build(deps): bump the low-risk group across 1 directory with 25 updates

[dependabot]

Bumps the low-risk group with 25 updates in the /api-tests directory:

Package	From	To
com.google.code.gson:gson	2.13.1	2.13.2
ch.qos.logback:logback-classic	1.5.18	1.5.27
io.cucumber:cucumber-java	7.33.0	7.34.2
io.cucumber:cucumber-junit-platform-engine	7.33.0	7.34.2
org.assertj:assertj-core	3.27.4	3.27.7
net.bytebuddy:byte-buddy	1.17.6	1.18.4
com.fasterxml.jackson.core:jackson-core	2.19.2	2.21.0
com.fasterxml.jackson.core:jackson-databind	2.19.2	2.21.0
com.fasterxml.jackson.core:jackson-annotations	2.19.2	2.21.0
io.netty:netty-codec-http	4.2.8.Final	4.2.9.Final
io.netty:netty-codec-http2	4.2.3.Final	4.2.9.Final
io.netty:netty-transport-native-epoll	4.2.3.Final	4.2.9.Final
com.google.guava:guava	33.4.8-jre	33.5.0-jre
org.projectlombok:lombok	1.18.38	1.18.42
org.apache.httpcomponents.client5:httpclient5	5.5	5.6
commons-codec:commons-codec	1.19.0	1.21.0
com.github.spotbugs:spotbugs	4.9.4	4.9.8
org.owasp:dependency-check-maven	12.1.9	12.2.0
org.codehaus.mojo:exec-maven-plugin	3.5.1	3.6.3
org.apache.maven.plugins:maven-surefire-plugin	3.5.3	3.5.4
org.apache.maven.plugins:maven-failsafe-plugin	3.5.3	3.5.4
org.apache.maven.plugins:maven-compiler-plugin	3.14.0	3.15.0
au.com.dius.pact.provider:maven	4.6.17	4.6.19
org.apache.maven.plugins:maven-pmd-plugin	3.27.0	3.28.0
com.github.spotbugs:spotbugs-maven-plugin	4.9.3.2	4.9.8.2

Updates com.google.code.gson:gson from 2.13.1 to 2.13.2

Release notes

Sourced from com.google.code.gson:gson's releases.

Gson 2.13.2

The main changes in this release are just newer dependencies.

What's Changed

• Improved packaging of JPMS module declaration in Gson jar
  This fixes an issue where Eclipse and VS Code users could not refer to the Gson module name com.google.gson. See issue google/gson#2679.
• Remove internal class GsonPreconditions by @​Marcono1234 in google/gson#2879
• Switch to using central-publishing-maven-plugin by @​eamonnmcmanus in google/gson#2900

New Contributors

• @​MukjepScarlet made their first contribution in google/gson#2852
• @​ChrisCraik made their first contribution in google/gson#2856

Full Changelog: google/gson@gson-parent-2.13.1...gson-parent-2.13.2

Commits

• 686fad7 [maven-release-plugin] prepare release gson-parent-2.13.2
• c2d252a Switch to using central-publishing-maven-plugin. (#2900)
• 69cb755 Bump the github-actions group with 5 updates (#2894)
• ea552c2 Bump the maven group across 1 directory with 3 updates (#2898)
• fdc616d Set top-level permissions for CodeQL workflow (#2889)
• 9334715 Create scorecard.yml (#2888)
• f7de5c2 Bump the maven group with 8 updates (#2885)
• 8c23cd3 Update sources to satisfy a new Error Prone check. (#2887)
• 5eab3ed Bump the github-actions group with 2 updates (#2886)
• 5f5c200 Bump the maven group across 1 directory with 10 updates (#2872)
• Additional commits viewable in compare view

Updates ch.qos.logback:logback-classic from 1.5.18 to 1.5.27

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.27

2026-01-30 Release of logback version 1.5.27

• Updated license to Eclipse Public License version 2.0 from version 1.0, retaining the GPL 2.1 dual-license.

• Fixed missing MDC data transmitted by SocketAppender reported in issues/1010 by Lars Vogel.

• Removed all Receiver classes and components which were already disabled for several years.

• Refactored file scanning code for improved clarity.

• In SizeAndTimeBasedRollingPolicy modified totalSizeCap and maxFileSize comparison to taking into account file compression. This fixes issues/1007.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 3618eb01aad6672f9cd250dccf7546a69cbe982f associated with the tag v_1.5.27. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.26

2026-01-25 Release of logback version 1.5.26

• InsertFromJNDIModelHandler was accessing javax.naming package forcing the inclusion of the optional java.naming module. This problem was raised in issues/1003 by Marius Hanl who also provided the relevant PR.

• In applications using shadow/fat/shade jars, module or package information could be lost. Thus, in the absence of version information, logback-classic would warn about version mismatches. Logback components now ship with properties files containing version information that survive shadow/fat/shade jars. This issue was reporteed in issues/1002 by Christoph Gritschenberger.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 33deb54506bbfaf1ff151f26f3a5f86936011619 associated with the tag v_1.5.26. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.25

2026-01-17 Release of logback version 1.5.25

• When processing configuration files, logback-core will now only instantiate components compatible with the class expected by the encapsulating class. This fixes an ACE vulnerability recorded as CVE-2026-1225.

• In configuration files, referencing a single undeclared appender would cause all referenced appenders to be skipped. This issue was discovered in issues/997.

• Added VersionUtil class to logback-core. This utility class checks for version compatibility issues and alerts the user if need be.

• Added EpochConverter to output milliseconds/seconds since epoch. This enhancement was requested by Duncan Jauncey in issues/1000 who also provided the relevant implementation PR.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit f426e0002800cfb507f393fcacffe0761a425220 associated with the tag v_1.5.25. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.24

2026-01-06 Release of logback version 1.5.24

• Added ExpressionPropertyCondition a PropertyCondition that can evaluate boolean expressions similar to Java. See the relevant documentation for further details.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 62bc5fc245dd3a52f3dd45e232733f4cefb4806d associated with the tag v_1.5.24. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.23

2025-12-21 Release of logback version 1.5.23

• In response to issues/959 file name collisions are detected at configuration time by analyzing the configuration file and no longer at run time. This avoids the ConcurrentModificationException reported in the issue.

• ZIP and XZ compression now use a BufferedOutputStream when writing to the compressed file. This issue was reported in issues/988.

... (truncated)

Commits

• 3618eb0 increase timeout delay to 2000 millis
• db150c3 prepare release 1.5.27
• 0370b13 fix missing MDC transmission in SocketAppender. Fixes issues/1010
• 8100acd remove RemoteAppender*
• 2b67210 remove Receiver related classes
• d84b586 remove ReceiverModelHandler - project still builds indicating no active usage
• 44049ed remove support for receivers in SerializedModelConfigurator and JoranConfigur...
• 56085d8 fix test
• e7764f4 refactor file change scanning for clarity
• e56a12f bump assertj version
• Additional commits viewable in compare view

Updates io.cucumber:cucumber-java from 7.33.0 to 7.34.2

Release notes

Sourced from io.cucumber:cucumber-java's releases.

v7.34.2

Fixed

• [Core] Reverted: Early filtering of anonymous classes for glue (#3158)

v7.34.1

Fixed

• Ensure dependencies converge (#3157

v7.34.0

Added

• [Core] Hide successful hooks by default in HTML report (cucumber/react-components#415)
• [Java] Support Provider instances with Pico Container (#2879, #3128 Stefan Gasterstädt)
• [Java] Add Step info to @BeforeStep and @AfterStep hooks (#3139, Menelaos Mamouzellos)

Changed

• [Core] Refactor internals to use messages-ndjson for serialization (#3138)
• [Core] Early filtering of anonymous classes for glue (#3150, Julien Kronegg)

Fixed

• [Core] Ignore all potential class loading issues (#3135, Christoph Läubrich)

Changelog

Sourced from io.cucumber:cucumber-java's changelog.

[7.34.2] - 2026-01-29

Fixed

• [Core] Reverted: Early filtering of anonymous classes for glue (#3158)

[7.34.1] - 2026-01-28

Fixed

• Ensure dependencies converge (#3157

[7.34.0] - 2026-01-28

Added

• [Core] Hide successful hooks by default in HTML report (cucumber/react-components#415)
• [Java] Support Provider instances with Pico Container (#2879, #3128 Stefan Gasterstädt)
• [Java] Add Step info to @BeforeStep and @AfterStep hooks (#3139, Menelaos Mamouzellos)

Changed

• [Core] Refactor internals to use messages-ndjson for serialization (#3138)
• [Core] Early filtering of anonymous classes for glue (#3150, Julien Kronegg)

Fixed

• [Core] Ignore all potential class loading issues (#3135, Christoph Läubrich)

Commits

• b5292ab Prepare release v7.34.2
• 3f97272 Revert "Avoid scanning anonymous classes (#3150)" (#3158)
• 26a7afa Update Revapi supressions (#3159)
• 2a1a3d6 Prepare for the next development iteration
• 88372a3 Prepare release v7.34.1
• 142b589 Ensure dependencies converge pt2
• 9e77642 Ensure dependencies converge
• 4d9dd93 Prepare for the next development iteration
• d16903c Prepare release v7.34.0
• 7948150 Update CHANGELOG
• Additional commits viewable in compare view

Updates io.cucumber:cucumber-junit-platform-engine from 7.33.0 to 7.34.2

Release notes

Sourced from io.cucumber:cucumber-junit-platform-engine's releases.

v7.34.2

Fixed

• [Core] Reverted: Early filtering of anonymous classes for glue (#3158)

v7.34.1

Fixed

• Ensure dependencies converge (#3157

v7.34.0

Added

• [Core] Hide successful hooks by default in HTML report (cucumber/react-components#415)
• [Java] Support Provider instances with Pico Container (#2879, #3128 Stefan Gasterstädt)
• [Java] Add Step info to @BeforeStep and @AfterStep hooks (#3139, Menelaos Mamouzellos)

Changed

• [Core] Refactor internals to use messages-ndjson for serialization (#3138)
• [Core] Early filtering of anonymous classes for glue (#3150, Julien Kronegg)

Fixed

• [Core] Ignore all potential class loading issues (#3135, Christoph Läubrich)

Changelog

Sourced from io.cucumber:cucumber-junit-platform-engine's changelog.

[7.34.2] - 2026-01-29

Fixed

• [Core] Reverted: Early filtering of anonymous classes for glue (#3158)

[7.34.1] - 2026-01-28

Fixed

• Ensure dependencies converge (#3157

[7.34.0] - 2026-01-28

Added

• [Core] Hide successful hooks by default in HTML report (cucumber/react-components#415)
• [Java] Support Provider instances with Pico Container (#2879, #3128 Stefan Gasterstädt)
• [Java] Add Step info to @BeforeStep and @AfterStep hooks (#3139, Menelaos Mamouzellos)

Changed

• [Core] Refactor internals to use messages-ndjson for serialization (#3138)
• [Core] Early filtering of anonymous classes for glue (#3150, Julien Kronegg)

Fixed

• [Core] Ignore all potential class loading issues (#3135, Christoph Läubrich)

Commits

• b5292ab Prepare release v7.34.2
• 3f97272 Revert "Avoid scanning anonymous classes (#3150)" (#3158)
• 26a7afa Update Revapi supressions (#3159)
• 2a1a3d6 Prepare for the next development iteration
• 88372a3 Prepare release v7.34.1
• 142b589 Ensure dependencies converge pt2
• 9e77642 Ensure dependencies converge
• 4d9dd93 Prepare for the next development iteration
• d16903c Prepare release v7.34.0
• 7948150 Update CHANGELOG
• Additional commits viewable in compare view

Updates io.cucumber:cucumber-junit-platform-engine from 7.33.0 to 7.34.2

Release notes

Sourced from io.cucumber:cucumber-junit-platform-engine's releases.

v7.34.2

Fixed

• [Core] Reverted: Early filtering of anonymous classes for glue (#3158)

v7.34.1

Fixed

• Ensure dependencies converge (#3157

v7.34.0

Added

• [Core] Hide successful hooks by default in HTML report (cucumber/react-components#415)
• [Java] Support Provider instances with Pico Container (#2879, #3128 Stefan Gasterstädt)
• [Java] Add Step info to @BeforeStep and @AfterStep hooks (#3139, Menelaos Mamouzellos)

Changed

• [Core] Refactor internals to use messages-ndjson for serialization (#3138)
• [Core] Early filtering of anonymous classes for glue (#3150, Julien Kronegg)

Fixed

• [Core] Ignore all potential class loading issues (#3135, Christoph Läubrich)

Changelog

Sourced from io.cucumber:cucumber-junit-platform-engine's changelog.

[7.34.2] - 2026-01-29

Fixed

• [Core] Reverted: Early filtering of anonymous classes for glue (#3158)

[7.34.1] - 2026-01-28

Fixed

• Ensure dependencies converge (#3157

[7.34.0] - 2026-01-28

Added

• [Core] Hide successful hooks by default in HTML report (cucumber/react-components#415)
• [Java] Support Provider instances with Pico Container (#2879, #3128 Stefan Gasterstädt)
• [Java] Add Step info to @BeforeStep and @AfterStep hooks (#3139, Menelaos Mamouzellos)

Changed

• [Core] Refactor internals to use messages-ndjson for serialization (#3138)
• [Core] Early filtering of anonymous classes for glue (#3150, Julien Kronegg)

Fixed

• [Core] Ignore all potential class loading issues (#3135, Christoph Läubrich)

Commits

• b5292ab Prepare release v7.34.2
• 3f97272 Revert "Avoid scanning anonymous classes (#3150)" (#3158)
• 26a7afa Update Revapi supressions (#3159)
• 2a1a3d6 Prepare for the next development iteration
• 88372a3 Prepare release v7.34.1
• 142b589 Ensure dependencies converge pt2
• 9e77642 Ensure dependencies converge
• 4d9dd93 Prepare for the next development iteration
• d16903c Prepare release v7.34.0
• 7948150 Update CHANGELOG
• Additional commits viewable in compare view

Updates org.assertj:assertj-core from 3.27.4 to 3.27.7

Release notes

Sourced from org.assertj:assertj-core's releases.

v3.27.7

🔒 Security

Core

• Fix XXE vulnerability in isXmlEqualTo assertion (CVE-2026-24400)
  • See GHSA-rqfh-9r24-8c9r for details; many thanks to @​wxt201 and @​Song-Li for responsibly reporting it!

🚫 Deprecated

Core

• Deprecate XmlStringPrettyFormatter with no replacement

🐛 Bug Fixes

Guava

• Navigation to assertj-core or guava types from assertj-guava Javadoc site has unnecessary header #3478

🔨 Dependency Upgrades

Core

• Upgrade to Byte Buddy 1.18.3
• Upgrade to JUnit BOM 5.14.1

Guava

• Upgrade to Guava 33.5.0-jre

v3.27.6

🐛 Bug Fixes

Core

• Add missing export for org.assertj.core.annotation #3951

❤️ Contributors

Thanks to all the contributors who worked on this release:

@​duponter

v3.27.5

⚡ Improvements

Core

• ByteBuddy in AssertJ 3.27.4 not compatible with Java 25 #3946

... (truncated)

Commits

• e840716 [maven-release-plugin] prepare release assertj-build-3.27.7
• 85ca7eb Deprecate XmlStringPrettyFormatter
• 77081dc Merge commit from fork
• b68fc24 Bump github/codeql-action from 4.31.9 to 4.31.10 in the github-actions group ...
• 0cf5bb6 Bump kotlin.version from 2.1.0 to 2.2.21
• d393ef1 Abort tests when symbolic links cannot be created (#3788)
• 2212433 Add IntelliJ custom inspection for test class names
• 5717d02 Update JetBrains icon
• a8ec20b Add icon for JetBrains products
• c05fb3d Bump Maven to 3.9.12 and Wrapper to 3.3.4
• Additional commits viewable in compare view

Updates net.bytebuddy:byte-buddy from 1.17.6 to 1.18.4

Release notes

Sourced from net.bytebuddy:byte-buddy's releases.

Byte Buddy 1.18.4

• Add support for new build description in Android 9.

Byte Buddy 1.18.3

• Avoid using Class File API when Byte Buddy is loaded on the boot loader where multi-release jars are not available.
• Add additional safety when processing class files with illegally formed parameters.
• Update to latest ASM.

Byte Buddy 1.18.2

• Support modifiers for value classes in Valhalla builds.
• Improve use of build cache in Gradle.

Byte Buddy 1.18.1

• Fix generated module-info to include new package.

Byte Buddy 1.18.0

• Add support for module-info class files and ModuleDescriptions.
• Allow for manipulating module information using the ByteBuddy API.

Byte Buddy 1.17.8

• Avoid use of types that are deprecated as of Java 26.
• Include ASM 9.9 that offers ASM support for Java 26.
• Make sure that generated code internal to Byte Buddy supports CDS if available.
• Update version of ASM to JDK Class File API bridge to fix some minor bugs related to type annotations.

Byte Buddy 1.17.7

• Specify correct JVM environment for Android builds when using the Gradle plugin.
• Avoid recomputing the size of a parameter list for performance reasons after measuring the significant impact.
• Correct validation of JVM names to avoid breaking when Java names are not allowed while JVM names are, with Kotlin and others.

Changelog

Sourced from net.bytebuddy:byte-buddy's changelog.

16. January 2026: version 1.18.4

• Add support for new build description in Android 9.

26. November 2025: version 1.18.3

• Avoid using Class File API when Byte Buddy is loaded on the boot loader where multi-release jars are not available.
• Add additional safety when processing class files with illegally formed parameters.
• Update to latest ASM.

26. November 2025: version 1.18.2

• Support modifiers for value classes in Valhalla builds.
• Improve use of build cache in Gradle.

12. November 2025: version 1.18.1

• Fix generated module-info to include new package.

11. November 2025: version 1.18.0

• Add support for module-info class files and ModuleDescriptions.
• Allow for manipulating module information using the ByteBuddy API.

8. October 2025: version 1.17.8

• Avoid use of types that are deprecated as of Java 26.
• Include ASM 9.9 that offers ASM support for Java 26.
• Make sure that generated code internal to Byte Buddy supports CDS if available.
• Update version of ASM to JDK Class File API bridge to fix some minor bugs related to type annotations.

17. August 2025: version 1.17.7

• Specify correct JVM environment for Android builds when using the Gradle plugin.
• Avoid recomputing the size of a parameter list for performance reasons after measuring the significant impact.
• Correct validation of JVM names to avoid breaking when Java names are not allowed while JVM names are, with Kotlin and others.

Commits

• c080180 [maven-release-plugin] prepare release byte-buddy-1.18.4
• 3e40080 [release] Release new version
• e94974f [release] Release new version
• b09ee41 Android 9 (#1881)
• 647b6d0 Update checksums.
• c6169a2 Do not run multi-release target on JDK8 publish.
• e049d8f Add profile for Java 8 release.
• 887ca37 Update internal Byte Buddy
• cdcbb65 [maven-release-plugin] prepare for next development iteration
• 6f358c8 [maven-release-plugin] prepare release byte-buddy-1.18.3
• Additional commits viewable in compare view

Updates com.fasterxml.jackson.core:jackson-core from 2.19.2 to 2.21.0

Commits

• 80fb536 [maven-release-plugin] prepare release jackson-core-2.21.0
• 9097789 Prep for 2.21.0 release
• d678c69 Javadoc fix for StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION (defaults to `...
• 67912b2 Minor improvement to UTF32Reader.read() bounds-checks
• ecf5de2 ...
• dbb1765 Merge branch '2.20' into 2.x
• 66a9467 Merge branch '2.19' into 2.20
• b46c0bd Merge branch '2.18' into 2.19
• fae2542 release notes update
• 70c99ba Update UTF8DataInputJsonParser.java (#1512)
• Additional commits viewable in compare view

Updates com.fasterxml.jackson.core:jackson-databind from 2.19.2 to 2.21.0

Commits

• See full diff in compare view

Updates com.fasterxml.jackson.core:jackson-annotations from 2.19.2 to 2.21.0

Updates com.fasterxml.jackson.core:jackson-databind from 2.19.2 to 2.21.0

Commits

• See full diff in compare view

Updates com.fasterxml.jackson.core:jackson-annotations from 2.19.2 to 2.21.0

Updates io.netty:netty-codec-http from 4.2.8.Final to 4.2.9.Final

Commits

• a853a39 [maven-release-plugin] prepare release netty-4.2.9.Final
• 6d29a4f Add missing publishing config for the bom module
• ea911de Optimize HTTP startline validation (#16030)
• d7108a3 LocalChannel: Reduce GC by re-using same Runnable (#16014)
• 207afcb Fix MpscIntQueue bug (#16023)
• 27bfd56 Fix HTTP startline validation (#16022)
• 40ab418 [maven-release-plugin] prepare for next development iteration
• See full diff in compare view

Updates io.netty:netty-codec-http2 from 4.2.3.Final to 4.2.9.Final

Commits

• a853a39 [maven-release-plugin] prepare release netty-4.2.9.Final
• 6d29a4f Add missing publishing config for the bom module
• ea911de Optimize HTTP startline validation (#16030)
• d7108a3 LocalChannel: Reduce GC by re-using same Runnable (#16014)
• 207afcb Fix MpscIntQueue bug (#16023)
• 27bfd56 Fix HTTP startline validation (#16022)
• 40ab418 [maven-release-plugin] prepare for next development iteration
• e2d9d11 [maven-release-plugin] prepare release netty-4.2.8.Final
• 2f2e437 Merge commit from fork
• d011634 Build fixes to allow using the epoll native transport on Android (#16016)
• Additional commits viewable in compare view

Updates io.netty:netty-transport-native-epoll from 4.2.3.Final to 4.2.9.Final

Commits

• a853a39 [maven-release-plugin] prepare release netty-4.2.9.Final
• 6d29a4f Add missing publishing config for the bom module
• ea911de Optimize HTTP startline validation (#16030)
• d7108a3 LocalChannel: Reduce GC by re-using same Runnable (#16014)
• 207afcb Fix MpscIntQueue bug (#16023)
• 27bfd56 Fix HTTP startline validation (#16022)
• 40ab418 [maven-release-plugin] prepare for next development iteration
• e2d9d11 [maven-release-plugin] prepare release netty-4.2.8.Final
• 2f2e437 Merge commit from fork
• d011634 Build fixes to allow using the epoll native transport on Android (#16016)
• Additional commits viewable in compare view

Updates com.google.guava:guava from 33.4.8-jre to 33.5.0-jre

Release notes

Sourced from com.google.guava:guava's releases.

33.5.0

Maven

<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
  <version>33.5.0-jre</version>
  <!-- or, for Android: -->
  <version>33.5.0-android</version>
</dependency>

Jar files

• 33.5.0-jre.jar
• 33.5.0-android.jar

Guava requires one runtime dependency, which you can download here:

• failureaccess-1.0.3.jar

Javadoc

• 33.5.0-jre
• 33.5.0-android

JDiff

• 33.5.0-jre vs. 33.4.8-jre
• 33.5.0-android vs. 33.4.8-android
• 33.5.0-android vs. 33.5.0-jre

Changelog

• Restored the Automatic-Module-Name to guava-android. (It, unlike, guava-jre, is not a proper module.) (7a04a8a955)
• For users of guava-gwt: Google has moved off GWT internally. We plan to continue to release guava-gwt for users of GWT and J2CL, but the artifact is no longer tested for GWT-specific issues, and we have limited resources to fix any unexpected issues that might arise. While we do not anticipate any specific problems, we can't guarantee how long support will continue.
• Increased our Android minSdkVersion to 23 (Marshmallow). This follows the minimum of Google's foundational Android libraries, and we expect it to have no practical impact on users. (5c23347cc1)
• Listed the JSpecify annotations as an optional dependency in our OSGi metadata. (2dfd572981)
• cache: Improved the handling of exceptions from compute functions in Cache.asMap(). (We do still recommend using Caffeine rather than com.google.common.cache.) (087f2c4a80)
• collect: Improved Iterators.mergeSorted() to preserve stability for equal elements. (4dc93be9a8)
• math: Added saturatedAbs methods to IntMath and LongMath. (ed0e518f20)
• net: Added image/avif to MediaType. (53344caba6)
• testing: Made CollectorTester available to Android users. (294c251079)
• util.concurrent: Added Striped.custom. (1586eb271d)

Commits

• See full diff in compare view

Updates org.projectlombok:lombok from 1.18.38 to 1.18.42

Changelog

Sourced from org.projectlombok:lombok's changelog.

v1.18.42 (September 18th, 2025)

• FEATURE: All the various @Log annotations now allow you to change their access level (they still default to private). #2280. Thanks to new contributor Liam Pace!
• BUGFIX: Javadoc parsing was broken in Netbeans and ErrorProne for JDK25 #3940.

v1.18.40 (September 4th, 2025)

• PLATFORM: JDK25 support added #3859.
• BUGFIX: Recent versions of eclipse (or the eclipse-based java lang server for VSCode) caused java.lang.IllegalArgumentException: Document does not match the AST. [Issue #3886](projectlombok/lombok#3886).
• PERFORMANCE: @ExtensionMethod is now significantly faster [Issue #3866](projectlombok/lombok#3866).
• BUGFIX: the command line config tool would emit incorrect output for nullity annotations. [Issue #3931](projectlombok/lombok#3931).
• FEATURE: @Jacksonized @Accessors(fluent=true) automatically creates the relevant annotations such that Jackson correctly identifies fluent accessors. [Issue #3265](projectlombok/lombok#3265), [Issue #3270](projectlombok/lombok#3270).
• IMPROBABLE BREAKING CHANGE: From versions 1.18.16 to 1.18.38, lombok automatically copies certain Jackson annotations (e.g., @JsonProperty) from fields to the corresponding accessors (getters/setters). However, it turned out to be harmful in certain situations. Thus, Lombok does not automatically copy those annotations any more. You can restore the old behavior using the config key lombok.copyJacksonAnnotationsToAccessors = true.

Commits

• 2031eb0 [release] pre-release version bump for v1.18.42
• c95a6c1 Merge branch 'logger-access'
• 71d85ca #2280 Add delivery of this 'access for logging' to the changelog.
• 99ba3e3 [trivial] Slightly reworded the javadoc on each @Log annotation's `access()...
• e9cf11e [trivial][style]
• a6d5568 [deprecation] Marked AccessLevel.MODULE as deprecated. It was written for a...
• 492011d Refactored to use Javac/Eclipse utility function
• c1f7f66 Update copyright in logger files
• f63f40a Add myself to AUTHORS
• 9152c34 Fix failing tests
• Additional commits viewable in compare view

Updates org.apache.httpcomponents.client5:httpclient5 from 5.5 to 5.6

Changelog

Sourced from org.apache.httpcomponents.client5:httpclient5's changelog.

Release 5.6 ALPHA1

This is the first ALPHA release in the 5.6 release series. It adds several features such as transport content decompression and content compression for the async transport, support for Unix sockets, experimental support for SCRAM-SHA-256 authentication scheme, and Micrometer/OTel observations & metrics.

Commons Compress, Brotli codec, and ZStd codec are optional dependencies and get wired into the execution pipeline only if present on the classpath.

Notable changes and features included in the 5.6 series:

• Unix domain socket support.

• Support for pluggable content codecs via Commons-Compress in the classic transport. (optional).

• Support for transparent content decompression and content compression with deflate, gzip, zstd (optional), and brotli (optional) codecs in the async transport.

• Micrometer/OTel observations & metrics (optinal).

• Off-lock connection disposal by the classic pooling connection manager. Experimental.

• SCRAM-SHA-256 authentication scheme (RFC 7804). Experimental.

• Request Priority support (RFC 9218). Experimental.

Compatibility notes:

• As of this version, HttpClient uses BUILTIN HostnameVerificationPolicy by default, delegating host verification to JSSE security manager. One must explicitly configure the TLS strategy to continue using the hostname verifier shipped with HttpClient.

• Five-second TCP keep-alive is now enabled by default.

Change Log

• RequestConfig: Un-deprecate #setProxy. Contributed by Ryan Schmitt

• Stale connection check support in PoolingAsyncClientConnectionManager. Contributed by Ryan Schmitt

• ConnectionConfig: #idleTimeout support. Contributed by Ryan Schmitt

... (truncated)

Commits

• decd193 HttpClient 5.6 release
• 11ea8e5 Updated release notes for HttpClient 5.6 release
• 77fa61a Limit the length of content codec list that can be processed automatically
• 81b7971 Upgraded HttpCore to version 5.4
• 2c7fe0f Add OFFLOCK pool concurrency policy backed by RouteSegmentedConnPool (#765)
• 1f4dea7 Fixed Micrometer and OpenTelemetry dependency declaration
• d2fadd2 Tag TLS handshake timeout tests with slow
• e52e466 TestTlsHandshakeTimeout: Disable assertions on Java 8
• 77f52f0 Upgraded HttpClient version to 5.6-alpha2-SNAPSHOT
• 48e0f25 HttpClient 5.6-alpha1 release
• Additional commits viewable in compare view

Updates commons-codec:commons-codec from 1.19.0 to 1.21.0

Changelog

Sourced from commons-codec:commons-codec's changelog.

Apache Commons Codec 1.21.0 Release Notes

The Apache Commons Codec team is pleased to announce the release of Apache Commons Codec 1.21.0.

The Apache Commons Codec component contains encoders and decoders for formats such as Base16, Base32, Base64, digest, and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

This is a feature and maintenance release. Java 8 or later is required.

New features

• CODEC-333: Add distinct Base64 decoding for standard and URL-safe formats. Thanks to Aleksandr Beliakov, Gary Gregory.

Fixed Bugs

•         Fix oak leaf icon references in overview.html when running `mvn clean javadoc:javadoc`. Thanks to Gary Gregory.
  

•         Fix Apache RAT plugin console warnings. Thanks to Gary Gregory.
  

•         Fix malformed Javad...
  Description has been truncated

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[dependabot]

Superseded by #1547.