build(deps): bump the low-risk group across 1 directory with 25 updates

[dependabot]

Bumps the low-risk group with 25 updates in the /api-tests directory:

Package	From	To
com.google.code.gson:gson	2.13.1	2.13.2
ch.qos.logback:logback-classic	1.5.18	1.5.32
io.cucumber:cucumber-java	7.33.0	7.34.2
io.cucumber:cucumber-junit-platform-engine	7.33.0	7.34.2
org.assertj:assertj-core	3.27.4	3.27.7
net.bytebuddy:byte-buddy	1.17.6	1.18.5
com.fasterxml.jackson.core:jackson-core	2.19.2	2.21
com.fasterxml.jackson.core:jackson-databind	2.19.2	2.21
com.fasterxml.jackson.core:jackson-annotations	2.19.2	2.21
io.netty:netty-codec-http	4.2.8.Final	4.2.10.Final
io.netty:netty-codec-http2	4.2.3.Final	4.2.10.Final
io.netty:netty-transport-native-epoll	4.2.3.Final	4.2.10.Final
com.google.guava:guava	33.4.8-jre	33.5.0-jre
org.projectlombok:lombok	1.18.38	1.18.42
org.apache.httpcomponents.client5:httpclient5	5.5	5.6
commons-codec:commons-codec	1.19.0	1.21.0
com.github.spotbugs:spotbugs	4.9.4	4.9.8
org.owasp:dependency-check-maven	12.1.9	12.2.0
org.codehaus.mojo:exec-maven-plugin	3.5.1	3.6.3
org.apache.maven.plugins:maven-surefire-plugin	3.5.3	3.5.5
org.apache.maven.plugins:maven-failsafe-plugin	3.5.3	3.5.5
org.apache.maven.plugins:maven-compiler-plugin	3.14.0	3.15.0
au.com.dius.pact.provider:maven	4.6.17	4.6.20
org.apache.maven.plugins:maven-pmd-plugin	3.27.0	3.28.0
com.github.spotbugs:spotbugs-maven-plugin	4.9.3.2	4.9.8.2

Updates com.google.code.gson:gson from 2.13.1 to 2.13.2

Release notes

Sourced from com.google.code.gson:gson's releases.

Gson 2.13.2

The main changes in this release are just newer dependencies.

What's Changed

• Improved packaging of JPMS module declaration in Gson jar
  This fixes an issue where Eclipse and VS Code users could not refer to the Gson module name com.google.gson. See issue google/gson#2679.
• Remove internal class GsonPreconditions by @​Marcono1234 in google/gson#2879
• Switch to using central-publishing-maven-plugin by @​eamonnmcmanus in google/gson#2900

New Contributors

• @​MukjepScarlet made their first contribution in google/gson#2852
• @​ChrisCraik made their first contribution in google/gson#2856

Full Changelog: google/gson@gson-parent-2.13.1...gson-parent-2.13.2

Commits

• 686fad7 [maven-release-plugin] prepare release gson-parent-2.13.2
• c2d252a Switch to using central-publishing-maven-plugin. (#2900)
• 69cb755 Bump the github-actions group with 5 updates (#2894)
• ea552c2 Bump the maven group across 1 directory with 3 updates (#2898)
• fdc616d Set top-level permissions for CodeQL workflow (#2889)
• 9334715 Create scorecard.yml (#2888)
• f7de5c2 Bump the maven group with 8 updates (#2885)
• 8c23cd3 Update sources to satisfy a new Error Prone check. (#2887)
• 5eab3ed Bump the github-actions group with 2 updates (#2886)
• 5f5c200 Bump the maven group across 1 directory with 10 updates (#2872)
• Additional commits viewable in compare view

Updates ch.qos.logback:logback-classic from 1.5.18 to 1.5.32

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.32

2026-02-16 Release of logback version 1.5.32

• In DefaultProcessor, fixed incorrect check for dependencies contained within a parent model. Previous only the direct children were scanned. This fixes logback-access/issues/34.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit e807335a67535b4eacce94e942c0bcb649665d93 associated with the tag v_1.5.32. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.31

2026-02-14 Release of logback version 1.5.31

• Fixed missing META-INF/services directory in logback-classic.jar. This issue rendered logback-classic version 1.5.30 unusable with SLF4J.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 168e42f9f9a18a3ffdf31eb2bfe80a71e33ecd8b associated with the tag v_1.5.31. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.30

2026-02-14 Release of logback version 1.5.30

• In this version, logback-classic.jar was missing the META-INF/services directory, making it unusable with SLF4J. Version 1.5.31 (released later on the same day) fixes this issue.

• Fix scanning issue when an included file becomes available at a later time. This problem was reported in issues/1021 by Sergey Nazarov.

• Standardized code for version checking across modules.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 44164f10ca3fb44ce0e68519f13564b87e3aca61 associated with the tag v_1.5.30. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.29

2026-02-09 Release of logback version 1.5.29

• In response to issues/1017, appender names and appender references are once again subject to variable substitution, reverting the change introduced in version 1.5.28.

Logback 1.5.28

2026-02-06 Release of logback version 1.5.28

• Appender names or appender references are no longer subject to variable substitution.

• Fixed issue with configurations with conditionals encompassing appenders. This was reported in issues/1016 reported by Sergey Sazonov.

• The element now admits a 'scan' attribute which can be used to override the 'scan' attribute in the element.

• Fixed NullPointerException thrown by VersionUtil.checkForVersionEquality method occurring with GraalVM Native Images. This issue was reported in issues/1014.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit e7a1855ab562bb102333f754603ff89359bf3cfc associated with the tag v_1.5.28. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.27

2026-01-30 Release of logback version 1.5.27

• Updated license to Eclipse Public License version 2.0 from version 1.0, retaining the GPL 2.1 dual-license.

• Fixed missing MDC data transmitted by SocketAppender reported in issues/1010 by Lars Vogel.

... (truncated)

Commits

• e807335 prepare release 1.5.32
• dc35d55 fix logback-access/issues/34 by checking if dependency is a sub-model of the ...
• 8e32278 added simple test for appender definitiob via file inclusion
• 834dbed start work on 1.5.32-SNAPSHOT
• 168e42f add test to check that Logback SLF4J provider can be activated
• ed45362 prepare release 1.5.31
• 609dae7 fix missing META-INF directory
• 7739739 start work on 1.5.31-SNAPSHOT
• 44164f1 prepare release 1.5.30
• 9874f06 test for top-file as a resource, introduced new module logback-classic-misc
• Additional commits viewable in compare view

Updates io.cucumber:cucumber-java from 7.33.0 to 7.34.2

Release notes

Sourced from io.cucumber:cucumber-java's releases.

v7.34.2

Fixed

• [Core] Reverted: Early filtering of anonymous classes for glue (#3158)

v7.34.1

Fixed

• Ensure dependencies converge (#3157

v7.34.0

Added

• [Core] Hide successful hooks by default in HTML report (cucumber/react-components#415)
• [Java] Support Provider instances with Pico Container (#2879, #3128 Stefan Gasterstädt)
• [Java] Add Step info to @BeforeStep and @AfterStep hooks (#3139, Menelaos Mamouzellos)

Changed

• [Core] Refactor internals to use messages-ndjson for serialization (#3138)
• [Core] Early filtering of anonymous classes for glue (#3150, Julien Kronegg)

Fixed

• [Core] Ignore all potential class loading issues (#3135, Christoph Läubrich)

Changelog

Sourced from io.cucumber:cucumber-java's changelog.

[7.34.2] - 2026-01-29

Fixed

• [Core] Reverted: Early filtering of anonymous classes for glue (#3158)

[7.34.1] - 2026-01-28

Fixed

• Ensure dependencies converge (#3157

[7.34.0] - 2026-01-28

Added

• [Core] Hide successful hooks by default in HTML report (cucumber/react-components#415)
• [Java] Support Provider instances with Pico Container (#2879, #3128 Stefan Gasterstädt)
• [Java] Add Step info to @BeforeStep and @AfterStep hooks (#3139, Menelaos Mamouzellos)

Changed

• [Core] Refactor internals to use messages-ndjson for serialization (#3138)
• [Core] Early filtering of anonymous classes for glue (#3150, Julien Kronegg)

Fixed

• [Core] Ignore all potential class loading issues (#3135, Christoph Läubrich)

Commits

• b5292ab Prepare release v7.34.2
• 3f97272 Revert "Avoid scanning anonymous classes (#3150)" (#3158)
• 26a7afa Update Revapi supressions (#3159)
• 2a1a3d6 Prepare for the next development iteration
• 88372a3 Prepare release v7.34.1
• 142b589 Ensure dependencies converge pt2
• 9e77642 Ensure dependencies converge
• 4d9dd93 Prepare for the next development iteration
• d16903c Prepare release v7.34.0
• 7948150 Update CHANGELOG
• Additional commits viewable in compare view

Updates io.cucumber:cucumber-junit-platform-engine from 7.33.0 to 7.34.2

Release notes

Sourced from io.cucumber:cucumber-junit-platform-engine's releases.

v7.34.2

Fixed

• [Core] Reverted: Early filtering of anonymous classes for glue (#3158)

v7.34.1

Fixed

• Ensure dependencies converge (#3157

v7.34.0

Added

• [Core] Hide successful hooks by default in HTML report (cucumber/react-components#415)
• [Java] Support Provider instances with Pico Container (#2879, #3128 Stefan Gasterstädt)
• [Java] Add Step info to @BeforeStep and @AfterStep hooks (#3139, Menelaos Mamouzellos)

Changed

• [Core] Refactor internals to use messages-ndjson for serialization (#3138)
• [Core] Early filtering of anonymous classes for glue (#3150, Julien Kronegg)

Fixed

• [Core] Ignore all potential class loading issues (#3135, Christoph Läubrich)

Changelog

Sourced from io.cucumber:cucumber-junit-platform-engine's changelog.

[7.34.2] - 2026-01-29

Fixed

• [Core] Reverted: Early filtering of anonymous classes for glue (#3158)

[7.34.1] - 2026-01-28

Fixed

• Ensure dependencies converge (#3157

[7.34.0] - 2026-01-28

Added

• [Core] Hide successful hooks by default in HTML report (cucumber/react-components#415)
• [Java] Support Provider instances with Pico Container (#2879, #3128 Stefan Gasterstädt)
• [Java] Add Step info to @BeforeStep and @AfterStep hooks (#3139, Menelaos Mamouzellos)

Changed

• [Core] Refactor internals to use messages-ndjson for serialization (#3138)
• [Core] Early filtering of anonymous classes for glue (#3150, Julien Kronegg)

Fixed

• [Core] Ignore all potential class loading issues (#3135, Christoph Läubrich)

Commits

• b5292ab Prepare release v7.34.2
• 3f97272 Revert "Avoid scanning anonymous classes (#3150)" (#3158)
• 26a7afa Update Revapi supressions (#3159)
• 2a1a3d6 Prepare for the next development iteration
• 88372a3 Prepare release v7.34.1
• 142b589 Ensure dependencies converge pt2
• 9e77642 Ensure dependencies converge
• 4d9dd93 Prepare for the next development iteration
• d16903c Prepare release v7.34.0
• 7948150 Update CHANGELOG
• Additional commits viewable in compare view

Updates io.cucumber:cucumber-junit-platform-engine from 7.33.0 to 7.34.2

Release notes

Sourced from io.cucumber:cucumber-junit-platform-engine's releases.

v7.34.2

Fixed

• [Core] Reverted: Early filtering of anonymous classes for glue (#3158)

v7.34.1

Fixed

• Ensure dependencies converge (#3157

v7.34.0

Added

• [Core] Hide successful hooks by default in HTML report (cucumber/react-components#415)
• [Java] Support Provider instances with Pico Container (#2879, #3128 Stefan Gasterstädt)
• [Java] Add Step info to @BeforeStep and @AfterStep hooks (#3139, Menelaos Mamouzellos)

Changed

• [Core] Refactor internals to use messages-ndjson for serialization (#3138)
• [Core] Early filtering of anonymous classes for glue (#3150, Julien Kronegg)

Fixed

• [Core] Ignore all potential class loading issues (#3135, Christoph Läubrich)

Changelog

Sourced from io.cucumber:cucumber-junit-platform-engine's changelog.

[7.34.2] - 2026-01-29

Fixed

• [Core] Reverted: Early filtering of anonymous classes for glue (#3158)

[7.34.1] - 2026-01-28

Fixed

• Ensure dependencies converge (#3157

[7.34.0] - 2026-01-28

Added

• [Core] Hide successful hooks by default in HTML report (cucumber/react-components#415)
• [Java] Support Provider instances with Pico Container (#2879, #3128 Stefan Gasterstädt)
• [Java] Add Step info to @BeforeStep and @AfterStep hooks (#3139, Menelaos Mamouzellos)

Changed

• [Core] Refactor internals to use messages-ndjson for serialization (#3138)
• [Core] Early filtering of anonymous classes for glue (#3150, Julien Kronegg)

Fixed

• [Core] Ignore all potential class loading issues (#3135, Christoph Läubrich)

Commits

• b5292ab Prepare release v7.34.2
• 3f97272 Revert "Avoid scanning anonymous classes (#3150)" (#3158)
• 26a7afa Update Revapi supressions (#3159)
• 2a1a3d6 Prepare for the next development iteration
• 88372a3 Prepare release v7.34.1
• 142b589 Ensure dependencies converge pt2
• 9e77642 Ensure dependencies converge
• 4d9dd93 Prepare for the next development iteration
• d16903c Prepare release v7.34.0
• 7948150 Update CHANGELOG
• Additional commits viewable in compare view

Updates org.assertj:assertj-core from 3.27.4 to 3.27.7

Release notes

Sourced from org.assertj:assertj-core's releases.

v3.27.7

🔒 Security

Core

• Fix XXE vulnerability in isXmlEqualTo assertion (CVE-2026-24400)
  • See GHSA-rqfh-9r24-8c9r for details; many thanks to @​wxt201 and @​Song-Li for responsibly reporting it!

🚫 Deprecated

Core

• Deprecate XmlStringPrettyFormatter with no replacement

🐛 Bug Fixes

Guava

• Navigation to assertj-core or guava types from assertj-guava Javadoc site has unnecessary header #3478

🔨 Dependency Upgrades

Core

• Upgrade to Byte Buddy 1.18.3
• Upgrade to JUnit BOM 5.14.1

Guava

• Upgrade to Guava 33.5.0-jre

v3.27.6

🐛 Bug Fixes

Core

• Add missing export for org.assertj.core.annotation #3951

❤️ Contributors

Thanks to all the contributors who worked on this release:

@​duponter

v3.27.5

⚡ Improvements

Core

• ByteBuddy in AssertJ 3.27.4 not compatible with Java 25 #3946

... (truncated)

Commits

• e840716 [maven-release-plugin] prepare release assertj-build-3.27.7
• 85ca7eb Deprecate XmlStringPrettyFormatter
• 77081dc Merge commit from fork
• b68fc24 Bump github/codeql-action from 4.31.9 to 4.31.10 in the github-actions group ...
• 0cf5bb6 Bump kotlin.version from 2.1.0 to 2.2.21
• d393ef1 Abort tests when symbolic links cannot be created (#3788)
• 2212433 Add IntelliJ custom inspection for test class names
• 5717d02 Update JetBrains icon
• a8ec20b Add icon for JetBrains products
• c05fb3d Bump Maven to 3.9.12 and Wrapper to 3.3.4
• Additional commits viewable in compare view

Updates net.bytebuddy:byte-buddy from 1.17.6 to 1.18.5

Release notes

Sourced from net.bytebuddy:byte-buddy's releases.

Byte Buddy 1.18.5

• Eagerly resolve of canonical files during attach emulation to avoid failure when process ends before file can be deleted.
• Add super classes to hash code / equals computation in Advice that were missing.

Byte Buddy 1.18.4

• Add support for new build description in Android 9.

Byte Buddy 1.18.3

• Avoid using Class File API when Byte Buddy is loaded on the boot loader where multi-release jars are not available.
• Add additional safety when processing class files with illegally formed parameters.
• Update to latest ASM.

Byte Buddy 1.18.2

• Support modifiers for value classes in Valhalla builds.
• Improve use of build cache in Gradle.

Byte Buddy 1.18.1

• Fix generated module-info to include new package.

Byte Buddy 1.18.0

• Add support for module-info class files and ModuleDescriptions.
• Allow for manipulating module information using the ByteBuddy API.

Byte Buddy 1.17.8

• Avoid use of types that are deprecated as of Java 26.
• Include ASM 9.9 that offers ASM support for Java 26.
• Make sure that generated code internal to Byte Buddy supports CDS if available.
• Update version of ASM to JDK Class File API bridge to fix some minor bugs related to type annotations.

Byte Buddy 1.17.7

• Specify correct JVM environment for Android builds when using the Gradle plugin.
• Avoid recomputing the size of a parameter list for performance reasons after measuring the significant impact.
• Correct validation of JVM names to avoid breaking when Java names are not allowed while JVM names are, with Kotlin and others.

Changelog

Sourced from net.bytebuddy:byte-buddy's changelog.

15. February 2026: version 1.18.5

• Eagerly resolve of canonical files during attach emulation to avoid failure when process ends before file can be deleted.
• Add super classes to hash code / equals computation in Advice that were missing.

16. January 2026: version 1.18.4

• Add support for new build description in Android 9.

26. November 2025: version 1.18.3

• Avoid using Class File API when Byte Buddy is loaded on the boot loader where multi-release jars are not available.
• Add additional safety when processing class files with illegally formed parameters.
• Update to latest ASM.

26. November 2025: version 1.18.2

• Support modifiers for value classes in Valhalla builds.
• Improve use of build cache in Gradle.

12. November 2025: version 1.18.1

• Fix generated module-info to include new package.

11. November 2025: version 1.18.0

• Add support for module-info class files and ModuleDescriptions.
• Allow for manipulating module information using the ByteBuddy API.

8. October 2025: version 1.17.8

• Avoid use of types that are deprecated as of Java 26.
• Include ASM 9.9 that offers ASM support for Java 26.
• Make sure that generated code internal to Byte Buddy supports CDS if available.
• Update version of ASM to JDK Class File API bridge to fix some minor bugs related to type annotations.

17. August 2025: version 1.17.7

• Specify correct JVM environment for Android builds when using the Gradle plugin.
• Avoid recomputing the size of a parameter list for performance reasons after measuring the significant impact.
• Correct validation of JVM names to avoid breaking when Java names are not allowed while JVM names are, with Kotlin and others.

Commits

• e01d09a [maven-release-plugin] prepare release byte-buddy-1.18.5
• 0cef4be [release] Release new version
• c880bab Fix hashcode equals generation.
• 05dc85e Instana attachpid file removal handling (#1884)
• 71448e3 Add ASM URL for copyright note.
• 9689261 Update checksums and internal Byte Buddy.
• 87c1368 [maven-release-plugin] prepare for next development iteration
• c080180 [maven-release-plugin] prepare release byte-buddy-1.18.4
• 3e40080 [release] Release new version
• e94974f [release] Release new version
• Additional commits viewable in compare view

Updates com.fasterxml.jackson.core:jackson-core from 2.19.2 to 2.21

Updates com.fasterxml.jackson.core:jackson-databind from 2.19.2 to 2.21

Updates com.fasterxml.jackson.core:jackson-annotations from 2.19.2 to 2.21

Commits

• See full diff in compare view

Updates io.netty:netty-codec-http from 4.2.8.Final to 4.2.10.Final

Commits

• 4cc9873 [maven-release-plugin] prepare release netty-4.2.10.Final
• 54b8663 Remove unnecessary allocations and abstractions in HttpContentCompressor (#16...
• 961f427 Update to netty-tcnative 2.0.75.Final (#16227)
• 3007ba9 Use recommanded finalize chain pattern when override finalize() method (#16212)
• b918042 Update some dependencies (#16198) (#16215)
• 874c995 Reduce allocations on DefaultHeaders::containsValue (#15843)
• e0fe794 Remove unnecessary null check in WebSocketServerExtensionHandler (#16201)
• 1b0636b Move default compression options into static variable in HttpContentCompresso...
• 85a3a0e codec-http2: move the accessors from Http2Headers to DefaultHttp2Headers (#16...
• f44a88d Improve chunk picking for the large-size buddy allocator (#16179)
• Additional commits viewable in compare view

Updates io.netty:netty-codec-http2 from 4.2.3.Final to 4.2.10.Final

Commits

• 4cc9873 [maven-release-plugin] prepare release netty-4.2.10.Final
• 54b8663 Remove unnecessary allocations and abstractions in HttpContentCompressor (#16...
• 961f427 Update to netty-tcnative 2.0.75.Final (#16227)
• 3007ba9 Use recommanded finalize chain pattern when override finalize() method (#16212)
• b918042 Update some dependencies (#16198) (#16215)
• 874c995 Reduce allocations on DefaultHeaders::containsValue (#15843)
• e0fe794 Remove unnecessary null check in WebSocketServerExtensionHandler (#16201)
• 1b0636b Move default compression options into static variable in HttpContentCompresso...
• 85a3a0e codec-http2: move the accessors from Http2Headers to DefaultHttp2Headers (#16...
• f44a88d Improve chunk picking for the large-size buddy allocator (#16179)
• Additional commits viewable in compare view

Updates io.netty:netty-transport-native-epoll from 4.2.3.Final to 4.2.10.Final

Commits

• 4cc9873 [maven-release-plugin] prepare release netty-4.2.10.Final
• 54b8663 Remove unnecessary allocations and abstractions in HttpContentCompressor (#16...
• 961f427 Update to netty-tcnative 2.0.75.Final (#16227)
• 3007ba9 Use recommanded finalize chain pattern when override finalize() method (#16212)
• b918042 Update some dependencies (#16198) (#16215)
• 874c995 Reduce allocations on DefaultHeaders::containsValue (#15843)
• e0fe794 Remove unnecessary null check in WebSocketServerExtensionHandler (#16201)
• 1b0636b Move default compression options into static variable in HttpContentCompresso...
• 85a3a0e codec-http2: move the accessors from Http2Headers to DefaultHttp2Headers (#16...
• f44a88d Improve chunk picking for the large-size buddy allocator (#16179)
• Additional commits viewable in compare view

Updates com.google.guava:guava from 33.4.8-jre to 33.5.0-jre

Release notes

Sourced from com.google.guava:guava's releases.

33.5.0

Maven

<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
  <version>33.5.0-jre</version>
  <!-- or, for Android: -->
  <version>33.5.0-android</version>
</dependency>

Jar files

• 33.5.0-jre.jar
• 33.5.0-android.jar

Guava requires one runtime dependency, which you can download here:

• failureaccess-1.0.3.jar

Javadoc

• 33.5.0-jre
• 33.5.0-android

JDiff

• 33.5.0-jre vs. 33.4.8-jre
• 33.5.0-android vs. 33.4.8-android
• 33.5.0-android vs. 33.5.0-jre

Changelog

• Restored the Automatic-Module-Name to guava-android. (It, unlike, guava-jre, is not a proper module.) (7a04a8a955)
• For users of guava-gwt: Google has moved off GWT internally. We plan to continue to release guava-gwt for users of GWT and J2CL, but the artifact is no longer tested for GWT-specific issues, and we have limited resources to fix any unexpected issues that might arise. While we do not anticipate any specific problems, we can't guarantee how long support will continue.
• Increased our Android minSdkVersion to 23 (Marshmallow). This follows the minimum of Google's foundational Android libraries, and we expect it to have no practical impact on users. (5c23347cc1)
• Listed the JSpecify annotations as an optional dependency in our OSGi metadata. (2dfd572981)
• cache: Improved the handling of exceptions from compute functions in Cache.asMap(). (We do still recommend using Caffeine rather than com.google.common.cache.) (087f2c4a80)
• collect: Improved Iterators.mergeSorted() to preserve stability for equal elements. (4dc93be9a8)
• math: Added saturatedAbs methods to IntMath and LongMath. (ed0e518f20)
• net: Added image/avif to MediaType. (53344caba6)
• testing: Made CollectorTester available to Android users. (294c251079)
• util.concurrent: Added Striped.custom. (1586eb271d)

Commits

• See full diff in compare view

Updates org.projectlombok:lombok from 1.18.38 to 1.18.42

Changelog

Sourced from org.projectlombok:lombok's changelog.

v1.18.42 (September 18th, 2025)

• FEATURE: All the various @Log annotations now allow you to change their access level (they still default to private). #2280. Thanks to new contributor Liam Pace!
• BUGFIX: Javadoc parsing was broken in Netbeans and ErrorProne for JDK25 #3940.

v1.18.40 (September 4th, 2025)

• PLATFORM: JDK25 support added #3859.
• BUGFIX: Recent versions of eclipse (or the eclipse-based java lang server for VSCode) caused java.lang.IllegalArgumentException: Document does not match the AST. [Issue #3886](projectlombok/lombok#3886).
• PERFORMANCE: @ExtensionMethod is now significantly faster [Issue #3866](projectlombok/lombok#3866).
• BUGFIX: the command line config tool would emit incorrect output for nullity annotations. [Issue #3931](projectlombok/lombok#3931).
• FEATURE: @Jacksonized @Accessors(fluent=true) automatically creates the relevant annotations such that Jackson correctly identifies fluent accessors. [Issue #3265](projectlombok/lombok#3265), [Issue #3270](projectlombok/lombok#3270).
• IMPROBABLE BREAKING CHANGE: From versions 1.18.16 to 1.18.38, lombok automatically copies certain Jackson annotations (e.g., @JsonProperty) from fields to the corresponding accessors (getters/setters). However, it turned out to be harmful in certain situations. Thus, Lombok does not automatically copy those annotations any more. You can restore the old behavior using the config key lombok.copyJacksonAnnotationsToAccessors = true.

Commits

• 2031eb0 [release] pre-release version bump for v1.18.42
• c95a6c1 Merge branch 'logger-access'
• 71d85ca #2280 Add delivery of this 'access for logging' to the changelog.
• 99ba3e3 [trivial] Slightly reworded the javadoc on each @Log annotation's `access()...
• e9cf11e [trivial][style]
• a6d5568 [deprecation] Marked AccessLevel.MODULE as deprecated. It was written for a...
• 492011d Refactored to use Javac/Eclipse utility function
• c1f7f66 Update copyright in logger files
• f63f40a Add myself to AUTHORS
• 9152c34 Fix failing tests
• Additional commits viewable in compare view

Updates org.apache.httpcomponents.client5:httpclient5 from 5.5 to 5.6

Changelog

Sourced from org.apache.httpcomponents.client5:httpclient5's changelog.

Release 5.6 ALPHA1

This is the first ALPHA release in the 5.6 release series. It adds several features such as transport content decompression and content compression for the async transport, support for Unix sockets, experimental support for SCRAM-SHA-256 authentication scheme, and Micrometer/OTel observations & metrics.

Commons Compress, Brotli codec, and ZStd codec are optional dependencies and get wired into the execution pipeline only if present on the classpath.

Notable changes and features included in the 5.6 series:

• Unix domain socket support.

• Support for pluggable content codecs via Commons-Compress in the classic transport. (optional).

• Support for transparent content decompression and content compression with deflate, gzip, zstd (optional), and brotli (optional) codecs in the async transport.

• Micrometer/OTel observations & metrics (optinal).

• Off-lock connection disposal by the classic pooling connection manager. Experimental.

• SCRAM-SHA-256 authentication scheme (RFC 7804). Experimental.

• Request Priority support (RFC 9218). Experimental.

Compatibility notes:

• As of this version, HttpClient uses BUILTIN HostnameVerificationPolicy by default, delegating host verification to JSSE security manager. One must explicitly configure the TLS strategy to continue using the hostname verifier shipped with HttpClient.

• Five-second TCP keep-alive is now enabled by default.

Change Log

• RequestConfig: Un-deprecate #setProxy. Contributed by Ryan Schmitt

• Stale connection check support in PoolingAsyncClientConnectionManager. Contributed by Ryan Schmitt

• ConnectionConfig: #idleTimeout support. Contributed by Ryan Schmitt

... (truncated)

Commits

• decd193 HttpClient 5.6 release
• 11ea8e5 Updated release notes for HttpClient 5.6 release
• 77fa61a Limit the length of content codec list that can be processed automatically
• 81b7971 Upgraded HttpCore to version 5.4
• 2c7fe0f Add OFFLOCK pool concurrency policy backed by RouteSegmentedConnPool (#765)
• 1f4dea7 Fixed Micrometer and OpenTelemetry dependency declaration
• d2fadd2 Tag TLS handshake timeout tests with slow
• e52e466 TestTlsHandshakeTimeout: Disable assertions on Java 8
• 77f52f0 Upgraded HttpClient version to 5.6-alpha2-SNAPSHOT
• 48e0f25 HttpClient 5.6-alpha1 release
• Additional commits viewable in compare view

Updates commons-codec:commons-codec from 1.19.0 to 1.21.0

Changelog

Sourced from commons-codec:commons-codec's changelog.

Apache Commons Codec 1.21.0 Release Notes

The Apache Commons Codec team is pleased to announce the release of Apache Commons Codec 1.21.0.

The Apache Commons Codec component contains encoders and decoders for formats such as Base16, Base32, Base64, digest, and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

This is a feature and maintenance release. Java 8 or later is required.

New features

• CODEC-333: Add distinct Base64 decoding for standard and URL-safe formats. Thanks to Aleksandr Beliakov, Gary Gregory.

Fixed Bugs

•         Fix oak leaf icon references in overview.html when running `mvn clean javadoc:javadoc`. Thanks to Gary Gregory.
  

•         Fix Apache RAT plugin console warnings. Thanks to Gary Gregory.
  

•         Fix malformed Javadoc comments. Thanks to Gary Gregory.
  

Changes

•         Bump org.apache.commons:commons-parent from 91 to 96 [#415](https://github.com/apache/commons-codec/issues/415), [#418](https://github.com/apache/commons-codec/issues/418). Thanks to Gary Gregory, Dependabot.
  

•         Bump commons-io:commons-io from 2.20.0 to 2.21.0. Thanks to Gary Gregory.
  

•         Bump org.apache.commons:commons-lang3 from 3.19.0 to 3.20.0. Thanks to Gary Gregory, Dependabot.
  

For complete information on Apache Commons Codec, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Commons Codec website: