Skip to content

Bump the maven group across 1 directory with 5 updates#182

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/maven-8d7653cb17
Open

Bump the maven group across 1 directory with 5 updates#182
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/maven-8d7653cb17

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 30, 2026

Copy link
Copy Markdown
Contributor

Bumps the maven group with 5 updates in the / directory:

Package From To
org.springframework:spring-core 5.3.39 6.2.11
org.apache.tomcat.embed:tomcat-embed-core 9.0.98 9.0.118
org.springframework.security:spring-security-web 5.7.13 6.5.9
org.springframework.security:spring-security-core 5.7.14 6.2.8
ch.qos.logback:logback-core 1.2.13 1.5.25

Updates org.springframework:spring-core from 5.3.39 to 6.2.11

Release notes

Sourced from org.springframework:spring-core's releases.

v6.2.11

⭐ New Features

  • Missing @Nullable on JsonPathAssertions.isEqualTo #35445
  • Graceful fallback for non-default NIO.2 FileSystems #35443
  • Avoid thread pinning in SseEmitter, ResponseBodyEmitter #35423
  • Detect Informix error codes as DuplicateKeyException #35400
  • Inconsistent nullability for String value arguments in ResponseCookie from*() factory methods #35377
  • Revisit taskTerminationTimeout semantics on SimpleAsyncTaskExecutor/Scheduler #35372
  • StandardEvaluationContext.setBeanResolver should allow @Nullable BeanResolver #35371

🐞 Bug Fixes

  • "mainThreadPrefix = null " Causing multiple background bean locks to be blocked #35409
  • Annotation not found on parameter in overridden method unless method is public #35349
  • Annotations on overridden methods not found in type hierarchy with unresolved generics #35342
  • Performance degradation when using singleton beans with Provider #35330
  • JettyClientHttpConnector buffer leak in Spring Framework 6.2 #35319
  • Spring application hangs on shutdown with @Scheduled(cron=…) when custom ScheduledExecutorService bean is defined (Java 19+) #35316

📔 Documentation

  • Document potential need to use Mockito.doXxx() to stub a @MockitoSpyBean #35410
  • Fix links to Reactive Libraries and RestTemplate #35392
  • Fix broken link in WebDriver docs #35374
  • Document Web DataBinder support for RouterFunction #35367
  • Improve documentation for ApplicationEvents to clarify recommended usage #35335
  • Document terms and units in DataSize.parse() #35298
  • Refine @Contract Javadoc #35285
  • Correct the default value of nestedTransactionAllowed in JpaTransactionManager javadoc #35212

🔨 Dependency Upgrades

  • Upgrade to Micrometer 1.14.11 #35455
  • Upgrade to Reactor 2024.0.10 #35454

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Dockerel, @​Kehrlann, @​acktsap, @​khj68, @​ngocnhan-tran1996, @​scordio, and @​sgflt

v6.2.10

⭐ New Features

  • Optimize NIO path resolution in PathEditor #35304
  • Make type in ProblemDetail nullable #35294
  • Refine UriUtils#decode and StringUtils#uriDecode implementation and documentation #35253
  • Provide configurable useCaches option for URLConnection usage in UrlResource (avoiding jar file leak) #35218

... (truncated)

Commits
  • 4c13425 Release v6.2.11
  • d17601e Upgrade to Undertow 2.3.19, RxJava 3.1.11, Aalto 1.3.3
  • 5b38761 Clarify intended nestedTransactionAllowed default in JpaTransactionManager
  • 0e3e34b Find annotations on parameters in overridden non-public methods
  • 4745c7c Name local variables consistently
  • 275fb52 Upgrade to Reactor 2024.0.10 and Micrometer 1.14.11
  • 7f9aa39 Polishing
  • c788554 Avoid thread pinning in SseEmitter, ResponseBodyEmitter
  • 9e8c640 Make JsonPathAssertions#isEqualTo parameter nullable
  • ebb8e34 Upgrade to Jetty 12.0.26, Jetty Reactive HttpClient 4.0.11, Netty 4.1.127, Ht...
  • Additional commits viewable in compare view

Updates org.apache.tomcat.embed:tomcat-embed-core from 9.0.98 to 9.0.118

Updates org.springframework.security:spring-security-web from 5.7.13 to 6.5.9

Release notes

Sourced from org.springframework.security:spring-security-web's releases.

6.5.9

⭐ New Features

  • Update Link to CSRF Docs in FAQ #18616

🪲 Bug Fixes

  • Fix GrantedAuthority.authority null in AuthoritiesAuthorizationManager #18544
  • saveAuthenticationRequest should read relayState from authenticationRequest #18872
  • Add Missing OnCommitedResponseWrapper Header Overrides #18798
  • Clarify Resource Server startup expectations #18518
  • Correct Reference to Clear-Site-Data Directive enum #18273
  • Fix CookieRequestCache parameters #18857
  • Fix Flaky Crypto Tests #18841
  • Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs #18896

🔨 Dependency Upgrades

  • Bump @antora/collector-extension from 1.0.2 to 1.0.3 in /docs #18854
  • Bump actions/upload-artifact from 6.0.0 to 7.0.0 #18809
  • Bump ch.qos.logback:logback-classic from 1.5.29 to 1.5.32 #18749
  • Bump com.fasterxml.jackson:jackson-bom from 2.18.5 to 2.18.6 #18779
  • Bump io.projectreactor:reactor-bom from 2024.0.15 to 2024.0.16 #18876
  • Bump org-apache-maven-resolver from 1.9.25 to 1.9.26 #18750
  • Bump org-apache-maven-resolver from 1.9.26 to 1.9.27 #18791
  • Bump org.apache.maven:maven-resolver-provider from 3.9.12 to 3.9.13 #18860
  • Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14 #18886
  • Bump org.hibernate.orm:hibernate-core from 6.6.42.Final to 6.6.43.Final #18780
  • Bump org.hibernate.orm:hibernate-core from 6.6.43.Final to 6.6.44.Final #18829
  • Bump org.springframework:spring-framework-bom from 6.2.16 to 6.2.17 #18903

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Hann244, @​Khyojae, @​ghusta, @​itsmevichu, @​qihaiyan, @​rwinch, @​therepanic, and @​ziqin

6.5.8

⭐ New Features

  • Add @FunctionalInterface to RequestMatcher #18337
  • Spring Security 7 should provide migration path from request-matcher="ant" #18211
  • Stop deploying JavaDoc outside of Antora #18199

🪲 Bug Fixes

  • Add Missing Migration Pages to Navigation #18313
  • Create SHA-1 MessageDigest for every new check request in Compromised Password Checker #18235
  • Fix typo in "Preparing for 7.0" in reference to PathPatternRequestMatcher #18336
  • Fix typo in AnnotationTemplateExpressionDefaults documentation #18176

... (truncated)

Commits
  • 0c54a55 Release 6.5.9
  • 01ff3b0 Add Workflow for Deferring Issues
  • 33e6f4b Merge Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs
  • cdd4b36 Update Antora UI Spring to v0.4.26
  • 7672f76 Bump io.projectreactor:reactor-bom from 2024.0.15 to 2024.0.16
  • 3db4999 Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14
  • a708d2f Bump org.springframework:spring-framework-bom from 6.2.16 to 6.2.17
  • e726c05 Fix Jackson 2 deserializer for AuthenticationExtensionsClientOutputs
  • a7039fb Test Jackson 2 deserializer with unknown primitive WebAuthn ext
  • 88ea668 Test Jackson 2 deserializer with unknown obj/arr WebAuthn ext
  • Additional commits viewable in compare view

Updates org.springframework.security:spring-security-core from 5.7.14 to 6.2.8

Release notes

Sourced from org.springframework.security:spring-security-core's releases.

6.2.8

⭐ New Features

  • Support ServerExchangeRejectedHandler @Bean #16061
  • Support ServerWebExchangeFirewall @Bean #15987

🪲 Bug Fixes

  • Fix error when Bearer token is requested with empty string #15940
  • Make RequestMatcherDelegatingAuthorizationManager post-processable #15978
  • RequestMatcherDelegatingAuthorizationManager should be post-processable #15948
  • Unhandled exception in CookieRequestCache results in 500 Internal Server Error #15985

🔨 Dependency Upgrades

  • Bump io.micrometer:micrometer-observation from 1.12.12 to 1.12.13 #16128
  • Bump io.projectreactor:reactor-bom from 2023.0.11 to 2023.0.12 #16081
  • Bump org.hsqldb:hsqldb from 2.7.3 to 2.7.4 #16031
  • Bump org.springframework.data:spring-data-bom from 2023.1.11 to 2023.1.12 #16127
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.7 to 3.2.8 #16100
  • Bump org.springframework:spring-framework-bom from 6.1.14 to 6.1.15 #16099

🔩 Build Updates

  • Bump @antora/collector-extension from 1.0.0-beta.4 to 1.0.0-beta.5 in /docs #16120
  • Update Antora UI Spring to v0.4.17 #15931

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​codeconsole, @​dependabot[bot], @​github-actions[bot], and @​jacknie84

6.2.7

🪲 Bug Fixes

  • Disabling credentials erasure on custom AuthenticationManager is not working #15807
  • Documentation inconsistency in AuthorizationManager's verify method return type #15704
  • Fix code format in OIDC Logout docs #15566
  • Fix OIDC Logout docs: Session Strategy vs. Registry #15686
  • Methods annotated with @PostFilter are processed twice by PostFilterAuthorizationMethodInterceptor #15675
  • Methods annotated with @PostFilter are processed twice by PostFilterAuthorizationMethodInterceptor #15651
  • SecurityJackson2Modules.getModules(): Cannot load module org.springframework.security.cas.jackson2.CasJackson2Module #15766
  • The additionalParameters array parameter of OAuth2AuthorizationRequest causes the authorizationRequestUri to be incorrect #15828

🔨 Dependency Upgrades

  • Bump Gradle Wrapper from 8.10.1 to 8.10.2 #15841
  • Bump io.micrometer:micrometer-observation from 1.12.10 to 1.12.11 #15919
  • Bump io.mockk:mockk from 1.13.12 to 1.13.13 #15896

... (truncated)

Commits
  • a5cd7ce Release 6.2.8
  • a8c4d6c Require Locale argument for toLower/toUpperCase usage
  • 5f838b0 Bump io.micrometer:micrometer-observation from 1.12.12 to 1.12.13
  • bc3e6f2 Bump org.springframework.data:spring-data-bom
  • 810d83e Bump @​antora/collector-extension in /docs
  • 127ed4b Bump org.springframework:spring-framework-bom from 6.1.14 to 6.1.15
  • da345a3 Bump org.springframework.ldap:spring-ldap-core from 3.2.7 to 3.2.8
  • 0790978 Bump io.projectreactor:reactor-bom from 2023.0.11 to 2023.0.12
  • 0d8b8ee Bump io.micrometer:micrometer-observation from 1.12.11 to 1.12.12
  • 81e74e6 Support ServerExchangeRejectedHandler @​Bean
  • Additional commits viewable in compare view

Updates ch.qos.logback:logback-core from 1.2.13 to 1.5.25

Release notes

Sourced from ch.qos.logback:logback-core's releases.

Logback 1.5.25

2026-01-17 Release of logback version 1.5.25

• When processing configuration files, logback-core will now only instantiate components compatible with the class expected by the encapsulating class. This fixes an ACE vulnerability recorded as CVE-2026-1225.

• In configuration files, referencing a single undeclared appender would cause all referenced appenders to be skipped. This issue was discovered in issues/997.

• Added VersionUtil class to logback-core. This utility class checks for version compatibility issues and alerts the user if need be.

• Added EpochConverter to output milliseconds/seconds since epoch. This enhancement was requested by Duncan Jauncey in issues/1000 who also provided the relevant implementation PR.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit f426e0002800cfb507f393fcacffe0761a425220 associated with the tag v_1.5.25. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.24

2026-01-06 Release of logback version 1.5.24

• Added ExpressionPropertyCondition a PropertyCondition that can evaluate boolean expressions similar to Java. See the relevant documentation for further details.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 62bc5fc245dd3a52f3dd45e232733f4cefb4806d associated with the tag v_1.5.24. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.23

2025-12-21 Release of logback version 1.5.23

• In response to issues/959 file name collisions are detected at configuration time by analyzing the configuration file and no longer at run time. This avoids the ConcurrentModificationException reported in the issue.

• ZIP and XZ compression now use a BufferedOutputStream when writing to the compressed file. This issue was reported in issues/988.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 0bcc3feb54a6d99caac70969ee5f8334aad1fbaf associated with the tag v_1.5.23. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.22

2025-12-11 Release of logback version 1.5.22

• In order to prevent involuntary information leakage, Logback will no longer output the value of a substituted variable, if the variable name contains any of the case-insensitive strings "password", "secret" or "confidential". This problem was reported by Chintan Rohila in issues/986.

• Logback now takes the overridden toString() method of Throwable subclasses into account when printing stack traces. This issue was reported in LOGBACK-543 by Alvin Chee, with a fix provided in PR 404 by Brett Kail.

• Instead of limit-counting guard, Logback now uses a tumbling-window guard to rate limit internal error messages.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 572379aabd2f672b49593e4020696c624541e5b0 associated with the tag v_1.5.22. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.21

2025-11-10 Release of logback version 1.5.21

• Invocations of turbo filters in isDebugEnabled, isInfoEnabled()... remain as they were, untouched. However, any installed instances of TurboFilter are now invoked also from within the log(LoggingEvent) method of Logger with the contents of the LoggingEvent, typically via the fluent API. This fixes issues/871.

• Removed reentry-guard in most subclasses of UnsynchronizedAppenderBase where it was not needed.

Initialization procedure has been simplified by removing the step instantiating a SerializedModelConfigurator. However, it is still possible to set up SerializedModelConfigurator as a custom configurator.

• JsonEncoder is now friendlier to derivation by sub-classes as requested in issues/979.

... (truncated)

Commits
  • f426e00 prepare release of 1.5.25
  • d28931f restrict object creation to expected supertype
  • aa264f7 test default variable values in appender-ref ref attribute
  • 8fb403a adjust copyright year
  • b294a12 check optionList in start()
  • b65040a Add EpochConverter for milliseconds/seconds since epoch (related to issue #96...
  • 0690174 cla for Duncan Jauncey
  • 71dc2af Removed email address for Tony.
  • 1f97ae1 check for undeclared by referenced appenders
  • b07355e Move the artifact version checking code to VersionUtil in logback-core.
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the maven group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [org.springframework:spring-core](https://github.com/spring-projects/spring-framework) | `5.3.39` | `6.2.11` |
| org.apache.tomcat.embed:tomcat-embed-core | `9.0.98` | `9.0.118` |
| [org.springframework.security:spring-security-web](https://github.com/spring-projects/spring-security) | `5.7.13` | `6.5.9` |
| [org.springframework.security:spring-security-core](https://github.com/spring-projects/spring-security) | `5.7.14` | `6.2.8` |
| [ch.qos.logback:logback-core](https://github.com/qos-ch/logback) | `1.2.13` | `1.5.25` |



Updates `org.springframework:spring-core` from 5.3.39 to 6.2.11
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v5.3.39...v6.2.11)

Updates `org.apache.tomcat.embed:tomcat-embed-core` from 9.0.98 to 9.0.118

Updates `org.springframework.security:spring-security-web` from 5.7.13 to 6.5.9
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](spring-projects/spring-security@5.7.13...6.5.9)

Updates `org.springframework.security:spring-security-core` from 5.7.14 to 6.2.8
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](spring-projects/spring-security@5.7.14...6.2.8)

Updates `ch.qos.logback:logback-core` from 1.2.13 to 1.5.25
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.2.13...v_1.5.25)

---
updated-dependencies:
- dependency-name: org.springframework:spring-core
  dependency-version: 6.2.11
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.apache.tomcat.embed:tomcat-embed-core
  dependency-version: 9.0.118
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.springframework.security:spring-security-web
  dependency-version: 6.5.9
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.springframework.security:spring-security-core
  dependency-version: 6.2.8
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: ch.qos.logback:logback-core
  dependency-version: 1.5.25
  dependency-type: direct:production
  dependency-group: maven
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels Jun 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file java Pull requests that update java code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants