Bump the maven group across 44 directories with 27 updates

[dependabot]

Bumps the maven group with 2 updates in the /apache-cxf-modules/cxf-aegis directory: org.apache.cxf:cxf-rt-databinding-aegis and org.assertj:assertj-core.
Bumps the maven group with 2 updates in the /apache-kafka directory: org.assertj:assertj-core and org.apache.kafka:kafka-clients.
Bumps the maven group with 2 updates in the /apache-kafka-2 directory: org.assertj:assertj-core and org.apache.kafka:kafka-clients.
Bumps the maven group with 4 updates in the /apache-libraries directory: org.assertj:assertj-core, org.apache.avro:avro-compiler, org.apache.opennlp:opennlp-tools and com.fasterxml.jackson.core:jackson-core.
Bumps the maven group with 3 updates in the /apache-spark directory: org.assertj:assertj-core, org.apache.spark:spark-core_2.12 and org.postgresql:postgresql.
Bumps the maven group with 1 update in the /atomikos directory: org.assertj:assertj-core.
Bumps the maven group with 2 updates in the /aws-modules/aws-lambda-modules/shipping-tracker-lambda/ShippingFunction directory: org.postgresql:postgresql and org.hibernate:hibernate-core.
Bumps the maven group with 1 update in the /core-java-modules/core-java-20 directory: org.assertj:assertj-core.
Bumps the maven group with 1 update in the /core-java-modules/core-java-networking-2 directory: org.asynchttpclient:async-http-client.
Bumps the maven group with 1 update in the /core-java-modules/core-java-streams-5 directory: org.assertj:assertj-core.
Bumps the maven group with 1 update in the /core-java-modules/core-java-streams-maps directory: org.assertj:assertj-core.
Bumps the maven group with 2 updates in the /custom-pmd directory: org.assertj:assertj-core and net.sourceforge.pmd:pmd-core.
Bumps the maven group with 1 update in the /jackson-modules/jackson-polymorphic-deserialization directory: com.fasterxml.jackson.core:jackson-core.
Bumps the maven group with 2 updates in the /libraries-2 directory: org.assertj:assertj-core and net.sf.jasperreports:jasperreports.
Bumps the maven group with 2 updates in the /libraries-4 directory: org.assertj:assertj-core and com.fasterxml.jackson.core:jackson-core.
Bumps the maven group with 2 updates in the /libraries-ai directory: org.assertj:assertj-core and org.apache.opennlp:opennlp-tools.
Bumps the maven group with 2 updates in the /libraries-data directory: org.assertj:assertj-core and org.apache.kafka:kafka-clients.
Bumps the maven group with 2 updates in the /libraries-files directory: org.assertj:assertj-core and com.fasterxml.jackson.core:jackson-core.
Bumps the maven group with 3 updates in the /libraries-http directory: org.assertj:assertj-core, com.fasterxml.jackson.core:jackson-core and org.asynchttpclient:async-http-client.
Bumps the maven group with 2 updates in the /libraries-http-2 directory: org.assertj:assertj-core and org.springframework:spring-webflux.
Bumps the maven group with 3 updates in the /libraries-security directory: org.assertj:assertj-core, org.bouncycastle:bcprov-jdk15on and org.bouncycastle:bcpkix-jdk15on.
Bumps the maven group with 2 updates in the /libraries-server directory: org.assertj:assertj-core and org.apache.tomcat:tomcat-catalina.
Bumps the maven group with 3 updates in the /logging-modules/log-mdc directory: org.assertj:assertj-core, org.springframework:spring-webmvc and org.apache.logging.log4j:log4j-core.
Bumps the maven group with 1 update in the /logging-modules/log4j directory: org.apache.logging.log4j:log4j-core.
Bumps the maven group with 1 update in the /logging-modules/log4j2 directory: org.apache.logging.log4j:log4j-core.
Bumps the maven group with 1 update in the /messaging-modules/spring-jms directory: org.apache.activemq:activemq-all.
Bumps the maven group with 2 updates in the /pdf directory: org.assertj:assertj-core and org.thymeleaf:thymeleaf.
Bumps the maven group with 1 update in the /persistence-modules/core-java-persistence directory: com.mchange:c3p0.
Bumps the maven group with 2 updates in the /persistence-modules/hibernate-libraries directory: org.hibernate:hibernate-core and org.springframework.boot:spring-boot-devtools.
Bumps the maven group with 1 update in the /persistence-modules/java-jpa-3 directory: org.hibernate:hibernate-core.
Bumps the maven group with 2 updates in the /persistence-modules/redis directory: org.assertj:assertj-core and io.netty:netty-transport-native-epoll.
Bumps the maven group with 1 update in the /persistence-modules/spring-hibernate-5 directory: org.hibernate:hibernate-core.
Bumps the maven group with 2 updates in the /security-modules/apache-shiro directory: org.assertj:assertj-core and org.apache.shiro:shiro-core.
Bumps the maven group with 2 updates in the /spring-boot-modules/spring-boot-custom-starter/greeter-spring-boot-autoconfigure directory: org.assertj:assertj-core and org.springframework.boot:spring-boot.
Bumps the maven group with 2 updates in the /spring-ejb-modules/ejb-beans directory: org.assertj:assertj-core and org.apache.activemq:activemq-broker.
Bumps the maven group with 4 updates in the /spring-security-modules/spring-security-web-sockets directory: org.assertj:assertj-core, com.fasterxml.jackson.core:jackson-core, org.springframework:spring-webmvc and org.springframework.security:spring-security-web.
Bumps the maven group with 1 update in the /spring-swagger-codegen/spring-openapi-generator-api-client directory: com.fasterxml.jackson.core:jackson-core.
Bumps the maven group with 3 updates in the /spring-web-modules/spring-mvc-basics-2 directory: org.assertj:assertj-core, org.springframework:spring-webmvc and org.thymeleaf:thymeleaf.
Bumps the maven group with 1 update in the /spring-web-modules/spring-mvc-crash directory: org.assertj:assertj-core.
Bumps the maven group with 2 updates in the /spring-web-modules/spring-mvc-views directory: org.assertj:assertj-core and org.springframework.security:spring-security-web.
Bumps the maven group with 1 update in the /spring-web-modules/spring-mvc-webflow directory: org.assertj:assertj-core.
Bumps the maven group with 1 update in the /spring-web-modules/spring-mvc-xml directory: org.assertj:assertj-core.
Bumps the maven group with 1 update in the /spring-web-modules/spring-mvc-xml-2 directory: org.assertj:assertj-core.
Bumps the maven group with 2 updates in the /testing-modules/spring-testing directory: org.assertj:assertj-core and org.springframework:spring-webmvc.

Updates org.apache.cxf:cxf-rt-databinding-aegis from 4.0.0 to 4.0.4

Updates org.assertj:assertj-core from 3.21.0 to 3.27.7

Release notes

Sourced from org.assertj:assertj-core's releases.

v3.27.7

🔒 Security

Core

• Fix XXE vulnerability in isXmlEqualTo assertion (CVE-2026-24400)
  • See GHSA-rqfh-9r24-8c9r for details; many thanks to @​wxt201 and @​Song-Li for responsibly reporting it!

🚫 Deprecated

Core

• Deprecate XmlStringPrettyFormatter with no replacement

🐛 Bug Fixes

Guava

• Navigation to assertj-core or guava types from assertj-guava Javadoc site has unnecessary header #3478

🔨 Dependency Upgrades

Core

• Upgrade to Byte Buddy 1.18.3
• Upgrade to JUnit BOM 5.14.1

Guava

• Upgrade to Guava 33.5.0-jre

v3.27.6

🐛 Bug Fixes

Core

• Add missing export for org.assertj.core.annotation #3951

❤️ Contributors

Thanks to all the contributors who worked on this release:

@​duponter

v3.27.5

⚡ Improvements

Core

• ByteBuddy in AssertJ 3.27.4 not compatible with Java 25 #3946

... (truncated)

Commits

• e840716 [maven-release-plugin] prepare release assertj-build-3.27.7
• 85ca7eb Deprecate XmlStringPrettyFormatter
• 77081dc Merge commit from fork
• b68fc24 Bump github/codeql-action from 4.31.9 to 4.31.10 in the github-actions group ...
• 0cf5bb6 Bump kotlin.version from 2.1.0 to 2.2.21
• d393ef1 Abort tests when symbolic links cannot be created (#3788)
• 2212433 Add IntelliJ custom inspection for test class names
• 5717d02 Update JetBrains icon
• a8ec20b Add icon for JetBrains products
• c05fb3d Bump Maven to 3.9.12 and Wrapper to 3.3.4
• Additional commits viewable in compare view

Updates org.assertj:assertj-core from 3.21.0 to 3.27.7

Release notes

Sourced from org.assertj:assertj-core's releases.

v3.27.7

🔒 Security

Core

• Fix XXE vulnerability in isXmlEqualTo assertion (CVE-2026-24400)
  • See GHSA-rqfh-9r24-8c9r for details; many thanks to @​wxt201 and @​Song-Li for responsibly reporting it!

🚫 Deprecated

Core

• Deprecate XmlStringPrettyFormatter with no replacement

🐛 Bug Fixes

Guava

• Navigation to assertj-core or guava types from assertj-guava Javadoc site has unnecessary header #3478

🔨 Dependency Upgrades

Core

• Upgrade to Byte Buddy 1.18.3
• Upgrade to JUnit BOM 5.14.1

Guava

• Upgrade to Guava 33.5.0-jre

v3.27.6

🐛 Bug Fixes

Core

• Add missing export for org.assertj.core.annotation #3951

❤️ Contributors

Thanks to all the contributors who worked on this release:

@​duponter

v3.27.5

⚡ Improvements

Core

• ByteBuddy in AssertJ 3.27.4 not compatible with Java 25 #3946

... (truncated)

Commits

• e840716 [maven-release-plugin] prepare release assertj-build-3.27.7
• 85ca7eb Deprecate XmlStringPrettyFormatter
• 77081dc Merge commit from fork
• b68fc24 Bump github/codeql-action from 4.31.9 to 4.31.10 in the github-actions group ...
• 0cf5bb6 Bump kotlin.version from 2.1.0 to 2.2.21
• d393ef1 Abort tests when symbolic links cannot be created (#3788)
• 2212433 Add IntelliJ custom inspection for test class names
• 5717d02 Update JetBrains icon
• a8ec20b Add icon for JetBrains products
• c05fb3d Bump Maven to 3.9.12 and Wrapper to 3.3.4
• Additional commits viewable in compare view

Updates org.apache.kafka:kafka-clients from 3.4.0 to 3.9.2

Updates org.assertj:assertj-core from 3.21.0 to 3.27.7

Release notes

Sourced from org.assertj:assertj-core's releases.

v3.27.7

🔒 Security

Core

• Fix XXE vulnerability in isXmlEqualTo assertion (CVE-2026-24400)
  • See GHSA-rqfh-9r24-8c9r for details; many thanks to @​wxt201 and @​Song-Li for responsibly reporting it!

🚫 Deprecated

Core

• Deprecate XmlStringPrettyFormatter with no replacement

🐛 Bug Fixes

Guava

• Navigation to assertj-core or guava types from assertj-guava Javadoc site has unnecessary header #3478

🔨 Dependency Upgrades

Core

• Upgrade to Byte Buddy 1.18.3
• Upgrade to JUnit BOM 5.14.1

Guava

• Upgrade to Guava 33.5.0-jre

v3.27.6

🐛 Bug Fixes

Core

• Add missing export for org.assertj.core.annotation #3951

❤️ Contributors

Thanks to all the contributors who worked on this release:

@​duponter

v3.27.5

⚡ Improvements

Core

• ByteBuddy in AssertJ 3.27.4 not compatible with Java 25 #3946

... (truncated)

Commits

• e840716 [maven-release-plugin] prepare release assertj-build-3.27.7
• 85ca7eb Deprecate XmlStringPrettyFormatter
• 77081dc Merge commit from fork
• b68fc24 Bump github/codeql-action from 4.31.9 to 4.31.10 in the github-actions group ...
• 0cf5bb6 Bump kotlin.version from 2.1.0 to 2.2.21
• d393ef1 Abort tests when symbolic links cannot be created (#3788)
• 2212433 Add IntelliJ custom inspection for test class names
• 5717d02 Update JetBrains icon
• a8ec20b Add icon for JetBrains products
• c05fb3d Bump Maven to 3.9.12 and Wrapper to 3.3.4
• Additional commits viewable in compare view

Updates org.apache.kafka:kafka-clients from 2.8.0 to 3.9.2

Updates org.assertj:assertj-core from 3.21.0 to 3.27.7

Release notes

Sourced from org.assertj:assertj-core's releases.

v3.27.7

🔒 Security

Core

• Fix XXE vulnerability in isXmlEqualTo assertion (CVE-2026-24400)
  • See GHSA-rqfh-9r24-8c9r for details; many thanks to @​wxt201 and @​Song-Li for responsibly reporting it!

🚫 Deprecated

Core

• Deprecate XmlStringPrettyFormatter with no replacement

🐛 Bug Fixes

Guava

• Navigation to assertj-core or guava types from assertj-guava Javadoc site has unnecessary header #3478

🔨 Dependency Upgrades

Core

• Upgrade to Byte Buddy 1.18.3
• Upgrade to JUnit BOM 5.14.1

Guava

• Upgrade to Guava 33.5.0-jre

v3.27.6

🐛 Bug Fixes

Core

• Add missing export for org.assertj.core.annotation #3951

❤️ Contributors

Thanks to all the contributors who worked on this release:

@​duponter

v3.27.5

⚡ Improvements

Core

• ByteBuddy in AssertJ 3.27.4 not compatible with Java 25 #3946

... (truncated)

Commits

• e840716 [maven-release-plugin] prepare release assertj-build-3.27.7
• 85ca7eb Deprecate XmlStringPrettyFormatter
• 77081dc Merge commit from fork
• b68fc24 Bump github/codeql-action from 4.31.9 to 4.31.10 in the github-actions group ...
• 0cf5bb6 Bump kotlin.version from 2.1.0 to 2.2.21
• d393ef1 Abort tests when symbolic links cannot be created (#3788)
• 2212433 Add IntelliJ custom inspection for test class names
• 5717d02 Update JetBrains icon
• a8ec20b Add icon for JetBrains products
• c05fb3d Bump Maven to 3.9.12 and Wrapper to 3.3.4
• Additional commits viewable in compare view

Updates org.apache.avro:avro-compiler from 1.8.2 to 1.11.5

Updates org.apache.opennlp:opennlp-tools from 1.8.4 to 2.5.9

Release notes

Sourced from org.apache.opennlp:opennlp-tools's releases.

OpenNLP 2.5.9

Apache OpenNLP 2.5.9

This is a maintenance and security release on the 2.x line. It backports the security fixes shipped in 3.0.0-M3 and refreshes several dependencies.

Security Fixes

Three security issues are addressed in this release (also fixed in 3.0.0-M3 on the 3.x line).

XXE in DictionaryEntryPersistor (OPENNLP-1819)

The DictionaryEntryPersistor previously used a SAXParserFactory that did not enable secure processing or disable DTD handling, leaving external entity resolution active. A malicious dictionary file could exploit this for local file disclosure or SSRF before any dictionary entry was processed.

The parsing path is now aligned with the project's existing XmlUtil helper, which properly sets FEATURE_SECURE_PROCESSING and disallow-doctype-decl.

Arbitrary Class Instantiation in ExtensionLoader (OPENNLP-1820)

ExtensionLoader.instantiateExtension() performed its isAssignableFrom type check after Class.forName() had already executed the target class's static initializer, allowing a crafted model archive to trigger the static initializer of any class on the classpath.

The fix introduces a package-prefix allowlist consulted before Class.forName() is invoked:

• Classes under opennlp.* remain permitted by default.
• Other packages must be opted in via ExtensionLoader.registerAllowedPackage(String) or the OPENNLP_EXT_ALLOWED_PACKAGES system property (comma-separated list).

OOM via Unbounded Array Allocation in AbstractModelReader (OPENNLP-1821)

getOutcomes(), getOutcomePatterns(), and getPredicates() read attacker-controlled 32-bit count fields from binary model streams and passed them directly to array allocations. A crafted .bin file could trigger an immediate OutOfMemoryError and crash the JVM.

Each count is now bounded (default 10,000,000, configurable via -DOPENNLP_MAX_ENTRIES=<n>), with negative or oversized values failing fast via IllegalArgumentException.

⚠️ For all three issues, users who cannot upgrade immediately should restrict input (dictionary and model files) to trusted sources only.

What's Changed

• Apache OpenNLP 2.5.8 by @​mawiesne in apache/opennlp#1004
• [2.x]: OPENNLP-1817: Update log4j2 to 2.25.4 by @​dependabot[bot] in apache/opennlp#999
• [2.x] Regenerated NOTICE file after dependency changes by @​github-actions[bot] in apache/opennlp#1008
• [2.x]: Bump actions/cache from 5.0.4 to 5.0.5 by @​dependabot[bot] in apache/opennlp#1018
• [2.x]: Bump com.ruleoftech:markdown-page-generator-plugin from 2.4.2 to 2.4.3 by @​dependabot[bot] in apache/opennlp#1015
• [2.x]: Bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 by @​dependabot[bot] in apache/opennlp#1013
• [2.x] OPENNLP-1819: Align DictionaryEntryPersistor XML parsing with XmlUtil by @​rzo1 in apache/opennlp#1020
• [2.x]: OPENNLP-1822: Update ONNX runtime to 1.25.0 by @​dependabot[bot] in apache/opennlp#1023
• [2.x] Regenerated NOTICE file after dependency changes by @​github-actions[bot] in apache/opennlp#1026

Full Changelog: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311215&version=12356814

OpenNLP 2.5.8

Summary

Maintenance Infos:

• Bug Fixes:
  • The SentenceDetector got three fixes in handling edge cases with abbreviation dictionaries (OPENNLP-1809, OPENNLP-1810, OPENNLP-1811)
• Improvements:
  • The OpenNLP developer manual (HTML + PDF) got an uplift for the UIMA documentation part, being largely extended (OPENNLP-49)
  • Some updates of dependencies

... (truncated)

Commits

• 420b7a4 [maven-release-plugin] prepare release opennlp-2.5.9
• 44a02a7 OPENNLP-1820: Restrict ExtensionLoader to allowlisted package prefixes (#1021)
• 49ba4ef OPENNLP-1821: Prevent OutOfMemory Due To Huge Array Allocation (#1022)
• 94f89b5 Minor: Regenerated NOTICE File for 3eb21bcf093324c4a43b780383a4e5f37aaaf606 (...
• 3eb21bc [2.x]: OPENNLP-1822: Update ONNX runtime to 1.25.0 (#1023)
• d9aaa47 OPENNLP-1819: Align DictionaryEntryPersistor XML parsing with XmlUtil helper ...
• cd6c49d [2.x]: Bump peter-evans/create-pull-request from 8.1.0 to 8.1.1
• d28365f [2.x]: Bump com.ruleoftech:markdown-page-generator-plugin
• ad5d200 [2.x]: Bump actions/cache from 5.0.4 to 5.0.5
• a219be1 OPENNLP-53: Fix compile error in ParseTest on 2.x The ch...
• Additional commits viewable in compare view

Updates com.fasterxml.jackson.core:jackson-core from 2.15.2 to 2.18.6

Commits

• 9a46ef8 [maven-release-plugin] prepare release jackson-core-2.18.6
• 5f192db Prep for 2.18.6 release
• b0c428e Enforce StreamReadConstraints.maxNumberLength for non-blocking (async) pars...
• 7c8b6d5 Add test for nesting for DataInput-backed JsonParser (#1550)
• 97a647b Update CI: JDK 23 -> 25
• 1601331 (backport from 2.21) Fix #1548: validate max doc length for fixed buffer inpu...
• fae2542 release notes update
• 70c99ba Update UTF8DataInputJsonParser.java (#1512)
• caea665 Post-release dep version bump
• 635d3bd [maven-release-plugin] prepare for next development iteration
• Additional commits viewable in compare view

Updates org.assertj:assertj-core from 3.21.0 to 3.27.7

Release notes

Sourced from org.assertj:assertj-core's releases.

v3.27.7

🔒 Security

Core

• Fix XXE vulnerability in isXmlEqualTo assertion (CVE-2026-24400)
  • See GHSA-rqfh-9r24-8c9r for details; many thanks to @​wxt201 and @​Song-Li for responsibly reporting it!

🚫 Deprecated

Core

• Deprecate XmlStringPrettyFormatter with no replacement

🐛 Bug Fixes

Guava

• Navigation to assertj-core or guava types from assertj-guava Javadoc site has unnecessary header #3478

🔨 Dependency Upgrades

Core

• Upgrade to Byte Buddy 1.18.3
• Upgrade to JUnit BOM 5.14.1

Guava

• Upgrade to Guava 33.5.0-jre

v3.27.6

🐛 Bug Fixes

Core

• Add missing export for org.assertj.core.annotation #3951

❤️ Contributors

Thanks to all the contributors who worked on this release:

@​duponter

v3.27.5

⚡ Improvements

Core

• ByteBuddy in AssertJ 3.27.4 not compatible with Java 25 #3946

... (truncated)

Commits

• e840716 [maven-release-plugin] prepare release assertj-build-3.27.7
• 85ca7eb Deprecate XmlStringPrettyFormatter
• 77081dc Merge commit from fork
• b68fc24 Bump github/codeql-action from 4.31.9 to 4.31.10 in the github-actions group ...
• 0cf5bb6 Bump kotlin.version from 2.1.0 to 2.2.21
• d393ef1 Abort tests when symbolic links cannot be created (#3788)
• 2212433 Add IntelliJ custom inspection for test class names
• 5717d02 Update JetBrains icon
• a8ec20b Add icon for JetBrains products
• c05fb3d Bump Maven to 3.9.12 and Wrapper to 3.3.4
• Additional commits viewable in compare view

Updates org.apache.spark:spark-core_2.12 from 3.3.2 to 3.5.7

Updates org.postgresql:postgresql from 42.5.4 to 42.7.11

Release notes

Sourced from org.postgresql:postgresql's releases.

v42.7.11

Security

• fix: Limit SCRAM PBKDF2 iterations accepted from the server. pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins. See the Security Advisory for more detail. The following CVE-2026-42198 has been issued.

Changes

• fix: Add sources and javadocs to shaded published lib generation @​sehrope (#4043)
• update Changelog and website for release of 42.7.11 @​davecramer (#4042)
• Fix scram fix location in changelog and update published artifact developer list @​sehrope (#4041)
• Restrict test with scram_iterations to v16+ and release notes @​sehrope (#4040)
• chore(deps): update ubuntu:24.04 docker digest to 84e77de @​renovate-bot (#4017)
• test: add tests for QueryExecutor#getTransactionState @​vlsi (#4006)
• chore(deps): update actions/create-github-app-token action to v2.2.2 @​renovate-bot (#3983)
• fix: fix flaky CopyBothResponseTest by using WAL flush LSN @​vlsi (#3979)
• fix: fix flaky replication restart tests by waiting for confirmed_flush_lsn @​vlsi (#3975)
• test: fix flaky LogicalReplicationStatusTest by polling pg_stat_replication @​vlsi (#3974)
• chore: replace Appveyor with ikalnytskyi/action-setup-postgres @​vlsi (#3966)
• test: move test table creation from @​BeforeEach to @​BeforeAll @​vlsi (#3967)
• Return jsonb as PGObject fixes Issue #3926 @​davecramer (#3956)
• Update docker scripts @​davecramer (#3958)
• implement require_auth, this is pretty much how libpq does this. @​davecramer (#3895)
• docs: add SCRAM authentication test setup section to TESTING.md @​emmaeng700 (#3945)
• Add RequireServerVersion annotation for tests @​sehrope (#3939)

🐛 Bug Fixes

• fix: ensure extended protocol messages end with Sync message @​vlsi (#3728)
• fix: enable cursor-based fetching in extended protocol when transaction started via SQL command @​vlsi (#3996)
• fix: retry with SSL on IOException when sslMode=ALLOW @​vlsi (#3973)
• fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in @​vlsi (#3968)
• fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers @​vlsi (#3962)
• fix: use compareTo for LogSequenceNumber comparison @​vlsi (#3961)
• fix: release COPY lock on IOException to prevent connection hang (#3957) @​vlsi (#3960)

🧰 Maintenance

• style: replace @​exception with @​throws in getBoolean javadoc @​vlsi (#4035)
• chore: use @​vlsi/github-actions-random-matrix npm package @​vlsi (#4008)
• chore: use tag names for pinning github actions, pin ikalnytskyi/action-setup-postgres @​vlsi (#4007)
• chore: bump errorprone to 2.48.0 @​vlsi (#4005)
• test: add @​DisableLogger annotation to suppress expected log warnings in tests @​vlsi (#3971)
• chore: suppress deprecations in test code to reduce build verbosity @​vlsi (#3972)
• chore: replace log warning in ConnectionFactory.closeStream with Throwable.addSuppressed @​vlsi (#3970)
• chore: use greedy pairwise coverage for CI matrix generation @​vlsi (#3965)
• chore: use full version tags in GitHub Actions comments @​vlsi (#3963)

⬆️ Dependencies

... (truncated)

Changelog

Sourced from org.postgresql:postgresql's changelog.

[42.7.11] (2026-04-28)

Security

• fix: Limit SCRAM PBKDF2 iterations accepted from the server. pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins. See the Security Advisory for more detail. The following CVE-2026-42198 has been issued.

Added

• feat: implement require_auth connection property, aligning with libpq behavior [PR #3895](pgjdbc/pgjdbc#3895)

Changed

• chore: replace Appveyor CI with ikalnytskyi/action-setup-postgres [PR #3966](pgjdbc/pgjdbc#3966)
• chore: upgrade Gradle to v9 [PR #3978](pgjdbc/pgjdbc#3978)

Fixed

• fix: ensure extended protocol messages end with Sync message [PR #3728](pgjdbc/pgjdbc#3728)
• fix: enable cursor-based fetching in extended protocol when transaction started via SQL command [PR #3996](pgjdbc/pgjdbc#3996)
• fix: retry with SSL on IOException when sslMode=ALLOW [PR #3973](pgjdbc/pgjdbc#3973)
• fix: make sure the driver honours connectTimeout when retrying the connection [PR #3968](pgjdbc/pgjdbc#3968)
• fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in [PR #3968](pgjdbc/pgjdbc#3968)
• fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers [PR #3962](pgjdbc/pgjdbc#3962)
• fix: use compareTo for LogSequenceNumber comparison to handle unsigned values correctly [PR #3961](pgjdbc/pgjdbc#3961)
• fix: release COPY lock on IOException to prevent connection hang [PR #3957](pgjdbc/pgjdbc#3957)
• fix: return jsonb as PGObject instead of String [PR #3956](pgjdbc/pgjdbc#3956)
• fix: align SSL key file permission check with libpq [PR #3952](pgjdbc/pgjdbc#3952)
• fix: guard connection closed flag with a reentrant lock to protect against concurrent close [PR #3905](pgjdbc/pgjdbc#3905)

[42.7.10] (2026-02-11)

Changed

• chore: Migrate to Shadow 9 PR 3931
• style: fix empty line before javadoc for checkstyle compliance [PR #3925](pgjdbc/pgjdbc#3925)
• style: fix lambda argument indentation for checkstyle compliance [PR #3922](pgjdbc/pgjdbc#3922)
• test: add autosave=always|never|conservative and cleanupSavepoints=true|false to the randomized CI jobs [PR #3917](pgjdbc/pgjdbc#3917)

Fixed

• fix: non-standard strings failing test for version 19 [PR #3934](pgjdbc/pgjdbc#3934)
• fix: small issues in ConnectionFactoryImpl [PR #3929](pgjdbc/pgjdbc#3929)
• fix: process pending responses before fastpath to avoid protocol errors PR # 3913
• doc: use.md, fix typos [PR #3911](pgjdbc/pgjdbc#3911)
• doc: datasource.md, fix minor formatting issue [PR #3912](pgjdbc/pgjdbc#3912)
• doc: add the new PGP signing key to the official documentation [PR #3912](pgjdbc/pgjdbc#3813)

Reverted

• Revert "fix: make all Calendar instances proleptic Gregorian (#3837) (#3887)" [PR #3932](pgjdbc/pgjdbc#3932)

[42.7.9] (2026-01-14)

Added

... (truncated)

Commits

• 78e261f fix: Add sources and javadocs to shaded published lib generation
• 1e09fa0 update Changelog and website for release of 42.7.11 (#4042)
• d479fa5 Fix scram fix location in changelog and update published artifact developer l...
• b04fc46 docs: Add scram max iters fix to changelog
• cf54822 test: Disable scram test on older version without scram_iterations GUC
• 7dbcc79 test: Add SCRAM max iteration tests
• c9d41d1 fix: Limit SCRAM PBKDF2 iterations accepted from the server
• a340cb2 style: replace @​exception with @​throws in getBoolean javadoc
• 77837f8 fix(deps): update dependency org.openrewrite.rewrite:org.openrewrite.rewrite....
• 23af03b chore(deps): update actions/checkout action to v6
• Additional commits viewable in compare view

Updates org.assertj:assertj-core from 3.21.0 to 3.27.7

Release notes

Sourced from org.assertj:assertj-core's releases.

v3.27.7

🔒 Security

Core

• Fix XXE vulnerability in isXmlEqualTo assertion (CVE-2026-24400)
  • See GHSA-rqfh-9r24-8c9r for details; many thanks to @​wxt201 and @​Song-Li for responsibly reporting it!

🚫 Deprecated

Core

• Deprecate XmlStringPrettyFormatter with no replacement

🐛 Bug Fixes

Guava

• Navigation to assertj-core or guava types from assertj-guava Javadoc site has unnecessary header #3478

🔨 Dependency Upgrades

Core

• Upgrade to Byte Buddy 1.18.3
• Upgrade to JUnit BOM 5.14.1

Guava

• Upgrade to Guava 33.5.0-jre

v3.27.6

🐛 Bug Fixes

Core

• Add missing export for org.assertj.core.annotation #3951

❤️ Contributors

Thanks to all the contributors who worked on this release:

@​duponter

v3.27.5

⚡ Improvements

Core

• ByteBuddy in AssertJ 3.27.4 not compatible with Java 25 #3946

... (truncated)

Commits

• e840716 [maven-release-plugin] prepare release assertj-build-3.27.7
• 85ca7eb Deprecate XmlStringPrettyFormatter
• 77081dc Merge commit from fork
• b68fc24 Bump github/codeql-action from 4.31.9 to 4.31.10 in the github-actions group ...
• 0cf5bb6 Bump kotlin.version from 2.1.0 to 2.2.21
• d393ef1 Abort tests when symbolic links cannot be created (#3788)
• 2212433 Add IntelliJ custom inspection for test class names
• 5717d02 Update JetBrains icon
• a8ec20b Add icon for JetBrains products
• c05fb3d Bump Maven to 3.9.12 and Wrapper to 3.3.4
• Additional commits viewable in compare view

Updates org.postgresql:postgresql from 42.2.16 to 42.7.11

Release notes

Sourced from org.postgresql:postgresql's releases.

v42.7.11

Security

• fix: Limit SCRAM PBKDF2 iterations accepted from the server. pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins. See the Security Advisory for more detail. The following CVE-2026-42198 has been issued.

Changes

• fix: Add sources and javadocs to shaded published lib generation @​sehrope (#4043)
• update Changelog and website for release of 42.7.11 @​davecramer (#4042)
• Fix scram fix location in changelog and update published artifact developer list @​sehrope (#4041)
• Restrict test with scram_iterations to v16+ and release notes @​sehrope (#4040)
• chore(deps): update ubuntu:24.04 docker digest to 84e77de @​renovate-bot (#4017)
• test: add tests for QueryExecutor#getTransactionState @​vlsi (#4006)
• chore(deps): update actions/create-github-app-token action to v2.2.2 @​renovate-bot (#3983)
• fix: fix flaky CopyBothResponseTest by using WAL flush LSN @​vlsi (#3979)
• fix: fix flaky replication restart tests by waiting for confirmed_flush_lsn @​vlsi (#3975)
• test: fix flaky LogicalReplicationStatusTest by polling pg_stat_replication @​vlsi (#3974)
• chore: replace Appveyor with ikalnytskyi/action-setup-postgres @​vlsi (#3966)
• test: move test table creation from @​BeforeEach to @​BeforeAll @​vlsi (#3967)
• Return jsonb as PGObject fixes Issue