Bump the maven group across 42 directories with 28 updates

[dependabot]

Bumps the maven group with 1 update in the /apache-kafka directory: org.apache.kafka:kafka-clients.
Bumps the maven group with 1 update in the /apache-kafka-2 directory: org.apache.kafka:kafka-clients.
Bumps the maven group with 2 updates in the /apache-libraries directory: org.apache.opennlp:opennlp-tools and com.fasterxml.jackson.core:jackson-core.
Bumps the maven group with 2 updates in the /apache-spark directory: org.apache.spark:spark-core_2.12 and org.postgresql:postgresql.
Bumps the maven group with 1 update in the /apache-thrift directory: org.apache.thrift:libthrift.
Bumps the maven group with 1 update in the /atomikos directory: org.hibernate:hibernate-core.
Bumps the maven group with 2 updates in the /aws-modules/aws-lambda-modules/shipping-tracker-lambda/ShippingFunction directory: org.postgresql:postgresql and org.hibernate:hibernate-core.
Bumps the maven group with 1 update in the /core-java-modules/core-java-networking-2 directory: org.asynchttpclient:async-http-client.
Bumps the maven group with 1 update in the /core-java-modules/core-java-optional directory: org.hibernate:hibernate-core.
Bumps the maven group with 1 update in the /custom-pmd directory: net.sourceforge.pmd:pmd-core.
Bumps the maven group with 1 update in the /jackson-modules/jackson-polymorphic-deserialization directory: com.fasterxml.jackson.core:jackson-core.
Bumps the maven group with 1 update in the /libraries-2 directory: net.sf.jasperreports:jasperreports.
Bumps the maven group with 1 update in the /libraries-4 directory: com.fasterxml.jackson.core:jackson-core.
Bumps the maven group with 1 update in the /libraries-ai directory: org.apache.opennlp:opennlp-tools.
Bumps the maven group with 1 update in the /libraries-data directory: org.apache.kafka:kafka-clients.
Bumps the maven group with 2 updates in the /libraries-data-io directory: com.fasterxml.jackson.core:jackson-core and org.apache.thrift:libthrift.
Bumps the maven group with 2 updates in the /libraries-http directory: com.fasterxml.jackson.core:jackson-core and org.asynchttpclient:async-http-client.
Bumps the maven group with 1 update in the /libraries-http-2 directory: org.springframework:spring-webflux.
Bumps the maven group with 2 updates in the /libraries-security directory: org.bouncycastle:bcprov-jdk15on and org.bouncycastle:bcpkix-jdk15on.
Bumps the maven group with 1 update in the /libraries-server directory: org.apache.tomcat:tomcat-catalina.
Bumps the maven group with 2 updates in the /logging-modules/log-mdc directory: org.springframework:spring-webmvc and org.apache.logging.log4j:log4j-core.
Bumps the maven group with 1 update in the /logging-modules/log4j directory: org.apache.logging.log4j:log4j-core.
Bumps the maven group with 1 update in the /logging-modules/log4j2 directory: org.apache.logging.log4j:log4j-core.
Bumps the maven group with 1 update in the /messaging-modules/spring-jms directory: org.apache.activemq:activemq-all.
Bumps the maven group with 1 update in the /patterns-modules/design-patterns-architectural directory: org.hibernate:hibernate-core.
Bumps the maven group with 1 update in the /pdf directory: org.thymeleaf:thymeleaf.
Bumps the maven group with 3 updates in the /persistence-modules/hibernate-annotations directory: org.hibernate:hibernate-core, org.hibernate:hibernate-testing and org.hibernate:hibernate-spatial.
Bumps the maven group with 2 updates in the /persistence-modules/hibernate-libraries directory: org.hibernate:hibernate-core and org.springframework.boot:spring-boot-devtools.
Bumps the maven group with 1 update in the /persistence-modules/java-jpa-3 directory: org.hibernate:hibernate-core.
Bumps the maven group with 1 update in the /persistence-modules/read-only-transactions directory: org.hibernate:hibernate-core.
Bumps the maven group with 1 update in the /persistence-modules/spring-hibernate-5 directory: org.hibernate:hibernate-core.
Bumps the maven group with 1 update in the /spring-boot-modules/spring-boot-custom-starter/greeter-spring-boot-autoconfigure directory: org.springframework.boot:spring-boot.
Bumps the maven group with 1 update in the /spring-ejb-modules/ejb-beans directory: org.apache.activemq:activemq-broker.
Bumps the maven group with 4 updates in the /spring-security-modules/spring-security-web-sockets directory: com.fasterxml.jackson.core:jackson-core, org.hibernate:hibernate-core, org.springframework:spring-webmvc and org.springframework.security:spring-security-web.
Bumps the maven group with 2 updates in the /spring-web-modules/spring-mvc-basics-2 directory: org.springframework:spring-webmvc and org.thymeleaf:thymeleaf.
Bumps the maven group with 2 updates in the /spring-web-modules/spring-mvc-crash directory: org.springframework:spring-web and org.springframework:spring-webmvc.
Bumps the maven group with 4 updates in the /spring-web-modules/spring-mvc-views directory: org.hibernate:hibernate-core, org.springframework:spring-webmvc, org.springframework:spring-context and org.springframework.security:spring-security-web.
Bumps the maven group with 2 updates in the /spring-web-modules/spring-mvc-webflow directory: org.springframework:spring-web and org.springframework:spring-webmvc.
Bumps the maven group with 2 updates in the /spring-web-modules/spring-mvc-xml directory: org.springframework:spring-web and org.springframework:spring-webmvc.
Bumps the maven group with 2 updates in the /spring-web-modules/spring-mvc-xml-2 directory: org.springframework:spring-web and org.springframework:spring-webmvc.
Bumps the maven group with 1 update in the /testing-modules/spring-testing directory: org.springframework:spring-webmvc.
Bumps the maven group with 1 update in the /vertx-modules/vertx directory: io.vertx:vertx-core.

Updates org.apache.kafka:kafka-clients from 3.4.0 to 3.9.2

Updates org.apache.kafka:kafka-clients from 2.8.0 to 3.9.2

Updates org.apache.opennlp:opennlp-tools from 1.8.4 to 2.5.9

Release notes

Sourced from org.apache.opennlp:opennlp-tools's releases.

OpenNLP 2.5.9

Apache OpenNLP 2.5.9

This is a maintenance and security release on the 2.x line. It backports the security fixes shipped in 3.0.0-M3 and refreshes several dependencies.

Security Fixes

Three security issues are addressed in this release (also fixed in 3.0.0-M3 on the 3.x line).

XXE in DictionaryEntryPersistor (OPENNLP-1819)

The DictionaryEntryPersistor previously used a SAXParserFactory that did not enable secure processing or disable DTD handling, leaving external entity resolution active. A malicious dictionary file could exploit this for local file disclosure or SSRF before any dictionary entry was processed.

The parsing path is now aligned with the project's existing XmlUtil helper, which properly sets FEATURE_SECURE_PROCESSING and disallow-doctype-decl.

Arbitrary Class Instantiation in ExtensionLoader (OPENNLP-1820)

ExtensionLoader.instantiateExtension() performed its isAssignableFrom type check after Class.forName() had already executed the target class's static initializer, allowing a crafted model archive to trigger the static initializer of any class on the classpath.

The fix introduces a package-prefix allowlist consulted before Class.forName() is invoked:

• Classes under opennlp.* remain permitted by default.
• Other packages must be opted in via ExtensionLoader.registerAllowedPackage(String) or the OPENNLP_EXT_ALLOWED_PACKAGES system property (comma-separated list).

OOM via Unbounded Array Allocation in AbstractModelReader (OPENNLP-1821)

getOutcomes(), getOutcomePatterns(), and getPredicates() read attacker-controlled 32-bit count fields from binary model streams and passed them directly to array allocations. A crafted .bin file could trigger an immediate OutOfMemoryError and crash the JVM.

Each count is now bounded (default 10,000,000, configurable via -DOPENNLP_MAX_ENTRIES=<n>), with negative or oversized values failing fast via IllegalArgumentException.

⚠️ For all three issues, users who cannot upgrade immediately should restrict input (dictionary and model files) to trusted sources only.

What's Changed

• Apache OpenNLP 2.5.8 by @​mawiesne in apache/opennlp#1004
• [2.x]: OPENNLP-1817: Update log4j2 to 2.25.4 by @​dependabot[bot] in apache/opennlp#999
• [2.x] Regenerated NOTICE file after dependency changes by @​github-actions[bot] in apache/opennlp#1008
• [2.x]: Bump actions/cache from 5.0.4 to 5.0.5 by @​dependabot[bot] in apache/opennlp#1018
• [2.x]: Bump com.ruleoftech:markdown-page-generator-plugin from 2.4.2 to 2.4.3 by @​dependabot[bot] in apache/opennlp#1015
• [2.x]: Bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 by @​dependabot[bot] in apache/opennlp#1013
• [2.x] OPENNLP-1819: Align DictionaryEntryPersistor XML parsing with XmlUtil by @​rzo1 in apache/opennlp#1020
• [2.x]: OPENNLP-1822: Update ONNX runtime to 1.25.0 by @​dependabot[bot] in apache/opennlp#1023
• [2.x] Regenerated NOTICE file after dependency changes by @​github-actions[bot] in apache/opennlp#1026

Full Changelog: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311215&version=12356814

OpenNLP 2.5.8

Summary

Maintenance Infos:

• Bug Fixes:
  • The SentenceDetector got three fixes in handling edge cases with abbreviation dictionaries (OPENNLP-1809, OPENNLP-1810, OPENNLP-1811)
• Improvements:
  • The OpenNLP developer manual (HTML + PDF) got an uplift for the UIMA documentation part, being largely extended (OPENNLP-49)
  • Some updates of dependencies

... (truncated)

Commits

• 420b7a4 [maven-release-plugin] prepare release opennlp-2.5.9
• 44a02a7 OPENNLP-1820: Restrict ExtensionLoader to allowlisted package prefixes (#1021)
• 49ba4ef OPENNLP-1821: Prevent OutOfMemory Due To Huge Array Allocation (#1022)
• 94f89b5 Minor: Regenerated NOTICE File for 3eb21bcf093324c4a43b780383a4e5f37aaaf606 (...
• 3eb21bc [2.x]: OPENNLP-1822: Update ONNX runtime to 1.25.0 (#1023)
• d9aaa47 OPENNLP-1819: Align DictionaryEntryPersistor XML parsing with XmlUtil helper ...
• cd6c49d [2.x]: Bump peter-evans/create-pull-request from 8.1.0 to 8.1.1
• d28365f [2.x]: Bump com.ruleoftech:markdown-page-generator-plugin
• ad5d200 [2.x]: Bump actions/cache from 5.0.4 to 5.0.5
• a219be1 OPENNLP-53: Fix compile error in ParseTest on 2.x The ch...
• Additional commits viewable in compare view

Updates com.fasterxml.jackson.core:jackson-core from 2.15.2 to 2.18.6

Commits

• 9a46ef8 [maven-release-plugin] prepare release jackson-core-2.18.6
• 5f192db Prep for 2.18.6 release
• b0c428e Enforce StreamReadConstraints.maxNumberLength for non-blocking (async) pars...
• 7c8b6d5 Add test for nesting for DataInput-backed JsonParser (#1550)
• 97a647b Update CI: JDK 23 -> 25
• 1601331 (backport from 2.21) Fix #1548: validate max doc length for fixed buffer inpu...
• fae2542 release notes update
• 70c99ba Update UTF8DataInputJsonParser.java (#1512)
• caea665 Post-release dep version bump
• 635d3bd [maven-release-plugin] prepare for next development iteration
• Additional commits viewable in compare view

Updates org.apache.spark:spark-core_2.12 from 3.3.2 to 3.5.7

Updates org.postgresql:postgresql from 42.5.4 to 42.7.11

Release notes

Sourced from org.postgresql:postgresql's releases.

v42.7.11

Security

• fix: Limit SCRAM PBKDF2 iterations accepted from the server. pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins. See the Security Advisory for more detail. The following CVE-2026-42198 has been issued.

Changes

• fix: Add sources and javadocs to shaded published lib generation @​sehrope (#4043)
• update Changelog and website for release of 42.7.11 @​davecramer (#4042)
• Fix scram fix location in changelog and update published artifact developer list @​sehrope (#4041)
• Restrict test with scram_iterations to v16+ and release notes @​sehrope (#4040)
• chore(deps): update ubuntu:24.04 docker digest to 84e77de @​renovate-bot (#4017)
• test: add tests for QueryExecutor#getTransactionState @​vlsi (#4006)
• chore(deps): update actions/create-github-app-token action to v2.2.2 @​renovate-bot (#3983)
• fix: fix flaky CopyBothResponseTest by using WAL flush LSN @​vlsi (#3979)
• fix: fix flaky replication restart tests by waiting for confirmed_flush_lsn @​vlsi (#3975)
• test: fix flaky LogicalReplicationStatusTest by polling pg_stat_replication @​vlsi (#3974)
• chore: replace Appveyor with ikalnytskyi/action-setup-postgres @​vlsi (#3966)
• test: move test table creation from @​BeforeEach to @​BeforeAll @​vlsi (#3967)
• Return jsonb as PGObject fixes Issue #3926 @​davecramer (#3956)
• Update docker scripts @​davecramer (#3958)
• implement require_auth, this is pretty much how libpq does this. @​davecramer (#3895)
• docs: add SCRAM authentication test setup section to TESTING.md @​emmaeng700 (#3945)
• Add RequireServerVersion annotation for tests @​sehrope (#3939)

🐛 Bug Fixes

• fix: ensure extended protocol messages end with Sync message @​vlsi (#3728)
• fix: enable cursor-based fetching in extended protocol when transaction started via SQL command @​vlsi (#3996)
• fix: retry with SSL on IOException when sslMode=ALLOW @​vlsi (#3973)
• fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in @​vlsi (#3968)
• fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers @​vlsi (#3962)
• fix: use compareTo for LogSequenceNumber comparison @​vlsi (#3961)
• fix: release COPY lock on IOException to prevent connection hang (#3957) @​vlsi (#3960)

🧰 Maintenance

• style: replace @​exception with @​throws in getBoolean javadoc @​vlsi (#4035)
• chore: use @​vlsi/github-actions-random-matrix npm package @​vlsi (#4008)
• chore: use tag names for pinning github actions, pin ikalnytskyi/action-setup-postgres @​vlsi (#4007)
• chore: bump errorprone to 2.48.0 @​vlsi (#4005)
• test: add @​DisableLogger annotation to suppress expected log warnings in tests @​vlsi (#3971)
• chore: suppress deprecations in test code to reduce build verbosity @​vlsi (#3972)
• chore: replace log warning in ConnectionFactory.closeStream with Throwable.addSuppressed @​vlsi (#3970)
• chore: use greedy pairwise coverage for CI matrix generation @​vlsi (#3965)
• chore: use full version tags in GitHub Actions comments @​vlsi (#3963)

⬆️ Dependencies

... (truncated)

Changelog

Sourced from org.postgresql:postgresql's changelog.

[42.7.11] (2026-04-28)

Security

• fix: Limit SCRAM PBKDF2 iterations accepted from the server. pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins. See the Security Advisory for more detail. The following CVE-2026-42198 has been issued.

Added

• feat: implement require_auth connection property, aligning with libpq behavior [PR #3895](pgjdbc/pgjdbc#3895)

Changed

• chore: replace Appveyor CI with ikalnytskyi/action-setup-postgres [PR #3966](pgjdbc/pgjdbc#3966)
• chore: upgrade Gradle to v9 [PR #3978](pgjdbc/pgjdbc#3978)

Fixed

• fix: ensure extended protocol messages end with Sync message [PR #3728](pgjdbc/pgjdbc#3728)
• fix: enable cursor-based fetching in extended protocol when transaction started via SQL command [PR #3996](pgjdbc/pgjdbc#3996)
• fix: retry with SSL on IOException when sslMode=ALLOW [PR #3973](pgjdbc/pgjdbc#3973)
• fix: make sure the driver honours connectTimeout when retrying the connection [PR #3968](pgjdbc/pgjdbc#3968)
• fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in [PR #3968](pgjdbc/pgjdbc#3968)
• fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers [PR #3962](pgjdbc/pgjdbc#3962)
• fix: use compareTo for LogSequenceNumber comparison to handle unsigned values correctly [PR #3961](pgjdbc/pgjdbc#3961)
• fix: release COPY lock on IOException to prevent connection hang [PR #3957](pgjdbc/pgjdbc#3957)
• fix: return jsonb as PGObject instead of String [PR #3956](pgjdbc/pgjdbc#3956)
• fix: align SSL key file permission check with libpq [PR #3952](pgjdbc/pgjdbc#3952)
• fix: guard connection closed flag with a reentrant lock to protect against concurrent close [PR #3905](pgjdbc/pgjdbc#3905)

[42.7.10] (2026-02-11)

Changed

• chore: Migrate to Shadow 9 PR 3931
• style: fix empty line before javadoc for checkstyle compliance [PR #3925](pgjdbc/pgjdbc#3925)
• style: fix lambda argument indentation for checkstyle compliance [PR #3922](pgjdbc/pgjdbc#3922)
• test: add autosave=always|never|conservative and cleanupSavepoints=true|false to the randomized CI jobs [PR #3917](pgjdbc/pgjdbc#3917)

Fixed

• fix: non-standard strings failing test for version 19 [PR #3934](pgjdbc/pgjdbc#3934)
• fix: small issues in ConnectionFactoryImpl [PR #3929](pgjdbc/pgjdbc#3929)
• fix: process pending responses before fastpath to avoid protocol errors PR # 3913
• doc: use.md, fix typos [PR #3911](pgjdbc/pgjdbc#3911)
• doc: datasource.md, fix minor formatting issue [PR #3912](pgjdbc/pgjdbc#3912)
• doc: add the new PGP signing key to the official documentation [PR #3912](pgjdbc/pgjdbc#3813)

Reverted

• Revert "fix: make all Calendar instances proleptic Gregorian (#3837) (#3887)" [PR #3932](pgjdbc/pgjdbc#3932)

[42.7.9] (2026-01-14)

Added

... (truncated)

Commits

• 78e261f fix: Add sources and javadocs to shaded published lib generation
• 1e09fa0 update Changelog and website for release of 42.7.11 (#4042)
• d479fa5 Fix scram fix location in changelog and update published artifact developer l...
• b04fc46 docs: Add scram max iters fix to changelog
• cf54822 test: Disable scram test on older version without scram_iterations GUC
• 7dbcc79 test: Add SCRAM max iteration tests
• c9d41d1 fix: Limit SCRAM PBKDF2 iterations accepted from the server
• a340cb2 style: replace @​exception with @​throws in getBoolean javadoc
• 77837f8 fix(deps): update dependency org.openrewrite.rewrite:org.openrewrite.rewrite....
• 23af03b chore(deps): update actions/checkout action to v6
• Additional commits viewable in compare view

Updates org.apache.thrift:libthrift from 0.10.0 to 0.23.0

Release notes

Sourced from org.apache.thrift:libthrift's releases.

Version 0.23.0

Please head over to the official release download source: http://thrift.apache.org/download

The assets listed below are added by Github based on the release tag and they will therefore not match the checkums published on the Thrift project website.

Version 0.22.0

Please head over to the official release download source: http://thrift.apache.org/download

The assets listed below are added by Github based on the release tag and they will therefore not match the checkums published on the Thrift project website.

Version 0.21.0

Please head over to the official release download source: http://thrift.apache.org/download

The assets listed below are added by Github based on the release tag and they will therefore not match the checkums published on the Thrift project website.

Version 0.20.0

Please head over to the official release download source: http://thrift.apache.org/download

The assets listed below are added by Github based on the release tag and they will therefore not match the checkums published on the Thrift project website.

Version 0.19.0

Please head over to the official release download source: http://thrift.apache.org/download

The assets listed below are added by Github based on the release tag and they will therefore not match the checkums published on the Thrift project website.

Version 0.18.1

Please head over to the official release download source: http://thrift.apache.org/download

The assets listed below are added by Github based on the release tag and they will therefore not match the checkums published on the Thrift project website.

Version 0.18.0

Please head over to the official release download source: http://thrift.apache.org/download

The assets listed below are added by Github based on the release tag and they will therefore not match the checkums published on the Thrift project website.

Version 0.17.0

Please head over to the official release download source: http://thrift.apache.org/download

The assets listed below are added by Github based on the release tag and they will therefore not match the checkums published on the Thrift project website.

Version 0.16.0

For release 0.16.0 head over to the official release download source:

... (truncated)

Changelog

Sourced from org.apache.thrift:libthrift's changelog.

0.23.0

Build Process

• THRIFT-5877 - Add cpp cross tests
• THRIFT-5866 - Dockerfile to support Ubuntu 24.04 LTS (Noble Numbat)
• THRIFT-5909 - add Ruby in GitHub workflow
• THRIFT-5649 - add go in GitHub workflow / action

C glib

• THRIFT-5931 - thrift_ssl_socket_get_ssl_error() can underflow its remaining-buffer counter and write past the stack buffer
• THRIFT-5871 - Improve MAX_MESSAGE_SIZE check and friends

C++

• THRIFT-5911 - Inconsistent UUID compilation for aliased types
• THRIFT-5912 - Assertion failed: delta > 0, file ThreadManagerTests.h, line 162
• THRIFT-5880 - C++ TSocket on an IPv6-only system fails if you use a hostname of 127.0.0.1
• THRIFT-3268 - warning: token pasting of ',' and __VA_ARGS__ is a GNU extension
• THRIFT-5887 - build/cmake/ should be prepended (not appended) to CMAKE_MODULE_PATH
• THRIFT-5878 - Add UUID support for THeaderProtocol and TProtocolTap
• THRIFT-5898 - Unable to build Thrift as a shared library on Windows

Contributed

• THRIFT-5920 - Remove threadsafe warnings in thrift-maven-plugin

Delphi

• THRIFT-5939 - Replace GUID generation with stable UUID algorithm
• THRIFT-5876 - Add Delphi WinHTTP client TLS1.3 support

Go

• THRIFT-5896 - Race condition in TServerSocket.Addr() method

Java

• THRIFT-5925 - UUID implementation in JAVA is not according to the Thrift Specification
• THRIFT-5869 - Close the transport after TServerEventHandler deleteContext
• THRIFT-5863 - Make TServerTransport able to customize the max message size
• THRIFT-5774 - Add remote client's IP address to ServerContext in TServerEventHandler
• THRIFT-4280 - Add async nonblocking ssl support in java client
• THRIFT-5879 - java and kotlin cross tests fail in the GitHub action

netstd

• THRIFT-5902 - Add net10 support

... (truncated)

Commits

• e4b684f Updated CHANGES.md
• c4cbe43 Address vulnerabilities in Rack
• 68ac8e9 Enable TLS hostname verification in TNonblockingSSLSocket
• 5e4f01d Harden Node.js WebSocket server handling
• e242889 Add input validation to Swift protocol layer
• 4af8c7c Add recursion depth limit to Node.js protocol skip()
• a30c552 Enable TLS hostname verification in TSSLTransportFactory
• 0f8ec9c Fix parent class resolution in c_glib generated dispatch_call
• 276ec88 THRIFT-5929: Fix build failure on PHP 8.5 due to removed zend_exception_get_d...
• 17f2c13 Added missing 0.23.0 JIRA tickets to CHANGES.md
• Additional commits viewable in compare view

Updates org.hibernate:hibernate-core from 5.4.3.Final to 6.0.0.Final

Changelog

Sourced from org.hibernate:hibernate-core's changelog.

Changes in 6.0.0.Final (March 31, 2022)

https://hibernate.atlassian.net/projects/HHH/versions/32049

** Bug * [HHH-15131] - JPA Compliance issue with Envers * [HHH-15118] - PooledOptimizer generates duplicate ids when several JVMs initialize optimizer and sequence value is the initial value * [HHH-15117] - ConstraintViolationException is thrown using same @​SecondaryTable on two entities * [HHH-15115] - Deleting an entity with Joined inheritance and default schema set is throwing and error * [HHH-15113] - Exception setting ParameterExpressions on Update Queries * [HHH-15111] - MappingException is thrown for @​JoinColumn with referencedColumnName on a @​SecondaryTable * [HHH-15105] - Getting the CacheRegionStatistics before executing a query leads to a NPE later on * [HHH-15098] - suboptimal/incorrect behavior when updating managed oneToMany collection on entity with naturalId * [HHH-15091] - EntityManager.persist does not verify the existence of the one side of a many-to-one relationship, introduced 5.4.17 * [HHH-14487] - PropertyAccessStrategyMapImpl imports wrong class

** Improvement * [HHH-15144] - Add IncubationLogger * [HHH-15143] - Add an "implicit naming strategy" for database structures (sequence and tables) for identifier generators * [HHH-15138] - Remove support for Eviction Listeners in BoundedConcurrentHashMap * [HHH-15078] - Support for Tuple and SelectionQuery * [HHH-15055] - Document SelectionQuery and MutationQuery * [HHH-14672] - Allow specifying CHAR-based storage for UUID mappings * [HHH-14510] - Remove deprecated id-gen related contracts and classes * [HHH-13135] - Add support for KEY/NO KEY locking in PostgreSQL

** New Feature * [HHH-14739] - Implement ILike support in 6

** Task * [HHH-15139] - Improvements for QueryInterpretationCache * [HHH-15133] - Use specified result-type to better infer "shape" of query results with implicit selections * [HHH-15132] - Improvements for NavigablePath * [HHH-15119] - Upgrade to ByteBuddy 1.12.8 * [HHH-15107] - Update build to make tests pass against JDK19 * [HHH-14884] - More improvements to Domain Model chapter of the User Guide * [HHH-14872] - Re-enable hibernate-gradle-plugin

Changes in 6.0.0.CR2 (March 09, 2022)

https://hibernate.atlassian.net/projects/HHH/versions/32033

** Bug * [HHH-15084] - JpaCompliantLifecycleStrategy uses deprecated BeanManager method that's gone in CDI 4.0 * [HHH-15082] - JDBC Statement leaks after exceptions other than SQLException during insert/update/... * [HHH-15073] - Criteria query built from JPA metamodel throws PersistenceException: Specified result type [long] did not match Query selection type [java.lang.Long] * [HHH-15071] - "this.anticipatedType" is null

... (truncated)

Commits

• 2560cc6 Post-steps for release : 6.0.0.Final
• 53889db Pre-steps for release : 6.0.0.Final
• 6180e94 - Drop building of bundles for SourceForge
• fa7cb3f Fix issues with respecting padding and limit for in list rendering
• ad828a0 release announcement, doc artifacts
• 8d20c03 Address test failures in Gradle plugin module
• 3358157 HHH-15078 - Support for Tuple and SelectionQuery
• aa0c57a HHH-15078 - Support for Tuple and SelectionQuery
• 88938ac Address test failures in Gradle plugin module
• 5b0c49e HHH-15133 - Use specified result-type to better infer "shape" of query result...
• Additional commits viewable in compare view

Updates org.postgresql:postgresql from 42.2.16 to 42.7.11

Release notes

Sourced from org.postgresql:postgresql's releases.

v42.7.11

Security

• fix: Limit SCRAM PBKDF2 iterations accepted from the server. pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins. See the Security Advisory for more detail. The following CVE-2026-42198 has been issued.

Changes

• fix: Add sources and javadocs to shaded published lib generation @​sehrope (#4043)
• update Changelog and website for release of 42.7.11 @​davecramer (#4042)
• Fix scram fix location in changelog and update published artifact developer list @​sehrope (#4041)
• Restrict test with scram_iterations to v16+ and release notes @​sehrope (#4040)
• chore(deps): update ubuntu:24.04 docker digest to 84e77de @​renovate-bot (#4017)
• test: add tests for QueryExecutor#getTransactionState @​vlsi (#4006)
• chore(deps): update actions/create-github-app-token action to v2.2.2 @​renovate-bot (#3983)
• fix: fix flaky CopyBothResponseTest by using WAL flush LSN @​vlsi (#3979)
• fix: fix flaky replication restart tests by waiting for confirmed_flush_lsn @​vlsi (#3975)
• test: fix flaky LogicalReplicationStatusTest by polling pg_stat_replication @​vlsi (#3974)
• chore: replace Appveyor with ikalnytskyi/action-setup-postgres @​vlsi (#3966)
• test: move test table creation from @​BeforeEach to @​BeforeAll @​vlsi (#3967)
• Return jsonb as PGObject fixes Issue #3926 @​davecramer (#3956)
• Update docker scripts @​davecramer (#3958)
• implement require_auth, this is pretty much how libpq does this. @​davecramer (#3895)
• docs: add SCRAM authentication test setup section to TESTING.md @​emmaeng700 (#3945)
• Add RequireServerVersion annotation for tests @​sehrope (#3939)

🐛 Bug Fixes

• fix: ensure extended protocol messages end with Sync message @​vlsi (#3728)
• fix: enable cursor-based fetching in extended protocol when transaction started via SQL command @​vlsi (#3996)
• fix: retry with SSL on IOException when sslMode=ALLOW @​vlsi (#3973)
• fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in @​vlsi (#3968)
• fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers @​vlsi (#3962)
• fix: use compareTo for LogSequenceNumber comparison @​vlsi (#3961)
• fix: release COPY lock on IOException to prevent connection hang (#3957) @​vlsi (#3960)

🧰 Maintenance

• style: replace @​exception with @​throws in getBoolean javadoc @​vlsi (#4035)
• chore: use @​vlsi/github-actions-random-matrix npm package @​vlsi (#4008)
• chore: use tag names for pinning github actions, pin ikalnytskyi/action-setup-postgres @​vlsi (#4007)
• chore: bump errorprone to 2.48.0 @​vlsi (#4005)
• test: add @​DisableLogger annotation to suppress expected log warnings in tests @​vlsi (#3971)
• chore: suppress deprecations in test code to reduce build verbosity @​vlsi (#3972)
• chore: replace log warning in ConnectionFactory.closeStream with Throwable.addSuppressed @​vlsi (#3970)
• chore: use greedy pairwise coverage for CI matrix generation @​vlsi (#3965)
• chore: use full version tags in GitHub Actions comments @​vlsi (#3963)

⬆️ Dependencies

... (truncated)

Changelog

Sourced from org.postgresql:postgresql's changelog.

[42.7.11] (2026-04-28)

Security

• fix: Limit SCRAM PBKDF2 iterations accepted from the server. pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins. See the Security Advisory for more detail. The following CVE-2026-42198 has been issued.

Added

• feat: implement require_auth connection property, aligning with libpq behavior [PR #3895](pgjdbc/pgjdbc#3895)

Changed

• chore: replace Appveyor CI with ikalnytskyi/action-setup-postgres [PR #3966](pgjdbc/pgjdbc#3966)
• chore: upgrade Gradle to v9 [PR #3978](pgjdbc/pgjdbc#3978)

Fixed

• fix: ensure extended protocol messages end with Sync message [PR #3728](pgjdbc/pgjdbc#3728)
• fix: enable cursor-based fetching in extended protocol when transaction started via SQL command [PR #3996](pgjdbc/pgjdbc#3996)
• fix: retry with SSL on IOException when sslMode=ALLOW [PR #3973](pgjdbc/pgjdbc#3973)
• fix: make sure the driver honours connectTimeout when retrying the connection [PR #3968](pgjdbc/pgjdbc#3968)
• fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in [PR #3968](pgjdbc/pgjdbc#3968)
• fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers [PR #3962](pgjdbc/pgjdbc#3962)
• fix: use compareTo for LogSequenceNumber comparison to handle unsigned values correctly [PR #3961](pgjdbc/pgjdbc#3961)
• fix: release COPY lock on IOException to prevent connection hang [PR #3957](pgjdbc/pgjdbc#3957)
• fix: return jsonb as PGObject instead of String [PR #3956](pgjdbc/pgjdbc#3956)
• fix: align SSL key file permission check with libpq [PR #3952](pgjdbc/pgjdbc#3952)
• fix: guard connection closed flag with a reentrant lock to protect against concurrent close [PR #3905](pgjdbc/pgjdbc#3905)

[42.7.10] (2026-02-11)

Changed

• chore: Migrate to Shadow 9 PR 3931
• style: fix empty line before javadoc for checkstyle compliance [PR #3925](pgjdbc/pgjdbc#3925)
• style: fix lambda argument indentation for checkstyle compliance [PR #3922](pgjdbc/pgjdbc#3922)
• test: add autosave=always|never|conservative and cleanupSavepoints=true|false to the randomized CI jobs [PR #3917](