Skip to content

chore(deps): bump the low-risk group across 1 directory with 17 updates#368

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/low-risk-cc80992f79
Open

chore(deps): bump the low-risk group across 1 directory with 17 updates#368
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/low-risk-cc80992f79

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown
Contributor

Bumps the low-risk group with 17 updates in the / directory:

Package From To
ch.qos.logback:logback-core 1.5.32 1.5.34
ch.qos.logback:logback-classic 1.5.32 1.5.34
com.fasterxml.jackson:jackson-bom 2.21.3 2.22.0
io.projectreactor:reactor-bom 2025.0.5 2025.0.6
org.springframework.boot:spring-boot-dependencies 3.5.14 3.5.15
org.springframework.cloud:spring-cloud-dependencies 2025.1.1 2025.1.2
io.projectreactor.netty:reactor-netty-core 1.3.5 1.3.6
org.pitest:pitest-parent 1.25.1 1.25.4
org.pitest:pitest-maven 1.25.1 1.25.4
io.netty:netty-codec-http 4.2.14.Final 4.2.15.Final
io.netty:netty-codec 4.2.14.Final 4.2.15.Final
io.netty:netty-common 4.2.14.Final 4.2.15.Final
io.netty:netty-handler 4.2.14.Final 4.2.15.Final
com.github.spotbugs:spotbugs 4.9.8 4.10.2
org.jacoco:jacoco-maven-plugin 0.8.14 0.8.15
com.github.spotbugs:spotbugs-maven-plugin 4.9.8.3 4.10.2.0
org.sonatype.central:central-publishing-maven-plugin 0.10.0 0.11.0

Updates ch.qos.logback:logback-core from 1.5.32 to 1.5.34

Release notes

Sourced from ch.qos.logback:logback-core's releases.

Logback 1.5.34

2026-06-01 Release of logback version 1.5.34

• In case certain StackTraceElement values returned by the Throwable.getStackTrace method are null, StackTraceElementProxy substitutes a dummy instance instead of throwing an IllegalArgumentException. This resolves [issues #1040](qos-ch/logback#1040), reported by Naotsugu Kobayashi.

• HardenedObjectInputStream will now throw an InvalidClassException during deserialization attempts of Proxy classes. This change addresses potential deserialization whitelist bypass vulnerability reported by York Shen and registered as CVE-2026-10532.

• A bitwise identical binary of this version can be reproduced by building from source code at commit e62272ac152469aec1ede056c3c7d0d7314e7bfe associated with the tag v_1.5.34. This release was built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.33

2026-05-27 Release of logback version 1.5.33

PropertiesConfiguratorModelHandler now registers properties file URLs to the ConfigurationWatchList when scan is enabled (via local scan="true" attribute or top-level configuration scan), ensuring changes are detected and reconfiguration occurs. This problem was reported in issues/1034.

• When processing <conversionRule> elements and both class and converterClass attributes are specified, silently use the class attribute without issuing a warning. However, if the attribute values differ, a warning will be issued. This change was requested in issues/1031.

HardenedModelInputStream will no longer accept to deserialize all classes located under the "java.lang" and "java.util" packages but a limited number of explicitly authorized classes in those packages. This potential deserialization whitelist bypass vulnerability was reported by York Shen and registered as CVE-2026-9828.

• SSL parameters for SSLSocketAppender now enable hostname verification by default. Moreover, the default protocol is now "TLSv1.2". This potential vulnerability was reported by York Shen.

• When printing the status message field, ViewStatusMessagesServletBase now escapes special characters such as "&" as character entities. This potential vulnerability was reported by York Shen.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 124e8b49b55ac34d08743a0646bd463410192647 associated with the tag v_1.5.33. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Commits
  • e62272a prepare release 1.5.34
  • 1e9e926 add resolveProxyClassRejectsDynamicProxies unit test
  • 2de5cbe added StackTraceElementProxyTest, minor edits to AGENTS.md
  • 0e9b927 in case StackTraceElement is null use a substitute, fixing issues/1040
  • f7a0654 prevent resolveProxyClass bypass
  • 249b81f docs are no longer distributed
  • 1c3b26a start work on 1.5.34-SNAPSHOT
  • 124e8b4 prepare release 1.5.33
  • d8fd6f2 escapeTags in message field when printing status messages
  • 95edbeb hostnameVerification default to true in SSLParametersConfiguration, SSL.DEFAU...
  • Additional commits viewable in compare view

Updates ch.qos.logback:logback-classic from 1.5.32 to 1.5.34

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.34

2026-06-01 Release of logback version 1.5.34

• In case certain StackTraceElement values returned by the Throwable.getStackTrace method are null, StackTraceElementProxy substitutes a dummy instance instead of throwing an IllegalArgumentException. This resolves [issues #1040](qos-ch/logback#1040), reported by Naotsugu Kobayashi.

• HardenedObjectInputStream will now throw an InvalidClassException during deserialization attempts of Proxy classes. This change addresses potential deserialization whitelist bypass vulnerability reported by York Shen and registered as CVE-2026-10532.

• A bitwise identical binary of this version can be reproduced by building from source code at commit e62272ac152469aec1ede056c3c7d0d7314e7bfe associated with the tag v_1.5.34. This release was built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.33

2026-05-27 Release of logback version 1.5.33

PropertiesConfiguratorModelHandler now registers properties file URLs to the ConfigurationWatchList when scan is enabled (via local scan="true" attribute or top-level configuration scan), ensuring changes are detected and reconfiguration occurs. This problem was reported in issues/1034.

• When processing <conversionRule> elements and both class and converterClass attributes are specified, silently use the class attribute without issuing a warning. However, if the attribute values differ, a warning will be issued. This change was requested in issues/1031.

HardenedModelInputStream will no longer accept to deserialize all classes located under the "java.lang" and "java.util" packages but a limited number of explicitly authorized classes in those packages. This potential deserialization whitelist bypass vulnerability was reported by York Shen and registered as CVE-2026-9828.

• SSL parameters for SSLSocketAppender now enable hostname verification by default. Moreover, the default protocol is now "TLSv1.2". This potential vulnerability was reported by York Shen.

• When printing the status message field, ViewStatusMessagesServletBase now escapes special characters such as "&" as character entities. This potential vulnerability was reported by York Shen.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 124e8b49b55ac34d08743a0646bd463410192647 associated with the tag v_1.5.33. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Commits
  • e62272a prepare release 1.5.34
  • 1e9e926 add resolveProxyClassRejectsDynamicProxies unit test
  • 2de5cbe added StackTraceElementProxyTest, minor edits to AGENTS.md
  • 0e9b927 in case StackTraceElement is null use a substitute, fixing issues/1040
  • f7a0654 prevent resolveProxyClass bypass
  • 249b81f docs are no longer distributed
  • 1c3b26a start work on 1.5.34-SNAPSHOT
  • 124e8b4 prepare release 1.5.33
  • d8fd6f2 escapeTags in message field when printing status messages
  • 95edbeb hostnameVerification default to true in SSLParametersConfiguration, SSL.DEFAU...
  • Additional commits viewable in compare view

Updates ch.qos.logback:logback-classic from 1.5.32 to 1.5.34

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.34

2026-06-01 Release of logback version 1.5.34

• In case certain StackTraceElement values returned by the Throwable.getStackTrace method are null, StackTraceElementProxy substitutes a dummy instance instead of throwing an IllegalArgumentException. This resolves [issues #1040](qos-ch/logback#1040), reported by Naotsugu Kobayashi.

• HardenedObjectInputStream will now throw an InvalidClassException during deserialization attempts of Proxy classes. This change addresses potential deserialization whitelist bypass vulnerability reported by York Shen and registered as CVE-2026-10532.

• A bitwise identical binary of this version can be reproduced by building from source code at commit e62272ac152469aec1ede056c3c7d0d7314e7bfe associated with the tag v_1.5.34. This release was built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.33

2026-05-27 Release of logback version 1.5.33

PropertiesConfiguratorModelHandler now registers properties file URLs to the ConfigurationWatchList when scan is enabled (via local scan="true" attribute or top-level configuration scan), ensuring changes are detected and reconfiguration occurs. This problem was reported in issues/1034.

• When processing <conversionRule> elements and both class and converterClass attributes are specified, silently use the class attribute without issuing a warning. However, if the attribute values differ, a warning will be issued. This change was requested in issues/1031.

HardenedModelInputStream will no longer accept to deserialize all classes located under the "java.lang" and "java.util" packages but a limited number of explicitly authorized classes in those packages. This potential deserialization whitelist bypass vulnerability was reported by York Shen and registered as CVE-2026-9828.

• SSL parameters for SSLSocketAppender now enable hostname verification by default. Moreover, the default protocol is now "TLSv1.2". This potential vulnerability was reported by York Shen.

• When printing the status message field, ViewStatusMessagesServletBase now escapes special characters such as "&" as character entities. This potential vulnerability was reported by York Shen.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 124e8b49b55ac34d08743a0646bd463410192647 associated with the tag v_1.5.33. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Commits
  • e62272a prepare release 1.5.34
  • 1e9e926 add resolveProxyClassRejectsDynamicProxies unit test
  • 2de5cbe added StackTraceElementProxyTest, minor edits to AGENTS.md
  • 0e9b927 in case StackTraceElement is null use a substitute, fixing issues/1040
  • f7a0654 prevent resolveProxyClass bypass
  • 249b81f docs are no longer distributed
  • 1c3b26a start work on 1.5.34-SNAPSHOT
  • 124e8b4 prepare release 1.5.33
  • d8fd6f2 escapeTags in message field when printing status messages
  • 95edbeb hostnameVerification default to true in SSLParametersConfiguration, SSL.DEFAU...
  • Additional commits viewable in compare view

Updates com.fasterxml.jackson:jackson-bom from 2.21.3 to 2.22.0

Commits
  • 112e859 [maven-release-plugin] prepare release jackson-bom-2.22.0
  • 2cae2ce Prep for 2.22.0 release
  • 7955d21 Merge branch '2.21' into 2.x
  • 8922a05 Post-release dep version bump
  • 1fa9943 [maven-release-plugin] prepare for next development iteration
  • d1abd31 [maven-release-plugin] prepare release jackson-bom-2.21.4
  • 2aaea43 Prep for 2.21.4 release
  • 902ec69 Update Woodstox/stax2-api (to 7.2.0/4.3.0)
  • 2570647 Merge branch '2.21' into 2.x
  • 9d3a9d5 Post-release dep version bump
  • Additional commits viewable in compare view

Updates io.projectreactor:reactor-bom from 2025.0.5 to 2025.0.6

Release notes

Sourced from io.projectreactor:reactor-bom's releases.

2025.0.6

2025.0.6 release train is made of:

These artifacts didn't have any changes:

Commits
  • 2764b66 [release] Prepare and release BOM 2025.0.6
  • d7fff6b Merge-ignore release 2024.0.18 into 2025.0.6
  • 52e80b7 [release] Back to snapshots, next BOM will be SR 19
  • 518bad4 [release] Prepare and release BOM 2024.0.18
  • 86280c8 Merge #780 into 2025.0.6
  • 8d7d6f3 Bump actions/checkout from 6.0.2 to 6.0.3 (#780)
  • df88e6b Merge 4dece8e9 into 2025.0.6
  • 4dece8e [build] Use non-capturing groups for all numeric segments in qualifyVersion
  • 2f4cdc8 Merge 17214287 into 2025.0.6
  • 1721428 [build] Enhance version parsing to support 4-part numeric versions
  • Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-dependencies from 3.5.14 to 3.5.15

Release notes

Sourced from org.springframework.boot:spring-boot-dependencies's releases.

v3.5.15

🐞 Bug Fixes

  • Artemis auto-configuration uses a predictable default location for the embedded broker's data #50743
  • MailSender auto-configuration does not enable hostname verification #50742
  • SSL should not be enabled when a SSL bundle is overridden to an empty string #50624
  • Layer written outside the output location of '//' exception is thrown when using extract layers in root directory #50501
  • Docker Compose support does not restore thread interrupt flag when catching InterruptedException #50451
  • RabbitProperties enables SSL even when spring.rabbitmq.ssl.bundle is overridden to an empty string #50429
  • GraphQL WebSocket support does not configure allowed origins #50391
  • Buildpack module does not validate long-to-int casts #50382
  • MappingsEndpoint reports the context's own ID as parentId when a parent exists #50373
  • Created StackTracePrinter instances have no access to the Environment #50303
  • NullPointerException in reactor-netty SniProvider when SSL bundle uses client-auth or server truststore without server-name-bundles #50301
  • Spring Boot Loader Does Not Support RSA and EC Signed Jars #50292
  • ConfigurationPropertiesReportEndpoint exposes AOP proxy internals #50273
  • Actuator's '/cloudfoundryapplication' endpoint does not work if restrictive CORS configuration is provided using a bean named corsConfigurationSource #50254
  • Meter registries are not removed from the global registry when the context is closed #50235
  • ThreadPoolTaskScheduleBuilder unnecessarily loses precision when configuring await termination time #50225
  • Apply HTML escaping to timestamp attribute in Whitelabel error page #50205
  • NimbusJwtDecoder silently accepts unknown values for spring.security.oauth2.resourceserver.jwt.jws-algorithms #50118
  • EndpointRequest links matcher unnecessarily matches HTTP methods other than GET #50095

📔 Documentation

  • Fix reference to Gradle documentation for module replacement #50641
  • Remove the use of Optional from Data Neo4j repository examples #50600
  • Fix typos in documentation #50593
  • Document Java 25 requirement for AOT cache #50482
  • Clarify dependency requirement for Bean Validation support #50290
  • Document SSL reloading with Let's Encrypt #50222
  • Polish InvalidConfigurationPropertyValueException constructor javadoc #50212
  • Document known testcontainers lifecycle issues #50210
  • Document configuring multiple connectors with Jetty #50206
  • Fix typo in Spring Security OAuth2 client registration documentation #50193

🔨 Dependency Upgrades

... (truncated)

Commits
  • c069bce Release v3.5.15
  • b068647 Upgrade to Spring Integration 6.5.9
  • 327bef3 Enable hostname verification by default in Mail auto-config
  • 4218bd7 Fix predictable temp directory in Artemis embedded configuration
  • b2a67be Upgrade to Spring GraphQL 1.4.6
  • 54ef8d3 Upgrade to Spring Batch 5.2.6
  • d3f60fe Upgrade to Spring WS 4.1.4
  • 28d4ae8 Upgrade to Spring Session 3.5.7
  • 190c452 Upgrade to Spring Security 6.5.11
  • 34e7b58 Upgrade to Spring Pulsar 1.2.18
  • Additional commits viewable in compare view

Updates org.springframework.cloud:spring-cloud-dependencies from 2025.1.1 to 2025.1.2

Release notes

Sourced from org.springframework.cloud:spring-cloud-dependencies's releases.

v2025.1.2

What's Included

  • Spring Cloud Netflix 5.0.2 (issues)
  • Spring Cloud Stream 5.0.2 (issues)
  • Spring Cloud Config 5.0.4 (issues)
  • Spring Cloud Consul 5.0.2 (issues)
  • Spring Cloud Circuitbreaker 5.0.2 (issues)
  • Spring Cloud Starter Build 2025.1.2 (issues)
  • Spring Cloud Build 5.0.2 (issues)
  • Spring Cloud Gateway 5.0.2 (issues)
  • Spring Cloud Bus 5.0.2 (issues)
  • Spring Cloud Contract 5.0.3 (issues)
  • Spring Cloud Vault 5.0.2 (issues)
  • Spring Cloud Task 5.0.2 (issues)
  • Spring Cloud Function 5.0.3 (issues)
  • Spring Cloud Kubernetes 5.0.2 (issues)
  • Spring Cloud Commons 5.0.2 (issues)
  • Spring Cloud Openfeign 5.0.2 (issues)
  • Spring Cloud Zookeeper 5.0.2 (issues)

What's Changed

Full Changelog: spring-cloud/spring-cloud-release@v2025.1.1...v2025.1.2

Commits
  • bda306d Update SNAPSHOT to 2025.1.2
  • 4fd3272 Merge pull request #517 from spring-cloud/dependabot/npm_and_yarn/docs/main/s...
  • be421f5 Bump @​springio/antora-extensions from 1.14.11 to 1.14.12 in /docs
  • 6ad8d9d Merge pull request #513 from spring-cloud/dependabot/maven/main/org.apache.ma...
  • bc10fd4 Merge pull request #514 from spring-cloud/dependabot/maven/org.apache.maven-m...
  • 57ecb39 Bump org.apache.maven:maven-model from 3.9.15 to 3.9.16
  • 3963ec2 Bump org.apache.maven:maven-model from 3.9.15 to 3.9.16
  • def3e63 Upgrading antora to 3.2.0-alpha.12
  • 145f1d6 Bumping versions
  • 0a141a4 Update spring-cloud-config.version to 5.0.4-SNAPSHOT
  • Additional commits viewable in compare view

Updates io.projectreactor.netty:reactor-netty-core from 1.3.5 to 1.3.6

Release notes

Sourced from io.projectreactor.netty:reactor-netty-core's releases.

v1.3.6

Reactor Netty 1.3.6 is part of 2025.0.6 Release Train.

What's Changed

⚠️ Update considerations and deprecations

✨ New features and improvements

🐞 Bug fixes

📖 Documentation

New Contributors

Full Changelog: reactor/reactor-netty@v1.3.5...v1.3.6

Commits
  • 511a3b6 [release] Prepare and release 1.3.6
  • 3d3bdcb Merge-ignore release 1.2.18 into 1.3.6
  • 9bd9255 [release] Back to snapshots, next is 1.2.19-SNAPSHOT
  • c753da4 [release] Prepare and release 1.2.18
  • 1a4c422 Update HTTP/3 configuration
  • 2c6325e Merge e7ef551ee into 1.3.6
  • e7ef551 Refine header handling during redirects
  • 22ecd82 Merge #4243 into 1.3.6
  • b26ac28 Bump biz.aQute.bnd.builder from 7.2.3 to 7.3.0 (#4243)
  • bf1c241 Merge #4242 into 1.3.6
  • Additional commits viewable in compare view

Updates org.pitest:pitest-parent from 1.25.1 to 1.25.4

Release notes

Sourced from org.pitest:pitest-parent's releases.

1.25.4

1.25.3

  • #1476 Introduce post pre-scan type

1.25.2

  • #1474 Publish sboms via cyclonedx
  • #1475 Bug fix - listeners controlled by feature strings should also be selectable by name
Commits
  • 5595375 Merge pull request #1468 from see-quick/support-configurable-decimal-precision
  • 180da11 update readme for 1.25.3
  • 29cfaa7 Merge pull request #1476 from hcoles/feature/post_checks
  • e61ab0d introduce post pre-scan type
  • 168a03e update readme for 1.25.2
  • 35328f4 Merge pull request #1475 from hcoles/bug/feature_output_formats
  • 19eaf7c feture listeners can be selected by name of feature
  • dece940 fix output formats
  • afcf116 force sbom deployment
  • 7ed1572 Merge pull request #1474 from hcoles/feature/setup_cyclonedx
  • Additional commits viewable in compare view

Updates org.pitest:pitest-maven from 1.25.1 to 1.25.4

Release notes

Sourced from org.pitest:pitest-maven's releases.

1.25.4

1.25.3

  • #1476 Introduce post pre-scan type

1.25.2

  • #1474 Publish sboms via cyclonedx
  • #1475 Bug fix - listeners controlled by feature strings should also be selectable by name
Commits
  • 5595375 Merge pull request #1468 from see-quick/support-configurable-decimal-precision
  • 180da11 update readme for 1.25.3
  • 29cfaa7 Merge pull request #1476 from hcoles/feature/post_checks
  • e61ab0d introduce post pre-scan type
  • 168a03e update readme for 1.25.2
  • 35328f4 Merge pull request #1475 from hcoles/bug/feature_output_formats
  • 19eaf7c feture listeners can be selected by name of feature
  • dece940 fix output formats
  • afcf116 force sbom deployment
  • 7ed1572 Merge pull request #1474 from hcoles/feature/setup_cyclonedx
  • Additional commits viewable in compare view

Updates io.netty:netty-codec-http from 4.2.14.Final to 4.2.15.Final

Release notes

Sourced from io.netty:netty-codec-http's releases.

netty-4.2.15.Final

Security fixes

  • CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
  • CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
  • CVE-2026-50560: DDoS in io.netty:netty-codec-http2.
  • CVE-2026-50011: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-50009: information disclosure and denial of service in io.netty:netty-codec-classes-quic.
  • CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
  • CVE-2026-50020: request smuggling in io.netty:netty-codec-http.
  • CVE-2026-44892: memory exhaustion in io.netty:netty-codec-http3 (high).
  • CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
  • CVE-2026-44894: traffic amplification in io.netty:netty-codec-classes-quic (high).
  • CVE-2026-50010: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
  • CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.
  • CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).
  • CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
  • CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).
  • CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).
  • CVE-2026-47244: denial of service in io.netty:netty-codec-http2.
  • CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-48748: memory exhaustion in io.netty:netty-codec-http3 (high).
  • CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

What's Changed

New Contributors

Full Changelog: netty/netty@netty-4.2.14.Final...netty-4.2.15.Final

Commits
  • a41f7b2 [maven-release-plugin] prepare release netty-4.2.15.Final
  • 2394530 Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remain...
  • 0bd1657 Add maxWindowLog parameter to ZstdDecoder to bound memory allocation (#16850)
  • 76291f5 Fix SCTP and Redis tests (#16893)
  • e067b6e Fix revapi warnings (#16885)
  • 5a52600 Pass maxAllocation to Brotli and Zstd decoders (#16844)

Bumps the low-risk group with 17 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [ch.qos.logback:logback-core](https://github.com/qos-ch/logback) | `1.5.32` | `1.5.34` |
| [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) | `1.5.32` | `1.5.34` |
| [com.fasterxml.jackson:jackson-bom](https://github.com/FasterXML/jackson-bom) | `2.21.3` | `2.22.0` |
| [io.projectreactor:reactor-bom](https://github.com/reactor/reactor) | `2025.0.5` | `2025.0.6` |
| [org.springframework.boot:spring-boot-dependencies](https://github.com/spring-projects/spring-boot) | `3.5.14` | `3.5.15` |
| [org.springframework.cloud:spring-cloud-dependencies](https://github.com/spring-cloud/spring-cloud-release) | `2025.1.1` | `2025.1.2` |
| [io.projectreactor.netty:reactor-netty-core](https://github.com/reactor/reactor-netty) | `1.3.5` | `1.3.6` |
| [org.pitest:pitest-parent](https://github.com/hcoles/pitest) | `1.25.1` | `1.25.4` |
| [org.pitest:pitest-maven](https://github.com/hcoles/pitest) | `1.25.1` | `1.25.4` |
| [io.netty:netty-codec-http](https://github.com/netty/netty) | `4.2.14.Final` | `4.2.15.Final` |
| [io.netty:netty-codec](https://github.com/netty/netty) | `4.2.14.Final` | `4.2.15.Final` |
| [io.netty:netty-common](https://github.com/netty/netty) | `4.2.14.Final` | `4.2.15.Final` |
| [io.netty:netty-handler](https://github.com/netty/netty) | `4.2.14.Final` | `4.2.15.Final` |
| [com.github.spotbugs:spotbugs](https://github.com/spotbugs/spotbugs) | `4.9.8` | `4.10.2` |
| [org.jacoco:jacoco-maven-plugin](https://github.com/jacoco/jacoco) | `0.8.14` | `0.8.15` |
| [com.github.spotbugs:spotbugs-maven-plugin](https://github.com/spotbugs/spotbugs-maven-plugin) | `4.9.8.3` | `4.10.2.0` |
| [org.sonatype.central:central-publishing-maven-plugin](https://github.com/sonatype/central-publishing-maven-plugin) | `0.10.0` | `0.11.0` |



Updates `ch.qos.logback:logback-core` from 1.5.32 to 1.5.34
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.32...v_1.5.34)

Updates `ch.qos.logback:logback-classic` from 1.5.32 to 1.5.34
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.32...v_1.5.34)

Updates `ch.qos.logback:logback-classic` from 1.5.32 to 1.5.34
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.32...v_1.5.34)

Updates `com.fasterxml.jackson:jackson-bom` from 2.21.3 to 2.22.0
- [Commits](FasterXML/jackson-bom@jackson-bom-2.21.3...jackson-bom-2.22.0)

Updates `io.projectreactor:reactor-bom` from 2025.0.5 to 2025.0.6
- [Release notes](https://github.com/reactor/reactor/releases)
- [Commits](reactor/reactor@2025.0.5...2025.0.6)

Updates `org.springframework.boot:spring-boot-dependencies` from 3.5.14 to 3.5.15
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.14...v3.5.15)

Updates `org.springframework.cloud:spring-cloud-dependencies` from 2025.1.1 to 2025.1.2
- [Release notes](https://github.com/spring-cloud/spring-cloud-release/releases)
- [Commits](spring-cloud/spring-cloud-release@v2025.1.1...v2025.1.2)

Updates `io.projectreactor.netty:reactor-netty-core` from 1.3.5 to 1.3.6
- [Release notes](https://github.com/reactor/reactor-netty/releases)
- [Commits](reactor/reactor-netty@v1.3.5...v1.3.6)

Updates `org.pitest:pitest-parent` from 1.25.1 to 1.25.4
- [Release notes](https://github.com/hcoles/pitest/releases)
- [Commits](hcoles/pitest@1.25.1...1.25.4)

Updates `org.pitest:pitest-maven` from 1.25.1 to 1.25.4
- [Release notes](https://github.com/hcoles/pitest/releases)
- [Commits](hcoles/pitest@1.25.1...1.25.4)

Updates `io.netty:netty-codec-http` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `io.netty:netty-codec` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `io.netty:netty-common` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `io.netty:netty-handler` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `io.netty:netty-codec` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `io.netty:netty-common` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `io.netty:netty-handler` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `com.github.spotbugs:spotbugs` from 4.9.8 to 4.10.2
- [Release notes](https://github.com/spotbugs/spotbugs/releases)
- [Changelog](https://github.com/spotbugs/spotbugs/blob/master/CHANGELOG.md)
- [Commits](spotbugs/spotbugs@4.9.8...4.10.2)

Updates `org.jacoco:jacoco-maven-plugin` from 0.8.14 to 0.8.15
- [Release notes](https://github.com/jacoco/jacoco/releases)
- [Commits](jacoco/jacoco@v0.8.14...v0.8.15)

Updates `com.github.spotbugs:spotbugs-maven-plugin` from 4.9.8.3 to 4.10.2.0
- [Release notes](https://github.com/spotbugs/spotbugs-maven-plugin/releases)
- [Commits](spotbugs/spotbugs-maven-plugin@spotbugs-maven-plugin-4.9.8.3...spotbugs-maven-plugin-4.10.2.0)

Updates `org.pitest:pitest-maven` from 1.25.1 to 1.25.4
- [Release notes](https://github.com/hcoles/pitest/releases)
- [Commits](hcoles/pitest@1.25.1...1.25.4)

Updates `org.sonatype.central:central-publishing-maven-plugin` from 0.10.0 to 0.11.0
- [Commits](https://github.com/sonatype/central-publishing-maven-plugin/commits)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-core
  dependency-version: 1.5.34
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.34
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.34
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: com.fasterxml.jackson:jackson-bom
  dependency-version: 2.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: low-risk
- dependency-name: io.projectreactor:reactor-bom
  dependency-version: 2025.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: org.springframework.boot:spring-boot-dependencies
  dependency-version: 3.5.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: org.springframework.cloud:spring-cloud-dependencies
  dependency-version: 2025.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: io.projectreactor.netty:reactor-netty-core
  dependency-version: 1.3.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: org.pitest:pitest-parent
  dependency-version: 1.25.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: org.pitest:pitest-maven
  dependency-version: 1.25.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: io.netty:netty-codec-http
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: io.netty:netty-codec
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: io.netty:netty-common
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: io.netty:netty-handler
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: io.netty:netty-codec
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: io.netty:netty-common
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: io.netty:netty-handler
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: com.github.spotbugs:spotbugs
  dependency-version: 4.10.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: low-risk
- dependency-name: org.jacoco:jacoco-maven-plugin
  dependency-version: 0.8.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: com.github.spotbugs:spotbugs-maven-plugin
  dependency-version: 4.10.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: low-risk
- dependency-name: org.pitest:pitest-maven
  dependency-version: 1.25.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: org.sonatype.central:central-publishing-maven-plugin
  dependency-version: 0.11.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: low-risk
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown
Contributor Author

Assignees

The following users could not be added as assignees: RichardSlater. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 22, 2026
Copilot AI review requested due to automatic review settings June 22, 2026 04:09

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant