chore(deps): bump the all-dependencies group across 1 directory with 6 updates

[dependabot]

Bumps the all-dependencies group with 6 updates in the / directory:

Package	From	To
org.eclipse.jetty:jetty-bom	12.0.32	12.1.9
com.fasterxml.jackson:jackson-bom	2.21.2	2.21.3
org.apache.maven.plugins:maven-surefire-plugin	3.2.5	3.5.5
com.diffplug.spotless:spotless-maven-plugin	3.3.0	3.4.0
org.springframework.boot:spring-boot-dependencies	3.4.5	4.0.6
org.springframework.boot:spring-boot-maven-plugin	3.4.5	4.0.6

Updates org.eclipse.jetty:jetty-bom from 12.0.32 to 12.1.9

Release notes

Sourced from org.eclipse.jetty:jetty-bom's releases.

12.1.9

Changelog

• #14972 - Jetty 12.1.8 jetty-home has lib/*-config.jar files
• #14913 - Upgrade to Quiche version 0.28.0
• #14870 - Refactor compliance checks
• #14853 - CombinedResource.getRealURI() returns null when multiple members exist, causing 404 for all static resources
• #14846 - NPE in MimeTypes$Mutable.getMimeByExtension on startup with web-fragment with mime mapping
• #14824 - FileSystemPool doesn't always own its filesystems
• #14821 - Websocket IllegalStateException ('Demand already fulfilled') since Jetty 12.1
• #14805 - HTTP/3 server crashes on quiche_header_info
• #14646 - Regression in Jetty 12.1: Invalid UTF-8 exception for application/x-www-form-urlencoded; charset=iso-8859-1
• #14564 - Jetty 12.1.x TLS connections hang after several requests with internal HTTPS self-requests
• #14541 - Jetty HTTP Client - setMaxRequestHeadersSize resulting in java.lang.OutOfMemoryError
• #14196 - Using passivation with eviction: HttpServletRequest.getSession() may return null due to race-condition
• #12110 - Request Authority checks needed
• #8876 - Jetty 12 - JMX-ify HttpContent.Factory implementations

12.1.8

Special Thanks to the following Eclipse Jetty community members

• @​afarber (Alexander Farber)

Changelog

• 14757 Fixes for JASPI isMandatory, authType and isAuthenticationRequest params - Addresses CVE-2026-5795
• #14752 - Jetty 12.1 Violation of RFC9113 with Host and :authority headers
• #14747 - Revert usage of SLF4J2 fluent APIs
• #14732 - possible race condition in jetty 12.x code
• #14694 - Sync jetty-ee11 with jetty-ee10
• #14689 - ThreadIdPool.take() bottlenecks QueuedThreadPool.tryExecute()
• #14687 - Destinations don't keep track of redirections.
• #14685 - CachingHttpContentFactory#getContent may return null if httpContent size is not set
• #14651 - Retain negative Max-Age cookie attribute
• #14494 - Review use of CharsetStringBuilder subclasses
• #14431 - ServletContainerInitializers are always excluded when used with absolute-ordering
• #14332 - Complete mess with idleTimeout
• #13685 - Infinite loop on Content.copy() with Content.Source.from(... , Path, ) when Path has size 0.
• #13513 - Make MemoryEndPoint use RBB.DynamicCapacity (@​afarber)
• #10906 - Add Slf4j ConsoleRequestLog (JettySlf4jRequestLog) module

12.1.7

Special Thanks to the following Eclipse Jetty community members

• @​afarber (Alexander Farber)

Changelog

... (truncated)

Commits

• b1fb145 Updating to version 12.1.9
• 6ca6c9a Fixes #14564 - Jetty 12.1.x TLS connections hang after several requests with ...
• 98524be Fixes #14541 - Jetty HTTP Client - setMaxRequestHeadersSize resulting in java...
• d0c3b5f Fixes #14972 - Jetty 12.1.8 jetty-home has lib/*-config.jar files
• 3e5a4da Fixes #12110 - Request Authority checks needed. (#14970)
• 650e6f6 Merge pull request #14969 from jetty/fix/jetty-12.1.x/UriUtilCleanup
• ade27ce Various cleanups for URIUtil
• b4fafbc Issue #14196 fix race in session eviction
• 87bc532 Fix imports in DispatcherTest
• cb8fceb Fixed newlines in the expected response.
• Additional commits viewable in compare view

Updates com.fasterxml.jackson:jackson-bom from 2.21.2 to 2.21.3

Commits

• 374fbd0 [maven-release-plugin] prepare release jackson-bom-2.21.3
• 7059df7 Prep for 2.21.3 release
• 2fd60bd Merge branch '2.20' into 2.21
• b82a364 Merge branch '2.19' into 2.20
• ef4e013 Merge branch '2.18' into 2.19
• 536ae51 Post-release dep version bump
• 536c533 [maven-release-plugin] prepare for next development iteration
• 426b778 [maven-release-plugin] prepare release jackson-bom-2.18.7
• a73cda9 Prep for 2.18.7 release
• 76b4a05 Post-release dep version bump
• Additional commits viewable in compare view

Updates org.apache.maven.plugins:maven-surefire-plugin from 3.2.5 to 3.5.5

Release notes

Sourced from org.apache.maven.plugins:maven-surefire-plugin's releases.

3.5.5

🚀 New features and improvements

• Replace runing external process and parsing output with simple ProcessHandle if available (Java9+) (#3252) @​olamy
• Pass slf4j context to spawned thread (#3241) @​scottrw93
• [SUREFIRE-3239] - allow override of statistics file checksum (#3247) @​XN137
• Reduce log level for skipped tests result to info (#3232) @​strangelookingnerd

🐛 Bug Fixes

• Use PowerShell instead of WMIC for detecting zombie process on Windows (#3258) @​jbliznak. Please note if you are using Windows with Java 8 and not PowerShell (you have options to: use Java 9+, install PowerShell or stay on Surefire 3.5.4)
• Properly work with test failures caused during beforeAll phase (#3194) @​Frawless

📝 Documentation updates

• Clarify how late placeholder replacement (@{...}) deals with (#3208) @​kwin

👻 Maintenance

• Fix Jenkin badges in README (#3254) @​slawekjaranowski
• Use JUnit5 in failsafe ITs (#3251) @​slawekjaranowski
• Remove long-deprecated unused encoding property from VerifyMojo (#3198) @​Tomlincoln
• Add IT and deal with corner cases of handling beforeAll failures (#3200) @​Frawless
• Revert PR #3194 that handle beforeAll failures to follow proper contributing rules (#3211) @​Frawless

🔧 Build

• Missing many files in the GH Artifacts of CI ex-post. (#3219) @​Tibor17

📦 Dependency updates

• Bump org.xmlunit:xmlunit-core from 2.10.4 to 2.11.0 (#3209) @dependabot[bot]
• Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness from 3.4.0 to 3.5.1 (#3260) @dependabot[bot]
• Bump parent from 44 to 47 (#3253) @​slawekjaranowski
• Bump org.assertj:assertj-core from 3.16.1 to 3.27.7 in /surefire-its/src/test/resources/surefire-1733-testng (#3246) @dependabot[bot]
• Bump org.assertj:assertj-core from 3.27.6 to 3.27.7 (#3245) @dependabot[bot]
• Bump org.codehaus.mojo:animal-sniffer-maven-plugin from 1.26 to 1.27 (#3243) @dependabot[bot]
• Bump org.htmlunit:htmlunit from 4.20.0 to 4.21.0 (#3236) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-java from 1.5.1 to 1.5.2 (#3235) @dependabot[bot]
• Bump org.apache.logging.log4j:log4j-core from 2.17.1 to 2.25.3 in /surefire-its/src/test/resources/surefire-1659-stream-corruption (#3234) @dependabot[bot]
• Bump org.htmlunit:htmlunit from 4.19.0 to 4.20.0 (#3228) @dependabot[bot]
• Bump org.htmlunit:htmlunit from 4.18.0 to 4.19.0 (#3224) @dependabot[bot]
• Bump org.apache.commons:commons-lang3 from 3.19.0 to 3.20.0 (#3223) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-interpolation from 1.28 to 1.29 (#3221) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-i18n from 1.0.0 to 1.1.0 (#3220) @dependabot[bot]
• Bump commons-io:commons-io from 2.20.0 to 2.21.0 (#3217) @dependabot[bot]
• Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness from 3.3.0 to 3.4.0 (#3214) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-java from 1.5.0 to 1.5.1 (#3218) @dependabot[bot]
• Bump org.htmlunit:htmlunit from 4.16.0 to 4.18.0 (#3213) @dependabot[bot]

... (truncated)

Commits

• 968cb38 [maven-release-plugin] prepare release surefire-3.5.5
• 8e7dc41 Reapply "Replace runing external process and parsing output with simple Proce...
• 4ced57c Revert "Replace runing external process and parsing output with simple Proces…"
• 8496d9a Bump org.xmlunit:xmlunit-core from 2.10.4 to 2.11.0 (#3209)
• 68265e5 Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness (#3260)
• 0b19014 Replace runing external process and parsing output with simple ProcessHandle ...
• 688f8c4 Use PowerShell instead of WMIC for detecting zombie process on Windows (#3258)
• e5c01a6 Build only by the latest Maven on Jenkins (#3255)
• 9c99e97 Fix Jenkin badges in README (#3254)
• 20930ea Bump parent from 44 to 47 (#3253)
• Additional commits viewable in compare view

Updates com.diffplug.spotless:spotless-maven-plugin from 3.3.0 to 3.4.0

Release notes

Sourced from com.diffplug.spotless:spotless-maven-plugin's releases.

Maven Plugin v3.4.0

Added

• Add tableTest format type for standalone .table files. (#2880)

Changes

• Bump default tabletest-formatter version 1.0.1 -> 1.1.1, now works with Java 17+. (#2880)

Lib v3.3.1

Fixed

• GitPrePushHookInstaller didn't work on windows, now fixed. (#2562)

Changelog

Sourced from com.diffplug.spotless:spotless-maven-plugin's changelog.

spotless-lib and spotless-lib-extra releases

If you are a Spotless user (as opposed to developer), then you are probably looking for:

• https://github.com/diffplug/spotless/blob/main/plugin-gradle/CHANGES.md
• https://github.com/diffplug/spotless/blob/main/plugin-maven/CHANGES.md

This document is intended for Spotless developers.

We adhere to the keepachangelog format (starting after version 1.27.0).

[Unreleased]

Added

• Add javaparserVersion option to the Cleanthat step, allowing callers to override the JavaParser version pulled in transitively by Cleanthat. (#2903)

Changes

• Bump default cleanthat version 2.24 -> 2.25. (#2903)
• Bump default eclipse-jdt version from 4.35 to 4.39. (#2912)

[4.5.0] - 2026-03-18

Added

• Add tableTest format type for standalone .table files. (#2880)

Changes

• Bump default tabletest-formatter version 1.0.1 -> 1.1.1, now works with Java 17+. (#2880)

[4.4.0] - 2026-03-02

Added

• Add tabletest-formatter support for Java and Kotlin. (#2860)

Fixed

• Fix the ability to specify a wildcard version (*) for external formatter executables, which did not work. (#2848)
• [fix] ConcurrentModificationException in expandWildcardImports (#2830)

[4.3.0] - 2026-01-27

Added

• Add P2Provisioner interface in lib-extra to enable build-tool-specific caching strategies for Eclipse P2 dependencies, fixing OutOfMemoryError in large multi-project builds. (#2788)

Fixed

• removeSemicolons() should not be applied to multiline strings in groovy #2780 (#2792)

[4.2.0] - 2026-01-22

Added

• Add a expandWildcardImports API for java (#2679)
• Add the ability to specify a wildcard version (*) for external formatter executables. (#2757)

Fixed

• Prevent race conditions when multiple npm-based formatters launch the server process simultaneously while sharing the same node_modules directory. (#2786)
• Git ratchet no longer throws an error with Git worktrees. (#2779)

Changes

• Bump default ktfmt version to latest 0.59 -> 0.61. (2804)
• Bump default ktlint version to latest 1.7.1 -> 1.8.0. (2763)
• Bump default gherkin-utils version to latest 9.2.0 -> 10.0.0. (#2619)

... (truncated)

Commits

• 708a1b0 Published maven/3.4.0
• 1cc0163 Published gradle/8.4.0
• a4cd808 Published lib/4.5.0
• 9066bf6 Add links to the changelog.
• db8dc1c Fix for illegal mutation issue with predeclareDeps (#2892)
• 0eb98a9 chore: Updated gradle plugin change
• 3f7f12e chore: Removes check for predeclare as it's not needed anymore
• 55c0c5c fix: IsolatedProjectTest.predeclaredIsUnsupported() is now actually supported...
• 47489af fix: avoid IllegalMutationException when root project uses predeclareDeps() w...
• 4010e8b test: Introduce a test harnessing predeclared deps
• Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-dependencies from 3.4.5 to 4.0.6

Release notes

Sourced from org.springframework.boot:spring-boot-dependencies's releases.

v4.0.6

🐞 Bug Fixes

• Default security is misconfigured when spring-boot-actuator-autoconfigure is present and spring-boot-health is not #50188
• Elasticsearch Rest5Client auto-configuration misconfigures underlying HTTP client #50187
• ApplicationPidFileWriter does not handle symlinks correctly #50185
• RandomValuePropertySource is not suitable for secrets #50183
• Cassandra auto-configuration misconfigures CqlSessionBuilder #50180
• ApplicationTemp does not handle symlinks correctly #50178
• Remote DevTools performs comparison incorrectly #50176
• spring.rabbitmq.ssl.verify-hostname is applied inconsistently #50174
• Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #50077
• Classic starters are missing several modules #50071
• Module spring-boot-resttestclient is missing from spring-boot-starter-test-classic #50069
• Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #50064
• EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #50039
• WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #50017
• Imports on a containing test class are ignored when a nested class has imports #50012
• With spring.jackson.use-jackson2-defaults set to true, FAIL_ON_UNKNOWN_PROPERTIES is enabled #49951
• 500 response from env endpoint when supplied pattern is invalid #49946
• Reactive MongoDB starter has a transitive dependency on the synchronous MongoDB driver #49945
• HTTP method is lost when configuring excludes in EndpointRequest #49943
• Honor HttpMethod for reactive additional endpoint paths #49880
• Docker Compose support doesn't work with apache/artemis image #49869
• Docker Compose support doesn't work with apache/activemq image #49866
• Spring Security's PathPatternRequestMatcher.Builder is not auto-configured when using WebMvcTest and spring-boot-security-test #49854
• API versioning path strategy should be applied path last as it is not meant to yield #49800

📔 Documentation

• Update docs to encourage Java fundamentals for beginners that prefer to learn that way #50146
• HTTP Service Interface Clients still document that API versioning can be configured via properties #50126
• Link to the observability section of the Lettuce documentation is broken #50097
• Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location #50085
• MySamlRelyingPartyConfiguration is missing a Kotlin sample #50024
• Incorrect default value for management.httpexchanges.recording.include in configuration metadata #50019
• Link to the Kubernetes documentation when discussing startup probes #50015
• Typo in JdbcSessionAutoConfiguration Javadoc #49873
• Clarify that configuration property default values are not available through the Environment #49851
• Document the need for Liquibase and Flyway starters #49839
• Kafka documentation refers to deprecated JSON serializer and deserializer classes #49826

🔨 Dependency Upgrades

• Upgrade to Elasticsearch Client 9.2.8 #50027
• Upgrade to Groovy 5.0.5 #49911
• Upgrade to Hibernate 7.2.12.Final #50134
• Upgrade to Jackson Bom 3.1.2 #50051
• Upgrade to Jaxen 2.0.1 #50104
• Upgrade to Jaybird 6.0.5 #49914

... (truncated)

Commits

• 8821ad2 Release v4.0.6
• 9e4048a Merge branch '3.5.x' into 4.0.x
• 20bb11c Next development version (v3.5.15-SNAPSHOT)
• 98daa8e Merge branch '3.5.x' into 4.0.x
• 9dc5aa2 Polish
• 874f629 Fix default security with actuator but without health
• e41b3bf Enable hostname verification for SSL connections to Elasticsearch
• ef8527b Merge branch '3.5.x' into 4.0.x
• f533a45 Do not follow symlinks when writing PID file
• 4a7bd33 Merge branch '3.5.x' into 4.0.x
• Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-maven-plugin from 3.4.5 to 4.0.6

Release notes

Sourced from org.springframework.boot:spring-boot-maven-plugin's releases.

v4.0.6

🐞 Bug Fixes

• Default security is misconfigured when spring-boot-actuator-autoconfigure is present and spring-boot-health is not #50188
• Elasticsearch Rest5Client auto-configuration misconfigures underlying HTTP client #50187
• ApplicationPidFileWriter does not handle symlinks correctly #50185
• RandomValuePropertySource is not suitable for secrets #50183
• Cassandra auto-configuration misconfigures CqlSessionBuilder #50180
• ApplicationTemp does not handle symlinks correctly #50178
• Remote DevTools performs comparison incorrectly #50176
• spring.rabbitmq.ssl.verify-hostname is applied inconsistently #50174
• Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #50077
• Classic starters are missing several modules #50071
• Module spring-boot-resttestclient is missing from spring-boot-starter-test-classic #50069
• Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #50064
• EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #50039
• WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #50017
• Imports on a containing test class are ignored when a nested class has imports #50012
• With spring.jackson.use-jackson2-defaults set to true, FAIL_ON_UNKNOWN_PROPERTIES is enabled #49951
• 500 response from env endpoint when supplied pattern is invalid #49946
• Reactive MongoDB starter has a transitive dependency on the synchronous MongoDB driver #49945
• HTTP method is lost when configuring excludes in EndpointRequest #49943
• Honor HttpMethod for reactive additional endpoint paths #49880
• Docker Compose support doesn't work with apache/artemis image #49869
• Docker Compose support doesn't work with apache/activemq image #49866
• Spring Security's PathPatternRequestMatcher.Builder is not auto-configured when using WebMvcTest and spring-boot-security-test #49854
• API versioning path strategy should be applied path last as it is not meant to yield #49800

📔 Documentation

• Update docs to encourage Java fundamentals for beginners that prefer to learn that way #50146
• HTTP Service Interface Clients still document that API versioning can be configured via properties #50126
• Link to the observability section of the Lettuce documentation is broken #50097
• Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location #50085
• MySamlRelyingPartyConfiguration is missing a Kotlin sample #50024
• Incorrect default value for management.httpexchanges.recording.include in configuration metadata #50019
• Link to the Kubernetes documentation when discussing startup probes #50015
• Typo in JdbcSessionAutoConfiguration Javadoc #49873
• Clarify that configuration property default values are not available through the Environment #49851
• Document the need for Liquibase and Flyway starters #49839
• Kafka documentation refers to deprecated JSON serializer and deserializer classes #49826

🔨 Dependency Upgrades

• Upgrade to Elasticsearch Client 9.2.8 #50027
• Upgrade to Groovy 5.0.5 #49911
• Upgrade to Hibernate 7.2.12.Final #50134
• Upgrade to Jackson Bom 3.1.2 #50051
• Upgrade to Jaxen 2.0.1 #50104
• Upgrade to Jaybird 6.0.5 #49914

... (truncated)

Commits

• 8821ad2 Release v4.0.6
• 9e4048a Merge branch '3.5.x' into 4.0.x
• 20bb11c Next development version (v3.5.15-SNAPSHOT)
• 98daa8e Merge branch '3.5.x' into 4.0.x
• 9dc5aa2 Polish
• 874f629 Fix default security with actuator but without health
• e41b3bf Enable hostname verification for SSL connections to Elasticsearch
• ef8527b Merge branch '3.5.x' into 4.0.x
• f533a45 Do not follow symlinks when writing PID file
• 4a7bd33 Merge branch '3.5.x' into 4.0.x
• Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-maven-plugin from 3.4.5 to 4.0.6

Release notes

Sourced from org.springframework.boot:spring-boot-maven-plugin's releases.

v4.0.6

🐞 Bug Fixes

• Default security is misconfigured when spring-boot-actuator-autoconfigure is present and spring-boot-health is not #50188
• Elasticsearch Rest5Client auto-configuration misconfigures underlying HTTP client #50187
• ApplicationPidFileWriter does not handle symlinks correctly #50185
• RandomValuePropertySource is not suitable for secrets #50183
• Cassandra auto-configuration misconfigures CqlSessionBuilder #50180
• ApplicationTemp does not handle symlinks correctly #50178
• Remote DevTools performs comparison incorrectly #50176
• spring.rabbitmq.ssl.verify-hostname is applied inconsistently #50174
• Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #50077
• Classic starters are missing several modules #50071
• Module spring-boot-resttestclient is missing from spring-boot-starter-test-classic #50069
• Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #50064
• EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #50039
• WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #50017
• Imports on a containing test class are ignored when a nested class has imports #50012
• With spring.jackson.use-jackson2-defaults set to true, FAIL_ON_UNKNOWN_PROPERTIES is enabled #49951
• 500 response from env endpoint when supplied pattern is invalid #49946
• Reactive MongoDB starter has a transitive dependency on the synchronous MongoDB driver #49945
• HTTP method is lost when configuring excludes in EndpointRequest #49943
• Honor HttpMethod for reactive additional endpoint paths #49880
• Docker Compose support doesn't work with apache/artemis image #49869
• Docker Compose support doesn't work with apache/activemq image #49866
• Spring Security's PathPatternRequestMatcher.Builder is not auto-configured when using WebMvcTest and spring-boot-security-test #49854
• API versioning path strategy should be applied path last as it is not meant to yield #49800

📔 Documentation

• Update docs to encourage Java fundamentals for beginners that prefer to learn that way #50146
• HTTP Service Interface Clients still document that API versioning can be configured via properties #50126
• Link to the observability section of the Lettuce documentation is broken #50097
• Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location #50085
• MySamlRelyingPartyConfiguration is missing a Kotlin sample #50024
• Incorrect default value for management.httpexchanges.recording.include in configuration metadata #50019
• Link to the Kubernetes documentation when discussing startup probes #50015
• Typo in JdbcSessionAutoConfiguration Javadoc #49873
• Clarify that configuration property default values are not available through the Environment #49851
• Document the need for Liquibase and Flyway starters #49839
• Kafka documentation refers to deprecated JSON serializer and deserializer classes #49826

🔨 Dependency Upgrades

• Upgrade to Elasticsearch Client 9.2.8 #50027
• Upgrade to Groovy 5.0.5 #49911
• Upgrade to Hibernate 7.2.12.Final #50134
• Upgrade to Jackson Bom 3.1.2 #50051
• Upgrade to Jaxen 2.0.1 #50104
• Upgrade to Jaybird 6.0.5 #49914

... (truncated)

Commits

• 8821ad2 Release v4.0.6
• 9e4048a Merge branch '3.5.x' into 4.0.x
• 20bb11c Next development version (v3.5.15-SNAPSHOT)
• 98daa8e Merge branch '3.5.x' into 4.0.x
• 9dc5aa2 Polish
• 874f629 Fix default security with actuator but without health
• e41b3bf Enable hostname verification for SSL connections to Elasticsearch
• ef8527b Merge branch '3.5.x' into 4.0.x
• f533a45 Do not follow symlinks when writing PID file
• 4a7bd33 Merge branch '3.5.x' into 4.0.x
• Additional commits viewable in compare view

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.