Bump the maven group across 36 directories with 24 updates by dependabot[bot] · Pull Request #1365 · Centaurioun/tutorials

dependabot · 2026-05-21T00:37:26Z

Bumps the maven group with 1 update in the /apache-kafka directory: org.apache.kafka:kafka-clients.
Bumps the maven group with 1 update in the /apache-kafka-2 directory: org.apache.kafka:kafka-clients.
Bumps the maven group with 1 update in the /apache-libraries directory: org.apache.opennlp:opennlp-tools.
Bumps the maven group with 2 updates in the /apache-spark directory: org.apache.spark:spark-core_2.12 and org.postgresql:postgresql.
Bumps the maven group with 1 update in the /apache-thrift directory: org.apache.thrift:libthrift.
Bumps the maven group with 1 update in the /atomikos directory: org.hibernate:hibernate-core.
Bumps the maven group with 3 updates in the /aws-modules/aws-lambda-modules/shipping-tracker-lambda/ShippingFunction directory: com.fasterxml.jackson.core:jackson-databind, org.postgresql:postgresql and org.hibernate:hibernate-core.
Bumps the maven group with 1 update in the /core-java-modules/core-java-networking-2 directory: org.asynchttpclient:async-http-client.
Bumps the maven group with 1 update in the /core-java-modules/core-java-optional directory: org.hibernate:hibernate-core.
Bumps the maven group with 1 update in the /custom-pmd directory: net.sourceforge.pmd:pmd-core.
Bumps the maven group with 1 update in the /libraries-2 directory: net.sf.jasperreports:jasperreports.
Bumps the maven group with 1 update in the /libraries-ai directory: org.apache.opennlp:opennlp-tools.
Bumps the maven group with 1 update in the /libraries-data directory: org.apache.kafka:kafka-clients.
Bumps the maven group with 1 update in the /libraries-data-io directory: org.apache.thrift:libthrift.
Bumps the maven group with 1 update in the /libraries-files directory: org.apache.commons:commons-configuration2.
Bumps the maven group with 1 update in the /libraries-http directory: org.asynchttpclient:async-http-client.
Bumps the maven group with 1 update in the /libraries-http-2 directory: org.springframework:spring-webflux.
Bumps the maven group with 2 updates in the /libraries-security directory: org.bouncycastle:bcprov-jdk15on and org.bouncycastle:bcpkix-jdk15on.
Bumps the maven group with 1 update in the /libraries-server directory: org.apache.tomcat:tomcat-catalina.
Bumps the maven group with 2 updates in the /logging-modules/log-mdc directory: org.springframework:spring-webmvc and org.apache.logging.log4j:log4j-core.
Bumps the maven group with 1 update in the /logging-modules/log4j directory: org.apache.logging.log4j:log4j-core.
Bumps the maven group with 1 update in the /logging-modules/log4j2 directory: org.apache.logging.log4j:log4j-core.
Bumps the maven group with 1 update in the /messaging-modules/spring-jms directory: org.apache.activemq:activemq-all.
Bumps the maven group with 1 update in the /patterns-modules/design-patterns-architectural directory: org.hibernate:hibernate-core.
Bumps the maven group with 1 update in the /pdf directory: org.thymeleaf:thymeleaf.
Bumps the maven group with 2 updates in the /persistence-modules/hibernate-libraries directory: org.hibernate:hibernate-core and org.springframework.boot:spring-boot-devtools.
Bumps the maven group with 1 update in the /persistence-modules/java-jpa-3 directory: org.hibernate:hibernate-core.
Bumps the maven group with 1 update in the /persistence-modules/read-only-transactions directory: org.hibernate:hibernate-core.
Bumps the maven group with 1 update in the /persistence-modules/spring-hibernate-5 directory: org.hibernate:hibernate-core.
Bumps the maven group with 1 update in the /spring-boot-modules/spring-boot-custom-starter/greeter-spring-boot-autoconfigure directory: org.springframework.boot:spring-boot.
Bumps the maven group with 1 update in the /spring-ejb-modules/ejb-beans directory: org.apache.activemq:activemq-broker.
Bumps the maven group with 3 updates in the /spring-security-modules/spring-security-web-sockets directory: org.hibernate:hibernate-core, org.springframework:spring-webmvc and org.springframework.security:spring-security-web.
Bumps the maven group with 2 updates in the /spring-web-modules/spring-mvc-basics-2 directory: org.springframework:spring-webmvc and org.thymeleaf:thymeleaf.
Bumps the maven group with 2 updates in the /spring-web-modules/spring-mvc-views directory: org.hibernate:hibernate-core and org.springframework.security:spring-security-web.
Bumps the maven group with 1 update in the /testing-modules/spring-testing directory: org.springframework:spring-webmvc.
Bumps the maven group with 1 update in the /vertx-modules/vertx directory: io.vertx:vertx-core.

Updates org.apache.kafka:kafka-clients from 3.4.0 to 3.9.2

Updates org.apache.kafka:kafka-clients from 2.8.0 to 3.9.2

Updates org.apache.opennlp:opennlp-tools from 1.8.4 to 2.5.9

Release notes

Sourced from org.apache.opennlp:opennlp-tools's releases.

OpenNLP 2.5.9

Apache OpenNLP 2.5.9

This is a maintenance and security release on the 2.x line. It backports the security fixes shipped in 3.0.0-M3 and refreshes several dependencies.

Security Fixes

Three security issues are addressed in this release (also fixed in 3.0.0-M3 on the 3.x line).

XXE in DictionaryEntryPersistor (OPENNLP-1819)

The DictionaryEntryPersistor previously used a SAXParserFactory that did not enable secure processing or disable DTD handling, leaving external entity resolution active. A malicious dictionary file could exploit this for local file disclosure or SSRF before any dictionary entry was processed.

The parsing path is now aligned with the project's existing XmlUtil helper, which properly sets FEATURE_SECURE_PROCESSING and disallow-doctype-decl.

Arbitrary Class Instantiation in ExtensionLoader (OPENNLP-1820)

ExtensionLoader.instantiateExtension() performed its isAssignableFrom type check after Class.forName() had already executed the target class's static initializer, allowing a crafted model archive to trigger the static initializer of any class on the classpath.

The fix introduces a package-prefix allowlist consulted before Class.forName() is invoked:

Classes under opennlp.* remain permitted by default.

Other packages must be opted in via ExtensionLoader.registerAllowedPackage(String) or the OPENNLP_EXT_ALLOWED_PACKAGES system property (comma-separated list).

OOM via Unbounded Array Allocation in AbstractModelReader (OPENNLP-1821)

getOutcomes(), getOutcomePatterns(), and getPredicates() read attacker-controlled 32-bit count fields from binary model streams and passed them directly to array allocations. A crafted .bin file could trigger an immediate OutOfMemoryError and crash the JVM.

Each count is now bounded (default 10,000,000, configurable via -DOPENNLP_MAX_ENTRIES=<n>), with negative or oversized values failing fast via IllegalArgumentException.

⚠️ For all three issues, users who cannot upgrade immediately should restrict input (dictionary and model files) to trusted sources only.

What's Changed

Apache OpenNLP 2.5.8 by @mawiesne in apache/opennlp#1004

[2.x]: OPENNLP-1817: Update log4j2 to 2.25.4 by @dependabot[bot] in apache/opennlp#999

[2.x] Regenerated NOTICE file after dependency changes by @github-actions[bot] in apache/opennlp#1008

[2.x]: Bump actions/cache from 5.0.4 to 5.0.5 by @dependabot[bot] in apache/opennlp#1018

[2.x]: Bump com.ruleoftech:markdown-page-generator-plugin from 2.4.2 to 2.4.3 by @dependabot[bot] in apache/opennlp#1015

[2.x]: Bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 by @dependabot[bot] in apache/opennlp#1013

[2.x] OPENNLP-1819: Align DictionaryEntryPersistor XML parsing with XmlUtil by @rzo1 in apache/opennlp#1020

[2.x]: OPENNLP-1822: Update ONNX runtime to 1.25.0 by @dependabot[bot] in apache/opennlp#1023

[2.x] Regenerated NOTICE file after dependency changes by @github-actions[bot] in apache/opennlp#1026

Full Changelog: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311215&version=12356814

OpenNLP 2.5.8

Summary

Maintenance Infos:

Bug Fixes:

The SentenceDetector got three fixes in handling edge cases with abbreviation dictionaries (OPENNLP-1809, OPENNLP-1810, OPENNLP-1811)

Improvements:

The OpenNLP developer manual (HTML + PDF) got an uplift for the UIMA documentation part, being largely extended (OPENNLP-49)

Some updates of dependencies

... (truncated)

Commits

420b7a4 [maven-release-plugin] prepare release opennlp-2.5.9
44a02a7 OPENNLP-1820: Restrict ExtensionLoader to allowlisted package prefixes (#1021)
49ba4ef OPENNLP-1821: Prevent OutOfMemory Due To Huge Array Allocation (#1022)
94f89b5 Minor: Regenerated NOTICE File for 3eb21bcf093324c4a43b780383a4e5f37aaaf606 (...
3eb21bc [2.x]: OPENNLP-1822: Update ONNX runtime to 1.25.0 (#1023)
d9aaa47 OPENNLP-1819: Align DictionaryEntryPersistor XML parsing with XmlUtil helper ...
cd6c49d [2.x]: Bump peter-evans/create-pull-request from 8.1.0 to 8.1.1
d28365f [2.x]: Bump com.ruleoftech:markdown-page-generator-plugin
ad5d200 [2.x]: Bump actions/cache from 5.0.4 to 5.0.5
a219be1 OPENNLP-53: Fix compile error in ParseTest on 2.x The ch...
Additional commits viewable in compare view

Updates org.apache.spark:spark-core_2.12 from 3.3.2 to 3.5.7

Updates org.postgresql:postgresql from 42.5.4 to 42.7.11

Release notes

Sourced from org.postgresql:postgresql's releases.

v42.7.11

Security

fix: Limit SCRAM PBKDF2 iterations accepted from the server. pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins. See the Security Advisory for more detail. The following CVE-2026-42198 has been issued.

Changes

fix: Add sources and javadocs to shaded published lib generation @sehrope (#4043)

update Changelog and website for release of 42.7.11 @davecramer (#4042)

Fix scram fix location in changelog and update published artifact developer list @sehrope (#4041)

Restrict test with scram_iterations to v16+ and release notes @sehrope (#4040)

chore(deps): update ubuntu:24.04 docker digest to 84e77de @renovate-bot (#4017)

test: add tests for QueryExecutor#getTransactionState @vlsi (#4006)

chore(deps): update actions/create-github-app-token action to v2.2.2 @renovate-bot (#3983)

fix: fix flaky CopyBothResponseTest by using WAL flush LSN @vlsi (#3979)

fix: fix flaky replication restart tests by waiting for confirmed_flush_lsn @vlsi (#3975)

test: fix flaky LogicalReplicationStatusTest by polling pg_stat_replication @vlsi (#3974)

chore: replace Appveyor with ikalnytskyi/action-setup-postgres @vlsi (#3966)

test: move test table creation from @BeforeEach to @BeforeAll @vlsi (#3967)

Return jsonb as PGObject fixes Issue #3926 @davecramer (#3956)

Update docker scripts @davecramer (#3958)

implement require_auth, this is pretty much how libpq does this. @davecramer (#3895)

docs: add SCRAM authentication test setup section to TESTING.md @emmaeng700 (#3945)

Add RequireServerVersion annotation for tests @sehrope (#3939)

🐛 Bug Fixes

fix: ensure extended protocol messages end with Sync message @vlsi (#3728)

fix: enable cursor-based fetching in extended protocol when transaction started via SQL command @vlsi (#3996)

fix: retry with SSL on IOException when sslMode=ALLOW @vlsi (#3973)

fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in @vlsi (#3968)

fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers @vlsi (#3962)

fix: use compareTo for LogSequenceNumber comparison @vlsi (#3961)

fix: release COPY lock on IOException to prevent connection hang (#3957) @vlsi (#3960)

🧰 Maintenance

style: replace @exception with @throws in getBoolean javadoc @vlsi (#4035)

chore: use @vlsi/github-actions-random-matrix npm package @vlsi (#4008)

chore: use tag names for pinning github actions, pin ikalnytskyi/action-setup-postgres @vlsi (#4007)

chore: bump errorprone to 2.48.0 @vlsi (#4005)

test: add @DisableLogger annotation to suppress expected log warnings in tests @vlsi (#3971)

chore: suppress deprecations in test code to reduce build verbosity @vlsi (#3972)

chore: replace log warning in ConnectionFactory.closeStream with Throwable.addSuppressed @vlsi (#3970)

chore: use greedy pairwise coverage for CI matrix generation @vlsi (#3965)

chore: use full version tags in GitHub Actions comments @vlsi (#3963)

⬆️ Dependencies

... (truncated)

Changelog

Sourced from org.postgresql:postgresql's changelog.

[42.7.11] (2026-04-28)

Security

fix: Limit SCRAM PBKDF2 iterations accepted from the server. pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins. See the Security Advisory for more detail. The following CVE-2026-42198 has been issued.

Added

feat: implement require_auth connection property, aligning with libpq behavior [PR #3895](pgjdbc/pgjdbc#3895)

Changed

chore: replace Appveyor CI with ikalnytskyi/action-setup-postgres [PR #3966](pgjdbc/pgjdbc#3966)

chore: upgrade Gradle to v9 [PR #3978](pgjdbc/pgjdbc#3978)

Fixed

fix: ensure extended protocol messages end with Sync message [PR #3728](pgjdbc/pgjdbc#3728)

fix: enable cursor-based fetching in extended protocol when transaction started via SQL command [PR #3996](pgjdbc/pgjdbc#3996)

fix: retry with SSL on IOException when sslMode=ALLOW [PR #3973](pgjdbc/pgjdbc#3973)

fix: make sure the driver honours connectTimeout when retrying the connection [PR #3968](pgjdbc/pgjdbc#3968)

fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in [PR #3968](pgjdbc/pgjdbc#3968)

fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers [PR #3962](pgjdbc/pgjdbc#3962)

fix: use compareTo for LogSequenceNumber comparison to handle unsigned values correctly [PR #3961](pgjdbc/pgjdbc#3961)

fix: release COPY lock on IOException to prevent connection hang [PR #3957](pgjdbc/pgjdbc#3957)

fix: return jsonb as PGObject instead of String [PR #3956](pgjdbc/pgjdbc#3956)

fix: align SSL key file permission check with libpq [PR #3952](pgjdbc/pgjdbc#3952)

fix: guard connection closed flag with a reentrant lock to protect against concurrent close [PR #3905](pgjdbc/pgjdbc#3905)

[42.7.10] (2026-02-11)

Changed

chore: Migrate to Shadow 9 PR 3931

style: fix empty line before javadoc for checkstyle compliance [PR #3925](pgjdbc/pgjdbc#3925)

style: fix lambda argument indentation for checkstyle compliance [PR #3922](pgjdbc/pgjdbc#3922)

test: add autosave=always|never|conservative and cleanupSavepoints=true|false to the randomized CI jobs [PR #3917](pgjdbc/pgjdbc#3917)

Fixed

fix: non-standard strings failing test for version 19 [PR #3934](pgjdbc/pgjdbc#3934)

fix: small issues in ConnectionFactoryImpl [PR #3929](pgjdbc/pgjdbc#3929)

fix: process pending responses before fastpath to avoid protocol errors PR # 3913

doc: use.md, fix typos [PR #3911](pgjdbc/pgjdbc#3911)

doc: datasource.md, fix minor formatting issue [PR #3912](pgjdbc/pgjdbc#3912)

doc: add the new PGP signing key to the official documentation [PR #3912](pgjdbc/pgjdbc#3813)

Reverted

Revert "fix: make all Calendar instances proleptic Gregorian (#3837) (#3887)" [PR #3932](pgjdbc/pgjdbc#3932)

[42.7.9] (2026-01-14)

Added

... (truncated)

Commits

78e261f fix: Add sources and javadocs to shaded published lib generation
1e09fa0 update Changelog and website for release of 42.7.11 (#4042)
d479fa5 Fix scram fix location in changelog and update published artifact developer l...
b04fc46 docs: Add scram max iters fix to changelog
cf54822 test: Disable scram test on older version without scram_iterations GUC
7dbcc79 test: Add SCRAM max iteration tests
c9d41d1 fix: Limit SCRAM PBKDF2 iterations accepted from the server
a340cb2 style: replace @exception with @throws in getBoolean javadoc
77837f8 fix(deps): update dependency org.openrewrite.rewrite:org.openrewrite.rewrite....
23af03b chore(deps): update actions/checkout action to v6
Additional commits viewable in compare view

Updates org.apache.thrift:libthrift from 0.10.0 to 0.23.0

Release notes

Sourced from org.apache.thrift:libthrift's releases.

Version 0.23.0

Please head over to the official release download source: http://thrift.apache.org/download

The assets listed below are added by Github based on the release tag and they will therefore not match the checkums published on the Thrift project website.

Version 0.22.0

Please head over to the official release download source: http://thrift.apache.org/download

The assets listed below are added by Github based on the release tag and they will therefore not match the checkums published on the Thrift project website.

Version 0.21.0

Please head over to the official release download source: http://thrift.apache.org/download

The assets listed below are added by Github based on the release tag and they will therefore not match the checkums published on the Thrift project website.

Version 0.20.0

Please head over to the official release download source: http://thrift.apache.org/download

The assets listed below are added by Github based on the release tag and they will therefore not match the checkums published on the Thrift project website.

Version 0.19.0

Please head over to the official release download source: http://thrift.apache.org/download

The assets listed below are added by Github based on the release tag and they will therefore not match the checkums published on the Thrift project website.

Version 0.18.1

Please head over to the official release download source: http://thrift.apache.org/download

The assets listed below are added by Github based on the release tag and they will therefore not match the checkums published on the Thrift project website.

Version 0.18.0

Please head over to the official release download source: http://thrift.apache.org/download

The assets listed below are added by Github based on the release tag and they will therefore not match the checkums published on the Thrift project website.

Version 0.17.0

Please head over to the official release download source: http://thrift.apache.org/download

The assets listed below are added by Github based on the release tag and they will therefore not match the checkums published on the Thrift project website.

Version 0.16.0

For release 0.16.0 head over to the official release download source:

... (truncated)

Changelog

Sourced from org.apache.thrift:libthrift's changelog.

0.23.0

Build Process

THRIFT-5877 - Add cpp cross tests

THRIFT-5866 - Dockerfile to support Ubuntu 24.04 LTS (Noble Numbat)

THRIFT-5909 - add Ruby in GitHub workflow

THRIFT-5649 - add go in GitHub workflow / action

C glib

THRIFT-5931 - thrift_ssl_socket_get_ssl_error() can underflow its remaining-buffer counter and write past the stack buffer

THRIFT-5871 - Improve MAX_MESSAGE_SIZE check and friends

C++

THRIFT-5911 - Inconsistent UUID compilation for aliased types

THRIFT-5912 - Assertion failed: delta > 0, file ThreadManagerTests.h, line 162

THRIFT-5880 - C++ TSocket on an IPv6-only system fails if you use a hostname of 127.0.0.1

THRIFT-3268 - warning: token pasting of ',' and __VA_ARGS__ is a GNU extension

THRIFT-5887 - build/cmake/ should be prepended (not appended) to CMAKE_MODULE_PATH

THRIFT-5878 - Add UUID support for THeaderProtocol and TProtocolTap

THRIFT-5898 - Unable to build Thrift as a shared library on Windows

Contributed

THRIFT-5920 - Remove threadsafe warnings in thrift-maven-plugin

Delphi

THRIFT-5939 - Replace GUID generation with stable UUID algorithm

THRIFT-5876 - Add Delphi WinHTTP client TLS1.3 support

Go

THRIFT-5896 - Race condition in TServerSocket.Addr() method

Java

THRIFT-5925 - UUID implementation in JAVA is not according to the Thrift Specification

THRIFT-5869 - Close the transport after TServerEventHandler deleteContext

THRIFT-5863 - Make TServerTransport able to customize the max message size

THRIFT-5774 - Add remote client's IP address to ServerContext in TServerEventHandler

THRIFT-4280 - Add async nonblocking ssl support in java client

THRIFT-5879 - java and kotlin cross tests fail in the GitHub action

netstd

THRIFT-5902 - Add net10 support

... (truncated)

Commits

e4b684f Updated CHANGES.md
c4cbe43 Address vulnerabilities in Rack
68ac8e9 Enable TLS hostname verification in TNonblockingSSLSocket
5e4f01d Harden Node.js WebSocket server handling
e242889 Add input validation to Swift protocol layer
4af8c7c Add recursion depth limit to Node.js protocol skip()
a30c552 Enable TLS hostname verification in TSSLTransportFactory
0f8ec9c Fix parent class resolution in c_glib generated dispatch_call
276ec88 THRIFT-5929: Fix build failure on PHP 8.5 due to removed zend_exception_get_d...
17f2c13 Added missing 0.23.0 JIRA tickets to CHANGES.md
Additional commits viewable in compare view

Updates org.hibernate:hibernate-core from 5.4.3.Final to 6.0.0.Final

Changelog

Sourced from org.hibernate:hibernate-core's changelog.

Changes in 6.0.0.Final (March 31, 2022)

https://hibernate.atlassian.net/projects/HHH/versions/32049

** Bug * [HHH-15131] - JPA Compliance issue with Envers * [HHH-15118] - PooledOptimizer generates duplicate ids when several JVMs initialize optimizer and sequence value is the initial value * [HHH-15117] - ConstraintViolationException is thrown using same @SecondaryTable on two entities * [HHH-15115] - Deleting an entity with Joined inheritance and default schema set is throwing and error * [HHH-15113] - Exception setting ParameterExpressions on Update Queries * [HHH-15111] - MappingException is thrown for @JoinColumn with referencedColumnName on a @SecondaryTable * [HHH-15105] - Getting the CacheRegionStatistics before executing a query leads to a NPE later on * [HHH-15098] - suboptimal/incorrect behavior when updating managed oneToMany collection on entity with naturalId * [HHH-15091] - EntityManager.persist does not verify the existence of the one side of a many-to-one relationship, introduced 5.4.17 * [HHH-14487] - PropertyAccessStrategyMapImpl imports wrong class

** Improvement * [HHH-15144] - Add IncubationLogger * [HHH-15143] - Add an "implicit naming strategy" for database structures (sequence and tables) for identifier generators * [HHH-15138] - Remove support for Eviction Listeners in BoundedConcurrentHashMap * [HHH-15078] - Support for Tuple and SelectionQuery * [HHH-15055] - Document SelectionQuery and MutationQuery * [HHH-14672] - Allow specifying CHAR-based storage for UUID mappings * [HHH-14510] - Remove deprecated id-gen related contracts and classes * [HHH-13135] - Add support for KEY/NO KEY locking in PostgreSQL

** New Feature * [HHH-14739] - Implement ILike support in 6

** Task * [HHH-15139] - Improvements for QueryInterpretationCache * [HHH-15133] - Use specified result-type to better infer "shape" of query results with implicit selections * [HHH-15132] - Improvements for NavigablePath * [HHH-15119] - Upgrade to ByteBuddy 1.12.8 * [HHH-15107] - Update build to make tests pass against JDK19 * [HHH-14884] - More improvements to Domain Model chapter of the User Guide * [HHH-14872] - Re-enable hibernate-gradle-plugin

Changes in 6.0.0.CR2 (March 09, 2022)

https://hibernate.atlassian.net/projects/HHH/versions/32033

** Bug * [HHH-15084] - JpaCompliantLifecycleStrategy uses deprecated BeanManager method that's gone in CDI 4.0 * [HHH-15082] - JDBC Statement leaks after exceptions other than SQLException during insert/update/... * [HHH-15073] - Criteria query built from JPA metamodel throws PersistenceException: Specified result type [long] did not match Query selection type [java.lang.Long] * [HHH-15071] - "this.anticipatedType" is null

... (truncated)

Commits

2560cc6 Post-steps for release : 6.0.0.Final
53889db Pre-steps for release : 6.0.0.Final
6180e94 - Drop building of bundles for SourceForge
fa7cb3f Fix issues with respecting padding and limit for in list rendering
ad828a0 release announcement, doc artifacts
8d20c03 Address test failures in Gradle plugin module
3358157 HHH-15078 - Support for Tuple and SelectionQuery
aa0c57a HHH-15078 - Support for Tuple and SelectionQuery
88938ac Address test failures in Gradle plugin module
5b0c49e HHH-15133 - Use specified result-type to better infer "shape" of query result...
Additional commits viewable in compare view

Updates com.fasterxml.jackson.core:jackson-databind from 2.11.2 to 2.12.6

Commits

See full diff in compare view

Updates org.postgresql:postgresql from 42.2.16 to 42.7.11

Release notes

Sourced from org.postgresql:postgresql's releases.

v42.7.11

Security

fix: Limit SCRAM PBKDF2 iterations accepted from the server. pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins. See the Security Advisory for more detail. The following CVE-2026-42198 has been issued.

Changes

fix: Add sources and javadocs to shaded published lib generation @sehrope (#4043)

update Changelog and website for release of 42.7.11 @davecramer (#4042)

Fix scram fix location in changelog and update published artifact developer list @sehrope (#4041)

Restrict test with scram_iterations to v16+ and release notes @sehrope (#4040)

chore(deps): update ubuntu:24.04 docker digest to 84e77de @renovate-bot (#4017)

test: add tests for QueryExecutor#getTransactionState @vlsi (#4006)

chore(deps): update actions/create-github-app-token action to v2.2.2 @renovate-bot (#3983)

fix: fix flaky CopyBothResponseTest by using WAL flush LSN @vlsi (#3979)

fix: fix flaky replication restart tests by waiting for confirmed_flush_lsn @vlsi (#3975)

test: fix flaky LogicalReplicationStatusTest by polling pg_stat_replication @vlsi (#3974)

chore: replace Appveyor with ikalnytskyi/action-setup-postgres @vlsi (#3966)

test: move test table creation from @BeforeEach to @BeforeAll @vlsi (#3967)

Return jsonb as PGObject fixes Issue #3926 @davecramer (#3956)

Update docker scripts @davecramer (#3958)

implement require_auth, this is pretty much how libpq does this. @davecramer (#3895)

docs: add SCRAM authentication test setup section to TESTING.md @emmaeng700 (#3945)

Add RequireServerVersion annotation for tests @sehrope (#3939)

🐛 Bug Fixes

fix: ensure extended protocol messages end with Sync message @vlsi (#3728)

fix: enable cursor-based fetching in extended protocol when transaction started via SQL command @vlsi (#3996)

fix: retry with SSL on IOException when sslMode=ALLOW @vlsi (#3973)

fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in @vlsi (#3968)

fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers @vlsi (#3962)

fix: use compareTo for LogSequenceNumber comparison @vlsi (#3961)

fix: release COPY lock on IOException to prevent connection hang (#3957) @vlsi (#3960)

🧰 Maintenance

style: replace @exception with @throws in getBoolean javadoc @vlsi (#4035)

chore: use @vlsi/github-actions-random-matrix npm package @vlsi (#4008)

chore: use tag names for pinning github actions, pin ikalnytskyi/action-setup-postgres @vlsi (#4007)

chore: bump errorprone to 2.48.0 @vlsi (#4005)

test: add @DisableLogger annotation to suppress expected log warnings in tests @vlsi (#3971)

chore: suppress deprecations in test code to reduce build verbosity @vlsi (#3972)

chore: replace log warning in ConnectionFactory.closeStream with Throwable.addSuppressed @vlsi (#3970)

chore: use greedy pairwise coverage for CI matrix generation @vlsi (#3965)

chore: use full version tags in GitHub Actions comments @vlsi (#3963)

⬆️ Dependencies

... (truncated)

Changelog

Sourced from org.postgresql:postgresql's changelog.

[42.7.11] (2026-04-28)

Security

fix: Limit SCRAM PBKDF2 iterations accepted from the server. pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins. See the Security Advisory for more detail. The following CVE-2026-42198 has been issued.

Added

feat: implement require_auth connection property, aligning with libpq behavior [PR #3895](pgjdbc/pgjdbc#3895)

Changed

chore: replace Appveyor CI with ikalnytskyi/action-setup-postgres [PR #3966](pgjdbc/pgjdbc#3966)

chore: upgrade Gradle to v9 [PR #3978](pgjdbc/pgjdbc#3978)

Fixed

fix: ensure extended protocol messages end with Sync message [PR #3728](pgjdbc/pgjdbc#3728)

fix: enable cursor-based fetching in extended protocol when transaction started via SQL command [PR #3996](pgjdbc/pgjdbc#3996)

fix: retry with SSL on IOException when sslMode=ALLOW [PR #3973](pgjdbc/pgjdbc#3973)

fix: make sure the driver honours connectTimeout when retrying the connection [PR #3968](pgjdbc/pgjdbc#3968)

fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in [PR #3968](pgjdbc/pgjdbc#3968)

fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers [PR #3962](pgjdbc/pgjdbc#3962)

fix: use compareTo for LogSequenceNumber comparison to handle unsigned values correctly [PR #3961](pgjdbc/pgjdbc#3961)

fix: release COPY lock on IOException to prevent connection hang [PR #3957](pgjdbc/pgjdbc#3957)

fix: return jsonb as PGObject instead of String [PR #3956](pgjdbc/pgjdbc#3956)

fix: align SSL key file permission check with libpq [PR #3952](pgjdbc/pgjdbc#3952)

fix: guard connection closed flag with a reentrant lock to protect against concurrent close [PR #3905](pgjdbc/pgjdbc#3905)

[42.7.10] (2026-02-11)

Changed

chore: Migrate to Shadow 9 PR 3931

style: fix empty line before javadoc for checkstyle compliance [PR #3925](pgjdbc/pgjdbc#3925)

style: fix lambda argument indentation for checkstyle compliance [PR #3922](pgjdbc/pgjdbc#3922)

test: add autosave=always|never|conservative and cleanupSavepoints=true|false to the randomized CI jobs [PR #3917](pgjdbc/pgjdbc#3917)

Fixed

fix: non-standard strings failing test for version 19 [PR #3934](pgjdbc/pgjdbc#3934)

fix: small issues in ConnectionFactoryImpl [PR #3929](pgjdbc/pgjdbc#3929)

fix: process pending responses before fastpath to avoid protocol errors PR # 3913

doc: use.md, fix typos [PR #3911](pgjdbc/pgjdbc#3911)

doc: datasource.md, fix minor formatting issue [PR #3912](pgjdbc/pgjdbc#3912)

doc: add the new PGP signing key to the official documentation [PR #3912](pgjdbc/pgjdbc#3813)

Reverted

Revert "fix: make all Calendar instances proleptic Gregorian (#3837) (#3887)" [PR #3932](pgjdbc/pgjdbc#3932)

[42.7.9] (2026-01-14)

Added

... (truncated)

Commits

78e261f fix: Add sources and javadocs to shaded published lib generation
1e09fa0 update Changelog and website for release of 42.7.11 (#4042)
d479fa5 Fix scram fix location in changelog and update published artifact developer l...
b04fc46 docs: Add scram max iters fix to changelog
cf54822 test: Disable scram test on older version without scram_iterations GUC
7dbcc79 test: Add SCRAM max iteration tests
c9d41d1 fix: Limit SCRAM PBKDF2 iterations accepted from the server
a340cb2 style: replace @exception with @throws in getBoolean javadoc
77837f8 fix(deps): update dependency org.openrewrite.rewrite:org.openrewrite.rewrite....
23af03b chore(deps): update actions/checkout action to v6
Additional commits viewable in compare view

Updates org.hibernate:hibernate-core from 5.4.21.Final to 6.0.0.Final

Changelog

Sourced from

Bumps the maven group with 1 update in the /apache-kafka directory: org.apache.kafka:kafka-clients. Bumps the maven group with 1 update in the /apache-kafka-2 directory: org.apache.kafka:kafka-clients. Bumps the maven group with 1 update in the /apache-libraries directory: [org.apache.opennlp:opennlp-tools](https://github.com/apache/opennlp). Bumps the maven group with 2 updates in the /apache-spark directory: org.apache.spark:spark-core_2.12 and [org.postgresql:postgresql](https://github.com/pgjdbc/pgjdbc). Bumps the maven group with 1 update in the /apache-thrift directory: [org.apache.thrift:libthrift](https://github.com/apache/thrift). Bumps the maven group with 1 update in the /atomikos directory: [org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm). Bumps the maven group with 3 updates in the /aws-modules/aws-lambda-modules/shipping-tracker-lambda/ShippingFunction directory: [com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson), [org.postgresql:postgresql](https://github.com/pgjdbc/pgjdbc) and [org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm). Bumps the maven group with 1 update in the /core-java-modules/core-java-networking-2 directory: [org.asynchttpclient:async-http-client](https://github.com/AsyncHttpClient/async-http-client). Bumps the maven group with 1 update in the /core-java-modules/core-java-optional directory: [org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm). Bumps the maven group with 1 update in the /custom-pmd directory: [net.sourceforge.pmd:pmd-core](https://github.com/pmd/pmd). Bumps the maven group with 1 update in the /libraries-2 directory: [net.sf.jasperreports:jasperreports](https://github.com/Jaspersoft/jasperreports). Bumps the maven group with 1 update in the /libraries-ai directory: [org.apache.opennlp:opennlp-tools](https://github.com/apache/opennlp). Bumps the maven group with 1 update in the /libraries-data directory: org.apache.kafka:kafka-clients. Bumps the maven group with 1 update in the /libraries-data-io directory: [org.apache.thrift:libthrift](https://github.com/apache/thrift). Bumps the maven group with 1 update in the /libraries-files directory: org.apache.commons:commons-configuration2. Bumps the maven group with 1 update in the /libraries-http directory: [org.asynchttpclient:async-http-client](https://github.com/AsyncHttpClient/async-http-client). Bumps the maven group with 1 update in the /libraries-http-2 directory: [org.springframework:spring-webflux](https://github.com/spring-projects/spring-framework). Bumps the maven group with 2 updates in the /libraries-security directory: [org.bouncycastle:bcprov-jdk15on](https://github.com/bcgit/bc-java) and [org.bouncycastle:bcpkix-jdk15on](https://github.com/bcgit/bc-java). Bumps the maven group with 1 update in the /libraries-server directory: org.apache.tomcat:tomcat-catalina. Bumps the maven group with 2 updates in the /logging-modules/log-mdc directory: [org.springframework:spring-webmvc](https://github.com/spring-projects/spring-framework) and org.apache.logging.log4j:log4j-core. Bumps the maven group with 1 update in the /logging-modules/log4j directory: org.apache.logging.log4j:log4j-core. Bumps the maven group with 1 update in the /logging-modules/log4j2 directory: org.apache.logging.log4j:log4j-core. Bumps the maven group with 1 update in the /messaging-modules/spring-jms directory: [org.apache.activemq:activemq-all](https://github.com/apache/activemq). Bumps the maven group with 1 update in the /patterns-modules/design-patterns-architectural directory: [org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm). Bumps the maven group with 1 update in the /pdf directory: org.thymeleaf:thymeleaf. Bumps the maven group with 2 updates in the /persistence-modules/hibernate-libraries directory: [org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) and [org.springframework.boot:spring-boot-devtools](https://github.com/spring-projects/spring-boot). Bumps the maven group with 1 update in the /persistence-modules/java-jpa-3 directory: [org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm). Bumps the maven group with 1 update in the /persistence-modules/read-only-transactions directory: [org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm). Bumps the maven group with 1 update in the /persistence-modules/spring-hibernate-5 directory: [org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm). Bumps the maven group with 1 update in the /spring-boot-modules/spring-boot-custom-starter/greeter-spring-boot-autoconfigure directory: [org.springframework.boot:spring-boot](https://github.com/spring-projects/spring-boot). Bumps the maven group with 1 update in the /spring-ejb-modules/ejb-beans directory: [org.apache.activemq:activemq-broker](https://github.com/apache/activemq). Bumps the maven group with 3 updates in the /spring-security-modules/spring-security-web-sockets directory: [org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm), [org.springframework:spring-webmvc](https://github.com/spring-projects/spring-framework) and [org.springframework.security:spring-security-web](https://github.com/spring-projects/spring-security). Bumps the maven group with 2 updates in the /spring-web-modules/spring-mvc-basics-2 directory: [org.springframework:spring-webmvc](https://github.com/spring-projects/spring-framework) and org.thymeleaf:thymeleaf. Bumps the maven group with 2 updates in the /spring-web-modules/spring-mvc-views directory: [org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) and [org.springframework.security:spring-security-web](https://github.com/spring-projects/spring-security). Bumps the maven group with 1 update in the /testing-modules/spring-testing directory: [org.springframework:spring-webmvc](https://github.com/spring-projects/spring-framework). Bumps the maven group with 1 update in the /vertx-modules/vertx directory: [io.vertx:vertx-core](https://github.com/eclipse/vert.x). Updates `org.apache.kafka:kafka-clients` from 3.4.0 to 3.9.2 Updates `org.apache.kafka:kafka-clients` from 2.8.0 to 3.9.2 Updates `org.apache.opennlp:opennlp-tools` from 1.8.4 to 2.5.9 - [Release notes](https://github.com/apache/opennlp/releases) - [Commits](apache/opennlp@opennlp-1.8.4...opennlp-2.5.9) Updates `org.apache.spark:spark-core_2.12` from 3.3.2 to 3.5.7 Updates `org.postgresql:postgresql` from 42.5.4 to 42.7.11 - [Release notes](https://github.com/pgjdbc/pgjdbc/releases) - [Changelog](https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md) - [Commits](pgjdbc/pgjdbc@REL42.5.4...REL42.7.11) Updates `org.apache.thrift:libthrift` from 0.10.0 to 0.23.0 - [Release notes](https://github.com/apache/thrift/releases) - [Changelog](https://github.com/apache/thrift/blob/master/CHANGES.md) - [Commits](apache/thrift@0.10.0...v0.23.0) Updates `org.hibernate:hibernate-core` from 5.4.3.Final to 6.0.0.Final - [Release notes](https://github.com/hibernate/hibernate-orm/releases) - [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.0.0/changelog.txt) - [Commits](hibernate/hibernate-orm@5.4.3...6.0.0) Updates `com.fasterxml.jackson.core:jackson-databind` from 2.11.2 to 2.12.6 - [Commits](https://github.com/FasterXML/jackson/commits) Updates `org.postgresql:postgresql` from 42.2.16 to 42.7.11 - [Release notes](https://github.com/pgjdbc/pgjdbc/releases) - [Changelog](https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md) - [Commits](pgjdbc/pgjdbc@REL42.5.4...REL42.7.11) Updates `org.hibernate:hibernate-core` from 5.4.21.Final to 6.0.0.Final - [Release notes](https://github.com/hibernate/hibernate-orm/releases) - [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.0.0/changelog.txt) - [Commits](hibernate/hibernate-orm@5.4.3...6.0.0) Updates `org.asynchttpclient:async-http-client` from 2.4.5 to 2.15.0 - [Release notes](https://github.com/AsyncHttpClient/async-http-client/releases) - [Commits](AsyncHttpClient/async-http-client@async-http-client-project-2.4.5...async-http-client-project-2.15.0) Updates `org.hibernate:hibernate-core` from 5.4.0.Final to 6.0.0.Final - [Release notes](https://github.com/hibernate/hibernate-orm/releases) - [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.0.0/changelog.txt) - [Commits](hibernate/hibernate-orm@5.4.3...6.0.0) Updates `net.sourceforge.pmd:pmd-core` from 6.53.0 to 7.22.0 - [Release notes](https://github.com/pmd/pmd/releases) - [Commits](pmd/pmd@pmd_releases/6.53.0...pmd_releases/7.22.0) Updates `net.sf.jasperreports:jasperreports` from 6.20.0 to 7.0.4 - [Release notes](https://github.com/Jaspersoft/jasperreports/releases) - [Changelog](https://github.com/Jaspersoft/jasperreports/blob/master/changes.txt) - [Commits](Jaspersoft/jasperreports@6.20.0...7.0.4) Updates `org.apache.opennlp:opennlp-tools` from 2.1.1 to 2.5.9 - [Release notes](https://github.com/apache/opennlp/releases) - [Commits](apache/opennlp@opennlp-1.8.4...opennlp-2.5.9) Updates `org.apache.kafka:kafka-clients` from 3.3.1 to 3.9.2 Updates `org.apache.thrift:libthrift` from 0.14.2 to 0.23.0 - [Release notes](https://github.com/apache/thrift/releases) - [Changelog](https://github.com/apache/thrift/blob/master/CHANGES.md) - [Commits](apache/thrift@0.10.0...v0.23.0) Updates `org.apache.commons:commons-configuration2` from 2.8.0 to 2.15.0 Updates `org.asynchttpclient:async-http-client` from 2.2.0 to 2.15.0 - [Release notes](https://github.com/AsyncHttpClient/async-http-client/releases) - [Commits](AsyncHttpClient/async-http-client@async-http-client-project-2.4.5...async-http-client-project-2.15.0) Updates `org.springframework:spring-webflux` from 5.1.9.RELEASE to 6.2.18 - [Release notes](https://github.com/spring-projects/spring-framework/releases) - [Commits](spring-projects/spring-framework@v5.1.9.RELEASE...v6.2.18) Updates `org.bouncycastle:bcprov-jdk15on` from 1.58 to 1.70 - [Changelog](https://github.com/bcgit/bc-java/blob/main/docs/releasenotes.html) - [Commits](https://github.com/bcgit/bc-java/commits) Updates `org.bouncycastle:bcpkix-jdk15on` from 1.58 to 1.70 - [Changelog](https://github.com/bcgit/bc-java/blob/main/docs/releasenotes.html) - [Commits](https://github.com/bcgit/bc-java/commits) Updates `org.bouncycastle:bcpkix-jdk15on` from 1.58 to 1.70 - [Changelog](https://github.com/bcgit/bc-java/blob/main/docs/releasenotes.html) - [Commits](https://github.com/bcgit/bc-java/commits) Updates `org.apache.tomcat:tomcat-catalina` from 8.5.24 to 9.0.118 Updates `org.springframework:spring-webmvc` from 5.3.28 to 6.2.17 - [Release notes](https://github.com/spring-projects/spring-framework/releases) - [Commits](spring-projects/spring-framework@v5.3.28...v6.2.17) Updates `org.apache.logging.log4j:log4j-core` from 2.17.1 to 2.25.4 Updates `org.apache.logging.log4j:log4j-core` from 2.17.1 to 2.25.4 Updates `org.apache.logging.log4j:log4j-core` from 2.19.0 to 2.25.4 Updates `org.apache.activemq:activemq-all` from 5.14.1 to 5.19.6 - [Release notes](https://github.com/apache/activemq/releases) - [Commits](apache/activemq@activemq-5.14.1...activemq-5.19.6) Updates `org.hibernate:hibernate-core` from 5.2.16.Final to 6.0.0.Final - [Release notes](https://github.com/hibernate/hibernate-orm/releases) - [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.0.0/changelog.txt) - [Commits](hibernate/hibernate-orm@5.4.3...6.0.0) Updates `org.thymeleaf:thymeleaf` from 3.0.11.RELEASE to 3.1.5.RELEASE Updates `org.hibernate:hibernate-core` from 5.4.14.Final to 6.0.0.Final - [Release notes](https://github.com/hibernate/hibernate-orm/releases) - [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.0.0/changelog.txt) - [Commits](hibernate/hibernate-orm@5.4.3...6.0.0) Updates `org.springframework.boot:spring-boot-devtools` from 2.1.3.RELEASE to 3.0.0 - [Release notes](https://github.com/spring-projects/spring-boot/releases) - [Commits](spring-projects/spring-boot@v2.1.3.RELEASE...v3.0.0) Updates `org.hibernate:hibernate-core` from 5.4.14.Final to 6.0.0.Final - [Release notes](https://github.com/hibernate/hibernate-orm/releases) - [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.0.0/changelog.txt) - [Commits](hibernate/hibernate-orm@5.4.3...6.0.0) Updates `org.hibernate:hibernate-core` from 5.6.1.Final to 6.0.0.Final - [Release notes](https://github.com/hibernate/hibernate-orm/releases) - [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.0.0/changelog.txt) - [Commits](hibernate/hibernate-orm@5.4.3...6.0.0) Updates `org.hibernate:hibernate-core` from 5.2.10.Final to 6.0.0.Final - [Release notes](https://github.com/hibernate/hibernate-orm/releases) - [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.0.0/changelog.txt) - [Commits](hibernate/hibernate-orm@5.4.3...6.0.0) Updates `org.springframework.boot:spring-boot` from 2.2.6.RELEASE to 3.0.0 - [Release notes](https://github.com/spring-projects/spring-boot/releases) - [Commits](spring-projects/spring-boot@v2.2.6.RELEASE...v3.0.0) Updates `org.apache.activemq:activemq-broker` from 5.16.3 to 5.19.5 - [Release notes](https://github.com/apache/activemq/releases) - [Commits](apache/activemq@activemq-5.16.3...activemq-5.19.5) Updates `org.hibernate:hibernate-core` from 5.2.10.Final to 6.0.0.Final - [Release notes](https://github.com/hibernate/hibernate-orm/releases) - [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.0.0/changelog.txt) - [Commits](hibernate/hibernate-orm@5.4.3...6.0.0) Updates `org.springframework:spring-webmvc` from 5.3.28 to 6.2.17 - [Release notes](https://github.com/spring-projects/spring-framework/releases) - [Commits](spring-projects/spring-framework@v5.3.28...v6.2.17) Updates `org.springframework.security:spring-security-web` from 5.7.3 to 6.5.9 - [Release notes](https://github.com/spring-projects/spring-security/releases) - [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc) - [Commits](spring-projects/spring-security@5.7.3...6.5.9) Updates `org.springframework:spring-webmvc` from 5.3.28 to 6.2.17 - [Release notes](https://github.com/spring-projects/spring-framework/releases) - [Commits](spring-projects/spring-framework@v5.3.28...v6.2.17) Updates `org.thymeleaf:thymeleaf` from 3.0.11.RELEASE to 3.1.5.RELEASE Updates `org.hibernate:hibernate-core` from 5.4.9.Final to 6.0.0.Final - [Release notes](https://github.com/hibernate/hibernate-orm/releases) - [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.0.0/changelog.txt) - [Commits](hibernate/hibernate-orm@5.4.3...6.0.0) Updates `org.springframework.security:spring-security-web` from 5.2.1.RELEASE to 6.5.9 - [Release notes](https://github.com/spring-projects/spring-security/releases) - [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc) - [Commits](spring-projects/spring-security@5.7.3...6.5.9) Updates `org.springframework:spring-webmvc` from 5.3.4 to 6.2.17 - [Release notes](https://github.com/spring-projects/spring-framework/releases) - [Commits](spring-projects/spring-framework@v5.3.28...v6.2.17) Updates `io.vertx:vertx-core` from 3.9.15 to 4.5.26 - [Commits](eclipse-vertx/vert.x@3.9.15...4.5.26) --- updated-dependencies: - dependency-name: org.apache.kafka:kafka-clients dependency-version: 3.9.2 dependency-type: direct:production dependency-group: maven - dependency-name: org.apache.kafka:kafka-clients dependency-version: 3.9.2 dependency-type: direct:production dependency-group: maven - dependency-name: org.apache.opennlp:opennlp-tools dependency-version: 2.5.9 dependency-type: direct:production dependency-group: maven - dependency-name: org.apache.spark:spark-core_2.12 dependency-version: 3.5.7 dependency-type: direct:production dependency-group: maven - dependency-name: org.postgresql:postgresql dependency-version: 42.7.11 dependency-type: direct:production dependency-group: maven - dependency-name: org.apache.thrift:libthrift dependency-version: 0.23.0 dependency-type: direct:production dependency-group: maven - dependency-name: org.hibernate:hibernate-core dependency-version: 6.0.0.Final dependency-type: direct:production dependency-group: maven - dependency-name: com.fasterxml.jackson.core:jackson-databind dependency-version: 2.12.6 dependency-type: direct:production dependency-group: maven - dependency-name: org.postgresql:postgresql dependency-version: 42.7.11 dependency-type: direct:production dependency-group: maven - dependency-name: org.hibernate:hibernate-core dependency-version: 6.0.0.Final dependency-type: direct:production dependency-group: maven - dependency-name: org.asynchttpclient:async-http-client dependency-version: 2.15.0 dependency-type: direct:production dependency-group: maven - dependency-name: org.hibernate:hibernate-core dependency-version: 6.0.0.Final dependency-type: direct:production dependency-group: maven - dependency-name: net.sourceforge.pmd:pmd-core dependency-version: 7.22.0 dependency-type: direct:production dependency-group: maven - dependency-name: net.sf.jasperreports:jasperreports dependency-version: 7.0.4 dependency-type: direct:production dependency-group: maven - dependency-name: org.apache.opennlp:opennlp-tools dependency-version: 2.5.9 dependency-type: direct:production dependency-group: maven - dependency-name: org.apache.kafka:kafka-clients dependency-version: 3.9.2 dependency-type: direct:development dependency-group: maven - dependency-name: org.apache.thrift:libthrift dependency-version: 0.23.0 dependency-type: direct:production dependency-group: maven - dependency-name: org.apache.commons:commons-configuration2 dependency-version: 2.15.0 dependency-type: direct:production dependency-group: maven - dependency-name: org.asynchttpclient:async-http-client dependency-version: 2.15.0 dependency-type: direct:production dependency-group: maven - dependency-name: org.springframework:spring-webflux dependency-version: 6.2.18 dependency-type: direct:production dependency-group: maven - dependency-name: org.bouncycastle:bcprov-jdk15on dependency-version: '1.70' dependency-type: direct:production dependency-group: maven - dependency-name: org.bouncycastle:bcpkix-jdk15on dependency-version: '1.70' dependency-type: direct:production dependency-group: maven - dependency-name: org.bouncycastle:bcpkix-jdk15on dependency-version: '1.70' dependency-type: direct:production dependency-group: maven - dependency-name: org.apache.tomcat:tomcat-catalina dependency-version: 9.0.118 dependency-type: direct:production dependency-group: maven - dependency-name: org.springframework:spring-webmvc dependency-version: 6.2.17 dependency-type: direct:production dependency-group: maven - dependency-name: org.apache.logging.log4j:log4j-core dependency-version: 2.25.4 dependency-type: direct:production dependency-group: maven - dependency-name: org.apache.logging.log4j:log4j-core dependency-version: 2.25.4 dependency-type: direct:production dependency-group: maven - dependency-name: org.apache.logging.log4j:log4j-core dependency-version: 2.25.4 dependency-type: direct:development dependency-group: maven - dependency-name: org.apache.activemq:activemq-all dependency-version: 5.19.6 dependency-type: direct:production dependency-group: maven - dependency-name: org.hibernate:hibernate-core dependency-version: 6.0.0.Final dependency-type: direct:production dependency-group: maven - dependency-name: org.thymeleaf:thymeleaf dependency-version: 3.1.5.RELEASE dependency-type: direct:production dependency-group: maven - dependency-name: org.hibernate:hibernate-core dependency-version: 6.0.0.Final dependency-type: direct:production dependency-group: maven - dependency-name: org.springframework.boot:spring-boot-devtools dependency-version: 3.0.0 dependency-type: direct:production dependency-group: maven - dependency-name: org.hibernate:hibernate-core dependency-version: 6.0.0.Final dependency-type: direct:production dependency-group: maven - dependency-name: org.hibernate:hibernate-core dependency-version: 6.0.0.Final dependency-type: direct:production dependency-group: maven - dependency-name: org.hibernate:hibernate-core dependency-version: 6.0.0.Final dependency-type: direct:production dependency-group: maven - dependency-name: org.springframework.boot:spring-boot dependency-version: 3.0.0 dependency-type: direct:production dependency-group: maven - dependency-name: org.apache.activemq:activemq-broker dependency-version: 5.19.5 dependency-type: direct:production dependency-group: maven - dependency-name: org.hibernate:hibernate-core dependency-version: 6.0.0.Final dependency-type: direct:production dependency-group: maven - dependency-name: org.springframework:spring-webmvc dependency-version: 6.2.17 dependency-type: direct:production dependency-group: maven - dependency-name: org.springframework.security:spring-security-web dependency-version: 6.5.9 dependency-type: direct:production dependency-group: maven - dependency-name: org.springframework:spring-webmvc dependency-version: 6.2.17 dependency-type: direct:production dependency-group: maven - dependency-name: org.thymeleaf:thymeleaf dependency-version: 3.1.5.RELEASE dependency-type: direct:production dependency-group: maven - dependency-name: org.hibernate:hibernate-core dependency-version: 6.0.0.Final dependency-type: direct:production dependency-group: maven - dependency-name: org.springframework.security:spring-security-web dependency-version: 6.5.9 dependency-type: direct:production dependency-group: maven - dependency-name: org.springframework:spring-webmvc dependency-version: 6.2.17 dependency-type: direct:production dependency-group: maven - dependency-name: io.vertx:vertx-core dependency-version: 4.5.26 dependency-type: direct:production dependency-group: maven ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels May 21, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the maven group across 36 directories with 24 updates#1365

Bump the maven group across 36 directories with 24 updates#1365
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/maven/apache-kafka/maven-3059705f6c

dependabot Bot commented on behalf of github May 21, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 21, 2026

OpenNLP 2.5.9

Apache OpenNLP 2.5.9

Security Fixes

XXE in DictionaryEntryPersistor (OPENNLP-1819)

Arbitrary Class Instantiation in ExtensionLoader (OPENNLP-1820)

OOM via Unbounded Array Allocation in AbstractModelReader (OPENNLP-1821)

What's Changed

OpenNLP 2.5.8

Summary

Maintenance Infos:

v42.7.11

Security

Changes

🐛 Bug Fixes

🧰 Maintenance

⬆️ Dependencies

[42.7.11] (2026-04-28)

Security

Added

Changed

Fixed

[42.7.10] (2026-02-11)

Changed

Fixed

Reverted

[42.7.9] (2026-01-14)

Added

Version 0.23.0

Version 0.22.0

Version 0.21.0

Version 0.20.0

Version 0.19.0

Version 0.18.1

Version 0.18.0

Version 0.17.0

Version 0.16.0

0.23.0

Build Process

C glib

C++

Contributed

Delphi

Go

Java

netstd

Changes in 6.0.0.Final (March 31, 2022)

Changes in 6.0.0.CR2 (March 09, 2022)

v42.7.11

Security

Changes

🐛 Bug Fixes

🧰 Maintenance

⬆️ Dependencies

[42.7.11] (2026-04-28)

Security

Added

Changed

Fixed

[42.7.10] (2026-02-11)

Changed

Fixed

Reverted

[42.7.9] (2026-01-14)

Added

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

XXE in `DictionaryEntryPersistor` (OPENNLP-1819)

Arbitrary Class Instantiation in `ExtensionLoader` (OPENNLP-1820)

OOM via Unbounded Array Allocation in `AbstractModelReader` (OPENNLP-1821)