Bump the maven group across 2 directories with 5 updates

[dependabot]

Bumps the maven group with 3 updates in the /PaperSpigot-API directory: com.google.code.gson:gson, org.yaml:snakeyaml and junit:junit.
Bumps the maven group with 3 updates in the /PaperSpigot-Server directory: junit:junit, org.apache.logging.log4j:log4j-core and org.xerial:sqlite-jdbc.

Updates com.google.code.gson:gson from 2.2.4 to 2.8.9

Release notes

Sourced from com.google.code.gson:gson's releases.

Gson 2.8.9

• Make OSGi bundle's dependency on sun.misc optional (#1993).
• Deprecate Gson.excluder() exposing internal Excluder class (#1986).
• Prevent Java deserialization of internal classes (#1991).
• Improve number strategy implementation (#1987).
• Fix LongSerializationPolicy null handling being inconsistent with Gson (#1990).
• Support arbitrary Number implementation for Object and Number deserialization (#1290).
• Bump proguard-maven-plugin from 2.4.0 to 2.5.1 (#1980).
• Don't exclude static local classes (#1969).
• Fix RuntimeTypeAdapterFactory depending on internal Streams class (#1959).
• Improve Maven build (#1964).
• Make dependency on java.sql optional (#1707).

Gson 2.8.8

• Fixed issue with recursive types (#1390).
• Better behaviour with Java 9+ and Unsafe if there is a security manager (#1712).
• EnumTypeAdapter now works better when ProGuard has obfuscated enum fields (#1495).

Changelog

Sourced from com.google.code.gson:gson's changelog.

Version 2.8.9

• Make OSGi bundle's dependency on sun.misc optional (google/gson#1993).
• Deprecate Gson.excluder() exposing internal Excluder class (google/gson#1986).
• Prevent Java deserialization of internal classes (google/gson#1991).
• Improve number strategy implementation (google/gson#1987).
• Fix LongSerializationPolicy null handling being inconsistent with Gson (google/gson#1990).
• Support arbitrary Number implementation for Object and Number deserialization (google/gson#1290).
• Bump proguard-maven-plugin from 2.4.0 to 2.5.1 (google/gson#1980).
• Don't exclude static local classes (google/gson#1969).
• Fix RuntimeTypeAdapterFactory depending on internal Streams class (google/gson#1959).
• Improve Maven build (google/gson#1964).
• Make dependency on java.sql optional (google/gson#1707).

Version 2.8.8

• Fixed issue with recursive types (google/gson#1390).
• Better behaviour with Java 9+ and Unsafe if there is a security manager (google/gson#1712).
• EnumTypeAdapter now works better when ProGuard has obfuscated enum fields (google/gson#1495).

Version 2.8.7

• Fixed ISO8601UtilsTest failing on systems with UTC+X.
• Improved javadoc for JsonStreamParser.
• Updated proguard.cfg (google/gson#1693).
• Fixed IllegalStateException in JsonTreeWriter (google/gson#1592).
• Added JsonArray.isEmpty() (google/gson#1640).
• Added new test cases (google/gson#1638).
• Fixed OSGi metadata generation to work on JavaSE < 9 (google/gson#1603).

Version 2.8.6

2019-10-04 GitHub Diff

• Added static methods JsonParser.parseString and JsonParser.parseReader and deprecated instance method JsonParser.parse
• Java 9 module-info support

Version 2.8.5

2018-05-21 GitHub Diff

• Print Gson version while throwing AssertionError and IllegalArgumentException
• Moved utils.VersionUtils class to internal.JavaVersion. This is a potential backward incompatible change from 2.8.4
• Fixed issue google/gson#1310 by supporting Debian Java 9

Version 2.8.4

2018-05-01 GitHub Diff

• Added a new FieldNamingPolicy, LOWER_CASE_WITH_DOTS that mapps JSON name someFieldName to some.field.name
• Fixed issue google/gson#1305 by removing compile/runtime dependency on sun.misc.Unsafe

Version 2.8.3

2018-04-27 GitHub Diff

• Added a new API, GsonBuilder.newBuilder() that clones the current builder
• Preserving DateFormatter behavior on JDK 9

... (truncated)

Commits

• 6a368d8 [maven-release-plugin] prepare release gson-parent-2.8.9
• ba96d53 Fix missing bounds checks for JsonTreeReader.getPath() (#2001)
• ca1df7f #1981: Optional OSGi bundle's dependency on sun.misc package (#1993)
• c54caf3 Deprecate Gson.excluder() exposing internal Excluder class (#1986)
• e6fae59 Prevent Java deserialization of internal classes (#1991)
• bda2e3d Improve number strategy implementation (#1987)
• cd748df Fix LongSerializationPolicy null handling being inconsistent with Gson (#1990)
• fe30b85 Support arbitrary Number implementation for Object and Number deserialization...
• 1cc1627 Fix incorrect feature request template label (#1982)
• 7b9a283 Bump bnd-maven-plugin from 5.3.0 to 6.0.0 (#1985)
• Additional commits viewable in compare view

Updates org.yaml:snakeyaml from 1.15 to 2.0

Commits

• c98ffba issue 561: add negative test case
• e2ca740 Use Maven wrapper on github
• 49d91a1 Fix target for github
• 19e331d Disable toolchain for github
• 42c7812 Cobertura plugin does not work
• 03c82b5 Rename GlobalTagRejectionTest to be run by Maven
• 6e8cd89 Remove cobertura
• d9b0f48 Improve Javadoc
• 519791a Run install and site goals under docker
• 82f33d2 Merge branch 'master' into add-module-info
• Additional commits viewable in compare view

Updates junit:junit from 4.12 to 4.13.1

Release notes

Sourced from junit:junit's releases.

JUnit 4.13.1

Please refer to the release notes for details.

JUnit 4.13

Please refer to the release notes for details.

JUnit 4.13 RC 2

Please refer to the release notes for details.

JUnit 4.13 RC 1

Please refer to the release notes for details.

JUnit 4.13 Beta 3

Please refer to the release notes for details.

JUnit 4.13 Beta 2

Please refer to the release notes for details.

JUnit 4.13 Beta 1

Please refer to the release notes for details.

Commits

• 1b683f4 [maven-release-plugin] prepare release r4.13.1
• ce6ce3a Draft 4.13.1 release notes
• c29dd82 Change version to 4.13.1-SNAPSHOT
• 1d17486 Add a link to assertThrows in exception testing
• 543905d Use separate line for annotation in Javadoc
• 510e906 Add sub headlines to class Javadoc
• 610155b Merge pull request from GHSA-269g-pwp5-87pp
• b6cfd1e Explicitly wrap float parameter for consistency (#1671)
• a5d205c Fix GitHub link in FAQ (#1672)
• 3a5c6b4 Deprecated since jdk9 replacing constructor instance of Double and Float (#1660)
• Additional commits viewable in compare view

Updates junit:junit from 4.11 to 4.13.1

Release notes

Sourced from junit:junit's releases.

JUnit 4.13.1

Please refer to the release notes for details.

JUnit 4.13

Please refer to the release notes for details.

JUnit 4.13 RC 2

Please refer to the release notes for details.

JUnit 4.13 RC 1

Please refer to the release notes for details.

JUnit 4.13 Beta 3

Please refer to the release notes for details.

JUnit 4.13 Beta 2

Please refer to the release notes for details.

JUnit 4.13 Beta 1

Please refer to the release notes for details.

Commits

• 1b683f4 [maven-release-plugin] prepare release r4.13.1
• ce6ce3a Draft 4.13.1 release notes
• c29dd82 Change version to 4.13.1-SNAPSHOT
• 1d17486 Add a link to assertThrows in exception testing
• 543905d Use separate line for annotation in Javadoc
• 510e906 Add sub headlines to class Javadoc
• 610155b Merge pull request from GHSA-269g-pwp5-87pp
• b6cfd1e Explicitly wrap float parameter for consistency (#1671)
• a5d205c Fix GitHub link in FAQ (#1672)
• 3a5c6b4 Deprecated since jdk9 replacing constructor instance of Double and Float (#1660)
• Additional commits viewable in compare view

Updates org.apache.logging.log4j:log4j-core from 2.17.0 to 2.17.1

Updates org.xerial:sqlite-jdbc from 3.7.2 to 3.41.2.2

Release notes

Sourced from org.xerial:sqlite-jdbc's releases.

Release 3.41.2.2

Changelog

🚀 Features

jdbc

• add support for LocalDate, LocalTime, LocalDateTime in ResultSet#getObject (1d2ff63)
• implement PreparedStatement getParameterType and getParameterTypeName (bdb3d8a)

native-image

• resource optimization and configuration to export native lib (6f42683)

🐛 Fixes

• use random UUID for external resources (edb4b8a)

🛠 Build

deps

• bump native-maven-plugin from 0.9.21 to 0.9.22 (48e8ebe)
• bump graal-sdk from 22.3.0 to 22.3.2 (128d9b2)
• bump surefire.version from 3.0.0 to 3.1.0 (658e907)
• bump maven-gpg-plugin from 3.0.1 to 3.1.0 (f149f9f)
• bump jreleaser-maven-plugin from 1.5.1 to 1.6.0 (d028636)
• bump native-maven-plugin from 0.9.20 to 0.9.21 (08b5e35)
• bump maven-enforcer-plugin from 3.2.1 to 3.3.0 (3b3af82)
• bump maven-compiler-plugin from 3.10.1 to 3.11.0 (52b7701)
• bump versions-maven-plugin from 2.13.0 to 2.15.0 (a0e0191)
• bump maven-help-plugin from 3.3.0 to 3.4.0 (739a27c)

deps-dev

• bump junit-jupiter from 5.9.2 to 5.9.3 (e64e348)
• bump mockito-core from 5.3.0 to 5.3.1 (6e94e6b)
• bump logback-classic from 1.4.6 to 1.4.7 (5a4f485)
• bump mockito-core from 5.2.0 to 5.3.0 (d0adb0f)
• bump junit-pioneer from 2.0.0 to 2.0.1 (2b00983)
• bump junit-jupiter from 5.9.1 to 5.9.2 (c917e81)
• bump logback-classic from 1.4.5 to 1.4.6 (eab4939)

unscoped

• replace jdk 19 with 20 (0c5a645)
• replace asciidoc variables during release (0053e60)
• run spotless:check during maven verify phase (043efd7)

📝 Documentation

• use markdown for SECURITY.md because Github doesn't support Asciidoc (00e9c3f)
• convert markdown to asciidoc (fb0f263)

Contributors

We'd like to thank the following people for their contributions:

... (truncated)

Commits

• 080c808 chore(release): 3.41.2.2 [skip ci]
• edb4b8a fix: use random UUID for external resources
• 0c5a645 ci: replace jdk 19 with 20
• 48e8ebe build(deps): bump native-maven-plugin from 0.9.21 to 0.9.22
• 00e9c3f docs: use markdown for SECURITY.md because Github doesn't support Asciidoc
• 0053e60 ci: replace asciidoc variables during release
• fb0f263 docs: convert markdown to asciidoc
• 128d9b2 build(deps): bump graal-sdk from 22.3.0 to 22.3.2
• 658e907 build(deps): bump surefire.version from 3.0.0 to 3.1.0
• f149f9f build(deps): bump maven-gpg-plugin from 3.0.1 to 3.1.0
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by CodeRabbit

• Chores
  • Upgraded core dependencies for improved stability and compatibility:
    • Gson updated to 2.8.9
    • SnakeYAML updated to 2.0
    • JUnit updated to 4.13.1
    • Log4j Core updated to 2.17.1
    • SQLite JDBC updated to 3.41.2.2

[coderabbitai]

Walkthrough

Dependency version updates were made in two Maven modules. PaperSpigot-API/pom.xml updates gson, SnakeYAML, and JUnit versions. PaperSpigot-Server/pom.xml updates a JUnit property, Log4j Core, and SQLite JDBC versions. No code or plugin configuration changes were included.

Changes

Cohort / File(s)	Summary
API dependency bumps PaperSpigot-API/pom.xml	Updated dependencies: com.google.code.gson:gson 2.2.4 → 2.8.9, org.yaml:snakeyaml 1.15 → 2.0, junit:junit 4.12 → 4.13.1.
Server dependency bumps PaperSpigot-Server/pom.xml	Updated versions: property junit.version 4.11 → 4.13.1; dependencies org.apache.logging.log4j:log4j-core 2.17.0 → 2.17.1, org.xerial:sqlite-jdbc 3.7.2 → 3.41.2.2.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I hop through POMs with delicate care,
Nudging versions here and there.
Gson blooms, YAML’s anew,
JUnit, Log4j, SQLite too.
Carrots compiled, builds run bright—
Dependency garden trimmed just right. 🥕✨

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch dependabot/maven/PaperSpigot-API/maven-2b94989a48

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[virtualWinter]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

PaperSpigot-Server/pom.xml (1)

72-77: sqlite-jdbc jump (3.7.2 → 3.41.2.2): test native extraction on multiple OSes; watch shaded fat-jar size.

This is a large upgrade spanning many native loader changes. Since the server jar is shaded, validate:

• Driver auto-loading still occurs (JDBC 4) and no “no suitable driver” issues.
• Native extraction works on Linux and Windows (paths and tmp perms can bite CI/containers).

Please smoke-test DB features on Linux and Windows. If you see native extraction issues, consider excluding sqlite-jdbc from shading and loading it on the classpath instead.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled
• Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between f2c8b2b and 836c76e.

📒 Files selected for processing (2)

• PaperSpigot-API/pom.xml (3 hunks)
• PaperSpigot-Server/pom.xml (3 hunks)

🔇 Additional comments (4)

PaperSpigot-Server/pom.xml (2)

14-14: JUnit bump to 4.13.1 looks safe; confirm Surefire compatibility.

Given you’re on maven-surefire-plugin 2.18 (Lines 267-276), JUnit 4.13.1 is supported. No action needed beyond a quick test run.

Please run your unit tests locally to confirm no JUnit rule/assumption changes affect legacy tests.

---

45-49: Please verify Log4j alignment and clean up the stray comment

• The Maven Shade Plugin correctly excludes all org/apache/logging/log4j/** classes from the org.spigotmc:minecraft-server artifact, so your shaded JAR won’t bundle any old Log4j bits.
• You’ve added log4j-core:2.17.1, which transitively pulls in log4j-api:2.17.1, but we can’t run Maven here. On your machine, please run:

  mvn -q -pl PaperSpigot-Server -am dependency:tree | grep -i 'log4j'

  to confirm that both log4j-api and log4j-core resolve to 2.17.1. If you spot any other versions, add an explicit <dependency> on org.apache.logging.log4j:log4j-api:2.17.1 to force alignment.
• Nit: the comment on the SpecialSource plugin version is misleading. In your POM around line 232, update or remove:

  -    <version>1.2.3</version> <!-- paper - bump log4j -->
  +    <version>1.2.3</version> <!-- paper – specialsource-maven-plugin version bump -->

PaperSpigot-API/pom.xml (2)

79-82: Gson 2.8.9 upgrade: OK; watch for subtle serialization differences from 2.2.4.

This brings years of fixes. In rare cases, older custom TypeAdapters/InstanceCreators rely on pre-2.5 behavior. Run API serialization tests to be safe.

If you have JSON golden files, re-run them to confirm no output diffs. If diffs appear, pin a date format via GsonBuilder for stability.

---

105-109: JUnit 4.13.1 for API tests: LGTM.

Brings small fixes without changing test semantics. No additional changes expected.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

SnakeYAML 2.0 can be breaking vs 1.15; scan for old constructors/usages.

2.x tightened/removed some deprecated APIs and encourages configuring LoaderOptions/DumperOptions explicitly. Legacy calls like new Yaml(new Constructor(...)) may need option objects.

Run this repo-wide check to spot likely breakers:

If you hit API breaks, consider upgrading to 1.33 as an interim (last 1.x with many fixes) or update code to pass LoaderOptions explicitly.

---

🏁 Script executed:

#!/bin/bash
# Look for common patterns that changed across 1.x -> 2.x
rg -n -C2 -tjava -e '\bnew\s+Yaml\s*\(' -e '\bnew\s+Constructor\s*\(' -e '\bDumperOptions\b' -e '\bLoaderOptions\b'

Length of output: 4003

---

Address SnakeYAML 2.0 compatibility issues

We’ve verified that upgrading to SnakeYAML 2.0 will break existing code paths that rely on the old constructor overloads and default option behaviors. In particular, the following locations need your attention:

• PaperSpigot-Server/src/main/java/org/bukkit/craftbukkit/CraftServer.java:
– Line 145: new Yaml(new SafeConstructor())
• PaperSpigot-API/src/main/java/org/bukkit/plugin/PluginDescriptionFile.java:
– Line 181: new Yaml(new SafeConstructor() { … })
• PaperSpigot-API/src/main/java/org/bukkit/configuration/file/YamlConfiguration.java:
– Lines 28–30:
• private final DumperOptions yamlOptions = new DumperOptions();
• private final Yaml yaml = new Yaml(new YamlConstructor(), yamlRepresenter, yamlOptions);

These usages rely on lax defaults that 2.x no longer provides. You’ve two paths forward:

1. Revert to the latest 1.x release (e.g. 1.33) to pick up bugfixes without breaking API changes.
2. Modernize your SnakeYAML calls by explicitly creating and passing LoaderOptions and DumperOptions instances configured to mirror the old defaults (or your desired behavior). For example:

   LoaderOptions loaderOpts = new LoaderOptions();
   loaderOpts.setAllowDuplicateKeys(true);
   // …set other options to restore legacy behavior…
   Yaml yaml = new Yaml(new SafeConstructor(loaderOpts), new Representer(), new DumperOptions());

Please update the impacted constructors and option setups before merging this dependency bump, or pin the version back to 1.x until you’ve completed the refactor.

🤖 Prompt for AI Agents

In PaperSpigot-API/pom.xml lines 90-94 and the referenced source files
(PaperSpigot-Server/src/main/java/org/bukkit/craftbukkit/CraftServer.java line
145; PaperSpigot-API/src/main/java/org/bukkit/plugin/PluginDescriptionFile.java
line 181;
PaperSpigot-API/src/main/java/org/bukkit/configuration/file/YamlConfiguration.java
lines 28-30) the project was updated to SnakeYAML 2.0 which changes constructor
overloads and defaults; fix by either reverting the dependency to the latest 1.x
(e.g. 1.33) in pom.xml, or update each Yaml instantiation to explicitly create
and pass LoaderOptions and DumperOptions configured to restore the previous
behavior (e.g., set allowDuplicateKeys and any other legacy flags on
LoaderOptions, construct SafeConstructor/Constructor with that LoaderOptions,
and pass matching DumperOptions/Representer) so the existing code paths keep
their prior semantics before merging.