Bump the dependencies group across 1 directory with 26 updates by dependabot[bot] · Pull Request #2373 · FraunhoferIOSB/FROST-Server

dependabot · 2026-06-08T06:35:11Z

Bumps the dependencies group with 25 updates in the / directory:

Package	From	To
ch.qos.logback:logback-classic	`1.5.32`	`1.5.34`
com.fasterxml.jackson.core:jackson-annotations	`2.21`	`2.22`
com.fasterxml.jackson.core:jackson-core	`2.21.2`	`2.22.0`
com.fasterxml.jackson.dataformat:jackson-dataformat-xml	`2.21.2`	`2.22.0`
com.github.dasniko:testcontainers-keycloak	`4.2.0`	`4.2.1`
commons-io:commons-io	`2.21.0`	`2.22.0`
de.fraunhofer.iosb.ilt:Configurable	`0.37`	`0.38`
io.prometheus:prometheus-metrics-bom	`1.5.1`	`1.7.0`
org.eclipse.jetty.ee10:jetty-ee10-servlet	`12.1.8`	`12.1.10`
org.jooq:jooq	`3.21.2`	`3.21.5`
org.jooq:jooq-codegen	`3.21.2`	`3.21.5`
org.jooq:jooq-meta	`3.21.2`	`3.21.5`
org.junit:junit-bom	`6.0.3`	`6.1.0`
org.junit.platform:junit-platform-suite	`6.0.3`	`6.1.0`
org.postgresql:postgresql	`42.7.10`	`42.7.11`
org.slf4j:jul-to-slf4j	`2.0.17`	`2.0.18`
org.slf4j:slf4j-api	`2.0.17`	`2.0.18`
org.testcontainers:testcontainers-bom	`2.0.4`	`2.0.5`
org.apache.maven.plugins:maven-dependency-plugin	`3.10.0`	`3.11.0`
com.diffplug.spotless:spotless-maven-plugin	`3.4.0`	`3.6.0`
org.owasp:dependency-check-maven	`12.2.1`	`12.2.2`
org.apache.maven.plugins:maven-surefire-plugin	`3.5.5`	`3.5.6`
org.jacoco:jacoco-maven-plugin	`0.8.14`	`0.8.15`
de.fraunhofer.iosb.io.moquette:moquette-broker	`0.18.3`	`0.18.4`
de.fraunhofer.iosb.io.moquette:moquette-metrics-prometheus	`0.18.3`	`0.18.4`

Updates ch.qos.logback:logback-classic from 1.5.32 to 1.5.34

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.34

2026-06-01 Release of logback version 1.5.34

• In case certain StackTraceElement values returned by the Throwable.getStackTrace method are null, StackTraceElementProxy substitutes a dummy instance instead of throwing an IllegalArgumentException. This resolves [issues #1040](qos-ch/logback#1040), reported by Naotsugu Kobayashi.

• HardenedObjectInputStream will now throw an InvalidClassException during deserialization attempts of Proxy classes. This change addresses potential deserialization whitelist bypass vulnerability reported by York Shen and registered as CVE-2026-10532.

• A bitwise identical binary of this version can be reproduced by building from source code at commit e62272ac152469aec1ede056c3c7d0d7314e7bfe associated with the tag v_1.5.34. This release was built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.33

2026-05-27 Release of logback version 1.5.33

• PropertiesConfiguratorModelHandler now registers properties file URLs to the ConfigurationWatchList when scan is enabled (via local scan="true" attribute or top-level configuration scan), ensuring changes are detected and reconfiguration occurs. This problem was reported in issues/1034.

• When processing <conversionRule> elements and both class and converterClass attributes are specified, silently use the class attribute without issuing a warning. However, if the attribute values differ, a warning will be issued. This change was requested in issues/1031.

• HardenedModelInputStream will no longer accept to deserialize all classes located under the "java.lang" and "java.util" packages but a limited number of explicitly authorized classes in those packages. This potential deserialization whitelist bypass vulnerability was reported by York Shen and registered as CVE-2026-9828.

• SSL parameters for SSLSocketAppender now enable hostname verification by default. Moreover, the default protocol is now "TLSv1.2". This potential vulnerability was reported by York Shen.

• When printing the status message field, ViewStatusMessagesServletBase now escapes special characters such as "&" as character entities. This potential vulnerability was reported by York Shen.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 124e8b49b55ac34d08743a0646bd463410192647 associated with the tag v_1.5.33. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Commits

e62272a prepare release 1.5.34
1e9e926 add resolveProxyClassRejectsDynamicProxies unit test
2de5cbe added StackTraceElementProxyTest, minor edits to AGENTS.md
0e9b927 in case StackTraceElement is null use a substitute, fixing issues/1040
f7a0654 prevent resolveProxyClass bypass
249b81f docs are no longer distributed
1c3b26a start work on 1.5.34-SNAPSHOT
124e8b4 prepare release 1.5.33
d8fd6f2 escapeTags in message field when printing status messages
95edbeb hostnameVerification default to true in SSLParametersConfiguration, SSL.DEFAU...
Additional commits viewable in compare view

Updates com.fasterxml.jackson.core:jackson-annotations from 2.21 to 2.22

Commits

See full diff in compare view

Updates com.fasterxml.jackson.core:jackson-core from 2.21.2 to 2.22.0

Commits

d763562 [maven-release-plugin] prepare release jackson-core-2.22.0
e5c69fe Re-do 2.22.0 release
0ba6a36 Bump version after release
b106011 [maven-release-plugin] prepare for next development iteration
18a7fe4 [maven-release-plugin] prepare release jackson-core-2.22.0
503a14f Re-do 2.22.0 release
ab95bc0 ...
0a4b8de Post-release dep version bump
719a42f [maven-release-plugin] prepare for next development iteration
9248848 [maven-release-plugin] prepare release jackson-core-2.22.0
Additional commits viewable in compare view

Updates com.fasterxml.jackson.dataformat:jackson-dataformat-xml from 2.21.2 to 2.22.0

Commits

4c702ae [maven-release-plugin] prepare release jackson-dataformat-xml-2.22.0
e6a9a50 Prep for 2.22.0 release
80735f2 Merge branch '2.21' into 2.x
5e5f3fa Post-release dep version bump
4c482a6 [maven-release-plugin] prepare for next development iteration
e29dfd9 [maven-release-plugin] prepare release jackson-dataformat-xml-2.21.4
5d81f46 Prep for 2.21.4 release
5db34fe Merge branch '2.20' into 2.21
a12b8df Merge branch '2.19' into 2.20
7ae7fdb Merge branch '2.18' into 2.19
Additional commits viewable in compare view

Updates com.fasterxml.jackson.core:jackson-databind from 2.21.2 to 2.22.0

Commits

See full diff in compare view

Updates com.fasterxml.jackson.dataformat:jackson-dataformat-xml from 2.21.2 to 2.22.0

Commits

4c702ae [maven-release-plugin] prepare release jackson-dataformat-xml-2.22.0
e6a9a50 Prep for 2.22.0 release
80735f2 Merge branch '2.21' into 2.x
5e5f3fa Post-release dep version bump
4c482a6 [maven-release-plugin] prepare for next development iteration
e29dfd9 [maven-release-plugin] prepare release jackson-dataformat-xml-2.21.4
5d81f46 Prep for 2.21.4 release
5db34fe Merge branch '2.20' into 2.21
a12b8df Merge branch '2.19' into 2.20
7ae7fdb Merge branch '2.18' into 2.19
Additional commits viewable in compare view

Updates com.github.dasniko:testcontainers-keycloak from 4.2.0 to 4.2.1

Release notes

Sourced from com.github.dasniko:testcontainers-keycloak's releases.

v4.2.1

What's Changed

update Keycloak admin client to version 26.0.9

Full Changelog: dasniko/testcontainers-keycloak@v4.2.0...v4.2.1

Commits

7dbffab update Keycloak admin client to version 26.0.9
bdf18fd don't publish generated release notes automatically
See full diff in compare view

Updates commons-io:commons-io from 2.21.0 to 2.22.0

Updates de.fraunhofer.iosb.ilt:Configurable from 0.37 to 0.38

Changelog

Sourced from de.fraunhofer.iosb.ilt:Configurable's changelog.

Version 0.38

Updates

[FX] Hide options dropdown in map (class) editor when its empty.

Updated dependencies.

Commits

fd42353 Release v0.38
1f4410d [FX] Hide options dropdown in map (class) editor when its empty
5edf948 Bump the dependencies group across 1 directory with 7 updates (#178)
e54d5f6 Bump the dependencies group across 1 directory with 2 updates (#173)
0b1d067 Bump the dependencies group with 2 updates (#165)
5e3654a Bump the dependencies group across 1 directory with 7 updates (#170)
26df65e Bump the dependencies group across 1 directory with 2 updates (#164)
5d7485b Bumped dependencies
af77ab1 Prepare for next development iteration
See full diff in compare view

Updates io.prometheus:prometheus-metrics-bom from 1.5.1 to 1.7.0

Release notes

Sourced from io.prometheus:prometheus-metrics-bom's releases.

v1.7.0

1.7.0 (2026-06-03)

Features

Add StableApi marker and API diff check (#2168) (768fd3a)

add typed metric family descriptors (#2114) (9c3b097)

track api-diff baseline via Renovate and store diffs in docs/apidiffs (#2174) (3adb890)

Bug Fixes

deps: update dependency com.github.ben-manes.caffeine:caffeine to v3.2.4 (#2088) (144eb61)

deps: update dependency io.dropwizard.metrics:metrics-core to v4.2.39 (#2139) (5817d13)

deps: update dependency io.dropwizard.metrics5:metrics-core to v5.0.7 (#2140) (261c451)

deps: update dependency io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha to v2.28.0-alpha (#2126) (b62b5d0)

deps: update dependency io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha to v2.28.0-alpha (#2127) (e11ce3d)

deps: update dependency io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha to v2.28.1-alpha (#2132) (b09be38)

deps: update dependency io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha to v2.28.1-alpha (#2133) (a241c16)

deps: update dependency org.apache.tomcat.embed:tomcat-embed-core to v11.0.22 (#2099) (22125c5)

deps: update jetty monorepo to v12.1.10 (#2169) (ddd3991)

deps: update jetty monorepo to v12.1.9 (#2102) (04bee70)

deps: update protobuf (#2129) (320538a)

Reduce allocations for classic histogram buckets (#2081) (edd160a)

restore legacy suffix compatibility (#2100) (b2ae70f)

restore reserved suffix stripping in PrometheusNaming.sanitizeMetricName() (#2124) (2d0f508)

Performance Improvements

Refactored sorting to use optimized sort algorithms (#2161) (25b94fc)

Documentation

clarify downstream adapter validation requirements (#2101) (ef8c75c)

Document OM2 (#2059) (45d753c)

document PushGateway shading workaround (#2106) (8ca0eb8)

v1.6.1

1.6.1 (2026-04-27)

[!WARNING] Wait for next bug fix release to fix prometheus/client_java#2100

Note: With the OM2 metric-name preservation fix in this release, OpenMetrics 2.0 can now be tested. It is still in progress and not ready for general use yet.

Bug Fixes

... (truncated)

Changelog

Sourced from io.prometheus:prometheus-metrics-bom's changelog.

1.7.0 (2026-06-03)

Features

Add StableApi marker and API diff check (#2168) (768fd3a)

add typed metric family descriptors (#2114) (9c3b097)

track api-diff baseline via Renovate and store diffs in docs/apidiffs (#2174) (3adb890)

Bug Fixes

deps: update dependency com.github.ben-manes.caffeine:caffeine to v3.2.4 (#2088) (144eb61)

deps: update dependency io.dropwizard.metrics:metrics-core to v4.2.39 (#2139) (5817d13)

deps: update dependency io.dropwizard.metrics5:metrics-core to v5.0.7 (#2140) (261c451)

deps: update dependency io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha to v2.28.0-alpha (#2126) (b62b5d0)

deps: update dependency io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha to v2.28.0-alpha (#2127) (e11ce3d)

deps: update dependency io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha to v2.28.1-alpha (#2132) (b09be38)

deps: update dependency io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha to v2.28.1-alpha (#2133) (a241c16)

deps: update dependency org.apache.tomcat.embed:tomcat-embed-core to v11.0.22 (#2099) (22125c5)

deps: update jetty monorepo to v12.1.10 (#2169) (ddd3991)

deps: update jetty monorepo to v12.1.9 (#2102) (04bee70)

deps: update protobuf (#2129) (320538a)

Reduce allocations for classic histogram buckets (#2081) (edd160a)

restore legacy suffix compatibility (#2100) (b2ae70f)

restore reserved suffix stripping in PrometheusNaming.sanitizeMetricName() (#2124) (2d0f508)

Performance Improvements

Refactored sorting to use optimized sort algorithms (#2161) (25b94fc)

Documentation

clarify downstream adapter validation requirements (#2101) (ef8c75c)

Document OM2 (#2059) (45d753c)

document PushGateway shading workaround (#2106) (8ca0eb8)

1.6.1 (2026-04-27)

Note: With the OM2 metric-name preservation fix in this release, OpenMetrics 2.0 can now be tested. It is still in progress and not ready for general use yet.

Bug Fixes

Preserve original metric names in OM2 output (#2058) (59a7a6d)

Documentation

... (truncated)

Commits

574fb73 chore(main): release 1.7.0 (#2092)
4f4e8a7 test: validate Micrometer typed-descriptor compatibility (#2123)
82d3c46 test: run JMX Exporter quick test configuration (#2178)
ab37635 chore(deps): update actions/checkout action to v6.0.3 (#2175)
9a5d1d5 chore(deps): update grafana monorepo to v13.0.2 (#2176)
3adb890 feat: track api-diff baseline via Renovate and store diffs in docs/apidiffs (...
ddd3991 fix(deps): update jetty monorepo to v12.1.10 (#2169)
5b1b6bd chore(deps): update dependency grafana/docker-otel-lgtm to v0.28.0 (#2172)
6f20381 chore(deps): update github/codeql-action action to v4.36.1 (#2171)
62ce9dc test: validate JMX Exporter compatibility (#2167)
Additional commits viewable in compare view

Updates org.eclipse.jetty.ee10:jetty-ee10-servlet from 12.1.8 to 12.1.10

Updates org.jooq:jooq from 3.21.2 to 3.21.5

Updates org.jooq:jooq-codegen from 3.21.2 to 3.21.5

Updates org.jooq:jooq-meta from 3.21.2 to 3.21.5

Updates org.jooq:jooq-codegen from 3.21.2 to 3.21.5

Updates org.jooq:jooq-meta from 3.21.2 to 3.21.5

Updates org.junit:junit-bom from 6.0.3 to 6.1.0

Release notes

Sourced from org.junit:junit-bom's releases.

JUnit 6.1.0 = Platform 6.1.0 + Jupiter 6.1.0 + Vintage 6.1.0

See Release Notes.

New Contributors

@JarvisCraft made their first contribution in junit-team/junit-framework#5633

@Maran23 made their first contribution in junit-team/junit-framework#5644

Full Changelog: junit-team/junit-framework@r6.0.3...r6.1.0

JUnit 6.1.0-RC1 = Platform 6.1.0-RC1 + Jupiter 6.1.0-RC1 + Vintage 6.1.0-RC1

See Release Notes.

New Contributors

@mariokhoury4 made their first contribution in junit-team/junit-framework#4574

@Ogu1208 made their first contribution in junit-team/junit-framework#5145

@HyungGeun94 made their first contribution in junit-team/junit-framework#5271

@yalishevant made their first contribution in junit-team/junit-framework#5316

@JINU-CHANG made their first contribution in junit-team/junit-framework#5290

@jaschdoc made their first contribution in junit-team/junit-framework#5427

@kawshikbuet17 made their first contribution in junit-team/junit-framework#5561

@msridhar made their first contribution in junit-team/junit-framework#5602

Full Changelog: junit-team/junit-framework@r6.1.0-M1...r6.1.0-RC1

JUnit 6.1.0-M1 = Platform 6.1.0-M1 + Jupiter 6.1.0-M1 + Vintage 6.1.0-M1

See Release Notes.

New Contributors

@vy made their first contribution in junit-team/junit-framework#5041

@Pankraz76 made their first contribution in junit-team/junit-framework#5006

@arukiidou made their first contribution in junit-team/junit-framework#5066

@laeubi made their first contribution in junit-team/junit-framework#5092

@jihun4452 made their first contribution in junit-team/junit-framework#5088

@TWiStErRob made their first contribution in junit-team/junit-framework#5133

Full Changelog: junit-team/junit-framework@r6.0.0...r6.1.0-M1

Commits

0dc3af1 Release 6.1.0
1d13002 Prepare 6.1.0 release notes
072b217 Update plugin spotless to v8.5.0 (#5668)
3a53480 Update Gradle to v9.5.1 (#5666)
0e18a20 Update zizmorcore/zizmor-action action to v0.5.4 (#5669)
0a2634f Update github/codeql-action action to v4.35.5 (#5671)
4dbd556 Restructure workflows to have single "status" job (#5670)
f2194ce Increase timeout to reduce flakiness
5c8fdd2 Update dependency org.apache.groovy:groovy to v5.0.6 (#5659)
43c6982 Update dependency org.slf4j:slf4j-jdk14 to v2.0.18 (#5667)
Additional commits viewable in compare view

Updates org.junit.platform:junit-platform-suite from 6.0.3 to 6.1.0

Release notes

Sourced from org.junit.platform:junit-platform-suite's releases.

JUnit 6.1.0 = Platform 6.1.0 + Jupiter 6.1.0 + Vintage 6.1.0

See Release Notes.

New Contributors

@JarvisCraft made their first contribution in junit-team/junit-framework#5633

@Maran23 made their first contribution in junit-team/junit-framework#5644

Full Changelog: junit-team/junit-framework@r6.0.3...r6.1.0

JUnit 6.1.0-RC1 = Platform 6.1.0-RC1 + Jupiter 6.1.0-RC1 + Vintage 6.1.0-RC1

See Release Notes.

New Contributors

@mariokhoury4 made their first contribution in junit-team/junit-framework#4574

@Ogu1208 made their first contribution in junit-team/junit-framework#5145

@HyungGeun94 made their first contribution in junit-team/junit-framework#5271

@yalishevant made their first contribution in junit-team/junit-framework#5316

@JINU-CHANG made their first contribution in junit-team/junit-framework#5290

@jaschdoc made their first contribution in junit-team/junit-framework#5427

@kawshikbuet17 made their first contribution in junit-team/junit-framework#5561

@msridhar made their first contribution in junit-team/junit-framework#5602

Full Changelog: junit-team/junit-framework@r6.1.0-M1...r6.1.0-RC1

JUnit 6.1.0-M1 = Platform 6.1.0-M1 + Jupiter 6.1.0-M1 + Vintage 6.1.0-M1

See Release Notes.

New Contributors

@vy made their first contribution in junit-team/junit-framework#5041

@Pankraz76 made their first contribution in junit-team/junit-framework#5006

@arukiidou made their first contribution in junit-team/junit-framework#5066

@laeubi made their first contribution in junit-team/junit-framework#5092

@jihun4452 made their first contribution in junit-team/junit-framework#5088

@TWiStErRob made their first contribution in junit-team/junit-framework#5133

Full Changelog: junit-team/junit-framework@r6.0.0...r6.1.0-M1

Commits

0dc3af1 Release 6.1.0
1d13002 Prepare 6.1.0 release notes
072b217 Update plugin spotless to v8.5.0 (#5668)
3a53480 Update Gradle to v9.5.1 (#5666)
0e18a20 Update zizmorcore/zizmor-action action to v0.5.4 (#5669)
0a2634f Update github/codeql-action action to v4.35.5 (#5671)
4dbd556 Restructure workflows to have single "status" job (#5670)
f2194ce Increase timeout to reduce flakiness
5c8fdd2 Update dependency org.apache.groovy:groovy to v5.0.6 (#5659)
43c6982 Update dependency org.slf4j:slf4j-jdk14 to v2.0.18 (#5667)
Additional commits viewable in compare view

Updates org.postgresql:postgresql from 42.7.10 to 42.7.11

Release notes

Sourced from org.postgresql:postgresql's releases.

v42.7.11

Security

fix: Limit SCRAM PBKDF2 iterations accepted from the server. pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins. See the Security Advisory for more detail. The following CVE-2026-42198 has been issued.

Changes

fix: Add sources and javadocs to shaded published lib generation @sehrope (#4043)

update Changelog and website for release of 42.7.11 @davecramer (#4042)

Fix scram fix location in changelog and update published artifact developer list @sehrope (#4041)

Restrict test with scram_iterations to v16+ and release notes @sehrope (#4040)

chore(deps): update ubuntu:24.04 docker digest to 84e77de @renovate-bot (#4017)

test: add tests for QueryExecutor#getTransactionState @vlsi (#4006)

chore(deps): update actions/create-github-app-token action to v2.2.2 @renovate-bot (#3983)

fix: fix flaky CopyBothResponseTest by using WAL flush LSN @vlsi (#3979)

fix: fix flaky replication restart tests by waiting for confirmed_flush_lsn @vlsi (#3975)

test: fix flaky LogicalReplicationStatusTest by polling pg_stat_replication @vlsi (#3974)

chore: replace Appveyor with ikalnytskyi/action-setup-postgres @vlsi (#3966)

test: move test table creation from @BeforeEach to @BeforeAll @vlsi (#3967)

Return jsonb as PGObject fixes Issue #3926 @davecramer (#3956)

Update docker scripts @davecramer (#3958)

implement require_auth, this is pretty much how libpq does this. @davecramer (#3895)

docs: add SCRAM authentication test setup section to TESTING.md @emmaeng700 (#3945)

Add RequireServerVersion annotation for tests @sehrope (#3939)

🐛 Bug Fixes

fix: ensure extended protocol messages end with Sync message @vlsi (#3728)

fix: enable cursor-based fetching in extended protocol when transaction started via SQL command @vlsi (#3996)

fix: retry with SSL on IOException when sslMode=ALLOW @vlsi (#3973)

fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in @vlsi (#3968)

fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers @vlsi (#3962)

fix: use compareTo for LogSequenceNumber comparison @vlsi (#3961)

fix: release COPY lock on IOException to prevent connection hang (#3957) @vlsi (#3960)

🧰 Maintenance

style: replace @exception with @throws in getBoolean javadoc @vlsi (#4035)

chore: use @vlsi/github-actions-random-matrix npm package @vlsi (#4008)

chore: use tag names for pinning github actions, pin ikalnytskyi/action-setup-postgres @vlsi (#4007)

chore: bump errorprone to 2.48.0 @vlsi (#4005)

test: add @DisableLogger annotation to suppress expected log warnings in tests @vlsi (#3971)

chore: suppress deprecations in test code to reduce build verbosity @vlsi (#3972)

chore: replace log warning in ConnectionFactory.closeStream with Throwable.addSuppressed @vlsi (#3970)

chore: use greedy pairwise coverage for CI matrix generation @vlsi (#3965)

chore: use full version tags in GitHub Actions comments @vlsi (#3963)

⬆️ Dependencies

... (truncated)

Changelog

Sourced from org.postgresql:postgresql's changelog.

[42.7.11] (2026-04-28)

Security

fix: Limit SCRAM PBKDF2 iterations accepted from the server. pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins. See the Security Advisory for more detail. The following CVE-2026-42198 has been issued.

Added

feat: implement require_auth connection property, aligning with libpq behavior [PR #3895](pgjdbc/pgjdbc#3895)

Changed

chore: replace Appveyor CI with ikalnytskyi/action-setup-postgres [PR #3966](pgjdbc/pgjdbc#3966)

chore: upgrade Gradle to v9 [PR #3978](pgjdbc/pgjdbc#3978)

Fixed

fix: ensure extended protocol messages end with Sync message [PR #3728](pgjdbc/pgjdbc#3728)

fix: enable cursor-based fetching in extended protocol when transaction started via SQL command [PR #3996](pgjdbc/pgjdbc#3996)

fix: retry with SSL on IOException when sslMode=ALLOW [PR #3973](pgjdbc/pgjdbc#3973)

fix: make sure the driver honours connectTimeout when retrying the connection [PR #3968](pgjdbc/pgjdbc#3968)

fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in [PR #3968](pgjdbc/pgjdbc#3968)

fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers [PR #3962](pgjdbc/pgjdbc#3962)

fix: use compareTo for LogSequenceNumber comparison to handle unsigned values correctly [PR #3961](pgjdbc/pgjdbc#3961)

fix: release COPY lock on IOException to prevent connection hang [PR #3957](pgjdbc/pgjdbc#3957)

fix: return jsonb as PGObject instead of String [PR #3956](pgjdbc/pgjdbc#3956)

fix: align SSL key file permission check with libpq [PR #3952](pgjdbc/pgjdbc#3952)

fix: guard connection closed flag with a reentrant lock to protect against concurrent close [PR #3905](pgjdbc/pgjdbc#3905)

Commits

78e261f fix: Add sources and javadocs to shaded published lib generation
1e09fa0 update Changelog and website for release of 42.7.11 (#4042)
d479fa5 Fix scram fix location in changelog and update published artifact developer l...
b04fc46 docs: Add scram max iters fix to changelog
cf54822 test: Disable scram test on older version without scram_iterations GUC

Bumps the dependencies group with 25 updates in the / directory: | Package | From | To | | --- | --- | --- | | [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) | `1.5.32` | `1.5.34` | | [com.fasterxml.jackson.core:jackson-annotations](https://github.com/FasterXML/jackson) | `2.21` | `2.22` | | [com.fasterxml.jackson.core:jackson-core](https://github.com/FasterXML/jackson-core) | `2.21.2` | `2.22.0` | | [com.fasterxml.jackson.dataformat:jackson-dataformat-xml](https://github.com/FasterXML/jackson-dataformat-xml) | `2.21.2` | `2.22.0` | | [com.github.dasniko:testcontainers-keycloak](https://github.com/dasniko/testcontainers-keycloak) | `4.2.0` | `4.2.1` | | commons-io:commons-io | `2.21.0` | `2.22.0` | | [de.fraunhofer.iosb.ilt:Configurable](https://github.com/FraunhoferIOSB/Configurable) | `0.37` | `0.38` | | [io.prometheus:prometheus-metrics-bom](https://github.com/prometheus/client_java) | `1.5.1` | `1.7.0` | | org.eclipse.jetty.ee10:jetty-ee10-servlet | `12.1.8` | `12.1.10` | | org.jooq:jooq | `3.21.2` | `3.21.5` | | org.jooq:jooq-codegen | `3.21.2` | `3.21.5` | | org.jooq:jooq-meta | `3.21.2` | `3.21.5` | | [org.junit:junit-bom](https://github.com/junit-team/junit-framework) | `6.0.3` | `6.1.0` | | [org.junit.platform:junit-platform-suite](https://github.com/junit-team/junit-framework) | `6.0.3` | `6.1.0` | | [org.postgresql:postgresql](https://github.com/pgjdbc/pgjdbc) | `42.7.10` | `42.7.11` | | org.slf4j:jul-to-slf4j | `2.0.17` | `2.0.18` | | org.slf4j:slf4j-api | `2.0.17` | `2.0.18` | | [org.testcontainers:testcontainers-bom](https://github.com/testcontainers/testcontainers-java) | `2.0.4` | `2.0.5` | | [org.apache.maven.plugins:maven-dependency-plugin](https://github.com/apache/maven-dependency-plugin) | `3.10.0` | `3.11.0` | | [com.diffplug.spotless:spotless-maven-plugin](https://github.com/diffplug/spotless) | `3.4.0` | `3.6.0` | | [org.owasp:dependency-check-maven](https://github.com/dependency-check/DependencyCheck) | `12.2.1` | `12.2.2` | | [org.apache.maven.plugins:maven-surefire-plugin](https://github.com/apache/maven-surefire) | `3.5.5` | `3.5.6` | | [org.jacoco:jacoco-maven-plugin](https://github.com/jacoco/jacoco) | `0.8.14` | `0.8.15` | | [de.fraunhofer.iosb.io.moquette:moquette-broker](https://github.com/FraunhoferIOSB/moquette) | `0.18.3` | `0.18.4` | | de.fraunhofer.iosb.io.moquette:moquette-metrics-prometheus | `0.18.3` | `0.18.4` | Updates `ch.qos.logback:logback-classic` from 1.5.32 to 1.5.34 - [Release notes](https://github.com/qos-ch/logback/releases) - [Commits](qos-ch/logback@v_1.5.32...v_1.5.34) Updates `com.fasterxml.jackson.core:jackson-annotations` from 2.21 to 2.22 - [Commits](https://github.com/FasterXML/jackson/commits) Updates `com.fasterxml.jackson.core:jackson-core` from 2.21.2 to 2.22.0 - [Commits](FasterXML/jackson-core@jackson-core-2.21.2...jackson-core-2.22.0) Updates `com.fasterxml.jackson.dataformat:jackson-dataformat-xml` from 2.21.2 to 2.22.0 - [Commits](FasterXML/jackson-dataformat-xml@jackson-dataformat-xml-2.21.2...jackson-dataformat-xml-2.22.0) Updates `com.fasterxml.jackson.core:jackson-databind` from 2.21.2 to 2.22.0 - [Commits](https://github.com/FasterXML/jackson/commits) Updates `com.fasterxml.jackson.dataformat:jackson-dataformat-xml` from 2.21.2 to 2.22.0 - [Commits](FasterXML/jackson-dataformat-xml@jackson-dataformat-xml-2.21.2...jackson-dataformat-xml-2.22.0) Updates `com.github.dasniko:testcontainers-keycloak` from 4.2.0 to 4.2.1 - [Release notes](https://github.com/dasniko/testcontainers-keycloak/releases) - [Commits](dasniko/testcontainers-keycloak@v4.2.0...v4.2.1) Updates `commons-io:commons-io` from 2.21.0 to 2.22.0 Updates `de.fraunhofer.iosb.ilt:Configurable` from 0.37 to 0.38 - [Changelog](https://github.com/FraunhoferIOSB/Configurable/blob/master/CHANGELOG.md) - [Commits](FraunhoferIOSB/Configurable@v0.37...v0.38) Updates `io.prometheus:prometheus-metrics-bom` from 1.5.1 to 1.7.0 - [Release notes](https://github.com/prometheus/client_java/releases) - [Changelog](https://github.com/prometheus/client_java/blob/main/CHANGELOG.md) - [Commits](prometheus/client_java@v1.5.1...v1.7.0) Updates `org.eclipse.jetty.ee10:jetty-ee10-servlet` from 12.1.8 to 12.1.10 Updates `org.jooq:jooq` from 3.21.2 to 3.21.5 Updates `org.jooq:jooq-codegen` from 3.21.2 to 3.21.5 Updates `org.jooq:jooq-meta` from 3.21.2 to 3.21.5 Updates `org.jooq:jooq-codegen` from 3.21.2 to 3.21.5 Updates `org.jooq:jooq-meta` from 3.21.2 to 3.21.5 Updates `org.junit:junit-bom` from 6.0.3 to 6.1.0 - [Release notes](https://github.com/junit-team/junit-framework/releases) - [Commits](junit-team/junit-framework@r6.0.3...r6.1.0) Updates `org.junit.platform:junit-platform-suite` from 6.0.3 to 6.1.0 - [Release notes](https://github.com/junit-team/junit-framework/releases) - [Commits](junit-team/junit-framework@r6.0.3...r6.1.0) Updates `org.postgresql:postgresql` from 42.7.10 to 42.7.11 - [Release notes](https://github.com/pgjdbc/pgjdbc/releases) - [Changelog](https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md) - [Commits](pgjdbc/pgjdbc@REL42.7.10...REL42.7.11) Updates `org.slf4j:jul-to-slf4j` from 2.0.17 to 2.0.18 Updates `org.slf4j:slf4j-api` from 2.0.17 to 2.0.18 Updates `org.slf4j:slf4j-api` from 2.0.17 to 2.0.18 Updates `org.testcontainers:testcontainers-bom` from 2.0.4 to 2.0.5 - [Release notes](https://github.com/testcontainers/testcontainers-java/releases) - [Changelog](https://github.com/testcontainers/testcontainers-java/blob/main/CHANGELOG.md) - [Commits](testcontainers/testcontainers-java@2.0.4...2.0.5) Updates `org.apache.maven.plugins:maven-dependency-plugin` from 3.10.0 to 3.11.0 - [Release notes](https://github.com/apache/maven-dependency-plugin/releases) - [Commits](apache/maven-dependency-plugin@maven-dependency-plugin-3.10.0...maven-dependency-plugin-3.11.0) Updates `com.diffplug.spotless:spotless-maven-plugin` from 3.4.0 to 3.6.0 - [Release notes](https://github.com/diffplug/spotless/releases) - [Changelog](https://github.com/diffplug/spotless/blob/main/CHANGES.md) - [Commits](diffplug/spotless@maven/3.4.0...maven/3.6.0) Updates `org.owasp:dependency-check-maven` from 12.2.1 to 12.2.2 - [Release notes](https://github.com/dependency-check/DependencyCheck/releases) - [Changelog](https://github.com/dependency-check/DependencyCheck/blob/main/CHANGELOG.md) - [Commits](dependency-check/DependencyCheck@v12.2.1...v12.2.2) Updates `org.apache.maven.plugins:maven-surefire-plugin` from 3.5.5 to 3.5.6 - [Release notes](https://github.com/apache/maven-surefire/releases) - [Commits](apache/maven-surefire@surefire-3.5.5...surefire-3.5.6) Updates `org.jacoco:jacoco-maven-plugin` from 0.8.14 to 0.8.15 - [Release notes](https://github.com/jacoco/jacoco/releases) - [Commits](jacoco/jacoco@v0.8.14...v0.8.15) Updates `de.fraunhofer.iosb.io.moquette:moquette-broker` from 0.18.3 to 0.18.4 - [Changelog](https://github.com/FraunhoferIOSB/moquette/blob/v0.18.x/ChangeLog.txt) - [Commits](FraunhoferIOSB/moquette@v0.18.3...v0.18.4) Updates `de.fraunhofer.iosb.io.moquette:moquette-metrics-prometheus` from 0.18.3 to 0.18.4 Updates `de.fraunhofer.iosb.io.moquette:moquette-metrics-prometheus` from 0.18.3 to 0.18.4 --- updated-dependencies: - dependency-name: ch.qos.logback:logback-classic dependency-version: 1.5.34 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: com.fasterxml.jackson.core:jackson-annotations dependency-version: '2.22' dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: com.fasterxml.jackson.core:jackson-core dependency-version: 2.22.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: com.fasterxml.jackson.dataformat:jackson-dataformat-xml dependency-version: 2.22.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: com.fasterxml.jackson.core:jackson-databind dependency-version: 2.22.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: com.fasterxml.jackson.dataformat:jackson-dataformat-xml dependency-version: 2.22.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: com.github.dasniko:testcontainers-keycloak dependency-version: 4.2.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: commons-io:commons-io dependency-version: 2.22.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: de.fraunhofer.iosb.ilt:Configurable dependency-version: '0.38' dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: io.prometheus:prometheus-metrics-bom dependency-version: 1.7.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: org.eclipse.jetty.ee10:jetty-ee10-servlet dependency-version: 12.1.10 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: org.jooq:jooq dependency-version: 3.21.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: org.jooq:jooq-codegen dependency-version: 3.21.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: org.jooq:jooq-meta dependency-version: 3.21.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: org.jooq:jooq-codegen dependency-version: 3.21.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: org.jooq:jooq-meta dependency-version: 3.21.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: org.junit:junit-bom dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: org.junit.platform:junit-platform-suite dependency-version: 6.1.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: org.postgresql:postgresql dependency-version: 42.7.11 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: org.slf4j:jul-to-slf4j dependency-version: 2.0.18 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: org.slf4j:slf4j-api dependency-version: 2.0.18 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: org.slf4j:slf4j-api dependency-version: 2.0.18 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: org.testcontainers:testcontainers-bom dependency-version: 2.0.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: org.apache.maven.plugins:maven-dependency-plugin dependency-version: 3.11.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: com.diffplug.spotless:spotless-maven-plugin dependency-version: 3.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: org.owasp:dependency-check-maven dependency-version: 12.2.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: org.apache.maven.plugins:maven-surefire-plugin dependency-version: 3.5.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: org.jacoco:jacoco-maven-plugin dependency-version: 0.8.15 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: de.fraunhofer.iosb.io.moquette:moquette-broker dependency-version: 0.18.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: de.fraunhofer.iosb.io.moquette:moquette-metrics-prometheus dependency-version: 0.18.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: de.fraunhofer.iosb.io.moquette:moquette-metrics-prometheus dependency-version: 0.18.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Jun 8, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the dependencies group across 1 directory with 26 updates#2373

Bump the dependencies group across 1 directory with 26 updates#2373
dependabot[bot] wants to merge 1 commit into
v2.6.xfrom
dependabot/maven/v2.6.x/dependencies-aa82b22dfd

dependabot Bot commented on behalf of github Jun 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Jun 8, 2026

Logback 1.5.34

Logback 1.5.33

v4.2.1

What's Changed

Version 0.38

v1.7.0

1.7.0 (2026-06-03)

Features

Bug Fixes

Performance Improvements

Documentation

v1.6.1

1.6.1 (2026-04-27)

Bug Fixes

1.7.0 (2026-06-03)

Features

Bug Fixes

Performance Improvements

Documentation

1.6.1 (2026-04-27)

Bug Fixes

Documentation

New Contributors

New Contributors

New Contributors

New Contributors

New Contributors

New Contributors

v42.7.11

Security

Changes

🐛 Bug Fixes

🧰 Maintenance

⬆️ Dependencies

[42.7.11] (2026-04-28)

Security

Added

Changed

Fixed

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants