Skip to content

chore(deps): bump the low-risk group across 1 directory with 18 updates#369

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/low-risk-4a3250df08
Open

chore(deps): bump the low-risk group across 1 directory with 18 updates#369
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/low-risk-4a3250df08

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps the low-risk group with 18 updates in the / directory:

Package From To
ch.qos.logback:logback-core 1.5.32 1.5.37
ch.qos.logback:logback-classic 1.5.32 1.5.37
org.junit.jupiter:junit-jupiter 6.1.0 6.1.1
com.fasterxml.jackson:jackson-bom 2.21.3 2.22.0
io.projectreactor:reactor-bom 2025.0.5 2025.0.6
org.springframework.boot:spring-boot-dependencies 3.5.14 3.5.16
org.springframework.cloud:spring-cloud-dependencies 2025.1.1 2025.1.2
io.projectreactor.netty:reactor-netty-core 1.3.5 1.3.6
org.pitest:pitest-parent 1.25.1 1.25.5
org.pitest:pitest-maven 1.25.1 1.25.5
io.netty:netty-codec-http 4.2.14.Final 4.2.15.Final
io.netty:netty-codec 4.2.14.Final 4.2.15.Final
io.netty:netty-common 4.2.14.Final 4.2.15.Final
io.netty:netty-handler 4.2.14.Final 4.2.15.Final
com.github.spotbugs:spotbugs 4.9.8 4.10.2
org.jacoco:jacoco-maven-plugin 0.8.14 0.8.15
com.github.spotbugs:spotbugs-maven-plugin 4.9.8.3 4.10.2.0
org.sonatype.central:central-publishing-maven-plugin 0.10.0 0.11.0

Updates ch.qos.logback:logback-core from 1.5.32 to 1.5.37

Release notes

Sourced from ch.qos.logback:logback-core's releases.

Logback 1.5.37

2026-06-26 Release of logback version 1.5.37

  1. • Given the numerous vulnerabilities related to conditional configuration processing based on the evaluation of Java expressions using the Janino library, support for such expressions has been removed. Users are offered the an online migration service or the <condition> element introduced in version 1.5.20. See the relevant documentation for more details.

• A bitwise identical binary of this version can be reproduced by building from source code at commit c1df7f522e648eec7b4ef6a12c8758fec0f00048 associated with the tag v_1.5.37. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.36

2026-06-25 Release of logback version 1.5.36

• The 'condition' attribute in <if> elements now reject certain references that are associated with ACE attacks. This issue was reported by "yulate" (yulate531@gmail.com.com) and registered as CVE-2026-13006. Please note that version 1.5.37 provides the full fix to this vulnerability.

• A bitwise identical binary of this version can be reproduced by building from source code at commit 9b94c37562bf25a6a944146701d42ee6c4eee888 associated with the tag v_1.5.36. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.35

026-06-23 Release of logback version 1.5.35

• The 'condition' attribute in <if> elements now rejects unicode escape sequences (\u and \U). This closes a bypass of the existing prohibition on the new operator in Janino-evaluated conditions. This issue was reported by IcySun (icysun@qq.com) and registered as CVE-2026-13006. Please note that version 1.5.37 provides the full fix to this vulnerability.

• Added ConfiguratorRank.AUTHENTICATING (rank 100), the highest configurator rank, for certified/authenticating configurators discovered via the ServiceLoader mechanism. ContextInitializer now requires that at most one such configurator exist on the classpath; if more than one is found, initialization aborts with an error.

ConsoleCharsetPropertyDefiner is no longer shipped. The Java 21 multi-release compilation of logback-core has been disabled, which removes this class from the published artifact. Configurations that referenced ch.qos.logback.core.property.ConsoleCharsetPropertyDefiner will need an alternative approach for console charset detection.

• The logback-examples module is now included in artifacts published to Maven Central.

JoranConfigurator.makeAnotherInstance() and DefaultJoranConfigurator.performMultiStepConfigurationFileSearch() are now protected, allowing derived configurators to override these methods.

• A bitwise identical binary of this version can be reproduced by building from source code at commit 08bd1598d565d83444f72983935e7da4746783b7 associated with the tag v_1.5.35. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.34

2026-06-01 Release of logback version 1.5.34

• In case certain StackTraceElement values returned by the Throwable.getStackTrace method are null, StackTraceElementProxy substitutes a dummy instance instead of throwing an IllegalArgumentException. This resolves [issues #1040](qos-ch/logback#1040), reported by Naotsugu Kobayashi.

• HardenedObjectInputStream will now throw an InvalidClassException during deserialization attempts of Proxy classes. This change addresses potential deserialization whitelist bypass vulnerability reported by York Shen and registered as CVE-2026-10532.

• A bitwise identical binary of this version can be reproduced by building from source code at commit e62272ac152469aec1ede056c3c7d0d7314e7bfe associated with the tag v_1.5.34. This release was built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.33

2026-05-27 Release of logback version 1.5.33

PropertiesConfiguratorModelHandler now registers properties file URLs to the ConfigurationWatchList when scan is enabled (via local scan="true" attribute or top-level configuration scan), ensuring changes are detected and reconfiguration occurs. This problem was reported in issues/1034.

• When processing <conversionRule> elements and both class and converterClass attributes are specified, silently use the class attribute without issuing a warning. However, if the attribute values differ, a warning will be issued. This change was requested in issues/1031.

HardenedModelInputStream will no longer accept to deserialize all classes located under the "java.lang" and "java.util" packages but a limited number of explicitly authorized classes in those packages. This potential deserialization whitelist bypass vulnerability was reported by York Shen and registered as CVE-2026-9828.

• SSL parameters for SSLSocketAppender now enable hostname verification by default. Moreover, the default protocol is now "TLSv1.2". This potential vulnerability was reported by York Shen.

• When printing the status message field, ViewStatusMessagesServletBase now escapes special characters such as "&" as character entities. This potential vulnerability was reported by York Shen.

... (truncated)

Commits

Updates ch.qos.logback:logback-classic from 1.5.32 to 1.5.37

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.37

2026-06-26 Release of logback version 1.5.37

  1. • Given the numerous vulnerabilities related to conditional configuration processing based on the evaluation of Java expressions using the Janino library, support for such expressions has been removed. Users are offered the an online migration service or the <condition> element introduced in version 1.5.20. See the relevant documentation for more details.

• A bitwise identical binary of this version can be reproduced by building from source code at commit c1df7f522e648eec7b4ef6a12c8758fec0f00048 associated with the tag v_1.5.37. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.36

2026-06-25 Release of logback version 1.5.36

• The 'condition' attribute in <if> elements now reject certain references that are associated with ACE attacks. This issue was reported by "yulate" (yulate531@gmail.com.com) and registered as CVE-2026-13006. Please note that version 1.5.37 provides the full fix to this vulnerability.

• A bitwise identical binary of this version can be reproduced by building from source code at commit 9b94c37562bf25a6a944146701d42ee6c4eee888 associated with the tag v_1.5.36. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.35

026-06-23 Release of logback version 1.5.35

• The 'condition' attribute in <if> elements now rejects unicode escape sequences (\u and \U). This closes a bypass of the existing prohibition on the new operator in Janino-evaluated conditions. This issue was reported by IcySun (icysun@qq.com) and registered as CVE-2026-13006. Please note that version 1.5.37 provides the full fix to this vulnerability.

• Added ConfiguratorRank.AUTHENTICATING (rank 100), the highest configurator rank, for certified/authenticating configurators discovered via the ServiceLoader mechanism. ContextInitializer now requires that at most one such configurator exist on the classpath; if more than one is found, initialization aborts with an error.

ConsoleCharsetPropertyDefiner is no longer shipped. The Java 21 multi-release compilation of logback-core has been disabled, which removes this class from the published artifact. Configurations that referenced ch.qos.logback.core.property.ConsoleCharsetPropertyDefiner will need an alternative approach for console charset detection.

• The logback-examples module is now included in artifacts published to Maven Central.

JoranConfigurator.makeAnotherInstance() and DefaultJoranConfigurator.performMultiStepConfigurationFileSearch() are now protected, allowing derived configurators to override these methods.

• A bitwise identical binary of this version can be reproduced by building from source code at commit 08bd1598d565d83444f72983935e7da4746783b7 associated with the tag v_1.5.35. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.34

2026-06-01 Release of logback version 1.5.34

• In case certain StackTraceElement values returned by the Throwable.getStackTrace method are null, StackTraceElementProxy substitutes a dummy instance instead of throwing an IllegalArgumentException. This resolves [issues #1040](qos-ch/logback#1040), reported by Naotsugu Kobayashi.

• HardenedObjectInputStream will now throw an InvalidClassException during deserialization attempts of Proxy classes. This change addresses potential deserialization whitelist bypass vulnerability reported by York Shen and registered as CVE-2026-10532.

• A bitwise identical binary of this version can be reproduced by building from source code at commit e62272ac152469aec1ede056c3c7d0d7314e7bfe associated with the tag v_1.5.34. This release was built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.33

2026-05-27 Release of logback version 1.5.33

PropertiesConfiguratorModelHandler now registers properties file URLs to the ConfigurationWatchList when scan is enabled (via local scan="true" attribute or top-level configuration scan), ensuring changes are detected and reconfiguration occurs. This problem was reported in issues/1034.

• When processing <conversionRule> elements and both class and converterClass attributes are specified, silently use the class attribute without issuing a warning. However, if the attribute values differ, a warning will be issued. This change was requested in issues/1031.

HardenedModelInputStream will no longer accept to deserialize all classes located under the "java.lang" and "java.util" packages but a limited number of explicitly authorized classes in those packages. This potential deserialization whitelist bypass vulnerability was reported by York Shen and registered as CVE-2026-9828.

• SSL parameters for SSLSocketAppender now enable hostname verification by default. Moreover, the default protocol is now "TLSv1.2". This potential vulnerability was reported by York Shen.

• When printing the status message field, ViewStatusMessagesServletBase now escapes special characters such as "&" as character entities. This potential vulnerability was reported by York Shen.

... (truncated)

Commits

Updates ch.qos.logback:logback-classic from 1.5.32 to 1.5.37

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.37

2026-06-26 Release of logback version 1.5.37

  1. • Given the numerous vulnerabilities related to conditional configuration processing based on the evaluation of Java expressions using the Janino library, support for such expressions has been removed. Users are offered the an online migration service or the <condition> element introduced in version 1.5.20. See the relevant documentation for more details.

• A bitwise identical binary of this version can be reproduced by building from source code at commit c1df7f522e648eec7b4ef6a12c8758fec0f00048 associated with the tag v_1.5.37. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.36

2026-06-25 Release of logback version 1.5.36

• The 'condition' attribute in <if> elements now reject certain references that are associated with ACE attacks. This issue was reported by "yulate" (yulate531@gmail.com.com) and registered as CVE-2026-13006. Please note that version 1.5.37 provides the full fix to this vulnerability.

• A bitwise identical binary of this version can be reproduced by building from source code at commit 9b94c37562bf25a6a944146701d42ee6c4eee888 associated with the tag v_1.5.36. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.35

026-06-23 Release of logback version 1.5.35

• The 'condition' attribute in <if> elements now rejects unicode escape sequences (\u and \U). This closes a bypass of the existing prohibition on the new operator in Janino-evaluated conditions. This issue was reported by IcySun (icysun@qq.com) and registered as CVE-2026-13006. Please note that version 1.5.37 provides the full fix to this vulnerability.

• Added ConfiguratorRank.AUTHENTICATING (rank 100), the highest configurator rank, for certified/authenticating configurators discovered via the ServiceLoader mechanism. ContextInitializer now requires that at most one such configurator exist on the classpath; if more than one is found, initialization aborts with an error.

ConsoleCharsetPropertyDefiner is no longer shipped. The Java 21 multi-release compilation of logback-core has been disabled, which removes this class from the published artifact. Configurations that referenced ch.qos.logback.core.property.ConsoleCharsetPropertyDefiner will need an alternative approach for console charset detection.

• The logback-examples module is now included in artifacts published to Maven Central.

JoranConfigurator.makeAnotherInstance() and DefaultJoranConfigurator.performMultiStepConfigurationFileSearch() are now protected, allowing derived configurators to override these methods.

• A bitwise identical binary of this version can be reproduced by building from source code at commit 08bd1598d565d83444f72983935e7da4746783b7 associated with the tag v_1.5.35. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.34

2026-06-01 Release of logback version 1.5.34

• In case certain StackTraceElement values returned by the Throwable.getStackTrace method are null, StackTraceElementProxy substitutes a dummy instance instead of throwing an IllegalArgumentException. This resolves [issues #1040](qos-ch/logback#1040), reported by Naotsugu Kobayashi.

• HardenedObjectInputStream will now throw an InvalidClassException during deserialization attempts of Proxy classes. This change addresses potential deserialization whitelist bypass vulnerability reported by York Shen and registered as CVE-2026-10532.

• A bitwise identical binary of this version can be reproduced by building from source code at commit e62272ac152469aec1ede056c3c7d0d7314e7bfe associated with the tag v_1.5.34. This release was built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.33

2026-05-27 Release of logback version 1.5.33

PropertiesConfiguratorModelHandler now registers properties file URLs to the ConfigurationWatchList when scan is enabled (via local scan="true" attribute or top-level configuration scan), ensuring changes are detected and reconfiguration occurs. This problem was reported in issues/1034.

• When processing <conversionRule> elements and both class and converterClass attributes are specified, silently use the class attribute without issuing a warning. However, if the attribute values differ, a warning will be issued. This change was requested in issues/1031.

HardenedModelInputStream will no longer accept to deserialize all classes located under the "java.lang" and "java.util" packages but a limited number of explicitly authorized classes in those packages. This potential deserialization whitelist bypass vulnerability was reported by York Shen and registered as CVE-2026-9828.

• SSL parameters for SSLSocketAppender now enable hostname verification by default. Moreover, the default protocol is now "TLSv1.2". This potential vulnerability was reported by York Shen.

• When printing the status message field, ViewStatusMessagesServletBase now escapes special characters such as "&" as character entities. This potential vulnerability was reported by York Shen.

... (truncated)

Commits

Updates org.junit.jupiter:junit-jupiter from 6.1.0 to 6.1.1

Release notes

Sourced from org.junit.jupiter:junit-jupiter's releases.

JUnit 6.1.1 = Platform 6.1.1 + Jupiter 6.1.1 + Vintage 6.1.1

See Release Notes.

Full Changelog: junit-team/junit-framework@r6.1.0...r6.1.1

Commits
  • 0d85889 Release 6.1.1
  • 0363eee Finalize 6.1.1 release notes
  • a6d540a Move entry to 6.1.1 release notes
  • 69339d5 Only pass timeout when publishing to avoid failure in nmcp plugin
  • dec2eb9 Allow excluding engines from memory cleanup mode (#5786)
  • a5f4270 Publish sha256/sha512 checksums again but filter out signature ones (#5796)
  • 8213012 Update plugin nmcp-settings to v1.6.0 (#5787)
  • d1bf847 Generate Javadoc for aggregator modules
  • d721de5 Pass --no-fonts to javadoc convention
  • d289ec6 Restore original SetSystemProperty values in a ParameterizedTest (#5720)
  • Additional commits viewable in compare view

Updates com.fasterxml.jackson:jackson-bom from 2.21.3 to 2.22.0

Commits
  • 112e859 [maven-release-plugin] prepare release jackson-bom-2.22.0
  • 2cae2ce Prep for 2.22.0 release
  • 7955d21 Merge branch '2.21' into 2.x
  • 8922a05 Post-release dep version bump
  • 1fa9943 [maven-release-plugin] prepare for next development iteration
  • d1abd31 [maven-release-plugin] prepare release jackson-bom-2.21.4
  • 2aaea43 Prep for 2.21.4 release
  • 902ec69 Update Woodstox/stax2-api (to 7.2.0/4.3.0)
  • 2570647 Merge branch '2.21' into 2.x
  • 9d3a9d5 Post-release dep version bump
  • Additional commits viewable in compare view

Updates io.projectreactor:reactor-bom from 2025.0.5 to 2025.0.6

Release notes

Sourced from io.projectreactor:reactor-bom's releases.

2025.0.6

2025.0.6 release train is made of:

These artifacts didn't have any changes:

Commits
  • 2764b66 [release] Prepare and release BOM 2025.0.6
  • d7fff6b Merge-ignore release 2024.0.18 into 2025.0.6
  • 52e80b7 [release] Back to snapshots, next BOM will be SR 19
  • 518bad4 [release] Prepare and release BOM 2024.0.18
  • 86280c8 Merge #780 into 2025.0.6
  • 8d7d6f3 Bump actions/checkout from 6.0.2 to 6.0.3 (#780)
  • df88e6b Merge 4dece8e9 into 2025.0.6
  • 4dece8e [build] Use non-capturing groups for all numeric segments in qualifyVersion
  • 2f4cdc8 Merge 17214287 into 2025.0.6
  • 1721428 [build] Enhance version parsing to support 4-part numeric versions
  • Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-dependencies from 3.5.14 to 3.5.16

Release notes

Sourced from org.springframework.boot:spring-boot-dependencies's releases.

v3.5.16

🔨 Dependency Upgrades

v3.5.15

🐞 Bug Fixes

  • Artemis auto-configuration uses a predictable default location for the embedded broker's data #50743
  • MailSender auto-configuration does not enable hostname verification #50742
  • SSL should not be enabled when a SSL bundle is overridden to an empty string #50624
  • Layer written outside the output location of '//' exception is thrown when using extract layers in root directory #50501
  • Docker Compose support does not restore thread interrupt flag when catching InterruptedException #50451
  • RabbitProperties enables SSL even when spring.rabbitmq.ssl.bundle is overridden to an empty string #50429
  • GraphQL WebSocket support does not configure allowed origins #50391
  • Buildpack module does not validate long-to-int casts #50382
  • MappingsEndpoint reports the context's own ID as parentId when a parent exists #50373
  • Created StackTracePrinter instances have no access to the Environment #50303
  • NullPointerException in reactor-netty SniProvider when SSL bundle uses client-auth or server truststore without server-name-bundles #50301
  • Spring Boot Loader Does Not Support RSA and EC Signed Jars #50292
  • ConfigurationPropertiesReportEndpoint exposes AOP proxy internals #50273
  • Actuator's '/cloudfoundryapplication' endpoint does not work if restrictive CORS configuration is provided using a bean named corsConfigurationSource #50254
  • Meter registries are not removed from the global registry when the context is closed #50235
  • ThreadPoolTaskScheduleBuilder unnecessarily loses precision when configuring await termination time #50225
  • Apply HTML escaping to timestamp attribute in Whitelabel error page #50205
  • NimbusJwtDecoder silently accepts unknown values for spring.security.oauth2.resourceserver.jwt.jws-algorithms #50118
  • EndpointRequest links matcher unnecessarily matches HTTP methods other than GET #50095

📔 Documentation

  • Fix reference to Gradle documentation for module replacement #50641
  • Remove the use of Optional from Data Neo4j repository examples #50600
  • Fix typos in documentation #50593
  • Document Java 25 requirement for AOT cache #50482
  • Clarify dependency requirement for Bean Validation support #50290
  • Document SSL reloading with Let's Encrypt #50222
  • Polish InvalidConfigurationPropertyValueException constructor javadoc #50212
  • Document known testcontainers lifecycle issues #50210
  • Document configuring multiple connectors with Jetty #50206
  • Fix typo in Spring Security OAuth2 client registration documentation #50193

🔨 Dependency Upgrades

... (truncated)

Commits
  • 0566f69 Release v3.5.16
  • 93edd16 Next development version (v3.5.16-SNAPSHOT)
  • 5bafd0a Upgrade to Spring Integration 6.5.10
  • baf3290 Upgrade to Spring AMQP 3.2.12
  • 2c5964a Upgrade to Spring Data Bom 2025.0.13
  • dbb08aa Upgrade Antora dependencies
  • 9b281d5 Upgrade to actions/checkout 7.0.0
  • a854058 Upgrade to jfrog/setup-jfrog-cli 5.1.0
  • fc236ae Start building against Spring Integration 6.5.10 snapshots
  • 5271da7 Start building against Spring Data Bom 2025.0.13 snapshots
  • Additional commits viewable in compare view

Updates org.springframework.cloud:spring-cloud-dependencies from 2025.1.1 to 2025.1.2

Release notes

Sourced from org.springframework.cloud:spring-cloud-dependencies's releases.

v2025.1.2

What's Included

  • Spring Cloud Netflix 5.0.2 (issues)
  • Spring Cloud Stream 5.0.2 (issues)
  • Spring Cloud Config 5.0.4 (issues)
  • Spring Cloud Consul 5.0.2 (issues)
  • Spring Cloud Circuitbreaker 5.0.2 (issues)
  • Spring Cloud Starter Build 2025.1.2 (issues)
  • Spring Cloud Build 5.0.2 (issues)
  • Spring Cloud Gateway 5.0.2 (issues)
  • Spring Cloud Bus 5.0.2 (issues)
  • Spring Cloud Contract 5.0.3 (issues)
  • Spring Cloud Vault 5.0.2 (issues)
  • Spring Cloud Task 5.0.2 (issues)
  • Spring Cloud Function 5.0.3 (issues)
  • Spring Cloud Kubernetes 5.0.2 (issues)
  • Spring Cloud Commons 5.0.2 (issues)
  • Spring Cloud Openfeign 5.0.2 (issues)
  • Spring Cloud Zookeeper 5.0.2 (issues)

What's Changed

Full Changelog: spring-cloud/spring-cloud-release@v2025.1.1...v2025.1.2

Commits
  • bda306d Update SNAPSHOT to 2025.1.2
  • 4fd3272 Merge pull request #517 from spring-cloud/dependabot/npm_and_yarn/docs/main/s...
  • be421f5 Bump @​springio/antora-extensions from 1.14.11 to 1.14.12 in /docs
  • 6ad8d9d Merge pull request #513 from spring-cloud/dependabot/maven/main/org.apache.ma...
  • bc10fd4 Merge pull request #514 from spring-cloud/dependabot/maven/org.apache.maven-m...
  • 57ecb39 Bump org.apache.maven:maven-model from 3.9.15 to 3.9.16
  • 3963ec2 Bump org.apache.maven:maven-model from 3.9.15 to 3.9.16
  • def3e63 Upgrading antora to 3.2.0-alpha.12
  • 145f1d6 Bumping versions
  • 0a141a4 Update spring-cloud-config.version to 5.0.4-SNAPSHOT
  • Additional commits viewable in compare view

Updates io.projectreactor.netty:reactor-netty-core from 1.3.5 to 1.3.6

Release notes

Sourced from io.projectreactor.netty:reactor-netty-core's releases.

v1.3.6

Reactor Netty 1.3.6 is part of 2025.0.6 Release Train.

What's Changed

⚠️ Update considerations and deprecations

✨ New features and improvements

🐞 Bug fixes

📖 Documentation

New Contributors

Full Changelog: reactor/reactor-netty@v1.3.5...v1.3.6

Commits
  • 511a3b6 [release] Prepare and release 1.3.6
  • 3d3bdcb Merge-ignore release 1.2.18 into 1.3.6
  • 9bd9255 [release] Back to snapshots, next is 1.2.19-SNAPSHOT
  • c753da4 [release] Prepare and release 1.2.18
  • 1a4c422 Update HTTP/3 configuration
  • 2c6325e Merge e7ef551ee into 1.3.6
  • e7ef551 Refine header handling during redirects
  • 22ecd82 Merge #4243 into 1.3.6
  • b26ac28 Bump biz.aQute.bnd.builder from 7.2.3 to 7.3.0 (#4243)
  • bf1c241 Merge #4242 into 1.3.6
  • Additional commits viewable in compare view

Updates org.pitest:pitest-parent from 1.25.1 to 1.25.5

Release notes

Sourced from org.pitest:pitest-parent's releases.

1.25.5

  • #1479 Single threaded mutant timeout detection (fixes #1478)

1.25.4

1.25.3

  • #1476 Introduce post pre-scan type

1.25.2

  • #1474 Publish sboms via cyclonedx
  • #1475 Bug fix - listeners controlled by feature strings should also be selectable by name
Commits
  • 978c681 Merge pull request #1479 from hcoles/bug/daemon_threads
  • 1f395c2 single threaded mutant timeout detection
  • dcdc5fa update readme
  • 5595375 Merge pull request #1468 from see-quick/support-configurable-decimal-precision

Bumps the low-risk group with 18 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [ch.qos.logback:logback-core](https://github.com/qos-ch/logback) | `1.5.32` | `1.5.37` |
| [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) | `1.5.32` | `1.5.37` |
| [org.junit.jupiter:junit-jupiter](https://github.com/junit-team/junit-framework) | `6.1.0` | `6.1.1` |
| [com.fasterxml.jackson:jackson-bom](https://github.com/FasterXML/jackson-bom) | `2.21.3` | `2.22.0` |
| [io.projectreactor:reactor-bom](https://github.com/reactor/reactor) | `2025.0.5` | `2025.0.6` |
| [org.springframework.boot:spring-boot-dependencies](https://github.com/spring-projects/spring-boot) | `3.5.14` | `3.5.16` |
| [org.springframework.cloud:spring-cloud-dependencies](https://github.com/spring-cloud/spring-cloud-release) | `2025.1.1` | `2025.1.2` |
| [io.projectreactor.netty:reactor-netty-core](https://github.com/reactor/reactor-netty) | `1.3.5` | `1.3.6` |
| [org.pitest:pitest-parent](https://github.com/hcoles/pitest) | `1.25.1` | `1.25.5` |
| [org.pitest:pitest-maven](https://github.com/hcoles/pitest) | `1.25.1` | `1.25.5` |
| [io.netty:netty-codec-http](https://github.com/netty/netty) | `4.2.14.Final` | `4.2.15.Final` |
| [io.netty:netty-codec](https://github.com/netty/netty) | `4.2.14.Final` | `4.2.15.Final` |
| [io.netty:netty-common](https://github.com/netty/netty) | `4.2.14.Final` | `4.2.15.Final` |
| [io.netty:netty-handler](https://github.com/netty/netty) | `4.2.14.Final` | `4.2.15.Final` |
| [com.github.spotbugs:spotbugs](https://github.com/spotbugs/spotbugs) | `4.9.8` | `4.10.2` |
| [org.jacoco:jacoco-maven-plugin](https://github.com/jacoco/jacoco) | `0.8.14` | `0.8.15` |
| [com.github.spotbugs:spotbugs-maven-plugin](https://github.com/spotbugs/spotbugs-maven-plugin) | `4.9.8.3` | `4.10.2.0` |
| [org.sonatype.central:central-publishing-maven-plugin](https://github.com/sonatype/central-publishing-maven-plugin) | `0.10.0` | `0.11.0` |



Updates `ch.qos.logback:logback-core` from 1.5.32 to 1.5.37
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.32...v_1.5.37)

Updates `ch.qos.logback:logback-classic` from 1.5.32 to 1.5.37
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.32...v_1.5.37)

Updates `ch.qos.logback:logback-classic` from 1.5.32 to 1.5.37
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.32...v_1.5.37)

Updates `org.junit.jupiter:junit-jupiter` from 6.1.0 to 6.1.1
- [Release notes](https://github.com/junit-team/junit-framework/releases)
- [Commits](junit-team/junit-framework@r6.1.0...r6.1.1)

Updates `com.fasterxml.jackson:jackson-bom` from 2.21.3 to 2.22.0
- [Commits](FasterXML/jackson-bom@jackson-bom-2.21.3...jackson-bom-2.22.0)

Updates `io.projectreactor:reactor-bom` from 2025.0.5 to 2025.0.6
- [Release notes](https://github.com/reactor/reactor/releases)
- [Commits](reactor/reactor@2025.0.5...2025.0.6)

Updates `org.springframework.boot:spring-boot-dependencies` from 3.5.14 to 3.5.16
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.14...v3.5.16)

Updates `org.springframework.cloud:spring-cloud-dependencies` from 2025.1.1 to 2025.1.2
- [Release notes](https://github.com/spring-cloud/spring-cloud-release/releases)
- [Commits](spring-cloud/spring-cloud-release@v2025.1.1...v2025.1.2)

Updates `io.projectreactor.netty:reactor-netty-core` from 1.3.5 to 1.3.6
- [Release notes](https://github.com/reactor/reactor-netty/releases)
- [Commits](reactor/reactor-netty@v1.3.5...v1.3.6)

Updates `org.pitest:pitest-parent` from 1.25.1 to 1.25.5
- [Release notes](https://github.com/hcoles/pitest/releases)
- [Commits](hcoles/pitest@1.25.1...1.25.5)

Updates `org.pitest:pitest-maven` from 1.25.1 to 1.25.5
- [Release notes](https://github.com/hcoles/pitest/releases)
- [Commits](hcoles/pitest@1.25.1...1.25.5)

Updates `io.netty:netty-codec-http` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `io.netty:netty-codec` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `io.netty:netty-common` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `io.netty:netty-handler` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `io.netty:netty-codec` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `io.netty:netty-common` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `io.netty:netty-handler` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `com.github.spotbugs:spotbugs` from 4.9.8 to 4.10.2
- [Release notes](https://github.com/spotbugs/spotbugs/releases)
- [Changelog](https://github.com/spotbugs/spotbugs/blob/master/CHANGELOG.md)
- [Commits](spotbugs/spotbugs@4.9.8...4.10.2)

Updates `org.jacoco:jacoco-maven-plugin` from 0.8.14 to 0.8.15
- [Release notes](https://github.com/jacoco/jacoco/releases)
- [Commits](jacoco/jacoco@v0.8.14...v0.8.15)

Updates `com.github.spotbugs:spotbugs-maven-plugin` from 4.9.8.3 to 4.10.2.0
- [Release notes](https://github.com/spotbugs/spotbugs-maven-plugin/releases)
- [Commits](spotbugs/spotbugs-maven-plugin@spotbugs-maven-plugin-4.9.8.3...spotbugs-maven-plugin-4.10.2.0)

Updates `org.pitest:pitest-maven` from 1.25.1 to 1.25.5
- [Release notes](https://github.com/hcoles/pitest/releases)
- [Commits](hcoles/pitest@1.25.1...1.25.5)

Updates `org.sonatype.central:central-publishing-maven-plugin` from 0.10.0 to 0.11.0
- [Commits](https://github.com/sonatype/central-publishing-maven-plugin/commits)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-core
  dependency-version: 1.5.37
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.37
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.37
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: org.junit.jupiter:junit-jupiter
  dependency-version: 6.1.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: com.fasterxml.jackson:jackson-bom
  dependency-version: 2.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: low-risk
- dependency-name: io.projectreactor:reactor-bom
  dependency-version: 2025.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: org.springframework.boot:spring-boot-dependencies
  dependency-version: 3.5.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: org.springframework.cloud:spring-cloud-dependencies
  dependency-version: 2025.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: io.projectreactor.netty:reactor-netty-core
  dependency-version: 1.3.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: org.pitest:pitest-parent
  dependency-version: 1.25.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: org.pitest:pitest-maven
  dependency-version: 1.25.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: io.netty:netty-codec-http
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: io.netty:netty-codec
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: io.netty:netty-common
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: io.netty:netty-handler
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: io.netty:netty-codec
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: io.netty:netty-common
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: io.netty:netty-handler
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: com.github.spotbugs:spotbugs
  dependency-version: 4.10.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: low-risk
- dependency-name: org.jacoco:jacoco-maven-plugin
  dependency-version: 0.8.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: com.github.spotbugs:spotbugs-maven-plugin
  dependency-version: 4.10.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: low-risk
- dependency-name: org.pitest:pitest-maven
  dependency-version: 1.25.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: low-risk
- dependency-name: org.sonatype.central:central-publishing-maven-plugin
  dependency-version: 0.11.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: low-risk
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jul 6, 2026
Copilot AI review requested due to automatic review settings July 6, 2026 04:09
@dependabot @github

dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

Assignees

The following users could not be added as assignees: RichardSlater. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jul 6, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant