Skip to content

Bump the minor-java-dependencies group across 1 directory with 6 updates#1146

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/minor-java-dependencies-3e123b7ba0
Open

Bump the minor-java-dependencies group across 1 directory with 6 updates#1146
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/minor-java-dependencies-3e123b7ba0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps the minor-java-dependencies group with 6 updates in the / directory:

Package From To
io.netty:netty-bom 4.1.133.Final 4.1.135.Final
io.netty:netty-tcnative-boringssl-static 2.0.77.Final 2.0.80.Final
org.apache.maven.plugins:maven-surefire-plugin 3.5.5 3.5.6
org.sonatype.central:central-publishing-maven-plugin 0.10.0 0.11.0
io.dropwizard.metrics:metrics-core 4.2.38 4.2.39
io.micrometer:micrometer-core 1.16.5 1.17.0

Updates io.netty:netty-bom from 4.1.133.Final to 4.1.135.Final

Release notes

Sourced from io.netty:netty-bom's releases.

netty-4.1.135.Final

Security fixes

  • CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
  • CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
  • CVE-2026-50560: DDoS in io.netty:netty-codec-http2.
  • CVE-2026-50011: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
  • CVE-2026-50020: request smuggling in io.netty:netty-codec-http.
  • CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
  • CVE-2026-50010: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
  • CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.
  • CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).
  • CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
  • CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).
  • CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).
  • CVE-2026-47244: denial of service in io.netty:netty-codec-http2.
  • CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

What's Changed

Full Changelog: netty/netty@netty-4.1.134.Final...netty-4.1.135.Final

... (truncated)

Commits
  • f05f765 [maven-release-plugin] prepare release netty-4.1.135.Final
  • 728c98b Redis: Limit the maximum number of nested arrays (#16882)
  • ced30ad Redis: Correctly release incomplete message on removal when using RedisArrayA...
  • cef5395 SCTP: Limit the number of inflight incomplete SCTP messages and the number of...
  • 652663c Epoll / Kqueue: Correctly handle receive of FD (#16872)
  • bd6214f HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs (#16881)
  • d7f9069 Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allo...
  • b831454 HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory (#16883)
  • 51260aa Pass maxAllocation to Brotli and Zstd decoders (#16844) (#16886)
  • db6138b HTTP2: DelegatingDecompressorFrameListener must release memory in all cases (...
  • Additional commits viewable in compare view

Updates io.netty:netty-tcnative-boringssl-static from 2.0.77.Final to 2.0.80.Final

Commits
  • d6bed2e [maven-release-plugin] prepare release netty-tcnative-parent-2.0.80.Final
  • 185daef Fix linux-x86_64 openssl-dynamic to link against OpenSSL 3.x (#989)
  • aa6efe4 [maven-release-plugin] prepare for next development iteration
  • f79687e [maven-release-plugin] prepare release netty-tcnative-parent-2.0.79.Final
  • 47fda99 linux aarch_64 openssl-dynamic link to openssl3.x (#986)
  • a85010b Drop checks on SSL_CREDENTIAL support for older BoringSSL (#980)
  • 02d0d03 Clear certificate chain in setKeyMaterial. (#987)
  • 3885412 [maven-release-plugin] prepare for next development iteration
  • 2f135f1 [maven-release-plugin] prepare release netty-tcnative-parent-2.0.78.Final
  • 9c88fe9 aarch64 release: openssl-dynamic and boringssl-static into single command (#984)
  • Additional commits viewable in compare view

Updates org.apache.maven.plugins:maven-surefire-plugin from 3.5.5 to 3.5.6

Release notes

Sourced from org.apache.maven.plugins:maven-surefire-plugin's releases.

3.5.6

🚀 New features and improvements

  • Introduce reportTestTimestamp option and include timestamp for test sets and test cases (#3261) (#3302) @​olamy

🐛 Bug Fixes

👻 Maintenance

📦 Dependency updates

Commits
  • 25ea054 [maven-release-plugin] prepare release surefire-3.5.6
  • e5f374c Bump org.fusesource.jansi:jansi from 2.4.2 to 2.4.3
  • dadd55b Issue #2613 Debugging failsafe tests: Message 'Listening for transport dt_soc...
  • 39dd250 Bump commons-io:commons-io from 2.21.0 to 2.22.0
  • 2774273 Ensure that the statistics filename is calculated only once. (#3326) (#3327)
  • 0d5df8a 3.5.x/bug/cherry pick embedded mode its (#3328)
  • 04ad9a2 Use surefire 3.5.5 by project itself for testing
  • 37e8f69 Add flakes attribute to use in testsuite report (#3306) (#3308)
  • a970fef Introduce reportTestTimestamp option and include timestamp for test sets and ...
  • e838393 deploy 3.5.x branch to nexus
  • Additional commits viewable in compare view

Updates org.sonatype.central:central-publishing-maven-plugin from 0.10.0 to 0.11.0

Commits

Updates io.dropwizard.metrics:metrics-core from 4.2.38 to 4.2.39

Commits
  • 6ecc112 [maven-release-plugin] prepare release v4.2.39
  • 93ec175 ci: remove surplus double quote
  • 7407c79 ci: replace zoispag/action-assign-milestone with GitHub CLI
  • 7b18db2 fix(deps): update jackson monorepo (release/4.2.x) (minor) (#5174)
  • 2d55d65 chore(deps): update dependency org.apache.maven.plugins:maven-enforcer-plugin...
  • ca47350 fix(deps): update dependency org.apache.httpcomponents.client5:httpclient5 to...
  • 9f0f1a1 ci: build with Java 25 (#4964)
  • a0d75ca fix(deps): update log4j2 monorepo to v2.26.0 (#5215)
  • bc71b67 chore(deps): update maven plugins (#5147)
  • a99fac2 fix(deps): update dependency org.glassfish.jersey:jersey-bom to v2.48 (#5194)
  • Additional commits viewable in compare view

Updates io.micrometer:micrometer-core from 1.16.5 to 1.17.0

Release notes

Sourced from io.micrometer:micrometer-core's releases.

1.17.0

See also the 1.17 migration guide and the release notes for 1.17.0-RC1, 1.17.0-M3, 1.17.0-M2, 1.17.0-M1.

🐞 Bug Fixes

  • ArrayIndexOutOfBoundsException when using LongTaskTimer #3877
  • Jetty 12's TimedHandler marks some requests with outcome UNKNOWN #7276
  • MeterRegistry closes HighCardinalityTagsDetector twice if the registry is closed twice #7409
  • Reduce allocation in HTTP server instrumentation #7580
  • Reduce allocation in gRPC server convention #7581

📔 Documentation

  • Clarify time series produced by LongTaskTimer when using Prometheus #6507
  • Document metrics that need to close the MeterBinder #4624
  • Multigauge Documentation lacks overwrite=true #4403

🔨 Dependency Upgrades

  • Bump com.dynatrace.metric.util:dynatrace-metric-utils-java from 2.4.0 to 2.5.0 #7452
  • Bump com.google.auth:google-auth-library-oauth2-http from 1.43.0 to 1.48.0 #7397
  • Bump com.google.cloud:google-cloud-monitoring from 3.89.0 to 3.94.0 #7398
  • Bump com.google.cloud:libraries-bom from 26.79.0 to 26.83.0 #7497
  • Bump com.netflix.spectator:spectator-reg-atlas from 1.9.6 to 1.9.9 #7552
  • Bump dropwizard-metrics from 4.2.38 to 4.2.39 #7527
  • Bump io.prometheus:prometheus-metrics-bom from 1.5.1 to 1.7.0 #7572
  • Bump software.amazon.awssdk:cloudwatch from 2.42.32 to 2.46.4 #7494

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​blaspat, @​codingkiddo, @​izeye, @​jewoodev, and @​schiemon

1.17.0-RC1

⭐ New Features

  • Add meter for ForkJoinPool#getDelayedTaskCount #6381
  • Add support for JDK 26's MemoryPoolMXBean.getTotalGcCpuTime() #7245
  • Clear the state of the ObservationValidator #7337
  • Improve exemplars sizing and add exemplarsSize config #7324
  • Log warning when a registry is added to composite after meter registration #6908
  • Treat OkHttp Request as non-nullable #7388
  • Validate Observation.Scope closing when using TestObservationRegistry #6329

🐞 Bug Fixes

  • Invalid reflection hint in micrometer-core for native GraalVM 25 build #7316
  • ObservationGrpcClientInterceptor throws NPE when NameResolver returns empty authority #7380

... (truncated)

Commits
  • 8466fea Merge branch '1.16.x'
  • fa2ed32 Merge branch '1.15.x' into 1.16.x
  • dc2e5e2 Reduce allocation in gRPC server convention
  • 36da131 Reduce allocation in HTTP server instrumentation
  • 9591cb4 Bump com.uber.nullaway:nullaway from 0.13.5 to 0.13.6 (#7575)
  • 7a92a44 Bump software.amazon.awssdk:cloudwatch from 2.46.3 to 2.46.4 (#7576)
  • e11e7c6 Merge branch '1.16.x'
  • d8e8bcb Merge branch '1.15.x' into 1.16.x
  • cf6ac02 Reduce flakiness of PushMeterRegistryTest (#7574)
  • d74759a Bump com.google.cloud:google-cloud-monitoring from 3.93.0 to 3.94.0 (#7573)
  • Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request
Dependency Name Ignore Conditions
io.netty:netty-bom [>= 4.2.a0, < 4.3]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the minor-java-dependencies group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [io.netty:netty-bom](https://github.com/netty/netty) | `4.1.133.Final` | `4.1.135.Final` |
| [io.netty:netty-tcnative-boringssl-static](https://github.com/netty/netty-tcnative) | `2.0.77.Final` | `2.0.80.Final` |
| [org.apache.maven.plugins:maven-surefire-plugin](https://github.com/apache/maven-surefire) | `3.5.5` | `3.5.6` |
| [org.sonatype.central:central-publishing-maven-plugin](https://github.com/sonatype/central-publishing-maven-plugin) | `0.10.0` | `0.11.0` |
| [io.dropwizard.metrics:metrics-core](https://github.com/dropwizard/metrics) | `4.2.38` | `4.2.39` |
| [io.micrometer:micrometer-core](https://github.com/micrometer-metrics/micrometer) | `1.16.5` | `1.17.0` |



Updates `io.netty:netty-bom` from 4.1.133.Final to 4.1.135.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.1.133.Final...netty-4.1.135.Final)

Updates `io.netty:netty-tcnative-boringssl-static` from 2.0.77.Final to 2.0.80.Final
- [Release notes](https://github.com/netty/netty-tcnative/releases)
- [Commits](netty/netty-tcnative@netty-tcnative-parent-2.0.77.Final...netty-tcnative-parent-2.0.80.Final)

Updates `org.apache.maven.plugins:maven-surefire-plugin` from 3.5.5 to 3.5.6
- [Release notes](https://github.com/apache/maven-surefire/releases)
- [Commits](apache/maven-surefire@surefire-3.5.5...surefire-3.5.6)

Updates `org.sonatype.central:central-publishing-maven-plugin` from 0.10.0 to 0.11.0
- [Commits](https://github.com/sonatype/central-publishing-maven-plugin/commits)

Updates `io.dropwizard.metrics:metrics-core` from 4.2.38 to 4.2.39
- [Release notes](https://github.com/dropwizard/metrics/releases)
- [Commits](dropwizard/metrics@v4.2.38...v4.2.39)

Updates `io.micrometer:micrometer-core` from 1.16.5 to 1.17.0
- [Release notes](https://github.com/micrometer-metrics/micrometer/releases)
- [Commits](micrometer-metrics/micrometer@v1.16.5...v1.17.0)

---
updated-dependencies:
- dependency-name: io.netty:netty-bom
  dependency-version: 4.1.135.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-java-dependencies
- dependency-name: io.netty:netty-tcnative-boringssl-static
  dependency-version: 2.0.80.Final
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-java-dependencies
- dependency-name: org.apache.maven.plugins:maven-surefire-plugin
  dependency-version: 3.5.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-java-dependencies
- dependency-name: org.sonatype.central:central-publishing-maven-plugin
  dependency-version: 0.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-java-dependencies
- dependency-name: io.dropwizard.metrics:metrics-core
  dependency-version: 4.2.39
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-java-dependencies
- dependency-name: io.micrometer:micrometer-core
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-java-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels Jul 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file java Pull requests that update java code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants