deps(deps): bump the maven-dependencies group across 1 directory with 12 updates

[dependabot]

Bumps the maven-dependencies group with 12 updates in the / directory:

Package	From	To
com.google.protobuf:protobuf-java	4.33.3	4.33.5
org.assertj:assertj-core	3.27.6	3.27.7
com.puppycrawl.tools:checkstyle	13.0.0	13.1.0
net.sourceforge.pmd:pmd-core	7.20.0	7.21.0
net.sourceforge.pmd:pmd-java	7.20.0	7.21.0
org.apache.maven.plugins:maven-compiler-plugin	3.14.1	3.15.0
software.amazon.awssdk:bom	2.41.10	2.41.19
com.nimbusds:oauth2-oidc-sdk	11.31.1	11.32
com.auth0:auth0	3.0.0	3.1.0
com.google.auth:google-auth-library-oauth2-http	1.41.0	1.42.1
org.apache.sshd:sshd-sftp	2.16.0	2.17.1
com.mysql:mysql-connector-j	9.5.0	9.6.0

Updates com.google.protobuf:protobuf-java from 4.33.3 to 4.33.5

Commits

• See full diff in compare view

Updates org.assertj:assertj-core from 3.27.6 to 3.27.7

Release notes

Sourced from org.assertj:assertj-core's releases.

v3.27.7

🔒 Security

Core

• Fix XXE vulnerability in isXmlEqualTo assertion (CVE-2026-24400)
  • See GHSA-rqfh-9r24-8c9r for details; many thanks to @​wxt201 and @​Song-Li for responsibly reporting it!

🚫 Deprecated

Core

• Deprecate XmlStringPrettyFormatter with no replacement

🐛 Bug Fixes

Guava

• Navigation to assertj-core or guava types from assertj-guava Javadoc site has unnecessary header #3478

🔨 Dependency Upgrades

Core

• Upgrade to Byte Buddy 1.18.3
• Upgrade to JUnit BOM 5.14.1

Guava

• Upgrade to Guava 33.5.0-jre

Commits

• e840716 [maven-release-plugin] prepare release assertj-build-3.27.7
• 85ca7eb Deprecate XmlStringPrettyFormatter
• 77081dc Merge commit from fork
• b68fc24 Bump github/codeql-action from 4.31.9 to 4.31.10 in the github-actions group ...
• 0cf5bb6 Bump kotlin.version from 2.1.0 to 2.2.21
• d393ef1 Abort tests when symbolic links cannot be created (#3788)
• 2212433 Add IntelliJ custom inspection for test class names
• 5717d02 Update JetBrains icon
• a8ec20b Add icon for JetBrains products
• c05fb3d Bump Maven to 3.9.12 and Wrapper to 3.3.4
• Additional commits viewable in compare view

Updates com.puppycrawl.tools:checkstyle from 13.0.0 to 13.1.0

Release notes

Sourced from com.puppycrawl.tools:checkstyle's releases.

checkstyle-13.1.0

Checkstyle 13.1.0 - https://checkstyle.org/releasenotes.html#Release_13.1.0

Breaking backward compatibility:

#12556 - Remove deprecated method CheckstyleAntTask:createClasspath()

New:

#18329 - ImportControl: add module attribute to allow/disallow module imports #18368 - New check: MissingOverrideOnRecordAccessor to require Override on record component accessor methods

Bug fixes:

#16087 - false positive invalid tag JavadocType #18790 - IllegalTokenText reports false positives for Unicode whitespace characters without escape sequences #18118 - Inconsistent behaviour of Indentation check #13038 - VariableDeclarationUsageDistanceCheck doesn't handle method definition properly #11103 - Indentation: Lambda in Enum causes error loop #18644 - False-negative: SummaryJavadoc:forbiddenSummaryFragments for tab-formatted code #6807 - False-positive RightCurly in google_checks since 8.20 #17561 - Google style: Override is required on explicitly declared accessor method for a record #18559 - Add missing checks to sun_checks.xml: DeclarationOrder, FallThrough, OneStatementPerLine

... (truncated)

Commits

• 079d68d [maven-release-plugin] prepare release checkstyle-13.1.0
• aa2d5a0 doc: release notes for 13.1.0
• a4873e0 Issue #18556: updating multifileregexpheader and adding external xml in check
• e4080e0 Issue #17882: added comments for SNIPPET_* tokens
• 30a2615 Pull #18795: Dedicate rewrite recipes #18794 #18673 #18791
• 5802cb8 Issue #15456: defining violation message visibility
• 9fd55e1 minor: setting lf line ending for InputJavadocTypeWithBlockComment.java
• 9f09882 Issue #7523: CLI '-s' option does not match by data from '-t'
• 40f2a1d Issue #17882: Add JAVADOC_INLINE_TAG_END token documentation
• 464188e Issue #16087: Refractor JavadocTypCheck
• Additional commits viewable in compare view

Updates net.sourceforge.pmd:pmd-core from 7.20.0 to 7.21.0

Release notes

Sourced from net.sourceforge.pmd:pmd-core's releases.

PMD 7.21.0 (30-January-2026)

30-January-2026 - 7.21.0

The PMD team is pleased to announce PMD 7.21.0.

This is a minor release.

Table Of Contents

• 🚀️ New and noteworthy
  • 🚀️ New: Java 26 Support
  • Build Requirement is Java 21
  • CPD
• 🌟️ New and Changed Rules
  • New Rules
  • Changed Rules
  • Deprecated Rules
• 🐛️ Fixed Issues
• 🚨️ API Changes
  • Deprecations
• ✨️ Merged pull requests
• 📦️ Dependency updates
• 📈️ Stats

🚀️ New and noteworthy

🚀️ New: Java 26 Support

This release of PMD brings support for Java 26.

There are no new standard language features.

There is one preview language feature:

• JEP 530: Primitive Types in Patterns, instanceof, and switch (Fourth Preview)

In order to analyze a project with PMD that uses these preview language features, you'll need to select the new language version 26-preview:

pmd check --use-version java-26-preview ...

Note: Support for Java 24 preview language features have been removed. The version "24-preview" is no longer available.

Build Requirement is Java 21

From now on, Java 21 or newer is required to build PMD. PMD itself still remains compatible with Java 8, so that it still can be used in a pure Java 8 environment. This allows us to use the latest checkstyle version during the build.

... (truncated)

Commits

• 4558030 [release] prepare release pmd_releases/7.21.0
• 8fcf973 Prepare pmd release 7.21.0
• e91caec [doc] chore: add keywords for auxclasspath in Java documentation (#6429)
• ed0838b [doc] ADR 3: Clarify javadoc tags (#6392)
• 840a29f chore: update javadoc internal API tags (#6391)
• 75fb5eb chore: update javadoc experimental tags (#6390)
• c4c1edb chore: update javadoc deprecated tags (#6389)
• e7d9729 chore: update javadoc deprecated tags
• 8fb286a chore: update javadoc experimental tags
• 7dcfeea chore: add full description to internalApi javadoc
• Additional commits viewable in compare view

Updates net.sourceforge.pmd:pmd-java from 7.20.0 to 7.21.0

Release notes

Sourced from net.sourceforge.pmd:pmd-java's releases.

PMD 7.21.0 (30-January-2026)

30-January-2026 - 7.21.0

The PMD team is pleased to announce PMD 7.21.0.

This is a minor release.

Table Of Contents

• 🚀️ New and noteworthy
  • 🚀️ New: Java 26 Support
  • Build Requirement is Java 21
  • CPD
• 🌟️ New and Changed Rules
  • New Rules
  • Changed Rules
  • Deprecated Rules
• 🐛️ Fixed Issues
• 🚨️ API Changes
  • Deprecations
• ✨️ Merged pull requests
• 📦️ Dependency updates
• 📈️ Stats

🚀️ New and noteworthy

🚀️ New: Java 26 Support

This release of PMD brings support for Java 26.

There are no new standard language features.

There is one preview language feature:

• JEP 530: Primitive Types in Patterns, instanceof, and switch (Fourth Preview)

In order to analyze a project with PMD that uses these preview language features, you'll need to select the new language version 26-preview:

pmd check --use-version java-26-preview ...

Note: Support for Java 24 preview language features have been removed. The version "24-preview" is no longer available.

Build Requirement is Java 21

From now on, Java 21 or newer is required to build PMD. PMD itself still remains compatible with Java 8, so that it still can be used in a pure Java 8 environment. This allows us to use the latest checkstyle version during the build.

... (truncated)

Commits

• 4558030 [release] prepare release pmd_releases/7.21.0
• 8fcf973 Prepare pmd release 7.21.0
• e91caec [doc] chore: add keywords for auxclasspath in Java documentation (#6429)
• ed0838b [doc] ADR 3: Clarify javadoc tags (#6392)
• 840a29f chore: update javadoc internal API tags (#6391)
• 75fb5eb chore: update javadoc experimental tags (#6390)
• c4c1edb chore: update javadoc deprecated tags (#6389)
• e7d9729 chore: update javadoc deprecated tags
• 8fb286a chore: update javadoc experimental tags
• 7dcfeea chore: add full description to internalApi javadoc
• Additional commits viewable in compare view

Updates org.apache.maven.plugins:maven-compiler-plugin from 3.14.1 to 3.15.0

Release notes

Sourced from org.apache.maven.plugins:maven-compiler-plugin's releases.

3.15.0

🐛 Bug Fixes

• Fix Java 25 compatibility during integration tests (#1020) @​desruisseaux
• [MCOMPILER-540] - useIncrementalCompilation=false may add generated sources to the sources list (#192) @​mensinda

👻 Maintenance

• Bump org.apache.maven.plugins:maven-plugins from 45 to 46 (#1015) @​slachiewicz
• Remove declaration of "plexus-snapshots" repository (#1010) @​desruisseaux
• Works only with Maven 4.0.0 rc4 (#996) @​slachiewicz
• Enable Java 25 and Maven 4 in CI (#975) @​slachiewicz

📦 Dependency updates

• Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness from 3.4.0 to 3.5.0 (#1016) @dependabot[bot]
• Bump plexusCompilerVersion from 2.16.1 to 2.16.2 (#1021) @dependabot[bot]
• Bump org.apache.maven.plugins:maven-plugins from 46 to 47 (#1019) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-java from 1.5.1 to 1.5.2 (#1008) @dependabot[bot]
• Bump org.ow2.asm:asm from 9.9 to 9.9.1 (#1005) @dependabot[bot]
• Bump mavenVersion from 3.9.11 to 3.9.12 (#1007) @dependabot[bot]
• Bump maven-plugin-testing-harness to 3.4.0 (#1001) @​slawekjaranowski
• Bump plexusCompilerVersion from 2.16.0 to 2.16.1 (#999) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-java from 1.5.0 to 1.5.1 (#993) @dependabot[bot]
• Bump plexusCompilerVersion from 2.15.0 to 2.16.0 (#992) @dependabot[bot]
• Bump org.ow2.asm:asm from 9.8 to 9.9 (#981) @dependabot[bot]

Commits

• 9290cb3 [maven-release-plugin] prepare release maven-compiler-plugin-3.15.0
• 3657d40 Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness
• 7bbf805 Bump plexusCompilerVersion from 2.16.1 to 2.16.2
• 57fa938 Bump org.apache.maven.plugins:maven-plugins from 46 to 47
• 385e3f2 Fix Java 25 compatibility during integration tests (#1020)
• 6b34423 Bump org.apache.maven.plugins:maven-plugins from 45 to 46
• aaeb9c6 [MCOMPILER-540] useIncrementalCompilation=false may add generated sources to ...
• 6e3db9d Bump org.codehaus.plexus:plexus-java from 1.5.1 to 1.5.2
• 0fe9b84 Remove declaration of "plexus-snapshots" repository (#1010)
• 35f6800 Bump org.ow2.asm:asm from 9.9 to 9.9.1
• Additional commits viewable in compare view

Updates software.amazon.awssdk:bom from 2.41.10 to 2.41.19

Updates com.nimbusds:oauth2-oidc-sdk from 11.31.1 to 11.32

Changelog

Sourced from com.nimbusds:oauth2-oidc-sdk's changelog.

version 1.0 (2012-05-29) * First official release with authorisation endpoint, token endpoint, check ID endpoint and UserInfo endpoint support. * JSON Web Tokens (JWTs) support through the Nimbus-JWT library. * Language Tags (RFC 5646) support through the Nimbus-LangTag library. * JSON support through the JSON Smart library.

version 2.0 (2013-05-13) * Intermediary development release with Maven build, published to Maven Central.

version 2.1 (2013-06-06) * Updates the APIs to OpenID Connect Messages draft 20, OpenID Connect Standard draft 21, OpenID Connect Discovery draft 17 and OpenID Connect Registration draft 19. * Major refactoring of the APIs for greater simplicity. * Adds JUnit tests.

version 2.2 (2013-06-18) * Refactors dynamic OpenID Connect client registration. * Adds partial support of the OAuth 2.0 Dynamic Client Registration Protocol (draft-ietf-oauth-dyn-reg-12). * Optimises parsing of request parameters consisting of one or more tokens (scope, response type, etc).

version 2.3 (2013-06-19) * Renames OAuth 2.0 dynamic client registration package. * Adds ClientInformation.getClientMetadata() method. * Adds OIDCClientInformation class.

version 2.4 (2013-06-20) * Adds static OIDCClientInformation.parse(JSONObject) method.

version 2.5 (2013-06-22) * Adds support OAuth 2.0 dynamic client update. * Adds OpenID Connect dynamic client registration classes.

version 2.6 (2013-06-25) * Enforces order of preference of ACR values in OpenID Connect client metadata, as required by the specification. * Documentation and performance improvements.

version 2.7 (2013-06-26) * Switches Identifier generation to java.security.SecureRandom.

version 2.8 (2013-06-30) * Fixes serialisation and assignment bugs in ClientMetadata. * Switches Secret generation to java.security.SecureRandom.

version 2.9 (2013-09-17)

... (truncated)

Commits

• db01993 [maven-release-plugin] prepare for next development iteration
• 92f8521 Fixes JavaDoc typos in DPoPProofContext
• bb6f01e Adds new verify methods to DPoPTokenRequestVerifier and DPoPProtectedResource...
• 41b6f13 Refreshes src/test/resources/connect2id-com-chain.pem
• e03cd48 Adds Receiver<T> interface, makes DPoPProofContext public
• ef0766e DPoPProofClaimsSetVerifier saves the JWTClaimsSet to the DPoPProofContext, va...
• e3becf1 Adds new verify methods to DPoPTokenRequestVerifier and DPoPProtectedResource...
• 89cd639 [maven-release-plugin] prepare release 11.32
• See full diff in compare view

Updates com.auth0:auth0 from 3.0.0 to 3.1.0

Release notes

Sourced from com.auth0:auth0's releases.

3.1.0

Added

• Feat: Added Support for App Access Permission and Inbound User Directory GA #813 (fern-api[bot])
• Feat: Added Self Service Organization Domain Java Support #808 (fern-api[bot])
• Updated Readme #809 (tanya732)

Changelog

Sourced from com.auth0:auth0's changelog.

3.1.0 (2026-01-30)

Full Changelog

Added

• Feat: Added Support for App Access Permission and Inbound User Directory GA #813 (fern-api[bot])
• Feat: Added Self Service Organization Domain Java Support #808 (fern-api[bot])
• Updated Readme #809 (tanya732)

Commits

• af87c10 Release 3.1.0 (#818)
• c366033 Revert "Release 3.1.0" (#817)
• a8f0abf Revert "Patch: Github actions and Workflow" (#816)
• 41458d8 Release 3.1.0 (#815)
• 9b67de2 Feat: Added Support for App Access Permission and Inbound User Directory GA (...
• 6f8c26a 🌿 Fern Regeneration -- January 13, 2026 (#808)
• 730e0bd Patch: Github actions and Workflow (#810)
• a253288 Updated Readme (#809)
• See full diff in compare view

Updates com.google.auth:google-auth-library-oauth2-http from 1.41.0 to 1.42.1

Updates org.apache.sshd:sshd-sftp from 2.16.0 to 2.17.1

Release notes

Sourced from org.apache.sshd:sshd-sftp's releases.

Apache MINA SSHD 2.17.1

This patch release fixes the broken Maven deployment of 2.17.0. (The root pom was missing).

There were no code changes, only a pom update to work around a tooling bug that caused the problem with 2.17.0:

• GH-875 Use Apache Parent POM 36

For the real changes since version 2.16.0 see the 2.17.0 change notes.

Apache MINA SSHD 2.17.0

Warning: the publication of this release to Maven Central somehow went wrong; it is missing the root POM.

Use the 2.17.1 release instead.

See the change log.

New Contributors

• @​JannuMies made their first contribution in apache/mina-sshd#832
• @​bemoty made their first contribution in apache/mina-sshd#843
• @​chrjohn made their first contribution in apache/mina-sshd#849
• @​denyshorman made their first contribution in apache/mina-sshd#870

Full Changelog: apache/mina-sshd@sshd-2.16.0...sshd-2.17.0

Changelog

Sourced from org.apache.sshd:sshd-sftp's changelog.

Previous Versions

• Version 2.1.0 to 2.2.0
• Version 2.2.0 to 2.3.0
• Version 2.3.0 to 2.4.0
• Version 2.4.0 to 2.5.0
• Version 2.5.0 to 2.5.1
• Version 2.5.1 to 2.6.0
• Version 2.6.0 to 2.7.0
• Version 2.7.0 to 2.8.0
• Version 2.8.0 to 2.9.0
• Version 2.9.0 to 2.9.1
• Version 2.9.1 to 2.9.2
• Version 2.9.2 to 2.10.0
• Version 2.10.0 to 2.11.0
• Version 2.11.0 to 2.12.0
• Version 2.12.0 to 2.12.1
• Version 2.12.1 to 2.13.0
• Version 2.13.0 to 2.13.1
• Version 2.13.1 to 2.13.2
• Version 2.13.2 to 2.14.0
• Version 2.14.0 to 2.15.0
• Version 2.15.0 to 2.16.0
• Version 2.16.0 to 2.17.0

Latest Version

• Version 2.17.0 to 2.17.1

Planned for Next Version

Bug Fixes

New Features

Potential Compatibility Issues

Major Code Re-factoring

Commits

• 03df246 [maven-release-plugin] prepare release sshd-2.17.1
• e661b4a GH-875: Update Apache Parent POM
• 42d2c7d [maven-release-plugin] prepare for next development iteration
• 9308c1e [maven-release-plugin] prepare release sshd-2.17.0
• 5f6bef6 Prepare documentation for a 2.17.0 release
• 5ee81f4 Fix duplicate character echoing in ProcessShell
• b6848c0 Mock git configuration in git-related tests
• d839c95 Bump JUnit 5 to latest patch version
• 7a7f2bb CoreTestSupportUtils: fix test framework
• 7b397c7 [releng] Build with Java 25 in CI
• Additional commits viewable in compare view

Updates com.mysql:mysql-connector-j from 9.5.0 to 9.6.0

Changelog

Sourced from com.mysql:mysql-connector-j's changelog.

Changelog

https://dev.mysql.com/doc/relnotes/connector-j/en/

Version 9.6.0

• Fix for Bug#118002 (Bug#37843004), The setFetchSize() method in the Statement class may have a potential bug.

• Fix for Bug#113130 (Bug#36043125), getGeneratedKeys() returns a zero resultset with non-key-generating statements.

• Fix for Bug#113336 (Bug#36080226), Inconsistent getUpdateCount() Behavior with allowMultiQueries.

• Fix for Bug#118234 (Bug#37975837), A potential bugs in Mysql Connector/J.

• Fix for Bug#113413 (Bug#36107426), Connection.changeUser cannot be done after DriverManager.loginTimeout elapses. Thanks to Kazuhisa Kawashima for his contribution.

• Fix for Bug#119271 (Bug#38599496), Connector/J fails to accept legacy value zeroDateTimeBehavior=convertToNull on multi-host URLs (failover).

• Fix for Bug#119245 (Bug#38599240), Select into fix breaks queries with 'into' in them.

Version 9.5.0

• Fix for Bug#72036 (Bug#18403804), XA isSameRM() shouldn't take database into account.

• Fix for Bug#62693 (Bug#16722068), XAConnection savepoint capability.

• Fix for Bug#81128 (Bug#23146631), Master host list overwritten by slave list when loadBalanceConnectionGroup used.

• Fix for Bug#19887224, RUNNING THE TEST SUITE WITH SOCKSPROXY* PROPERTIES HANGS IN TEST TESTBUG56429.

• Fix for Bug#98699 (Bug#30932850), Allow empty keyStore file for keyStoreTypes that do not require files. Thanks to Kolbe Kegel for his contribution.

• Fix for Bug#118938 (Bug#38396227), DatabaseMetaDataInformationSchema#getSchemas has a bug.

• Fix for Bug#99292 (Bug#31195955), Contribution: Support Windows time zone 'Coordinated Universal Time'. Thanks to Frédéric Barrière for his contribution.

• Fix for Bug#107094 (Bug#34104230), NullPointerException when calling equals with null on MultiHostConnectionProxy.

• Fix for Bug#107543 (Bug#34464351), Cannot execute a SELECT statement that writes to an OUTFILE.

• Fix for Bug#17881458, BEHAVIOR OF SETBINARYSTREAM() METHOD IS DIFFERENT WHEN USESERVERPREPSTMTS=TRUE.

• Fix for Bug#45554 (Bug#11754018), Connector/J does not encode binary data if useServerPrepStatements=false.

• Fix for Bug#114974 (Bug#36614381), the SQL in batch will not clear after statement close. Thanks to Chengyi Dong for his contribution.

• Fix for Bug#118688 (Bug#38222681), com.mysql.cj.protocol.a.StringValueEncoder#getString does not handle string escaping.

... (truncated)

Commits

• fdef61f Update copyright year.
• 43aced7 Update for GPL license book.
• 46758ca Fix for non deterministic results in some StatementRegressionTest tests.
• a281379 Fix for Bug#118002 (Bug#37843004), The setFetchSize() method in the Statement...
• 5767fc5 Fix for tests in MetaDataTest using conflicting table names.
• 3394bf6 Fix for Bug#113130 (Bug#36043125), getGeneratedKeys() returns a zero resultse...
• 3b9c627 Fix for Bug#113336 (Bug#36080226), Inconsistent getUpdateCount() Behavior wit...
• b369d81 Fix for Bug#118234 (Bug#37975837), A potential bugs in Mysql Connector/J.
• af0aa94 Fix for Bug#113413 (Bug#36107426), Connection.changeUser cannot be done after...
• e9dfbe8 Fix for Bug#119271 (Bug#38599496), Connector/J fails to accept legacy value z...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions