chore(deps): bump the low-risk group with 10 updates

[dependabot]

Bumps the low-risk group with 10 updates:

Package	From	To
ch.qos.logback:logback-core	1.5.21	1.5.22
ch.qos.logback:logback-classic	1.5.21	1.5.22
org.mockito:mockito-junit-jupiter	5.20.0	5.21.0
io.projectreactor:reactor-bom	2025.0.0	2025.0.1
io.projectreactor.netty:reactor-netty-core	1.3.0	1.3.1
io.netty:netty-codec-http	4.2.7.Final	4.2.8.Final
io.netty:netty-codec	4.2.7.Final	4.2.8.Final
io.netty:netty-common	4.2.7.Final	4.2.8.Final
io.netty:netty-handler	4.2.7.Final	4.2.8.Final
com.puppycrawl.tools:checkstyle	12.2.0	12.3.0

Updates ch.qos.logback:logback-core from 1.5.21 to 1.5.22

Release notes

Sourced from ch.qos.logback:logback-core's releases.

Logback 1.5.22

2025-12-11 Release of logback version 1.5.22

• In order to prevent involuntary information leakage, Logback will no longer output the value of a substituted variable, if the variable name contains any of the case-insensitive strings "password", "secret" or "confidential". This problem was reported by Chintan Rohila in issues/986.

• Logback now takes the overridden toString() method of Throwable subclasses into account when printing stack traces. This issue was reported in LOGBACK-543 by Alvin Chee, with a fix provided in PR 404 by Brett Kail.

• Instead of limit-counting guard, Logback now uses a tumbling-window guard to rate limit internal error messages.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 572379aabd2f672b49593e4020696c624541e5b0 associated with the tag v_1.5.22. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Commits

• 572379a prepare release 1.5.22
• 39d17ea fix status printing of variable substitution when the variable name contains ...
• 75509a9 fix PR 404, LOGBACK-543
• 8eb9356 remove unused import
• 6131a3a use a slightly more sophisticated guard for printing status messages
• 9efca21 add no-args constructor to support various serialization frameworks
• 1bea580 minor comment edits
• bd07fdd update angus, greenmail versions
• aef993c start work on 1.5.22-SNAPSHOT
• See full diff in compare view

Updates ch.qos.logback:logback-classic from 1.5.21 to 1.5.22

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.22

2025-12-11 Release of logback version 1.5.22

• In order to prevent involuntary information leakage, Logback will no longer output the value of a substituted variable, if the variable name contains any of the case-insensitive strings "password", "secret" or "confidential". This problem was reported by Chintan Rohila in issues/986.

• Logback now takes the overridden toString() method of Throwable subclasses into account when printing stack traces. This issue was reported in LOGBACK-543 by Alvin Chee, with a fix provided in PR 404 by Brett Kail.

• Instead of limit-counting guard, Logback now uses a tumbling-window guard to rate limit internal error messages.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 572379aabd2f672b49593e4020696c624541e5b0 associated with the tag v_1.5.22. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Commits

• 572379a prepare release 1.5.22
• 39d17ea fix status printing of variable substitution when the variable name contains ...
• 75509a9 fix PR 404, LOGBACK-543
• 8eb9356 remove unused import
• 6131a3a use a slightly more sophisticated guard for printing status messages
• 9efca21 add no-args constructor to support various serialization frameworks
• 1bea580 minor comment edits
• bd07fdd update angus, greenmail versions
• aef993c start work on 1.5.22-SNAPSHOT
• See full diff in compare view

Updates ch.qos.logback:logback-classic from 1.5.21 to 1.5.22

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.22

2025-12-11 Release of logback version 1.5.22

• In order to prevent involuntary information leakage, Logback will no longer output the value of a substituted variable, if the variable name contains any of the case-insensitive strings "password", "secret" or "confidential". This problem was reported by Chintan Rohila in issues/986.

• Logback now takes the overridden toString() method of Throwable subclasses into account when printing stack traces. This issue was reported in LOGBACK-543 by Alvin Chee, with a fix provided in PR 404 by Brett Kail.

• Instead of limit-counting guard, Logback now uses a tumbling-window guard to rate limit internal error messages.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 572379aabd2f672b49593e4020696c624541e5b0 associated with the tag v_1.5.22. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Commits

• 572379a prepare release 1.5.22
• 39d17ea fix status printing of variable substitution when the variable name contains ...
• 75509a9 fix PR 404, LOGBACK-543
• 8eb9356 remove unused import
• 6131a3a use a slightly more sophisticated guard for printing status messages
• 9efca21 add no-args constructor to support various serialization frameworks
• 1bea580 minor comment edits
• bd07fdd update angus, greenmail versions
• aef993c start work on 1.5.22-SNAPSHOT
• See full diff in compare view

Updates org.mockito:mockito-junit-jupiter from 5.20.0 to 5.21.0

Release notes

Sourced from org.mockito:mockito-junit-jupiter's releases.

v5.21.0

Changelog generated by Shipkit Changelog Gradle Plugin

5.21.0

• 2025-12-09 - 17 commit(s) by Giulio Longfils, Joshua Selbo, Woongi9, Zylox, dependabot[bot]
• Bump graalvm/setup-graalvm from 1.4.3 to 1.4.4 [(#3768)](mockito/mockito#3768)
• Bump graalvm/setup-graalvm from 1.4.2 to 1.4.3 [(#3767)](mockito/mockito#3767)
• Bump actions/checkout from 5 to 6 [(#3765)](mockito/mockito#3765)
• Adds output of matchers to potential mismatch; Fixes #2468 [(#3760)](mockito/mockito#3760)
• Forbid mocking WeakReference with inline mock maker [(#3759)](mockito/mockito#3759)
• StackOverflowError when mocking WeakReference [(#3758)](mockito/mockito#3758)
• Bump actions/upload-artifact from 4 to 5 [(#3756)](mockito/mockito#3756)
• Bump graalvm/setup-graalvm from 1.4.1 to 1.4.2 [(#3755)](mockito/mockito#3755)
• Support primitives in GenericArrayReturnType. [(#3753)](mockito/mockito#3753)
• ClassNotFoundException when stubbing array of primitive type on Android [(#3752)](mockito/mockito#3752)
• Bump graalvm/setup-graalvm from 1.4.0 to 1.4.1 [(#3744)](mockito/mockito#3744)
• Bump gradle/actions from 4 to 5 [(#3743)](mockito/mockito#3743)
• Bump org.graalvm.buildtools.native from 0.11.0 to 0.11.1 [(#3738)](mockito/mockito#3738)
• Bump com.diffplug.spotless:spotless-plugin-gradle from 7.2.1 to 8.0.0 [(#3735)](mockito/mockito#3735)
• Bump graalvm/setup-graalvm from 1.3.7 to 1.4.0 [(#3734)](mockito/mockito#3734)
• Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 [(#3733)](mockito/mockito#3733)
• Bump errorprone from 2.41.0 to 2.42.0 [(#3732)](mockito/mockito#3732)
• Feat: automatically detect class to mock in mockStatic and mockConstruction [(#3731)](mockito/mockito#3731)
• Return completed futures for unstubbed Future/CompletionStage in ReturnsEmptyValues [(#3727)](mockito/mockito#3727)
• automatically detect class to mock [(#2779)](mockito/mockito#2779)
• Incorrect "has following stubbing(s) with different arguments" message when using Argument Matchers [(#2468)](mockito/mockito#2468)

Commits

• 09d2230 Bump graalvm/setup-graalvm from 1.4.3 to 1.4.4 (#3768)
• df3e0cc Bump graalvm/setup-graalvm from 1.4.2 to 1.4.3 (#3767)
• 04a6e9f Bump actions/checkout from 5 to 6 (#3765)
• 756a3cf Add description of matchers to potential mismatch (#3760)
• 58ba445 Forbid mocking WeakReference with inline mock maker (#3759)
• 966d600 Bump actions/upload-artifact from 4 to 5 (#3756)
• 632bf7b Bump graalvm/setup-graalvm from 1.4.1 to 1.4.2 (#3755)
• 8564b43 Fix primitives support in GenericArrayReturnType for Android (#3753)
• bf3a809 Bump graalvm/setup-graalvm from 1.4.0 to 1.4.1 (#3744)
• cffddd4 Bump gradle/actions from 4 to 5 (#3743)
• Additional commits viewable in compare view

Updates io.projectreactor:reactor-bom from 2025.0.0 to 2025.0.1

Release notes

Sourced from io.projectreactor:reactor-bom's releases.

2025.0.1

2025.0.1 release train is made of:

• reactor-core 3.8.1
• reactor-pool 1.2.1
• reactor-netty 1.3.1

These artifacts didn't have any changes:

• reactor-addons 3.6.0
• reactor-kotlin-extensions 1.3.0

Commits

• 051dae8 [release] Prepare and release BOM 2025.0.1
• d48ecd5 Merge-ignore release 2024.0.13 into 2025.0.1
• 0f23353 [release] Back to snapshots, next BOM will be SR 14
• f3080c8 [release] Prepare and release BOM 2024.0.13
• efc1811 Merge #772 into 2025.0.1
• 9a84f6f Bump actions/setup-java from 5.0.0 to 5.1.0 (#772)
• 193a8e6 Merge #771 into 2025.0.1
• 4291d6e Bump actions/checkout from 6.0.0 to 6.0.1 (#771)
• 405aac6 Merge #770 into 2025.0.1
• f16710c Bump actions/checkout from 5.0.1 to 6.0.0 (#770)
• Additional commits viewable in compare view

Updates io.projectreactor.netty:reactor-netty-core from 1.3.0 to 1.3.1

Release notes

Sourced from io.projectreactor.netty:reactor-netty-core's releases.

v1.3.1

Reactor Netty 1.3.1 is part of 2025.0.1 Release Train.

What's Changed

✨ New features and improvements

• Depend on Reactor Core v3.8.1 by @​violetagg in 2c05ba7fcc6165daf4c713709a71deb38f9ce842, see release notes
• Support HTTP Authentication in HttpClient by @​raccoonback in #3813 and by @​violetagg in 4c2071fab83b8f97ce169fd407557871bf2a8b62, #4025, #4028

🐞 Bug fixes

• HTTP/3: Fix NullPointerException when configuring HttpClient#responseTimeout by @​violetagg in #3999
• Fix Http3.isHttp3Available() to check for native QUIC library by @​violetagg in #4013
• Enable lazy initialisation of proxy providers with configuration coming from system properties by @​violetagg in #4015

📖 Documentation

• Update HttpServer#compressOptions javadoc by @​violetagg in #4004
• Improve documentation clarity for HttpClient#followRedirect methods by @​violetagg in #4021

Full Changelog: reactor/reactor-netty@v1.3.0...v1.3.1

Commits

• 2c05ba7 [release] Prepare and release 1.3.1
• a2e8f88 Merge-ignore release 1.2.13 into 1.3.1
• bf40a0c [release] Back to snapshots, next is 1.2.14-SNAPSHOT
• bc2fb49 [release] Prepare and release 1.2.13
• 93c11c5 Fix authenticator invoked on redirect after authentication (#4028)
• a1e1e95 Merge #4027 into 1.3.1
• 0f08f5b Bump org.apache.tomcat.embed:tomcat-embed-core from 9.0.112 to 9.0.113 (#4027)
• 4634f6d Merge #4026 into 1.3.1
• 226526d Bump ruby/setup-ruby from 1.268.0 to 1.269.0 (#4026)
• 10f4593 [test] Remove duplications (#4025)
• Additional commits viewable in compare view

Updates io.netty:netty-codec-http from 4.2.7.Final to 4.2.8.Final

Commits

• e2d9d11 [maven-release-plugin] prepare release netty-4.2.8.Final
• 2f2e437 Merge commit from fork
• d011634 Build fixes to allow using the epoll native transport on Android (#16016)
• 14fc741 Correct codec-native-quic Fragment-Host (#16015)
• caa07bb Fix Socket reading of abstract unix domain addresses (#16010)
• 640b6b7 Fix - Http3FrameCodec decode fail during unknown settings (#15998)
• 35f6ad1 Prevent ManualEventLoop to block on a racy task submission (#15937)
• 2b29b5e Use exact length when allocating the acceptedAddress byte[] (#15973) (#15984)
• b1182ed Update lz4-java version to 1.10.1 (#15978)
• debdc56 Pcap: Fix possible buffer leak when initializion fails (#15975)
• Additional commits viewable in compare view

Updates io.netty:netty-codec from 4.2.7.Final to 4.2.8.Final

Commits

• e2d9d11 [maven-release-plugin] prepare release netty-4.2.8.Final
• 2f2e437 Merge commit from fork
• d011634 Build fixes to allow using the epoll native transport on Android (#16016)
• 14fc741 Correct codec-native-quic Fragment-Host (#16015)
• caa07bb Fix Socket reading of abstract unix domain addresses (#16010)
• 640b6b7 Fix - Http3FrameCodec decode fail during unknown settings (#15998)
• 35f6ad1 Prevent ManualEventLoop to block on a racy task submission (#15937)
• 2b29b5e Use exact length when allocating the acceptedAddress byte[] (#15973) (#15984)
• b1182ed Update lz4-java version to 1.10.1 (#15978)
• debdc56 Pcap: Fix possible buffer leak when initializion fails (#15975)
• Additional commits viewable in compare view

Updates io.netty:netty-common from 4.2.7.Final to 4.2.8.Final

Commits

• e2d9d11 [maven-release-plugin] prepare release netty-4.2.8.Final
• 2f2e437 Merge commit from fork
• d011634 Build fixes to allow using the epoll native transport on Android (#16016)
• 14fc741 Correct codec-native-quic Fragment-Host (#16015)
• caa07bb Fix Socket reading of abstract unix domain addresses (#16010)
• 640b6b7 Fix - Http3FrameCodec decode fail during unknown settings (#15998)
• 35f6ad1 Prevent ManualEventLoop to block on a racy task submission (#15937)
• 2b29b5e Use exact length when allocating the acceptedAddress byte[] (#15973) (#15984)
• b1182ed Update lz4-java version to 1.10.1 (#15978)
• debdc56 Pcap: Fix possible buffer leak when initializion fails (#15975)
• Additional commits viewable in compare view

Updates io.netty:netty-handler from 4.2.7.Final to 4.2.8.Final

Commits

• e2d9d11 [maven-release-plugin] prepare release netty-4.2.8.Final
• 2f2e437 Merge commit from fork
• d011634 Build fixes to allow using the epoll native transport on Android (#16016)
• 14fc741 Correct codec-native-quic Fragment-Host (#16015)
• caa07bb Fix Socket reading of abstract unix domain addresses (#16010)
• 640b6b7 Fix - Http3FrameCodec decode fail during unknown settings (#15998)
• 35f6ad1 Prevent ManualEventLoop to block on a racy task submission (#15937)
• 2b29b5e Use exact length when allocating the acceptedAddress byte[] (#15973) (#15984)
• b1182ed Update lz4-java version to 1.10.1 (#15978)
• debdc56 Pcap: Fix possible buffer leak when initializion fails (#15975)
• Additional commits viewable in compare view

Updates io.netty:netty-codec from 4.2.7.Final to 4.2.8.Final

Commits

• e2d9d11 [maven-release-plugin] prepare release netty-4.2.8.Final
• 2f2e437 Merge commit from fork
• d011634 Build fixes to allow using the epoll native transport on Android (#16016)
• 14fc741 Correct codec-native-quic Fragment-Host (#16015)
• caa07bb Fix Socket reading of abstract unix domain addresses (#16010)
• 640b6b7 Fix - Http3FrameCodec decode fail during unknown settings (#15998)
• 35f6ad1 Prevent ManualEventLoop to block on a racy task submission (#15937)
• 2b29b5e Use exact length when allocating the acceptedAddress byte[] (#15973) (#15984)
• b1182ed Update lz4-java version to 1.10.1 (#15978)
• debdc56 Pcap: Fix possible buffer leak when initializion fails (#15975)
• Additional commits viewable in compare view

Updates io.netty:netty-common from 4.2.7.Final to 4.2.8.Final

Commits

• e2d9d11 [maven-release-plugin] prepare release netty-4.2.8.Final
• 2f2e437 Merge commit from fork
• d011634 Build fixes to allow using the epoll native transport on Android (#16016)
• 14fc741 Correct codec-native-quic Fragment-Host (#16015)
• caa07bb Fix Socket reading of abstract unix domain addresses (#16010)
• 640b6b7 Fix - Http3FrameCodec decode fail during unknown settings (#15998)
• 35f6ad1 Prevent ManualEventLoop to block on a racy task submission (#15937)
• 2b29b5e Use exact length when allocating the acceptedAddress byte[] (#15973) (#15984)
• b1182ed Update lz4-java version to 1.10.1 (#15978)
• debdc56 Pcap: Fix possible buffer leak when initializion fails (#15975)
• Additional commits viewable in compare view

Updates io.netty:netty-handler from 4.2.7.Final to 4.2.8.Final

Commits

• e2d9d11 [maven-release-plugin] prepare release netty-4.2.8.Final
• 2f2e437 Merge commit from fork
• d011634 Build fixes to allow using the epoll native transport on Android (#16016)
• 14fc741 Correct codec-native-quic Fragment-Host (#16015)
• caa07bb Fix Socket reading of abstract unix domain addresses (#16010)
• 640b6b7 Fix - Http3FrameCodec decode fail during unknown settings (#15998)
• 35f6ad1 Prevent ManualEventLoop to block on a racy task submission (#15937)
• 2b29b5e Use exact length when allocating the acceptedAddress byte[] (#15973) (#15984)
• b1182ed Update lz4-java version to 1.10.1 (#15978)
• debdc56 Pcap: Fix possible buffer leak when initializion fails (#15975)
• Additional commits viewable in compare view

Updates com.puppycrawl.tools:checkstyle from 12.2.0 to 12.3.0

Release notes

Sourced from com.puppycrawl.tools:checkstyle's releases.

checkstyle-12.3.0

Checkstyle 12.3.0 - https://checkstyle.org/releasenotes.html#Release_12.3.0

New:

#18207 - IllegalImport: new property illegalModules to cover module imports #17223 - Google-style: New Check TextBlockGoogleStyleFormattingCheck

Bug fixes:

#18283 - Google style checks should allow _ keyword for anonymous variables

Commits

• 7cd24ce [maven-release-plugin] prepare release checkstyle-12.3.0
• 66da258 doc: release notes for 12.3.0
• f5bcfd8 Issue #18283: allow unnamed variables (_) in naming patterns
• 25322e2 Issue #17882: Update LITERAL_INLINE_TAG AST format
• 98c66e6 Issue #18272: Clone apache/kafka once KAFKA-19809 is merged
• 2cca325 dependency: bump actions/upload-artifact from 5 to 6
• e2c6a48 dependency: bump org.eclipse.jgit:org.eclipse.jgit
• f264b99 dependency: bump actions/cache from 4 to 5
• fbbddc0 Issue #17882: Update LEADING_ASTERISK of Javadoc CommentTokenTypes into AST f...
• 4d23c0b infra: move no-error-trino to no-error-workflow.yml
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[RichardSlater]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[RichardSlater]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[RichardSlater]

Standard change, low risk group.

[RichardSlater]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud