Bump the libs group across 1 directory with 7 updates

[dependabot]

Bumps the libs group with 7 updates in the / directory:

Package	From	To
gradle-wrapper	8.13	9.3.0
org.jsoup:jsoup	1.19.1	1.22.1
ch.qos.logback:logback-classic	1.5.18	1.5.26
com.google.crypto.tink:tink	1.17.0	1.20.0
org.owasp.dependencycheck	12.1.1	12.2.0
com.diffplug.spotless	7.0.2	8.2.0
com.vanniktech.maven.publish	0.34.0	0.36.0

Updates gradle-wrapper from 8.13 to 9.3.0

Updates org.jsoup:jsoup from 1.19.1 to 1.22.1

Release notes

Sourced from org.jsoup:jsoup's releases.

jsoup Java HTML Parser release 1.22.1

jsoup 1.22.1 is out now, adding support for the re2j regular expression engine for regex-based CSS selectors, a configurable maximum parser depth, and numerous bug fixes and improvements.

jsoup is a Java library for working with real-world HTML and XML. It provides a very convenient API for extracting and manipulating data, using the best of HTML5 DOM methods and CSS selectors.

Download jsoup now.

Improvements

• Added support for using the re2j regular expression engine for regex-based CSS selectors (e.g. [attr~=regex], :matches(regex)), which ensures linear-time performance for regex evaluation. This allows safer handling of arbitrary user-supplied query regexes. To enable, add the com.google.re2j dependency to your classpath, e.g.:

  <dependency>
    <groupId>com.google.re2j</groupId>
    <artifactId>re2j</artifactId>
    <version>1.8</version>
  </dependency>

(If you already have that dependency in your classpath, but you want to keep using the Java regex engine, you can disable re2j via System.setProperty("jsoup.useRe2j", "false").) You can confirm that the re2j engine has been enabled correctly by calling Regex.usingRe2j(). #2407

• Added an instance method Parser#unescape(String, boolean) that unescapes HTML entities using the parser's configuration (e.g. to support error tracking), complementing the existing static utility Parser.unescapeEntities(String, boolean). #2396
• Added a configurable maximum parser depth (to limit the number of open elements on stack) to both HTML and XML parsers. The HTML parser now defaults to a depth of 512 to match browser behavior, and protect against unbounded stack growth, while the XML parser keeps unlimited depth by default, but can opt into a limit via Parser.setMaxDepth(). #2421
• Build: added CI coverage for JDK 25 #2403
• Build: added a CI fuzzer for contextual fragment parsing (in addition to existing full body HTML and XML fuzzers). [oss-fuzz #14041](google/oss-fuzz#14041)

Changes

• Set a removal schedule of jsoup 1.24.1 for previously deprecated APIs.

Bug Fixes

• Previously cached child Elements of an Element were not correctly invalidated in Node#replaceWith(Node), which could lead to incorrect results when subsequently calling Element#children(). #2391
• Attribute selector values are now compared literally without trimming. Previously, jsoup trimmed whitespace from selector values and from element attribute values, which could cause mismatches with browser behavior (e.g. [attr=" foo "]). Now matches align with the CSS specification and browser engines. #2380
• When using the JDK HttpClient, any system default proxy (ProxySelector.getDefault()) was ignored. Now, the system proxy is used if a per-request proxy is not set. #2388, #2390
• A ValidationException could be thrown in the adoption agency algorithm with particularly broken input. Now logged as a parse error. #2393
• Null characters in the HTML body were not consistently removed; and in foreign content were not correctly replaced. #2395
• An IndexOutOfBoundsException could be thrown when parsing a body fragment with crafted input. Now logged as a parse error. #2397, #2406
• When using StructuralEvaluators (e.g., a parent child selector) across many retained threads, their memoized results could also be retained, increasing memory use. These results are now cleared immediately after use, reducing overall memory consumption. #2411
• Cloning a Parser now preserves any custom TagSet applied to the parser. #2422, #2423
• Custom tags marked as Tag.Void now parse and serialize like the built-in void elements: they no longer consume following content, and the XML serializer emits the expected self-closing form. #2425
• The <br> element is once again classified as an inline tag (Tag.isBlock() == false), matching common developer expectations and its role as phrasing content in HTML, while pretty-printing and text extraction continue to treat it as a line break in the rendered output. #2387, #2439
• Fixed an intermittent truncation issue when fetching and parsing remote documents via Jsoup.connect(url).get(). On responses without a charset header, the initial charset sniff could sometimes (depending on buffering / available() behavior) be mistaken for end-of-stream and a partial parse reused, dropping trailing content. #2448
• TagSet copies no longer mutate their template during lazy lookups, preventing cross-thread ConcurrentModificationException when parsing with shared sessions. #2453
• Fixed parsing of <svg> foreignObject content nested within a <p>, which could incorrectly move the HTML subtree outside the SVG. #2452

Internal Changes

• Deprecated internal helper org.jsoup.internal.Functions (for removal in v1.23.1). This was previously used to support older Android API levels without full java.util.function coverage; jsoup now requires core library desugaring so this indirection is no longer necessary. #2412

---

My sincere thanks to everyone who contributed to this release! If you have any suggestions for the next release, I would love to hear them; please get in touch via jsoup discussions, or with me directly.

You can also follow me (@jhy@tilde.zone) on Mastodon / Fediverse to receive occasional notes about jsoup releases.

... (truncated)

Changelog

Sourced from org.jsoup:jsoup's changelog.

1.22.1 (2026-Jan-01)

Improvements

• Added support for using the re2j regular expression engine for regex-based CSS selectors (e.g. [attr~=regex], :matches(regex)), which ensures linear-time performance for regex evaluation. This allows safer handling of arbitrary user-supplied query regexes. To enable, add the com.google.re2j dependency to your classpath, e.g.:

  <dependency>
    <groupId>com.google.re2j</groupId>
    <artifactId>re2j</artifactId>
    <version>1.8</version>
  </dependency>

(If you already have that dependency in your classpath, but you want to keep using the Java regex engine, you can disable re2j via System.setProperty("jsoup.useRe2j", "false").) You can confirm that the re2j engine has been enabled correctly by calling org.jsoup.helper.Regex.usingRe2j(). #2407

• Added an instance method Parser#unescape(String, boolean) that unescapes HTML entities using the parser's configuration (e.g. to support error tracking), complementing the existing static utility Parser.unescapeEntities(String, boolean). #2396
• Added a configurable maximum parser depth (to limit the number of open elements on stack) to both HTML and XML parsers. The HTML parser now defaults to a depth of 512 to match browser behavior, and protect against unbounded stack growth, while the XML parser keeps unlimited depth by default, but can opt into a limit via org.jsoup.parser.Parser#setMaxDepth. #2421
• Build: added CI coverage for JDK 25 #2403
• Build: added a CI fuzzer for contextual fragment parsing (in addition to existing full body HTML and XML fuzzers). [oss-fuzz #14041](google/oss-fuzz#14041)

Changes

• Set a removal schedule of jsoup 1.24.1 for previously deprecated APIs.

Bug Fixes

• Previously cached child Elements of an Element were not correctly invalidated in Node#replaceWith(Node), which could lead to incorrect results when subsequently calling Element#children(). #2391
• Attribute selector values are now compared literally without trimming. Previously, jsoup trimmed whitespace from selector values and from element attribute values, which could cause mismatches with browser behavior (e.g. [attr=" foo "]). Now matches align with the CSS specification and browser engines. #2380
• When using the JDK HttpClient, any system default proxy (ProxySelector.getDefault()) was ignored. Now, the system proxy is used if a per-request proxy is not set. #2388, #2390
• A ValidationException could be thrown in the adoption agency algorithm with particularly broken input. Now logged as a parse error. #2393
• Null characters in the HTML body were not consistently removed; and in foreign content were not correctly replaced. #2395
• An IndexOutOfBoundsException could be thrown when parsing a body fragment with crafted input. Now logged as a parse error. #2397, #2406
• When using StructuralEvaluators (e.g., a parent child selector) across many retained threads, their memoized results could also be retained, increasing memory use. These results are now cleared immediately after use, reducing overall memory consumption. #2411
• Cloning a Parser now preserves any custom TagSet applied to the parser. #2422, #2423
• Custom tags marked as Tag.Void now parse and serialize like the built-in void elements: they no longer consume following content, and the XML serializer emits the expected self-closing form. #2425
• The <br> element is once again classified as an inline tag (Tag.isBlock() == false), matching common developer expectations and its role as phrasing content in HTML, while pretty-printing and text extraction continue to treat it as a line break in the rendered output. #2387, #2439
• Fixed an intermittent truncation issue when fetching and parsing remote documents via Jsoup.connect(url).get(). On responses without a charset header, the initial charset sniff could sometimes (depending on buffering / available() behavior) be mistaken for end-of-stream and a partial parse reused, dropping trailing content. #2448
• TagSet copies no longer mutate their template during lazy lookups, preventing cross-thread ConcurrentModificationException when parsing with shared sessions. #2453
• Fixed parsing of <svg> foreignObject content nested within a <p>, which could incorrectly move the HTML subtree outside the SVG. #2452

Internal Changes

• Deprecated internal helper org.jsoup.internal.Functions (for removal in v1.23.1). This was previously used to support older Android API levels without full java.util.function coverage; jsoup now requires core library desugaring so this indirection is no longer necessary. #2412

1.21.2 (2025-Aug-25)

Changes

• Deprecated internal (yet visible) methods Normalizer#normalize(String, bool) and Attribute#shouldCollapseAttribute(Document.OutputSettings). These will be removed in a future version.
• Deprecated Connection#sslSocketFactory(SSLSocketFactory) in favor of the new Connection#sslContext(SSLContext). Using sslSocketFactory will force the use of the legacy HttpUrlConnection implementation, which does not support HTTP/2. #2370

Improvements

• When pretty-printing, if there are consecutive text nodes (via DOM manipulation), the non-significant whitespace between them will be collapsed. #2349.
• Updated Connection.Response#statusMessage() to return a simple loggable string message (e.g. "OK") when using the HttpClient implementation, which doesn't otherwise return any server-set status message. #2356
• Attributes#size() and Attributes#isEmpty() now exclude any internal attributes (such as user data) from their count. This aligns with the attributes' serialized output and iterator. #2369
• Added Connection#sslContext(SSLContext) to provide a custom SSL (TLS) context to requests, supporting both the HttpClient and the legacy HttUrlConnection implementations. #2370

... (truncated)

Commits

• 8dd66fe [maven-release-plugin] prepare release jsoup-1.22.1
• d924385 Changelog prep for v1.22.1
• 0f3100c Bump actions/upload-artifact from 5 to 6 (#2457)
• cf6ac20 Bump org.apache.maven.plugins:maven-release-plugin from 3.3.0 to 3.3.1 (#2455)
• 6bef938 Fix parsing of SVG foreignObject in paragraphs
• 9b1c0fc Bump org.apache.maven.plugins:maven-release-plugin from 3.2.0 to 3.3.0 (#2450)
• 1415e64 Bump actions/checkout from 5 to 6 (#2451)
• 0e99fd9 Isolate TagSet copies to prevent shared mutation (#2453)
• 90019cb Bump com.github.siom79.japicmp:japicmp-maven-plugin from 0.24.2 to 0.25.0 (#2...
• 9395269 Don't preemptively close
• Additional commits viewable in compare view

Updates ch.qos.logback:logback-classic from 1.5.18 to 1.5.26

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.26

2026-01-25 Release of logback version 1.5.26

• InsertFromJNDIModelHandler was accessing javax.naming package forcing the inclusion of the optional java.naming module. This problem was raised in issues/1003 by Marius Hanl who also provided the relevant PR.

• In applications using shadow/fat/shade jars, module or package information could be lost. Thus, in the absence of version information, logback-classic would warn about version mismatches. Logback components now ship with properties files containing version information that survive shadow/fat/shade jars. This issue was reporteed in issues/1002 by Christoph Gritschenberger.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 33deb54506bbfaf1ff151f26f3a5f86936011619 associated with the tag v_1.5.26. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.25

2026-01-17 Release of logback version 1.5.25

• When processing configuration files, logback-core will now only instantiate components compatible with the class expected by the encapsulating class. This fixes an ACE vulnerability recorded as CVE-2026-1225.

• In configuration files, referencing a single undeclared appender would cause all referenced appenders to be skipped. This issue was discovered in issues/997.

• Added VersionUtil class to logback-core. This utility class checks for version compatibility issues and alerts the user if need be.

• Added EpochConverter to output milliseconds/seconds since epoch. This enhancement was requested by Duncan Jauncey in issues/1000 who also provided the relevant implementation PR.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit f426e0002800cfb507f393fcacffe0761a425220 associated with the tag v_1.5.25. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.24

2026-01-06 Release of logback version 1.5.24

• Added ExpressionPropertyCondition a PropertyCondition that can evaluate boolean expressions similar to Java. See the relevant documentation for further details.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 62bc5fc245dd3a52f3dd45e232733f4cefb4806d associated with the tag v_1.5.24. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.23

2025-12-21 Release of logback version 1.5.23

• In response to issues/959 file name collisions are detected at configuration time by analyzing the configuration file and no longer at run time. This avoids the ConcurrentModificationException reported in the issue.

• ZIP and XZ compression now use a BufferedOutputStream when writing to the compressed file. This issue was reported in issues/988.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 0bcc3feb54a6d99caac70969ee5f8334aad1fbaf associated with the tag v_1.5.23. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.22

2025-12-11 Release of logback version 1.5.22

• In order to prevent involuntary information leakage, Logback will no longer output the value of a substituted variable, if the variable name contains any of the case-insensitive strings "password", "secret" or "confidential". This problem was reported by Chintan Rohila in issues/986.

• Logback now takes the overridden toString() method of Throwable subclasses into account when printing stack traces. This issue was reported in LOGBACK-543 by Alvin Chee, with a fix provided in PR 404 by Brett Kail.

• Instead of limit-counting guard, Logback now uses a tumbling-window guard to rate limit internal error messages.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 572379aabd2f672b49593e4020696c624541e5b0 associated with the tag v_1.5.22. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.21

... (truncated)

Commits

• 33deb54 prepare release 1.5.26
• d38a3e2 refactoring based on usage in logback-access
• 4368333 move VersionUtil.getCoreVersionBySelfDeclaredProperties to CoreVersionUtil
• 8bd5660 modify VersionCheckTest to use logback-core 1.5.25
• 7a8f0b6 version information is self declared by modules.
• 00d272f Do not use javax.naming namespace in the catch block, so that Logback can be ...
• 420d67c mention country only, add missing 2016-03-29
• 033aba4 fix javadoc errors
• 6d52744 start work on 1.5.26-SNAPSHOT
• f426e00 prepare release of 1.5.25
• Additional commits viewable in compare view

Updates com.google.crypto.tink:tink from 1.17.0 to 1.20.0

Release notes

Sourced from com.google.crypto.tink:tink's releases.

Tink Java v1.20.0

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink Java 1.20.0

The complete list of changes since 1.19.0 can be found here.

• Updated the Protobuf dependency to 4.33.0.
• Improved performance for creating JWT signature primitives.
• Dropped support for WORKSPACE Bazel files.
• Allow using 32-byte keys in subtle AES-SIV primitive.
• Fixed tink-crypto/tink-java#63

Maven:

<dependency>
    <groupId>com.google.crypto.tink</groupId>
    <artifactId>tink</artifactId>
    <version>1.20.0</version>
</dependency>

Gradle:

dependencies {
  implementation 'com.google.crypto.tink:tink-android:1.20.0'
}

Bazel:

Using bzlmod

bazel_dep(name = "tink_java")
git_override(

module_name = "tink_java",

remote = "https://github.com/tink-crypto/tink-java",

tag = "v1.20.0",

)

Tink Java v1.19.0

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink Java 1.19

... (truncated)

Commits

• fe3e251 Tag version 1.20.0
• efe61ad Move JwtNames.java to /jwt/internal/JwtNames.java
• 2450984 Move JsonUtil to com.google.crypto.tink.jwt.internal.
• 493a645 Add createWithProvider to internal SLH-DSA primitives.
• 71f2a9b Implement the LowLevelCryptoCaller annotation.
• d231253 Make SlhDsa available in SignatureConfigurationV1.
• 47d37db Introduce SlhDsaSign/VerifyConscrypt to Tink Java.
• 067cd7a Introduce SlhDsaProtoSerialization in Tink Java.
• 074bbfb Introduce SlhDsaPrivateKeys to Tink Java.
• ab3558c Introduce SlhDsaPublicKey to Tink Java.
• Additional commits viewable in compare view

Updates org.owasp.dependencycheck from 12.1.1 to 12.2.0

Updates com.diffplug.spotless from 7.0.2 to 8.2.0

Updates com.vanniktech.maven.publish from 0.34.0 to 0.36.0

Release notes

Sourced from com.vanniktech.maven.publish's releases.

0.36.0

BREAKING

• Updated minimum supported JDK, Gradle, Android Gradle Plugin and Kotlin versions.
• Removed support for Dokka v1, it's now required to use Dokka in v2 mode.
• Mark DirectorySignatureType internal.

Behavior changes

• validateDeployment now has the DeploymentValidation enum as type instead of being a boolean. The default is now to just wait for the VALIDATED state. The previous behavior can be achieved by setting it to PUBLISHED. NONE can be used for disabling the validation completely.
• When calling configure(...) manually to configure what to publish and not passing javadocJar explicity, the plugin now defaults to publishing an empty javadoc jar.

Features

• Android projects now support using Dokka for javadoc creation, this will happen automatically when using the default options and the Dokka plugin is applied to the project.
• Added consistent JavadocJar and SourcesJar options to configureBasedOnAppliedPlugins and to all applicable project types that can be passed to configure. The previous Boolean based versions have been deprecated.
• When enabling Maven Central publishing through the DSL, the mavenCentralDeploymentValidation and mavenCentralAutomaticPublishing are used for the default values of the 2 parameters when they are not passed explicitly. This allows to more easily override them in certain environments.
• When isolated projects is enabled the module/project specific gradle.properties files are now considered in the same way they are when isolated projects is disabled.

Improvements

• Better error message when Maven Central credentials are missing.

Minimum supported versions

• JDK 17
• Gradle 9.0.0
• Android Gradle Plugin 8.13.0
• Kotlin Gradle Plugin 2.2.0

Compatibility tested up to

• JDK 25
• Gradle 9.3.0
• Gradle 9.4.0-milestone-4
• Android Gradle Plugin 8.13.2
• Android Gradle Plugin 9.0.0
• Android Gradle Plugin 9.1.0-alpha05
• Kotlin Gradle Plugin 2.3.0
• Kotlin Gradle Plugin 2.3.20-Beta1

0.36.0-rc2

BREAKING

• Updated minimum supported JDK, Gradle, Android Gradle Plugin and Kotlin versions.
• Removed support for Dokka v1, it's now required to use Dokka in v2 mode.
• Mark DirectorySignatureType internal.

... (truncated)

Changelog

Sourced from com.vanniktech.maven.publish's changelog.

0.36.0 (2026-01-13)

BREAKING

• Updated minimum supported JDK, Gradle, Android Gradle Plugin and Kotlin versions.
• Removed support for Dokka v1, it's now required to use Dokka in v2 mode.
• Mark DirectorySignatureType internal.

Behavior changes

• validateDeployment now has the DeploymentValidation enum as type instead of being a boolean. The default is now to just wait for the VALIDATED state. The previous behavior can be achieved by setting it to PUBLISHED. NONE can be used for disabling the validation completely.
• When calling configure(...) manually to configure what to publish and not passing javadocJar explicity, the plugin now defaults to publishing an empty javadoc jar.

Features

• Android projects now support using Dokka for javadoc creation, this will happen automatically when using the default options and the Dokka plugin is applied to the project.
• Added consistent JavadocJar and SourcesJar options to configureBasedOnAppliedPlugins and to all applicable project types that can be passed to configure. The previous Boolean based versions have been deprecated.
• When enabling Maven Central publishing through the DSL, the mavenCentralDeploymentValidation and mavenCentralAutomaticPublishing are used for the default values of the 2 parameters when they are not passed explicitly. This allows to more easily override them in certain environments.
• When isolated projects is enabled the module/project specific gradle.properties files are now considered in the same way they are when isolated projects is disabled.

Improvements

• Better error message when Maven Central credentials are missing.

Minimum supported versions

• JDK 17
• Gradle 9.0.0
• Android Gradle Plugin 8.13.0
• Kotlin Gradle Plugin 2.2.0

Compatibility tested up to

• JDK 25
• Gradle 9.3.0
• Gradle 9.4.0-milestone-4
• Android Gradle Plugin 8.13.2
• Android Gradle Plugin 9.0.0
• Android Gradle Plugin 9.1.0-alpha05
• Kotlin Gradle Plugin 2.3.0
• Kotlin Gradle Plugin 2.3.20-Beta1

0.35.0 (2025-11-11)

• Add support for publishing Kotlin Multiplatform libraries that use com.android.kotlin.multiplatform.library.
• Add support for validating deployments to Central Portal

... (truncated)

Commits

• 0a5fa58 rc2 and wait for published
• 695e18a rc1
• f92dc3a Changelog for 0.36.0
• bddd1e6 Update dependency org.jetbrains.kotlin.jvm to v2.3.20-Beta1 (#1289)
• 22f90b2 Update Gradle to v9.3.0 (#1301)
• d7d5f34 Update android.gradle to v9 (major) (#1298)
• 3d262a6 Update dependency com.android.library to v9.1.0-alpha05 (#1300)
• a8573ed Update plugin com.gradle.develocity to v4.3.1 (#1299)
• ee0f2e3 Fix typo in default DeploymentValidation and correct documentation (#1296)
• 783599f Update dependency com.android.library to v9.0.0 (#1297)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud