Bump org.jboss.pnc:pnc-api from 3.4.4 to 3.5.0 by dependabot[bot] · Pull Request #570 · project-ncl/cleaner

dependabot · 2026-05-14T00:03:16Z

Bumps org.jboss.pnc:pnc-api from 3.4.4 to 3.5.0.

Release notes

Sourced from org.jboss.pnc:pnc-api's releases.

3.5.0

What's Changed

🐛 Fixes / 🚀 Enhancements

NCL-9508 - Add taillines to bifrost by @polacektomas in project-ncl/pnc-api#308

bump version to 3.4.2-SNAPSHOT by @michalovjan in project-ncl/pnc-api#309

no shapshot pls by @michalovjan in project-ncl/pnc-api#310

[NCL-9535]: Slsa Provenance has invalid digest key (commit) by @vibe13 in project-ncl/pnc-api#311

bump version to 3.4.3-SNAPSHOT by @michalovjan in project-ncl/pnc-api#316

[NCLSUP-1366] Accept URL with slashes at the end by @akridl in project-ncl/pnc-api#317

bump version to new minor 3.5.0-SNAPSHOT by @michalovjan in project-ncl/pnc-api#318

[cyclic-dependency] move internal classes back to orch and remove cyclic dependency by @michalovjan in project-ncl/pnc-api#319

Reference dto by @michalovjan in project-ncl/pnc-api#320

[NCL-9428] add attachment types by @michalovjan in project-ncl/pnc-api#321

NCL-9545 - Remove Alignment 2 by @rnc in project-ncl/pnc-api#323

NCL-9421 - Change error message format by @polacektomas in project-ncl/pnc-api#325

[NCL-9532] add RPM RepositoryType and BuildType by @michalovjan in project-ncl/pnc-api#322

NCL-9564 Remove GA/GAV classes by @rnc in project-ncl/pnc-api#329

[NCL-9275] Add ExceptionResolution to ReqourCallback by @patrikk0123 in project-ncl/pnc-api#332

Zizmorify github actions by @thescouser89 in project-ncl/pnc-api#338

Add RPM Artifact by @polacektomas in project-ncl/pnc-api#339

Bump gh-action to v0.0.14 and fix typo by @thescouser89 in project-ncl/pnc-api#340

[NCL-9557] create Bifrost FinalLog /checksums endpoint by @michalovjan in project-ncl/pnc-api#341

add Builder and Jacksonized to Checksums by @michalovjan in project-ncl/pnc-api#343

Add keys to enhance the provenance attestations and map build environ… by @vibe13 in project-ncl/pnc-api#342

Update release workflow to main which fixes releases by @thescouser89 in project-ncl/pnc-api#349

Add potential values for a BC parameter key by @akridl in project-ncl/pnc-api#353

[NCL-9667] Remove AUTO as a possible build category by @akridl in project-ncl/pnc-api#350

[NCL-9656,NCL-9657,NCL-9661] Add release,exclude,and validate ghaction by @thescouser89 in project-ncl/pnc-api#351

[NCL-9668] Introduce build categories for IBM and Red Hat suffixing by @akridl in project-ncl/pnc-api#354

[NCL-9665] Fix description for BUILD_CATEGORY by @akridl in project-ncl/pnc-api#356

IBM instance changes only by @akridl in project-ncl/pnc-api#364

Use jboss-parent and revert to JDK8 API. Update gh-actions. by @rnc in project-ncl/pnc-api#363

Remove redundant plugin and property overrides by @rnc in project-ncl/pnc-api#365

Define name for child modules by @akridl in project-ncl/pnc-api#366

👒 Project Dependencies

Bump project-ncl/shared-github-actions/.github/workflows/maven-ci.yml from 0.0.10 to 0.0.12 by @dependabot[bot] in project-ncl/pnc-api#315

Bump project-ncl/shared-github-actions/.github/workflows/maven-snapshot.yml from 0.0.10 to 0.0.12 by @dependabot[bot] in project-ncl/pnc-api#314

Bump project-ncl/shared-github-actions/.github/workflows/maven-release.yml from 0.0.10 to 0.0.12 by @dependabot[bot] in project-ncl/pnc-api#313

Bump version.junit-jupiter-api from 6.0.2 to 6.0.3 by @dependabot[bot] in project-ncl/pnc-api#324

Bump com.fasterxml.jackson.core:jackson-databind from 2.21.0 to 2.21.1 by @dependabot[bot] in project-ncl/pnc-api#326

Bump com.diffplug.spotless:spotless-maven-plugin from 3.2.1 to 3.3.0 by @dependabot[bot] in project-ncl/pnc-api#327

Bump org.projectlombok:lombok from 1.18.42 to 1.18.44 by @dependabot[bot] in project-ncl/pnc-api#328

Bump com.diffplug.spotless:spotless-maven-plugin from 3.3.0 to 3.4.0 by @dependabot[bot] in project-ncl/pnc-api#330

Bump com.fasterxml.jackson.core:jackson-databind from 2.21.1 to 2.21.2 by @dependabot[bot] in project-ncl/pnc-api#333

Bump project-ncl/shared-github-actions/.github/workflows/maven-release.yml from 0.0.14 to 0.0.15 by @dependabot[bot] in project-ncl/pnc-api#347

Bump project-ncl/shared-github-actions/.github/workflows/maven-set-version.yml from 0.0.14 to 0.0.15 by @dependabot[bot] in project-ncl/pnc-api#345

Bump project-ncl/shared-github-actions/.github/workflows/maven-snapshot.yml from 0.0.14 to 0.0.15 by @dependabot[bot] in project-ncl/pnc-api#346

Bump project-ncl/shared-github-actions/.github/workflows/maven-ci.yml from 0.0.14 to 0.0.15 by @dependabot[bot] in project-ncl/pnc-api#344

... (truncated)

Commits

402f876 [maven-release-plugin] prepare release 3.5.0
6ae5cae Define name for child modules
f0d3a8a Remove redundant plugin and property overrides
9f79650 Modify maven-pr permissions
b2a31a3 Use jboss-parent and revert to JDK8 API. Update gh-actions.
db86760 Revert "[NCL-9665] Fix description for BUILD_CATEGORY"
45d751d Revert "[NCL-9668] Introduce build categories for IBM and Red Hat suffixing"
f23040a Bump project-ncl/shared-github-actions/.github/workflows/maven-release.yml
dee3653 [NCL-9665] Fix description for BUILD_CATEGORY
a335e29 Bump org.projectlombok:lombok from 1.18.44 to 1.18.46
Additional commits viewable in compare view

github-actions · 2026-05-14T00:11:05Z

Mend Scan Results

Status: ⚠️ Findings detected

⚠️ SCA findings detected

⚠️ SAST findings detected

SCA scan output

netty.git - netty-4.2.13.Final,io.netty:netty-codec-http:4.1.133.Final,    |
|          |                                       |                | io.netty:netty-codec-http:4.2.13.Final                                                              |
+----------+---------------------------------------+----------------+-----------------------------------------------------------------------------------------------------+
| MEDIUM   | netty-codec-http-4.1.132.Final.jar    | CVE-2026-42581 | Upgrade to version  https://github.com/netty/netty.git - netty-4.1.133.Final,                       |
|          |                                       |                | io.netty:netty-codec-http:4.2.13.Final, https://github.com/netty/netty.git - netty-4.2.13.Final,    |
|          |                                       |                | io.netty:netty-codec-http:4.1.133.Final                                                             |
+----------+---------------------------------------+----------------+-----------------------------------------------------------------------------------------------------+
| MEDIUM   | netty-codec-http-4.1.132.Final.jar    | CVE-2026-42585 | Upgrade to version io.netty:netty-codec-http:4.2.13.Final,io.netty:netty-codec-http:4.1.133.Final   |
+----------+---------------------------------------+----------------+-----------------------------------------------------------------------------------------------------+
| MEDIUM   | opentelemetry-api-1.60.1.jar          | CVE-2026-45292 | N/A                                                                                                 |
+----------+---------------------------------------+----------------+-----------------------------------------------------------------------------------------------------+
| MEDIUM   | reload4j-1.2.19.jar                   | WS-2022-0467   | Upgrade to version ch.qos.reload4j:reload4j:1.2.22                                                  |
+----------+---------------------------------------+----------------+-----------------------------------------------------------------------------------------------------+


Paths at risk

P = policy violation
MSC = malicious vulnerability
CRITICAL/HIGH/MEDIUM/LOW = vulnerability severity

quarkus-jdbc-postgresql-3.35.2.jar
|-- postgresql-42.7.10.jar [1 HIGH]
quarkus-oidc-client-3.35.2.jar
|-- quarkus-vertx-3.35.2.jar
	|-- netty-codec-haproxy-4.1.132.Final.jar
		|-- netty-codec-4.1.132.Final.jar [1 HIGH]
	|-- quarkus-netty-3.35.2.jar
		|-- netty-codec-http2-4.1.132.Final.jar [1 HIGH]
		|-- netty-codec-http-4.1.132.Final.jar [2 HIGH, 4 MEDIUM]
		|-- netty-codec-4.1.132.Final.jar [1 HIGH]
quarkus-opentelemetry-3.35.2.jar
|-- opentelemetry-instrumentation-annotations-support-2.26.1-alpha.jar
	|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
|-- opentelemetry-instrumentation-annotations-2.26.1.jar
	|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
|-- opentelemetry-instrumentation-api-2.26.1.jar
	|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
|-- opentelemetry-jdbc-2.26.1-alpha.jar
	|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
|-- opentelemetry-runtime-telemetry-java17-2.26.1-alpha.jar
	|-- opentelemetry-runtime-telemetry-2.26.1-alpha.jar
		|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
	|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
|-- opentelemetry-api-incubator-1.60.1-alpha.jar
	|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
|-- opentelemetry-exporter-otlp-common-1.60.1.jar
	|-- opentelemetry-exporter-common-1.60.1.jar
		|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
|-- opentelemetry-exporter-otlp-1.60.1.jar
	|-- opentelemetry-sdk-trace-1.60.1.jar
		|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
|-- opentelemetry-sdk-1.60.1.jar
	|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
	|-- opentelemetry-sdk-common-1.60.1.jar
		|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
	|-- opentelemetry-sdk-logs-1.60.1.jar
		|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
	|-- opentelemetry-sdk-metrics-1.60.1.jar
		|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
|-- quarkus-grpc-common-3.35.2.jar
	|-- vertx-grpc-4.5.26.jar
		|-- grpc-netty-1.79.0.jar
			|-- netty-codec-http2-4.1.132.Final.jar [1 HIGH]
			|-- netty-handler-proxy-4.1.132.Final.jar [1 HIGH]
failsafe-2.4.4.jar
|-- vertx-core-4.5.26.jar
	|-- netty-codec-http2-4.1.132.Final.jar [1 HIGH]
		|-- netty-codec-http-4.1.132.Final.jar [2 HIGH, 4 MEDIUM]
		|-- netty-codec-4.1.132.Final.jar [1 HIGH]
	|-- netty-codec-http-4.1.132.Final.jar [2 HIGH, 4 MEDIUM]
	|-- netty-handler-proxy-4.1.132.Final.jar [1 HIGH]
		|-- netty-codec-http-4.1.132.Final.jar [2 HIGH, 4 MEDIUM]
		|-- netty-codec-socks-4.1.132.Final.jar
			|-- netty-codec-4.1.132.Final.jar [1 HIGH]
		|-- netty-codec-4.1.132.Final.jar [1 HIGH]
	|-- netty-handler-4.1.132.Final.jar
		|-- netty-codec-4.1.132.Final.jar [1 HIGH]
	|-- netty-resolver-dns-4.1.132.Final.jar
		|-- netty-codec-dns-4.1.132.Final.jar [1 HIGH]
			|-- netty-codec-4.1.132.Final.jar [1 HIGH]
		|-- netty-codec-4.1.132.Final.jar [1 HIGH]
indy-client-core-java-3.4.5.jar
|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
quarkus-logging-kafka-3.0.4.jar
|-- kafka-log4j-appender-3.9.2.jar
	|-- slf4j-reload4j-1.7.36.jar
		|-- reload4j-1.2.19.jar [1 MEDIUM]
pnc-common-3.5.0-jakarta.jar
|-- opentelemetry-ext-cli-java-2.0.0.jar
	|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
	|-- opentelemetry-semconv-1.29.0-alpha.jar
		|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
|-- jsoup-1.22.2.jar
	|-- netty-codec-http-4.1.132.Final.jar [2 HIGH, 4 MEDIUM]
		|-- netty-codec-4.1.132.Final.jar [1 HIGH]


No Policy violations were detected

Project 'cleaner' was updated, for more information, visit the Mend platform: https://ibmets.whitesourcesoftware.com/app/orgs/Enterprise%20Applications/applications/summary?project=b6b32547-c032-445d-a1e9-03a59d6b736b
Or the Core UI: https://ibmets.whitesourcesoftware.com/Wss/WSS.html#!project;token=10a714dfb5574fcead8c6d64898dcf58d430f60259204c6eb77f4ee4bf394908

Mend AI scan succeeded.

Support Token: 30989e2089c0b4619b082588aae24019e1778859220722

SAST scan output

warning: 'warn' method could be abused to perform a Log Injection attack. User input reached a Log4j sink. (src/main/java/org/jboss/pnc/cleaner/temporaryBuilds/DeleteCallbackManager.java:98)

Full logs and artifacts

thescouser89 · 2026-05-15T15:25:59Z

@dependabot rebase

Bumps [org.jboss.pnc:pnc-api](https://github.com/project-ncl/pnc-api) from 3.4.4 to 3.5.0. - [Release notes](https://github.com/project-ncl/pnc-api/releases) - [Commits](project-ncl/pnc-api@3.4.4...3.5.0) --- updated-dependencies: - dependency-name: org.jboss.pnc:pnc-api dependency-version: 3.5.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels May 14, 2026

dependabot Bot force-pushed the dependabot/maven/org.jboss.pnc-pnc-api-3.5.0 branch from fbd666b to feb3c23 Compare May 15, 2026 15:26

thescouser89 merged commit 67dd879 into master May 15, 2026
3 checks passed

dependabot Bot deleted the dependabot/maven/org.jboss.pnc-pnc-api-3.5.0 branch May 15, 2026 15:35

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump org.jboss.pnc:pnc-api from 3.4.4 to 3.5.0#570

Bump org.jboss.pnc:pnc-api from 3.4.4 to 3.5.0#570
thescouser89 merged 1 commit into
masterfrom
dependabot/maven/org.jboss.pnc-pnc-api-3.5.0

dependabot Bot commented on behalf of github May 14, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented May 14, 2026 •

edited

Loading

Uh oh!

thescouser89 commented May 15, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dependabot Bot commented on behalf of github May 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

3.5.0

What's Changed

🐛 Fixes / 🚀 Enhancements

👒 Project Dependencies

Uh oh!

github-actions Bot commented May 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Mend Scan Results

Uh oh!

thescouser89 commented May 15, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

dependabot Bot commented on behalf of github May 14, 2026 •

edited

Loading

github-actions Bot commented May 14, 2026 •

edited

Loading