Skip to content

Bump the all-maven-dependencies group across 2 directories with 4 updates#679

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/all-maven-dependencies-c9237c2846
Open

Bump the all-maven-dependencies group across 2 directories with 4 updates#679
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/all-maven-dependencies-c9237c2846

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 29, 2026

Bumps the all-maven-dependencies group with 4 updates in the / directory: com.sap.cloud.security:java-bom, org.apache.maven.plugins:maven-surefire-plugin, org.apache.maven.plugins:maven-failsafe-plugin and com.diffplug.spotless:spotless-maven-plugin.
Bumps the all-maven-dependencies group with 4 updates in the /srv directory: com.sap.cloud.security:java-bom, org.apache.maven.plugins:maven-surefire-plugin, org.apache.maven.plugins:maven-failsafe-plugin and com.diffplug.spotless:spotless-maven-plugin.

Updates com.sap.cloud.security:java-bom from 3.7.2 to 3.7.3

Release notes

Sourced from com.sap.cloud.security:java-bom's releases.

3.7.3

Dependency upgrades

  • Bump org.springframework.boot:spring-boot from 3.5.9 to 3.5.14
  • Bump org.springframework:spring-core from 6.2.15 to 6.2.18
  • Bump org.springframework.security from 6.5.7 to 6.5.10
  • Bump org.eclipse.jetty:jetty-bom from 12.1.7 to 12.1.9
  • Bump io.projectreactor:reactor-core from 3.8.3 to 3.8.5
  • Bump org.apache.logging.log4j from 2.25.3 to 2.25.4
  • Bump org.slf4j:slf4j-api from 2.0.17 to 2.0.18
  • Bump org.apache.httpcomponents.client5:httpclient5 from 5.6 to 5.6.1
  • Bump com.github.ben-manes.caffeine:caffeine from 3.2.0 to 3.2.4
  • Bump commons-io:commons-io from 2.21.0 to 2.22.0
  • Bump org.mockito:mockito-core from 5.22.0 to 5.23.0
  • Bump com.github.spotbugs:spotbugs-maven-plugin from 4.9.8.1 to 4.9.8.3
  • Bump com.sap.cloud.environment.servicebinding:java-bom from 0.21.0 to 0.31.0
Changelog

Sourced from com.sap.cloud.security:java-bom's changelog.

Change Log

All notable changes to this project will be documented in this file.

4.0.6

  • Update dependencies to address known vulnerabilities:
    • Spring Boot (legacy 3.x modules): 3.5.9 → 3.5.14
    • Spring Framework (legacy 3.x modules): 6.2.15 → 6.2.18
    • Spring Security (legacy 3.x modules): 6.5.7 → 6.5.10
    • Caffeine: 3.2.0 → 3.2.4
    • SpotBugs Maven Plugin: 4.9.8.2 → 4.9.8.3

4.0.5

  • Restore deprecated HttpClientFactory.services field and ServiceLoader-based factory discovery for backward compatibility

    • Custom HttpClientFactory implementations registered via META-INF/services are discovered again
    • A deprecation warning is logged when a custom factory is used, guiding users to migrate to SecurityHttpClientFactory with SecurityHttpClientProvider
    • Token services with default (no-arg) constructors continue to use the new SecurityHttpClientProvider internally

  • Fix multi-tenant IAS token exchange by adding app_tid parameter to the token exchange request in DefaultIdTokenExtension

    • In multi-tenant applications, IAS requires app_tid in addition to client_id to uniquely identify the application
    • The app_tid is extracted from the incoming access token and included when present

4.0.4

  • Improve domain validation handling in JwtValidatorBuilder for IAS tokens

4.0.3

  • Fix multi-tenant IAS token exchange to use token issuer URL instead of provider IAS URL from configuration in DefaultIdTokenExtension

4.0.2

  • Fix token exchange credential handling to use getClientIdentity() instead of manually checking for certificate vs client secret
  • Add IAS certificate properties (certificate, key, credential-type, certurl) to IdentityServicesPropertySourceFactory to properly map X.509 credentials for IAS service bindings

4.0.1

  • Fix IAS token exchange to use getUrl() instead of getCertUrl() in DefaultIdTokenExtension

4.0.0 - Major Release

This is a major release with breaking changes. The library has been upgraded to Spring Boot 4.x and Jakarta EE 10. For applications still on Spring Boot 3.x, compatibility modules are provided. Please check the 4.0 Migration Guide for comprehensive upgrade instructions

⚠️ BREAKING CHANGES

Spring Boot and Jakarta EE Version Upgrades

  • Spring Boot: Upgraded from 3.x to 4.0.3
  • Spring Framework: Upgraded from 6.x to 7.0.5

... (truncated)

Commits

Updates org.apache.maven.plugins:maven-surefire-plugin from 3.5.5 to 3.5.6

Release notes

Sourced from org.apache.maven.plugins:maven-surefire-plugin's releases.

3.5.6

🚀 New features and improvements

  • Introduce reportTestTimestamp option and include timestamp for test sets and test cases (#3261) (#3302) @​olamy

🐛 Bug Fixes

👻 Maintenance

📦 Dependency updates

Commits
  • 25ea054 [maven-release-plugin] prepare release surefire-3.5.6
  • e5f374c Bump org.fusesource.jansi:jansi from 2.4.2 to 2.4.3
  • dadd55b Issue #2613 Debugging failsafe tests: Message 'Listening for transport dt_soc...
  • 39dd250 Bump commons-io:commons-io from 2.21.0 to 2.22.0
  • 2774273 Ensure that the statistics filename is calculated only once. (#3326) (#3327)
  • 0d5df8a 3.5.x/bug/cherry pick embedded mode its (#3328)
  • 04ad9a2 Use surefire 3.5.5 by project itself for testing
  • 37e8f69 Add flakes attribute to use in testsuite report (#3306) (#3308)
  • a970fef Introduce reportTestTimestamp option and include timestamp for test sets and ...
  • e838393 deploy 3.5.x branch to nexus
  • Additional commits viewable in compare view

Updates org.apache.maven.plugins:maven-failsafe-plugin from 3.5.5 to 3.5.6

Release notes

Sourced from org.apache.maven.plugins:maven-failsafe-plugin's releases.

3.5.6

🚀 New features and improvements

  • Introduce reportTestTimestamp option and include timestamp for test sets and test cases (#3261) (#3302) @​olamy

🐛 Bug Fixes

👻 Maintenance

📦 Dependency updates

Commits
  • 25ea054 [maven-release-plugin] prepare release surefire-3.5.6
  • e5f374c Bump org.fusesource.jansi:jansi from 2.4.2 to 2.4.3
  • dadd55b Issue #2613 Debugging failsafe tests: Message 'Listening for transport dt_soc...
  • 39dd250 Bump commons-io:commons-io from 2.21.0 to 2.22.0
  • 2774273 Ensure that the statistics filename is calculated only once. (#3326) (#3327)
  • 0d5df8a 3.5.x/bug/cherry pick embedded mode its (#3328)
  • 04ad9a2 Use surefire 3.5.5 by project itself for testing
  • 37e8f69 Add flakes attribute to use in testsuite report (#3306) (#3308)
  • a970fef Introduce reportTestTimestamp option and include timestamp for test sets and ...
  • e838393 deploy 3.5.x branch to nexus
  • Additional commits viewable in compare view

Updates com.diffplug.spotless:spotless-maven-plugin from 3.5.1 to 3.6.0

Release notes

Sourced from com.diffplug.spotless:spotless-maven-plugin's releases.

Maven Plugin v3.6.0

Added

  • Add <cacheDirectory> to <eclipse>, <greclipse>, and <eclipseCdt> for the Equo/Solstice P2 cache. (#2944)
  • EclipseJdtFormtterStep now can conditionally set compiler source/compliance options. Allows for better parsing of AST Node for newer language features and more correct sorting; e.g. records or seal classes. (#2942)

Fixed

  • <versionCatalog> no longer splits long inline tables across multiple lines — Gradle's TOML 1.0 parser cannot read multi-line inline tables. The maxLineLength option has been removed. (#2948)
  • spotless:apply no longer aborts on the first file with lints; it now formats all files and reports a single aggregated lint failure across every file, matching the Gradle plugin's behavior. (#2937)
  • <greclipse> and <eclipseCdt> now default P2 data to the Maven local repository. (#2944)
  • forbidWildcardImports and forbidModuleImports now detect imports that have leading whitespace (indentation/tabs). (#2939)

Changes

  • Improved formatting performance by eliminating redundant per-step line-ending normalization in the core formatter loop. (#2934)
Commits
  • 71a433c Published maven/3.6.0
  • 3a0f101 Published gradle/8.6.0
  • 007e9d8 Published lib/4.6.2
  • a074d53 Allow setting the local P2 cache dir in the Spotless Gradle plugin (#2944)
  • a266fc2 Merge branch 'main' into add-cache-directory-dsl
  • e0d466e Fix: sort members treats record declarations as types (#2942)
  • 3936b6f Merge branch 'main' into main
  • 278765f fix: expandWildcardImports support pom type dependency, fix #2839 (#2935)
  • a18ddec Remove maxLineLength from versionCatalog step (#2949)
  • b91ad87 Add changelog entries for versionCatalog maxLineLength removal
  • Additional commits viewable in compare view

Updates com.sap.cloud.security:java-bom from 3.7.2 to 3.7.3

Release notes

Sourced from com.sap.cloud.security:java-bom's releases.

3.7.3

Dependency upgrades

  • Bump org.springframework.boot:spring-boot from 3.5.9 to 3.5.14
  • Bump org.springframework:spring-core from 6.2.15 to 6.2.18
  • Bump org.springframework.security from 6.5.7 to 6.5.10
  • Bump org.eclipse.jetty:jetty-bom from 12.1.7 to 12.1.9
  • Bump io.projectreactor:reactor-core from 3.8.3 to 3.8.5
  • Bump org.apache.logging.log4j from 2.25.3 to 2.25.4
  • Bump org.slf4j:slf4j-api from 2.0.17 to 2.0.18
  • Bump org.apache.httpcomponents.client5:httpclient5 from 5.6 to 5.6.1
  • Bump com.github.ben-manes.caffeine:caffeine from 3.2.0 to 3.2.4
  • Bump commons-io:commons-io from 2.21.0 to 2.22.0
  • Bump org.mockito:mockito-core from 5.22.0 to 5.23.0
  • Bump com.github.spotbugs:spotbugs-maven-plugin from 4.9.8.1 to 4.9.8.3
  • Bump com.sap.cloud.environment.servicebinding:java-bom from 0.21.0 to 0.31.0
Changelog

Sourced from com.sap.cloud.security:java-bom's changelog.

Change Log

All notable changes to this project will be documented in this file.

4.0.6

  • Update dependencies to address known vulnerabilities:
    • Spring Boot (legacy 3.x modules): 3.5.9 → 3.5.14
    • Spring Framework (legacy 3.x modules): 6.2.15 → 6.2.18
    • Spring Security (legacy 3.x modules): 6.5.7 → 6.5.10
    • Caffeine: 3.2.0 → 3.2.4
    • SpotBugs Maven Plugin: 4.9.8.2 → 4.9.8.3

4.0.5

  • Restore deprecated HttpClientFactory.services field and ServiceLoader-based factory discovery for backward compatibility

    • Custom HttpClientFactory implementations registered via META-INF/services are discovered again
    • A deprecation warning is logged when a custom factory is used, guiding users to migrate to SecurityHttpClientFactory with SecurityHttpClientProvider
    • Token services with default (no-arg) constructors continue to use the new SecurityHttpClientProvider internally

  • Fix multi-tenant IAS token exchange by adding app_tid parameter to the token exchange request in DefaultIdTokenExtension

    • In multi-tenant applications, IAS requires app_tid in addition to client_id to uniquely identify the application
    • The app_tid is extracted from the incoming access token and included when present

4.0.4

  • Improve domain validation handling in JwtValidatorBuilder for IAS tokens

4.0.3

  • Fix multi-tenant IAS token exchange to use token issuer URL instead of provider IAS URL from configuration in DefaultIdTokenExtension

4.0.2

  • Fix token exchange credential handling to use getClientIdentity() instead of manually checking for certificate vs client secret
  • Add IAS certificate properties (certificate, key, credential-type, certurl) to IdentityServicesPropertySourceFactory to properly map X.509 credentials for IAS service bindings

4.0.1

  • Fix IAS token exchange to use getUrl() instead of getCertUrl() in DefaultIdTokenExtension

4.0.0 - Major Release

This is a major release with breaking changes. The library has been upgraded to Spring Boot 4.x and Jakarta EE 10. For applications still on Spring Boot 3.x, compatibility modules are provided. Please check the 4.0 Migration Guide for comprehensive upgrade instructions

⚠️ BREAKING CHANGES

Spring Boot and Jakarta EE Version Upgrades

  • Spring Boot: Upgraded from 3.x to 4.0.3
  • Spring Framework: Upgraded from 6.x to 7.0.5

... (truncated)

Commits

Updates org.apache.maven.plugins:maven-surefire-plugin from 3.5.5 to 3.5.6

Release notes

Sourced from org.apache.maven.plugins:maven-surefire-plugin's releases.

3.5.6

🚀 New features and improvements

  • Introduce reportTestTimestamp option and include timestamp for test sets and test cases (#3261) (#3302) @​olamy

🐛 Bug Fixes

👻 Maintenance

📦 Dependency updates

Commits
  • 25ea054 [maven-release-plugin] prepare release surefire-3.5.6
  • e5f374c Bump org.fusesource.jansi:jansi from 2.4.2 to 2.4.3
  • dadd55b Issue #2613 Debugging failsafe tests: Message 'Listening for transport dt_soc...
  • 39dd250 Bump commons-io:commons-io from 2.21.0 to 2.22.0
  • 2774273 Ensure that the statistics filename is calculated only once. (#3326) (#3327)
  • 0d5df8a 3.5.x/bug/cherry pick embedded mode its (#3328)
  • 04ad9a2 Use surefire 3.5.5 by project itself for testing
  • 37e8f69 Add flakes attribute to use in testsuite report (#3306) (#3308)
  • a970fef Introduce reportTestTimestamp option and include timestamp for test sets and ...
  • e838393 deploy 3.5.x branch to nexus
  • Additional commits viewable in compare view

Updates org.apache.maven.plugins:maven-failsafe-plugin from 3.5.5 to 3.5.6

Release notes

Sourced from org.apache.maven.plugins:maven-failsafe-plugin's releases.

3.5.6

🚀 New features and improvements

  • Introduce reportTestTimestamp option and include timestamp for test sets and test cases (#3261) (#3302) @​olamy

🐛 Bug Fixes

👻 Maintenance

📦 Dependency updates

Commits
  • 25ea054 [maven-release-plugin] prepare release surefire-3.5.6
  • e5f374c Bump org.fusesource.jansi:jansi from 2.4.2 to 2.4.3
  • dadd55b Issue #2613 Debugging failsafe tests: Message 'Listening for transport dt_soc...
  • 39dd250 Bump commons-io:commons-io from 2.21.0 to 2.22.0
  • 2774273 Ensure that the statistics filename is calculated only once. (#3326) (#3327)
  • 0d5df8a 3.5.x/bug/cherry pick embedded mode its (#3328)
  • 04ad9a2 Use surefire 3.5.5 by project itself for testing
  • 37e8f69 Add flakes attribute to use in testsuite report (#3306) (#3308)
  • a970fef Introduce reportTestTimestamp option and include timestamp for test sets and ...
  • e838393 deploy 3.5.x branch to nexus
  • Additional commits viewable in compare view

Updates com.diffplug.spotless:spotless-maven-plugin from 3.5.1 to 3.6.0

Release notes

Sourced from com.diffplug.spotless:spotless-maven-plugin's releases.

Maven Plugin v3.6.0

Added

  • Add <cacheDirectory> to <eclipse>, <greclipse>, and <eclipseCdt> for the Equo/Solstice P2 cache. (#2944)
  • EclipseJdtFormtterStep now can conditionally set compiler source/compliance options. Allows for better parsing of AST Node for newer language features and more correct sorting; e.g. records or seal classes. (#2942)

Fixed

  • <versionCatalog> no longer splits long inline tables across multiple lines — Gradle's TOML 1.0 parser cannot read multi-line inline tables. The maxLineLength option has been removed. (#2948)
  • spotless:apply no longer aborts on the first file with lints; it now formats all files and reports a single aggregated lint failure across every file, matching the Gradle plugin's behavior. (#2937)
  • <greclipse> and <eclipseCdt> now default P2 data to the Maven local repository. (#2944)
  • forbidWildcardImports and forbidModuleImports now detect imports that have leading whitespace (indentation/tabs). (#2939)

Changes

  • Improved formatting performance by eliminating redundant per-step line-ending normalization in the core formatter loop. (#2934)
Commits
  • 71a433c Published maven/3.6.0
  • 3a0f101 Published gradle/8.6.0
  • 007e9d8 Published lib/4.6.2
  • a074d53 Allow setting the local P2 cache dir in the Spotless Gradle plugin (#2944)
  • a266fc2 Merge branch 'main' into add-cache-directory-dsl
  • e0d466e Fix: sort members treats record declarations as types (#2942)
  • 3936b6f Merge branch 'main' into main
  • 278765f fix: expandWildcardImports support pom type dependency, fix #2839 (#2935)
  • a18ddec Remove maxLineLength from versionCatalog step (#2949)
  • b91ad87 Add changelog entries for versionCatalog maxLineLength removal
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
Bump the all-maven-dependencies group across 2 directories with 4 upd…
7362573 
…ates

Bumps the all-maven-dependencies group with 4 updates in the / directory: [com.sap.cloud.security:java-bom](https://github.com/SAP/cloud-security-xsuaa-integration), [org.apache.maven.plugins:maven-surefire-plugin](https://github.com/apache/maven-surefire), [org.apache.maven.plugins:maven-failsafe-plugin](https://github.com/apache/maven-surefire) and [com.diffplug.spotless:spotless-maven-plugin](https://github.com/diffplug/spotless).
Bumps the all-maven-dependencies group with 4 updates in the /srv directory: [com.sap.cloud.security:java-bom](https://github.com/SAP/cloud-security-xsuaa-integration), [org.apache.maven.plugins:maven-surefire-plugin](https://github.com/apache/maven-surefire), [org.apache.maven.plugins:maven-failsafe-plugin](https://github.com/apache/maven-surefire) and [com.diffplug.spotless:spotless-maven-plugin](https://github.com/diffplug/spotless).


Updates `com.sap.cloud.security:java-bom` from 3.7.2 to 3.7.3
- [Release notes](https://github.com/SAP/cloud-security-xsuaa-integration/releases)
- [Changelog](https://github.com/SAP/cloud-security-services-integration-library/blob/main/CHANGELOG.md)
- [Commits](SAP/cloud-security-services-integration-library@3.7.2...3.7.3)

Updates `org.apache.maven.plugins:maven-surefire-plugin` from 3.5.5 to 3.5.6
- [Release notes](https://github.com/apache/maven-surefire/releases)
- [Commits](apache/maven-surefire@surefire-3.5.5...surefire-3.5.6)

Updates `org.apache.maven.plugins:maven-failsafe-plugin` from 3.5.5 to 3.5.6
- [Release notes](https://github.com/apache/maven-surefire/releases)
- [Commits](apache/maven-surefire@surefire-3.5.5...surefire-3.5.6)

Updates `com.diffplug.spotless:spotless-maven-plugin` from 3.5.1 to 3.6.0
- [Release notes](https://github.com/diffplug/spotless/releases)
- [Changelog](https://github.com/diffplug/spotless/blob/main/CHANGES.md)
- [Commits](diffplug/spotless@maven/3.5.1...maven/3.6.0)

Updates `com.sap.cloud.security:java-bom` from 3.7.2 to 3.7.3
- [Release notes](https://github.com/SAP/cloud-security-xsuaa-integration/releases)
- [Changelog](https://github.com/SAP/cloud-security-services-integration-library/blob/main/CHANGELOG.md)
- [Commits](SAP/cloud-security-services-integration-library@3.7.2...3.7.3)

Updates `org.apache.maven.plugins:maven-surefire-plugin` from 3.5.5 to 3.5.6
- [Release notes](https://github.com/apache/maven-surefire/releases)
- [Commits](apache/maven-surefire@surefire-3.5.5...surefire-3.5.6)

Updates `org.apache.maven.plugins:maven-failsafe-plugin` from 3.5.5 to 3.5.6
- [Release notes](https://github.com/apache/maven-surefire/releases)
- [Commits](apache/maven-surefire@surefire-3.5.5...surefire-3.5.6)

Updates `com.diffplug.spotless:spotless-maven-plugin` from 3.5.1 to 3.6.0
- [Release notes](https://github.com/diffplug/spotless/releases)
- [Changelog](https://github.com/diffplug/spotless/blob/main/CHANGES.md)
- [Commits](diffplug/spotless@maven/3.5.1...maven/3.6.0)

---
updated-dependencies:
- dependency-name: com.sap.cloud.security:java-bom
  dependency-version: 3.7.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-maven-dependencies
- dependency-name: org.apache.maven.plugins:maven-surefire-plugin
  dependency-version: 3.5.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-maven-dependencies
- dependency-name: org.apache.maven.plugins:maven-failsafe-plugin
  dependency-version: 3.5.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-maven-dependencies
- dependency-name: com.diffplug.spotless:spotless-maven-plugin
  dependency-version: 3.6.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-maven-dependencies
- dependency-name: com.sap.cloud.security:java-bom
  dependency-version: 3.7.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-maven-dependencies
- dependency-name: org.apache.maven.plugins:maven-surefire-plugin
  dependency-version: 3.5.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all-maven-dependencies
- dependency-name: org.apache.maven.plugins:maven-failsafe-plugin
  dependency-version: 3.5.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all-maven-dependencies
- dependency-name: com.diffplug.spotless:spotless-maven-plugin
  dependency-version: 3.6.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-maven-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels May 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file java Pull requests that update Java code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants