build(deps): bump the maven-minor-patch group across 1 directory with 35 updates

[dependabot]

Bumps the maven-minor-patch group with 35 updates in the / directory:

Package	From	To
org.mockito:mockito-core	5.15.2	5.23.0
org.mockito:mockito-junit-jupiter	5.15.2	5.23.0
net.bytebuddy:byte-buddy	1.18.4	1.18.10
net.bytebuddy:byte-buddy-agent	1.18.4	1.18.10
com.github.spotbugs:spotbugs	4.9.8	4.10.2
com.github.spotbugs:spotbugs-annotations	4.9.8	4.10.2
net.sourceforge.pmd:pmd-core	7.22.0	7.25.0
net.sourceforge.pmd:pmd-java	7.22.0	7.25.0
org.pitest:pitest-junit5-plugin	1.2.1	1.2.3
org.apache.maven.plugins:maven-enforcer-plugin	3.4.1	3.6.3
org.apache.maven.plugins:maven-compiler-plugin	3.11.0	3.15.0
org.apache.maven.plugins:maven-surefire-plugin	3.1.2	3.5.6
org.apache.maven.plugins:maven-failsafe-plugin	3.1.2	3.5.6
org.apache.maven.plugins:maven-jar-plugin	3.3.0	3.5.0
org.apache.maven.plugins:maven-source-plugin	3.3.0	3.4.0
org.apache.maven.plugins:maven-javadoc-plugin	3.6.0	3.12.0
org.apache.maven.plugins:maven-resources-plugin	3.3.1	3.5.0
org.apache.maven.plugins:maven-clean-plugin	3.3.1	3.5.0
org.apache.maven.plugins:maven-install-plugin	3.1.1	3.1.4
org.apache.maven.plugins:maven-deploy-plugin	3.1.1	3.1.4
org.apache.maven.plugins:maven-checkstyle-plugin	3.3.0	3.6.0
com.github.spotbugs:spotbugs-maven-plugin	4.9.8.2	4.10.2.0
org.jacoco:jacoco-maven-plugin	0.8.14	0.8.15
org.pitest:pitest-maven	1.22.0	1.25.4
org.codehaus.mojo:exec-maven-plugin	3.1.0	3.6.3
org.codehaus.mojo:flatten-maven-plugin	1.6.0	1.7.3
org.apache.maven.plugins:maven-gpg-plugin	3.1.0	3.2.8
org.sonatype.central:central-publishing-maven-plugin	0.7.0	0.10.0
com.googlecode.maven-download-plugin:download-maven-plugin	1.7.1	1.13.0
org.apache.maven.plugins:maven-antrun-plugin	3.1.0	3.2.0
com.fasterxml.jackson.core:jackson-databind	2.21.2	2.22.0
com.fasterxml.jackson.datatype:jackson-datatype-jsr310	2.21.2	2.22.0
com.code-intelligence:jazzer-api	0.22.1	0.30.0
com.code-intelligence:jazzer-junit	0.22.1	0.30.0
org.apache.maven.plugins:maven-shade-plugin	3.5.1	3.6.2

Updates org.mockito:mockito-core from 5.15.2 to 5.23.0

Release notes

Sourced from org.mockito:mockito-core's releases.

v5.23.0

NOTE: Breaking change for Android

The mockito-android artifact has a breaking change: tests now require a device or emulator based on API 28+ (Android P). This is to enable new support for mocking Kotlin classes. See #3788 for more details.

---

Changelog generated by Shipkit Changelog Gradle Plugin

5.23.0

• 2026-03-11 - 6 commit(s) by Brice Dutheil, Joshua Selbo, Philippe Kernevez
• Replace mockito-android mock maker implementation with dexmaker-mockito-inline [(#3792)](mockito/mockito#3792)
• Fix StackOverflowError with AbstractList after using mockSingleton [(#3790)](mockito/mockito#3790)
• Mark parameters of Mockito.when @Nullable [(#3503)](mockito/mockito#3503)

v5.22.0

Changelog generated by Shipkit Changelog Gradle Plugin

5.22.0

• 2026-02-27 - 6 commit(s) by Joshua Selbo, NiMv1, Rafael Winterhalter, dependabot[bot], eunbin son
• Avoid mocking of internal static utilities [(#3785)](mockito/mockito#3785)
• Bump graalvm/setup-graalvm from 1.4.4 to 1.4.5 [(#3780)](mockito/mockito#3780)
• Static mocking of UUID.class corrupted under JDK 25 [(#3778)](mockito/mockito#3778)
• Bump actions/upload-artifact from 5 to 6 [(#3774)](mockito/mockito#3774)
• docs: clarify RETURNS_MOCKS behavior with sealed abstract enums (Java 15+) [(#3773)](mockito/mockito#3773)
• Add tests for Sets utility class [(#3771)](mockito/mockito#3771)
• Add core API to enable Kotlin singleton mocking [(#3762)](mockito/mockito#3762)
• Stubbing Kotlin object singletons [(#3652)](mockito/mockito#3652)
• Incorrect documentation for RETURNS_MOCKS [(#3285)](mockito/mockito#3285)

v5.21.0

Changelog generated by Shipkit Changelog Gradle Plugin

5.21.0

• 2025-12-09 - 17 commit(s) by Giulio Longfils, Joshua Selbo, Woongi9, Zylox, dependabot[bot]
• Bump graalvm/setup-graalvm from 1.4.3 to 1.4.4 [(#3768)](mockito/mockito#3768)
• Bump graalvm/setup-graalvm from 1.4.2 to 1.4.3 [(#3767)](mockito/mockito#3767)
• Bump actions/checkout from 5 to 6 [(#3765)](mockito/mockito#3765)
• Adds output of matchers to potential mismatch; Fixes #2468 [(#3760)](mockito/mockito#3760)
• Forbid mocking WeakReference with inline mock maker [(#3759)](mockito/mockito#3759)
• StackOverflowError when mocking WeakReference [(#3758)](mockito/mockito#3758)
• Bump actions/upload-artifact from 4 to 5 [(#3756)](mockito/mockito#3756)
• Bump graalvm/setup-graalvm from 1.4.1 to 1.4.2 [(#3755)](mockito/mockito#3755)
• Support primitives in GenericArrayReturnType. [(#3753)](mockito/mockito#3753)
• ClassNotFoundException when stubbing array of primitive type on Android [(#3752)](mockito/mockito#3752)
• Bump graalvm/setup-graalvm from 1.4.0 to 1.4.1 [(#3744)](mockito/mockito#3744)
• Bump gradle/actions from 4 to 5 [(#3743)](mockito/mockito#3743)
• Bump org.graalvm.buildtools.native from 0.11.0 to 0.11.1 [(#3738)](mockito/mockito#3738)
• Bump com.diffplug.spotless:spotless-plugin-gradle from 7.2.1 to 8.0.0 [(#3735)](mockito/mockito#3735)
• Bump graalvm/setup-graalvm from 1.3.7 to 1.4.0 [(#3734)](mockito/mockito#3734)
• Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 [(#3733)](mockito/mockito#3733)

... (truncated)

Commits

• a231205 Fix StackOverflowError with AbstractList after using mockSingleton (#3790)
• f6a91a6 Replace mockito-android mock maker implementation with dexmaker-mockito-inlin...
• aa2298a fix: make spotless happy
• a6729d6 chore: update BDDMockito with jspecify annotation
• bb83c92 chore: move jspecify as a compile only dependency
• 47a4695 chore: add jspecify with minimal change. Fixes #3503
• 25f1395 Add core API to enable Kotlin singleton mocking (#3762)
• ef9ee55 Avoids mocking private static methods, as well as package-private static meth...
• d16fcfc Bump graalvm/setup-graalvm from 1.4.4 to 1.4.5 (#3780)
• 27eb8a3 Clarify RETURNS_MOCKS behavior with sealed abstract enums (Java 15+) (#3773)
• Additional commits viewable in compare view

Updates org.mockito:mockito-junit-jupiter from 5.15.2 to 5.23.0

Release notes

Sourced from org.mockito:mockito-junit-jupiter's releases.

v5.23.0

NOTE: Breaking change for Android

The mockito-android artifact has a breaking change: tests now require a device or emulator based on API 28+ (Android P). This is to enable new support for mocking Kotlin classes. See #3788 for more details.

---

Changelog generated by Shipkit Changelog Gradle Plugin

5.23.0

• 2026-03-11 - 6 commit(s) by Brice Dutheil, Joshua Selbo, Philippe Kernevez
• Replace mockito-android mock maker implementation with dexmaker-mockito-inline [(#3792)](mockito/mockito#3792)
• Fix StackOverflowError with AbstractList after using mockSingleton [(#3790)](mockito/mockito#3790)
• Mark parameters of Mockito.when @Nullable [(#3503)](mockito/mockito#3503)

v5.22.0

Changelog generated by Shipkit Changelog Gradle Plugin

5.22.0

• 2026-02-27 - 6 commit(s) by Joshua Selbo, NiMv1, Rafael Winterhalter, dependabot[bot], eunbin son
• Avoid mocking of internal static utilities [(#3785)](mockito/mockito#3785)
• Bump graalvm/setup-graalvm from 1.4.4 to 1.4.5 [(#3780)](mockito/mockito#3780)
• Static mocking of UUID.class corrupted under JDK 25 [(#3778)](mockito/mockito#3778)
• Bump actions/upload-artifact from 5 to 6 [(#3774)](mockito/mockito#3774)
• docs: clarify RETURNS_MOCKS behavior with sealed abstract enums (Java 15+) [(#3773)](mockito/mockito#3773)
• Add tests for Sets utility class [(#3771)](mockito/mockito#3771)
• Add core API to enable Kotlin singleton mocking [(#3762)](mockito/mockito#3762)
• Stubbing Kotlin object singletons [(#3652)](mockito/mockito#3652)
• Incorrect documentation for RETURNS_MOCKS [(#3285)](mockito/mockito#3285)

v5.21.0

Changelog generated by Shipkit Changelog Gradle Plugin

5.21.0

• 2025-12-09 - 17 commit(s) by Giulio Longfils, Joshua Selbo, Woongi9, Zylox, dependabot[bot]
• Bump graalvm/setup-graalvm from 1.4.3 to 1.4.4 [(#3768)](mockito/mockito#3768)
• Bump graalvm/setup-graalvm from 1.4.2 to 1.4.3 [(#3767)](mockito/mockito#3767)
• Bump actions/checkout from 5 to 6 [(#3765)](mockito/mockito#3765)
• Adds output of matchers to potential mismatch; Fixes #2468 [(#3760)](mockito/mockito#3760)
• Forbid mocking WeakReference with inline mock maker [(#3759)](mockito/mockito#3759)
• StackOverflowError when mocking WeakReference [(#3758)](mockito/mockito#3758)
• Bump actions/upload-artifact from 4 to 5 [(#3756)](mockito/mockito#3756)
• Bump graalvm/setup-graalvm from 1.4.1 to 1.4.2 [(#3755)](mockito/mockito#3755)
• Support primitives in GenericArrayReturnType. [(#3753)](mockito/mockito#3753)
• ClassNotFoundException when stubbing array of primitive type on Android [(#3752)](mockito/mockito#3752)
• Bump graalvm/setup-graalvm from 1.4.0 to 1.4.1 [(#3744)](mockito/mockito#3744)
• Bump gradle/actions from 4 to 5 [(#3743)](mockito/mockito#3743)
• Bump org.graalvm.buildtools.native from 0.11.0 to 0.11.1 [(#3738)](mockito/mockito#3738)
• Bump com.diffplug.spotless:spotless-plugin-gradle from 7.2.1 to 8.0.0 [(#3735)](mockito/mockito#3735)
• Bump graalvm/setup-graalvm from 1.3.7 to 1.4.0 [(#3734)](mockito/mockito#3734)
• Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 [(#3733)](mockito/mockito#3733)

... (truncated)

Commits

• a231205 Fix StackOverflowError with AbstractList after using mockSingleton (#3790)
• f6a91a6 Replace mockito-android mock maker implementation with dexmaker-mockito-inlin...
• aa2298a fix: make spotless happy
• a6729d6 chore: update BDDMockito with jspecify annotation
• bb83c92 chore: move jspecify as a compile only dependency
• 47a4695 chore: add jspecify with minimal change. Fixes #3503
• 25f1395 Add core API to enable Kotlin singleton mocking (#3762)
• ef9ee55 Avoids mocking private static methods, as well as package-private static meth...
• d16fcfc Bump graalvm/setup-graalvm from 1.4.4 to 1.4.5 (#3780)
• 27eb8a3 Clarify RETURNS_MOCKS behavior with sealed abstract enums (Java 15+) (#3773)
• Additional commits viewable in compare view

Updates org.mockito:mockito-junit-jupiter from 5.15.2 to 5.23.0

Release notes

Sourced from org.mockito:mockito-junit-jupiter's releases.

v5.23.0

NOTE: Breaking change for Android

The mockito-android artifact has a breaking change: tests now require a device or emulator based on API 28+ (Android P). This is to enable new support for mocking Kotlin classes. See #3788 for more details.

---

Changelog generated by Shipkit Changelog Gradle Plugin

5.23.0

• 2026-03-11 - 6 commit(s) by Brice Dutheil, Joshua Selbo, Philippe Kernevez
• Replace mockito-android mock maker implementation with dexmaker-mockito-inline [(#3792)](mockito/mockito#3792)
• Fix StackOverflowError with AbstractList after using mockSingleton [(#3790)](mockito/mockito#3790)
• Mark parameters of Mockito.when @Nullable [(#3503)](mockito/mockito#3503)

v5.22.0

Changelog generated by Shipkit Changelog Gradle Plugin

5.22.0

• 2026-02-27 - 6 commit(s) by Joshua Selbo, NiMv1, Rafael Winterhalter, dependabot[bot], eunbin son
• Avoid mocking of internal static utilities [(#3785)](mockito/mockito#3785)
• Bump graalvm/setup-graalvm from 1.4.4 to 1.4.5 [(#3780)](mockito/mockito#3780)
• Static mocking of UUID.class corrupted under JDK 25 [(#3778)](mockito/mockito#3778)
• Bump actions/upload-artifact from 5 to 6 [(#3774)](mockito/mockito#3774)
• docs: clarify RETURNS_MOCKS behavior with sealed abstract enums (Java 15+) [(#3773)](mockito/mockito#3773)
• Add tests for Sets utility class [(#3771)](mockito/mockito#3771)
• Add core API to enable Kotlin singleton mocking [(#3762)](mockito/mockito#3762)
• Stubbing Kotlin object singletons [(#3652)](mockito/mockito#3652)
• Incorrect documentation for RETURNS_MOCKS [(#3285)](mockito/mockito#3285)

v5.21.0

Changelog generated by Shipkit Changelog Gradle Plugin

5.21.0

• 2025-12-09 - 17 commit(s) by Giulio Longfils, Joshua Selbo, Woongi9, Zylox, dependabot[bot]
• Bump graalvm/setup-graalvm from 1.4.3 to 1.4.4 [(#3768)](mockito/mockito#3768)
• Bump graalvm/setup-graalvm from 1.4.2 to 1.4.3 [(#3767)](mockito/mockito#3767)
• Bump actions/checkout from 5 to 6 [(#3765)](mockito/mockito#3765)
• Adds output of matchers to potential mismatch; Fixes #2468 [(#3760)](mockito/mockito#3760)
• Forbid mocking WeakReference with inline mock maker [(#3759)](mockito/mockito#3759)
• StackOverflowError when mocking WeakReference [(#3758)](mockito/mockito#3758)
• Bump actions/upload-artifact from 4 to 5 [(#3756)](mockito/mockito#3756)
• Bump graalvm/setup-graalvm from 1.4.1 to 1.4.2 [(#3755)](mockito/mockito#3755)
• Support primitives in GenericArrayReturnType. [(#3753)](mockito/mockito#3753)
• ClassNotFoundException when stubbing array of primitive type on Android [(#3752)](mockito/mockito#3752)
• Bump graalvm/setup-graalvm from 1.4.0 to 1.4.1 [(#3744)](mockito/mockito#3744)
• Bump gradle/actions from 4 to 5 [(#3743)](mockito/mockito#3743)
• Bump org.graalvm.buildtools.native from 0.11.0 to 0.11.1 [(#3738)](mockito/mockito#3738)
• Bump com.diffplug.spotless:spotless-plugin-gradle from 7.2.1 to 8.0.0 [(#3735)](mockito/mockito#3735)
• Bump graalvm/setup-graalvm from 1.3.7 to 1.4.0 [(#3734)](mockito/mockito#3734)
• Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 [(#3733)](mockito/mockito#3733)

... (truncated)

Commits

• a231205 Fix StackOverflowError with AbstractList after using mockSingleton (#3790)
• f6a91a6 Replace mockito-android mock maker implementation with dexmaker-mockito-inlin...
• aa2298a fix: make spotless happy
• a6729d6 chore: update BDDMockito with jspecify annotation
• bb83c92 chore: move jspecify as a compile only dependency
• 47a4695 chore: add jspecify with minimal change. Fixes #3503
• 25f1395 Add core API to enable Kotlin singleton mocking (#3762)
• ef9ee55 Avoids mocking private static methods, as well as package-private static meth...
• d16fcfc Bump graalvm/setup-graalvm from 1.4.4 to 1.4.5 (#3780)
• 27eb8a3 Clarify RETURNS_MOCKS behavior with sealed abstract enums (Java 15+) (#3773)
• Additional commits viewable in compare view

Updates net.bytebuddy:byte-buddy from 1.18.4 to 1.18.10

Release notes

Sourced from net.bytebuddy:byte-buddy's releases.

Byte Buddy 1.18.9

• Disable use of Unsafe by default when Java 25or newer is discovered.
• Check for escape when creating folders in Plugin.Engine.
• Improve OpenJ9 attachment.
• Avoid null pointer on missing annotation types.
• Improve diagnostics for external agent attachment.
• Improve on Gradle context discovery.
• Support Android libraries on AGP9 or newer.
• Update ASM.

Byte Buddy 1.18.8

• Improve support for repeatable builds.
• Fix reordering of exception table in type initializers when instrumenting.

Byte Buddy 1.18.7

• Introduce new versioning concept with -jdk5 suffix for backwards-compatible jar and Java 8 baseline for regular jar.

Byte Buddy 1.18.5

• Eagerly resolve of canonical files during attach emulation to avoid failure when process ends before file can be deleted.
• Add super classes to hash code / equals computation in Advice that were missing.

Changelog

Sourced from net.bytebuddy:byte-buddy's changelog.

3. June 2026: version 1.18.10

• Delay change of default for unsage use to Java 26 and improve error message.

1. June 2026: version 1.18.9

• Disable use of Unsafe by default when Java 25or newer is discovered.
• Check for escape when creating folders in Plugin.Engine.
• Improve OpenJ9 attachment.
• Avoid null pointer on missing annotation types.
• Improve diagnostics for external agent attachment.
• Improve on Gradle context discovery.
• Support Android libraries on AGP9 or newer.
• Update ASM.

1. April 2026: version 1.18.8

• Improve support for repeatable builds.
• Fix reordering of exception table in type initializers when instrumenting.

1. March 2026: version 1.18.7

• Introduce new versioning concept with -jdk5 suffix for backwards-compatible jar and Java 8 baseline for regular jar.

27. February 2026: version 1.18.6

Accidental release during rework of release pipeline. Functional, but with incorrect suffices.

15. February 2026: version 1.18.5

• Eagerly resolve of canonical files during attach emulation to avoid failure when process ends before file can be deleted.
• Add super classes to hash code / equals computation in Advice that were missing.

Commits

• e85623d [publish] Releasing Byte Buddy 1.18.10
• e3bfa68 [release] Release new version
• 5821ccc Delay disabling of unsafe by default to Java 26 and improve on error message.
• 9d7d4fa Add fuzzing module.
• 5d5dc06 Fix checksum
• d6371aa Add missing checksums.
• 7e47481 Update release notes and checksums.
• cb36b3f [publish] Start next development iteration 1.18.10-SNAPSHOT
• 3d8e72d [publish] Releasing Byte Buddy 1.18.9
• 3525602 [release] Release new version
• Additional commits viewable in compare view

Updates net.bytebuddy:byte-buddy-agent from 1.18.4 to 1.18.10

Release notes

Sourced from net.bytebuddy:byte-buddy-agent's releases.

Byte Buddy 1.18.9

• Disable use of Unsafe by default when Java 25or newer is discovered.
• Check for escape when creating folders in Plugin.Engine.
• Improve OpenJ9 attachment.
• Avoid null pointer on missing annotation types.
• Improve diagnostics for external agent attachment.
• Improve on Gradle context discovery.
• Support Android libraries on AGP9 or newer.
• Update ASM.

Byte Buddy 1.18.8

• Improve support for repeatable builds.
• Fix reordering of exception table in type initializers when instrumenting.

Byte Buddy 1.18.7

• Introduce new versioning concept with -jdk5 suffix for backwards-compatible jar and Java 8 baseline for regular jar.

Byte Buddy 1.18.5

• Eagerly resolve of canonical files during attach emulation to avoid failure when process ends before file can be deleted.
• Add super classes to hash code / equals computation in Advice that were missing.

Changelog

Sourced from net.bytebuddy:byte-buddy-agent's changelog.

3. June 2026: version 1.18.10

• Delay change of default for unsage use to Java 26 and improve error message.

1. June 2026: version 1.18.9

• Disable use of Unsafe by default when Java 25or newer is discovered.
• Check for escape when creating folders in Plugin.Engine.
• Improve OpenJ9 attachment.
• Avoid null pointer on missing annotation types.
• Improve diagnostics for external agent attachment.
• Improve on Gradle context discovery.
• Support Android libraries on AGP9 or newer.
• Update ASM.

1. April 2026: version 1.18.8

• Improve support for repeatable builds.
• Fix reordering of exception table in type initializers when instrumenting.

1. March 2026: version 1.18.7

• Introduce new versioning concept with -jdk5 suffix for backwards-compatible jar and Java 8 baseline for regular jar.

27. February 2026: version 1.18.6

Accidental release during rework of release pipeline. Functional, but with incorrect suffices.

15. February 2026: version 1.18.5

• Eagerly resolve of canonical files during attach emulation to avoid failure when process ends before file can be deleted.
• Add super classes to hash code / equals computation in Advice that were missing.

Commits

• e85623d [publish] Releasing Byte Buddy 1.18.10
• e3bfa68 [release] Release new version
• 5821ccc Delay disabling of unsafe by default to Java 26 and improve on error message.
• 9d7d4fa Add fuzzing module.
• 5d5dc06 Fix checksum
• d6371aa Add missing checksums.
• 7e47481 Update release notes and checksums.
• cb36b3f [publish] Start next development iteration 1.18.10-SNAPSHOT
• 3d8e72d [publish] Releasing Byte Buddy 1.18.9
• 3525602 [release] Release new version
• Additional commits viewable in compare view

Updates net.bytebuddy:byte-buddy-agent from 1.18.4 to 1.18.10

Release notes

Sourced from net.bytebuddy:byte-buddy-agent's releases.

Byte Buddy 1.18.9

• Disable use of Unsafe by default when Java 25or newer is discovered.
• Check for escape when creating folders in Plugin.Engine.
• Improve OpenJ9 attachment.
• Avoid null pointer on missing annotation types.
• Improve diagnostics for external agent attachment.
• Improve on Gradle context discovery.
• Support Android libraries on AGP9 or newer.
• Update ASM.

Byte Buddy 1.18.8

• Improve support for repeatable builds.
• Fix reordering of exception table in type initializers when instrumenting.

Byte Buddy 1.18.7

• Introduce new versioning concept with -jdk5 suffix for backwards-compatible jar and Java 8 baseline for regular jar.

Byte Buddy 1.18.5

• Eagerly resolve of canonical files during attach emulation to avoid failure when process ends before file can be deleted.
• Add super classes to hash code / equals computation in Advice that were missing.

Changelog

Sourced from net.bytebuddy:byte-buddy-agent's changelog.

3. June 2026: version 1.18.10

• Delay change of default for unsage use to Java 26 and improve error message.

1. June 2026: version 1.18.9

• Disable use of Unsafe by default when Java 25or newer is discovered.
• Check for escape when creating folders in Plugin.Engine.
• Improve OpenJ9 attachment.
• Avoid null pointer on missing annotation types.
• Improve diagnostics for external agent attachment.
• Improve on Gradle context discovery.
• Support Android libraries on AGP9 or newer.
• Update ASM.

1. April 2026: version 1.18.8

• Improve support for repeatable builds.
• Fix reordering of exception table in type initializers when instrumenting.

1. March 2026: version 1.18.7

• Introduce new versioning concept with -jdk5 suffix for backwards-compatible jar and Java 8 baseline for regular jar.

27. February 2026: version 1.18.6

Accidental release during rework of release pipeline. Functional, but with incorrect suffices.

15. February 2026: version 1.18.5

• Eagerly resolve of canonical files during attach emulation to avoid failure when process ends before file can be deleted.
• Add super classes to hash code / equals computation in Advice that were missing.

Commits

• e85623d [publish] Releasing Byte Buddy 1.18.10
• e3bfa68 [release] Release new version
• 5821ccc Delay disabling of unsafe by default to Java 26 and improve on error message.
• 9d7d4fa Add fuzzing module.
• 5d5dc06 Fix checksum
• d6371aa Add missing checksums.
• 7e47481 Update release notes and checksums.
• cb36b3f [publish] Start next development iteration 1.18.10-SNAPSHOT
• 3d8e72d [publish] Releasing Byte Buddy 1.18.9
• 3525602 [release] Release new version
• Additional commits viewable in compare view

Updates com.github.spotbugs:spotbugs from 4.9.8 to 4.10.2

Release notes

Sourced from com.github.spotbugs:spotbugs's releases.

4.10.2

SpotBugs 4.10.2

CHANGELOG

Build

• Add release protection to ensure version released matches the tag and that snapshot has been removed. (#4156)
• Drop binary incompatible Saxon-HE back to 12.9 to keep java 11 compatibility. (#4159)
• Add binary check to the gradle build to ensure compatibility remains. (#4159)

CHECKSUM

file	checksum (sha256)
spotbugs-4.10.2-javadoc.jar	97bf36f386f75cecacbb7663700266d65176f8544c6f62bc7f21e0ecfb868444
spotbugs-4.10.2-sources.jar	76476f61ce6dc0eb0c38801e21da44e77043ba21226aef6c1b9d21df06d2395a
spotbugs-4.10.2.tgz	63d7687c35fba12cbc8e55ec2a889a2bbf1b9be299dea91f2b0d351dc285308a
spotbugs-4.10.2.zip	d5c9ad825cd015fc943802f5c96d89c515fd9a6f7fbbd9ddc7d0aa24b13664df
spotbugs-annotations-4.10.2-javadoc.jar	a948f311281429a3060e4870d5a60e8508372113ce678c7e1e04b58ba07a2ec2
spotbugs-annotations-4.10.2-sources.jar	87974d23caffbc8c6e66c567747627267b5ed06573cee966d7af6d236b8d65bd
spotbugs-annotations.jar	5335e5107c74cdd62ef96a7908066c51abb3de63b1ebf99dc953c2c7d0747678
spotbugs-ant-4.10.2-javadoc.jar	6e016db4c2929c0319c9f973ec1c76724d9ba17d26cd7b87136a8dbf0731cecb
spotbugs-ant-4.10.2-sources.jar	91477d93b1fd1bebae35d318427b5238fb458e726478dc1a8ac41ce74838a1e6
spotbugs-ant.jar	22f2fa397e86663adcd4828cc1c91e63aa6cc2bfc56832885b749a86fac5c784
spotbugs.jar	46f5c9524c08d027cf96cda2704e5d8ded633626b94a19dc9ced3ae67595d80b
test-harness-4.10.2-javadoc.jar	ec93ddaa099a27c8fdb0522d8c0b24a3d696e10aaf7d71a5d8426a643c00f1b2
test-harness-4.10.2-sources.jar	805d2d124b0d4ea513ee9262d4ad6027c3471d45defd80fd7d20e23425d17df7
test-harness-4.10.2.jar	bd10d1f11a1b93e4ca4db4d27772f611bd3407f9452dbbd2d1ba62584ddc171f
test-harness-core-4.10.2-javadoc.jar	a9782f2a1ecb26d561b4601c46f2dbcfbe4045d587c6ce545ae830cd61399118
test-harness-core-4.10.2-sources.jar	043a55d99a517c0d9cf702b0c183b4afd3f03af9eff4a86d59bb37df1b35b532
test-harness-core-4.10.2.jar	1f9a0ee8f150dd71f960ca4f59dcf7912a45d0e9e6aefc4585fd44b975454bc0
test-harness-jupiter-4.10.2-javadoc.jar	eb18358668b3f2099ddcfe21e817210d34ee969eb7fecc6f697c6eecca803846
test-harness-jupiter-4.10.2-sources.jar	17144f315686bfd01c02fa4ae7c916060c41de8eed58d5b8470416fa08f46ced
test-harness-jupiter-4.10.2.jar	a91146da3e993479cfefd2690781cbd102c6360ecc63a96d88995be3bd60fcbb

4.10.1

SpotBugs 4.10.1

Note

SpotBugs 4.10.0 was superseded by 4.10.1 due to a release issue. Users should use 4.10.1. See the discussion below for additional details:

spotbugs/spotbugs#4155

CHANGELOG

Build

• 4.10.0 was not released due to a release process error (artifacts were built from a -SNAPSHOT version). 4.10.1 is the corrected release and contains the intended 4.10.0 contents.

CHECKSUM

file	checksum (sha256)
spotbugs-4.10.1-javadoc.jar	582dc49e95b080333b1025dc23e76630e5f6f1648b2f9fa71ee34918f6d9dd2c

... (truncated)

Changelog

Sourced from com.github.spotbugs:spotbugs's changelog.

4.10.2 - 2026-06-09

Build

• Add release protection to ensure version released matches the tag and that snapshot has been removed. (#4156)
• Drop binary incompatible Saxon-HE back to 12.9 to keep java 11 compatibility. (#4159)
• Add binary check to the gradle build to ensure compatibility remains. (#4159)

4.10.1 - 2026-06-08

Build

• 4.10.0 was not released due to a release process error (artifacts were built from a -SNAPSHOT version). 4.10.1 is the corrected release and contains the intended 4.10.0 contents.

4.10.0 - 2026-06-07

Refactor

• Move internal usage of 'javax.annotation.Nonnull' to 'jakarta.annotation.NonNull'. (#3858)
• Move internal usage of 'javax.annotation.Nullable' to 'jakarta.annotation.Nullable'. (#3861)
• Renamed methods from edu.umd.cs.findbugs.SwitchHandler to reflect that they return a PC, not an offset (#3869)
• Make the progress bar more visually appealing by adding some borders (#3896)
• Reuse DismantleBytecode.isIf introduced in (#3869)

Added

• Add partial support for org.jspecify.annotations.Nullable, org.jspecify.annotations.NonNull, org.jspecify.annotations.NullUnmarked and org.jspecify.annotations.NullMarked annotations. These are aliased to the closest existing SpotBugs nullness annotations. This is not a complete implementation of the JSpecify spec; scope-level semantics of @NullMarked and @NullUnmarked are not yet supported. (#3996)
• Recognize jakarta.annotation.Nonnull and jakarta.annotation.Nullable (#3780)
• Detect use of sun.misc.Unsafe and jdk.internal.misc.Unsafe (#3804)
• New bug type is introduced: NCR_NOT_PROPERLY_CHECKED_READ. Improper validation of the return value from the read() method in InputStream and Reader classes may result in an array not being fully filled. (#3766)
• New detector FindImproperSynchronization and introduced new bug types:
  • USO_UNSAFE_METHOD_SYNCHRONIZATION is reported when using synchronized methods with the class' accessible intrinsic lock,
  • USO_UNSAFE_STATIC_METHOD_SYNCHRONIZATION is reported when using static synchronized methods with the class' exposed intrinsic lock,
  • USO_UNSAFE_OBJECT_SYNCHRONIZATION is reported when the lock used for synchronization is visible from the outside,
  • USO_UNSAFE_ACCESSIBLE_OBJECT_SYNCHRONIZATION is reported when the lock used for synchronization is made accessible, with methods that update or return the lock, to the outside,
  • USO_UNSAFE_INHERITABLE_OBJECT_SYNCHRONIZATION is reported when the lock used for synchronization is can be altered by subclasses,
  • USO_UNSAFE_EXPOSED_OBJECT_SYNCHRONIZATION is reported when the lock used for synchronization is later exposed in the subclasses.
  • USBC_UNSAFE_SYNCHRONIZATION_WITH_BACKING_COLLECTION is reported when the backing collection of a lock is visible from the outside,
  • USBC_UNSAFE_SYNCHRONIZATION_WITH_ACCESSIBLE_BACKING_COLLECTION is reported when the backing collection of a lock is made accessible, with methods that update or return the lock, to the outside,
  • USBC_UNSAFE_SYNCHRONIZATION_WITH_INHERITABLE_BACKING_COLLECTION is reported when the backing collection of a lock can be altered by subclasses. (See SEI CERT rule LCK00-J and SEI CERT rule LCK04-J)
• New detector FindIncreasedAccessibilityOfMethods for new bug type IAOM_DO_NOT_INCREASE_METHOD_ACCESSIBILITY. This detector reports a bug if a class increases the accessibility of overridden or hidden methods. (See SEI CERT rule MET04-J)

Fixed

• Fix DM_STRING_TOSTRING false negative when toString() is chained before a method call (e.g., s.toString().toLowerCase()); multiple occurrences in the same method are now all reported (#3966)
• Stop exposing JUnit BOM as a transitive dependency to consumers (#3908)
• Fix incorrect bug counts and sizes when unioning reports (#3721)
• Classes containing only methods throwing UnsupportedOperationException with setter-like names are no longer considered as mutable (#1601)
• Enhanced SARIF output with full description sections - adding markdown is still an open issue (#2339)
• Added missing null check to MultipleInstantiationsOfSingletons detector (#3823)
• Fix invalid syntax in findbugsfilter.xsd (#3832)
• Fix CT_CONSTRUCTOR_THROW FP with public and private constructors (#3822)
• Fix tool name in usage info, (#3847)
• Fix the building of relative chains of ./././ in filenames in fbp files (#3852)
• Fix IllegalArgumentException initializing spotbugs when inside a fat jar on Java 25 (#3875)
• Do not report DM_DEFAULT_ENCODING for classes compiled with target >= 18 (#3866)
• Fix FS_BAD_DATE_FORMAT_FLAG_COMBO not suppressed by field-level annotation (#3838)

... (truncated)

Commits

• 9efccc9 release v4.10.2
• 205d91b Check binary compatibility (#4159)
• a177422 Update spring core to v7.0.8 (#4158)
• 2d6857f update sonatype link in RELEASE_PROCEDURE.md (#4157)
• 32d4fb9 chore(build): Add verification on tag release that version matches the tag (#...
• 6657922 prepare for next release
• 7460889 release v4.10.1
• f6c4597 prepare for next release
• 6e64d99 release v4.10.0

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.