build(deps): bump the gradle-dependencies group across 1 directory with 9 updates

[dependabot]

Bumps the gradle-dependencies group with 9 updates in the / directory:

Package	From	To
com.github.spotbugs:spotbugs-annotations	4.9.8	4.10.2
com.gradleup.nmcp.settings	1.5.0	1.6.0
gradle-wrapper	9.5.1	9.6.0
org.junit.jupiter:junit-jupiter	6.0.3	6.1.0
com.peterabeles.gversion	1.10.3	1.11.0
com.gradleup.shadow	9.4.1	9.4.2
pl.allegro.tech.build.axion-release	1.21.1	1.21.2
com.diffplug.spotless	8.5.1	8.7.0
com.github.spotbugs	6.5.4	6.5.8

Updates com.github.spotbugs:spotbugs-annotations from 4.9.8 to 4.10.2

Release notes

Sourced from com.github.spotbugs:spotbugs-annotations's releases.

4.10.2

SpotBugs 4.10.2

CHANGELOG

Build

• Add release protection to ensure version released matches the tag and that snapshot has been removed. (#4156)
• Drop binary incompatible Saxon-HE back to 12.9 to keep java 11 compatibility. (#4159)
• Add binary check to the gradle build to ensure compatibility remains. (#4159)

CHECKSUM

file	checksum (sha256)
spotbugs-4.10.2-javadoc.jar	97bf36f386f75cecacbb7663700266d65176f8544c6f62bc7f21e0ecfb868444
spotbugs-4.10.2-sources.jar	76476f61ce6dc0eb0c38801e21da44e77043ba21226aef6c1b9d21df06d2395a
spotbugs-4.10.2.tgz	63d7687c35fba12cbc8e55ec2a889a2bbf1b9be299dea91f2b0d351dc285308a
spotbugs-4.10.2.zip	d5c9ad825cd015fc943802f5c96d89c515fd9a6f7fbbd9ddc7d0aa24b13664df
spotbugs-annotations-4.10.2-javadoc.jar	a948f311281429a3060e4870d5a60e8508372113ce678c7e1e04b58ba07a2ec2
spotbugs-annotations-4.10.2-sources.jar	87974d23caffbc8c6e66c567747627267b5ed06573cee966d7af6d236b8d65bd
spotbugs-annotations.jar	5335e5107c74cdd62ef96a7908066c51abb3de63b1ebf99dc953c2c7d0747678
spotbugs-ant-4.10.2-javadoc.jar	6e016db4c2929c0319c9f973ec1c76724d9ba17d26cd7b87136a8dbf0731cecb
spotbugs-ant-4.10.2-sources.jar	91477d93b1fd1bebae35d318427b5238fb458e726478dc1a8ac41ce74838a1e6
spotbugs-ant.jar	22f2fa397e86663adcd4828cc1c91e63aa6cc2bfc56832885b749a86fac5c784
spotbugs.jar	46f5c9524c08d027cf96cda2704e5d8ded633626b94a19dc9ced3ae67595d80b
test-harness-4.10.2-javadoc.jar	ec93ddaa099a27c8fdb0522d8c0b24a3d696e10aaf7d71a5d8426a643c00f1b2
test-harness-4.10.2-sources.jar	805d2d124b0d4ea513ee9262d4ad6027c3471d45defd80fd7d20e23425d17df7
test-harness-4.10.2.jar	bd10d1f11a1b93e4ca4db4d27772f611bd3407f9452dbbd2d1ba62584ddc171f
test-harness-core-4.10.2-javadoc.jar	a9782f2a1ecb26d561b4601c46f2dbcfbe4045d587c6ce545ae830cd61399118
test-harness-core-4.10.2-sources.jar	043a55d99a517c0d9cf702b0c183b4afd3f03af9eff4a86d59bb37df1b35b532
test-harness-core-4.10.2.jar	1f9a0ee8f150dd71f960ca4f59dcf7912a45d0e9e6aefc4585fd44b975454bc0
test-harness-jupiter-4.10.2-javadoc.jar	eb18358668b3f2099ddcfe21e817210d34ee969eb7fecc6f697c6eecca803846
test-harness-jupiter-4.10.2-sources.jar	17144f315686bfd01c02fa4ae7c916060c41de8eed58d5b8470416fa08f46ced
test-harness-jupiter-4.10.2.jar	a91146da3e993479cfefd2690781cbd102c6360ecc63a96d88995be3bd60fcbb

4.10.1

SpotBugs 4.10.1

Note

SpotBugs 4.10.0 was superseded by 4.10.1 due to a release issue. Users should use 4.10.1. See the discussion below for additional details:

spotbugs/spotbugs#4155

CHANGELOG

Build

• 4.10.0 was not released due to a release process error (artifacts were built from a -SNAPSHOT version). 4.10.1 is the corrected release and contains the intended 4.10.0 contents.

CHECKSUM

file	checksum (sha256)
spotbugs-4.10.1-javadoc.jar	582dc49e95b080333b1025dc23e76630e5f6f1648b2f9fa71ee34918f6d9dd2c

... (truncated)

Changelog

Sourced from com.github.spotbugs:spotbugs-annotations's changelog.

4.10.2 - 2026-06-09

Build

• Add release protection to ensure version released matches the tag and that snapshot has been removed. (#4156)
• Drop binary incompatible Saxon-HE back to 12.9 to keep java 11 compatibility. (#4159)
• Add binary check to the gradle build to ensure compatibility remains. (#4159)

4.10.1 - 2026-06-08

Build

• 4.10.0 was not released due to a release process error (artifacts were built from a -SNAPSHOT version). 4.10.1 is the corrected release and contains the intended 4.10.0 contents.

4.10.0 - 2026-06-07

Refactor

• Move internal usage of 'javax.annotation.Nonnull' to 'jakarta.annotation.NonNull'. (#3858)
• Move internal usage of 'javax.annotation.Nullable' to 'jakarta.annotation.Nullable'. (#3861)
• Renamed methods from edu.umd.cs.findbugs.SwitchHandler to reflect that they return a PC, not an offset (#3869)
• Make the progress bar more visually appealing by adding some borders (#3896)
• Reuse DismantleBytecode.isIf introduced in (#3869)

Added

• Add partial support for org.jspecify.annotations.Nullable, org.jspecify.annotations.NonNull, org.jspecify.annotations.NullUnmarked and org.jspecify.annotations.NullMarked annotations. These are aliased to the closest existing SpotBugs nullness annotations. This is not a complete implementation of the JSpecify spec; scope-level semantics of @NullMarked and @NullUnmarked are not yet supported. (#3996)
• Recognize jakarta.annotation.Nonnull and jakarta.annotation.Nullable (#3780)
• Detect use of sun.misc.Unsafe and jdk.internal.misc.Unsafe (#3804)
• New bug type is introduced: NCR_NOT_PROPERLY_CHECKED_READ. Improper validation of the return value from the read() method in InputStream and Reader classes may result in an array not being fully filled. (#3766)
• New detector FindImproperSynchronization and introduced new bug types:
  • USO_UNSAFE_METHOD_SYNCHRONIZATION is reported when using synchronized methods with the class' accessible intrinsic lock,
  • USO_UNSAFE_STATIC_METHOD_SYNCHRONIZATION is reported when using static synchronized methods with the class' exposed intrinsic lock,
  • USO_UNSAFE_OBJECT_SYNCHRONIZATION is reported when the lock used for synchronization is visible from the outside,
  • USO_UNSAFE_ACCESSIBLE_OBJECT_SYNCHRONIZATION is reported when the lock used for synchronization is made accessible, with methods that update or return the lock, to the outside,
  • USO_UNSAFE_INHERITABLE_OBJECT_SYNCHRONIZATION is reported when the lock used for synchronization is can be altered by subclasses,
  • USO_UNSAFE_EXPOSED_OBJECT_SYNCHRONIZATION is reported when the lock used for synchronization is later exposed in the subclasses.
  • USBC_UNSAFE_SYNCHRONIZATION_WITH_BACKING_COLLECTION is reported when the backing collection of a lock is visible from the outside,
  • USBC_UNSAFE_SYNCHRONIZATION_WITH_ACCESSIBLE_BACKING_COLLECTION is reported when the backing collection of a lock is made accessible, with methods that update or return the lock, to the outside,
  • USBC_UNSAFE_SYNCHRONIZATION_WITH_INHERITABLE_BACKING_COLLECTION is reported when the backing collection of a lock can be altered by subclasses. (See SEI CERT rule LCK00-J and SEI CERT rule LCK04-J)
• New detector FindIncreasedAccessibilityOfMethods for new bug type IAOM_DO_NOT_INCREASE_METHOD_ACCESSIBILITY. This detector reports a bug if a class increases the accessibility of overridden or hidden methods. (See SEI CERT rule MET04-J)

Fixed

• Fix DM_STRING_TOSTRING false negative when toString() is chained before a method call (e.g., s.toString().toLowerCase()); multiple occurrences in the same method are now all reported (#3966)
• Stop exposing JUnit BOM as a transitive dependency to consumers (#3908)
• Fix incorrect bug counts and sizes when unioning reports (#3721)
• Classes containing only methods throwing UnsupportedOperationException with setter-like names are no longer considered as mutable (#1601)
• Enhanced SARIF output with full description sections - adding markdown is still an open issue (#2339)
• Added missing null check to MultipleInstantiationsOfSingletons detector (#3823)
• Fix invalid syntax in findbugsfilter.xsd (#3832)
• Fix CT_CONSTRUCTOR_THROW FP with public and private constructors (#3822)
• Fix tool name in usage info, (#3847)
• Fix the building of relative chains of ./././ in filenames in fbp files (#3852)
• Fix IllegalArgumentException initializing spotbugs when inside a fat jar on Java 25 (#3875)
• Do not report DM_DEFAULT_ENCODING for classes compiled with target >= 18 (#3866)
• Fix FS_BAD_DATE_FORMAT_FLAG_COMBO not suppressed by field-level annotation (#3838)

... (truncated)

Commits

• 9efccc9 release v4.10.2
• 205d91b Check binary compatibility (#4159)
• a177422 Update spring core to v7.0.8 (#4158)
• 2d6857f update sonatype link in RELEASE_PROCEDURE.md (#4157)
• 32d4fb9 chore(build): Add verification on tag release that version matches the tag (#...
• 6657922 prepare for next release
• 7460889 release v4.10.1
• f6c4597 prepare for next release
• 6e64d99 release v4.10.0
• 73a6f59 feat: add partial JSpecify annotations support (from PR #3142) (#3996)
• Additional commits viewable in compare view

Updates com.gradleup.nmcp.settings from 1.5.0 to 1.6.0

Release notes

Sourced from com.gradleup.nmcp.settings's releases.

v1.6.0

Nmcp 1.6.0 stops publishing the following checksums:

• signature checksums (.asc.md5, .asc.sha1, .asc.sha256, .asc.sha512)
• all non-required checksums (.sha256, .sha512)
• all maven-metadata checksums (only for local publishing, maven-metadata.xml is never sent to Central Portal)

This is all disabled by default.

If you like the checksums, you can send them again by setting publishAllChecksums:

nmcpAggregation {
  publishAllChecksums.set(true)
}

If you do, please let me know why, I'm curious!

Changelog

Sourced from com.gradleup.nmcp.settings's changelog.

Version 1.6.0

2026-06-21

Nmcp 1.6.0 stop publishing the following checksums:

• signature checksums (.asc.md5, .asc.sha1, .asc.sha256, .asc.sha512)
• all non-required checksums (.sha256, .sha512)
• all maven-metadata checksums (for local publishing, maven-metadata.xml is never sent to Central Portal)

You can send the checksums by setting publishAllChecksums

nmcpAggregation {
  publishAllChecksums.set(true)
}

Commits

• 431b572 Switch to USER_MANAGED
• b6ffb40 Remove another place where checksums where added (#259)
• 942bcd8 Do not publish checksums for maven-metadata (#258)
• 4ad0a51 Update dependencies (#257)
• cf04ce0 Filter out checksums (#256)
• 7ef98bf Version is now 1.5.1-SNAPSHOT (#254)
• See full diff in compare view

Updates gradle-wrapper from 9.5.1 to 9.6.0

Release notes

Sourced from gradle-wrapper's releases.

9.6.0

The Gradle team is excited to announce Gradle 9.6.0.

Here are the highlights of this release:

• Improved Configuration Cache hit rates
• Additional CLI rendering options
• Important project hierarchy lookup deprecations

Read the Release Notes

We would like to thank the following community members for their contributions to this release of Gradle: Aharnish Solanki, Benedikt Johannes, Devendra Reddy Pennabadi, Dmytro Rodionov, Dreeam, Elías Hernández Rodríguez, Eng Zer Jun, FinlayRJW, Kamal Kansal, Marcono1234, Nelson Osacky, Philip Wedemann, Ravi, Roberto Perez Alcolea, Ryan Schmitt, Sebastian Schuberth, seunghun.ham, sk-reddy17, Suvrat Acharya, Vedant Madane.

Upgrade instructions

Switch your build to use Gradle 9.6.0 by updating your wrapper:

./gradlew :wrapper --gradle-version=9.6.0 && ./gradlew :wrapper

See the Gradle 9.x upgrade guide to learn about deprecations, breaking changes and other considerations when upgrading.

For Java, Groovy, Kotlin and Android compatibility, see the full compatibility notes.

Reporting problems

If you find a problem with this release, please file a bug on GitHub Issues adhering to our issue guidelines. If you're not sure you're encountering a bug, please use the forum.

We hope you will build happiness with Gradle, and we look forward to your feedback via Twitter or on GitHub.

9.6.0 RC3

... (truncated)

Commits

• 3f750f0 Update distro size for Gradle 9.6.0 release (#38243)
• ae93cfa update distro size
• f7e22b5 Update Gradle wrapper to version 9.6.0-rc-3 (#38227)
• 71a8eb9 Update Gradle wrapper to version 9.6.0-rc-3
• 70a8745 Prepare release notes for Gradle 9.6.0RC3 (#38220)
• 9706522 some final polishing for release notes
• af308eb Restore GradleInternal.getRootProject overload for binary compatibility (#38214)
• 239361b Restore GradleInternal.getRootProject overload for binary compatibility
• 896dc44 Update Gradle wrapper to version 9.6.0-rc-2 (#38187)
• 2d4ec25 Update Gradle wrapper to version 9.6.0-rc-2
• Additional commits viewable in compare view

Updates org.junit.jupiter:junit-jupiter from 6.0.3 to 6.1.0

Release notes

Sourced from org.junit.jupiter:junit-jupiter's releases.

JUnit 6.1.0 = Platform 6.1.0 + Jupiter 6.1.0 + Vintage 6.1.0

See Release Notes.

New Contributors

• @​JarvisCraft made their first contribution in junit-team/junit-framework#5633
• @​Maran23 made their first contribution in junit-team/junit-framework#5644

Full Changelog: junit-team/junit-framework@r6.0.3...r6.1.0

JUnit 6.1.0-RC1 = Platform 6.1.0-RC1 + Jupiter 6.1.0-RC1 + Vintage 6.1.0-RC1

See Release Notes.

New Contributors

• @​mariokhoury4 made their first contribution in junit-team/junit-framework#4574
• @​Ogu1208 made their first contribution in junit-team/junit-framework#5145
• @​HyungGeun94 made their first contribution in junit-team/junit-framework#5271
• @​yalishevant made their first contribution in junit-team/junit-framework#5316
• @​JINU-CHANG made their first contribution in junit-team/junit-framework#5290
• @​jaschdoc made their first contribution in junit-team/junit-framework#5427
• @​kawshikbuet17 made their first contribution in junit-team/junit-framework#5561
• @​msridhar made their first contribution in junit-team/junit-framework#5602

Full Changelog: junit-team/junit-framework@r6.1.0-M1...r6.1.0-RC1

JUnit 6.1.0-M1 = Platform 6.1.0-M1 + Jupiter 6.1.0-M1 + Vintage 6.1.0-M1

See Release Notes.

New Contributors

• @​vy made their first contribution in junit-team/junit-framework#5041
• @​Pankraz76 made their first contribution in junit-team/junit-framework#5006
• @​arukiidou made their first contribution in junit-team/junit-framework#5066
• @​laeubi made their first contribution in junit-team/junit-framework#5092
• @​jihun4452 made their first contribution in junit-team/junit-framework#5088
• @​TWiStErRob made their first contribution in junit-team/junit-framework#5133

Full Changelog: junit-team/junit-framework@r6.0.0...r6.1.0-M1

Commits

• 0dc3af1 Release 6.1.0
• 1d13002 Prepare 6.1.0 release notes
• 072b217 Update plugin spotless to v8.5.0 (#5668)
• 3a53480 Update Gradle to v9.5.1 (#5666)
• 0e18a20 Update zizmorcore/zizmor-action action to v0.5.4 (#5669)
• 0a2634f Update github/codeql-action action to v4.35.5 (#5671)
• 4dbd556 Restructure workflows to have single "status" job (#5670)
• f2194ce Increase timeout to reduce flakiness
• 5c8fdd2 Update dependency org.apache.groovy:groovy to v5.0.6 (#5659)
• 43c6982 Update dependency org.slf4j:slf4j-jdk14 to v2.0.18 (#5667)
• Additional commits viewable in compare view

Updates com.peterabeles.gversion from 1.10.3 to 1.11.0

Updates com.gradleup.shadow from 9.4.1 to 9.4.2

Release notes

Sourced from com.gradleup.shadow's releases.

9.4.2

Changed

• Update jdependency to support Java 27. (#2033)

Commits

• 29c432a Prepare version 9.4.2
• 8aa8e6c Update dependency org.vafer:jdependency to v2.16 (#2033)
• See full diff in compare view

Updates pl.allegro.tech.build.axion-release from 1.21.1 to 1.21.2

Release notes

Sourced from pl.allegro.tech.build.axion-release's releases.

v1.21.2

Changed

• @​DisableCachingByDefault added by @​bgalek in allegro/axion-release-plugin#1017
• Fix IllegalStateException when plugin is applied in pluginManagement by @​bgalek in allegro/axion-release-plugin#1018
• Predefined version incrementer integration test by @​bgalek in allegro/axion-release-plugin#987

What's Changed

Dependency updates

• Bump net.bytebuddy:byte-buddy from 1.18.1 to 1.18.2 by @​dependabot[bot] in allegro/axion-release-plugin#1004
• Bump pl.allegro.tech.build.axion-release from 1.21.0 to 1.21.1 by @​dependabot[bot] in allegro/axion-release-plugin#1003
• Bump mkdocs-material from 9.7.0 to 9.7.3 by @​dependabot[bot] in allegro/axion-release-plugin#1009
• Bump gradle/actions from 5 to 6 by @​dependabot[bot] in allegro/axion-release-plugin#1015
• Bump codecov/codecov-action from 5 to 6 by @​dependabot[bot] in allegro/axion-release-plugin#1014
• Bump org.apache.sshd:sshd-git from 2.16.0 to 2.17.1 by @​dependabot[bot] in allegro/axion-release-plugin#1012
• Bump mkdocs-material from 9.7.3 to 9.7.6 by @​dependabot[bot] in allegro/axion-release-plugin#1011
• Bump org.junit.jupiter:junit-jupiter from 6.0.1 to 6.0.3 by @​dependabot[bot] in allegro/axion-release-plugin#1022
• Bump net.bytebuddy:byte-buddy from 1.18.2 to 1.18.8 by @​dependabot[bot] in allegro/axion-release-plugin#1020
• Bump org.testcontainers:spock from 1.21.3 to 1.21.4 by @​dependabot[bot] in allegro/axion-release-plugin#1021
• Bump org.objenesis:objenesis from 3.4 to 3.5 by @​dependabot[bot] in allegro/axion-release-plugin#1025
• Bump com.gradle.plugin-publish from 2.0.0 to 2.1.1 by @​dependabot[bot] in allegro/axion-release-plugin#1024
• Bump org.apache.sshd:sshd-git from 2.17.1 to 2.18.0 by @​dependabot[bot] in allegro/axion-release-plugin#1031
• Bump org.junit.jupiter:junit-jupiter from 6.0.3 to 6.1.0 by @​dependabot[bot] in allegro/axion-release-plugin#1028
• Bump net.bytebuddy:byte-buddy from 1.18.8 to 1.18.9 by @​dependabot[bot] in allegro/axion-release-plugin#1029

Full Changelog: allegro/axion-release-plugin@v1.21.1...v1.21.2

Commits

• 371bd0b Bump net.bytebuddy:byte-buddy from 1.18.8 to 1.18.9 (#1029)
• 538204d Bump org.junit.jupiter:junit-jupiter from 6.0.3 to 6.1.0 (#1028)
• 7d9dee9 Bump org.apache.sshd:sshd-git from 2.17.1 to 2.18.0 (#1031)
• ec55554 Bump com.gradle.plugin-publish from 2.0.0 to 2.1.1 (#1024)
• 1a3aa8f Bump org.objenesis:objenesis from 3.4 to 3.5 (#1025)
• afc349c Predefined version incrementer integration test (#987)
• dcf4d52 Bump org.testcontainers:spock from 1.21.3 to 1.21.4 (#1021)
• 392f599 Bump net.bytebuddy:byte-buddy from 1.18.2 to 1.18.8 (#1020)
• 50479fb Bump org.junit.jupiter:junit-jupiter from 6.0.1 to 6.0.3 (#1022)
• aeed686 Fix IllegalStateException when plugin is applied in pluginManagement { includ...
• Additional commits viewable in compare view

Updates com.diffplug.spotless from 8.5.1 to 8.7.0

Updates com.github.spotbugs from 6.5.4 to 6.5.8

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies, java. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud