fix(deps): bump the prod-deps group with 3 updates #360

Closed
dependabot[bot] wants to merge 1 commit into master from dependabot/maven/prod-deps-d7177e16b2

dependabot Bot commented on behalf of github Apr 26, 2026

Bumps the prod-deps group with 3 updates: org.springframework.boot:spring-boot-starter-parent, org.hibernate.orm:hibernate-jpamodelgen and org.jsoup:jsoup.

Updates org.springframework.boot:spring-boot-starter-parent from 4.0.5 to 4.0.6

Release notes

Sourced from org.springframework.boot:spring-boot-starter-parent's releases.

v4.0.6

🐞 Bug Fixes

  • Default security is misconfigured when spring-boot-actuator-autoconfigure is present and spring-boot-health is not #50188
  • Elasticsearch Rest5Client auto-configuration misconfigures underlying HTTP client #50187
  • ApplicationPidFileWriter does not handle symlinks correctly #50185
  • RandomValuePropertySource is not suitable for secrets #50183
  • Cassandra auto-configuration misconfigures CqlSessionBuilder #50180
  • ApplicationTemp does not handle symlinks correctly #50178
  • Remote DevTools performs comparison incorrectly #50176
  • spring.rabbitmq.ssl.verify-hostname is applied inconsistently #50174
  • Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #50077
  • Classic starters are missing several modules #50071
  • Module spring-boot-resttestclient is missing from spring-boot-starter-test-classic #50069
  • Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #50064
  • EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #50039
  • WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #50017
  • Imports on a containing test class are ignored when a nested class has imports #50012
  • With spring.jackson.use-jackson2-defaults set to true, FAIL_ON_UNKNOWN_PROPERTIES is enabled #49951
  • 500 response from env endpoint when supplied pattern is invalid #49946
  • Reactive MongoDB starter has a transitive dependency on the synchronous MongoDB driver #49945
  • HTTP method is lost when configuring excludes in EndpointRequest #49943
  • Honor HttpMethod for reactive additional endpoint paths #49880
  • Docker Compose support doesn't work with apache/artemis image #49869
  • Docker Compose support doesn't work with apache/activemq image #49866
  • Spring Security's PathPatternRequestMatcher.Builder is not auto-configured when using WebMvcTest and spring-boot-security-test #49854
  • API versioning path strategy should be applied path last as it is not meant to yield #49800

📔 Documentation

  • Update docs to encourage Java fundamentals for beginners that prefer to learn that way #50146
  • HTTP Service Interface Clients still document that API versioning can be configured via properties #50126
  • Link to the observability section of the Lettuce documentation is broken #50097
  • Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location #50085
  • MySamlRelyingPartyConfiguration is missing a Kotlin sample #50024
  • Incorrect default value for management.httpexchanges.recording.include in configuration metadata #50019
  • Link to the Kubernetes documentation when discussing startup probes #50015
  • Typo in JdbcSessionAutoConfiguration Javadoc #49873
  • Clarify that configuration property default values are not available through the Environment #49851
  • Document the need for Liquibase and Flyway starters #49839
  • Kafka documentation refers to deprecated JSON serializer and deserializer classes #49826

🔨 Dependency Upgrades

... (truncated)

Commits
  • 8821ad2 Release v4.0.6
  • 9e4048a Merge branch '3.5.x' into 4.0.x
  • 20bb11c Next development version (v3.5.15-SNAPSHOT)
  • 98daa8e Merge branch '3.5.x' into 4.0.x
  • 9dc5aa2 Polish
  • 874f629 Fix default security with actuator but without health
  • e41b3bf Enable hostname verification for SSL connections to Elasticsearch
  • ef8527b Merge branch '3.5.x' into 4.0.x
  • f533a45 Do not follow symlinks when writing PID file
  • 4a7bd33 Merge branch '3.5.x' into 4.0.x
  • Additional commits viewable in compare view

Updates org.hibernate.orm:hibernate-jpamodelgen from 7.2.7.Final to 7.2.12.Final

Release notes

Sourced from org.hibernate.orm:hibernate-jpamodelgen's releases.

Release 7.2.12

Hibernate ORM 7.2.12.Final released

Today, we published a new release of Hibernate ORM 7.2: 7.2.12.Final.

You can find the full list of 7.2.12.Final changes here.

What's new

  • See the website for requirements and compatibilities.
  • See the What's New guide for details about new features and capabilities.
  • See the Migration Guide for details about migration.

Conclusion

For additional details, see:

See also the following resources related to supported APIs:

Visit the website for details on getting in touch with us.

Release 7.2.11

Hibernate ORM 7.2.11.Final released

Today, we published a new release of Hibernate ORM 7.2: 7.2.11.Final.

You can find the full list of 7.2.11.Final changes here.

What's new

  • See the website for requirements and compatibilities.
  • See the What's New guide for details about new features and capabilities.
  • See the Migration Guide for details about migration.

Conclusion

... (truncated)

Changelog

Sourced from org.hibernate.orm:hibernate-jpamodelgen's changelog.

Changes in 7.2.12.Final (April 19, 2026)

https://hibernate.atlassian.net/projects/HHH/versions/38758

Bug

  • HHH-20320 detached versioned entity parameter triggers auto-flush transient check
  • HHH-20317 Envers does not reflect @DiscriminatorOptions for history entities

Task

  • HHH-20334 Upgrade to Log4j 2.25.4

Changes in 7.2.11.Final (April 12, 2026)

https://hibernate.atlassian.net/projects/HHH/versions/38655

Bug

  • HHH-20326 ClassCastException when joining array within embeddable

Changes in 7.2.10.Final (April 05, 2026)

https://hibernate.atlassian.net/projects/HHH/versions/38553

Bug

  • HHH-20287 DataException ( Parameter is not set) when updating only the version of an Entity with a PartitionKey

Changes in 7.2.9.Final (March 30, 2026)

https://hibernate.atlassian.net/projects/HHH/versions/38419

Bug

  • HHH-20251 NPE: query with fetch graph and read-only hint on bytecode enhanced entities
  • HHH-20209 Race Condition in JavaTypeRegistry causing SemanticException during parallel UNION queries with projection.
  • HHH-20126 NPE when querying with a lockMode/lockScope
  • HHH-20053 HQL grammar ambiguity for NOT keyword
  • HHH-19429 ConcurrentModificationException observed while executing JPQL update query with VERSIONED clause

Changes in 7.2.8.Final (March 26, 2026)

https://hibernate.atlassian.net/projects/HHH/versions/38218

... (truncated)

Commits
  • ecd25d8 [Jenkins release job] Preparing release 7.2.12.Final
  • 172b45d [Jenkins release job] changelog.txt updated by release build 7.2.12.Final
  • 992d63b HHH-20317 fix: Envers does not reflect @DiscriminatorOptions for history enti...
  • a24f8f5 HHH-20334 Upgrade to Log4j 2.25.4
  • 473c253 HHH-20334 Fix invalid log4j config
  • d93ed67 HHH-20320 fix issue
  • 2b01155 HHH-20320 add test by @ymajoros
  • e95fd08 [Jenkins release job] Preparing next development iteration
  • a17113b [Jenkins release job] Preparing release 7.2.11.Final
  • 82b260b [Jenkins release job] changelog.txt updated by release build 7.2.11.Final
  • Additional commits viewable in compare view

Updates org.jsoup:jsoup from 1.22.1 to 1.22.2

Release notes

Sourced from org.jsoup:jsoup's releases.

jsoup Java HTML Parser release 1.22.2

jsoup 1.22.2 is out now, with fixes and refinements across the library. It makes editing the DOM during traversal more predictable, refreshes the default HTML tag definitions with newer elements and better text boundaries, and improves reliability in parsing and HTTP transport. The release also fixes a number of edge cases in cleaning, stream parsing, XML doctype handling, and Android packaging.

jsoup is a Java library for working with real-world HTML and XML. It provides a very convenient API for extracting and manipulating data, using the best of HTML5 DOM methods and CSS selectors.

Download jsoup now.

Improvements

  • Expanded and clarified NodeTraversor support for in-place DOM rewrites during NodeVisitor.head(). Current-node edits such as remove, replace, and unwrap now recover more predictably, while traversal stays within the original root subtree. This makes single-pass tree cleanup and normalization visitors easier to write, for example when unwrapping presentational elements or replacing text nodes as you walk the DOM. #2472
  • Documentation: clarified that a configured Cleaner may be reused across concurrent threads, and that shared Safelist instances should not be mutated while in use. #2473
  • Updated the default HTML TagSet for current HTML elements: added dialog, search, picture, and slot; made ins, del, button, audio, video, and canvas inline by default (Tag#isInline(), aligned to phrasing content in the spec); and added readable Element.text() boundaries for controls and embedded objects via the new Tag.TextBoundary option. This improves pretty-printing and keeps normalized text from running adjacent words together. #2493

Bug Fixes

  • Android (R8/ProGuard): added a rule to ignore the optional re2j dependency when not present. #2459
  • Fixed a NodeTraversor regression in 1.21.2 where removing or replacing the current node during head() could revisit the replacement node and loop indefinitely. The traversal docs now also clarify which inserted nodes are visited in the current pass. #2472
  • Parsing during charset sniffing no longer fails if an advisory available() call throws IOException, as seen on JDK 8 HttpURLConnection. #2474
  • Cleaner no longer makes relative URL attributes in the input document absolute when cleaning or validating a Document. URL normalization now applies only to the cleaned output, and Safelist.isSafeAttribute() is side effect free. #2475
  • Cleaner no longer duplicates enforced attributes when the input Document preserves attribute case. A case-variant source attribute is now replaced by the enforced attribute in the cleaned output. #2476
  • If a per-request SOCKS proxy is configured, jsoup now avoids using the JDK HttpClient, because the JDK would silently ignore that proxy and attempt to connect directly. Those requests now fall back to the legacy HttpURLConnection transport instead, which does support SOCKS. #2468
  • Connection.Response.streamParser() and DataUtil.streamParser(Path, ...) could fail on small inputs without a declared charset, if the initial 5 KB charset sniff fully consumed the input and closed it before the stream parse began. #2483
  • In XML mode, doctypes with an internal subset, such as <!DOCTYPE root [<!ENTITY name "value">]>, now round-trip correctly. The subset is preserved as raw text only; entities are not expanded and external DTDs are not loaded. #2486

Build Changes

  • Migrated the integration test server from Jetty to Netty, which actively maintains support for our minimum JDK target (8). #2491

My sincere thanks to everyone who contributed to this release! If you have any suggestions for the next release, I would love to hear them; please get in touch via jsoup discussions, or with me directly.

You can also follow me (@jhy@tilde.zone) on Mastodon / Fediverse to receive occasional notes about jsoup releases.

Changelog

Sourced from org.jsoup:jsoup's changelog.

1.22.2 (2026-Apr-20)

Commits
  • ac28afe [maven-release-plugin] prepare release jsoup-1.22.2
  • 52f2cd3 Improve entity example in changelog
  • cf6ffe0 Add Tag#TextBoundary option; bring TagSet to spec (#2493)
  • 2be739c Bump github/codeql-action from 4 to 4.35.1 (#2492)
  • 45de7cb Migrate integration test server from Jetty to Netty (#2491)
  • 1df14ed Preserve XML doctype internal subset
  • 06fa52d Adding Contribution Guide
  • d4a8941 Simplify the test; doesn't need the buffer
  • 823709f Don't reuse a fully read sniffed doc for StreamParser
  • e1b0df5 NodeFilter javadoc tweak
  • Additional commits viewable in compare view

Bumps the prod-deps group with 3 updates: [org.springframework.boot:spring-boot-starter-parent](https://github.com/spring-projects/spring-boot), [org.hibernate.orm:hibernate-jpamodelgen](https://github.com/hibernate/hibernate-orm) and [org.jsoup:jsoup](https://github.com/jhy/jsoup).


Updates `org.springframework.boot:spring-boot-starter-parent` from 4.0.5 to 4.0.6
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v4.0.5...v4.0.6)

Updates `org.hibernate.orm:hibernate-jpamodelgen` from 7.2.7.Final to 7.2.12.Final
- [Release notes](https://github.com/hibernate/hibernate-orm/releases)
- [Changelog](https://github.com/hibernate/hibernate-orm/blob/7.2.12/changelog.txt)
- [Commits](hibernate/hibernate-orm@7.2.7...7.2.12)

Updates `org.jsoup:jsoup` from 1.22.1 to 1.22.2
- [Release notes](https://github.com/jhy/jsoup/releases)
- [Changelog](https://github.com/jhy/jsoup/blob/master/CHANGES.md)
- [Commits](jhy/jsoup@jsoup-1.22.1...jsoup-1.22.2)

---
updated-dependencies:
- dependency-name: org.springframework.boot:spring-boot-starter-parent
  dependency-version: 4.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-deps
- dependency-name: org.hibernate.orm:hibernate-jpamodelgen
  dependency-version: 7.2.12.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-deps
- dependency-name: org.jsoup:jsoup
  dependency-version: 1.22.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-deps
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added the dependencies and java labels Apr 26, 2026
dependabot Bot requested a review from a team as a code owner April 26, 2026 15:53

dependabot Bot commented on behalf of github May 3, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

dependabot Bot closed this May 3, 2026
dependabot Bot deleted the dependabot/maven/prod-deps-d7177e16b2 branch May 3, 2026 15:52