build(deps): bump the maven-minor-patch group across 1 directory with 165 updates

[dependabot]

Bumps the maven-minor-patch group with 162 updates in the / directory:

Package	From	To
org.apache.commons:commons-lang3	3.18.0	3.20.0
io.projectreactor.netty:reactor-netty-http	1.2.16	1.3.6
io.opentelemetry:opentelemetry-bom	1.62.0	1.63.0
org.eclipse.angus:angus-mail	2.0.4	2.0.5
com.fasterxml.jackson.core:jackson-annotations	2.18.7	2.22
com.fasterxml.jackson.core:jackson-core	2.18.7	2.22
com.fasterxml.jackson.core:jackson-databind	2.18.7	2.22
com.fasterxml.jackson.module:jackson-module-blackbird	2.18.7	2.22
com.fasterxml.jackson.datatype:jackson-datatype-jsr353	2.18.7	2.22
com.fasterxml.jackson.dataformat:jackson-dataformat-cbor	2.18.7	2.22
com.fasterxml.jackson.dataformat:jackson-dataformat-yaml	2.18.7	2.22
io.dropwizard:dropwizard-core	5.0.0	5.0.2
io.dropwizard:dropwizard-assets	5.0.0	5.0.2
io.dropwizard:dropwizard-http2	5.0.0	5.0.2
io.dropwizard:dropwizard-client	5.0.0	5.0.2
io.dropwizard:dropwizard-testing	5.0.0	5.0.2
io.dropwizard:dropwizard-json-logging	5.0.0	5.0.2
io.dropwizard:dropwizard-metrics	5.0.0	5.0.2
io.dropwizard:dropwizard-jersey	5.0.0	5.0.2
io.dropwizard:dropwizard-views	5.0.0	5.0.2
io.dropwizard:dropwizard-jetty	5.0.0	5.0.2
org.eclipse.jetty:jetty-server	12.1.7	12.1.10
org.eclipse.jetty.ee10:jetty-ee10-servlet	12.1.7	12.1.10
org.eclipse.jetty.ee10.websocket:jetty-ee10-websocket-jetty-server	12.1.7	12.1.10
org.eclipse.jetty.ee10.websocket:jetty-ee10-websocket-jakarta-server	12.1.7	12.1.10
org.eclipse.jetty.ee10:jetty-ee10-servlets	12.1.7	12.1.10
org.eclipse.jetty:jetty-io	12.1.7	12.1.10
ch.qos.logback:logback-core	1.5.25	1.5.34
ch.qos.logback:logback-classic	1.5.25	1.5.34
ch.qos.logback.access:logback-access-jetty12	2.0.7	2.0.12
ch.qos.logback.access:logback-access-common	2.0.7	2.0.12
org.awaitility:awaitility	4.2.0	4.3.0
io.dropwizard:dropwizard-jdbi3	5.0.0	5.0.2
org.jdbi:jdbi3-core	3.37.1	3.53.0
org.jdbi:jdbi3-sqlobject	3.37.1	3.53.0
commons-cli:commons-cli	1.9.0	1.11.0
commons-io:commons-io	2.17.0	2.22.0
com.mysql:mysql-connector-j	9.3.0	9.7.0
com.google.code.gson:gson	2.13.1	2.14.0
io.swagger.core.v3:swagger-core	2.2.25	2.2.51
io.swagger.core.v3:swagger-jaxrs2	2.2.25	2.2.51
io.swagger.core.v3:swagger-integration	2.2.25	2.2.51
io.swagger.core.v3:swagger-annotations	2.2.25	2.2.51
jakarta.xml.bind:jakarta.xml.bind-api	4.0.2	4.0.5
io.prometheus:prometheus-metrics-instrumentation-dropwizard	1.3.10	1.8.0
org.mockito:mockito-core	5.14.2	5.23.0
org.mockito:mockito-junit-jupiter	5.14.2	5.23.0
com.amazon.redshift:redshift-jdbc42	2.2.2	2.2.7
org.slf4j:slf4j-api	2.0.4	2.0.18
org.slf4j:slf4j-simple	2.0.4	2.0.18
org.projectlombok:lombok	1.18.30	1.18.46
org.apache.tomcat:tomcat-jdbc	11.0.5	11.0.22
com.zaxxer:HikariCP	7.0.2	7.1.0
io.github.classgraph:classgraph	4.8.177	4.8.184
org.reflections:reflections	0.9.11	0.10.2
org.apache.logging.log4j:log4j-core	2.25.4	2.26.0
org.apache.logging.log4j:log4j-api	2.25.4	2.26.0
io.github.resilience4j:resilience4j-retry	2.3.0	2.4.0
io.github.resilience4j:resilience4j-ratelimiter	2.3.0	2.4.0
info.picocli:picocli	4.7.6	4.7.7
com.github.erosb:everit-json-schema	1.14.4	1.14.6
com.github.jknack:handlebars	4.5.0	4.5.2
com.microsoft.azure:msal4j	1.17.2	1.25.0
com.azure:azure-identity	1.15.2	1.18.4
io.netty:netty-bom	4.1.135.Final	4.2.15.Final
org.yaml:snakeyaml	2.3	2.6
org.apache.httpcomponents.core5:httpcore5-h2	5.3.5	5.4.2
org.apache.commons:commons-compress	1.26.0	1.28.0
tools.jackson:jackson-bom	3.1.3	3.2.0
software.amazon.awssdk:bom	2.41.30	2.46.13
org.jacoco:jacoco-maven-plugin	0.8.10	0.8.15
org.apache.maven.plugins:maven-source-plugin	3.3.1	3.4.0
org.apache.maven.plugins:maven-javadoc-plugin	3.6.0	3.12.0
org.apache.maven.plugins:maven-gpg-plugin	3.0.1	3.2.8
org.apache.maven.plugins:maven-jxr-plugin	3.3.0	3.6.0
org.apache.maven.plugins:maven-enforcer-plugin	3.1.0	3.6.3
org.apache.maven.plugins:maven-clean-plugin	3.2.0	3.5.0
org.apache.maven.plugins:maven-deploy-plugin	3.0.0	3.1.4
org.apache.maven.plugins:maven-install-plugin	3.0.1	3.1.4
org.apache.maven.plugins:maven-resources-plugin	3.3.0	3.5.0
org.apache.maven.plugins:maven-assembly-plugin	3.4.2	3.8.0
org.apache.maven.plugins:maven-site-plugin	3.12.1	3.22.0
org.apache.maven.plugins:maven-dependency-plugin	3.6.0	3.11.0
org.apache.maven.plugins:maven-checkstyle-plugin	3.2.0	3.6.0
org.apache.maven.plugins:maven-release-plugin	3.0.1	3.3.1
org.apache.maven.plugins:maven-compiler-plugin	3.13.0	3.15.0
org.apache.maven.plugins:maven-jar-plugin	3.3.0	3.5.0
org.apache.maven.plugins:maven-surefire-plugin	3.1.2	3.5.6
org.apache.maven.plugins:maven-surefire-report-plugin	3.1.2	3.5.6
org.codehaus.mojo:versions-maven-plugin	2.13.0	2.21.0
org.sonatype.central:central-publishing-maven-plugin	0.9.0	0.11.0
org.jsonschema2pojo:jsonschema2pojo-maven-plugin	1.3.1	1.3.3
org.jsonschema2pojo:jsonschema2pojo-core	1.3.1	1.3.3
com.flipkart.zjsonpatch:zjsonpatch	0.4.14	0.4.16
io.socket:socket.io-client	2.1.1	2.1.2
com.auth0:java-jwt	4.4.0	4.5.2
org.eclipse.parsson:parsson	1.1.5	1.1.9
org.apache.maven.plugins:maven-failsafe-plugin	3.1.2	3.5.6
commons-codec:commons-codec	1.17.1	1.22.0
co.elastic.clients:elasticsearch-java	9.2.4	9.4.2
org.apache.maven.plugins:maven-shade-plugin	3.6.0	3.6.2
org.codehaus.mojo:build-helper-maven-plugin	3.4.0	3.6.1
org.opensearch.client:opensearch-java	3.4.0	3.9.0
com.google.cloud:libraries-bom	26.73.0	26.84.0
jakarta.validation:jakarta.validation-api	3.0.2	3.1.1
com.nimbusds:nimbus-jose-jwt	10.0.2	10.9.1
net.minidev:json-smart	2.5.2	2.6.0
com.google.api-client:google-api-client	2.2.0	2.9.0
com.google.oauth-client:google-oauth-client	1.34.1	1.39.0
io.swagger.core.v3:swagger-core-jakarta	2.2.30	2.2.51
io.swagger.core.v3:swagger-jaxrs2-jakarta	2.2.30	2.2.51
com.azure:azure-security-keyvault-secrets	4.10.7	4.11.0
com.azure:azure-identity-extensions	1.0.0	1.2.8
jakarta.servlet:jakarta.servlet-api	6.0.0	6.1.0
io.micrometer:micrometer-observation	1.15.12	1.17.0
io.micrometer:micrometer-registry-prometheus	1.15.12	1.17.0
io.micrometer:micrometer-core	1.15.12	1.17.0
io.dropwizard.metrics:metrics-core	4.2.19	4.2.39
ai.djl:api	0.34.0	0.36.0
ai.djl.pytorch:pytorch-engine	0.34.0	0.36.0
ai.djl.huggingface:tokenizers	0.34.0	0.36.0
org.skyscreamer:jsonassert	1.5.1	1.5.3
io.jsonwebtoken:jjwt	0.9.1	0.13.0
com.auth0:jwks-rsa	0.22.1	0.24.1
io.socket:socket.io-server	4.0.1	4.1.2
io.socket:engine.io-server	6.2.1	6.3.2
org.freemarker:freemarker	2.3.33	2.3.34
org.apache.commons:commons-csv	1.12.0	1.14.1
com.opencsv:opencsv	5.9	5.12.0
org.quartz-scheduler:quartz	2.5.0-rc2	2.5.2
com.mchange:c3p0	0.12.0	0.14.1
com.google.guava:guava	33.4.8-jre	33.6.0-jre
org.testcontainers:junit-jupiter	1.20.3	1.21.4
com.slack.api:bolt-servlet	1.44.1	1.49.0
com.slack.api:slack-api-client	1.44.1	1.49.0
io.github.jamsesso:json-logic-java	1.0.7	1.1.0
org.apache.calcite:calcite-core	1.36.0	1.42.0
org.commonmark:commonmark	0.26.0	0.28.0
org.commonmark:commonmark-ext-gfm-strikethrough	0.26.0	0.28.0
org.commonmark:commonmark-ext-autolink	0.26.0	0.28.0
org.commonmark:commonmark-ext-gfm-tables	0.26.0	0.28.0
com.azure:azure-storage-blob	12.31.1	12.35.0
org.apache.poi:poi	5.4.1	5.5.1
org.apache.poi:poi-ooxml	5.4.1	5.5.1
org.apache.poi:poi-scratchpad	5.4.1	5.5.1
org.apache.tika:tika-core	3.2.3	3.3.1
org.apache.tika:tika-parser-ocr-module	3.2.3	3.3.1
org.codehaus.mojo:buildnumber-maven-plugin	3.0.0	3.3.0
io.swagger.core.v3:swagger-maven-plugin-jakarta	2.2.30	2.2.51
org.testcontainers:k3s	1.20.3	1.21.4
com.github.docker-java:docker-java-bom	3.4.2	3.7.1
com.microsoft.playwright:playwright	1.49.0	1.60.0
org.codehaus.mojo:rpm-maven-plugin	2.2.0	2.3.0
io.github.openfeign:feign-core	13.5	13.13
io.github.openfeign:feign-jackson	13.5	13.13
io.github.openfeign:feign-slf4j	13.5	13.13
io.github.openfeign:feign-okhttp	13.5	13.13
org.openapitools:jackson-databind-nullable	0.2.6	0.2.10
io.swagger.parser.v3:swagger-parser	2.1.23	2.1.44
com.google.auth:google-auth-library-oauth2-http	1.29.0	1.48.0
org.mozilla:rhino	1.7.15.1	1.9.1
org.openapitools:openapi-generator-maven-plugin	7.13.0	7.23.0

Updates org.apache.commons:commons-lang3 from 3.18.0 to 3.20.0

Updates io.projectreactor.netty:reactor-netty-http from 1.2.16 to 1.3.6

Release notes

Sourced from io.projectreactor.netty:reactor-netty-http's releases.

v1.3.6

Reactor Netty 1.3.6 is part of 2025.0.6 Release Train.

What's Changed

⚠️ Update considerations and deprecations

• Tweak DNS resolver channel allocation strategy by @​violetagg in #4230

✨ New features and improvements

• Depend on Reactor Core v3.8.6 by @​violetagg in 511a3b6ef87c2d87da1544bcd669d7251d1035a7, see release notes
• Depend on Netty v4.2.15.Final by @​violetagg in #4237
• Remove multipart exception from isSelfDefinedMessageLength for keep-alive by @​violetagg in #4200
• Store HTTP/2 websocket CONNECT :protocol/:path in channel attributes by @​violetagg in #4202
• Update HTTP/3 configuration by @​violetagg in 1a4c4221afd7deb62e95a17a3d32795481d2f9df

🐞 Bug fixes

• Fix keep-alive race when creating HttpServerOperations by @​koisyu in #4189
• Fix HTTP/3 connection pool drain when server replenishes streams to same level by @​violetagg in #4193
• Fix missing metrics for AdaptiveByteBufAllocator by @​lukas-riedler-dynatrace in #4217
• Throw DecoderException with hostname when SNI AsyncMapping resolves to null by @​kwondh5217 in #4212
• Refine header handling during redirects by @​violetagg in e7ef551eead84ba465324531683fafa03ab96ee9

📖 Documentation

• Add WebSocket echo server example by @​Yelagandula in #4177
• Document TCP/UDP metrics remote.address tag cardinality by @​violetagg in #4201

New Contributors

• @​koisyu made their first contribution in #4189
• @​Yelagandula made their first contribution in #4177
• @​lukas-riedler-dynatrace made their first contribution in #4217
• @​kwondh5217 made their first contribution in #4212

Full Changelog: reactor/reactor-netty@v1.3.5...v1.3.6

v1.3.5

Reactor Netty 1.3.5 is part of 2025.0.5 Release Train.

What's Changed

✨ New features and improvements

• Depend on Reactor Core v3.8.5 by @​violetagg in b68dacab12f5ff46575f9009f34ea676a212879d, see release notes
• Depend on Netty v4.2.12.Final by @​violetagg in #4167
• Depend on Netty QUIC Codec v0.0.75.Final by @​violetagg in #4148
• Depend on Brave v6.3.1 by @​dependabot[bot] in #4159
• Optimise uri construction with baseUrl in HttpClientHandler by @​violetagg in #4130
• Optimise UriEndpoint#toSocketAddressStringWithoutDefaultPort by @​violetagg in #4131
• Store resolved SocketAddress in UriEndpoint for absolute URLs by @​violetagg in #4132
• Lazily compute HttpClientOperations#resourceUrl by @​violetagg in #4135

... (truncated)

Commits

• 511a3b6 [release] Prepare and release 1.3.6
• 3d3bdcb Merge-ignore release 1.2.18 into 1.3.6
• 9bd9255 [release] Back to snapshots, next is 1.2.19-SNAPSHOT
• c753da4 [release] Prepare and release 1.2.18
• 1a4c422 Update HTTP/3 configuration
• 2c6325e Merge e7ef551ee into 1.3.6
• e7ef551 Refine header handling during redirects
• 22ecd82 Merge #4243 into 1.3.6
• b26ac28 Bump biz.aQute.bnd.builder from 7.2.3 to 7.3.0 (#4243)
• bf1c241 Merge #4242 into 1.3.6
• Additional commits viewable in compare view

Updates io.opentelemetry:opentelemetry-bom from 1.62.0 to 1.63.0

Release notes

Sourced from io.opentelemetry:opentelemetry-bom's releases.

Version 1.63.0

API

• Add missing setAttribute shortcuts to Span and LogRecordBuilder (#8255)
• Promote InstrumentationUtil to public class in io.opentelemetry.api.impl package (#8413)
• Fix index-out-of-bounds in StrictContextStorage (#8294)

Incubating

• BREAKING Remove deprecated ExtendedAttributes and related code (#8395)

SDK

Metrics

• Collect async exemplars when exemplar filter is always_on (#8363)
• Move delta record/collect coordination from instrument to series level (#8313)

Exporters

• Add noop() factory method to SpanExporter and LogRecordExporter (#8435)
• BREAKING OTLP: Remove support for deprecated GrpcSenderProvider and HttpSenderProvider SPI property names (use io.opentelemetry.sdk.common.export.GrpcSenderProvider / io.opentelemetry.sdk.common.export.HttpSenderProvider instead) (#8392)
• OTLP: Bound OkHttp sender dispatchers and surface rejections (#8422)
• Prometheus: Limit exemplar label characters to conform to Prometheus limits (#8362)
• Logging: Fix LoggingSpanExporter.flush() to preserve flush failures (#8361)
• Zipkin: Make exporter self-contained by removing shared internal code dependencies (#8413)

Extensions

• BREAKING Autoconfigure: Remove deprecated otel.experimental.config.file property (#8393)
• BREAKING Incubator: Remove deprecated ViewConfig/ViewConfigCustomizer view file config mechanism (#8394)
• Declarative config: Fix model package (#8403)
• Declarative config: Fix Java module name to io.opentelemetry.sdk.autoconfigure.declarativeconfig (#8452)

Shims

• Deprecate OpenTracing shim public API (#8373)

Project tooling

• Finish adding OSGi support across all modules (#8401, #8417)
• Force io.zipkin.zipkin2:zipkin:3.6.1 to avoid problematic gson version (#8430)

🙇 Thank you

This release was possible thanks to the following contributors who shared their brilliant ideas and awesome pull requests:

@​ADITYA-CODE-SOURCE @​anuq @​bogdandrutu

... (truncated)

Changelog

Sourced from io.opentelemetry:opentelemetry-bom's changelog.

Version 1.63.0 (2026-06-05)

API

• Add missing setAttribute shortcuts to Span and LogRecordBuilder (#8255)
• Promote InstrumentationUtil to public class in io.opentelemetry.api.impl package (#8413)
• Fix index-out-of-bounds in StrictContextStorage (#8294)

Incubating

• BREAKING Remove deprecated ExtendedAttributes and related code (#8395)

SDK

Metrics

• Collect async exemplars when exemplar filter is always_on (#8363)
• Move delta record/collect coordination from instrument to series level (#8313)

Exporters

• Add noop() factory method to SpanExporter and LogRecordExporter (#8435)
• BREAKING OTLP: Remove support for deprecated GrpcSenderProvider and HttpSenderProvider SPI property names (use io.opentelemetry.sdk.common.export.GrpcSenderProvider / io.opentelemetry.sdk.common.export.HttpSenderProvider instead) (#8392)
• OTLP: Bound OkHttp sender dispatchers and surface rejections (#8422)
• Prometheus: Limit exemplar label characters to conform to Prometheus limits (#8362)
• Logging: Fix LoggingSpanExporter.flush() to preserve flush failures (#8361)
• Zipkin: Make exporter self-contained by removing shared internal code dependencies (#8413)

Extensions

• BREAKING Autoconfigure: Remove deprecated otel.experimental.config.file property (#8393)
• BREAKING Incubator: Remove deprecated ViewConfig/ViewConfigCustomizer view file config mechanism (#8394)
• Declarative config: Fix model package (#8403)

... (truncated)

Commits

• 485976a [release/v1.63.x] Prepare release 1.63.0 (#8457)
• 38683b0 Prepare for 1.63.0 release (#8453)
• 0e59934 [doc] fix sonatype link and token generation instruction (#8455)
• 315ba13 Fix declarative config artifact moduleName (#8452)
• 539a84a Directly expose noop exporters for spans and logs. (#8435)
• 28f91ed Remove spring slueth link to fix link check (#8448)
• 79608eb Update spotless packages to v8.6.0 (#8441)
• 9ab2f57 Finish adding OSGi support (#8417)
• 63573ce Add jaydeluca as approver (#8443)
• 235ee11 Add psx95 as approver (#8442)
• Additional commits viewable in compare view

Updates org.eclipse.angus:angus-mail from 2.0.4 to 2.0.5

Release notes

Sourced from org.eclipse.angus:angus-mail's releases.

Angus Mail 2.0.5 Final Release

What's Changed

• Ee10 11 sync by @​jbescos in eclipse-ee4j/angus-mail#181
• 2.0.4 release by @​lukasj in eclipse-ee4j/angus-mail#182
• activation api 2.1.4, mail api 2.1.5, angus activation 2.0.3 by @​lukasj in eclipse-ee4j/angus-mail#183

Full Changelog: eclipse-ee4j/angus-mail@2.0.4...2.0.5

Commits

• a7a4a37 Prepare release org.eclipse.angus:all:2.0.5
• a7d6745 activation api 2.1.4, mail api 2.1.5, angus activation 2.0.3
• c93dde0 Merge pull request #182 from eclipse-ee4j/2.0.4-RELEASE
• ddcc8e3 From-Address not parsed correctly #161 (#174)
• c4e72d2 Update github action versions
• f160633 OAuth2.md: POP3 works with O365 with towlines
• acbb015 Update changes files, it was wrong (#177)
• b96c2c3 Rename resource files so JakartaMail and JavaMail can co-exist (#171)
• 8d4a8ce Update CHANGES.txt
• dbd22ec Remove this-escape compiler warnings #141 (#142)
• Additional commits viewable in compare view

Updates com.fasterxml.jackson.core:jackson-annotations from 2.18.7 to 2.22

Commits

• See full diff in compare view

Updates com.fasterxml.jackson.core:jackson-core from 2.18.7 to 2.22

Updates com.fasterxml.jackson.core:jackson-databind from 2.18.7 to 2.22

Updates com.fasterxml.jackson.module:jackson-module-blackbird from 2.18.7 to 2.22

Updates com.fasterxml.jackson.datatype:jackson-datatype-jsr353 from 2.18.7 to 2.22

Updates com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 2.18.7 to 2.22

Updates com.fasterxml.jackson.dataformat:jackson-dataformat-yaml from 2.18.7 to 2.22

Updates com.fasterxml.jackson.core:jackson-core from 2.18.7 to 2.22

Updates com.fasterxml.jackson.core:jackson-databind from 2.18.7 to 2.22

Updates com.fasterxml.jackson.module:jackson-module-blackbird from 2.18.7 to 2.22

Updates io.dropwizard:dropwizard-core from 5.0.0 to 5.0.2

Updates io.dropwizard:dropwizard-assets from 5.0.0 to 5.0.2

Updates io.dropwizard:dropwizard-http2 from 5.0.0 to 5.0.2

Updates io.dropwizard:dropwizard-client from 5.0.0 to 5.0.2

Updates io.dropwizard:dropwizard-testing from 5.0.0 to 5.0.2

Updates io.dropwizard:dropwizard-json-logging from 5.0.0 to 5.0.2

Updates io.dropwizard:dropwizard-metrics from 5.0.0 to 5.0.2

Updates io.dropwizard:dropwizard-jersey from 5.0.0 to 5.0.2

Updates io.dropwizard:dropwizard-views from 5.0.0 to 5.0.2

Updates io.dropwizard:dropwizard-jetty from 5.0.0 to 5.0.2

Updates org.eclipse.jetty:jetty-server from 12.1.7 to 12.1.10

Updates org.eclipse.jetty.ee10:jetty-ee10-servlet from 12.1.7 to 12.1.10

Updates org.eclipse.jetty.ee10.websocket:jetty-ee10-websocket-jetty-server from 12.1.7 to 12.1.10

Updates org.eclipse.jetty.ee10.websocket:jetty-ee10-websocket-jakarta-server from 12.1.7 to 12.1.10

Updates org.eclipse.jetty.ee10:jetty-ee10-servlets from 12.1.7 to 12.1.10

Updates org.eclipse.jetty:jetty-io from 12.1.7 to 12.1.10

Updates org.eclipse.jetty.ee10:jetty-ee10-servlet from 12.1.7 to 12.1.10

Updates org.eclipse.jetty.ee10.websocket:jetty-ee10-websocket-jetty-server from 12.1.7 to 12.1.10

Updates org.eclipse.jetty.ee10.websocket:jetty-ee10-websocket-jakarta-server from 12.1.7 to 12.1.10

Updates io.dropwizard:dropwizard-assets from 5.0.0 to 5.0.2

Updates io.dropwizard:dropwizard-http2 from 5.0.0 to 5.0.2

Updates io.dropwizard:dropwizard-client from 5.0.0 to 5.0.2

Updates io.dropwizard:dropwizard-testing from 5.0.0 to 5.0.2

Updates ch.qos.logback:logback-core from 1.5.25 to 1.5.34

Release notes

Sourced from ch.qos.logback:logback-core's releases.

Logback 1.5.34

2026-06-01 Release of logback version 1.5.34

• In case certain StackTraceElement values returned by the Throwable.getStackTrace method are null, StackTraceElementProxy substitutes a dummy instance instead of throwing an IllegalArgumentException. This resolves [issues #1040](qos-ch/logback#1040), reported by Naotsugu Kobayashi.

• HardenedObjectInputStream will now throw an InvalidClassException during deserialization attempts of Proxy classes. This change addresses potential deserialization whitelist bypass vulnerability reported by York Shen and registered as CVE-2026-10532.

• A bitwise identical binary of this version can be reproduced by building from source code at commit e62272ac152469aec1ede056c3c7d0d7314e7bfe associated with the tag v_1.5.34. This release was built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.33

2026-05-27 Release of logback version 1.5.33

• PropertiesConfiguratorModelHandler now registers properties file URLs to the ConfigurationWatchList when scan is enabled (via local scan="true" attribute or top-level configuration scan), ensuring changes are detected and reconfiguration occurs. This problem was reported in issues/1034.

• When processing <conversionRule> elements and both class and converterClass attributes are specified, silently use the class attribute without issuing a warning. However, if the attribute values differ, a warning will be issued. This change was requested in issues/1031.

• HardenedModelInputStream will no longer accept to deserialize all classes located under the "java.lang" and "java.util" packages but a limited number of explicitly authorized classes in those packages. This potential deserialization whitelist bypass vulnerability was reported by York Shen and registered as CVE-2026-9828.

• SSL parameters for SSLSocketAppender now enable hostname verification by default. Moreover, the default protocol is now "TLSv1.2". This potential vulnerability was reported by York Shen.

• When printing the status message field, ViewStatusMessagesServletBase now escapes special characters such as "&" as character entities. This potential vulnerability was reported by York Shen.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 124e8b49b55ac34d08743a0646bd463410192647 associated with the tag v_1.5.33. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.32

2026-02-16 Release of logback version 1.5.32

• In DefaultProcessor, fixed incorrect check for dependencies contained within a parent model. Previous only the direct children were scanned. This fixes logback-access/issues/34.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit e807335a67535b4eacce94e942c0bcb649665d93 associated with the tag v_1.5.32. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.31

2026-02-14 Release of logback version 1.5.31

• Fixed missing META-INF/services directory in logback-classic.jar. This issue rendered logback-classic version 1.5.30 unusable with SLF4J.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 168e42f9f9a18a3ffdf31eb2bfe80a71e33ecd8b associated with the tag v_1.5.31. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.30

2026-02-14 Release of logback version 1.5.30

• In this version, logback-classic.jar was missing the META-INF/services directory, making it unusable with SLF4J. Version 1.5.31 (released later on the same day) fixes this issue.

• Fix scanning issue when an included file becomes available at a later time. This problem was reported in issues/1021 by Sergey Nazarov.

• Standardized code for version checking across modules.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 44164f10ca3fb44ce0e68519f13564b87e3aca61 associated with the tag v_1.5.30. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.29

... (truncated)

Commits

• e62272a prepare release 1.5.34
• 1e9e926 add resolveProxyClassRejectsDynamicProxies unit test
• 2de5cbe added StackTraceElementProxyTest, minor edits to AGENTS.md
• 0e9b927 in case StackTraceElement is null use a substitute, fixing issues/1040
• f7a0654 prevent resolveProxyClass bypass
• 249b81f docs are no longer distributed
• 1c3b26a start work on 1.5.34-SNAPSHOT
• 124e8b4 prepare release 1.5.33
• d8fd6f2 escapeTags in message field when printing status messages
• 95edbeb hostnameVerification default to true in SSLParametersConfiguration, SSL.DEFAU...
• Additional commits viewable in compare view

Updates ch.qos.logback:logback-classic from 1.5.25 to 1.5.34

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.34

2026-06-01 Release of logback version 1.5.34

• In case certain StackTraceElement values returned by the Throwable.getStackTrace method are null, StackTraceElementProxy substitutes a dummy instance instead of throwing an IllegalArgumentException. This resolves [issues #1040](qos-ch/logback#1040), reported by Naotsugu Kobayashi.

• HardenedObjectInputStream will now throw an InvalidClassException during deserialization attempts of Proxy classes. This change addresses potential deserialization whitelist bypass vulnerability reported by York Shen and registered as CVE-2026-10532.

• A bitwise identical binary of this version can be reproduced by building from source code at commit e62272ac152469aec1ede056c3c7d0d7314e7bfe associated with the tag v_1.5.34. This release was built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.33

2026-05-27 Release of logback version 1.5.33

• PropertiesConfiguratorModelHandler now registers properties file URLs to the ConfigurationWatchList when scan is enabled (via local scan="true" attribute or top-level configuration scan), ensuring changes are detected and reconfiguration occurs. This problem was reported in issues/1034.

• When processing <conversionRule> elements and both class and converterClass attributes are specified, silently use the class attribute without issuing a warning. However, if the attribute values differ, a warning will be issued. This change was requested in issues/1031.

• HardenedModelInputStream will no longer accept to deserialize all classes located under the "java.lang" and "java.util" packages but a limited number of explicitly authorized classes in those packages. This potential deserialization whitelist bypass vulnerability was reported by York Shen and registered as CVE-2026-9828.

• SSL parameters for SSLSocketAppender now enable hostname verification by default. Moreover, the default protocol is now "TLSv1.2". This potential vulnerability was reported by York Shen.

• When printing the status message field, ViewStatusMessagesServletBase now escapes special characters such as "&" as character entities. This potential vulnerability was reported by York Shen.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 124e8b49b55ac34d08743a0646bd463410192647 associated with the tag v_1.5.33. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.32

2026-02-16 Release of logback version 1.5.32

• In DefaultProcessor, fixed incorrect check for dependencies contained within a parent model. Previous only the direct children were scanned. This fixes logback-access/issues/34.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit e807335a67535b4eacce94e942c0bcb649665d93 associated with the tag v_1.5.32. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.31

2026-02-14 Release of logback version 1.5.31

• Fixed missing META-INF/services directory in logback-classic.jar. This issue rendered logback-classic version 1.5.30 unusable with SLF4J.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 168e42f9f9a18a3ffdf31eb2bfe80a71e33ecd8b associated with the tag v_1.5.31. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.30

2026-02-14 Release of logback version 1.5.30

• In this version, logback-classic.jar was missing the META-INF/services directory, making it unusable with SLF4J. Version 1.5.31 (released later on the same day) fixes this issue.

• Fix scanning issue when an included file becomes available at a later time. This problem was reported in issues/1021 by Sergey Nazarov.

• Standardized code for version checking across modules.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 44164f10ca3fb44ce0e68519f13564b87e3aca61 associated with the tag v_1.5.30. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.29

... (truncated)

Commits

• e62272a prepare release 1.5.34
• 1e9e926 add resolveProxyClassRejectsDynamicProxies unit test
• 2de5cbe added StackTraceElementProxyTest, minor edits to AGENTS.md
• 0e9b927 in case StackTraceElement is null use a substitute, fixing issues/1040
• f7a0654 prevent resolveProxyClass bypass
• 249b81f docs are no longer distributed
• 1c3b26a start work on 1.5.34-SNAPSHOT
• 124e8b4 prepare release 1.5.33
• d8fd6f2 escapeTags in message field when printing status messages
• 95edbeb hostnameVerification default to true in SSLParametersConfiguration, SSL.DEFAU...
• Additional commits viewable in compare view

Updates ch.qos.logback.access:logback-access-jetty12 from 2.0.7 to 2.0.12

Updates ch.qos.logback.access:logback-access-common from 2.0.7 to 2.0.12

Updates io.dropwizard:dropwizard-json-logging from 5.0.0 to 5.0.2

Updates org.awaitility:awaitility from 4.2.0 to 4.3.0

Changelog

Sourced from org.awaitility:awaitility's changelog.

Changelog 4.3.0 (2025-02-21)

• Support for kotlin.time.Duration in Kotlin DSL (thanks to Ivo Šmíd for PR)

• Upgraded kotlin version in the awaitility-kotlin module to 2.1.10

• Using a more descriptive error message when using VERY long wait conditions or poll durations (issue 290)

• Added an overloaded method of untilAsserted(..) that takes a supplier and a consumer. For example, lets say you have a class like this: public class MyClass { public String myFunction() { // Imagine stuff being executed in asynchronously here and the result of this // operation is a string called "my value" return "my value" } }

  // Then in your test you can wait for the "myFunction" to be asserted by a "consumer" that uses // assertj to make sure that "myFunction" returns ""my value" await().untilAsserted(myClass::myFunction, value -> Assertions.assertThat(value).isEqualTo("my value"));

  This has also been implemented for all atomic, adder, and accumulator methods.

Changelog 4.2.2 (2024-08-07)

• Support JDK EA builds in JavaVersionDetector (thanks to Oleg Estekhin for pull request)

Changelog 4.2.1 (2024-03-15)

• Upgraded Kotlin to 1.9.22

• Added extension properties forever, then, and, given to the Kotlin extension. This allows you to do e.g.:

  await.forever until { .. }

• Added shortcut for enabling logging. Before you had to do e.g.

  await() .with() .conditionEvaluationListener(new ConditionEvaluationLogger(log::info)) .pollInterval(ONE_HUNDRED_MILLISECONDS) .until(logs::size, is(4));

  You can now instead use the "logging" shortcut:

  await() .with() .logging(log::info) .pollInterval(ONE_HUNDRED_MILLISECONDS) .until(logs::size, is(4));

  or simply ".logging()" for "System.out".

  This shortcut has also been added globally:

... (truncated)

Commits

• e3ff879 [maven-release-plugin] prepare release awaitility-4.3.0
• d116712 [ci skip] Preparing changelog for release
• 4e186df Added kotlin source folder explicitly
• e8d3ab7 Upgraded lots of plugin dependencies
• a7a167a Added an overloaded method of untilAsserted(..) that takes a supplier and a c...
• ef8f663 Make ConditionFactory safer to use in java 8
• 5550079 Using a more descriptive error message when using VERY long wait conditions o...
• 2a9814b Upgraded kotlin version in the awaitility-kotlin module to 2.1.10
• 8f22c00 [ci skip] Updated changelog.txt to reflect latest changes
• 6a35c24 #235 Support for kotlin.time.Duration in Kotlin DSL (#285)
• Additional commits viewable in compare view

Updates io.dropwizard:dropwizard-jdbi3 from 5.0.0 to 5.0.2

Updates org.jdbi:jdbi3-core from 3.37.1 to 3.53.0

Release notes

Sourced from org.jdbi:jdbi3-core's releases.

3.53.0

Fixes: Jdbi-Freemarker Security Advisory GHSA-mggx-p7jf-jgw4

The Freemarker configuration allows templates to construct arbitrary Java types, including freemarker.template.utility.Execute.

While exploiting this requires other unsafe practices (letting a user dictate template input), it seems prudent to disable template class resolution.

Please see GHSA-mggx-p7jf-jgw4 for more details.

Upgrade to testcontainers 2.x

While this required no code changes, the testcontainers project has renamed a number of their jar files. Jdbi still supports testcontainers 1.x and now also testcontainers 2.x:

If you are using testcontainers with Jdbi today and can not update to 2.x, make sure that you reference the org.testcontainers:jdbc and org.testcontainers:junit-jupiter dependencies. Those used to be available as transitive dependency from jdbi3-testcontainers.

If you upgrade to testcontainers 2.x, the org.testcontainers:testcontainers-jdbc and org.testcontainers:testcontainers-junit-jupiter dependencies must be available.

• Update testcontainers dependency to 2.0.5 (from 1.21.4)
• Add StatementContext parameter to SqlExceptionHandler and remove return value

3.52.1

• fix regression for java.time.Instant mapping from 3.52.0
• Add missing mappers for java.sql.Date and java.sql.Time
• Add support for java.time.OffsetTime
• Add support for java.time.ZoneOffset

3.52.0

Changes to java.time related classes

JDBC 4.2 added full support to map java.time classes onto SQL types in 2014. This release of Jdbi switches from mapping these objects onto "classic" (java.sql.Date, Time, Timestamp) to using the JDBC 4.2 API (PreparedStatement#setObject and ResultSet#getObject).

These changes should not be visible for any database, except if you were brave enough to map types with time zones or offsets (ZonedDateTime and OffsetDateTime) onto SQL types that have no timezone (TIMESTAMP or DATETIME). This affects databases that do not support the TIMESTAMP WITH TIMEZONE data type. IAW MySQL.

... (truncated)

Changelog

Sourced from org.jdbi:jdbi3-core's changelog.

3.53.0

Fixes: Jdbi-Freemarker Security Advisory GHSA-mggx-p7jf-jgw4

The Freemarker configuration allows templates to construct arbitrary Java types, including freemarker.template.utility.Execute.

While exploiting this requires other unsafe practices (letting a user dictate t...

Description has been truncated

Greptile Summary

Automated dependabot bump across 16 Maven POM files, updating 165 dependencies (libraries and plugins) to their latest minor/patch versions throughout the project.

• Key library jumps: Jackson 2.18.7→2.22, Dropwizard 5.0.0→5.0.2, Jetty 12.1.7→12.1.10, Logback 1.5.25→1.5.34 (includes CVE-2026-10532 and CVE-2026-9828 security fixes), jdbi3 3.37.1→3.53.0, reactor-netty-http 1.2.16→1.3.6 (minor version line change), and jjwt 0.9.1→0.13.0.
• Warning comments not reconciled: The root pom.xml retains <!-- Upgrading to jdbi version causes test failures--> after bumping jdbi3 to 3.53.0, and <!-- Upgrading slf4j causes dropwizard issues --> after bumping slf4j to 2.0.18; neither comment was removed or updated to explain whether the original issue was resolved.
• Logback security fixes included: The logback 1.5.34 release patches two deserialization-related CVEs (CVE-2026-10532, CVE-2026-9828), making the logback upgrade particularly valuable.

Confidence Score: 3/5

Most bumps are safe minor/patch updates, but two historically-flagged upgrades (jdbi3 and slf4j) now proceed with their warning comments intact, leaving it unclear whether the previous breakages were resolved.

The jdbi3 jump from 3.37.1 to 3.53.0 carries a comment that upgrading this library caused test failures, and the comment was not removed — suggesting the issue may not have been explicitly addressed. Similarly, the slf4j bump retains its dropwizard-compatibility warning. Both of these could silently break tests or runtime behavior. The logback upgrade to 1.5.34 is actively beneficial (patches two deserialization CVEs). The majority of the 165 changes are straightforward plugin and library patch updates with low risk.

pom.xml — the root BOM retains two stale warning comments that conflict with the version bumps applied in this PR.

Important Files Changed

Filename	Overview
pom.xml	Root POM: 52 version properties bumped, including jdbi3 (3.37.1→3.53.0) and slf4j (2.0.4→2.0.18) which had existing warning comments about known failures/issues that were not removed
openmetadata-service/pom.xml	Service module: 30+ dependency bumps including Azure, Quartz, Swagger, DJL, Calcite, Slack, and logging stack — all appear to be straightforward minor/patch updates
openmetadata-clients/openmetadata-java-client/pom.xml	Java client: bumps feign (13.5→13.13), openapi-generator (7.13.0→7.23.0), Rhino (1.7.15.1→1.9.1), and auth libraries — no concerns
openmetadata-sdk/pom.xml	SDK: bumps mockito, slf4j, lombok, jwt, parsson — routine minor updates with no concerns
openmetadata-integration-tests/pom.xml	Integration tests: bumps failsafe plugin, docker-java, commons-compress, playwright (1.49→1.60), awaitility, POI — no concerns
openmetadata-k8s-operator/pom.xml	K8s operator: bumps mockito, testcontainers, maven-compiler, surefire/failsafe plugins — routine updates
openmetadata-shaded-deps/elasticsearch-dep/pom.xml	Elasticsearch shaded dep: bumps elasticsearch-java (9.2.4→9.4.2), maven-shade-plugin, build-helper-plugin — straightforward patch updates
openmetadata-shaded-deps/opensearch-dep/pom.xml	OpenSearch shaded dep: bumps opensearch-java (3.4.0→3.9.0), maven-shade-plugin, build-helper-plugin — straightforward updates

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[pom.xml root BOM] --> B[openmetadata-service]
    A --> C[openmetadata-sdk]
    A --> D[openmetadata-spec]
    A --> E[common]
    A --> F[openmetadata-clients]
    A --> G[openmetadata-integration-tests]
    A --> H[openmetadata-k8s-operator]
    A --> I[openmetadata-shaded-deps]
    I --> J[elasticsearch-dep]
    I --> K[opensearch-dep]

    subgraph Notable bumps
        L["jdbi3: 3.37.1 → 3.53.0 ⚠️"]
        M["slf4j: 2.0.4 → 2.0.18 ⚠️"]
        N["logback: 1.5.25 → 1.5.34 ✅ CVE fixes"]
        O["Jackson: 2.18.7 → 2.22"]
        P["Dropwizard: 5.0.0 → 5.0.2"]
        Q["Jetty: 12.1.7 → 12.1.10"]
    end

    A -.-> L
    A -.-> M
    A -.-> N
    A -.-> O
    A -.-> P
    A -.-> Q

Loading

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
    A[pom.xml root BOM] --> B[openmetadata-service]
    A --> C[openmetadata-sdk]
    A --> D[openmetadata-spec]
    A --> E[common]
    A --> F[openmetadata-clients]
    A --> G[openmetadata-integration-tests]
    A --> H[openmetadata-k8s-operator]
    A --> I[openmetadata-shaded-deps]
    I --> J[elasticsearch-dep]
    I --> K[opensearch-dep]

    subgraph Notable bumps
        L["jdbi3: 3.37.1 → 3.53.0 ⚠️"]
        M["slf4j: 2.0.4 → 2.0.18 ⚠️"]
        N["logback: 1.5.25 → 1.5.34 ✅ CVE fixes"]
        O["Jackson: 2.18.7 → 2.22"]
        P["Dropwizard: 5.0.0 → 5.0.2"]
        Q["Jetty: 12.1.7 → 12.1.10"]
    end

    A -.-> L
    A -.-> M
    A -.-> N
    A -.-> O
    A -.-> P
    A -.-> Q

Loading

_{Reviews (1): Last reviewed commit: "build(deps): bump the maven-minor-patch ..." | Re-trigger Greptile}

Greptile also left 2 inline comments on this PR.

[github-actions]

Hi there 👋 Thanks for your contribution!

The OpenMetadata team will review the PR shortly! Once it has been labeled as safe to test, the CI workflows
will start executing and we'll be able to make sure everything is working as expected.

Let us know if you need any help!

[greptile-apps]

Warning comment contradicts version bump

The comment <!-- Upgrading to jdbi version causes test failures--> is still present while the version was bumped from 3.37.1 to 3.53.0. This comment was placed to guard against upgrades that had been observed to break tests. Jumping 16 minor versions without removing or addressing this comment suggests either the known failures were never explicitly resolved (and may resurface), or the comment is now stale. If the failure mode was fixed, the comment should be removed; if it wasn't, this bump risks test regressions.

The same concern applies to line 74: <!-- Upgrading slf4j causes dropwizard issues --> is still present while slf4j.version was bumped from 2.0.4 to 2.0.18.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[greptile-apps]

Removed "can't be upgraded" guard for reflections library

The comment <!-- Can't be upgraded to the latest --> was removed and org.reflections:reflections was bumped from 0.9.11 to 0.10.2. The reflections 0.10.x line has documented breaking API changes compared to 0.9.x (the query API was redesigned). No Java source file in the repository directly imports from org.reflections, so this is likely fine as a transitive dependency, but it's worth verifying that no runtime classpath scanning code depends on the 0.9.x behavior.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!