does not comply with camel case naming conventions

... (truncated)

Commits

• 3c30283 [maven-release-plugin] prepare release v3.0.3
• 4184c05 update .gitignore
• 89745c2 CHANGELOG.md update
• 4d1a730 Merge pull request #3260 from seregamorph/SpringDocHateoasConfiguration-class...
• 54e7650 ConditionalOnClass (HateoasProperties.class) in SpringDocHateoasConfiguration
• 9f354b2 Spring-boot upgrade to version 4.0.5
• 14df32f Forwards all MCP non-transport headers, to downstream methods
• 3ee9a44 Forwards all MCP non-transport headers, to downstream methods
• df99408 upgrade swagger-ui to version 5.32.2
• 6ee70f4 upgrade swagger-api to version 2.2.47
• Additional commits viewable in compare view

Updates ca.uhn.hapi.fhir:hapi-fhir-base from 8.8.1 to 8.10.0

Updates ca.uhn.hapi.fhir:hapi-fhir-client from 8.8.1 to 8.10.0

Updates ca.uhn.hapi.fhir:hapi-fhir-client from 8.8.1 to 8.10.0

Updates ca.uhn.hapi.fhir:hapi-fhir-structures-r4 from 8.8.1 to 8.10.0

Updates org.apache.commons:commons-compress from 1.26.1 to 1.28.0

Changelog

Sourced from org.apache.commons:commons-compress's changelog.

Apache Commons Compress 1.28.0 Release Notes

The Apache Commons Compress team is pleased to announce the release of Apache Commons Compress 1.28.0.

Apache Commons Compress defines an API for working with compression and archive formats. These include bzip2, gzip, pack200, LZMA, XZ, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

This is a feature and maintenance release. Java 8 or later is required.

This release updates Apache Commons Lang to 3.18.0 to pick up the fix for CVE-2025-48924 (https://nvd.nist.gov/vuln/detail/CVE-2025-48924), but is not affected by it.

Changes in this version

Changes in this version include the following.

New Features

•        Add GzipParameters.getModificationInstant(). Thanks to Gary Gregory. 
  

•        Add GzipParameters.setModificationInstant(Instant). Thanks to Gary Gregory. 
  

•        Add GzipParameters.OS, setOS(OS), getOS(). Thanks to Gary Gregory. 
  

•        Add GzipParameters.toString(). Thanks to Gary Gregory. 
  

• COMPRESS-638: Add GzipParameters.setFileNameCharset(Charset) and getFileNameCharset() to override the default ISO-8859-1 Charset #602. Thanks to vincexjl, Gary Gregory, Piotr P. Karwasz.

•        Add support for gzip extra subfields, see GzipParameters.setExtra(HeaderExtraField) [#604](https://github.com/apache/commons-compress/issues/604). Thanks to ddeschenes-1, Gary Gregory. 
  

•        Add CompressFilterOutputStream and refactor to use. Thanks to Gary Gregory. 
  

•        Add ZipFile.stream(). Thanks to Gary Gregory. 
  

•        GzipCompressorInputStream reads the modification time (MTIME) and stores its value incorrectly multiplied by 1,000. Thanks to Danny Deschenes, Gary Gregory. 
  

•        GzipCompressorInputStream writes the modification time (MTIME) the value incorrectly divided by 1,000. Thanks to Danny Deschenes, Gary Gregory. 
  

•        Add optional FHCRC to GZIP header [#627](https://github.com/apache/commons-compress/issues/627). Thanks to Danny Deschenes, Gary Gregory. 
  

•        Add GzipCompressorInputStream.Builder allowing to customize the file name and comment Charsets. Thanks to Gary Gregory. 
  

•        Add GzipCompressorInputStream.Builder.setOnMemberStart(IOConsumer) to monitor member parsing. Thanks to Gary Gregory. 
  

•        Add GzipCompressorInputStream.Builder.setOnMemberEnd(IOConsumer) to monitor member parsing. Thanks to Gary Gregory. 
  

•        Add PMD check to default Maven goal. Thanks to Gary Gregory. 
  

•        Add SevenZFile.Builder.setMaxMemoryLimitKiB(int). Thanks to Gary Gregory. 
  

•        Add MemoryLimitException.MemoryLimitException(long, int, Throwable) and deprecate MemoryLimitException.MemoryLimitException(long, int, Exception). Thanks to Gary Gregory. 
  

• COMPRESS-692: Add support for zstd compression in zip archives. Thanks to Mehmet Karaman, Andrey Loskutov, Gary Gregory.

•        Add support for XZ compression in ZIP archives. Thanks to Gary Gregory. 
  

• COMPRESS-695: Add ZipArchiveInputStream.createZstdInputStream(InputStream) to provide a different InputStream implementation for Zstandard (Zstd) #649. Thanks to Gary Gregory.

•        Add org.apache.commons.compress.harmony.pack200.Pack200Exception.Pack200Exception(String, Throwable). Thanks to Gary Gregory. 
  

• COMPRESS-697: Move BitStream.nextBit() method to BitInputStream #663. Thanks to Fredrik Kjellberg, Gary Gregory.

•        Add org.apache.commons.compress.compressors.lzma.LZMACompressorInputStream.builder/Builder(). Thanks to Gary Gregory. 
  

•        Add org.apache.commons.compress.compressors.lzma.LZMACompressorOutputStream.builder/Builder(). Thanks to Gary Gregory. 
  

•        Add org.apache.commons.compress.compressors.xz.XZCompressorInputStream.builder/Builder(). Thanks to Gary Gregory. 
  

•        Add org.apache.commons.compress.compressors.xz.XZCompressorOutputStream.builder/Builder(). Thanks to Gary Gregory. 
  

•        Add org.apache.commons.compress.compressors.xz.ZstdCompressorOutputStream.builder/Builder() [#666](https://github.com/apache/commons-compress/issues/666). Thanks to Gary Gregory, David Walluck, Piotr P. Karwasz. 
  

•        Add org.apache.commons.compress.compressors.xz.ZstdConstants [#666](https://github.com/apache/commons-compress/issues/666). Thanks to Gary Gregory, David Walluck, Piotr P. Karwasz. 
  

... (truncated)

Commits

• 852d9c2 Prepare for the release candidate 1.28.0 RC1
• f5eb9e2 Prepare for the next release candidate
• 36f204c Camel case parameter name
• 4c04e4a Use final
• 6cb7da1 Javadoc
• 563c9d2 Javadoc
• ce73bd8 Javadoc
• a464ae9 Better parameter names
• c0b2b84 Add TODO for next major version
• c76bc97 Use OpenVEX to document that we are not affected by CVE-2025-48924 in
• Additional commits viewable in compare view

Updates org.apache.maven.plugins:maven-enforcer-plugin from 3.6.2 to 3.6.3

Release notes

Sourced from org.apache.maven.plugins:maven-enforcer-plugin's releases.

3.6.3

🚀 New features and improvements

• Make bannedDependencies report root and transitive dependency in case both are banned. (#940) @​hvoynov
• Add enforceBytecodeVersion rule based on mojohaus (#968) @​cstamas
• Improve formatting of deprecated API warning (#951) @​mthmulders

🐛 Bug Fixes

• Fix handling of Java versions like 21.0.10.0.1 (#967) @​parttimenerd
• Add null checks for modelId in PluginWrapper (#974) @​cpfeiffer

📝 Documentation updates

• Document the banMavenDefaults option for the requirePluginVersions rule. (#936) @​rpkrajewski

👻 Maintenance

• PlexusStringUtils Refaster recipes (#943) @​slachiewicz
• JUnit Jupiter migration from JUnit 4.x (#941) @​slachiewicz

📦 Dependency updates

• Bump org.apache.logging.log4j:log4j-core from 2.25.3 to 2.25.4 in /maven-enforcer-plugin/src/it/projects/MENFORCER-434 (#970) @dependabot[bot]
• Deps: Parent POM 48 and align deps (#979) @​cstamas
• Bump commons-codec:commons-codec from 1.21.0 to 1.22.0 (#976) @dependabot[bot]
• Bump commons-io:commons-io from 2.21.0 to 2.22.0 (#975) @dependabot[bot]
• Bump mavenVersion from 3.9.14 to 3.9.15 (#973) @dependabot[bot]
• Bump mavenVersion from 3.9.13 to 3.9.14 (#965) @dependabot[bot]
• Bump mavenVersion from 3.9.12 to 3.9.13 (#964) @dependabot[bot]
• Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness from 3.5.0 to 3.5.1 (#963) @dependabot[bot]
• Update log4j in test to avoid CVE (#961) @​Bukama
• Bump commons-codec:commons-codec from 1.20.0 to 1.21.0 (#962) @dependabot[bot]
• Bump org.assertj:assertj-core from 3.27.6 to 3.27.7 (#960) @dependabot[bot]
• Bump org.codehaus.mojo:mrm-maven-plugin from 1.7.0 to 1.7.1 (#959) @dependabot[bot]
• Bump org.apache.maven:maven-parent from 46 to 47 (#958) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-archiver from 4.10.4 to 4.11.0 (#957) @dependabot[bot]
• Update to 46 including fixes (#955) @​Bukama
• Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness from 3.3.0 to 3.5.0 (#956) @dependabot[bot]
• Bump mavenVersion from 3.9.11 to 3.9.12 (#948) @dependabot[bot]
• Bump org.apache.commons:commons-lang3 from 3.19.0 to 3.20.0 (#947) @dependabot[bot]
• Bump commons-io:commons-io from 2.20.0 to 2.21.0 (#946) @dependabot[bot]
• Bump commons-codec:commons-codec from 1.19.0 to 1.20.0 (#945) @dependabot[bot]

Commits

• c7daff3 [maven-release-plugin] prepare release enforcer-3.6.3
• ee46e78 Make bannedDependencies report root and transitive dependency in case both ar...
• 0806924 Document the banMavenDefaults option for the requirePluginVersions rule. (#936)
• 8e4f5b9 Add better enforceBytecodeVersion rule based on mojohaus (#968)
• fd4b148 Add fix for 21.0.10.0.1 issue (#967)
• f32d597 Deps: Parent POM 48 and align deps (#979)
• df0f2a6 Bump commons-codec:commons-codec from 1.21.0 to 1.22.0 (#976)
• 2da7a68 Add null checks for modelId in PluginWrapper
• 91eb4d9 Bump commons-io:commons-io from 2.21.0 to 2.22.0 (#975)
• b622245 Bump mavenVersion from 3.9.14 to 3.9.15 (#973)
• Additional commits viewable in compare view

Updates com.spotify.fmt:fmt-maven-plugin from 2.25 to 2.29

Release notes

Sourced from com.spotify.fmt:fmt-maven-plugin's releases.

2.27.0

What's Changed

• Update workflow with new versions by @​andreasfolkesson in spotify/fmt-maven-plugin#201
• Upgrade Google Java Format 1.24.0 -> 1.26.0 by @​vladimirconev in spotify/fmt-maven-plugin#198

New Contributors

• @​andreasfolkesson made their first contribution in spotify/fmt-maven-plugin#201
• @​vladimirconev made their first contribution in spotify/fmt-maven-plugin#198

Full Changelog: spotify/fmt-maven-plugin@2.25...2.27.0

Commits

• 8fb8646 [maven-release-plugin] prepare release 2.29.0
• f52caf7 Add more options
• 4f745a6 Updated documentation
• a75ee04 Support more options from google formatter
• e213b84 [maven-release-plugin] prepare for next development iteration
• cda1940 [maven-release-plugin] prepare release 2.28.0
• e98d9f5 Update root version
• 3d799cc docs: Recommend fixing google-java-format version on README (#202)
• b1db971 [maven-release-plugin] rollback the release of 2.28.0
• f3ca8e0 [maven-release-plugin] prepare for next development iteration
• Additional commits viewable in compare view

Updates io.github.git-commit-id:git-commit-id-maven-plugin from 9.1.0 to 10.0.0

Release notes

Sourced from io.github.git-commit-id:git-commit-id-maven-plugin's releases.

Version 10.0.0 is finally there and includes various bug-fixes and improvements :-)

⚠️ This is a potentially breaking release. Read the release-notes carefully ⚠️

Potential Breaking changes:

The main key-aspects that might cause a breakage when migrating to the new version:

• #913 / #914: Require Maven 3.9.0 [Maven 3.6.3 is EOL] ⚠️

Getting the latest release

The plugin is available from Maven Central (see here), so you don't have to configure any additional repositories to use this plugin. All you need to do is to configure it inside your project as dependency:

<dependency>
    <groupId>io.github.git-commit-id</groupId>
    <artifactId>git-commit-id-maven-plugin</artifactId>
    <version>10.0.0</version>
</dependency>

Getting the latest snapshot (build automatically)

If you can't wait for the next release, you can also get the latest snapshot version from sonatype, that is being deployed automatically by github actions:

<pluginRepositories>
    <pluginRepository>
        <id>sonatype-snapshots</id>
        <name>Sonatype Snapshots</name>
         <url>https://s01.oss.sonatype.org/content/repositories/snapshots/</url>
    </pluginRepository>
</pluginRepositories>

Even though the github actions will only deploy a new snapshot once all tests have finished, it is recommended to rely on the released and more stable version.

Known Issues / Limitations:

• This plugin is unfortunately not working with Heroku which is due to the fact how Heroku works. In summary Heroku does not copy over the .git-repository but in order to determine the git properties this plugin relies on the fact that it has access to the git-repository. A somewhat workaround to get some information is outlined in ktoso/maven-git-commit-id-plugin#279
• Using maven's plugin prefix resolution (e.g. mvn com.test.plugins:myPlugin:myMojo) might result in unresolved properties even with <injectAllReactorProjects>true</injectAllReactorProjects>. Please refer to git-commit-id/maven-git-commit-id-plugin#287 or git-commit-id/maven-git-commit-id-plugin#413 for details and potential workarounds

Reporting Problems

If you find any problem with this plugin, feel free to report it here

Full Changelog: git-commit-id/git-commit-id-maven-plugin@v9.2.0...v10.0.0

Version 9.2.0 is finally there and includes various Description has been truncated

[dependabot]

Labels

The following labels could not be found: java. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.