Skip to content

build(deps): Bump the dev-dependencies group with 2 updates#5

Merged
github-actions[bot] merged 1 commit into
mainfrom
dependabot/gradle/dev-dependencies-f30de56827
May 14, 2026
Merged

build(deps): Bump the dev-dependencies group with 2 updates#5
github-actions[bot] merged 1 commit into
mainfrom
dependabot/gradle/dev-dependencies-f30de56827

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 14, 2026

Copy link
Copy Markdown
Contributor

Bumps the dev-dependencies group with 2 updates: com.diffplug.spotless:spotless-plugin-gradle and com.diffplug.spotless.

Updates com.diffplug.spotless:spotless-plugin-gradle from 7.2.1 to 8.4.0

Release notes

Sourced from com.diffplug.spotless:spotless-plugin-gradle's releases.

Gradle Plugin v8.4.0

Added

  • Add tableTest format type for standalone .table files. (#2880)

Fixed

  • Fix illegal mutation when using predeclared dependencies. (#2892)

Changes

  • Bump default tabletest-formatter version 1.0.1 -> 1.1.1, now works with Java 17+. (#2880)

Gradle Plugin v8.3.0

Added

  • Partial support for isolated projects. They work if predeclared dependencies are not used. (#2854)
  • Add tabletest-formatter support for Java and Kotlin. (#2860)

Fixed

  • Fix the ability to specify a wildcard version (*) for external formatter executables, which did not work. (#2848)
  • [fix] ConcurrentModificationException in expandWildcardImports (#2830)

Gradle Plugin v8.2.1

Fixed

  • Fix OutOfMemoryError and slow configuration phase in large multi-project builds when using Eclipse-based formatters (Eclipse JDT, GrEclipse, Eclipse CDT) by implementing P2 dependency caching. (#2788)

Gradle Plugin v8.2.0

Added

  • Add a expandWildcardImports API for java (#2679)
  • Add the ability to specify a wildcard version (*) for external formatter executables. (#2757)
  • Add support for passing multiple file paths using the -PspotlessIdeHook option. (#2774)

Fixed

  • configuration cache for groovy. (#2797)
  • [fix] NPE due to workingTreeIterator being null for git ignored files. #911 (#2771)
  • Prevent race conditions when multiple npm-based formatters launch the server process simultaneously while sharing the same node_modules directory. (#2786)

Changes

  • Bump default ktfmt version to latest 0.59 -> 0.61. (2804)
  • Bump default ktlint version to latest 1.7.1 -> 1.8.0. (2763)
  • Bump default gherkin-utils version to latest 9.2.0 -> 10.0.0. (#2619)

Gradle Plugin v8.1.0

Changes

  • Bump default ktfmt version to latest 0.58 -> 0.59. (#2681
  • Bump default jackson version to latest 2.20.0 -> 2.20.1. (#2730)
  • Bump default cleanthat version to latest 2.23 -> 2.24. (#2620)
  • POTENTIALLY BREAKING Removed support for ktlint versions below 1.0. (#2711)

Fixed

  • Tasks were being eagerly instantiated, now avoided using TaskProviders. #2719
    • POTENTIALLY BREAKING Bump minimum supported Gradle version from 7.3 to 8.1. #2719
  • Use absolute path in the git pre push hook.
  • palantirJavaFormat is no longer arbitrarily set to outdated versions on Java 17, latest available version is always used (#2686 fixes #2685)

Added

  • forbidModuleImports() API for java (#2679)
  • new options to customize Flexmark, e.g. to allow YAML front matter (#2616)

Gradle Plugin v8.0.0

... (truncated)

Commits
  • 1cc0163 Published gradle/8.4.0
  • a4cd808 Published lib/4.5.0
  • 9066bf6 Add links to the changelog.
  • db8dc1c Fix for illegal mutation issue with predeclareDeps (#2892)
  • 0eb98a9 chore: Updated gradle plugin change
  • 3f7f12e chore: Removes check for predeclare as it's not needed anymore
  • 55c0c5c fix: IsolatedProjectTest.predeclaredIsUnsupported() is now actually supported...
  • 47489af fix: avoid IllegalMutationException when root project uses predeclareDeps() w...
  • 4010e8b test: Introduce a test harnessing predeclared deps
  • 441dddc fix(deps): update selfie to v3 (major) (#2889)
  • Additional commits viewable in compare view

Updates com.diffplug.spotless from 7.2.1 to 8.4.0

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the dev-dependencies group with 2 updates: [com.diffplug.spotless:spotless-plugin-gradle](https://github.com/diffplug/spotless) and com.diffplug.spotless.


Updates `com.diffplug.spotless:spotless-plugin-gradle` from 7.2.1 to 8.4.0
- [Release notes](https://github.com/diffplug/spotless/releases)
- [Changelog](https://github.com/diffplug/spotless/blob/main/CHANGES.md)
- [Commits](diffplug/spotless@gradle/7.2.1...gradle/8.4.0)

Updates `com.diffplug.spotless` from 7.2.1 to 8.4.0

---
updated-dependencies:
- dependency-name: com.diffplug.spotless:spotless-plugin-gradle
  dependency-version: 8.4.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dev-dependencies
- dependency-name: com.diffplug.spotless
  dependency-version: 8.4.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dev-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels May 14, 2026
@github-actions
github-actions Bot merged commit 9552e8b into main May 14, 2026
2 checks passed
@github-actions
github-actions Bot deleted the dependabot/gradle/dev-dependencies-f30de56827 branch May 14, 2026 02:51
wolpert added a commit that referenced this pull request May 16, 2026
- ceremony: default UV to REQUIRED so WebAuthn4J enforces flagUV (#2)
- ceremony: refuse the non-strict WebAuthnManager when attestation conveyance
  is not NONE; force operators to wire a strict manager explicitly (#3)
- jwt(spring): fail-fast on HS256 secrets shorter than 32 bytes; remove the
  silent expand() helper that masked weak keys (#4)
- jwt(micronaut): fail-fast on blank or short HS256 secrets; remove the
  zero-pad and random-on-blank fallbacks (#5)
- persistence: make signCount updates atomic against concurrent racing
  assertions so clone detection cannot be silently defeated — JDBI adds
  AND sign_count < :sc, DynamoDB adds a conditional UpdateItem (#6)
- starters: gate LoggingEmailSender / LoggingSmsSender behind dev-mode so
  magic-link tokens and OTP codes don't silently leak to production logs (#7)
- magic-link: replace the unbounded ConcurrentHashMap of consumed JTIs with
  a TTL-bounded Caffeine cache; fix the Javadoc to match reality (#8)
- magic-link: bind verification email to the user via UserLookup#emailFor
  and reject mismatches; admin service maps the new EmailMismatch result to
  a 400 (#9)
- persistence(dynamodb): server-enforce single-use for backup-code consume
  and OTP consume/incrementAttempts via ConditionExpression (#10)
- persistence(dynamodb): server-enforce challenge expiry in takeOnce
  via ConditionExpression on expiresAt instead of post-filtering in Java (#11)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
wolpert added a commit that referenced this pull request May 16, 2026
#1 — JdbiOtpRepository.incrementAttempts now unconditional; OtpService.verify uses >=
#2 — BackupCodeRepository.consume returns boolean; impls atomic; race-loser → NoMatch
#3 — OtpRepository.consume returns boolean; JDBI adds consumed=FALSE guard
#4 — PkAuthJwtValidator rejects kid-less tokens when keyset has any kid-bearing key
#5 — new ConsumedJtiStore SPI; in-memory Caffeine default; single-instance WARN
#6 — startAuthentication/startRegistration always emit non-null [] credential lists
#7 — new CeremonyRateLimiter SPI; default Caffeine impl; RateLimited variant; 429
#8 — JDBI/DynamoDB/InMemory repos wrap backend errors as PkAuthPersistenceException
#18 — new DuplicateCredentialException extends PkAuthPersistenceException (sealed)
#28 — OtpRepository.incrementAttempts returns OptionalInt; empty → NoActiveOtp

Blocked: none

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
wolpert added a commit that referenced this pull request Jun 13, 2026
…IGH)

Dependabot alert #5: esbuild 0.27.7 (transitive dev dep via tsup and
vitest->vite) is vulnerable to GHSA-gv7w-rqvm-qjhr — missing binary integrity
verification in the Deno module enables RCE via NPM_CONFIG_REGISTRY (patched in
0.28.1). The actual exploit path doesn't apply here (esbuild is used via Node,
not Deno, and is build-only — never shipped in the published bundle), but it's
a HIGH advisory and trivially fixable.

Add an npm override pinning esbuild to ^0.28.1; both tsup and vite now resolve
to 0.28.1. Build (tsup ESM/CJS/DTS), typecheck, and the full vitest suite
(76 tests) all pass on the bumped version. npm audit reports no remaining
high-severity issues.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file java Pull requests that update java code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants