Skip to content

Update all non-major dependencies (branch_9x)#4586

Merged
janhoy merged 2 commits into
apache:branch_9xfrom
solrbot:renovate-9x/all-non-major-dependencies
Jul 2, 2026
Merged

Update all non-major dependencies (branch_9x)#4586
janhoy merged 2 commits into
apache:branch_9xfrom
solrbot:renovate-9x/all-non-major-dependencies

Conversation

@solrbot

@solrbot solrbot commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Type Update Change Status
org.carrot2:carrot2-core dependencies minor 4.5.14.8.6 Held at 4.5.1 — 4.8.6 is compiled for Java 21
org.apache.hadoop:hadoop-common dependencies minor 3.4.13.5.0 Held at 3.4.1 — 3.5.0 is compiled for Java 17
org.apache.hadoop:hadoop-client-runtime dependencies minor 3.4.13.5.0 Held at 3.4.1 — see above
org.apache.hadoop:hadoop-client-api dependencies minor 3.4.13.5.0 Held at 3.4.1 — see above
org.apache.hadoop:hadoop-auth dependencies minor 3.4.13.5.0 Held at 3.4.1 — see above
org.apache.hadoop:hadoop-annotations dependencies minor 3.4.13.5.0 Held at 3.4.1 — see above
dev.langchain4j:langchain4j-* (open-ai, mistral-ai, hugging-face, core, cohere) dependencies minor 0.35.00.36.2 Held at 0.35.0 — 0.36.0 moved to a "Java 17 baseline"
com.palantir.consistent-versions plugin minor 2.32.02.37.0 Held at 2.32.0 — 2.37.0 is compiled for Java 17
com.google.errorprone:error_prone_annotations dependencies minor 2.31.02.50.0 Held at 2.31.0 — Error Prone ≥2.32 requires JDK 17; the build also hard-pins 2.31.0 for JDK 11
org.owasp.dependencycheck plugin minor 12.1.312.2.2 Applied — needed a one-line build tweak (suppressionFile now takes a String, not a File)
com.github.spotbugs:spotbugs-annotations dependencies minor 4.8.64.10.2 Applied — 4.10.2 explicitly restored Java 11 compatibility

Release Notes

langchain4j/langchain4j (dev.langchain4j:langchain4j-open-ai)

v0.36.2

Compare Source

What's Changed

v0.36.1

Compare Source

Fixes
What's Changed

Full Changelog: langchain4j/langchain4j@0.36.0...0.36.1

v0.36.0

Compare Source

Core Features/Updates
New Integrations
Notable Updates
Other Changes
New Contributors

Full Changelog: langchain4j/langchain4j@0.35.0...0.36.0

google/error-prone (com.google.errorprone:error_prone_annotations)

v2.50.0: Error Prone 2.50.0

New checks:

Closed issues: #​5553, #​5649, #​5778

Full changelog: google/error-prone@v2.49.0...v2.50.0

v2.49.0: Error Prone 2.49.0

This release includes several changes to Matcher APIs, and removed some deprecated or problematic APIs:

  • Remove deprecated MethodMatchers.withSignature API, which relies on fragile toString behaviour. Alternatives for matching on method signatures with varargs and type parameters were added in a98a1c5.
  • Removed variableType(Matcher) API. Matchers.variableType(Matcher) uses VariableTree#getType to match variable types, which own't work for lambda parameters with inferred types after JDK-8268850. The recommended replacement is variableType(TypePredicate).
  • Make enclosingPackage return an optional. Module elements are not enclosed by a package, checks using enclosingPackage shouldn't assume an enclosing package exists when processing arbitrary elements.
  • New FieldMatchers API, similar to MethodMatchers (1dd9c3a).

New checks:

Closed issues: #​2283, #​3503, #​5210, #​5289, #​5548, #​5548, #​5554, #​5609, #​5614, #​5656

Full changelog: google/error-prone@v2.48.0...v2.49.0

v2.48.0: Error Prone 2.48.0

Changes:

  • Added support for passing flags with command-line argument files (@-files) (8e84edf)

New checks:

Closed issues: #​5529, #​5537, #​5522, #​5521

Full changelog: google/error-prone@v2.47.0...v2.48.0

v2.47.0: Error Prone 2.47.0

New checks:

Closed issues: #​1811, #​4168, #​5459, #​5460

Full changelog: google/error-prone@v2.46.0...v2.47.0

v2.46.0: Error Prone 2.46.0

Changes:

New checks:

Full changelog: google/error-prone@v2.45.0...v2.46.0

v2.45.0: Error Prone 2.45.0

Changes:

  • Improved compatibility with latest JDK 26 EA builds.

New checks:

Closed issues: #​5335

Full changelog: google/error-prone@v2.44.0...v2.45.0

v2.44.0: Error Prone 2.44.0

Changes

Closed issues: #​5218, #​5278

Full changelog: google/error-prone@v2.43.0...v2.44.0

v2.43.0: Error Prone 2.43.0

The minimum supported JDK version to run Error Prone is now JDK 21 (#​4867).

Changes:

  • -XepPatchChecks now skips disabled checks (#​4943)
  • AndroidJdkLibsChecker has been removed, the recommended replacement for Android code is Android Lint's NewApi check

New checks:

Closed issues: #​4943, #​5102, #​5107, #​5121, #​5158, #​5217, #​5239

Full changelog: google/error-prone@v2.42.0...v2.43.0

v2.42.0: Error Prone 2.42.0

New checks:

Changes:

  • The return type of ASTHelpers.asFlagSet has changed. The previous type was EnumSet<Flags.Flag>, where Flags.Flag is an enum in the javac class Flags. A recent JDK change has replaced that enum with a new top-level enum called FlagsEnum. It is not possible to change ASTHelpers.asFlagSet in a way that would be type-safe and compatible with the enums from JDKs both before and after the change. Instead, the method now returns ImmutableSet<String>, where the strings come from the toString() of the enum constants. That means they are "native", "abstract", etc.
  • Flag IO.print[ln]() in SystemOut.

Full changelog: google/error-prone@v2.41.0...v2.42.0

v2.41.0: Error Prone 2.41.0

New checks:

  • EffectivelyPrivate: Detect declarations that have public or protected modifiers, but are effectively private

Changes:

  • Skip BooleanLiteral findings if the target type is boxed (#​5134)

Full changelog: google/error-prone@v2.40.0...v2.41.0

v2.40.0: Error Prone 2.40.0

Changes:

Full changelog: google/error-prone@v2.39.0...v2.40.0

v2.39.0: Error Prone 2.39.0

Changes:

  • Temporarily downgrade to Guava 33.4.0 (#​5108)

Checks:

  • BooleanLiteral: Prefer true to Boolean.TRUE
  • ExpensiveLenientFormatString: Renamed from PreconditionsExpensiveString, detects unnecessary calls to String.format in the arguments of lenient formatting methods.
  • UnnecessaryQualifier: Detects @Qualifier or @BindingAnnotation annotations that have no effect, and can be removed

Issues: #​4996, #​5045

Full changelog: google/error-prone@v2.38.0...v2.39.0

v2.38.0: Error Prone 2.38.0

New checks:

Closed issues: #​4924, #​4897, #​4995

Full changelog: google/error-prone@v2.37.0...v2.38.0

v2.37.0: Error Prone 2.37.0

Changes:

  • The annotations that were previously in error_prone_type_annotations have been been merged into error_prone_annotations. error_prone_type_annotations is now deprecated, and will be removed in a future release.

New checks:

  • AssignmentExpression - The use of an assignment expression can be surprising and hard to read; consider factoring out the assignment to a separate statement.
  • IntFloatConversion - Detect calls to scalb that should be using the double overload instead
  • InvalidSnippet - Detects snippets which omit the : required for inline code.
  • JUnit4EmptyMethods - Detects empty JUnit4 @Before, @After, @BeforeClass, and @AfterClass methods.
  • MockIllegalThrows - Detects cases where Mockito is configured to throw checked exception types which are impossible.
  • NegativeBoolean - Prefer positive boolean names.
  • RuleNotRun - Detects TestRules not annotated with @Rule, that won't be run.
  • StringConcatToTextBlock - Replaces concatenated multiline strings with text blocks.
  • TimeInStaticInitializer - Detects accesses of the system time in static contexts.

Closed issues:

  • Propagate check flags in patch mode (#​4699)
  • Fixes a crash in ComputeIfAbsentAmbiguousReference (#​4736)
  • Show the field name in HidingField diagnostics (#​4775)
  • Add support for jakarta annotations to some checks (#​4782)
  • FloatingPointAssertionWithinEpsilonTest depends on default locale (#​4815)
  • @InlineMe patching of Strings.repeat produces broken code (#​4819)
  • Fix a crash in IdentifierName on unnamed (_) variables (#​4847)
  • Fix a crash in ArgumentParameterSwap (#​490)

Full changelog: google/error-prone@v2.36.0...v2.37.0

v2.36.0: Error Prone 2.36.0

Changes:

  • Add new matcher interfaces to ErrorProneScanner for AST nodes introduced after Java 11 (e5fd194)
  • Fix compatibility with latest JDK 24 EA builds (d67bc15)
  • Check that --should-stop=ifError=FLOW is set when using the -Xplugin integration (e71db1f)

New checks:

Closed issues: #​4633, #​4646

Full changelog: google/error-prone@v2.35.1...v2.36.0

v2.35.1: Error Prone 2.35.1

Error Prone's dependency on protobuf has been downgraded to 3.25.5 for this release.

Version 3.25.5 of protobuf still fixes CVE-2024-7254. This release is provided for users who aren't ready to update to 4.x, see also #​4584 and #​4634. Future versions of Error Prone will upgrade back to protobuf 4.x.

Full changelog: google/error-prone@v2.35.0...v2.35.1

v2.35.0: Error Prone 2.35.0

Changes:

  • Fix handling of \s before the trailing delimiter in MisleadingEscapedSpace
  • TimeUnitMismatch improvements: handle binary trees, consider trees like fooSeconds * 1000 to have units of millis

New checks:

Full changelog: google/error-prone@v2.34.0...v2.35.0

v2.34.0: Error Prone 2.34.0

Changes:

  • Passing the javac flag --should-stop=ifError=FLOW is now required when running Error Prone (#​4595)
  • The MemberName check was renamed to IdentifierName

New checks:

Closed issues: #​4595, #​4598, #​4620

Full changelog: google/error-prone@v2.33.0...v2.34.0

v2.33.0: Error Prone 2.33.0

Similar to release 2.32.0, the minimum supported JDK version to run Error Prone is JDK 17 (#​3803). Using Error Prone to compile code that is deployed to earlier versions is still fully supported, but will require using JDK 17 or newer for compilation and setting --release or -source/-target/-bootclasspath.

Changes:

New checks:

Full changelog: google/error-prone@v2.32.0...v2.33.0

v2.32.0: Error Prone 2.32.0

The minimum support JDK version to run Error Prone is now JDK 17 (#​3803).

Using Error Prone to compile code that is deployed to earlier versions is still fully supported, but will requires using JDK 17 or newer for compilation and setting --release or -source/-target/-bootclasspath.

Full changelog: google/error-prone@v2.31.0...v2.32.0

spotbugs/spotbugs (com.github.spotbugs:spotbugs-annotations)

v4.10.2

Compare Source

Build
  • Add release protection to ensure version released matches the tag and that snapshot has been removed. (#​4156)
  • Drop binary incompatible Saxon-HE back to 12.9 to keep java 11 compatibility. (#​4159)
  • Add binary check to the gradle build to ensure compatibility remains. (#​4159)

v4.10.1

Compare Source

Build
  • 4.10.0 was not released due to a release process error (artifacts were built from a -SNAPSHOT version). 4.10.1 is the corrected release and contains the intended 4.10.0 contents.

v4.9.8

Compare Source

Fixed
  • Maven plugin reporting issue if -adjustPriority is not set (#​3774)

v4.9.7

Compare Source

Fixed
  • Fix Eclipse not always using latest preferences file state (#​3740)
  • Fix exception throw when singleton implementing Cloneable has no clone() method (#​3727)
  • Fix for missing -adjustPriority parameter in Eclipse preferences (#​3687)
  • Documentation of -adjustPriority parameter
  • Functionality from DetectorFactory setEnabledButNonReporting(), getPriorityAdjustment() methods and BugInstance.adjustForDetector() is deprecated and moved to PriorityAdjuster (#​3753)
  • Improved FindNakedNotify to handle the case when the lock is loaded from a field (#​3634)
Changed
  • Support for fully qualified class names for detectors in -adjustPriority parameter
  • Support for numerical and absolute priority adjustments
  • Bump up Apache Commons BCEL to the version 6.11.0 (#​3569)
Deprecated
  • Add back and deprecate edu.umd.cs.findbugs.io.IO.close(InputStream) method. (#​3756)
Build
  • Allow our GA builds to work with JDK 25 (and drop support for JDK 24) (#​3564)

v4.9.6

Compare Source

Fixed
  • Fix exception throw when analyzing jakarta.servlet.http.HttpServletRequest method calls (#​3711)

v4.9.5

Compare Source

Fixed

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Every minute (* * * * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot

@solrbot solrbot added the exempt-stale Prevent a PR from going stale label Jul 1, 2026
@solrbot

solrbot commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator Author

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: build.gradle
Command failed: ./gradlew -Dorg.gradle.jvmargs=-Xms512m -Xmx512m --console=plain --dependency-verification lenient -q :dependencies :solr:dependencies :solr:api:dependencies :solr:benchmark:dependencies :solr:core:dependencies :solr:cross-dc-manager:dependencies :solr:distribution:dependencies :solr:docker:dependencies :solr:documentation:dependencies :solr:example:dependencies :solr:modules:dependencies :solr:packaging:dependencies :solr:prometheus-exporter:dependencies :solr:server:dependencies :solr:solr-ref-guide:dependencies :solr:solrj:dependencies :solr:solrj-streaming:dependencies :solr:solrj-zookeeper:dependencies :solr:test-framework:dependencies :solr:webapp:dependencies :solr:modules:analysis-extras:dependencies :solr:modules:analytics:dependencies :solr:modules:clustering:dependencies :solr:modules:cross-dc:dependencies :solr:modules:extraction:dependencies :solr:modules:gcs-repository:dependencies :solr:modules:hadoop-auth:dependencies :solr:modules:hdfs:dependencies :solr:modules:jaegertracer-configurator:dependencies :solr:modules:jwt-auth:dependencies :solr:modules:langid:dependencies :solr:modules:llm:dependencies :solr:modules:ltr:dependencies :solr:modules:opentelemetry:dependencies :solr:modules:s3-repository:dependencies :solr:modules:scripting:dependencies :solr:modules:sql:dependencies --update-locks org.owasp.dependencycheck:org.owasp.dependencycheck.gradle.plugin,com.palantir.consistent-versions:com.palantir.consistent-versions.gradle.plugin

FAILURE: Build completed with 2 failures.

1: Task failed with an exception.
-----------
* Where:
Script '/tmp/renovate/repos/github/apache/solr/gradle/validation/owasp-dependency-check.gradle' line: 31

* What went wrong:
A problem occurred evaluating script.
> Cannot set the value of extension 'dependencyCheck' property 'suppressionFile' of type java.lang.String using an instance of type java.io.File.

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Get more help at https://help.gradle.org.
==============================================================================

2: Task failed with an exception.
-----------
* Where:
Build file '/tmp/renovate/repos/github/apache/solr/solr/core/build.gradle' line: 28

* What went wrong:
A problem occurred evaluating project ':solr:core'.
> Could not find method permitUnusedDeclared() for arguments [com.github.spotbugs:spotbugs-annotations] on object of type org.gradle.api.internal.artifacts.dsl.dependencies.DefaultDependencyHandler.

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Get more help at https://help.gradle.org.
==============================================================================

BUILD FAILED in 19s

File name: undefined
Command failed: ./gradlew --write-locks

FAILURE: Build completed with 2 failures.

1: Task failed with an exception.
-----------
* Where:
Script '/tmp/renovate/repos/github/apache/solr/gradle/validation/owasp-dependency-check.gradle' line: 31

* What went wrong:
A problem occurred evaluating script.
> Cannot set the value of extension 'dependencyCheck' property 'suppressionFile' of type java.lang.String using an instance of type java.io.File.

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Get more help at https://help.gradle.org.
==============================================================================

2: Task failed with an exception.
-----------
* Where:
Build file '/tmp/renovate/repos/github/apache/solr/solr/core/build.gradle' line: 28

* What went wrong:
A problem occurred evaluating project ':solr:core'.
> Could not find method permitUnusedDeclared() for arguments [com.github.spotbugs:spotbugs-annotations] on object of type org.gradle.api.internal.artifacts.dsl.dependencies.DefaultDependencyHandler.

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Get more help at https://help.gradle.org.
==============================================================================

BUILD FAILED in 8s

File name: undefined
Command failed: ./gradlew updateLicenses

FAILURE: Build completed with 2 failures.

1: Task failed with an exception.
-----------
* Where:
Script '/tmp/renovate/repos/github/apache/solr/gradle/validation/owasp-dependency-check.gradle' line: 31

* What went wrong:
A problem occurred evaluating script.
> Cannot set the value of extension 'dependencyCheck' property 'suppressionFile' of type java.lang.String using an instance of type java.io.File.

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Get more help at https://help.gradle.org.
==============================================================================

2: Task failed with an exception.
-----------
* Where:
Build file '/tmp/renovate/repos/github/apache/solr/solr/core/build.gradle' line: 28

* What went wrong:
A problem occurred evaluating project ':solr:core'.
> Could not find method permitUnusedDeclared() for arguments [com.github.spotbugs:spotbugs-annotations] on object of type org.gradle.api.internal.artifacts.dsl.dependencies.DefaultDependencyHandler.

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Get more help at https://help.gradle.org.
==============================================================================

BUILD FAILED in 8s

The bulk renovate PR bumped several dependencies whose new releases dropped
Java 11 support, breaking the branch_9x build (which targets Java 11):

- com.palantir.consistent-versions 2.37.0 -> 2.32.0 (2.37.0 needs Java 17)
- org.carrot2:carrot2-core 4.8.6 -> 4.5.1 (4.8.6 needs Java 21)
- org.apache.hadoop 3.5.0 -> 3.4.1 (3.5.0 needs Java 17)
- dev.langchain4j 0.36.2 -> 0.35.0 (0.36.2 needs Java 17)
- com.google.errorprone 2.50.0 -> 2.31.0 (build hard-pins 2.31.0 for JDK11)

Pin these in the branch_9x renovate.json overlay so they are not re-proposed.

Keep org.owasp.dependencycheck 12.2.2 and adapt owasp-dependency-check.gradle
to pass suppressionFile as a String (the newer plugin rejects a File).

Regenerated versions.lock and licenses accordingly.
@github-actions github-actions Bot added dependencies Dependency upgrades tool:build labels Jul 2, 2026
@janhoy

janhoy commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

CI fix: several bumps in this PR dropped Java 11 support

The gradle check failure here isn't a flaky test — it's a configuration-time failure that masked a larger issue. branch_9x builds on Java 11, but several dependencies in this bulk upgrade have moved their minimum runtime to Java 17 (and one to Java 21). CI aborted on the first one, hiding the rest.

I reproduced locally with Temurin 11 and confirmed each by inspecting the class-file versions in the resolved jars:

Dependency Bumped to Requires Reverted to
com.palantir.consistent-versions 2.37.0 Java 17 (cf 61) 2.32.0
org.carrot2:carrot2-core 4.8.6 Java 21 (cf 65) 4.5.1
org.apache.hadoop:* 3.5.0 Java 17 (cf 61) 3.4.1
dev.langchain4j:* 0.36.2 Java 17 (cf 61) 0.35.0
com.google.errorprone:* 2.50.0 conflicts with the build's hard strictly 2.31.0 pin 2.31.0

What I pushed

  • Reverted the five deps above in versions.props / build.gradle, regenerated versions.lock and licenses.
  • Added packageRules to the branch_9x renovate.json overlay pinning all five, so they aren't re-proposed on this Java 11 branch.
  • Kept org.owasp.dependencycheck at 12.2.2 — it's Java 11 compatible; it just needed suppressionFile passed as a String instead of a File (the newer plugin rejects File).

Verification

./gradlew check -x test -Ptask.times=true --continue on Java 11 → BUILD SUCCESSFUL (verifyLocks, checkDanglingLicenseFiles, checkOverbroadConstraints all green). Also confirmed Error Prone (enabled in CI, skipped locally) resolves and runs at 2.31.0.

Net effect: the safe upgrades (jersey, swagger, jackson, spotbugs-annotations, owasp, …) are retained; only the four that can't run on Java 11 are held back.

Note: the push updated the PR branch, so CI will re-run on this new commit.

@janhoy janhoy merged commit 2263149 into apache:branch_9x Jul 2, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Dependency upgrades exempt-stale Prevent a PR from going stale tool:build

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants