build(deps): Bump the dev-dependencies group with 18 updates#7
Merged
github-actions[bot] merged 1 commit intoMay 15, 2026
Merged
Conversation
Bumps the dev-dependencies group with 18 updates: | Package | From | To | | --- | --- | --- | | software.amazon.awssdk:dynamodb | `2.44.5` | `2.44.6` | | software.amazon.awssdk:dynamodb-enhanced | `2.44.5` | `2.44.6` | | io.dropwizard:dropwizard-core | `4.0.14` | `5.0.1` | | io.dropwizard:dropwizard-auth | `4.0.14` | `5.0.1` | | io.dropwizard:dropwizard-jersey | `4.0.14` | `5.0.1` | | io.dropwizard:dropwizard-testing | `4.0.14` | `5.0.1` | | io.dropwizard:dropwizard-assets | `4.0.14` | `5.0.1` | | [com.google.dagger:dagger](https://github.com/google/dagger) | `2.56.2` | `2.59.2` | | [com.google.dagger:dagger-compiler](https://github.com/google/dagger) | `2.56.2` | `2.59.2` | | [org.springframework.boot:spring-boot-autoconfigure](https://github.com/spring-projects/spring-boot) | `3.5.5` | `4.0.6` | | [org.springframework.boot:spring-boot-starter](https://github.com/spring-projects/spring-boot) | `3.5.5` | `4.0.6` | | [org.springframework.boot:spring-boot-starter-web](https://github.com/spring-projects/spring-boot) | `3.5.5` | `4.0.6` | | [org.springframework.boot:spring-boot-starter-security](https://github.com/spring-projects/spring-boot) | `3.5.5` | `4.0.6` | | [org.springframework.boot:spring-boot-starter-test](https://github.com/spring-projects/spring-boot) | `3.5.5` | `4.0.6` | | [org.springframework.boot:spring-boot-configuration-processor](https://github.com/spring-projects/spring-boot) | `3.5.5` | `4.0.6` | | [org.springframework.security:spring-security-test](https://github.com/spring-projects/spring-security) | `6.5.3` | `7.0.5` | | [com.diffplug.spotless:spotless-plugin-gradle](https://github.com/diffplug/spotless) | `8.4.0` | `8.5.0` | | com.diffplug.spotless | `8.4.0` | `8.5.0` | Updates `software.amazon.awssdk:dynamodb` from 2.44.5 to 2.44.6 Updates `software.amazon.awssdk:dynamodb-enhanced` from 2.44.5 to 2.44.6 Updates `software.amazon.awssdk:dynamodb-enhanced` from 2.44.5 to 2.44.6 Updates `io.dropwizard:dropwizard-core` from 4.0.14 to 5.0.1 Updates `io.dropwizard:dropwizard-auth` from 4.0.14 to 5.0.1 Updates `io.dropwizard:dropwizard-jersey` from 4.0.14 to 5.0.1 Updates `io.dropwizard:dropwizard-testing` from 4.0.14 to 5.0.1 Updates `io.dropwizard:dropwizard-assets` from 4.0.14 to 5.0.1 Updates `io.dropwizard:dropwizard-auth` from 4.0.14 to 5.0.1 Updates `io.dropwizard:dropwizard-jersey` from 4.0.14 to 5.0.1 Updates `io.dropwizard:dropwizard-testing` from 4.0.14 to 5.0.1 Updates `io.dropwizard:dropwizard-assets` from 4.0.14 to 5.0.1 Updates `com.google.dagger:dagger` from 2.56.2 to 2.59.2 - [Release notes](https://github.com/google/dagger/releases) - [Changelog](https://github.com/google/dagger/blob/master/CHANGELOG.md) - [Commits](google/dagger@dagger-2.56.2...dagger-2.59.2) Updates `com.google.dagger:dagger-compiler` from 2.56.2 to 2.59.2 - [Release notes](https://github.com/google/dagger/releases) - [Changelog](https://github.com/google/dagger/blob/master/CHANGELOG.md) - [Commits](google/dagger@dagger-2.56.2...dagger-2.59.2) Updates `com.google.dagger:dagger-compiler` from 2.56.2 to 2.59.2 - [Release notes](https://github.com/google/dagger/releases) - [Changelog](https://github.com/google/dagger/blob/master/CHANGELOG.md) - [Commits](google/dagger@dagger-2.56.2...dagger-2.59.2) Updates `org.springframework.boot:spring-boot-autoconfigure` from 3.5.5 to 4.0.6 - [Release notes](https://github.com/spring-projects/spring-boot/releases) - [Commits](spring-projects/spring-boot@v3.5.5...v4.0.6) Updates `org.springframework.boot:spring-boot-starter` from 3.5.5 to 4.0.6 - [Release notes](https://github.com/spring-projects/spring-boot/releases) - [Commits](spring-projects/spring-boot@v3.5.5...v4.0.6) Updates `org.springframework.boot:spring-boot-starter-web` from 3.5.5 to 4.0.6 - [Release notes](https://github.com/spring-projects/spring-boot/releases) - [Commits](spring-projects/spring-boot@v3.5.5...v4.0.6) Updates `org.springframework.boot:spring-boot-starter-security` from 3.5.5 to 4.0.6 - [Release notes](https://github.com/spring-projects/spring-boot/releases) - [Commits](spring-projects/spring-boot@v3.5.5...v4.0.6) Updates `org.springframework.boot:spring-boot-starter-test` from 3.5.5 to 4.0.6 - [Release notes](https://github.com/spring-projects/spring-boot/releases) - [Commits](spring-projects/spring-boot@v3.5.5...v4.0.6) Updates `org.springframework.boot:spring-boot-configuration-processor` from 3.5.5 to 4.0.6 - [Release notes](https://github.com/spring-projects/spring-boot/releases) - [Commits](spring-projects/spring-boot@v3.5.5...v4.0.6) Updates `org.springframework.boot:spring-boot-starter` from 3.5.5 to 4.0.6 - [Release notes](https://github.com/spring-projects/spring-boot/releases) - [Commits](spring-projects/spring-boot@v3.5.5...v4.0.6) Updates `org.springframework.boot:spring-boot-starter-web` from 3.5.5 to 4.0.6 - [Release notes](https://github.com/spring-projects/spring-boot/releases) - [Commits](spring-projects/spring-boot@v3.5.5...v4.0.6) Updates `org.springframework.boot:spring-boot-starter-security` from 3.5.5 to 4.0.6 - [Release notes](https://github.com/spring-projects/spring-boot/releases) - [Commits](spring-projects/spring-boot@v3.5.5...v4.0.6) Updates `org.springframework.boot:spring-boot-starter-test` from 3.5.5 to 4.0.6 - [Release notes](https://github.com/spring-projects/spring-boot/releases) - [Commits](spring-projects/spring-boot@v3.5.5...v4.0.6) Updates `org.springframework.boot:spring-boot-configuration-processor` from 3.5.5 to 4.0.6 - [Release notes](https://github.com/spring-projects/spring-boot/releases) - [Commits](spring-projects/spring-boot@v3.5.5...v4.0.6) Updates `org.springframework.security:spring-security-test` from 6.5.3 to 7.0.5 - [Release notes](https://github.com/spring-projects/spring-security/releases) - [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc) - [Commits](spring-projects/spring-security@6.5.3...7.0.5) Updates `com.diffplug.spotless:spotless-plugin-gradle` from 8.4.0 to 8.5.0 - [Release notes](https://github.com/diffplug/spotless/releases) - [Changelog](https://github.com/diffplug/spotless/blob/main/CHANGES.md) - [Commits](diffplug/spotless@gradle/8.4.0...gradle/8.5.0) Updates `com.diffplug.spotless` from 8.4.0 to 8.5.0 Updates `com.diffplug.spotless` from 8.4.0 to 8.5.0 --- updated-dependencies: - dependency-name: software.amazon.awssdk:dynamodb dependency-version: 2.44.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dev-dependencies - dependency-name: software.amazon.awssdk:dynamodb-enhanced dependency-version: 2.44.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dev-dependencies - dependency-name: software.amazon.awssdk:dynamodb-enhanced dependency-version: 2.44.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dev-dependencies - dependency-name: io.dropwizard:dropwizard-core dependency-version: 5.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dev-dependencies - dependency-name: io.dropwizard:dropwizard-auth dependency-version: 5.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dev-dependencies - dependency-name: io.dropwizard:dropwizard-jersey dependency-version: 5.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dev-dependencies - dependency-name: io.dropwizard:dropwizard-testing dependency-version: 5.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dev-dependencies - dependency-name: io.dropwizard:dropwizard-assets dependency-version: 5.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dev-dependencies - dependency-name: io.dropwizard:dropwizard-auth dependency-version: 5.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dev-dependencies - dependency-name: io.dropwizard:dropwizard-jersey dependency-version: 5.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dev-dependencies - dependency-name: io.dropwizard:dropwizard-testing dependency-version: 5.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dev-dependencies - dependency-name: io.dropwizard:dropwizard-assets dependency-version: 5.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dev-dependencies - dependency-name: com.google.dagger:dagger dependency-version: 2.59.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dev-dependencies - dependency-name: com.google.dagger:dagger-compiler dependency-version: 2.59.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dev-dependencies - dependency-name: com.google.dagger:dagger-compiler dependency-version: 2.59.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dev-dependencies - dependency-name: org.springframework.boot:spring-boot-autoconfigure dependency-version: 4.0.6 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dev-dependencies - dependency-name: org.springframework.boot:spring-boot-starter dependency-version: 4.0.6 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dev-dependencies - dependency-name: org.springframework.boot:spring-boot-starter-web dependency-version: 4.0.6 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dev-dependencies - dependency-name: org.springframework.boot:spring-boot-starter-security dependency-version: 4.0.6 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dev-dependencies - dependency-name: org.springframework.boot:spring-boot-starter-test dependency-version: 4.0.6 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dev-dependencies - dependency-name: org.springframework.boot:spring-boot-configuration-processor dependency-version: 4.0.6 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dev-dependencies - dependency-name: org.springframework.boot:spring-boot-starter dependency-version: 4.0.6 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dev-dependencies - dependency-name: org.springframework.boot:spring-boot-starter-web dependency-version: 4.0.6 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dev-dependencies - dependency-name: org.springframework.boot:spring-boot-starter-security dependency-version: 4.0.6 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dev-dependencies - dependency-name: org.springframework.boot:spring-boot-starter-test dependency-version: 4.0.6 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dev-dependencies - dependency-name: org.springframework.boot:spring-boot-configuration-processor dependency-version: 4.0.6 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dev-dependencies - dependency-name: org.springframework.security:spring-security-test dependency-version: 7.0.5 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dev-dependencies - dependency-name: com.diffplug.spotless:spotless-plugin-gradle dependency-version: 8.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dev-dependencies - dependency-name: com.diffplug.spotless dependency-version: 8.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dev-dependencies - dependency-name: com.diffplug.spotless dependency-version: 8.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dev-dependencies ... Signed-off-by: dependabot[bot] <support@github.com>
github-actions
Bot
deleted the
dependabot/gradle/dev-dependencies-e383fbd5ea
branch
May 15, 2026 04:59
wolpert
added a commit
that referenced
this pull request
May 15, 2026
…rd 5 majors Dependabot's dev-dependencies batch (#7) bumped three frameworks across major version boundaries, all of which break our adapter modules: - Spring Boot 3.5.5 → 4.0.6 drops Jackson 2 in favor of Jackson 3 (`tools.jackson.*`). Our Phase 8 `PkAuthJacksonModule` bridges Jackson 2 ↔ pk-auth's Jackson 3 wire types. Spring Boot 4 makes that bridge unbuildable: `com.fasterxml.jackson.*` packages no longer exist on Spring's classpath. - Spring Security 6.5.3 → 7.0.5 is tied to Spring Framework 7 / Spring Boot 4 and breaks the same way. - Dropwizard 4.0.14 → 5.0.1 changes the bundle and configuration surface that Phase 9's `PkAuthBundle<HasPkAuthConfig>` depends on. All three are explicitly pinned by the build brief (§6.10 Spring Boot 3.5.x, §6.11 Dropwizard 4.x). Revert each to the pre-bump version and add semver-major Dependabot ignore rules so this doesn't recur: - spring-boot 3.5.5 - spring-security 6.5.3 - dropwizard 4.0.14 Patches/minors from the same Dependabot batch left in place: aws-sdk 2.44.5 → 2.44.6, dagger 2.56.2 → 2.59.2. Spotless's existing >=8 ignore already covers that one. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
wolpert
added a commit
that referenced
this pull request
May 16, 2026
- ceremony: default UV to REQUIRED so WebAuthn4J enforces flagUV (#2) - ceremony: refuse the non-strict WebAuthnManager when attestation conveyance is not NONE; force operators to wire a strict manager explicitly (#3) - jwt(spring): fail-fast on HS256 secrets shorter than 32 bytes; remove the silent expand() helper that masked weak keys (#4) - jwt(micronaut): fail-fast on blank or short HS256 secrets; remove the zero-pad and random-on-blank fallbacks (#5) - persistence: make signCount updates atomic against concurrent racing assertions so clone detection cannot be silently defeated — JDBI adds AND sign_count < :sc, DynamoDB adds a conditional UpdateItem (#6) - starters: gate LoggingEmailSender / LoggingSmsSender behind dev-mode so magic-link tokens and OTP codes don't silently leak to production logs (#7) - magic-link: replace the unbounded ConcurrentHashMap of consumed JTIs with a TTL-bounded Caffeine cache; fix the Javadoc to match reality (#8) - magic-link: bind verification email to the user via UserLookup#emailFor and reject mismatches; admin service maps the new EmailMismatch result to a 400 (#9) - persistence(dynamodb): server-enforce single-use for backup-code consume and OTP consume/incrementAttempts via ConditionExpression (#10) - persistence(dynamodb): server-enforce challenge expiry in takeOnce via ConditionExpression on expiresAt instead of post-filtering in Java (#11) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
wolpert
added a commit
that referenced
this pull request
May 16, 2026
#1 — JdbiOtpRepository.incrementAttempts now unconditional; OtpService.verify uses >= #2 — BackupCodeRepository.consume returns boolean; impls atomic; race-loser → NoMatch #3 — OtpRepository.consume returns boolean; JDBI adds consumed=FALSE guard #4 — PkAuthJwtValidator rejects kid-less tokens when keyset has any kid-bearing key #5 — new ConsumedJtiStore SPI; in-memory Caffeine default; single-instance WARN #6 — startAuthentication/startRegistration always emit non-null [] credential lists #7 — new CeremonyRateLimiter SPI; default Caffeine impl; RateLimited variant; 429 #8 — JDBI/DynamoDB/InMemory repos wrap backend errors as PkAuthPersistenceException #18 — new DuplicateCredentialException extends PkAuthPersistenceException (sealed) #28 — OtpRepository.incrementAttempts returns OptionalInt; empty → NoActiveOtp Blocked: none Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps the dev-dependencies group with 18 updates:
2.44.52.44.62.44.52.44.64.0.145.0.14.0.145.0.14.0.145.0.14.0.145.0.14.0.145.0.12.56.22.59.22.56.22.59.23.5.54.0.63.5.54.0.63.5.54.0.63.5.54.0.63.5.54.0.63.5.54.0.66.5.37.0.58.4.08.5.08.4.08.5.0Updates
software.amazon.awssdk:dynamodbfrom 2.44.5 to 2.44.6Updates
software.amazon.awssdk:dynamodb-enhancedfrom 2.44.5 to 2.44.6Updates
software.amazon.awssdk:dynamodb-enhancedfrom 2.44.5 to 2.44.6Updates
io.dropwizard:dropwizard-corefrom 4.0.14 to 5.0.1Updates
io.dropwizard:dropwizard-authfrom 4.0.14 to 5.0.1Updates
io.dropwizard:dropwizard-jerseyfrom 4.0.14 to 5.0.1Updates
io.dropwizard:dropwizard-testingfrom 4.0.14 to 5.0.1Updates
io.dropwizard:dropwizard-assetsfrom 4.0.14 to 5.0.1Updates
io.dropwizard:dropwizard-authfrom 4.0.14 to 5.0.1Updates
io.dropwizard:dropwizard-jerseyfrom 4.0.14 to 5.0.1Updates
io.dropwizard:dropwizard-testingfrom 4.0.14 to 5.0.1Updates
io.dropwizard:dropwizard-assetsfrom 4.0.14 to 5.0.1Updates
com.google.dagger:daggerfrom 2.56.2 to 2.59.2Release notes
Sourced from com.google.dagger:dagger's releases.
... (truncated)
Commits
118f2e52.59.2 release1be5765Change HiltSyncTask to extend DefaultTask instead of Sync.f7e31b8Replace Hilt's "android-classes" transform with attribute rules.5909005Automated Code Change3507b0dSupport nullability in Switching Providers1900560Internal changes8c69595Update Dagger yml and README with new latest version number.1dbb1ddInternal refactoring62b5423Internal changes8dcce87Add AggregatedPackagesTransform for "android-classes" artifact type.Updates
com.google.dagger:dagger-compilerfrom 2.56.2 to 2.59.2Release notes
Sourced from com.google.dagger:dagger-compiler's releases.
... (truncated)
Commits
118f2e52.59.2 release1be5765Change HiltSyncTask to extend DefaultTask instead of Sync.f7e31b8Replace Hilt's "android-classes" transform with attribute rules.5909005Automated Code Change3507b0dSupport nullability in Switching Providers1900560Internal changes8c69595Update Dagger yml and README with new latest version number.1dbb1ddInternal refactoring62b5423Internal changes8dcce87Add AggregatedPackagesTransform for "android-classes" artifact type.Updates
com.google.dagger:dagger-compilerfrom 2.56.2 to 2.59.2Release notes
Sourced from com.google.dagger:dagger-compiler's releases.
... (truncated)
Commits
118f2e52.59.2 release1be5765Change HiltSyncTask to extend DefaultTask instead of Sync.f7e31b8Replace Hilt's "android-classes" transform with attribute rules.5909005Automated Code Change3507b0dSupport nullability in Switching Providers1900560Internal changes8c69595Update Dagger yml and README with new latest version number.1dbb1ddInternal refactoring62b5423Internal changes8dcce87Add AggregatedPackagesTransform for "android-classes" artifact type.Updates
org.springframework.boot:spring-boot-autoconfigurefrom 3.5.5 to 4.0.6Release notes
Sourced from org.springframework.boot:spring-boot-autoconfigure's releases.
... (truncated)
Commits
8821ad2Release v4.0.69e4048aMerge branch '3.5.x' into 4.0.x20bb11cNext development version (v3.5.15-SNAPSHOT)98daa8eMerge branch '3.5.x' into 4.0.x9dc5aa2Polish874f629Fix default security with actuator but without healthe41b3bfEnable hostname verification for SSL connections to Elasticsearchef8527bMerge branch '3.5.x' into 4.0.xf533a45Do not follow symlinks when writing PID file4a7bd33Merge branch '3.5.x' into 4.0.xUpdates
org.springframework.boot:spring-boot-starterfrom 3.5.5 to 4.0.6Release notes
Sourced from org.springframework.boot:spring-boot-starter's releases.
... (truncated)
Commits
8821ad2Release v4.0.69e4048aMerge branch '3.5.x' into 4.0.x20bb11cNext development version (v3.5.15-SNAPSHOT)98daa8eMerge branch '3.5.x' into 4.0.x9dc5aa2Polish874f629Fix default security with actuator but without healthe41b3bfEnable hostname verification for SSL connections to Elasticsearchef8527bMerge branch '3.5.x' into 4.0.xf533a45Do not follow symlinks when writing PID file4a7bd33Merge branch '3.5.x' into 4.0.xUpdates
org.springframework.boot:spring-boot-starter-webfrom 3.5.5 to 4.0.6Release notes
Sourced from org.springframework.boot:spring-boot-starter-web's releases.
... (truncated)
Commits
8821ad2Release v4.0.69e4048aMerge branch '3.5.x' into 4.0.x20bb11cNext development version (v3.5.15-SNAPSHOT)98daa8eMerge branch '3.5.x' into 4.0.x9dc5aa2Polish874f629Fix default security with actuator but without healthe41b3bfEnable hostname verification for SSL connections to Elasticsearchef8527bMerge branch '3.5.x' into 4.0.xf533a45Do not follow symlinks when writing PID file4a7bd33Merge branch '3.5.x' into 4.0.xUpdates
org.springframework.boot:spring-boot-starter-securityfrom 3.5.5 to 4.0.6Release notes
Sourced from org.springframework.boot:spring-boot-starter-security's releases.
... (truncated)
Commits
8821ad2Release v4.0.69e4048aMerge branch '3.5.x' into 4.0.x20bb11cNext development version (v3.5.15-SNAPSHOT)98daa8eMerge branch '3.5.x' into 4.0.x9dc5aa2Polish874f629Fix default security with actuator but without healthe41b3bfEnable hostname verification for SSL connections to Elasticsearchef8527bMerge branch '3.5.x' into 4.0.xf533a45Do not follow symlinks when writing PID file4a7bd33Merge branch '3.5.x' into 4.0.xUpdates
org.springframework.boot:spring-boot-starter-testfrom 3.5.5 to 4.0.6Release notes
Sourced from org.springframework.boot:spring-boot-starter-test's releases.