Bump the dependencies group across 1 directory with 10 updates #203

Open: dependabot[bot] wants to merge 1 commit into master from dependabot/maven/dependencies-a9b747ec0b

@dependabot dependabot Bot commented on behalf of github Jun 2, 2026

Bumps the dependencies group with 10 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| de.fraunhofer.iosb.ilt:Configurable | 0.37 | 0.38 |
| de.fraunhofer.iosb.ilt:FROST-Client | 0.45 | 0.46 |
| ch.qos.logback:logback-classic | 1.5.27 | 1.5.34 |
| commons-io:commons-io | 2.21.0 | 2.22.0 |
| org.geotools:gt-epsg-hsql | 34.2 | 34.4 |
| org.geotools:gt-referencing | 34.2 | 34.4 |
| org.slf4j:slf4j-api | 2.0.17 | 2.0.18 |
| com.diffplug.spotless:spotless-maven-plugin | 3.4.0 | 3.6.0 |
| org.apache.maven.plugins:maven-shade-plugin | 3.6.1 | 3.6.2 |
| io.github.git-commit-id:git-commit-id-maven-plugin | 9.0.2 | 10.0.0 |

Updates de.fraunhofer.iosb.ilt:Configurable from 0.37 to 0.38

Changelog

Sourced from de.fraunhofer.iosb.ilt:Configurable's changelog.

Version 0.38

Updates

  • [FX] Hide options dropdown in map (class) editor when it's empty.
  • Updated dependencies.

Commits
  • fd42353 Release v0.38
  • 1f4410d [FX] Hide options dropdown in map (class) editor when its empty
  • 5edf948 Bump the dependencies group across 1 directory with 7 updates (#178)
  • e54d5f6 Bump the dependencies group across 1 directory with 2 updates (#173)
  • 0b1d067 Bump the dependencies group with 2 updates (#165)
  • 5e3654a Bump the dependencies group across 1 directory with 7 updates (#170)
  • 26df65e Bump the dependencies group across 1 directory with 2 updates (#164)
  • 5d7485b Bumped dependencies
  • af77ab1 Prepare for next development iteration
  • See full diff in compare view

Updates de.fraunhofer.iosb.ilt:FROST-Client from 0.45 to 0.46

Changelog

Sourced from de.fraunhofer.iosb.ilt:FROST-Client's changelog.

Version 0.46

Updates

  • Updated Jackson to version 3.
  • Added automatic code formatting with spotless.

Commits
  • c5a281e Release v0.46
  • 40f4510 [CI] Switch release plugin
  • bffcda8 Bump the dependencies group across 1 directory with 11 updates (#332)
  • 1321e4b Bump the dependencies group across 1 directory with 2 updates (#322)
  • 345080e Auto-formatted all source code
  • 602fa83 Added autoformat rules and spotless integration
  • ea37738 1 jackson upgrade (#329)
  • 15b8469 Bumped Jackson version to 2.21.1
  • d36000b Bump the dependencies group across 1 directory with 5 updates (#313)
  • 7f13b7b [CI] Updated build scripts
  • Additional commits viewable in compare view

Updates ch.qos.logback:logback-classic from 1.5.27 to 1.5.34

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.33

2026-05-27 Release of logback version 1.5.33

• PropertiesConfiguratorModelHandler now registers properties file URLs to the ConfigurationWatchList when scan is enabled (via local scan="true" attribute or top-level configuration scan), ensuring changes are detected and reconfiguration occurs. This problem was reported in issues/1034.

• When processing <conversionRule> elements and both class and converterClass attributes are specified, silently use the class attribute without issuing a warning. However, if the attribute values differ, a warning will be issued. This change was requested in issues/1031.

• HardenedModelInputStream will no longer accept to deserialize all classes located under the "java.lang" and "java.util" packages but a limited number of explicitly authorized classes in those packages. This potential deserialization whitelist bypass vulnerability was reported by York Shen and registered as CVE-2026-9828.

• SSL parameters for SSLSocketAppender now enable hostname verification by default. Moreover, the default protocol is now "TLSv1.2". This potential vulnerability was reported by York Shen.

• When printing the status message field, ViewStatusMessagesServletBase now escapes special characters such as "&" as character entities. This potential vulnerability was reported by York Shen.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 124e8b49b55ac34d08743a0646bd463410192647 associated with the tag v_1.5.33. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.32

2026-02-16 Release of logback version 1.5.32

• In DefaultProcessor, fixed incorrect check for dependencies contained within a parent model. Previously only the direct children were scanned. This fixes logback-access/issues/34.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit e807335a67535b4eacce94e942c0bcb649665d93 associated with the tag v_1.5.32. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.31

2026-02-14 Release of logback version 1.5.31

• Fixed missing META-INF/services directory in logback-classic.jar. This issue rendered logback-classic version 1.5.30 unusable with SLF4J.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 168e42f9f9a18a3ffdf31eb2bfe80a71e33ecd8b associated with the tag v_1.5.31. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.30

2026-02-14 Release of logback version 1.5.30

In this version, logback-classic.jar was missing the META-INF/services directory, making it unusable with SLF4J. Version 1.5.31 (released later on the same day) fixes this issue.

• Fix scanning issue when an included file becomes available at a later time. This problem was reported in issues/1021 by Sergey Nazarov.

• Standardized code for version checking across modules.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 44164f10ca3fb44ce0e68519f13564b87e3aca61 associated with the tag v_1.5.30. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.29

2026-02-09 Release of logback version 1.5.29

• In response to issues/1017, appender names and appender references are once again subject to variable substitution, reverting the change introduced in version 1.5.28.

Logback 1.5.28

2026-02-06 Release of logback version 1.5.28

• Appender names or appender references are no longer subject to variable substitution.

... (truncated)

Commits
  • e62272a prepare release 1.5.34
  • 1e9e926 add resolveProxyClassRejectsDynamicProxies unit test
  • 2de5cbe added StackTraceElementProxyTest, minor edits to AGENTS.md
  • 0e9b927 in case StackTraceElement is null use a substitute, fixing issues/1040
  • f7a0654 prevent resolveProxyClass bypass
  • 249b81f docs are no longer distributed
  • 1c3b26a start work on 1.5.34-SNAPSHOT
  • 124e8b4 prepare release 1.5.33
  • d8fd6f2 escapeTags in message field when printing status messages
  • 95edbeb hostnameVerification default to true in SSLParametersConfiguration, SSL.DEFAU...
  • Additional commits viewable in compare view

Updates commons-io:commons-io from 2.21.0 to 2.22.0

Updates org.geotools:gt-epsg-hsql from 34.2 to 34.4

Updates org.geotools:gt-referencing from 34.2 to 34.4

Updates org.geotools:gt-referencing from 34.2 to 34.4

Updates org.slf4j:slf4j-api from 2.0.17 to 2.0.18

Updates com.diffplug.spotless:spotless-maven-plugin from 3.4.0 to 3.6.0

Release notes

Sourced from com.diffplug.spotless:spotless-maven-plugin's releases.

Maven Plugin v3.6.0

Added

  • Add <cacheDirectory> to <eclipse>, <greclipse>, and <eclipseCdt> for the Equo/Solstice P2 cache. (#2944)
  • EclipseJdtFormatterStep now can conditionally set compiler source/compliance options. Allows for better parsing of AST Node for newer language features and more correct sorting; e.g. records or sealed classes. (#2942)

Fixed

  • <versionCatalog> no longer splits long inline tables across multiple lines — Gradle's TOML 1.0 parser cannot read multi-line inline tables. The maxLineLength option has been removed. (#2948)
  • spotless:apply no longer aborts on the first file with lints; it now formats all files and reports a single aggregated lint failure across every file, matching the Gradle plugin's behavior. (#2937)
  • <greclipse> and <eclipseCdt> now default P2 data to the Maven local repository. (#2944)
  • forbidWildcardImports and forbidModuleImports now detect imports that have leading whitespace (indentation/tabs). (#2939)

Changes

  • Improved formatting performance by eliminating redundant per-step line-ending normalization in the core formatter loop. (#2934)

Maven Plugin v3.5.1

Fixed

  • <licenseHeader> with <yearMode>SET_FROM_GIT</yearMode> no longer runs git log through a shell, eliminating a shell-injection vector when formatting files whose names contain shell metacharacters.
  • Bump transitive plexus-utils 4.0.2 -> 4.0.3 to address CVE-2025-67030. (#2919)

Maven Plugin v3.5.0

Added

  • <scalafmt> now reads the version from the version field in the scalafmt config file when no <version> is explicitly set, falling back to the built-in default only if neither is available. (#2922)
  • Add <toml> format type with <versionCatalog> step for formatting and sorting Gradle version catalog files. (#2916)
  • Add <javaparserVersion> option to <cleanthat>, allowing users to override the JavaParser version pulled in transitively by Cleanthat. (#2903)
  • Add an expandWildcardImports API for java (#2829)

Fixed

  • Preserve case of JDBI named bind params that collide with SQL keywords (e.g. :limit, :offset) in the DBeaver SQL formatter. (#2899)
  • The -Dspotless.ratchetFrom=... user property now takes priority over <ratchetFrom> configured in the plugin or in individual formatters, instead of being overridden by them. (#2896, fixes #2842)
  • Fix non-idempotent formatting when importOrder() is combined with greclipse(): a single catch-all group no longer strips blank lines that greclipse() independently inserted between import groups. (#2914)

Changes

  • Fix expandWildcardImports failing on JDK XML types such as org.xml.sax.InputSource. (#2921)
  • Use Eclipse JDT's collator-based comparison when sorting Java members to better match Eclipse save actions. (#2920)
  • Bump default cleanthat version 2.24 -> 2.25. (#2903)
  • Bump default eclipse-jdt version from 4.35 to 4.39.

Commits
  • 71a433c Published maven/3.6.0
  • 3a0f101 Published gradle/8.6.0
  • 007e9d8 Published lib/4.6.2
  • a074d53 Allow setting the local P2 cache dir in the Spotless Gradle plugin (#2944)
  • a266fc2 Merge branch 'main' into add-cache-directory-dsl
  • e0d466e Fix: sort members treats record declarations as types (#2942)
  • 3936b6f Merge branch 'main' into main
  • 278765f fix: expandWildcardImports support pom type dependency, fix #2839 (#2935)
  • a18ddec Remove maxLineLength from versionCatalog step (#2949)
  • b91ad87 Add changelog entries for versionCatalog maxLineLength removal
  • Additional commits viewable in compare view

Updates org.apache.maven.plugins:maven-shade-plugin from 3.6.1 to 3.6.2

Release notes

Sourced from org.apache.maven.plugins:maven-shade-plugin's releases.

3.6.2

🐛 Bug Fixes

  • Bug: Extra JARs and Artifacts were not subjected to filtering (#785) @cstamas

👻 Maintenance

📦 Dependency updates

Commits
  • ad8de59 [maven-release-plugin] prepare release maven-shade-plugin-3.6.2
  • 8eb19dc Drop unneeded dependencies (#788)
  • 397b2cd Drop excessive dependencies (#786)
  • eca6398 Bug: Extra JARs and Artifacts were not subjected to filtering (#785)
  • 7edce17 Update to parent POM v 47 (#781)
  • 3171a34 Mockito improvements (#783)
  • 678844b Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness (#782)
  • 73ec909 Bump org.codehaus.mojo:mrm-maven-plugin from 1.7.0 to 1.7.1 (#780)
  • 5f7a877 Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness (#778)
  • 73c5247 chore: remove junit3 reference (#762)
  • Additional commits viewable in compare view

Updates io.github.git-commit-id:git-commit-id-maven-plugin from 9.0.2 to 10.0.0

Release notes

Sourced from io.github.git-commit-id:git-commit-id-maven-plugin's releases.

Version 10.0.0 is finally there and includes various bug-fixes and improvements :-)

⚠️ This is a potentially breaking release. Read the release-notes carefully ⚠️

Potential Breaking changes:

The main key-aspects that might cause a breakage when migrating to the new version:

  • #913 / #914: Require Maven 3.9.0 [Maven 3.6.3 is EOL] ⚠️

Getting the latest release

The plugin is available from Maven Central (see here), so you don't have to configure any additional repositories to use this plugin. All you need to do is to configure it inside your project as dependency:

```xml
<dependency>
    <groupId>io.github.git-commit-id</groupId>
    <artifactId>git-commit-id-maven-plugin</artifactId>
    <version>10.0.0</version>
</dependency>
```

Getting the latest snapshot (build automatically)

If you can't wait for the next release, you can also get the latest snapshot version from sonatype, that is being deployed automatically by github actions:

```xml
<pluginRepositories>
    <pluginRepository>
        <id>sonatype-snapshots</id>
        <name>Sonatype Snapshots</name>
        <url>https://s01.oss.sonatype.org/content/repositories/snapshots/</url>
    </pluginRepository>
</pluginRepositories>
```

Even though the github actions will only deploy a new snapshot once all tests have finished, it is recommended to rely on the released and more stable version.

Known Issues / Limitations:

  • This plugin is unfortunately not working with Heroku which is due to the fact how Heroku works. In summary Heroku does not copy over the .git-repository but in order to determine the git properties this plugin relies on the fact that it has access to the git-repository. A somewhat workaround to get some information is outlined in ktoso/maven-git-commit-id-plugin#279
  • Using maven's plugin prefix resolution (e.g. mvn com.test.plugins:myPlugin:myMojo) might result in unresolved properties even with <injectAllReactorProjects>true</injectAllReactorProjects>. Please refer to git-commit-id/maven-git-commit-id-plugin#287 or git-commit-id/maven-git-commit-id-plugin#413 for details and potential workarounds

Reporting Problems

If you find any problem with this plugin, feel free to report it here

Full Changelog: git-commit-id/git-commit-id-maven-plugin@v9.2.0...v10.0.0

Version 9.2.0 is finally there and includes various bug-fixes and improvements :-)

New Features / Bug-Fixes:

The main key-aspects that have been improved or being worked on are the following:

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the dependencies group with 10 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [de.fraunhofer.iosb.ilt:Configurable](https://github.com/FraunhoferIOSB/Configurable) | `0.37` | `0.38` |
| [de.fraunhofer.iosb.ilt:FROST-Client](https://github.com/FraunhoferIOSB/FROST-Client) | `0.45` | `0.46` |
| [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) | `1.5.27` | `1.5.34` |
| commons-io:commons-io | `2.21.0` | `2.22.0` |
| org.geotools:gt-epsg-hsql | `34.2` | `34.4` |
| org.geotools:gt-referencing | `34.2` | `34.4` |
| org.slf4j:slf4j-api | `2.0.17` | `2.0.18` |
| [com.diffplug.spotless:spotless-maven-plugin](https://github.com/diffplug/spotless) | `3.4.0` | `3.6.0` |
| [org.apache.maven.plugins:maven-shade-plugin](https://github.com/apache/maven-shade-plugin) | `3.6.1` | `3.6.2` |
| [io.github.git-commit-id:git-commit-id-maven-plugin](https://github.com/git-commit-id/git-commit-id-maven-plugin) | `9.0.2` | `10.0.0` |



Updates `de.fraunhofer.iosb.ilt:Configurable` from 0.37 to 0.38
- [Changelog](https://github.com/FraunhoferIOSB/Configurable/blob/master/CHANGELOG.md)
- [Commits](FraunhoferIOSB/Configurable@v0.37...v0.38)

Updates `de.fraunhofer.iosb.ilt:FROST-Client` from 0.45 to 0.46
- [Changelog](https://github.com/FraunhoferIOSB/FROST-Client/blob/master/CHANGELOG.md)
- [Commits](FraunhoferIOSB/FROST-Client@v0.45...v0.46)

Updates `ch.qos.logback:logback-classic` from 1.5.27 to 1.5.34
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.27...v_1.5.34)

Updates `commons-io:commons-io` from 2.21.0 to 2.22.0

Updates `org.geotools:gt-epsg-hsql` from 34.2 to 34.4

Updates `org.geotools:gt-referencing` from 34.2 to 34.4

Updates `org.geotools:gt-referencing` from 34.2 to 34.4

Updates `org.slf4j:slf4j-api` from 2.0.17 to 2.0.18

Updates `com.diffplug.spotless:spotless-maven-plugin` from 3.4.0 to 3.6.0
- [Release notes](https://github.com/diffplug/spotless/releases)
- [Changelog](https://github.com/diffplug/spotless/blob/main/CHANGES.md)
- [Commits](diffplug/spotless@maven/3.4.0...maven/3.6.0)

Updates `org.apache.maven.plugins:maven-shade-plugin` from 3.6.1 to 3.6.2
- [Release notes](https://github.com/apache/maven-shade-plugin/releases)
- [Commits](apache/maven-shade-plugin@maven-shade-plugin-3.6.1...maven-shade-plugin-3.6.2)

Updates `io.github.git-commit-id:git-commit-id-maven-plugin` from 9.0.2 to 10.0.0
- [Release notes](https://github.com/git-commit-id/git-commit-id-maven-plugin/releases)
- [Commits](git-commit-id/git-commit-id-maven-plugin@v9.0.2...v10.0.0)

---
updated-dependencies:
- dependency-name: de.fraunhofer.iosb.ilt:Configurable
  dependency-version: '0.38'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: de.fraunhofer.iosb.ilt:FROST-Client
  dependency-version: '0.46'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.34
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: commons-io:commons-io
  dependency-version: 2.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: org.geotools:gt-epsg-hsql
  dependency-version: '34.4'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: org.geotools:gt-referencing
  dependency-version: '34.4'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: org.geotools:gt-referencing
  dependency-version: '34.4'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: org.slf4j:slf4j-api
  dependency-version: 2.0.18
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: com.diffplug.spotless:spotless-maven-plugin
  dependency-version: 3.6.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: org.apache.maven.plugins:maven-shade-plugin
  dependency-version: 3.6.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: io.github.git-commit-id:git-commit-id-maven-plugin
  dependency-version: 10.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Jun 2, 2026