Skip to content

Bump the dependencies group across 1 directory with 6 updates#2192

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/dependencies-38d28541c7
Closed

Bump the dependencies group across 1 directory with 6 updates#2192
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/dependencies-38d28541c7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 11, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps the dependencies group with 6 updates in the / directory:

Package From To
com.github.luben:zstd-jni 1.5.7-8 1.5.7-10
com.google.errorprone:error_prone_core 2.31.0 2.50.0
com.uber.nullaway:nullaway 0.12.6 0.13.6
org.apache.maven.plugins:maven-surefire-plugin 3.5.5 3.5.6
org.jacoco:jacoco-maven-plugin 0.8.14 0.8.15
ch.qos.logback:logback-classic 1.5.32 1.5.34

Updates com.github.luben:zstd-jni from 1.5.7-8 to 1.5.7-10

Commits

Updates com.google.errorprone:error_prone_core from 2.31.0 to 2.50.0

Release notes

Sourced from com.google.errorprone:error_prone_core's releases.

Error Prone 2.50.0

New checks:

Closed issues: #5553, #5649, #5778

Full changelog: google/error-prone@v2.49.0...v2.50.0

Error Prone 2.49.0

This release includes several changes to Matcher APIs, and removed some deprecated or problematic APIs:

  • Remove deprecated MethodMatchers.withSignature API, which relies on fragile toString behaviour. Alternatives for matching on method signatures with varargs and type parameters were added in google/error-prone@a98a1c5.
  • Removed variableType(Matcher) API. Matchers.variableType(Matcher) uses VariableTree#getType to match variable types, which own't work for lambda parameters with inferred types after JDK-8268850. The recommended replacement is variableType(TypePredicate).
  • Make enclosingPackage return an optional. Module elements are not enclosed by a package, checks using enclosingPackage shouldn't assume an enclosing package exists when processing arbitrary elements.
  • New FieldMatchers API, similar to MethodMatchers (google/error-prone@1dd9c3a).

New checks:

Closed issues: #2283, #3503, #5210, #5289, #5548, #5548, #5554, #5609, #5614, #5656

Full changelog: google/error-prone@v2.48.0...v2.49.0

Error Prone 2.48.0

Changes:

New checks:

Closed issues: #5529, #5537, #5522, #5521

Full changelog: google/error-prone@v2.47.0...v2.48.0

... (truncated)

Commits
  • d802cff Release Error Prone 2.50.0
  • b12b5f2 In StringCharset, move the description from explanation to summary.
  • a7ca02a Update AssertThrowsUtils to emit var thrown = assertThrows(...) instead o...
  • 6b56517 Fix handling of nested tags in UnrecognisedJavadocTag
  • d36e74f Remove translation of the fail() message into assertThrows(). We already ...
  • c3581e9 Fix JavacFileManager compiler crash during speculative recompiles in modular ...
  • da1f32b Remove assignments from assertThrows() lambdas. A large percentage of remai...
  • dee62f7 Update AssertThrowsBlockToExpression to re-write single VariableTrees int...
  • 4939448 Only hoist the last statement into the assertThrows() lambda.
  • 30fd05a refactor: Rename JavaLangClash bug pattern to AvoidCommonTypeNames
  • Additional commits viewable in compare view

Updates com.uber.nullaway:nullaway from 0.12.6 to 0.13.6

Release notes

Sourced from com.uber.nullaway:nullaway's releases.

NullAway 0.13.6

(NOTE: originally these notes appeared with the 0.13.5 release, but that release was pushed incorrectly due to an error in our release process.)

Includes various bug fixes, particularly in JSpecify mode. Also, the nullaway-annotations artifact now includes a @Contract annotation. NullAway also now has a built-in handler to reason about field initialization in classes managed by Jakarta Persistence.

Work has begun on support for wildcards in JSpecify mode. Currently, this support is off by default, guarded by the configuration flag HandleWildcardGenerics. The support still has multiple known bugs, and we do not yet recommend enabling it.

  • Initial subtype checking for wildcards (#1520)
  • Handle subtype checking for wildcard super bounds (#1547)
  • Handle most remaining wildcard subtyping / containment cases (#1548)
  • Test case for #1528 (#1556)
  • Initial inference for wildcards (#1549)
  • Fix wildcard inference bug with method references (#1553)
  • Fix nullability for return and parameter wildcards (#1558)
  • Test case for trick to assert chain of accesses is non-null (#1566)
  • Improve inference failure error message (#1567)
  • Adjust more TreePaths to have correct leaf before calling getTreeType (#1570)
  • Add Contract annotation to nullaway-annotations by @​codingkiddo (#1569)
  • Run inference for generic method calls nested inside receivers (#1571)
  • Refactor hasAnyAnnotationMatching method (#1583)
  • Improve handling of var-declared local variables (#1573)
  • Compensate for more annotations inserted by javac (#1574)
  • Enable test for issue 1500 and add comment (#1560)
  • Use ground target types when handling lambdas and method refs passed to generic methods (#1575)
  • Fix for unbounded wildcard passed to @NullUnmarked type variable (#1577)
  • Detect and warn on annotations directly on wildcard types (#1579)
  • Enable HandleWildcardGenerics flag when building NullAway (#1586)
  • Report error when @​Initializer is used on a constructor by @​Vinu2111 (#1546)
  • Add a handler for Jakarta Persistence to reason about field initialization (#1584)
  • Revert "Report error when @​Initializer is used on a constructor (#1546)" (#1588)
  • Maintenance
    • Use Jacoco 0.8.15 snapshot (#1550)
    • Update to Gradle 9.5.0 (#1554)
    • Test with latest Error Prone snapshot on CI (#1555)
    • Add Spring Boot as an integration test (#1557)
    • Enable generic bytecode tests on JDK 17 (#1561)
    • Update spotless and guava-latest deps, removed unused semver4j (#1562)
    • Use text blocks in more tests (#1563)
    • Use text blocks for addInputLines and addOutputLines calls (#1564)
    • Use Temurin JDK 17 always in CI (#1565)
    • Tell agents not to run multiple Gradle builds in parallel (#1582)
    • Update Codecov action to v6 (#1587)

NullAway 0.13.5

DO NOT USE THIS RELEASE. It was pushed incorrectly due to an error in our release process.

... (truncated)

Changelog

Sourced from com.uber.nullaway:nullaway's changelog.

Version 0.13.6

(NOTE: originally these notes appeared with the 0.13.5 release, but that release was pushed incorrectly due to an error in our release process.)

Includes various bug fixes, particularly in JSpecify mode. Also, the nullaway-annotations artifact now includes a @Contract annotation. NullAway also now has a built-in handler to reason about field initialization in classes managed by Jakarta Persistence.

Work has begun on support for wildcards in JSpecify mode. Currently, this support is off by default, guarded by the configuration flag HandleWildcardGenerics. The support still has multiple known bugs, and we do not yet recommend enabling it.

  • Initial subtype checking for wildcards (#1520)
  • Handle subtype checking for wildcard super bounds (#1547)
  • Handle most remaining wildcard subtyping / containment cases (#1548)
  • Test case for #1528 (#1556)
  • Initial inference for wildcards (#1549)
  • Fix wildcard inference bug with method references (#1553)
  • Fix nullability for return and parameter wildcards (#1558)
  • Test case for trick to assert chain of accesses is non-null (#1566)
  • Improve inference failure error message (#1567)
  • Adjust more TreePaths to have correct leaf before calling getTreeType (#1570)
  • Add Contract annotation to nullaway-annotations by @​codingkiddo (#1569)
  • Run inference for generic method calls nested inside receivers (#1571)
  • Refactor hasAnyAnnotationMatching method (#1583)
  • Improve handling of var-declared local variables (#1573)
  • Compensate for more annotations inserted by javac (#1574)
  • Enable test for issue 1500 and add comment (#1560)
  • Use ground target types when handling lambdas and method refs passed to generic methods (#1575)
  • Fix for unbounded wildcard passed to @NullUnmarked type variable (#1577)
  • Detect and warn on annotations directly on wildcard types (#1579)
  • Enable HandleWildcardGenerics flag when building NullAway (#1586)
  • Report error when @​Initializer is used on a constructor by @​Vinu2111 (#1546)
  • Add a handler for Jakarta Persistence to reason about field initialization (#1584)
  • Revert "Report error when @​Initializer is used on a constructor (#1546)" (#1588)
  • Maintenance
    • Use Jacoco 0.8.15 snapshot (#1550)
    • Update to Gradle 9.5.0 (#1554)
    • Test with latest Error Prone snapshot on CI (#1555)
    • Add Spring Boot as an integration test (#1557)
    • Enable generic bytecode tests on JDK 17 (#1561)
    • Update spotless and guava-latest deps, removed unused semver4j (#1562)
    • Use text blocks in more tests (#1563)
    • Use text blocks for addInputLines and addOutputLines calls (#1564)
    • Use Temurin JDK 17 always in CI (#1565)
    • Tell agents not to run multiple Gradle builds in parallel (#1582)
    • Update Codecov action to v6 (#1587)

... (truncated)

Commits

Updates org.apache.maven.plugins:maven-surefire-plugin from 3.5.5 to 3.5.6

Release notes

Sourced from org.apache.maven.plugins:maven-surefire-plugin's releases.

3.5.6

🚀 New features and improvements

  • Introduce reportTestTimestamp option and include timestamp for test sets and test cases (#3261) (#3302) @​olamy

🐛 Bug Fixes

👻 Maintenance

📦 Dependency updates

Commits
  • 25ea054 [maven-release-plugin] prepare release surefire-3.5.6
  • e5f374c Bump org.fusesource.jansi:jansi from 2.4.2 to 2.4.3
  • dadd55b Issue #2613 Debugging failsafe tests: Message 'Listening for transport dt_soc...
  • 39dd250 Bump commons-io:commons-io from 2.21.0 to 2.22.0
  • 2774273 Ensure that the statistics filename is calculated only once. (#3326) (#3327)
  • 0d5df8a 3.5.x/bug/cherry pick embedded mode its (#3328)
  • 04ad9a2 Use surefire 3.5.5 by project itself for testing
  • 37e8f69 Add flakes attribute to use in testsuite report (#3306) (#3308)
  • a970fef Introduce reportTestTimestamp option and include timestamp for test sets and ...
  • e838393 deploy 3.5.x branch to nexus
  • Additional commits viewable in compare view

Updates org.jacoco:jacoco-maven-plugin from 0.8.14 to 0.8.15

Release notes

Sourced from org.jacoco:jacoco-maven-plugin's releases.

0.8.15

New Features

  • JaCoCo now officially supports Java 26 (GitHub #2076).
  • Experimental support for Java 27 class files (GitHub #2004).
  • Compatibility methods generated by Kotlin compiler for functions defined in interfaces are filtered out during generation of report (GitHub #1905).
  • Compatibility methods generated by Kotlin compiler for exposed boxed inline value classes (JvmExposeBoxed annotation) are filtered out during generation of report (GitHub #1944).
  • Methods generated by the Kotlin compiler for functions with JvmStatic annotation are filtered out during generation of report (GitHub #2097).
  • Improved filtering of bytecode generated by Kotlin compiler for when expressions and statements with kotlin.String subject where first branch condition contains string with largest hash (GitHub #2098).
  • Part of bytecode that javac versions from 24 to 26 generate for switch statements and expressions with selector expression of type java.lang.String inside lambdas is filtered out during generation of report (GitHub #2023).
  • Improved performance of Kotlin files analysis by parsing SMAPs only once per class (GitHub #2114).
  • For better performance agent output methods tcpclient and tcpserver use BufferedOutputStream to write execution data to socket. Maven plugin, Ant tasks, CLI, API usage examples, and ExecDumpClient API use BufferedInputStream to read execution data from socket. Third-party integrations should do the same to benefit from this change in agent (GitHub #2089).

Fixed bugs

  • Fixed processing of Kotlin SMAP in synthetic classes (GitHub #1985).
  • Multiple JaCoCo runtimes within one JVM writing to the same output file should not cause data corruption when running on JDK versions from 6 to 10 affected by JDK-8166253 (GitHub #2065, #2074).
  • For better performance agent writes to output file via BufferedOutputStream, this fixes regression introduced in version 0.6.2 (GitHub #2073).
  • Fixed NullPointerException when JaCoCo agent is loaded by non system class loader, for example when loaded by JBoss Modules (GitHub #1651).

Non-functional Changes

  • JaCoCo now depends on ASM 9.10.1 (GitHub #2134).
Commits
  • 6c5260a Prepare release v0.8.15
  • 5c05141 Transfer of execution data through socket should use buffered stream (#2089)
  • ab5efa9 Remove from Azure Pipelines all builds except with JDK 5 and JDK EA (#2148)
  • 5f6ea38 Use Windows 2025 image in GitHub Actions (#2130)
  • 35a8af2 Use Renovate instead of Dependabot for updates of ASM (#2137)
  • 85b8ddf Upgrade ASM to 9.10.1 (#2134)
  • 2988647 AgentModule should use ClassLoader of agent instead of SystemClassLoader (#1651)
  • 75a4e31 Add filter for Kotlin @JvmExposeBoxed (#1944)
  • 691fa1d Use Renovate instead of Dependabot for updates of GitHub Actions (#2132)
  • 3e18f17 Require at least JDK 21 for build (#2128)
  • Additional commits viewable in compare view

Updates ch.qos.logback:logback-classic from 1.5.32 to 1.5.34

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.34

2026-06-01 Release of logback version 1.5.34

• In case certain StackTraceElement values returned by the Throwable.getStackTrace method are null, StackTraceElementProxy substitutes a dummy instance instead of throwing an IllegalArgumentException. This resolves [issues #1040](qos-ch/logback#1040), reported by Naotsugu Kobayashi.

• HardenedObjectInputStream will now throw an InvalidClassException during deserialization attempts of Proxy classes. This change addresses potential deserialization whitelist bypass vulnerability reported by York Shen and registered as CVE-2026-10532.

• A bitwise identical binary of this version can be reproduced by building from source code at commit e62272ac152469aec1ede056c3c7d0d7314e7bfe associated with the tag v_1.5.34. This release was built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.33

2026-05-27 Release of logback version 1.5.33

PropertiesConfiguratorModelHandler now registers properties file URLs to the ConfigurationWatchList when scan is enabled (via local scan="true" attribute or top-level configuration scan), ensuring changes are detected and reconfiguration occurs. This problem was reported in issues/1034.

• When processing <conversionRule> elements and both class and converterClass attributes are specified, silently use the class attribute without issuing a warning. However, if the attribute values differ, a warning will be issued. This change was requested in issues/1031.

HardenedModelInputStream will no longer accept to deserialize all classes located under the "java.lang" and "java.util" packages but a limited number of explicitly authorized classes in those packages. This potential deserialization whitelist bypass vulnerability was reported by York Shen and registered as CVE-2026-9828.

• SSL parameters for SSLSocketAppender now enable hostname verification by default. Moreover, the default protocol is now "TLSv1.2". This potential vulnerability was reported by York Shen.

• When printing the status message field, ViewStatusMessagesServletBase now escapes special characters such as "&" as character entities. This potential vulnerability was reported by York Shen.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 124e8b49b55ac34d08743a0646bd463410192647 associated with the tag v_1.5.33. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Commits
  • e62272a prepare release 1.5.34
  • 1e9e926 add resolveProxyClassRejectsDynamicProxies unit test
  • 2de5cbe added StackTraceElementProxyTest, minor edits to AGENTS.md
  • 0e9b927 in case StackTraceElement is null use a substitute, fixing issues/1040
  • f7a0654 prevent resolveProxyClass bypass
  • 249b81f docs are no longer distributed
  • 1c3b26a start work on 1.5.34-SNAPSHOT
  • 124e8b4 prepare release 1.5.33
  • d8fd6f2 escapeTags in message field when printing status messages
  • 95edbeb hostnameVerification default to true in SSLParametersConfiguration, SSL.DEFAU...
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Jun 11, 2026
@hyperxpro

hyperxpro commented Jun 11, 2026

Copy link
Copy Markdown
Member

@dependabot ignore com.google.errorprone:error_prone_core
@dependabot ignore com.uber.nullaway:nullaway

@dependabot
Bump the dependencies group across 1 directory with 6 updates
60f13de 
Bumps the dependencies group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [com.github.luben:zstd-jni](https://github.com/luben/zstd-jni) | `1.5.7-8` | `1.5.7-10` |
| [com.google.errorprone:error_prone_core](https://github.com/google/error-prone) | `2.31.0` | `2.50.0` |
| [com.uber.nullaway:nullaway](https://github.com/uber/NullAway) | `0.12.6` | `0.13.6` |
| [org.apache.maven.plugins:maven-surefire-plugin](https://github.com/apache/maven-surefire) | `3.5.5` | `3.5.6` |
| [org.jacoco:jacoco-maven-plugin](https://github.com/jacoco/jacoco) | `0.8.14` | `0.8.15` |
| [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) | `1.5.32` | `1.5.34` |



Updates `com.github.luben:zstd-jni` from 1.5.7-8 to 1.5.7-10
- [Commits](https://github.com/luben/zstd-jni/commits)

Updates `com.google.errorprone:error_prone_core` from 2.31.0 to 2.50.0
- [Release notes](https://github.com/google/error-prone/releases)
- [Commits](google/error-prone@v2.31.0...v2.50.0)

Updates `com.uber.nullaway:nullaway` from 0.12.6 to 0.13.6
- [Release notes](https://github.com/uber/NullAway/releases)
- [Changelog](https://github.com/uber/NullAway/blob/master/CHANGELOG.md)
- [Commits](uber/NullAway@v0.12.6...v0.13.6)

Updates `org.apache.maven.plugins:maven-surefire-plugin` from 3.5.5 to 3.5.6
- [Release notes](https://github.com/apache/maven-surefire/releases)
- [Commits](apache/maven-surefire@surefire-3.5.5...surefire-3.5.6)

Updates `org.jacoco:jacoco-maven-plugin` from 0.8.14 to 0.8.15
- [Release notes](https://github.com/jacoco/jacoco/releases)
- [Commits](jacoco/jacoco@v0.8.14...v0.8.15)

Updates `ch.qos.logback:logback-classic` from 1.5.32 to 1.5.34
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.32...v_1.5.34)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.34
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: com.github.luben:zstd-jni
  dependency-version: 1.5.7-10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: com.google.errorprone:error_prone_core
  dependency-version: 2.50.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: com.uber.nullaway:nullaway
  dependency-version: 0.13.6
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: org.apache.maven.plugins:maven-surefire-plugin
  dependency-version: 3.5.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: org.jacoco:jacoco-maven-plugin
  dependency-version: 0.8.15
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/maven/dependencies-38d28541c7 branch from 801d486 to 60f13de Compare June 12, 2026 22:51
@hyperxpro

hyperxpro commented Jun 12, 2026

Copy link
Copy Markdown
Member

@dependabot ignore com.google.errorprone:error_prone_core

@dependabot @github

dependabot Bot commented on behalf of github Jun 12, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you about com.google.errorprone:error_prone_core again, unless you unignore it.

@hyperxpro

hyperxpro commented Jun 12, 2026

Copy link
Copy Markdown
Member

@dependabot ignore com.uber.nullaway:nullaway

@dependabot @github

dependabot Bot commented on behalf of github Jun 12, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you about com.uber.nullaway:nullaway again, unless you unignore it.

@dependabot @github

dependabot Bot commented on behalf of github Jun 12, 2026

Copy link
Copy Markdown
Contributor Author

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Jun 12, 2026
@dependabot dependabot Bot deleted the dependabot/maven/dependencies-38d28541c7 branch June 12, 2026 22:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file java Pull requests that update Java code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@hyperxpro