chore(deps): bump the maven-dependencies group across 1 directory with 11 updates

[dependabot]

Bumps the maven-dependencies group with 11 updates in the / directory:

Package	From	To
ch.qos.logback:logback-core	1.5.34	1.5.35
ch.qos.logback:logback-classic	1.5.34	1.5.35
org.hibernate.orm:hibernate-core	7.4.1.Final	7.4.2.Final
org.apache.tomcat.embed:tomcat-embed-core	11.0.22	11.0.23
org.apache.tomcat.embed:tomcat-embed-el	11.0.22	11.0.23
org.apache.tomcat.embed:tomcat-embed-websocket	11.0.22	11.0.23
org.apache.tomcat:tomcat-jaspic-api	11.0.22	11.0.23
org.apache.tomcat:tomcat-catalina	11.0.22	11.0.23
org.apache.tomcat:tomcat-jasper	11.0.22	11.0.23
org.apache.tomcat:tomcat-jasper-el	11.0.22	11.0.23
fish.payara.extras:payara-micro	7.2026.5	7.2026.6

Updates ch.qos.logback:logback-core from 1.5.34 to 1.5.35

Release notes

Sourced from ch.qos.logback:logback-core's releases.

Logback 1.5.35

026-06-23 Release of logback version 1.5.35

• The 'condition' attribute in <if> elements now rejects unicode escape sequences (\u and \U). This closes a bypass of the existing prohibition on the new operator in Janino-evaluated conditions. This issue was reported by IcySun (icysun@qq.com) and registered as CVE-2026-13006.

• Added ConfiguratorRank.AUTHENTICATING (rank 100), the highest configurator rank, for certified/authenticating configurators discovered via the ServiceLoader mechanism. ContextInitializer now requires that at most one such configurator exist on the classpath; if more than one is found, initialization aborts with an error.

• ConsoleCharsetPropertyDefiner is no longer shipped. The Java 21 multi-release compilation of logback-core has been disabled, which removes this class from the published artifact. Configurations that referenced ch.qos.logback.core.property.ConsoleCharsetPropertyDefiner will need an alternative approach for console charset detection.

• The logback-examples module is now included in artifacts published to Maven Central.

• JoranConfigurator.makeAnotherInstance() and DefaultJoranConfigurator.performMultiStepConfigurationFileSearch() are now protected, allowing derived configurators to override these methods.

• A bitwise identical binary of this version can be reproduced by building from source code at commit 08bd1598d565d83444f72983935e7da4746783b7 associated with the tag v_1.5.35. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Commits

• 08bd159 preapre release 1.5.35
• 37d256b indentation changes only
• d3d7307 minor comment
• fa0411a radomize file location
• 834fdba disable consoleCharset test
• 42eabc3 fix messages in IfModelHandler
• 347efc8 add unicode escape prevention
• 1b6ba73 allow derived classes to override makeAnotherInstance
• 340e8be check for unicode escape codes in Janino conditions
• 4468f5e adding support for certifying configurators
• Additional commits viewable in compare view

Updates ch.qos.logback:logback-classic from 1.5.34 to 1.5.35

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.35

026-06-23 Release of logback version 1.5.35

• The 'condition' attribute in <if> elements now rejects unicode escape sequences (\u and \U). This closes a bypass of the existing prohibition on the new operator in Janino-evaluated conditions. This issue was reported by IcySun (icysun@qq.com) and registered as CVE-2026-13006.

• Added ConfiguratorRank.AUTHENTICATING (rank 100), the highest configurator rank, for certified/authenticating configurators discovered via the ServiceLoader mechanism. ContextInitializer now requires that at most one such configurator exist on the classpath; if more than one is found, initialization aborts with an error.

• ConsoleCharsetPropertyDefiner is no longer shipped. The Java 21 multi-release compilation of logback-core has been disabled, which removes this class from the published artifact. Configurations that referenced ch.qos.logback.core.property.ConsoleCharsetPropertyDefiner will need an alternative approach for console charset detection.

• The logback-examples module is now included in artifacts published to Maven Central.

• JoranConfigurator.makeAnotherInstance() and DefaultJoranConfigurator.performMultiStepConfigurationFileSearch() are now protected, allowing derived configurators to override these methods.

• A bitwise identical binary of this version can be reproduced by building from source code at commit 08bd1598d565d83444f72983935e7da4746783b7 associated with the tag v_1.5.35. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Commits

• 08bd159 preapre release 1.5.35
• 37d256b indentation changes only
• d3d7307 minor comment
• fa0411a radomize file location
• 834fdba disable consoleCharset test
• 42eabc3 fix messages in IfModelHandler
• 347efc8 add unicode escape prevention
• 1b6ba73 allow derived classes to override makeAnotherInstance
• 340e8be check for unicode escape codes in Janino conditions
• 4468f5e adding support for certifying configurators
• Additional commits viewable in compare view

Updates org.hibernate.orm:hibernate-core from 7.4.1.Final to 7.4.2.Final

Release notes

Sourced from org.hibernate.orm:hibernate-core's releases.

Release 7.4.2

Hibernate ORM 7.4.2.Final released

Today, we published a new release of Hibernate ORM 7.4: 7.4.2.Final.

You can find the full list of 7.4.2.Final changes here.

What's new

• See the website for requirements and compatibilities.
• See the What's New guide for details about new features and capabilities.
• See the Migration Guide for details about migration.

Conclusion

For additional details, see:

• the release page
• the Migration Guide
• the Introduction Guide
• the User Guide
• the API docs

See also the following resources related to supported APIs:

• the compatibility policy
• the incubating API report (@Incubating)
• the deprecated API report (@Deprecated + @Remove)
• the internal API report (internal packages, @Internal)

Visit the website for details on getting in touch with us.

Changelog

Sourced from org.hibernate.orm:hibernate-core's changelog.

Changes in 7.4.2.Final (June 21, 2026)

https://hibernate.atlassian.net/projects/HHH/versions/39622

** Bug * HHH-20587 Log "Attempt to stop an already-stopped RegionFactory" is a warning but should just be debug * HHH-20561 NullPointerException in Query.setCacheRetrieveMode() and Query.setCacheStoreMode() * HHH-20425 Identifier not detected while @Id is placed in @MappedSuperClass and combined with @Access

Commits

• 3c999f3 [Jenkins release job] Preparing release 7.4.2.Final
• 01439c1 [Jenkins release job] changelog.txt updated by release build 7.4.2.Final
• 641a4eb HHH-20561 fix NPE Query.setCacheRetrieveMode/setCacheStoreMode
• 849ea4c HHH-20587 Downgrade "already-stopped RegionFactory" log from WARN to DEBUG
• 0b819b1 HHH-20425 Handle misplaced @​Access on identifier members
• 4f90944 [Jenkins release job] Preparing next development iteration
• See full diff in compare view

Updates org.apache.tomcat.embed:tomcat-embed-core from 11.0.22 to 11.0.23

Updates org.apache.tomcat.embed:tomcat-embed-el from 11.0.22 to 11.0.23

Updates org.apache.tomcat.embed:tomcat-embed-websocket from 11.0.22 to 11.0.23

Updates org.apache.tomcat:tomcat-jaspic-api from 11.0.22 to 11.0.23

Updates org.apache.tomcat:tomcat-catalina from 11.0.22 to 11.0.23

Updates org.apache.tomcat:tomcat-jasper from 11.0.22 to 11.0.23

Updates org.apache.tomcat:tomcat-jasper-el from 11.0.22 to 11.0.23

Updates org.apache.tomcat.embed:tomcat-embed-el from 11.0.22 to 11.0.23

Updates org.apache.tomcat.embed:tomcat-embed-websocket from 11.0.22 to 11.0.23

Updates org.apache.tomcat:tomcat-jaspic-api from 11.0.22 to 11.0.23

Updates org.apache.tomcat:tomcat-catalina from 11.0.22 to 11.0.23

Updates fish.payara.extras:payara-micro from 7.2026.5 to 7.2026.6

Release notes

Sourced from fish.payara.extras:payara-micro's releases.

Azul Payara Community 7.2026.6

Supported APIs and Applications

• Jakarta EE 11

• Jakarta EE 11 Applications

• MicroProfile 6.1

Security Fixes

• [FISH-13637] Fix CSRF + SSRF in Admin Console / REST Management Interface

Bug Fixes

• [FISH-10485] Fix Payara Micro Boot Properties Not Applied With the Right Timing

• [FISH-11896] Fix Quoted-Argument Parsing in prebootCommandFile (asadmin) and PREBOOT_COMMANDS (Docker)

• [FISH-12270] Fix Misleading Log Entries Generated While Configuring Additional Properties for Virtual Servers

• [FISH-12800] Fix MicroProfile /metrics Endpoint Containing Duplicate Metrics

• [FISH-13058] [Community Contribution - lprimak] Fix Missing JSESSIONIDVERSION Leading to Session Not Being Correctly Retrieved in Relaxed Mode

• [FISH-13091] Assorted Deployment Group Fixes

• [FISH-13137] Fix Prometheus Metrics to Report Histogram Times in Seconds

• [FISH-13138] Fix Payara Micro’s --outputlauncher to Respect payara-boot.properties

• [FISH-13400] Fix WELD-001408 Unsatisfied Dependency for Repository Injection in CDI Bean

• [FISH-13447] Fix Micro NullPointerException with log-to-console Access Log Option

• [FISH-13779] Fix Changing the Admin Password in the Admin Console Not Working

Improvements

• [FISH-11606] Avoid Parsing Method Names on Every Jakarta Data HTTP Request

• [FISH-12426] Reintroduce Standalone OpenMQ Support for Windows

• [FISH-13097] Add Default OpenMQ Credentials Warning

• [FISH-13339] Add warlibs Support to remove-library Command

... (truncated)

Commits

• 1cb0ec9 Merge pull request #8241 from Pandrex247/FISH-13532-Windows-Release
• 679c9f2 FISH-13532 Improve Windows SSH Node detection
• 64a172a FISH-13532 SSH Node Liveness improvements
• 92139ab FISH-13532 Fix copyright
• 82207e6 Merge pull request #8239 from Pandrex247/FISH-13823-EDDSA
• 7f165d5 FISH-13823 Replace eddsa with net-i2p-crypto-eddsa
• d90e9fa Increment version numbers for Release
• be83ab0 Merge pull request #8229 from raushan606/FISH-13637
• b95e118 FISH-13637: Do not pass restUrl over request parameters
• a67eae1 Merge pull request #8223 from felixif/FISH-13779
• Additional commits viewable in compare view

Updates org.apache.tomcat:tomcat-jasper from 11.0.22 to 11.0.23

Updates org.apache.tomcat:tomcat-jasper-el from 11.0.22 to 11.0.23

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions