deps(deps-dev): bump com.diffplug.spotless:spotless-maven-plugin from 3.4.0 to 3.6.0

[dependabot]

Bumps com.diffplug.spotless:spotless-maven-plugin from 3.4.0 to 3.6.0.

Release notes

Sourced from com.diffplug.spotless:spotless-maven-plugin's releases.

Maven Plugin v3.6.0

Added

• Add <cacheDirectory> to <eclipse>, <greclipse>, and <eclipseCdt> for the Equo/Solstice P2 cache. (#2944)
• EclipseJdtFormtterStep now can conditionally set compiler source/compliance options. Allows for better parsing of AST Node for newer language features and more correct sorting; e.g. records or seal classes. (#2942)

Fixed

• <versionCatalog> no longer splits long inline tables across multiple lines — Gradle's TOML 1.0 parser cannot read multi-line inline tables. The maxLineLength option has been removed. (#2948)
• spotless:apply no longer aborts on the first file with lints; it now formats all files and reports a single aggregated lint failure across every file, matching the Gradle plugin's behavior. (#2937)
• <greclipse> and <eclipseCdt> now default P2 data to the Maven local repository. (#2944)
• forbidWildcardImports and forbidModuleImports now detect imports that have leading whitespace (indentation/tabs). (#2939)

Changes

• Improved formatting performance by eliminating redundant per-step line-ending normalization in the core formatter loop. (#2934)

Maven Plugin v3.5.1

Fixed

• <licenseHeader> with <yearMode>SET_FROM_GIT</yearMode> no longer runs git log through a shell, eliminating a shell-injection vector when formatting files whose names contain shell metacharacters.
• Bump transitive plexus-utils 4.0.2 -> 4.0.3 to address CVE-2025-67030. (#2919)

Maven Plugin v3.5.0

Added

• <scalafmt> now reads the version from the version field in the scalafmt config file when no <version> is explicitly set, falling back to the built-in default only if neither is available. (#2922)
• Add <toml> format type with <versionCatalog> step for formatting and sorting Gradle version catalog files. (#2916)
• Add <javaparserVersion> option to <cleanthat>, allowing users to override the JavaParser version pulled in transitively by Cleanthat. (#2903)
• Add a expandWildcardImports API for java (#2829)

Fixed

• Preserve case of JDBI named bind params that collide with SQL keywords (e.g. :limit, :offset) in the DBeaver SQL formatter. (#2899)
• The -Dspotless.ratchetFrom=... user property now takes priority over <ratchetFrom> configured in the plugin or in individual formatters, instead of being overridden by them. (#2896, fixes #2842)
• Fix non-idempotent formatting when importOrder() is combined with greclipse(): a single catch-all group no longer strips blank lines that greclipse() independently inserted between import groups. (#2914)

Changes

• Fix expandWildcardImports failing on JDK XML types such as org.xml.sax.InputSource. (#2921)
• Use Eclipse JDT's collator-based comparison when sorting Java members to better match Eclipse save actions. (#2920)
• Bump default cleanthat version 2.24 -> 2.25. (#2903)
• Bump default eclipse-jdt version from 4.35 to 4.39. (#2912)

Commits

• 71a433c Published maven/3.6.0
• 3a0f101 Published gradle/8.6.0
• 007e9d8 Published lib/4.6.2
• a074d53 Allow setting the local P2 cache dir in the Spotless Gradle plugin (#2944)
• a266fc2 Merge branch 'main' into add-cache-directory-dsl
• e0d466e Fix: sort members treats record declarations as types (#2942)
• 3936b6f Merge branch 'main' into main
• 278765f fix: expandWildcardImports support pom type dependency, fix #2839 (#2935)
• a18ddec Remove maxLineLength from versionCatalog step (#2949)
• b91ad87 Add changelog entries for versionCatalog maxLineLength removal
• Additional commits viewable in compare view

[github-actions]

📋 Unreleased Changelog Preview

This is what the next release notes will look like based on commits in this PR.

Changelog

All notable changes to this project will be documented in this file.

[Unreleased]

✨ Features

• Added integrations tests — @nil-malh

• Add integration test classes and configure JaCoCo for code coverage — @nil-malh

⬆️ Dependency Updates

• Updated KTestify Core to 0.1.0-rc1 — @nil-malh

• Bump com.azure:azure-storage-blob (deps) — @dependabot[bot]

• Bump com.diffplug.spotless:spotless-maven-plugin (deps-dev)

🐛 Bug Fixes

• Fixed integration-tests.yml that was failing trying to install ktestify-core from local — @nil-malh

🔧 Miscellaneous

• Migrated workflows from GitHub PAT to GITHUB_TOKEN — @nil-malh

🎉 New Contributors

• @nil-malh made their first contribution in #1

---

Generated by git-cliff

---

🔄 Run #28 · Mon, 01 Jun 2026 23:18:53 GMT

[github-actions]

✅ Test Results

	Metric	Count
✅	Passed	103
❌	Failed	0
⏭️	Skipped	0
📊	Total	103

✅ Coverage

	Type	Coverage	Covered / Total
📏	Lines	80.8%	286 / 354
🌿	Branches	64.8%	92 / 142
🔧	Methods	95.5%	64 / 67

---

🔄 CI run #40 · Sat, 13 Jun 2026 14:10:18 GMT

[github-actions]

📋 Unreleased Changelog Preview

This is what the next release notes will look like based on commits in this PR.

Changelog

All notable changes to this project will be documented in this file.

[Unreleased]

Bug Fixes

• Fixed integration-tests.yml that was failing trying to install ktestify-core from local — @nil-malh

Miscellaneous

• Migrated workflows from GitHub PAT to GITHUB_TOKEN — @nil-malh

• Removed codeql.yml to use GitHub's & fixed an issue with the release workflow. — @nil-malh

✨ Features

• Added integrations tests — @nil-malh

• Add integration test classes and configure JaCoCo for code coverage — @nil-malh

• Add README.md and update changelog configuration — @nil-malh

⬆️ Dependency Updates

• Updated KTestify Core to 0.1.0-rc1 — @nil-malh

• Bump com.azure:azure-storage-blob (deps) — @dependabot[bot]

• Bump com.diffplug.spotless:spotless-maven-plugin (deps-dev)

New Contributors

• @nil-malh made their first contribution in #15

---

Generated by git-cliff

---

🔄 Run #35 · Sat, 13 Jun 2026 14:09:17 GMT

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

License Issues

pom.xml

Package	Version	License	Issue Type
com.diffplug.spotless:spotless-maven-plugin	3.6.0	Null	Unknown License

Allowed Licenses:

Apache-2.0, MIT, BSD-2-Clause, BSD-3-Clause, ISC, LGPL-2.0-only, LGPL-2.1-only, LGPL-2.1-or-later, EPL-1.0, EPL-2.0, CDDL-1.0, CC0-1.0

OpenSSF Scorecard

Package	Version	Score	Details
maven/com.diffplug.spotless:spotless-maven-plugin	3.6.0	🟢 6.4	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 7 Found 9/12 approved changesets -- score normalized to 7 Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 7 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected SAST 🟢 9 SAST tool detected but not run on all commits

Scanned Files

• pom.xml