Bump the libs group across 1 directory with 6 updates

[dependabot]

Bumps the libs group with 6 updates in the / directory:

Package	From	To
org.jsoup:jsoup	1.19.1	1.21.2
ch.qos.logback:logback-classic	1.5.18	1.5.21
com.google.crypto.tink:tink	1.17.0	1.19.0
org.owasp.dependencycheck	12.1.1	12.1.9
com.diffplug.spotless	7.0.2	8.1.0
com.vanniktech.maven.publish	0.34.0	0.35.0

Updates org.jsoup:jsoup from 1.19.1 to 1.21.2

Release notes

Sourced from org.jsoup:jsoup's releases.

jsoup 1.21.2

jsoup 1.21.2 is out now, adding support for custom SSLContext in HTTP/2 connections, and improving consistency in how user data is handled in attributes. It also brings performance gains in DOM manipulation and fragment parsing, and fixes several edge cases in stream parsing, traversal, cloning, and concurrent reads.

jsoup is a Java library for working with real-world HTML and XML. It provides a very convenient API for extracting and manipulating data, using the best of HTML5 DOM methods and CSS selectors.

Changes

• Deprecated internal (yet visible) methods Normalizer#normalize(String, bool) and Attribute#shouldCollapseAttribute(Document.OutputSettings). These will be removed in a future version.
• Deprecated Connection#sslSocketFactory(SSLSocketFactory) in favor of the new Connection#sslContext(SSLContext). Using sslSocketFactory will force the use of the legacy HttpUrlConnection implementation, which does not support HTTP/2. #2370

Improvements

• When pretty-printing, if there are consecutive text nodes (via DOM manipulation), the non-significant whitespace between them will be collapsed. #2349.
• Updated Connection.Response#statusMessage() to return a simple loggable string message (e.g. "OK") when using the HttpClient implementation, which doesn't otherwise return any server-set status message. #2356
• Attributes#size() and Attributes#isEmpty() now exclude any internal attributes (such as user data) from their count. This aligns with the attributes' serialized output and iterator. #2369
• Added Connection#sslContext(SSLContext) to provide a custom SSL (TLS) context to requests, supporting both the HttpClient and the legacy HttUrlConnection implementations. #2370
• Performance optimizations for DOM manipulation methods including when repeatedly removing an element's first child (element.child(0).remove(), and when using Parser#parseBodyFragement() to parse a large number of direct children. #2373.

Bug Fixes

• When parsing from an InputStream and a multibyte character happened to straddle a buffer boundary, the stream would not be completely read. #2353.
• In NodeTraversor, if a last child element was removed during the head() call, the parent would be visited twice. #2355.
• Cloning an Element that has an Attributes object would add an empty internal user-data attribute to that clone, which would cause unexpected results for Attributes#size() and Attributes#isEmpty(). #2356
• In a multithreaded application where multiple threads are calling Element#children() on the same element concurrently, a race condition could happen when the method was generating the internal child element cache (a filtered view of its child nodes). Since concurrent reads of DOM objects should be threadsafe without external synchronization, this method has been updated to execute atomically. #2366
• When parsing HTML with svg:script elements in SVG elements, don't enter the Text insertion mode, but continue to parse as foreign content. Otherwise, misnested HTML could then cause an IndexOutOfBoundsException. #2374
• Malformed HTML could throw an IndexOutOfBoundsException during the adoption agency. #2377.

jsoup 1.21.1

jsoup 1.21.1 is out now, featuring powerful new node selection capabilities that let you target specific DOM nodes like comments and text nodes using CSS selectors, dynamic tag customization through the new TagSet callback system, and improved defense against mutation XSS attacks with simplified attribute escaping. This release also brings HTTP/2 support by default, numerous API improvements for better developer experience, and fixes for several edge-case parsing issues.

jsoup is a Java library for working with real-world HTML and XML. It provides a very convenient API for extracting and manipulating data, using the best of HTML5 DOM methods and CSS selectors.

Changes

• Removed previously deprecated methods. #2317
• Deprecated the :matchText pseduo-selector due to its side effects on the DOM; use the new ::textnode selector and the Element#selectNodes(String css, Class<T> type) method instead. #2343
• Deprecated Connection.Response#bufferUp() in lieu of Connection.Response#readFully() which can throw a checked IOException.
• Deprecated internal methods Validate#ensureNotNull(Object) (replaced by typed Validate#expectNotNull(T)); protected HTML appenders from Attribute and Node.
• If you happen to be using any of the deprecated methods, please take the opportunity now to migrate away from them, as they will be removed in a future release.

Improvements

• Enhanced the Selector to support direct matching against nodes such as comments and text nodes. For example, you can now find an element that follows a specific comment: ::comment:contains(prices) + p will select p elements immediately after a <!-- prices: --> comment. Supported types include ::node, ::leafnode, ::comment, ::text, ::data, and ::cdata. Node contextual selectors like ::node:contains(text), :matches(regex), and :blank are also supported. Introduced Element#selectNodes(String css) and Element#selectNodes(String css, Class<T> nodeType) for direct node selection. #2324
• Added TagSet#onNewTag(Consumer<Tag> customizer): register a callback that’s invoked for each new or cloned Tag when it’s inserted into the set. Enables dynamic tweaks of tag options (for example, marking all custom tags as self-closing, or everything in a given namespace as preserving whitespace). #2330
• Made TokenQueue and CharacterReader autocloseable, to ensure that they will release their buffers back to the buffer pool, for later reuse.
• Added Selector#evaluatorOf(String css), as a clearer way to obtain an Evaluator from a CSS query. An alias of QueryParser.parse(String css).
• Custom tags (defined via the TagSet) in a foreign namespace (e.g. SVG) can be configured to parse as data tags.
• Added NodeVisitor#traverse(Node) to simplify node traversal calls (vs. importing NodeTraversor).
• Updated the default user-agent string to improve compatibility. #2341
• The HTML parser now allows the specific text-data type (Data, RcData) to be customized for known tags. (Previously, that was only supported on custom tags.) #2326
• Added Connection.Response#readFully() as a replacement for Connection.Response#bufferUp() with an explicit IOException. Similarly, added Connection.Response#readBody() over Connection.Response#body(). Deprecated Connection.Response#bufferUp(). #2327
• When serializing HTML, the < and > characters are now escaped in attributes. This helps prevent a class of mutation XSS attacks. #2337
• Changed Connection to prefer using the JDK's HttpClient over HttpUrlConnection, if available, to enable HTTP/2 support by default. Users can disable via -Djsoup.useHttpClient=false. #2340

Bug Fixes

... (truncated)

Changelog

Sourced from org.jsoup:jsoup's changelog.

1.21.2 (2025-Aug-25)

Changes

• Deprecated internal (yet visible) methods Normalizer#normalize(String, bool) and Attribute#shouldCollapseAttribute(Document.OutputSettings). These will be removed in a future version.
• Deprecated Connection#sslSocketFactory(SSLSocketFactory) in favor of the new Connection#sslContext(SSLContext). Using sslSocketFactory will force the use of the legacy HttpUrlConnection implementation, which does not support HTTP/2. #2370

Improvements

• When pretty-printing, if there are consecutive text nodes (via DOM manipulation), the non-significant whitespace between them will be collapsed. #2349.
• Updated Connection.Response#statusMessage() to return a simple loggable string message (e.g. "OK") when using the HttpClient implementation, which doesn't otherwise return any server-set status message. #2356
• Attributes#size() and Attributes#isEmpty() now exclude any internal attributes (such as user data) from their count. This aligns with the attributes' serialized output and iterator. #2369
• Added Connection#sslContext(SSLContext) to provide a custom SSL (TLS) context to requests, supporting both the HttpClient and the legacy HttUrlConnection implementations. #2370
• Performance optimizations for DOM manipulation methods including when repeatedly removing an element's first child (element.child(0).remove(), and when using Parser#parseBodyFragement() to parse a large number of direct children. #2373.

Bug Fixes

• When parsing from an InputStream and a multibyte character happened to straddle a buffer boundary, the stream would not be completely read. #2353.
• In NodeTraversor, if a last child element was removed during the head() call, the parent would be visited twice. #2355.
• Cloning an Element that has an Attributes object would add an empty internal user-data attribute to that clone, which would cause unexpected results for Attributes#size() and Attributes#isEmpty(). #2356
• In a multithreaded application where multiple threads are calling Element#children() on the same element concurrently, a race condition could happen when the method was generating the internal child element cache (a filtered view of its child nodes). Since concurrent reads of DOM objects should be threadsafe without external synchronization, this method has been updated to execute atomically. #2366
• When parsing HTML with svg:script elements in SVG elements, don't enter the Text insertion mode, but continue to parse as foreign content. Otherwise, misnested HTML could then cause an IndexOutOfBoundsException. #2374
• Malformed HTML could throw an IndexOutOfBoundsException during the adoption agency. #2377.

1.21.1 (2025-Jun-23)

Changes

• Removed previously deprecated methods. #2317
• Deprecated the :matchText pseduo-selector due to its side effects on the DOM; use the new ::textnode selector and the Element#selectNodes(String css, Class type) method instead. #2343
• Deprecated Connection.Response#bufferUp() in lieu of Connection.Response#readFully() which can throw a checked IOException.
• Deprecated internal methods Validate#ensureNotNull (replaced by typed Validate#expectNotNull); protected HTML appenders from Attribute and Node.
• If you happen to be using any of the deprecated methods, please take the opportunity now to migrate away from them, as they will be removed in a future release.

Improvements

• Enhanced the Selector to support direct matching against nodes such as comments and text nodes. For example, you can now find an element that follows a specific comment: ::comment:contains(prices) + p will select p elements immediately after a <!-- prices: --> comment. Supported types include ::node, ::leafnode, ::comment, ::text, ::data, and ::cdata. Node contextual selectors like ::node:contains(text), :matches(regex), and :blank are also supported. Introduced Element#selectNodes(String css) and Element#selectNodes(String css, Class nodeType) for direct node selection. #2324
• Added TagSet#onNewTag(Consumer<Tag> customizer): register a callback that’s invoked for each new or cloned Tag when it’s inserted into the set. Enables dynamic tweaks of tag options (for example, marking all custom tags as self-closing, or everything in a given namespace as preserving whitespace).
• Made TokenQueue and CharacterReader autocloseable, to ensure that they will release their buffers back to the buffer pool, for later reuse.
• Added Selector#evaluatorOf(String css), as a clearer way to obtain an Evaluator from a CSS query. An alias of QueryParser.parse(String css).
• Custom tags (defined via the TagSet) in a foreign namespace (e.g. SVG) can be configured to parse as data tags.
• Added NodeVisitor#traverse(Node) to simplify node traversal calls (vs. importing NodeTraversor).
• Updated the default user-agent string to improve compatibility. #2341
• The HTML parser now allows the specific text-data type (Data, RcData) to be customized for known tags. (Previously, that was only supported on custom tags.) #2326.
• Added Connection#readFully() as a replacement for Connection#bufferUp() with an explicit IOException. Similarly, added Connection#readBody() over Connection#body(). Deprecated Connection#bufferUp(). #2327
• When serializing HTML, the < and > characters are now escaped in attributes. This helps prevent a class of mutation XSS attacks. #2337
• Changed Connection to prefer using the JDK's HttpClient over HttpUrlConnection, if available, to enable HTTP/2 support by default. Users can disable via -Djsoup.useHttpClient=false. #2340

Bug Fixes

• The contents of a script in a svg foreign context should be parsed as script data, not text. #2320
• Tag#isFormSubmittable() was updating the Tag's options. #2323
• The HTML pretty-printer would incorrectly trim whitespace when text followed an inline element in a block element. #2325
• Custom tags with hyphens or other non-letter characters in their names now work correctly as Data or RcData tags. Their closing tags are now tokenized properly. #2332
• When cloning an Element, the clone would retain the source's cached child Element list (if any), which could lead to incorrect results when modifying the clone's child elements. #2334

... (truncated)

Commits

• b02837b [maven-release-plugin] prepare release jsoup-1.21.2
• 1f0c207 v1.21.2 release date
• b093463 Use central-publishing-maven-plugin
• 615b959 Updating sonatype deploy URLs
• 6961720 Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.11.2 to 3.11.3 (#2386)
• 82864b2 Bump jetty.version from 9.4.57.v20241219 to 9.4.58.v20250814 (#2385)
• 71f963e Fix for HTML that breaks the select scope
• 6b20f6e Removed effective recursion closing \</select>
• eb2957a Bump actions/checkout from 4 to 5 (#2382)
• 3a9a6c7 Fix ProxyTest in CI
• Additional commits viewable in compare view

Updates ch.qos.logback:logback-classic from 1.5.18 to 1.5.21

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.21

2025-11-10 Release of logback version 1.5.21

• Invocations of turbo filters in isDebugEnabled, isInfoEnabled()... remain as they were, untouched. However, any installed instances of TurboFilter are now invoked also from within the log(LoggingEvent) method of Logger with the contents of the LoggingEvent, typically via the fluent API. This fixes issues/871.

• Removed reentry-guard in most subclasses of UnsynchronizedAppenderBase where it was not needed.

• Initialization procedure has been simplified by removing the step instantiating a SerializedModelConfigurator. However, it is still possible to set up SerializedModelConfigurator as a custom configurator.

• JsonEncoder is now friendlier to derivation by sub-classes as requested in issues/979.

• Fixed XMLLayout thread safety issue reported in LOGBACK-427.

• Removed superfluous buffering in Zip, GZ and XZ compression code.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit fed6f37ffe3449e40f6a9fffe050936a33116bd1 associated with the tag v_1.5.21. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.20

2025-10-19 Release of logback version 1.5.20

• Due to potential vulnerabilities associated with dynamic, i.e. runtime, java code compilation and execution (using Janino), the 'condition' attribute within the <if> element is deprecated and will be removed in 2027.

An online migration service is provided to help with the transition.

The <condition> element, new in this version, admits custom PropertyEvaluator as a recommended alternative. See also the updated documentation on conditional configuration.

• Initialization procedure was incorrectly reported as having been simplified in this version, i.e. version 1.5.20 by removing the step instantiating a SerializedModelConfigurator. The actual simplification was done in version 1.5.21

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 930fb15c993a4344bcecc6ba2225c12a2c38e676 associated with the tag v_1.5.20. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.19

2025-09-30 Release of logback version 1.5.19

• Disallow "new" operator in the condition attribute of <if> elements. This fixes an ACE vulnerability recorded as CVE-2025-11226.

• At initialization time, slightly better reporting about watched configuration files.

• Softer message regarding usage of ConsoleAppender and its potential impact on performance.

• In ViewStatusMessagesServlet, restrict processing of "Clear" button to POST method. This change was proposed by Ralf Wiebicke who also provided the relevant PR.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit e572d4f87f06674788eb3ca7148e8d1dffc615fa associated with the tag v_1.5.19. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Commits

• fed6f37 prepare release 1.5.21
• b111e89 Initialization procedure has been simplified by removing the step
• 1cd2df4 fix issues/871
• dea5b95 minor - remove superflous call to Objects.requireNonNull
• 3cecf29 add comment for the TurboFilter list ACCEPT case
• 1497142 improve performance for 2 or more turbo filters
• 04a7ba5 most subclasses of UnsynchronizedAppenderBase do not need a reentry guard
• ab6a006 add maven cache to github CI, update .github/FUNDING.yml
• 2bf5557 fix failed LegacyPatternLayoutTest#subPattern test due to TZ discrepancies, u...
• 2ca8c52 update funding info
• Additional commits viewable in compare view

Updates com.google.crypto.tink:tink from 1.17.0 to 1.19.0

Release notes

Sourced from com.google.crypto.tink:tink's releases.

Tink Java v1.19.0

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink Java 1.19

The complete list of changes since 1.18.0 can be found here.

Build changes

• For Bazel builds, we now use Bazel 7.6.1. in our tests.
• For Bazel builds, Tink now supports bzlmod.
• Tink no longer supports Java 8. The minimum version starting from 1.19.0 is Java 11.

Dependencies

• Protobuf 4.28.2 was upgraded to Protobuf 4.32.1. (Note: we plan to shade protobuf in the next minor version of Tink which should resolve compatibility issues)

Obscure behaviour changes

• Tink will reject custom key types where the Type-Url has non-ASCII characters.

• Tink may serialize keysets slightly differently in certain cases. For example, in the serialization of a ECDSA keyset, the points might be padded differently than before. Users should not depend on the exact format of Tink's serialization.

• Use Conscrypt's AES-CMAC implementation when available and when the input is larger than 64 byte. This may improves the performance of AES-CMAC, AES-SIV and AES-EAX for large inputs.

• Removed usage of thread-local Ciphers for ChaCha20Poly1305.

Added APIs

• Added public JwtEcdsaParameters.Algorithm.getEcParameterSpec method.

• The AES-SIV implementation in subtle now accepts multiple associated datas.

Future work

To see what we're working towards, check our project roadmap.

Getting started

To get started using Tink, see the setup guide.

Maven:

<dependency>
    <groupId>com.google.crypto.tink</groupId>
    <artifactId>tink</artifactId>
</tr></table> 

... (truncated)

Commits

• 55c022d Do not use "--verbose" on the invocation of curl as it leaks the token.
• cbb9892 Fix the lib_name for tink-android.
• 3c34c33 Only put the actual checksums into the checksums file.
• bb2f27b Tag version as 1.19.0.
• 87d732d Fix the path to the encrypted token.
• 0c8c5ef Fix the path to encrypted_password.
• d761f4d Use the correct suffix for the tinkey_release_wrapping_key.
• d5b7ad9 Finish the release automation.
• 022c2b7 Write the key and passphrase into the (hopefully) correct path.
• d0f1937 Update the Java version to 1.19.0-pre0.
• Additional commits viewable in compare view

Updates org.owasp.dependencycheck from 12.1.1 to 12.1.9

Updates com.diffplug.spotless from 7.0.2 to 8.1.0

Updates com.vanniktech.maven.publish from 0.34.0 to 0.35.0

Release notes

Sourced from com.vanniktech.maven.publish's releases.

0.35.0

• Add support for publishing Kotlin Multiplatform libraries that use com.android.kotlin.multiplatform.library.
• Add support for validating deployments to Central Portal
• Raise minimum Gradle version to 8.13
• Raise minimum Android Gradle Plugin version to 8.2.2
• Do not unconditionally disable DocLint
• Fail publishing if SONATYPE_HOST is not set to CENTRAL_PORTAL.
• Fix misleading error message when Android library variant is not found.
• Downgrade transitive OkHttp version.
• Don't check project heirarchy for POM properties when Isolated proejcts is enabled.

Thanks to @​joshfriend, @​Flowdalic and @​Goooler for their contributions to this release.

Minimum supported versions

• JDK 11
• Gradle 8.13
• Android Gradle Plugin 8.2.2
• Kotlin Gradle Plugin 1.9.20

Compatibility tested up to

• JDK 24
• Gradle 9.2.0
• Gradle 9.3.0-milestone-1
• Android Gradle Plugin 8.13.1
• Android Gradle Plugin 9.0.0-alpha14
• Kotlin Gradle Plugin 2.2.21
• Kotlin Gradle Plugin 2.3.0-Beta2

0.35.0-rc1

• Add support for publishing Kotlin Multiplatform libraries that use com.android.kotlin.multiplatform.library.
• Add support for validating deployments to Central Portal
• Raise minimum Gradle version to 8.13
• Raise minimum Android Gradle Plugin version to 8.2.2
• Do not unconditionally disable DocLint
• Fail publishing if SONATYPE_HOST is not set to CENTRAL_PORTAL.
• Fix misleading error message when Android library variant is not found.
• Downgrade transitive OkHttp version.
• Don't check project heirarchy for POM properties when Isolated proejcts is enabled.

Thanks to @​joshfriend, @​Flowdalic and @​Goooler for their contributions to this release.

Minimum supported versions

• JDK 11
• Gradle 8.13
• Android Gradle Plugin 8.2.2
• Kotlin Gradle Plugin 1.9.20

Compatibility tested up to

• JDK 24
• Gradle 9.2.0

... (truncated)

Changelog

Sourced from com.vanniktech.maven.publish's changelog.

0.35.0 (2025-11-11)

• Add support for publishing Kotlin Multiplatform libraries that use com.android.kotlin.multiplatform.library.
• Add support for validating deployments to Central Portal
• Raise minimum Gradle version to 8.13
• Raise minimum Android Gradle Plugin version to 8.2.2
• Do not unconditionally disable DocLint
• Fail publishing if SONATYPE_HOST is not set to CENTRAL_PORTAL.
• Fix misleading error message when Android library variant is not found.
• Downgrade transitive OkHttp version.
• Don't check project heirarchy for POM properties when Isolated proejcts is enabled.

Thanks to @​joshfriend, @​Flowdalic and @​Goooler for their contributions to this release.

Minimum supported versions

• JDK 11
• Gradle 8.13
• Android Gradle Plugin 8.2.2
• Kotlin Gradle Plugin 1.9.20

Compatibility tested up to

• JDK 24
• Gradle 9.2.0
• Gradle 9.3.0-milestone-1
• Android Gradle Plugin 8.13.1
• Android Gradle Plugin 9.0.0-alpha14
• Kotlin Gradle Plugin 2.2.21
• Kotlin Gradle Plugin 2.3.0-Beta2

Commits

• 8232338 update to 0.35.0-rc1
• 85b409d 0.35.0 prep
• 2e01bc6 Always run CI on the latest Java (#1193)
• fb36ee3 Update android.gradle to v8.13.1 (#1194)
• 0f8135b Use Java 25 on CI (#1184)
• 4cc5b52 Clean up toolchain usages in tests (#1191)
• aa456e1 Update plugin android-lint to v8.13.1 (#1195)
• 32a9226 Update dependency com.android.library to v9.0.0-alpha14 (#1188)
• 48a58af Support deploying API html (#1192)
• a795a97 Clean up android extensions in tests (#1190)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.