diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 59fcfd2d..bf91234d 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -7,6 +7,12 @@ updates:
- "/"
- "/examples"
- "/benchmarks"
+ # Send Maven update PRs to the integration branch, not the
+ # default branch. Releases are cut from `develop` then merged
+ # to `main`; targeting `main` (the default) made every Dependabot
+ # PR land alongside the latest release and force-diverge from
+ # ongoing dev work — fixed in v1.6.8 after the #111 / #115 episodes.
+ target-branch: develop
schedule:
interval: weekly
day: monday
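Review bot: The new `target-branch: develop` line changes more than where version-update PRs land, and the comment above it should say so: per GitHub's documented behavior for `target-branch`, once a non-default branch is set, the settings in this `maven` block no longer affect Dependabot security-update PRs, which continue to be raised against the default branch (`main`). That likely means the `ignore` entries this config relies on (the CHANGELOG in this same diff cites a jackson-bom 2.22.0 ignore) and any grouping will not apply to security-driven bumps, so a CVE fix can still land on `main` alone and recreate the very divergence the comment says is fixed — worth confirming against the current docs. I would append to the comment: `# NOTE: security-update PRs are still raised against the default branch and` / `# ignore/group settings here no longer apply to them; re-align main→develop after each.` The same caveat applies to the `github-actions` block further down.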
@@ -37,6 +43,9 @@ updates:
- package-ecosystem: github-actions
directory: "/"
+ # Same reasoning as the maven block above — workflow updates
+ # ride the integration branch.
+ target-branch: develop
schedule:
interval: weekly
day: monday
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0852ef58..21a92492 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,31 @@ follow-ups carried over from the v1.6.7 senior review (see
[ROADMAP.md](ROADMAP.md) and the private taskboard). No breaking
changes are planned.
+### Build
+
+- Bumped `jackson-bom` 2.21.3 → 2.21.4 (broken 2.22.0 skipped via
+ the `.github/dependabot.yml` ignore entry added in v1.6.7),
+ `logback-classic` 1.5.32 → 1.5.34 (fixes
+ [CVE-2026-9828](https://www.cve.org/cverecord?id=CVE-2026-9828) —
+ deserialization whitelist bypass in `HardenedModelInputStream`),
+ `central-publishing-maven-plugin` 0.7.0 → 0.9.0 (0.10.0
+ blocked by the existing ignore entry; revisit after a focused
+ release-profile evaluation), `japicmp-maven-plugin` 0.23.1 →
+ 0.26.1, and a handful of `maven-*-plugin` minor/patch bumps
+ (clean / site / resources / enforcer 3.5.0 → 3.6.3 / surefire
+ 3.5.5 → 3.5.6 / source 3.3.1 → 3.4.0 / gpg 3.2.7 →
+ 3.2.8) ([#115](https://github.com/DemchaAV/GraphCompose/pull/115),
+ cherry-picked from `main` to align `develop`).
+
+### CI
+
+- `.github/dependabot.yml` now pins both ecosystems
+ (`maven`, `github-actions`) to `target-branch: develop` so future
+ grouped PRs land on the integration branch instead of `main`.
+ Closes the divergence root cause behind the v1.6.7-era #111 /
+ #115 episodes where every Dependabot PR force-split history
+ between branches and required a cherry-pick to align.
+
### Documentation
- New quickstart guide
diff --git a/benchmarks/pom.xml b/benchmarks/pom.xml
index 431346c5..2b526d2d 100644
--- a/benchmarks/pom.xml
+++ b/benchmarks/pom.xml
@@ -26,7 +26,7 @@
6.1.0
3.27.7
- 1.5.32
+ 1.5.34
1.0.10
5.5.13.3
@@ -129,7 +129,7 @@
org.apache.maven.plugins
maven-surefire-plugin
- 3.5.5
+ 3.5.6
org.codehaus.mojo
diff --git a/examples/pom.xml b/examples/pom.xml
index 06923992..39653046 100644
--- a/examples/pom.xml
+++ b/examples/pom.xml
@@ -18,7 +18,7 @@
${project.version}
- 1.5.32
+ 1.5.34
17
6.1.0
@@ -79,7 +79,7 @@
org.apache.maven.plugins
maven-surefire-plugin
- 3.5.5
+ 3.5.6
diff --git a/pom.xml b/pom.xml
index 60f4033c..500bb703 100644
--- a/pom.xml
+++ b/pom.xml
@@ -47,8 +47,8 @@
0.64.8
- 2.21.3
- 1.5.32
+ 2.21.4
+ 1.5.34
1.18.46
3.0.7
5.5.1
@@ -63,20 +63,20 @@
1.18.8
- 0.7.0
+ 0.9.0
3.15.0
- 3.5.0
- 3.2.7
+ 3.6.3
+ 3.2.8
3.12.0
- 3.3.1
- 3.5.5
+ 3.4.0
+ 3.5.6
3.8.0
17
- 0.23.1
+ 0.26.1
v1.6.7