[CORE-69]: Bump the minor-patch-dependencies group across 1 directory with 21 updates #167

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/gradle/main/minor-patch-dependencies-d26544dc55
dependabot[bot] commented on behalf of github on Jul 1, 2026

Bumps the minor-patch-dependencies group with 20 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| com.google.guava:guava | 33.5.0-jre | 33.6.0-jre |
| com.fasterxml.jackson.core:jackson-databind | 2.20.1 | 2.22.0 |
| org.postgresql:postgresql | 42.7.8 | 42.7.12 |
| org.springframework.boot:spring-boot-starter-data-jdbc | 3.5.12 | 3.5.16 |
| org.springframework.boot:spring-boot-starter-web | 3.5.12 | 3.5.16 |
| org.springframework.boot:spring-boot-starter-validation | 3.5.12 | 3.5.16 |
| org.springframework.boot:spring-boot-starter-thymeleaf | 3.5.12 | 3.5.16 |
| org.springframework.boot:spring-boot-configuration-processor | 3.5.12 | 3.5.16 |
| org.springframework.boot:spring-boot-starter-test | 3.5.12 | 3.5.16 |
| org.springframework.boot:spring-boot-starter-actuator | 3.5.12 | 3.5.16 |
| org.springframework.retry:spring-retry | 2.0.12 | 2.0.13 |
| io.sentry:sentry-spring-boot-starter | 8.29.0 | 8.46.0 |
| ch.qos.logback:logback-classic | 1.5.23 | 1.5.37 |
| org.slf4j:slf4j-simple | 2.0.17 | 2.0.18 |
| org.jacoco:org.jacoco.agent | 0.8.14 | 0.8.15 |
| io.micrometer:micrometer-registry-prometheus | 1.16.1 | 1.17.0 |
| com.diffplug.spotless:spotless-plugin-gradle | 8.1.0 | 8.8.0 |
| de.undercouch.download:de.undercouch.download.gradle.plugin | 5.6.0 | 5.7.0 |
| org.springframework.boot:spring-boot-gradle-plugin | 3.5.7 | 3.5.16 |
| org.yaml:snakeyaml | 2.5 | 2.6 |

Updates com.google.guava:guava from 33.5.0-jre to 33.6.0-jre

Release notes

Sourced from com.google.guava:guava's releases.

33.6.0

Maven

<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
  <version>33.6.0-jre</version>
  <!-- or, for Android: -->
  <version>33.6.0-android</version>
</dependency>

Jar files

Guava requires one runtime dependency, which you can download here:

Javadoc

JDiff

Changelog

  • Migrated some classes from finalize() to PhantomReference in preparation for the removal of finalization. (786b619dd6, 7c6b17c, aeef90988d)
  • cache: Deprecated CacheBuilder APIs that use TimeUnit in favor of those that use Duration. (73f8b0bb84)
  • collect: Added toImmutableSortedMap collectors that use the natural comparator. (64d70b9f94)
  • collect: Changed ConcurrentHashMultiset, ImmutableMap and TreeMultiset deserialization to avoid mutating final fields. In extremely unlikely scenarios in which an instance of that type contains an object that refers back to that instance, this could lead to a broken instance that throws NullPointerException when used. (8240c7e596, 046468055f)
  • graph: Removed @Beta from all APIs in the package. (dae9566b73)
  • graph: Added support to Graphs.transitiveClosure() for different strategies for adding self-loops. (2e13df25b2)
  • graph: Added an asNetwork() view to Graph and ValueGraph. (909c593c61)
  • hash: Added BloomFilter.serializedSize(). (df9bcc251a)
  • net: Added HttpHeaders.CDN_CACHE_CONTROL. (75331b5030)
Commits

Updates com.fasterxml.jackson.core:jackson-databind from 2.20.1 to 2.22.0

Commits

Updates org.postgresql:postgresql from 42.7.8 to 42.7.12

Release notes

Sourced from org.postgresql:postgresql's releases.

v42.7.12: security

Silent channel-binding authentication downgrade (CVE-2026-54291)

channelBinding=require connections can be silently downgraded from SCRAM-SHA-256-PLUS (with channel binding) to plain SCRAM-SHA-256 (without it), losing the man-in-the-middle protection the setting is meant to guarantee. An attacker who can intercept the TLS connection triggers the downgrade with a certificate whose signature algorithm has no tls-server-end-point channel-binding hash. Examples are Ed25519, Ed448, and post-quantum algorithms.

Two issues combine in releases 42.7.4 through 42.7.11:

The bundled com.ongres.scram:scram-client (3.1 or 3.2) returns an empty byte array instead of failing when it cannot derive the binding hash for such a certificate. This is the library issue tracked as GHSA-p9jg-fcr6-3mhf.

pgJDBC does not enforce channelBinding=require where it matters. ScramAuthenticator checks only that the server advertised a -PLUS mechanism; it neither rejects the empty binding nor checks that the negotiated mechanism uses channel binding. The connection therefore downgrades silently.

Only connections that set channelBinding=require are affected. Under the default prefer policy, and under allow or disable, falling back to plain SCRAM is the documented behaviour.

Releases before 42.7.4 are unaffected, because they do not support channel binding.

v42.7.11

Security

  • fix: Limit SCRAM PBKDF2 iterations accepted from the server. pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins. See the Security Advisory for more detail. The following CVE-2026-42198 has been issued.

Changes

🐛 Bug Fixes

  • fix: ensure extended protocol messages end with Sync message @vlsi (#3728)
  • fix: enable cursor-based fetching in extended protocol when transaction started via SQL command @vlsi (#3996)
  • fix: retry with SSL on IOException when sslMode=ALLOW @vlsi (#3973)
  • fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in @vlsi (#3968)
  • fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers @vlsi (#3962)
  • fix: use compareTo for LogSequenceNumber comparison @vlsi (#3961)

... (truncated)

Changelog

Sourced from org.postgresql:postgresql's changelog.

[42.7.12] (2026-xx-xx)

Security

Added

  • feat: reWriteBatchedInserts now merges up to 32768 rows into one multi-values INSERT (bounded by the 65535 bind-parameter limit on the extended protocol) instead of capping at 128, which speeds up batches of few-column rows. The new reWriteBatchedInsertsSize connection property lowers that cap when set; the default of 0 uses that maximum.
  • feat: invalidate the prepared-statement cache after CREATE/DROP/ALTER so callers no longer trip on "cached plan must not change result type" without opting into autosave=ALWAYS. Controlled by the new flushCacheOnDdl connection property (default true); set to false for the prior behaviour.
  • feat: add connectExecutor connection property to customize the Executor used to run the worker task that performs the connection attempt when loginTimeout is in effect. The value is the fully qualified name of a class implementing java.util.concurrent.Executor. With a null value, the default, the driver retains the prior behavior of running the connection attempt on a daemon thread named "PostgreSQL JDBC driver connection thread". The executor must run the task on a thread other than the caller's. Running the attempt on a named thread lets applications that monitor driver-created threads identify it.
  • feat: add connectThreadFactory connection property to customize the ThreadFactory used to spawn the worker thread that runs the connection attempt when loginTimeout is in effect. The value is the fully qualified name of a class implementing java.util.concurrent.ThreadFactory. With a null value, the default, the driver retains the prior behavior of using a daemon thread named "PostgreSQL JDBC driver connection thread". Useful for testing timeout behaviour or for applications that want detailed control of all driver-created threads.
  • feat: add classLoaderStrategy connection property to control which classloaders the driver searches when loading a class named by a connection property, for example socketFactory. The default driver-first now falls back to the thread context classloader when the driver's classloader cannot resolve the class, which fixes class loading in non-flat class paths such as Quarkus and OSGi. Set driver to keep the previous driver-classloader-only behaviour, or context-first to prefer the thread context classloader [Issue #2112](pgjdbc/pgjdbc#2112)

Changed

  • refactor: the worker that runs the connection attempt under loginTimeout is now a FutureTask (ConnectTask) instead of the hand-rolled ConnectThread. When the caller hits the timeout, the task is now cancelled with cancel(true), which interrupts the worker thread rather than letting it run to completion. This makes the connection attempt interruptible, so loginTimeout can stop a slow connection attempt instead of leaking a thread. As before, a connection that the worker still manages to establish after the caller gives up is closed by the worker so that it does not leak. There are no public API changes and this should only lead to faster background resource cleanup for connections that time out.
  • chore: PGXAConnection.ConnectionHandler now rejects setAutoCommit(false) and setSavepoint(...) during an active XA branch, in addition to the long-rejected setAutoCommit(true) / commit() / rollback(). The setSavepoint rejection was already meant to be in place but the guard misspelled the method name as setSavePoint, so savepoints silently went through. Both changes bring the proxy in line with JTA 1.2 §3.4.
  • chore: commitPrepared / rollback-of-prepared now return XAER_RMFAIL instead of XAER_RMERR when the underlying connection is left in a non-idle TransactionState. Transaction managers (Geronimo, Narayana, Atomikos) treat XAER_RMFAIL as retryable on a fresh XAResource; the prepared transaction is no longer abandoned.

Fixed

  • fix: the published GitHub release now ships the released postgresql-<version>.jar and its detached PGP signature, taken from the same signed build that is uploaded to Maven Central, instead of a leftover SNAPSHOT jar [Issue #3812](pgjdbc/pgjdbc#3812) [PR #3814](pgjdbc/pgjdbc#3814)
  • fix: simplify the Statement#cancel state machine by dropping the redundant CANCELLED state. killTimerTask now waits for the state to return to IDLE directly, which removes a spin-forever case when more than one thread observes the cancel completing [PR #1827](pgjdbc/pgjdbc#1827).
  • perf: defer simple-query flushes until the driver reads the response, allowing BEGIN and the following query to share a network flush [Issue #3894](pgjdbc/pgjdbc#3894)
  • fix: reWriteBatchedInserts no longer throws IllegalArgumentException when batching a parameterless INSERT (for example INSERT INTO t VALUES (1, 2)) of 256 rows or more.
  • fix: a comment before CALL in a CallableStatement no longer hides the native call, so OUT parameter registration works for /* comment */ call proc(?, ?) and similar. Parser.modifyJdbcCall now skips leading whitespace and SQL comments (both -- and /* */) before the call, tolerates a trailing comment after a { ... } escape, and no longer adds a spurious comma when moving an OUT parameter into a call whose arguments are only a comment [Issue #2538](pgjdbc/pgjdbc#2538)
  • fix: PreparedStatement.toString() no longer throws for a bytea value supplied as text via PGobject. Hex-format values (\x...) are validated and rendered as a bytea literal, and escape-format values are quoted and cast like any other literal [Issue #3757](pgjdbc/pgjdbc#3757)
  • fix: the driver no longer nulls the contextClassLoader of shared ForkJoinPool.commonPool() worker threads, which previously left unrelated tasks on those threads running with a null classloader [Issue #4155](pgjdbc/pgjdbc#4155)
  • fix: getCharacterStream wraps String in StringReader [PR #4063](pgjdbc/pgjdbc#4063)
  • fix: PGXAConnection no longer saves and restores the underlying connection's JDBC autoCommit flag. All XA-protocol SQL (BEGIN, PREPARE TRANSACTION, COMMIT, ROLLBACK, COMMIT PREPARED, ROLLBACK PREPARED, the recover() SELECT) is sent through QUERY_SUPPRESS_BEGIN, so the caller's autoCommit value is invariant across every XAResource call. Fixes the "2nd phase commit must be issued using an idle connection" failure during recovery on managed datasources that pool connections with autoCommit=false (TomEE, WildFly, WebSphere Liberty).
  • fix: PGXAConnection.prepare() now mutates XA state only after PREPARE TRANSACTION succeeds. A failed PREPARE previously left the driver thinking the branch was already prepared, so the follow-up rollback(xid) tried ROLLBACK PREPARED against a non-existent gid and returned XAER_RMERR. Transaction managers (Narayana) escalated this to HeuristicMixedException. With the fix, rollback(xid) takes the active-branch path and issues a plain ROLLBACK, which the server accepts cleanly. Fixes [Issue #3153](pgjdbc/pgjdbc#3153), [Issue #3123](pgjdbc/pgjdbc#3123).
  • fix: an updatable result set over an unqualified table name is now classified using only the table visible through search_path. When two schemas held a table with the same name and the same primary or unique index name but a different set of key columns, the driver took the union of both schemas' columns, so the result set could be wrongly rejected as not updatable [PR #4214](pgjdbc/pgjdbc#4214). Supersedes [PR #3400](pgjdbc/pgjdbc#3400).

[42.7.11] (2026-04-28)

Security

  • fix: Limit SCRAM PBKDF2 iterations accepted from the server. pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins. See the Security Advisory for more detail. The following CVE-2026-42198 has been issued.

Added

Changed

Fixed

... (truncated)

Commits
  • 77df98e Merge commit from fork
  • 68c53a4 chore: bump version to 42.7.12
  • 78e261f fix: Add sources and javadocs to shaded published lib generation
  • 1e09fa0 update Changelog and website for release of 42.7.11 (#4042)
  • d479fa5 Fix scram fix location in changelog and update published artifact developer l...
  • b04fc46 docs: Add scram max iters fix to changelog
  • cf54822 test: Disable scram test on older version without scram_iterations GUC
  • 7dbcc79 test: Add SCRAM max iteration tests
  • c9d41d1 fix: Limit SCRAM PBKDF2 iterations accepted from the server
  • a340cb2 style: replace @exception with @throws in getBoolean javadoc
  • Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-starter-data-jdbc from 3.5.12 to 3.5.16

Release notes

Sourced from org.springframework.boot:spring-boot-starter-data-jdbc's releases.

v3.5.16

🔨 Dependency Upgrades

v3.5.15

🐞 Bug Fixes

  • Artemis auto-configuration uses a predictable default location for the embedded broker's data #50743
  • MailSender auto-configuration does not enable hostname verification #50742
  • SSL should not be enabled when a SSL bundle is overridden to an empty string #50624
  • Layer written outside the output location of '//' exception is thrown when using extract layers in root directory #50501
  • Docker Compose support does not restore thread interrupt flag when catching InterruptedException #50451
  • RabbitProperties enables SSL even when spring.rabbitmq.ssl.bundle is overridden to an empty string #50429
  • GraphQL WebSocket support does not configure allowed origins #50391
  • Buildpack module does not validate long-to-int casts #50382
  • MappingsEndpoint reports the context's own ID as parentId when a parent exists #50373
  • Created StackTracePrinter instances have no access to the Environment #50303
  • NullPointerException in reactor-netty SniProvider when SSL bundle uses client-auth or server truststore without server-name-bundles #50301
  • Spring Boot Loader Does Not Support RSA and EC Signed Jars #50292
  • ConfigurationPropertiesReportEndpoint exposes AOP proxy internals #50273
  • Actuator's '/cloudfoundryapplication' endpoint does not work if restrictive CORS configuration is provided using a bean named corsConfigurationSource #50254
  • Meter registries are not removed from the global registry when the context is closed #50235
  • ThreadPoolTaskScheduleBuilder unnecessarily loses precision when configuring await termination time #50225
  • Apply HTML escaping to timestamp attribute in Whitelabel error page #50205
  • NimbusJwtDecoder silently accepts unknown values for spring.security.oauth2.resourceserver.jwt.jws-algorithms #50118
  • EndpointRequest links matcher unnecessarily matches HTTP methods other than GET #50095

📔 Documentation

  • Fix reference to Gradle documentation for module replacement #50641
  • Remove the use of Optional from Data Neo4j repository examples #50600
  • Fix typos in documentation #50593
  • Document Java 25 requirement for AOT cache #50482
  • Clarify dependency requirement for Bean Validation support #50290
  • Document SSL reloading with Let's Encrypt #50222
  • Polish InvalidConfigurationPropertyValueException constructor javadoc #50212
  • Document known testcontainers lifecycle issues #50210
  • Document configuring multiple connectors with Jetty #50206
  • Fix typo in Spring Security OAuth2 client registration documentation #50193

🔨 Dependency Upgrades

... (truncated)

Commits
  • 0566f69 Release v3.5.16
  • 93edd16 Next development version (v3.5.16-SNAPSHOT)
  • 5bafd0a Upgrade to Spring Integration 6.5.10
  • baf3290 Upgrade to Spring AMQP 3.2.12
  • 2c5964a Upgrade to Spring Data Bom 2025.0.13
  • dbb08aa Upgrade Antora dependencies
  • 9b281d5 Upgrade to actions/checkout 7.0.0
  • a854058 Upgrade to jfrog/setup-jfrog-cli 5.1.0
  • fc236ae Start building against Spring Integration 6.5.10 snapshots
  • 5271da7 Start building against Spring Data Bom 2025.0.13 snapshots
  • Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-starter-web from 3.5.12 to 3.5.16

Updates org.springframework.boot:spring-boot-starter-validation from 3.5.12 to 3.5.16

Updates org.springframework.boot:spring-boot-starter-thymeleaf from 3.5.12 to 3.5.16

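The two conditions in the pgJDBC CVE-2026-54291 note quoted above (a binding hash that comes back empty instead of failing, and a `channelBinding=require` check that looks only at the advertised mechanisms) are modelled below as an added Java example; it is not pgJDBC or scram-client code. The class and method names and the certificate bytes are constructed for illustration, and the hash selection follows the tls-server-end-point rule of RFC 5929.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Illustrative model only; names are hypothetical and not taken from pgJDBC.
public class ChannelBindingRequireDemo {
    static final String PLAIN = "SCRAM-SHA-256";
    static final String PLUS = "SCRAM-SHA-256-PLUS";

    /** RFC 5929 tls-server-end-point hash for a JCA signature algorithm name, or null if undefined. */
    static String endPointHash(String sigAlgName) {
        String alg = sigAlgName.toUpperCase(Locale.ROOT);
        int with = alg.indexOf("WITH");
        if (with <= 0) {
            return null; // Ed25519, Ed448, ...: the name carries no digest to reuse
        }
        switch (alg.substring(0, with)) {
            case "MD5":
            case "SHA1":
                return "SHA-256"; // RFC 5929 replaces MD5 and SHA-1 with SHA-256
            case "SHA224": return "SHA-224";
            case "SHA256": return "SHA-256";
            case "SHA384": return "SHA-384";
            case "SHA512": return "SHA-512";
            default: return null; // unknown digest: treat as "no binding available"
        }
    }

    /** Models the lenient library behaviour from the advisory: empty array instead of an error. */
    static byte[] bindingData(String sigAlgName, byte[] certDer) throws NoSuchAlgorithmException {
        String hash = endPointHash(sigAlgName);
        return hash == null ? new byte[0] : MessageDigest.getInstance(hash).digest(certDer);
    }

    /** The mechanism a client ends up with: -PLUS only if offered and a binding exists. */
    static String choose(List<String> advertised, byte[] binding) {
        return advertised.contains(PLUS) && binding.length > 0 ? PLUS : PLAIN;
    }

    /** Flow as the advisory describes it: "require" only checks what the server advertised. */
    static String negotiateLenient(boolean require, List<String> advertised, byte[] binding) {
        if (require && !advertised.contains(PLUS)) {
            throw new IllegalStateException("server does not offer " + PLUS);
        }
        return choose(advertised, binding); // may silently return the plain mechanism
    }

    /** Fail-closed flow: "require" rejects an empty binding and any non-PLUS outcome. */
    static String negotiateFailClosed(boolean require, List<String> advertised, byte[] binding) {
        String chosen = choose(advertised, binding);
        if (require && binding.length == 0) {
            throw new IllegalStateException("no tls-server-end-point hash for server certificate");
        }
        if (require && !PLUS.equals(chosen)) {
            throw new IllegalStateException("negotiated " + chosen + " has no channel binding");
        }
        return chosen;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed stand-in for the DER bytes of the server certificate.
        byte[] certDer = "constructed placeholder certificate".getBytes(StandardCharsets.US_ASCII);
        List<String> advertised = Arrays.asList(PLUS, PLAIN);
        for (String sigAlg : new String[] {"SHA256withRSA", "SHA1withRSA", "Ed25519"}) {
            byte[] binding = bindingData(sigAlg, certDer);
            String strict;
            try {
                strict = negotiateFailClosed(true, advertised, binding);
            } catch (IllegalStateException e) {
                strict = "rejected (" + e.getMessage() + ")";
            }
            System.out.printf("%-14s lenient=%-18s fail-closed=%s%n",
                    sigAlg, negotiateLenient(true, advertised, binding), strict);
        }
    }
}
```

For the Ed25519 row the lenient flow returns plain SCRAM-SHA-256 even though `require` was requested, while the fail-closed flow aborts the connection attempt.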

… with 21 updates

Bumps the minor-patch-dependencies group with 20 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [com.google.guava:guava](https://github.com/google/guava) | `33.5.0-jre` | `33.6.0-jre` |
| [com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson) | `2.20.1` | `2.22.0` |
| [org.postgresql:postgresql](https://github.com/pgjdbc/pgjdbc) | `42.7.8` | `42.7.12` |
| [org.springframework.boot:spring-boot-starter-data-jdbc](https://github.com/spring-projects/spring-boot) | `3.5.12` | `3.5.16` |
| [org.springframework.boot:spring-boot-starter-web](https://github.com/spring-projects/spring-boot) | `3.5.12` | `3.5.16` |
| [org.springframework.boot:spring-boot-starter-validation](https://github.com/spring-projects/spring-boot) | `3.5.12` | `3.5.16` |
| [org.springframework.boot:spring-boot-starter-thymeleaf](https://github.com/spring-projects/spring-boot) | `3.5.12` | `3.5.16` |
| [org.springframework.boot:spring-boot-configuration-processor](https://github.com/spring-projects/spring-boot) | `3.5.12` | `3.5.16` |
| [org.springframework.boot:spring-boot-starter-test](https://github.com/spring-projects/spring-boot) | `3.5.12` | `3.5.16` |
| [org.springframework.boot:spring-boot-starter-actuator](https://github.com/spring-projects/spring-boot) | `3.5.12` | `3.5.16` |
| [org.springframework.retry:spring-retry](https://github.com/spring-projects/spring-retry) | `2.0.12` | `2.0.13` |
| [io.sentry:sentry-spring-boot-starter](https://github.com/getsentry/sentry-java) | `8.29.0` | `8.46.0` |
| [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) | `1.5.23` | `1.5.37` |
| org.slf4j:slf4j-simple | `2.0.17` | `2.0.18` |
| [org.jacoco:org.jacoco.agent](https://github.com/jacoco/jacoco) | `0.8.14` | `0.8.15` |
| [io.micrometer:micrometer-registry-prometheus](https://github.com/micrometer-metrics/micrometer) | `1.16.1` | `1.17.0` |
| [com.diffplug.spotless:spotless-plugin-gradle](https://github.com/diffplug/spotless) | `8.1.0` | `8.8.0` |
| [de.undercouch.download:de.undercouch.download.gradle.plugin](https://github.com/michel-kraemer/gradle-download-task) | `5.6.0` | `5.7.0` |
| [org.springframework.boot:spring-boot-gradle-plugin](https://github.com/spring-projects/spring-boot) | `3.5.7` | `3.5.16` |
| [org.yaml:snakeyaml](https://bitbucket.org/snakeyaml/snakeyaml) | `2.5` | `2.6` |



Updates `com.google.guava:guava` from 33.5.0-jre to 33.6.0-jre
- [Release notes](https://github.com/google/guava/releases)
- [Commits](https://github.com/google/guava/commits)

Updates `com.fasterxml.jackson.core:jackson-databind` from 2.20.1 to 2.22.0
- [Commits](https://github.com/FasterXML/jackson/commits)

Updates `org.postgresql:postgresql` from 42.7.8 to 42.7.12
- [Release notes](https://github.com/pgjdbc/pgjdbc/releases)
- [Changelog](https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md)
- [Commits](pgjdbc/pgjdbc@REL42.7.8...REL42.7.12)

Updates `org.springframework.boot:spring-boot-starter-data-jdbc` from 3.5.12 to 3.5.16
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.12...v3.5.16)

Updates `org.springframework.boot:spring-boot-starter-web` from 3.5.12 to 3.5.16
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.12...v3.5.16)

Updates `org.springframework.boot:spring-boot-starter-validation` from 3.5.12 to 3.5.16
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.12...v3.5.16)

Updates `org.springframework.boot:spring-boot-starter-thymeleaf` from 3.5.12 to 3.5.16
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.12...v3.5.16)

Updates `org.springframework.boot:spring-boot-configuration-processor` from 3.5.12 to 3.5.16
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.12...v3.5.16)

Updates `org.springframework.boot:spring-boot-starter-test` from 3.5.12 to 3.5.16
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.12...v3.5.16)

Updates `org.springframework.boot:spring-boot-starter-actuator` from 3.5.12 to 3.5.16
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.12...v3.5.16)

Updates `org.springframework.boot:spring-boot-starter-web` from 3.5.12 to 3.5.16
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.12...v3.5.16)

Updates `org.springframework.boot:spring-boot-starter-validation` from 3.5.12 to 3.5.16
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.12...v3.5.16)

Updates `org.springframework.boot:spring-boot-starter-thymeleaf` from 3.5.12 to 3.5.16
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.12...v3.5.16)

Updates `org.springframework.retry:spring-retry` from 2.0.12 to 2.0.13
- [Release notes](https://github.com/spring-projects/spring-retry/releases)
- [Commits](spring-projects/spring-retry@v2.0.12...v2.0.13)

Updates `io.sentry:sentry-spring-boot-starter` from 8.29.0 to 8.46.0
- [Release notes](https://github.com/getsentry/sentry-java/releases)
- [Changelog](https://github.com/getsentry/sentry-java/blob/main/CHANGELOG.md)
- [Commits](getsentry/sentry-java@8.29.0...8.46.0)

Updates `ch.qos.logback:logback-classic` from 1.5.23 to 1.5.37
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.23...v_1.5.37)

Updates `ch.qos.logback:logback-core` from 1.5.23 to 1.5.37
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.23...v_1.5.37)

Updates `org.springframework.boot:spring-boot-configuration-processor` from 3.5.12 to 3.5.16
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.12...v3.5.16)

Updates `org.slf4j:slf4j-simple` from 2.0.17 to 2.0.18

Updates `org.jacoco:org.jacoco.agent` from 0.8.14 to 0.8.15
- [Release notes](https://github.com/jacoco/jacoco/releases)
- [Commits](jacoco/jacoco@v0.8.14...v0.8.15)

Updates `org.springframework.boot:spring-boot-starter-test` from 3.5.12 to 3.5.16
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.12...v3.5.16)

Updates `org.springframework.boot:spring-boot-starter-actuator` from 3.5.12 to 3.5.16
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.12...v3.5.16)

Updates `io.micrometer:micrometer-registry-prometheus` from 1.16.1 to 1.17.0
- [Release notes](https://github.com/micrometer-metrics/micrometer/releases)
- [Commits](micrometer-metrics/micrometer@v1.16.1...v1.17.0)

Updates `com.diffplug.spotless:spotless-plugin-gradle` from 8.1.0 to 8.8.0
- [Release notes](https://github.com/diffplug/spotless/releases)
- [Changelog](https://github.com/diffplug/spotless/blob/main/CHANGES.md)
- [Commits](diffplug/spotless@gradle/8.1.0...gradle/8.8.0)

Updates `de.undercouch.download:de.undercouch.download.gradle.plugin` from 5.6.0 to 5.7.0
- [Release notes](https://github.com/michel-kraemer/gradle-download-task/releases)
- [Commits](michel-kraemer/gradle-download-task@5.6.0...5.7.0)

Updates `org.springframework.boot:spring-boot-gradle-plugin` from 3.5.7 to 3.5.16
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.7...v3.5.16)

Updates `org.yaml:snakeyaml` from 2.5 to 2.6
- [Commits](https://bitbucket.org/snakeyaml/snakeyaml/branches/compare/snakeyaml-2.6..snakeyaml-2.5)

---
updated-dependencies:
- dependency-name: com.google.guava:guava
  dependency-version: 33.6.0-jre
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch-dependencies
- dependency-name: com.fasterxml.jackson.core:jackson-databind
  dependency-version: 2.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch-dependencies
- dependency-name: org.postgresql:postgresql
  dependency-version: 42.7.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch-dependencies
- dependency-name: org.springframework.boot:spring-boot-starter-data-jdbc
  dependency-version: 3.5.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch-dependencies
- dependency-name: org.springframework.boot:spring-boot-starter-web
  dependency-version: 3.5.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch-dependencies
- dependency-name: org.springframework.boot:spring-boot-starter-validation
  dependency-version: 3.5.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch-dependencies
- dependency-name: org.springframework.boot:spring-boot-starter-thymeleaf
  dependency-version: 3.5.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch-dependencies
- dependency-name: org.springframework.boot:spring-boot-configuration-processor
  dependency-version: 3.5.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch-dependencies
- dependency-name: org.springframework.boot:spring-boot-starter-test
  dependency-version: 3.5.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch-dependencies
- dependency-name: org.springframework.boot:spring-boot-starter-actuator
  dependency-version: 3.5.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch-dependencies
- dependency-name: org.springframework.boot:spring-boot-starter-web
  dependency-version: 3.5.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch-dependencies
- dependency-name: org.springframework.boot:spring-boot-starter-validation
  dependency-version: 3.5.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch-dependencies
- dependency-name: org.springframework.boot:spring-boot-starter-thymeleaf
  dependency-version: 3.5.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch-dependencies
- dependency-name: org.springframework.retry:spring-retry
  dependency-version: 2.0.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch-dependencies
- dependency-name: io.sentry:sentry-spring-boot-starter
  dependency-version: 8.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch-dependencies
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.37
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch-dependencies
- dependency-name: ch.qos.logback:logback-core
  dependency-version: 1.5.37
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch-dependencies
- dependency-name: org.springframework.boot:spring-boot-configuration-processor
  dependency-version: 3.5.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch-dependencies
- dependency-name: org.slf4j:slf4j-simple
  dependency-version: 2.0.18
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch-dependencies
- dependency-name: org.jacoco:org.jacoco.agent
  dependency-version: 0.8.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch-dependencies
- dependency-name: org.springframework.boot:spring-boot-starter-test
  dependency-version: 3.5.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch-dependencies
- dependency-name: org.springframework.boot:spring-boot-starter-actuator
  dependency-version: 3.5.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch-dependencies
- dependency-name: io.micrometer:micrometer-registry-prometheus
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch-dependencies
- dependency-name: com.diffplug.spotless:spotless-plugin-gradle
  dependency-version: 8.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch-dependencies
- dependency-name: de.undercouch.download:de.undercouch.download.gradle.plugin
  dependency-version: 5.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch-dependencies
- dependency-name: org.springframework.boot:spring-boot-gradle-plugin
  dependency-version: 3.5.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch-dependencies
- dependency-name: org.yaml:snakeyaml
  dependency-version: '2.6'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot requested a review from a team as a code owner July 1, 2026 10:08
@dependabot dependabot Bot requested review from jgainerdewar and removed request for a team July 1, 2026 10:08
@dependabot dependabot Bot added the dependency label Jul 1, 2026
@dependabot dependabot Bot requested a review from marctalbott July 1, 2026 10:08
@dependabot dependabot Bot added the gradle label Jul 1, 2026
@sonarqubecloud

sonarqubecloud Bot commented Jul 1, 2026
