chore(deps): bump the all-dependencies group across 1 directory with 5 updates

[dependabot]

Bumps the all-dependencies group with 5 updates in the / directory:

Package	From	To
org.eclipse.jetty:jetty-bom	12.0.32	12.1.8
org.apache.maven.plugins:maven-surefire-plugin	3.2.5	3.5.5
com.diffplug.spotless:spotless-maven-plugin	3.3.0	3.4.0
org.springframework.boot:spring-boot-dependencies	3.4.5	4.0.5
org.springframework.boot:spring-boot-maven-plugin	3.4.5	4.0.5

Updates org.eclipse.jetty:jetty-bom from 12.0.32 to 12.1.8

Release notes

Sourced from org.eclipse.jetty:jetty-bom's releases.

12.1.8

Special Thanks to the following Eclipse Jetty community members

• @​afarber (Alexander Farber)

Changelog

• 14757 Fixes for JASPI isMandatory, authType and isAuthenticationRequest params - Addresses CVE-2026-5795
• #14752 - Jetty 12.1 Violation of RFC9113 with Host and :authority headers
• #14747 - Revert usage of SLF4J2 fluent APIs
• #14732 - possible race condition in jetty 12.x code
• #14694 - Sync jetty-ee11 with jetty-ee10
• #14689 - ThreadIdPool.take() bottlenecks QueuedThreadPool.tryExecute()
• #14687 - Destinations don't keep track of redirections.
• #14685 - CachingHttpContentFactory#getContent may return null if httpContent size is not set
• #14651 - Retain negative Max-Age cookie attribute
• #14494 - Review use of CharsetStringBuilder subclasses
• #14431 - ServletContainerInitializers are always excluded when used with absolute-ordering
• #14332 - Complete mess with idleTimeout
• #13685 - Infinite loop on Content.copy() with Content.Source.from(... , Path, ) when Path has size 0.
• #13513 - Make MemoryEndPoint use RBB.DynamicCapacity (@​afarber)
• #10906 - Add Slf4j ConsoleRequestLog (JettySlf4jRequestLog) module

12.1.7

Special Thanks to the following Eclipse Jetty community members

• @​afarber (Alexander Farber)

Changelog

• #14566 - CompressionHandler/GzipEncoderSink not respect setSyncFlush(true)
• #14495 - Support Transfer-Encoding chunk extensions - Addresses CVE-2026-2332
• #14485 - Illegal header value on UTF-8 encoding when using HTTP/2
• #14442 - Allow splitting of Transfer-Encoding chunks
• #14436 - Jetty 12.1.6 HttpFields from(HttpField...) does not provide opportunity to set compliance listener (@​afarber)
• #14435 - NoSuchMethodError error raised by HttpStateChannel with Jetty 12.1.6 run with maven plugin
• #14408 - Redundant database index created by JDBCSessionDataStore
• #14373 - Response listener that avoids any data copies
• #14366 - Clarify Deprecation Policy
• #14165 - Integrating Eclipse Soteria with Jetty EE10+

12.1.6

Special Thanks to the following Eclipse Jetty community members

• @​afarber (Alexander Farber)

Changelog

... (truncated)

Commits

• c9cdc9a Updating to version 12.1.8
• 1f4039c Fixes for JASPI isMandatory, authType and isAuthenticationRequest params (#14...
• 0bc383d Issue #14431 - fixes for ServletContainerInitializer exclusion with absolute-...
• 31824d4 Optimize ThreadIdPool (#14746)
• fc10b2d Fixes #14651 - Retain negative Max-Age cookie attribute. (#14652)
• 3c269e3 Merge pull request #14687 from jetty/fix/jetty-12.1.x/108-cache-permanent-red...
• 5a63f39 Fixes#108 - Destinations don't keep track of redirections.
• 74fde46 Fixes #14751 - jetty-bom is missing jetty-quic-quiche-server
• 124558c Fixes #14752 - Jetty 12.1 Violation of RFC9113 with Host and :authority heade...
• 8c218d9 [12.1.x Root pom] Bump com.google.protobuf:protobuf-java (#14796)
• Additional commits viewable in compare view

Updates org.apache.maven.plugins:maven-surefire-plugin from 3.2.5 to 3.5.5

Release notes

Sourced from org.apache.maven.plugins:maven-surefire-plugin's releases.

3.5.5

🚀 New features and improvements

• Replace runing external process and parsing output with simple ProcessHandle if available (Java9+) (#3252) @​olamy
• Pass slf4j context to spawned thread (#3241) @​scottrw93
• [SUREFIRE-3239] - allow override of statistics file checksum (#3247) @​XN137
• Reduce log level for skipped tests result to info (#3232) @​strangelookingnerd

🐛 Bug Fixes

• Use PowerShell instead of WMIC for detecting zombie process on Windows (#3258) @​jbliznak. Please note if you are using Windows with Java 8 and not PowerShell (you have options to: use Java 9+, install PowerShell or stay on Surefire 3.5.4)
• Properly work with test failures caused during beforeAll phase (#3194) @​Frawless

📝 Documentation updates

• Clarify how late placeholder replacement (@{...}) deals with (#3208) @​kwin

👻 Maintenance

• Fix Jenkin badges in README (#3254) @​slawekjaranowski
• Use JUnit5 in failsafe ITs (#3251) @​slawekjaranowski
• Remove long-deprecated unused encoding property from VerifyMojo (#3198) @​Tomlincoln
• Add IT and deal with corner cases of handling beforeAll failures (#3200) @​Frawless
• Revert PR #3194 that handle beforeAll failures to follow proper contributing rules (#3211) @​Frawless

🔧 Build

• Missing many files in the GH Artifacts of CI ex-post. (#3219) @​Tibor17

📦 Dependency updates

• Bump org.xmlunit:xmlunit-core from 2.10.4 to 2.11.0 (#3209) @dependabot[bot]
• Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness from 3.4.0 to 3.5.1 (#3260) @dependabot[bot]
• Bump parent from 44 to 47 (#3253) @​slawekjaranowski
• Bump org.assertj:assertj-core from 3.16.1 to 3.27.7 in /surefire-its/src/test/resources/surefire-1733-testng (#3246) @dependabot[bot]
• Bump org.assertj:assertj-core from 3.27.6 to 3.27.7 (#3245) @dependabot[bot]
• Bump org.codehaus.mojo:animal-sniffer-maven-plugin from 1.26 to 1.27 (#3243) @dependabot[bot]
• Bump org.htmlunit:htmlunit from 4.20.0 to 4.21.0 (#3236) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-java from 1.5.1 to 1.5.2 (#3235) @dependabot[bot]
• Bump org.apache.logging.log4j:log4j-core from 2.17.1 to 2.25.3 in /surefire-its/src/test/resources/surefire-1659-stream-corruption (#3234) @dependabot[bot]
• Bump org.htmlunit:htmlunit from 4.19.0 to 4.20.0 (#3228) @dependabot[bot]
• Bump org.htmlunit:htmlunit from 4.18.0 to 4.19.0 (#3224) @dependabot[bot]
• Bump org.apache.commons:commons-lang3 from 3.19.0 to 3.20.0 (#3223) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-interpolation from 1.28 to 1.29 (#3221) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-i18n from 1.0.0 to 1.1.0 (#3220) @dependabot[bot]
• Bump commons-io:commons-io from 2.20.0 to 2.21.0 (#3217) @dependabot[bot]
• Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness from 3.3.0 to 3.4.0 (#3214) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-java from 1.5.0 to 1.5.1 (#3218) @dependabot[bot]
• Bump org.htmlunit:htmlunit from 4.16.0 to 4.18.0 (#3213) @dependabot[bot]

... (truncated)

Commits

• 968cb38 [maven-release-plugin] prepare release surefire-3.5.5
• 8e7dc41 Reapply "Replace runing external process and parsing output with simple Proce...
• 4ced57c Revert "Replace runing external process and parsing output with simple Proces…"
• 8496d9a Bump org.xmlunit:xmlunit-core from 2.10.4 to 2.11.0 (#3209)
• 68265e5 Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness (#3260)
• 0b19014 Replace runing external process and parsing output with simple ProcessHandle ...
• 688f8c4 Use PowerShell instead of WMIC for detecting zombie process on Windows (#3258)
• e5c01a6 Build only by the latest Maven on Jenkins (#3255)
• 9c99e97 Fix Jenkin badges in README (#3254)
• 20930ea Bump parent from 44 to 47 (#3253)
• Additional commits viewable in compare view

Updates com.diffplug.spotless:spotless-maven-plugin from 3.3.0 to 3.4.0

Release notes

Sourced from com.diffplug.spotless:spotless-maven-plugin's releases.

Maven Plugin v3.4.0

Added

• Add tableTest format type for standalone .table files. (#2880)

Changes

• Bump default tabletest-formatter version 1.0.1 -> 1.1.1, now works with Java 17+. (#2880)

Lib v3.3.1

Fixed

• GitPrePushHookInstaller didn't work on windows, now fixed. (#2562)

Changelog

Sourced from com.diffplug.spotless:spotless-maven-plugin's changelog.

spotless-lib and spotless-lib-extra releases

If you are a Spotless user (as opposed to developer), then you are probably looking for:

• https://github.com/diffplug/spotless/blob/main/plugin-gradle/CHANGES.md
• https://github.com/diffplug/spotless/blob/main/plugin-maven/CHANGES.md

This document is intended for Spotless developers.

We adhere to the keepachangelog format (starting after version 1.27.0).

[Unreleased]

Added

• Add javaparserVersion option to the Cleanthat step, allowing callers to override the JavaParser version pulled in transitively by Cleanthat. (#2903)

Changes

• Bump default cleanthat version 2.24 -> 2.25. (#2903)

[4.5.0] - 2026-03-18

Added

• Add tableTest format type for standalone .table files. (#2880)

Changes

• Bump default tabletest-formatter version 1.0.1 -> 1.1.1, now works with Java 17+. (#2880)

[4.4.0] - 2026-03-02

Added

• Add tabletest-formatter support for Java and Kotlin. (#2860)

Fixed

• Fix the ability to specify a wildcard version (*) for external formatter executables, which did not work. (#2848)
• [fix] ConcurrentModificationException in expandWildcardImports (#2830)

[4.3.0] - 2026-01-27

Added

• Add P2Provisioner interface in lib-extra to enable build-tool-specific caching strategies for Eclipse P2 dependencies, fixing OutOfMemoryError in large multi-project builds. (#2788)

Fixed

• removeSemicolons() should not be applied to multiline strings in groovy #2780 (#2792)

[4.2.0] - 2026-01-22

Added

• Add a expandWildcardImports API for java (#2679)
• Add the ability to specify a wildcard version (*) for external formatter executables. (#2757)

Fixed

• Prevent race conditions when multiple npm-based formatters launch the server process simultaneously while sharing the same node_modules directory. (#2786)
• Git ratchet no longer throws an error with Git worktrees. (#2779)

Changes

• Bump default ktfmt version to latest 0.59 -> 0.61. (2804)
• Bump default ktlint version to latest 1.7.1 -> 1.8.0. (2763)
• Bump default gherkin-utils version to latest 9.2.0 -> 10.0.0. (#2619)

[4.1.0] - 2025-11-18

... (truncated)

Commits

• 708a1b0 Published maven/3.4.0
• 1cc0163 Published gradle/8.4.0
• a4cd808 Published lib/4.5.0
• 9066bf6 Add links to the changelog.
• db8dc1c Fix for illegal mutation issue with predeclareDeps (#2892)
• 0eb98a9 chore: Updated gradle plugin change
• 3f7f12e chore: Removes check for predeclare as it's not needed anymore
• 55c0c5c fix: IsolatedProjectTest.predeclaredIsUnsupported() is now actually supported...
• 47489af fix: avoid IllegalMutationException when root project uses predeclareDeps() w...
• 4010e8b test: Introduce a test harnessing predeclared deps
• Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-dependencies from 3.4.5 to 4.0.5

Release notes

Sourced from org.springframework.boot:spring-boot-dependencies's releases.

v4.0.5

🐞 Bug Fixes

• Test starter for Spring Integration does not include Spring Integration test module #49784
• Some sliced tests that import TransactionAutoConfiguration do not import TransactionManagerCustomizationAutoConfiguration #49782
• WebSocket messaging's task executors are only auto-configured and stompWebSocketHandlerMapping is only forced to be eager when using Jackson #49753
• WebSocket app fails to start when Jackson is on the classpath but there's no JsonMapper bean #49749
• Metadata annotation processor ignores method-level @NestedConfigurationProperty when using constructor binding #49738
• Override of property in external 'application.properties' or 'application.yaml' is ignored #49731
• NativeImageResourceProvider does not find Flyway migration scripts in subdirectories #49706
• Add @ConditionalOnWebApplication to NettyReactiveWebServerAutoConfiguration #49695
• @GraphQlTest does not include @ControllerAdvice #49672

📔 Documentation

• Fix incorrect indefinite articles in Javadoc #49727
• Add some more Kotlin examples and trivial style fixes #49714
• Overhaul Spring Session documentation following modularization #49704

🔨 Dependency Upgrades

• Upgrade to Brave 6.3.1 #49763
• Upgrade to Jackson 2 Bom 2.21.2 #49764
• Upgrade to jOOQ 3.19.31 #49765
• Upgrade to Netty 4.2.12.Final #49794
• Upgrade to Tomcat 11.0.20 #49767
• Upgrade to Zipkin Reporter 3.5.3 #49762

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Joowon-Seo, @​deejay1, @​dlwldnjs1009, @​kwondh5217, @​ljrmorgan, and @​quaff

v4.0.4

⚠️ Attention Required

• OpenTelemetry's ZipkinSpanExporter has been deprecated and its support will be removed in Spring Boot 4.2. #49453
• Jackson 2 has been upgraded to 2.21.1 in response to the Jackson team ending support for Jackson 2.20.x. #49389
• Jackson has been upgraded to 3.1.0 in response to the Jackson team ending support for Jackson 3.0.x. #49383
• The default value for server.tomcat.max-part-count has been increased from 10 to 50. This aligns it with Tomcat's own default and the default in Spring Boot 3.x. #49311

🐞 Bug Fixes

• EndpointRequest request matcher for health groups is too complex #49649
• "/cloudfoundryapplication" web path is not limited to Actuator #49646
• Fix EndpointRequest.toLinks() when base-path is '/' #49617
• Docker fails when a 'tcp://' address ends with a slash (for example 'tcp://docker:2375/') #49596
• RSocket exposes duplicate endpoint for websocket setups #49593
• Failure analysis for a missing mail sender is misleading #49582

... (truncated)

Commits

• fe74b31 Release v4.0.5
• e1d6e5a Merge branch '3.5.x' into 4.0.x
• 6c9e52a Next development version (v3.5.14-SNAPSHOT)
• a413e95 Upgrade to Netty 4.2.12.Final
• c1694b5 Add missing Spring Integration test module to the relevant starter
• 51ffdc6 Merge branch '3.5.x' into 4.0.x
• 696a60e Full auto-configure transaction management in slice tests
• ba70d41 Upgrade to Tomcat 11.0.20
• fd94ca0 Upgrade to Netty 4.2.11.Final
• 7e6833b Upgrade to jOOQ 3.19.31
• Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-maven-plugin from 3.4.5 to 4.0.5

Release notes

Sourced from org.springframework.boot:spring-boot-maven-plugin's releases.

v4.0.5

🐞 Bug Fixes

• Test starter for Spring Integration does not include Spring Integration test module #49784
• Some sliced tests that import TransactionAutoConfiguration do not import TransactionManagerCustomizationAutoConfiguration #49782
• WebSocket messaging's task executors are only auto-configured and stompWebSocketHandlerMapping is only forced to be eager when using Jackson #49753
• WebSocket app fails to start when Jackson is on the classpath but there's no JsonMapper bean #49749
• Metadata annotation processor ignores method-level @NestedConfigurationProperty when using constructor binding #49738
• Override of property in external 'application.properties' or 'application.yaml' is ignored #49731
• NativeImageResourceProvider does not find Flyway migration scripts in subdirectories #49706
• Add @ConditionalOnWebApplication to NettyReactiveWebServerAutoConfiguration #49695
• @GraphQlTest does not include @ControllerAdvice #49672

📔 Documentation

• Fix incorrect indefinite articles in Javadoc #49727
• Add some more Kotlin examples and trivial style fixes #49714
• Overhaul Spring Session documentation following modularization #49704

🔨 Dependency Upgrades

• Upgrade to Brave 6.3.1 #49763
• Upgrade to Jackson 2 Bom 2.21.2 #49764
• Upgrade to jOOQ 3.19.31 #49765
• Upgrade to Netty 4.2.12.Final #49794
• Upgrade to Tomcat 11.0.20 #49767
• Upgrade to Zipkin Reporter 3.5.3 #49762

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Joowon-Seo, @​deejay1, @​dlwldnjs1009, @​kwondh5217, @​ljrmorgan, and @​quaff

v4.0.4

⚠️ Attention Required

• OpenTelemetry's ZipkinSpanExporter has been deprecated and its support will be removed in Spring Boot 4.2. #49453
• Jackson 2 has been upgraded to 2.21.1 in response to the Jackson team ending support for Jackson 2.20.x. #49389
• Jackson has been upgraded to 3.1.0 in response to the Jackson team ending support for Jackson 3.0.x. #49383
• The default value for server.tomcat.max-part-count has been increased from 10 to 50. This aligns it with Tomcat's own default and the default in Spring Boot 3.x. #49311

🐞 Bug Fixes

• EndpointRequest request matcher for health groups is too complex #49649
• "/cloudfoundryapplication" web path is not limited to Actuator #49646
• Fix EndpointRequest.toLinks() when base-path is '/' #49617
• Docker fails when a 'tcp://' address ends with a slash (for example 'tcp://docker:2375/') #49596
• RSocket exposes duplicate endpoint for websocket setups #49593
• Failure analysis for a missing mail sender is misleading #49582

... (truncated)

Commits

• fe74b31 Release v4.0.5
• e1d6e5a Merge branch '3.5.x' into 4.0.x
• 6c9e52a Next development version (v3.5.14-SNAPSHOT)
• a413e95 Upgrade to Netty 4.2.12.Final
• c1694b5 Add missing Spring Integration test module to the relevant starter
• 51ffdc6 Merge branch '3.5.x' into 4.0.x
• 696a60e Full auto-configure transaction management in slice tests
• ba70d41 Upgrade to Tomcat 11.0.20
• fd94ca0 Upgrade to Netty 4.2.11.Final
• 7e6833b Upgrade to jOOQ 3.19.31
• Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-maven-plugin from 3.4.5 to 4.0.5

Release notes

Sourced from org.springframework.boot:spring-boot-maven-plugin's releases.

v4.0.5

🐞 Bug Fixes

• Test starter for Spring Integration does not include Spring Integration test module #49784
• Some sliced tests that import TransactionAutoConfiguration do not import TransactionManagerCustomizationAutoConfiguration #49782
• WebSocket messaging's task executors are only auto-configured and stompWebSocketHandlerMapping is only forced to be eager when using Jackson #49753
• WebSocket app fails to start when Jackson is on the classpath but there's no JsonMapper bean #49749
• Metadata annotation processor ignores method-level @NestedConfigurationProperty when using constructor binding #49738
• Override of property in external 'application.properties' or 'application.yaml' is ignored #49731
• NativeImageResourceProvider does not find Flyway migration scripts in subdirectories #49706
• Add @ConditionalOnWebApplication to NettyReactiveWebServerAutoConfiguration #49695
• @GraphQlTest does not include @ControllerAdvice #49672

📔 Documentation

• Fix incorrect indefinite articles in Javadoc #49727
• Add some more Kotlin examples and trivial style fixes #49714
• Overhaul Spring Session documentation following modularization #49704

🔨 Dependency Upgrades

• Upgrade to Brave 6.3.1 #49763
• Upgrade to Jackson 2 Bom 2.21.2 #49764
• Upgrade to jOOQ 3.19.31 #49765
• Upgrade to Netty 4.2.12.Final #49794
• Upgrade to Tomcat 11.0.20 #49767
• Upgrade to Zipkin Reporter 3.5.3 #49762

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Joowon-Seo, @​deejay1, @​dlwldnjs1009, @​kwondh5217, @​ljrmorgan, and @​quaff

v4.0.4

⚠️ Attention Required

• OpenTelemetry's ZipkinSpanExporter has been deprecated and its support will be removed in Spring Boot 4.2. #49453
• Jackson 2 has been upgraded to 2.21.1 in response to the Jackson team ending support for Jackson 2.20.x. #49389
• Jackson has been upgraded to 3.1.0 in response to the Jackson team ending support for Jackson 3.0.x. #49383
• The default value for server.tomcat.max-part-count has been increased from 10 to 50. This aligns it with Tomcat's own default and the default in Spring Boot 3.x. #49311

🐞 Bug Fixes

• EndpointRequest request matcher for health groups is too complex #49649
• "/cloudfoundryapplication" web path is not limited to Actuator #49646
• Fix EndpointRequest.toLinks() when base-path is '/' #49617
• Docker fails when a 'tcp://' address ends with a slash (for example 'tcp://docker:2375/') #49596
• RSocket exposes duplicate endpoint for websocket setups #49593
• Failure analysis for a missing mail sender is misleading #49582

... (truncated)

Commits

• fe74b31 Release v4.0.5
• e1d6e5a Merge branch '3.5.x' into 4.0.x
• 6c9e52a Next development version (v3.5.14-SNAPSHOT)
• a413e95 Upgrade to Netty 4.2.12.Final
• c1694b5 Add missing Spring Integration test module to the relevant starter
• 51ffdc6 Merge branch '3.5.x' into 4.0.x
• 696a60e Full auto-configure transaction management in slice tests
• ba70d41 Upgrade to Tomcat 11.0.20
• fd94ca0 Upgrade to Netty 4.2.11.Final
• 7e6833b Upgrade to jOOQ 3.19.31
• Additional commits viewable in compare view

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.