Bump the all-dependencies group across 1 directory with 35 updates

[dependabot]

Bumps the all-dependencies group with 35 updates in the / directory:

Package	From	To
org.junit:junit-bom	5.12.2	6.0.2
org.junit.jupiter:junit-jupiter	5.12.2	6.0.2
commons-net:commons-net	3.11.1	3.12.0
org.apache.commons:commons-lang3	3.17.0	3.20.0
org.projectlombok:lombok	1.18.38	1.18.42
dnsjava:dnsjava	3.6.3	3.6.4
org.apache.httpcomponents.client5:httpclient5	5.4.3	5.6
org.apache.httpcomponents.client5:httpclient5-fluent	5.4.4	5.6
ch.qos.logback:logback-classic	1.5.18	1.5.25
org.bouncycastle:bcprov-jdk18on	1.80	1.83
org.bouncycastle:bcpkix-jdk18on	1.80	1.83
com.ibm.icu:icu4j	77.1	78.2
org.mockito:mockito-core	5.17.0	5.21.0
org.mockito:mockito-junit-jupiter	5.17.0	5.21.0
org.apache.maven.plugins:maven-compiler-plugin	3.14.0	3.14.1
org.apache.maven.plugins:maven-surefire-plugin	3.5.3	3.5.4
org.sonarsource.scanner.maven:sonar-maven-plugin	5.1.0.4751	5.5.0.6356
org.jacoco:jacoco-maven-plugin	0.8.13	0.8.14
org.apache.maven.plugins:maven-source-plugin	3.3.1	3.4.0
org.apache.maven.plugins:maven-javadoc-plugin	3.11.2	3.12.0
org.apache.maven.plugins:maven-gpg-plugin	3.2.7	3.2.8
org.sonatype.central:central-publishing-maven-plugin	0.7.0	0.10.0
org.springframework.boot:spring-boot-starter-web	3.4.5	4.0.1
org.springframework.boot:spring-boot-starter-data-jpa	3.4.5	4.0.1
org.springframework.boot:spring-boot-starter-webflux	3.4.5	4.0.1
org.springframework.boot:spring-boot-starter-test	3.4.5	4.0.1
org.springframework.boot:spring-boot-maven-plugin	3.4.5	4.0.1
com.h2database:h2	2.3.232	2.4.240
io.projectreactor:reactor-test	3.7.5	3.8.2
com.mysql:mysql-connector-j	9.3.0	9.5.0
com.fasterxml.jackson.core:jackson-databind	2.19.0	2.21.0
com.fasterxml.jackson.core:jackson-core	2.19.0	2.21.0
com.fasterxml.jackson.core:jackson-annotations	2.19.0	2.21.0
org.apache.maven.plugins:maven-jar-plugin	3.4.2	3.5.0
org.apache.maven.plugins:maven-failsafe-plugin	3.5.3	3.5.4

Updates org.junit:junit-bom from 5.12.2 to 6.0.2

Release notes

Sourced from org.junit:junit-bom's releases.

JUnit 6.0.2 = Platform 6.0.2 + Jupiter 6.0.2 + Vintage 6.0.2

See Release Notes.

Full Changelog: junit-team/junit-framework@r6.0.1...r6.0.2

JUnit 6.0.1 = Platform 6.0.1 + Jupiter 6.0.1 + Vintage 6.0.1

See Release Notes.

Full Changelog: junit-team/junit-framework@r6.0.0...r6.0.1

JUnit 6.0.0 = Platform 6.0.0 + Jupiter 6.0.0 + Vintage 6.0.0

See Release Notes.

New Contributors

• @​2897robo made their first contribution in junit-team/junit-framework#4525
• @​strangelookingnerd made their first contribution in junit-team/junit-framework#4683
• @​eric6iese made their first contribution in junit-team/junit-framework#4717
• @​raccoonback made their first contribution in junit-team/junit-framework#4822
• @​currenjin made their first contribution in junit-team/junit-framework#4823
• @​mehulimukherjee made their first contribution in junit-team/junit-framework#4913
• @​lslonina made their first contribution in junit-team/junit-framework#4629

Full Changelog: junit-team/junit-framework@r5.14.0...r6.0.0

JUnit 6.0.0-RC3 = Platform 6.0.0-RC3 + Jupiter 6.0.0-RC3 + Vintage 6.0.0-RC3

See Release Notes.

New Contributors

• @​mehulimukherjee made their first contribution in junit-team/junit-framework#4913
• @​lslonina made their first contribution in junit-team/junit-framework#4629

Full Changelog: junit-team/junit-framework@r6.0.0-RC2...r6.0.0-RC3

JUnit 6.0.0-RC2 = Platform 6.0.0-RC2 + Jupiter 6.0.0-RC2 + Vintage 6.0.0-RC2

See Release Notes.

Full Changelog: junit-team/junit-framework@r6.0.0-RC1...r6.0.0-RC2

JUnit 6.0.0-RC1 = Platform 6.0.0-RC1 + Jupiter 6.0.0-RC1 + Vintage 6.0.0-RC1

See Release Notes.

New Contributors

• @​raccoonback made their first contribution in junit-team/junit-framework#4822
• @​currenjin made their first contribution in junit-team/junit-framework#4823

... (truncated)

Commits

• c5c5de5 Release 6.0.2
• 98b6f78 Add missing checkout step
• 732dc27 Finalize 6.0.2 release notes
• 6a25736 Finalize 5.14.2 release notes
• 33e66bf Move release notes for #5238 entry to 6.1.0-M2
• 11f0f82 Update copyright headers
• 6ce1265 Consistently add license header to all java source files
• 4d454ee Update dependency @​antora/lunr-extension to v1.0.0-alpha.12
• faf4a58 Use --since feature of Javadoc
• 5cc8b05 Mark new recommended APIs as "maintained" rather than "experimental"
• Additional commits viewable in compare view

Updates org.junit.jupiter:junit-jupiter from 5.12.2 to 6.0.2

Release notes

Sourced from org.junit.jupiter:junit-jupiter's releases.

JUnit 6.0.2 = Platform 6.0.2 + Jupiter 6.0.2 + Vintage 6.0.2

See Release Notes.

Full Changelog: junit-team/junit-framework@r6.0.1...r6.0.2

JUnit 6.0.1 = Platform 6.0.1 + Jupiter 6.0.1 + Vintage 6.0.1

See Release Notes.

Full Changelog: junit-team/junit-framework@r6.0.0...r6.0.1

JUnit 6.0.0 = Platform 6.0.0 + Jupiter 6.0.0 + Vintage 6.0.0

See Release Notes.

New Contributors

• @​2897robo made their first contribution in junit-team/junit-framework#4525
• @​strangelookingnerd made their first contribution in junit-team/junit-framework#4683
• @​eric6iese made their first contribution in junit-team/junit-framework#4717
• @​raccoonback made their first contribution in junit-team/junit-framework#4822
• @​currenjin made their first contribution in junit-team/junit-framework#4823
• @​mehulimukherjee made their first contribution in junit-team/junit-framework#4913
• @​lslonina made their first contribution in junit-team/junit-framework#4629

Full Changelog: junit-team/junit-framework@r5.14.0...r6.0.0

JUnit 6.0.0-RC3 = Platform 6.0.0-RC3 + Jupiter 6.0.0-RC3 + Vintage 6.0.0-RC3

See Release Notes.

New Contributors

• @​mehulimukherjee made their first contribution in junit-team/junit-framework#4913
• @​lslonina made their first contribution in junit-team/junit-framework#4629

Full Changelog: junit-team/junit-framework@r6.0.0-RC2...r6.0.0-RC3

JUnit 6.0.0-RC2 = Platform 6.0.0-RC2 + Jupiter 6.0.0-RC2 + Vintage 6.0.0-RC2

See Release Notes.

Full Changelog: junit-team/junit-framework@r6.0.0-RC1...r6.0.0-RC2

JUnit 6.0.0-RC1 = Platform 6.0.0-RC1 + Jupiter 6.0.0-RC1 + Vintage 6.0.0-RC1

See Release Notes.

New Contributors

• @​raccoonback made their first contribution in junit-team/junit-framework#4822
• @​currenjin made their first contribution in junit-team/junit-framework#4823

... (truncated)

Commits

• c5c5de5 Release 6.0.2
• 98b6f78 Add missing checkout step
• 732dc27 Finalize 6.0.2 release notes
• 6a25736 Finalize 5.14.2 release notes
• 33e66bf Move release notes for #5238 entry to 6.1.0-M2
• 11f0f82 Update copyright headers
• 6ce1265 Consistently add license header to all java source files
• 4d454ee Update dependency @​antora/lunr-extension to v1.0.0-alpha.12
• faf4a58 Use --since feature of Javadoc
• 5cc8b05 Mark new recommended APIs as "maintained" rather than "experimental"
• Additional commits viewable in compare view

Updates commons-net:commons-net from 3.11.1 to 3.12.0

Changelog

Sourced from commons-net:commons-net's changelog.

Apache Commons Net 3.12.0 Release Notes

The Apache Commons Net team is pleased to announce the release of Apache Commons Net 3.12.0.

Apache Commons Net library contains a collection of network utilities and protocol implementations. Supported protocols include Echo, Finger, FTP, NNTP, NTP, POP3(S), SMTP(S), Telnet, and Whois.

This is a feature and maintenance release. Java 8 or later is required.

For complete information on Apache Commons Net, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Commons Net website:

https://commons.apache.org/proper/commons-net/

Download page: https://commons.apache.org/proper/commons-net/download_net.cgi

New features

o Add org.apache.commons.net.nntp.Article#getChild(). Thanks to Gary Gregory. o Add org.apache.commons.net.nntp.Article#getNext(). Thanks to Gary Gregory. o Add private SubnetAddressStringIterable and private SubnetAddressStringIterator to implement SubnetInfo.iterableAddressStrings() and SubnetInfo.streamAddressStrings() #298. Thanks to Lixiongyou, Gary Gregory. o Add SubnetInfo.iterableAddressStrings(). Thanks to Gary Gregory. o Add SubnetInfo.streamAddressStrings(). Thanks to Gary Gregory. o Add FTPCmd.OPTS. Thanks to Gary Gregory. o Add FTP.opts(String, String). Thanks to Gary Gregory. o Add FTP.opts(String...). Thanks to Gary Gregory. o Add FTP.setControlEncoding(Charset). Thanks to Gary Gregory. o Add --OPTS to FTPClientExample. Thanks to Gary Gregory. o NET-727: Add accessing options map for TFTP request packet and allow using 'blksize' option #331. Thanks to Gary Gregory. o Add org.apache.commons.net.util.ListenerList.isEmpty(). Thanks to Gary Gregory. o Add org.apache.commons.net.ftp.FTPClient.getSystemTypeOverride(). Thanks to Gary Gregory. o Add generics to ListenerList. Thanks to Gary Gregory. o Add module-info.class in the JAR file instead of an Automatic-Module-Name in MANIFEST.MF. Thanks to Gary Gregory.

Fixed Bugs

o Increase message limit in IMAPReply.TAGGED_RESPONSE from 80 to 500 characters. Thanks to Andreas Lemke, Gary Gregory. o Increase message limit in IMAPReply.UNTAGGED_RESPONSE from 160 to 500 characters. Thanks to Andreas Lemke, Gary Gregory. o Remove InvalidKeySpecException from AuthenticatingIMAPClient.auth(AUTH_METHOD, String, String) never throws, it's not thrown. Thanks to Gary Gregory. o Remove InvalidKeySpecException from AuthenticatingIMAPClient.authenticate(AUTH_METHOD, String, String) never throws, it's not thrown. Thanks to Gary Gregory. o Remove InvalidKeySpecException from ExtendedPOP3Client.auth(AUTH_METHOD, String, String) never throws, it's not thrown. Thanks to Gary Gregory. o Remove InvalidKeySpecException from org.apache.commons.net.smtp.AuthenticatingSMTPClient.auth(AUTH_METHOD, String, String) never throws, it's not thrown. Thanks to Gary Gregory. o Fix SpotBugs RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE in SSLSocketUtils. Thanks to Gary Gregory. o Fix PMD UnnecessaryFullyQualifiedName. Thanks to Gary Gregory. o Fix PMD UnusedFormalParameter. Thanks to Gary Gregory. o Fix PMD AvoidBranchingStatementAsLastInLoop in org.apache.commons.net.bsd.RCommandClient. Thanks to Gary Gregory.

... (truncated)

Commits

• bb741d0 Prepare for the release candidate 3.12.0 RC1
• bfaf5d2 Prepare for the next release candidate
• 91baa6f Add module-info.class in the JAR file instead of an
• 6a49728 Merge pull request #355 from apache/dependabot/github_actions/github/codeql-a...
• de4990b Bump github/codeql-action from 3.29.2 to 3.29.4
• 078c17d Merge some string literals
• 200dccd Format nit
• f84d393 Format nit
• 7cfdadf Format nit
• 1213ed8 Update the GitHub pull request template for AI
• Additional commits viewable in compare view

Updates org.apache.commons:commons-lang3 from 3.17.0 to 3.20.0

Updates org.projectlombok:lombok from 1.18.38 to 1.18.42

Changelog

Sourced from org.projectlombok:lombok's changelog.

v1.18.42 (September 18th, 2025)

• FEATURE: All the various @Log annotations now allow you to change their access level (they still default to private). #2280. Thanks to new contributor Liam Pace!
• BUGFIX: Javadoc parsing was broken in Netbeans and ErrorProne for JDK25 #3940.

v1.18.40 (September 4th, 2025)

• PLATFORM: JDK25 support added #3859.
• BUGFIX: Recent versions of eclipse (or the eclipse-based java lang server for VSCode) caused java.lang.IllegalArgumentException: Document does not match the AST. [Issue #3886](projectlombok/lombok#3886).
• PERFORMANCE: @ExtensionMethod is now significantly faster [Issue #3866](projectlombok/lombok#3866).
• BUGFIX: the command line config tool would emit incorrect output for nullity annotations. [Issue #3931](projectlombok/lombok#3931).
• FEATURE: @Jacksonized @Accessors(fluent=true) automatically creates the relevant annotations such that Jackson correctly identifies fluent accessors. [Issue #3265](projectlombok/lombok#3265), [Issue #3270](projectlombok/lombok#3270).
• IMPROBABLE BREAKING CHANGE: From versions 1.18.16 to 1.18.38, lombok automatically copies certain Jackson annotations (e.g., @JsonProperty) from fields to the corresponding accessors (getters/setters). However, it turned out to be harmful in certain situations. Thus, Lombok does not automatically copy those annotations any more. You can restore the old behavior using the config key lombok.copyJacksonAnnotationsToAccessors = true.

Commits

• 2031eb0 [release] pre-release version bump for v1.18.42
• c95a6c1 Merge branch 'logger-access'
• 71d85ca #2280 Add delivery of this 'access for logging' to the changelog.
• 99ba3e3 [trivial] Slightly reworded the javadoc on each @Log annotation's `access()...
• e9cf11e [trivial][style]
• a6d5568 [deprecation] Marked AccessLevel.MODULE as deprecated. It was written for a...
• 492011d Refactored to use Javac/Eclipse utility function
• c1f7f66 Update copyright in logger files
• f63f40a Add myself to AUTHORS
• 9152c34 Fix failing tests
• Additional commits viewable in compare view

Updates dnsjava:dnsjava from 3.6.3 to 3.6.4

Release notes

Sourced from dnsjava:dnsjava's releases.

v3.6.4

• Fix Zone-class serialization (#391)
• Avoid Double DNS Lookup for Names with Labels >= ndots (#388)
• Prevent NPE when calling Message#getTSIG() on DNS request with bad header (#384)
• Unwrap an exception in the legacy callback-based async interface (#383)
• Prevent ConcurrentModificationException in NIO clients (#379, @​bhaveshthakker)
• Handle null in all setSearchPath overloads equally (#157)
• Reduce warning level of invalid hosts file entries (#371)
• Remove a lock on the hot-path in the hosts file parser (#371)
• DoH Resolver makes use of the Multi-Release jar and tests are executed for Java 8 and 11+ implementations (#385)
• Fix DoH Resolver initial request delay (#385)

Full Changelog: dnsjava/dnsjava@v3.6.3...v3.6.4

Changelog

Sourced from dnsjava:dnsjava's changelog.

01/18/2026

• 3.6.4 released
• Fix Zone-class serialization (#391)
• Avoid Double DNS Lookup for Names with Labels >= ndots (#388)
• Prevent NPE when calling Message#getTSIG() on DNS request with bad header (#384)
• Unwrap an exception in the legacy callback-based async interface (#383)
• Prevent ConcurrentModificationException in NIO clients (#379, @​bhaveshthakker)
• Handle null in all setSearchPath overloads equally (#157)
• Reduce warning level of invalid hosts file entries (#371)
• Remove a lock on the hot-path in the hosts file parser (#371)
• DoH Resolver makes use of the Multi-Release jar and tests are executed for Java 8 and 11+ implementations (#385)
• Fix DoH Resolver initial request delay (#385)

01/26/2025

• 3.6.3 released
• Support custom hosts file size (@​flaming-archer, #349)
• Fix origin handling in zone loaded from file or stream (#346)
• Prevent TCP port leak when closing IO (#351)
• Fix confusing parameter name in CNAMERecord (@​chkal, #354)
• Optionally disable ShutdownHook in NioClient (@​SvenssonWeb, #359)
• TSIG algorithm names from RFC 8945
• Message.toWire can exceed MAXLENGTH (#355)
• TCP query might fail if the shared buffer is full (#357)
• Dynamic updates silently truncates records (#356)
• Fix DoH initial request using recommended nanoTime calculation (@​LinZong, #345)

09/21/2024

• 3.6.2 released
• Add new IANA Trust Anchor (@​technolord, #337)
• Fix Zone handling with signed SOA (@​frankarinnet, #335)

07/28/2024

• 3.6.1 released
• Properly fix LookupSession doesn't cache CNAMEs (#316)
• Move JEP-418 SPI to Java 18 to support EOL workflows (#329)

07/21/2024

• 3.6.0 released
• Fix CVE-2024-25638 (GHSA-cfxw-4h78-h7fw) Lookup and LookupSession do not sanitize input properly, allowing to smuggle additional responses, even with DNSSEC. I would like to thank Thomas Bellebaum from Fraunhofer AISEC (@​bellebaum) and Martin Schanzenbach (@​schanzen) for reporting and assisting me with this issue.
• Fix CVE-2023-50387 (GHSA-crjg-w57m-rqqf) Denial-of-Service Algorithmic Complexity Attacks (KeyTrap)

... (truncated)

Commits

• 71fc443 Release v3.6.4
• 7b7c929 Downgrade/Upgrade spotless for various Java versions
• 6f65a36 Replace defunct Maven Central badge
• f660842 Update dependencies, support Java 25 builds
• 34ba40e Prevent NPE during shutdown when the hook is already released
• 865240c Fix and validate Zone serialization via Java objects
• 6a0a1d7 Prevent identical queries for names exceeding ndots
• 4b84d92 Migrate ossrh to central publisher portal
• 5ac65c2 Remove deprecated Maven flags
• 793cd22 Improve log message
• Additional commits viewable in compare view

Updates org.apache.httpcomponents.client5:httpclient5 from 5.4.3 to 5.6

Changelog

Sourced from org.apache.httpcomponents.client5:httpclient5's changelog.

Release 5.6 ALPHA1

This is the first ALPHA release in the 5.6 release series. It adds several features such as transport content decompression and content compression for the async transport, support for Unix sockets, experimental support for SCRAM-SHA-256 authentication scheme, and Micrometer/OTel observations & metrics.

Commons Compress, Brotli codec, and ZStd codec are optional dependencies and get wired into the execution pipeline only if present on the classpath.

Notable changes and features included in the 5.6 series:

• Unix domain socket support.

• Support for pluggable content codecs via Commons-Compress in the classic transport. (optional).

• Support for transparent content decompression and content compression with deflate, gzip, zstd (optional), and brotli (optional) codecs in the async transport.

• Micrometer/OTel observations & metrics (optinal).

• Off-lock connection disposal by the classic pooling connection manager. Experimental.

• SCRAM-SHA-256 authentication scheme (RFC 7804). Experimental.

• Request Priority support (RFC 9218). Experimental.

Compatibility notes:

• As of this version, HttpClient uses BUILTIN HostnameVerificationPolicy by default, delegating host verification to JSSE security manager. One must explicitly configure the TLS strategy to continue using the hostname verifier shipped with HttpClient.

• Five-second TCP keep-alive is now enabled by default.

Change Log

• RequestConfig: Un-deprecate #setProxy. Contributed by Ryan Schmitt

• Stale connection check support in PoolingAsyncClientConnectionManager. Contributed by Ryan Schmitt

• ConnectionConfig: #idleTimeout support. Contributed by Ryan Schmitt

... (truncated)

Commits

• decd193 HttpClient 5.6 release
• 11ea8e5 Updated release notes for HttpClient 5.6 release
• 77fa61a Limit the length of content codec list that can be processed automatically
• 81b7971 Upgraded HttpCore to version 5.4
• 2c7fe0f Add OFFLOCK pool concurrency policy backed by RouteSegmentedConnPool (#765)
• 1f4dea7 Fixed Micrometer and OpenTelemetry dependency declaration
• d2fadd2 Tag TLS handshake timeout tests with slow
• e52e466 TestTlsHandshakeTimeout: Disable assertions on Java 8
• 77f52f0 Upgraded HttpClient version to 5.6-alpha2-SNAPSHOT
• 48e0f25 HttpClient 5.6-alpha1 release
• Additional commits viewable in compare view

Updates org.apache.httpcomponents.client5:httpclient5-fluent from 5.4.4 to 5.6

Changelog

Sourced from org.apache.httpcomponents.client5:httpclient5-fluent's changelog.

Release 5.6 ALPHA1

This is the first ALPHA release in the 5.6 release series. It adds several features such as transport content decompression and content compression for the async transport, support for Unix sockets, experimental support for SCRAM-SHA-256 authentication scheme, and Micrometer/OTel observations & metrics.

Commons Compress, Brotli codec, and ZStd codec are optional dependencies and get wired into the execution pipeline only if present on the classpath.

Notable changes and features included in the 5.6 series:

• Unix domain socket support.

• Support for pluggable content codecs via Commons-Compress in the classic transport. (optional).

• Support for transparent content decompression and content compression with deflate, gzip, zstd (optional), and brotli (optional) codecs in the async transport.

• Micrometer/OTel observations & metrics (optinal).

• Off-lock connection disposal by the classic pooling connection manager. Experimental.

• SCRAM-SHA-256 authentication scheme (RFC 7804). Experimental.

• Request Priority support (RFC 9218). Experimental.

Compatibility notes:

• As of this version, HttpClient uses BUILTIN HostnameVerificationPolicy by default, delegating host verification to JSSE security manager. One must explicitly configure the TLS strategy to continue using the hostname verifier shipped with HttpClient.

• Five-second TCP keep-alive is now enabled by default.

Change Log

• RequestConfig: Un-deprecate #setProxy. Contributed by Ryan Schmitt

• Stale connection check support in PoolingAsyncClientConnectionManager. Contributed by Ryan Schmitt

• ConnectionConfig: #idleTimeout support. Contributed by Ryan Schmitt

... (truncated)

Commits

• decd193 HttpClient 5.6 release
• 11ea8e5 Updated release notes for HttpClient 5.6 release
• 77fa61a Limit the length of content codec list that can be processed automatically
• 81b7971 Upgraded HttpCore to version 5.4
• 2c7fe0f Add OFFLOCK pool concurrency policy backed by RouteSegmentedConnPool (#765)
• 1f4dea7 Fixed Micrometer and OpenTelemetry dependency declaration
• d2fadd2 Tag TLS handshake timeout tests with slow
• e52e466 TestTlsHandshakeTimeout: Disable assertions on Java 8
• 77f52f0 Upgraded HttpClient version to 5.6-alpha2-SNAPSHOT
• 48e0f25 HttpClient 5.6-alpha1 release
• Additional commits viewable in compare view

Updates org.apache.httpcomponents.client5:httpclient5-fluent from 5.4.4 to 5.6

Changelog

Sourced from org.apache.httpcomponents.client5:httpclient5-fluent's changelog.

Release 5.6 ALPHA1

This is the first ALPHA release in the 5.6 release series. It adds several features such as transport content decompression and content compression for the async transport, support for Unix sockets, experimental support for SCRAM-SHA-256 authentication scheme, and Micrometer/OTel observations & metrics.

Commons Compress, Brotli codec, and ZStd codec are optional dependencies and get wired into the execution pipeline only if present on the classpath.

Notable changes and features included in the 5.6 series:

• Unix domain socket support.

• Support for pluggable content codecs via Commons-Compress in the classic transport. (optional).

• Support for transparent content decompression and content compression with deflate, gzip, zstd (optional), and brotli (optional) codecs in the async transport.

• Micrometer/OTel observations & metrics (optinal).

• Off-lock connection disposal by the classic pooling connection manager. Experimental.

• SCRAM-SHA-256 authentication scheme (RFC 7804). Experimental.

• Request Priority support (RFC 9218). Experimental.

Compatibility notes:

• As of this version, HttpClient uses BUILTIN HostnameVerificationPolicy by default, delegating host verification to JSSE security manager. One must explicitly configure the TLS strategy to continue using the hostname verifier shipped with HttpClient.

• Five-second TCP keep-alive is now enabled by default.

Change Log

• RequestConfig: Un-deprecate #setProxy. Contributed by Ryan Schmitt

• Stale connection check support in PoolingAsyncClientConnectionManager. Contributed by Ryan Schmitt

• ConnectionConfig: #idleTimeout support. Contributed by Ryan Schmitt

... (truncated)

Commits

• decd193 HttpClient 5.6 release
• 11ea8e5 Updated release notes for HttpClient 5.6 release
• 77fa61a Limit the length of content codec list that can be processed automatically
• 81b7971 Upgraded HttpCore to version 5.4
• 2c7fe0f Add OFFLOCK pool concurrency policy backed by RouteSegmentedConnPool (#765)
• 1f4dea7 Fixed Micrometer and OpenTelemetry dependency declaration
• d2fadd2 Tag TLS handshake timeout tests with slow
• e52e466 TestTlsHandshakeTimeout: Disable assertions on Java 8
• 77f52f0 Upgraded HttpClient version to 5.6-alpha2-SNAPSHOT
• 48e0f25 HttpClient 5.6-alpha1 release
• Additional commits viewable in compare view

Updates ch.qos.logback:logback-classic from 1.5.18 to 1.5.25

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.24

2026-01-06 Release of logback version 1.5.24

• Added ExpressionPropertyCondition a PropertyCondition that can evaluate boolean expressions similar to Java. See the relevant documentation for further details.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 62bc5fc245dd3a52f3dd45e232733f4cefb4806d associated with the tag v_1.5.24. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.23

2025-12-21 Release of logback version 1.5.23

• In response to issues/959 file name collisions are detected at configuration time by analyzing the configuration file and no longer at run time. This avoids the ConcurrentModificationException reported in the issue.

• ZIP and XZ compression now use a BufferedOutputStream when writing to the compressed file. This issue was reported in issues/988.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 0bcc3feb54a6d99caac70969ee5f8334aad1fbaf associated with the tag v_1.5.23. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.22

2025-12-11 Release of logback version 1.5.22

• In order to prevent involuntary information leakage, Logback will no longer output the value of a substituted variable, if the variable name contains any of the case-insensitive strings "password", "secret" or "confidential". This problem was reported by Chintan Rohila in issues/986.

• Logback now takes the overridden toString() method of Throwable subclasses into account when printing stack traces. This issue was reported in LOGBACK-543 by Alvin Chee, with a fix provided in PR 404 by Brett Kail.

• Instead of limit-counting guard, Logback now uses a tumbling-window guard to rate limit internal error messages.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 572379aabd2f672b49593e4020696c624541e5b0 associated with the tag v_1.5.22. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.21

2025-11-10 Release of logback version 1.5.21

• Invocations of turbo filters in isDebugEnabled, isInfoEnabled()... remain as they were, untouched. However, any installed instances of TurboFilter are now invoked also from within the log(LoggingEvent) method of Logger with the contents of the LoggingEvent, typically via the fluent API. This fixes issues/871.

• Removed reentry-guard in most subclasses of UnsynchronizedAppenderBase where it was not needed.

• Initialization procedure has been simplified by removing the step instantiating a SerializedModelConfigurator. However, it is still possible to set up SerializedModelConfigurator as a custom configurator.

• JsonEncoder is now friendlier to derivation by sub-classes as requested in issues/979.

• Fixed XMLLayout thread safety issue reported in LOGBACK-427.

• Removed superfluous buffering in Zip, GZ and XZ compression code.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit fed6f37ffe3449e40f6a9fffe050936a33116bd1 associated with the tag v_1.5.21. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.20

2025-10-19 Release of logback version 1.5.20

• Due to potential vulnerabilities associated with dynamic, i.e. runtime, java code compilation and execution (using Janino), the 'condition' attribute within the <if> element is deprecated and will be removed in 2027.

An online migration service is provided to help with the transition.

... (truncated)

Commits

• f426e00 prepare release of 1.5.25
• d28931f restrict object creation to expected supertype
• aa264f7 test default variable values in appender-ref ref attribute
• 8fb403a adjust copyright year
• b294a12 check optionList in start()
• b65040a Add EpochConverter for milliseconds/seconds since epoch (related to issue #96...
• 0690174 cla for Duncan Jauncey
• 71dc2af Removed email address for Tony.
• 1f97ae1 check for undeclared by referenced appenders
• b07355e Move the artifact version checking code to VersionUtil in logback-core.
• Additional commits viewable in compare view

Updates org.bouncycastle:bcprov-jdk18on from 1.80 to 1.83

Changelog

Sourced from org.bouncycastle:bcprov-jdk18on's changelog.

2.1.1 Version Release: 1.84 Date:      TBD

2.2.1 Version Release: 1.83 Date:      2025, November 27th.

... (truncated)

Commits

• See full diff in compare view

Updates org.bouncycastle:bcpkix-jdk18on from 1.80 to 1.83

Changelog

Sourced from org.bouncycastle:bcpkix-jdk18on's changelog.

2.1.1 Version Release: 1.84 Date:      TBD

2.2.1 Version Release: 1.83 Date:      2025, November 27th.

... (truncated)

Commits

• See full diff in compare view

Updates org.bouncycastle:bcpkix-jdk18on from 1.80 to 1.83

Changelog

Sourced from org.bouncycastle:bcpkix-jdk18on's changelog.

2.1.1 Version Release: 1.84 Date:      TBD

2.2.1 Version Release: 1.83 Date:      2025, November 27th.

... (truncated)

Commits

• See full diff in compare view

Updates com.ibm.icu:icu4j from 77.1 to 78.2

Release notes

Sourced from com.ibm.icu:icu4j's releases.

ICU 78.2

We are pleased to announce the release of Unicode® ICU 78.2. It updates to CLDR 48.1. These are maintenance releases for ICU 78 and CLDR 48, with limited sets of bug fixes and no API or structural changes.

ICU 78.2 also includes a small number of bug fixes, as well as a minor update for time zone data (tzdata) version 2025c (2025-dec) ICU-23296.

• List of tickets fixed in ICU 78.2

Changes in ICU 78.2:

• C++ ucasemap_setLocale() better handles errors in reading uninitialized memory from a bogus locale ID
• Java & C++ yield the correct long time zone name for Europe/Dublin
• C++ fixes a build issue on the clang-cl compiler related to the 'dllexport' attribute
• C++ fixes a build issue when operator+ on UnicodeString is used with non-ICU code when ICU headers are included
• List of all tickets fixed in ICU 78.2

For details, please see https://unicode-org.github.io/icu/download/78.html.

ICU 78.1

We are pleased to announce the release of Unicode® ICU 78. It updates to Unicode 17 (blog), including new characters and scripts, emoji, collation & IDNA changes, and corresponding APIs and implementations.

It also updates to CLDR 48 (beta blog) locale data with new locales, and various additions and corrections.

• Details: ICU 78.
• Download: releases/tag/release-78.1
• Maven: com.ibm.icu / icu4j / version 78.1

In Java, there is a draft new Segmenter API which is easier and safer to use than BreakIterator. In C++, there is a new set of APIs for Unicode string (UTF-8/16/32) code point iteration that works seamlessly with modern C++ iterators and ranges.

The Java implementation of the CLDR MessageFormat 2.0 specification has been updated to CLDR 48. The core API has been upgraded to “draft”, while the Data Model API remains in technology preview.

The C++ implementation of MessageFormat 2.0 is at CLDR 47 level and remains in technology preview.

ICU 78 and CLDR 48 are major releases, including a new version of Unicode and major locale data improvements.

ICU 78 RC

We are pleased to announce the release candidate for Unicode® ICU 78. It ...

Description has been truncated

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.