
Bump the gradle-deps group across 1 directory with 8 updates #3818

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/gradle/gradle-deps-d36529f933

dependabot Bot commented on behalf of github Jun 3, 2026

Bumps the gradle-deps group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| org.slf4j:slf4j-api | 2.0.17 | 2.0.18 |
| ch.qos.logback:logback-classic | 1.5.32 | 1.5.34 |
| org.junit:junit-bom | 6.0.3 | 6.1.0 |
| com.fasterxml.jackson.dataformat:jackson-dataformat-yaml | 2.21.3 | 2.21.4 |
| com.fasterxml.jackson.datatype:jackson-datatype-jsr310 | 2.21.3 | 2.22.0 |
| com.diffplug.spotless | 8.4.0 | 8.6.0 |
| com.gradleup.shadow | 9.4.1 | 9.4.2 |
| gradle-wrapper | 9.5.0 | 9.5.1 |

Updates org.slf4j:slf4j-api from 2.0.17 to 2.0.18

Updates ch.qos.logback:logback-classic from 1.5.32 to 1.5.34

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.34

2026-06-01 Release of logback version 1.5.34

• In case certain StackTraceElement values returned by the Throwable.getStackTrace method are null, StackTraceElementProxy substitutes a dummy instance instead of throwing an IllegalArgumentException. This resolves [issues #1040](qos-ch/logback#1040), reported by Naotsugu Kobayashi.

• HardenedObjectInputStream will now throw an InvalidClassException during deserialization attempts of Proxy classes. This change addresses a potential deserialization whitelist bypass vulnerability reported by York Shen and registered as CVE-2026-10532.

• A bitwise identical binary of this version can be reproduced by building from source code at commit e62272ac152469aec1ede056c3c7d0d7314e7bfe associated with the tag v_1.5.34. This release was built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.33

2026-05-27 Release of logback version 1.5.33

• PropertiesConfiguratorModelHandler now registers properties file URLs to the ConfigurationWatchList when scan is enabled (via local scan="true" attribute or top-level configuration scan), ensuring changes are detected and reconfiguration occurs. This problem was reported in issues/1034.

• When processing <conversionRule> elements and both class and converterClass attributes are specified, silently use the class attribute without issuing a warning. However, if the attribute values differ, a warning will be issued. This change was requested in issues/1031.

• HardenedModelInputStream will no longer accept to deserialize all classes located under the "java.lang" and "java.util" packages but a limited number of explicitly authorized classes in those packages. This potential deserialization whitelist bypass vulnerability was reported by York Shen and registered as CVE-2026-9828.

• SSL parameters for SSLSocketAppender now enable hostname verification by default. Moreover, the default protocol is now "TLSv1.2". This potential vulnerability was reported by York Shen.

• When printing the status message field, ViewStatusMessagesServletBase now escapes special characters such as "&" as character entities. This potential vulnerability was reported by York Shen.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 124e8b49b55ac34d08743a0646bd463410192647 associated with the tag v_1.5.33. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Commits
  • e62272a prepare release 1.5.34
  • 1e9e926 add resolveProxyClassRejectsDynamicProxies unit test
  • 2de5cbe added StackTraceElementProxyTest, minor edits to AGENTS.md
  • 0e9b927 in case StackTraceElement is null use a substitute, fixing issues/1040
  • f7a0654 prevent resolveProxyClass bypass
  • 249b81f docs are no longer distributed
  • 1c3b26a start work on 1.5.34-SNAPSHOT
  • 124e8b4 prepare release 1.5.33
  • d8fd6f2 escapeTags in message field when printing status messages
  • 95edbeb hostnameVerification default to true in SSLParametersConfiguration, SSL.DEFAU...
  • Additional commits viewable in compare view

Updates org.junit:junit-bom from 6.0.3 to 6.1.0

Release notes

Sourced from org.junit:junit-bom's releases.

JUnit 6.1.0 = Platform 6.1.0 + Jupiter 6.1.0 + Vintage 6.1.0

See Release Notes.

New Contributors

Full Changelog: junit-team/junit-framework@r6.0.3...r6.1.0

JUnit 6.1.0-RC1 = Platform 6.1.0-RC1 + Jupiter 6.1.0-RC1 + Vintage 6.1.0-RC1

See Release Notes.

New Contributors

Full Changelog: junit-team/junit-framework@r6.1.0-M1...r6.1.0-RC1

JUnit 6.1.0-M1 = Platform 6.1.0-M1 + Jupiter 6.1.0-M1 + Vintage 6.1.0-M1

See Release Notes.

New Contributors

Full Changelog: junit-team/junit-framework@r6.0.0...r6.1.0-M1

Commits

Updates com.fasterxml.jackson.dataformat:jackson-dataformat-yaml from 2.21.3 to 2.21.4

Commits
  • 95debb7 [maven-release-plugin] prepare release jackson-dataformats-text-2.21.4
  • c426a04 Prep for 2.21.4 release
  • 6350258 Merge branch '2.20' into 2.21
  • bdcc3eb Merge branch '2.19' into 2.20
  • 48242e9 Merge branch '2.18' into 2.19
  • 6d9da0d Post-release dep version bump
  • fd07764 [maven-release-plugin] prepare for next development iteration
  • 906a1ba [maven-release-plugin] prepare release jackson-dataformats-text-2.18.8
  • 673d805 Prep for 2.18.8 release
  • 3f9b8be Merge branch '2.20' into 2.21
  • Additional commits viewable in compare view

Updates com.fasterxml.jackson.datatype:jackson-datatype-jsr310 from 2.21.3 to 2.22.0

Updates com.diffplug.spotless from 8.4.0 to 8.6.0

Updates com.gradleup.shadow from 9.4.1 to 9.4.2

Release notes

Sourced from com.gradleup.shadow's releases.

9.4.2

Changed

  • Update jdependency to support Java 27. (#2033)

Commits

Updates gradle-wrapper from 9.5.0 to 9.5.1

Release notes

Sourced from gradle-wrapper's releases.

9.5.1

The Gradle team is excited to announce Gradle 9.5.1.

Here are the highlights of this release:

  • Task provenance in reports and failure messages
  • Type-safe accessors for precompiled Kotlin Settings plugins

Read the Release Notes

We would like to thank the following community members for their contributions to this release of Gradle: atm1020, mataha, Adam, Attila Kelemen, Benedikt Ritter, Björn Kautler, Caro Silva Rode, CHANHAN, Dmitry Nezavitin, Eng Zer Jun, KugelLibelle, Madalin Valceleanu, Markus Gaisbauer, Oliver Kopp, Philip Wedemann, ploober, Roberto Perez Alcolea, Rohit Anand, Suvrat Acharya, Ujwal Suresh Vanjare, Victor Merkulov

Upgrade instructions

Switch your build to use Gradle 9.5.1 by updating your wrapper:

./gradlew wrapper --gradle-version=9.5.1 && ./gradlew wrapper

See the Gradle 9.x upgrade guide to learn about deprecations, breaking changes and other considerations when upgrading.

For Java, Groovy, Kotlin and Android compatibility, see the full compatibility notes.

Reporting problems

If you find a problem with this release, please file a bug on GitHub Issues adhering to our issue guidelines. If you're not sure you're encountering a bug, please use the forum.

We hope you will build happiness with Gradle, and we look forward to your feedback via Twitter or on GitHub.

Commits
  • fd78213 Update Documentation Infrastructure: Fix scrolling issue in user manual (#37861)
  • 7758437 fix scroll
  • 2fd605f Only try to run as worker thread in DefaultBuildOperationQueue (#37845)
  • af69849 Release notes for Gradle 9.5.1 (#37853)
  • f4d9d03 Release notes for Gradle 9.5.1
  • 01eda3a Address review feedback on worker-lease retry changes
  • 7024e15 Revert enrich file visitor with size info on release branch (#37848)
  • d51476f Fix tryRunAsWorkerThread null-return test to match contract
  • 090ebab Revert "Add getLength() to FilePropertyVisitor.VisitState"
  • bceab24 Revert "Fix annotation"
  • Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request
| Dependency Name | Ignore Conditions |
| --- | --- |
| com.diffplug.spotless | [>= 6.17.a, < 6.18] |
| com.diffplug.spotless | [>= 6.18.a, < 6.19] |
| com.diffplug.spotless | [>= 6.19.a, < 6.20] |
| com.fasterxml.jackson.dataformat:jackson-dataformat-yaml | [>= 2.22.a, < 2.23] |

dependabot Bot added the dependencies (Pull requests that update a dependency file) and Java (Pull requests that update Java code) labels Jun 3, 2026

wadoon commented Jun 3, 2026

@dependabot ignore com.fasterxml.jackson.dataformat:jackson-dataformat-yaml minor version
@dependabot ignore com.fasterxml.jackson.datatype:jackson-datatype-jsr310 minor version


dependabot Bot commented on behalf of github Jun 3, 2026

OK, I won't notify you about version 2.22.x of com.fasterxml.jackson.dataformat:jackson-dataformat-yaml again, unless you unignore it.

dependabot Bot changed the title from "Bump the gradle-deps group with 8 updates" to "Bump the gradle-deps group across 1 directory with 8 updates" Jun 3, 2026
dependabot Bot force-pushed the dependabot/gradle/gradle-deps-d36529f933 branch from bac43fa to 9bd1655 June 3, 2026 08:31
Bumps the gradle-deps group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| org.slf4j:slf4j-api | `2.0.17` | `2.0.18` |
| [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) | `1.5.32` | `1.5.34` |
| [org.junit:junit-bom](https://github.com/junit-team/junit-framework) | `6.0.3` | `6.1.0` |
| [com.fasterxml.jackson.dataformat:jackson-dataformat-yaml](https://github.com/FasterXML/jackson-dataformats-text) | `2.21.3` | `2.21.4` |
| com.fasterxml.jackson.datatype:jackson-datatype-jsr310 | `2.21.3` | `2.22.0` |
| com.diffplug.spotless | `8.4.0` | `8.6.0` |
| [com.gradleup.shadow](https://github.com/GradleUp/shadow) | `9.4.1` | `9.4.2` |
| [gradle-wrapper](https://github.com/gradle/gradle) | `9.5.0` | `9.5.1` |



Updates `org.slf4j:slf4j-api` from 2.0.17 to 2.0.18

Updates `ch.qos.logback:logback-classic` from 1.5.32 to 1.5.34
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.32...v_1.5.34)

Updates `org.junit:junit-bom` from 6.0.3 to 6.1.0
- [Release notes](https://github.com/junit-team/junit-framework/releases)
- [Commits](junit-team/junit-framework@r6.0.3...r6.1.0)

Updates `com.fasterxml.jackson.dataformat:jackson-dataformat-yaml` from 2.21.3 to 2.21.4
- [Commits](FasterXML/jackson-dataformats-text@jackson-dataformats-text-2.21.3...jackson-dataformats-text-2.21.4)

Updates `com.fasterxml.jackson.datatype:jackson-datatype-jsr310` from 2.21.3 to 2.22.0

Updates `com.diffplug.spotless` from 8.4.0 to 8.6.0

Updates `com.gradleup.shadow` from 9.4.1 to 9.4.2
- [Release notes](https://github.com/GradleUp/shadow/releases)
- [Commits](GradleUp/shadow@9.4.1...9.4.2)

Updates `gradle-wrapper` from 9.5.0 to 9.5.1
- [Release notes](https://github.com/gradle/gradle/releases)
- [Commits](gradle/gradle@v9.5.0...v9.5.1)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.34
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gradle-deps
- dependency-name: com.diffplug.spotless
  dependency-version: 8.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gradle-deps
- dependency-name: com.fasterxml.jackson.dataformat:jackson-dataformat-yaml
  dependency-version: 2.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gradle-deps
- dependency-name: com.fasterxml.jackson.datatype:jackson-datatype-jsr310
  dependency-version: 2.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gradle-deps
- dependency-name: com.gradleup.shadow
  dependency-version: 9.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gradle-deps
- dependency-name: gradle-wrapper
  dependency-version: 9.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gradle-deps
- dependency-name: org.junit:junit-bom
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gradle-deps
- dependency-name: org.slf4j:slf4j-api
  dependency-version: 2.0.18
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gradle-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot force-pushed the dependabot/gradle/gradle-deps-d36529f933 branch from 9bd1655 to e54c466 June 3, 2026 13:57