Bump the all-maven-dependencies group across 2 directories with 6 updates#50

Closed
dependabot[bot] wants to merge 2 commits into main from dependabot/maven/all-maven-dependencies-2fd3a62285
dependabot[bot] commented on behalf of github on Jun 29, 2026

Bumps the all-maven-dependencies group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| com.sap.cds:cds-services-bom | 4.9.0 | 5.0.0 |
| com.sap.cds:cds-maven-plugin | 4.9.0 | 5.0.0 |
| org.springframework.boot:spring-boot-dependencies | 3.5.15 | 3.5.16 |
| org.springframework.boot:spring-boot-maven-plugin | 3.5.15 | 3.5.16 |
| com.sap.cloud.security:java-bom | 3.7.3 | 3.7.4 |
| com.diffplug.spotless:spotless-maven-plugin | 3.6.0 | 3.7.0 |

Bumps the all-maven-dependencies group with 6 updates in the /srv directory:

| Package | From | To |
| --- | --- | --- |
| com.sap.cds:cds-maven-plugin | 4.9.0 | 5.0.0 |
| com.sap.cds:cds-services-bom | 4.9.0 | 5.0.0 |
| org.springframework.boot:spring-boot-maven-plugin | 3.5.15 | 3.5.16 |
| org.springframework.boot:spring-boot-dependencies | 3.5.15 | 3.5.16 |
| com.sap.cloud.security:java-bom | 3.7.3 | 3.7.4 |
| com.diffplug.spotless:spotless-maven-plugin | 3.6.0 | 3.7.0 |

Updates com.sap.cds:cds-services-bom from 4.9.0 to 5.0.0

Updates com.sap.cds:cds-maven-plugin from 4.9.0 to 5.0.0

Updates org.springframework.boot:spring-boot-dependencies from 3.5.15 to 3.5.16

Release notes

Sourced from org.springframework.boot:spring-boot-dependencies's releases.

v3.5.16

🔨 Dependency Upgrades

Commits
  • 0566f69 Release v3.5.16
  • 93edd16 Next development version (v3.5.16-SNAPSHOT)
  • 5bafd0a Upgrade to Spring Integration 6.5.10
  • baf3290 Upgrade to Spring AMQP 3.2.12
  • 2c5964a Upgrade to Spring Data Bom 2025.0.13
  • dbb08aa Upgrade Antora dependencies
  • 9b281d5 Upgrade to actions/checkout 7.0.0
  • a854058 Upgrade to jfrog/setup-jfrog-cli 5.1.0
  • fc236ae Start building against Spring Integration 6.5.10 snapshots
  • 5271da7 Start building against Spring Data Bom 2025.0.13 snapshots
  • Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-maven-plugin from 3.5.15 to 3.5.16

Release notes

Sourced from org.springframework.boot:spring-boot-maven-plugin's releases.

v3.5.16

🔨 Dependency Upgrades

Commits
  • 0566f69 Release v3.5.16
  • 93edd16 Next development version (v3.5.16-SNAPSHOT)
  • 5bafd0a Upgrade to Spring Integration 6.5.10
  • baf3290 Upgrade to Spring AMQP 3.2.12
  • 2c5964a Upgrade to Spring Data Bom 2025.0.13
  • dbb08aa Upgrade Antora dependencies
  • 9b281d5 Upgrade to actions/checkout 7.0.0
  • a854058 Upgrade to jfrog/setup-jfrog-cli 5.1.0
  • fc236ae Start building against Spring Integration 6.5.10 snapshots
  • 5271da7 Start building against Spring Data Bom 2025.0.13 snapshots
  • Additional commits viewable in compare view

Updates com.sap.cloud.security:java-bom from 3.7.3 to 3.7.4

Release notes

Sourced from com.sap.cloud.security:java-bom's releases.

3.7.4

  • Fix multi-tenant XSUAA token exchange in DefaultXsuaaTokenExtension
    • The IAS-to-XSUAA exchange used the provider subdomain endpoint, which caused XSUAA to resolve the provider tenant instead of the tenant carried in the X-zid header (app_tid)
    • Token exchange now targets a tenant-agnostic endpoint built from the uaadomain binding property, so XSUAA resolves the tenant via X-zid
    • For X.509 credentials the host's authentication. segment is replaced with authentication.cert. (analogous to the Node.js library), e.g. authentication.eu10.hana.ondemand.com → authentication.cert.eu10.hana.ondemand.com
    • Falls back to the existing subdomain-bearing endpoint when uaadomain is missing, preserving behavior for legacy bindings

Changelog

Sourced from com.sap.cloud.security:java-bom's changelog.

Change Log

All notable changes to this project will be documented in this file.

4.1.0

  • Update dependencies:
    • Spring Boot: 4.0.6 → 4.1.0
    • Spring Framework: 7.0.7 → 7.0.8
    • Spring Security: 7.0.5 → 7.1.0
    • Jetty: 12.1.9 → 12.1.10
    • Reactor: 3.8.2 → 3.8.6
    • JUnit: 6.0.3 → 6.1.0
    • SpotBugs annotations: 4.9.8 → 4.10.2
    • SpotBugs Maven Plugin: 4.9.8.3 → 4.10.2.0
    • org.json: 20251224 → 20260522
    • logcaptor: 2.12.2 → 2.12.6
    • assertj-core (samples): 3.24.2 → 3.27.7
    • maven-surefire-plugin: 3.5.5 → 3.5.6
    • jacoco-maven-plugin: 0.8.14 → 0.8.15
    • central-publishing-maven-plugin: 0.10.0 → 0.11.0
  • Fix junit-bom import in the root pom — entry was missing <type>pom</type><scope>import</scope>, so JUnit platform/jupiter versions were silently resolved through Spring Boot's BOM. Now correctly imported and ordered ahead of spring-boot-dependencies so junit-bom wins for all JUnit 6 artifacts.

4.0.7

  • Fix mTLS handshake regression in SSLContextFactory
    • Initialize the SSLContext with an explicit TrustManagerFactory backed by the system default trust store instead of passing null, fixing (certificate_unknown) No X509TrustManager implementation available failures observed on certain runtime configurations
  • Add missing no-arg constructor to DefaultOAuth2TokenService
    • The class lacked the no-arg constructor that the migration documentation (token-client/CUSTOM_HTTPCLIENT.md) advertised
    • The sibling services DefaultOAuth2TokenKeyService and DefaultOidcConfigurationService already had it; this restores symmetry
    • The new constructor obtains a SecurityHttpClient via SecurityHttpClientProvider.createClient(null) and delegates to the existing (SecurityHttpClient) constructor
  • Fix multi-tenant XSUAA token exchange in DefaultXsuaaTokenExtension
    • The IAS-to-XSUAA exchange used the provider subdomain endpoint, which caused XSUAA to resolve the provider tenant instead of the tenant carried in the X-zid header (app_tid)
    • Token exchange now targets a tenant-agnostic endpoint built from the uaadomain binding property, so XSUAA resolves the tenant via X-zid
    • For X.509 credentials the host's authentication. segment is replaced with authentication.cert. (analogous to the Node.js library), e.g. authentication.eu10.hana.ondemand.com → authentication.cert.eu10.hana.ondemand.com
    • Falls back to the existing subdomain-bearing endpoint when uaadomain is missing, preserving behavior for legacy bindings

4.0.6

  • Update dependencies to address known vulnerabilities:
    • Spring Boot (legacy 3.x modules): 3.5.9 → 3.5.14
    • Spring Framework (legacy 3.x modules): 6.2.15 → 6.2.18
    • Spring Security (legacy 3.x modules): 6.5.7 → 6.5.10
    • Caffeine: 3.2.0 → 3.2.4
    • SpotBugs Maven Plugin: 4.9.8.2 → 4.9.8.3

4.0.5

  • Restore deprecated HttpClientFactory.services field and ServiceLoader-based factory discovery for backward compatibility
    • Custom HttpClientFactory implementations registered via META-INF/services are discovered again
    • A deprecation warning is logged when a custom factory is used, guiding users to migrate to SecurityHttpClientFactory with SecurityHttpClientProvider

... (truncated)

Commits
  • 9d34661 chore: Release 3.7.4
  • 009f89d docs: Add CHANGELOG entry for XSUAA multi-tenant token exchange fix
  • 681e39e fix: Replace authentication. with authentication.cert. for X.509 uaadomain
  • 74f931f fix: Use tenant-agnostic XSUAA token endpoint when exchanging IAS to XSUAA
  • See full diff in compare view

Updates com.diffplug.spotless:spotless-maven-plugin from 3.6.0 to 3.7.0

Release notes

Sourced from com.diffplug.spotless:spotless-maven-plugin's releases.

Maven Plugin v3.7.0

Fixed

  • Parse standard git year output in LicenseHeaderStep. (#2940)
  • <toggleOffOn> no longer disables lint-only steps such as <forbidWildcardImports>. (#2962)
  • Fix StringIndexOutOfBoundsException in scenarios where copyright year is surrounded by whitespace. (#2973)

Added

  • Add support for AsciiDoc formatting via adocfmt. (#2960)
  • <flexmark> step now supports arbitrary formatter options via <formatterOptions>. (#2968)

Changelog

Sourced from com.diffplug.spotless:spotless-maven-plugin's changelog.

spotless-lib and spotless-lib-extra releases

If you are a Spotless user (as opposed to developer), then you are probably looking for:

This document is intended for Spotless developers.

We adhere to the keepachangelog format (starting after version 1.27.0).

[Unreleased]

[4.7.0] - 2026-06-16

Added

  • Add support for AsciiDoc formatting via adocfmt. (#2960)
  • flexmark step now supports arbitrary formatter options via a formatterOptions map. (#2968)

Fixed

  • FenceStep.preserveWithin now forwards lints from nested steps while still suppressing lints inside preserved blocks. (#2962)
  • Support ktfmt 0.63 and use its new builder API for formatting options to better avoid future breaking changes.
  • Parse standard git year output in LicenseHeaderStep. (#2940)
  • Fix StringIndexOutOfBoundsException in scenarios where copyright year is surrounded by whitespace. (#2973)

Changes

  • Bump default greclipse version to latest 4.35 -> 4.39. (#2924)

[4.6.2] - 2026-05-27

Fixed

  • P2Provisioner now passes cache directory overrides directly to Solstice. (#2944)
  • forbidWildcardImports and forbidModuleImports now detect imports that have leading whitespace (indentation/tabs). (#2939)
  • versionCatalog step no longer splits long inline tables across multiple lines — Gradle's TOML 1.0 parser cannot read multi-line inline tables. The maxLineLength option has been removed. (#2948)

Changes

  • EclipseJdtFormtterStep now can conditionally set compiler source/compliance options. Allows for better parsing of AST Node for newer language features and more correct sorting; e.g. records or seal classes. (#2942)
  • Formatter no longer recomputes line-ending normalization (LineEnding.toUnix) a second time for every formatter step that changes content, removing redundant O(n) work from the core formatting loop. (#2934)
  • expandWildcardImports support pom type dependency. (#2839)

[4.6.1] - 2026-05-15

Fixed

  • LicenseHeaderStep in SET_FROM_GIT year mode no longer invokes git log through bash -c / cmd /c, eliminating a shell-injection vector when processing repositories that contain files whose names include shell metacharacters.

[4.6.0] - 2026-05-14

Added

  • scalafmt() now reads the version from the version field in the scalafmt config file when no version is explicitly set in the plugin config, falling back to the built-in default only if neither is available. (#2922)
  • Add versionCatalog step for formatting and sorting Gradle version catalog (.toml) files. (#2916)
  • Add javaparserVersion option to the Cleanthat step, allowing callers to override the JavaParser version pulled in transitively by Cleanthat. (#2903)

Fixed

  • Preserve case of JDBI named bind params that collide with SQL keywords (e.g. :limit, :offset) in the DBeaver SQL formatter. (#2899)
  • Fix non-idempotent formatting when importOrder() is combined with greclipse(): a single catch-all group no longer strips blank lines that greclipse() independently inserted between import groups. (#2914)

Changes

  • Fix expandWildcardImports failing on JDK XML types such as org.xml.sax.InputSource. (#2921)

... (truncated)

Commits
  • ef7703a Published maven/3.7.0
  • 91113e0 Published gradle/8.7.0
  • 611b48e Published lib/4.7.0
  • 5f3a85f ci(deploy): use base64 -w0 so the auth header has no embedded newline
  • f84f025 ci(deploy): force HTTP/1.1 on git fetch origin main
  • 780f0f6 fix(spotless/gradle-plugin): Fix StringIndexOutOfBoundsException in scenari...
  • b0328c8 Update plugin rewrite to v7.34.0 (#2972)
  • 9a502ce Update plugin com.gradle.develocity to v4.4.2 (#2971)
  • b4d9ec0 Revert the changes to assertUnchanged() and use assertTransform() when ne...
  • 787819d Remove unneeded debug comments
  • Additional commits viewable in compare view

…ates

Bumps the all-maven-dependencies group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| com.sap.cds:cds-services-bom | `4.9.0` | `5.0.0` |
| com.sap.cds:cds-maven-plugin | `4.9.0` | `5.0.0` |
| [org.springframework.boot:spring-boot-dependencies](https://github.com/spring-projects/spring-boot) | `3.5.15` | `3.5.16` |
| [org.springframework.boot:spring-boot-maven-plugin](https://github.com/spring-projects/spring-boot) | `3.5.15` | `3.5.16` |
| [com.sap.cloud.security:java-bom](https://github.com/SAP/cloud-security-xsuaa-integration) | `3.7.3` | `3.7.4` |
| [com.diffplug.spotless:spotless-maven-plugin](https://github.com/diffplug/spotless) | `3.6.0` | `3.7.0` |

Bumps the all-maven-dependencies group with 6 updates in the /srv directory:

| Package | From | To |
| --- | --- | --- |
| com.sap.cds:cds-maven-plugin | `4.9.0` | `5.0.0` |
| com.sap.cds:cds-services-bom | `4.9.0` | `5.0.0` |
| [org.springframework.boot:spring-boot-maven-plugin](https://github.com/spring-projects/spring-boot) | `3.5.15` | `3.5.16` |
| [org.springframework.boot:spring-boot-dependencies](https://github.com/spring-projects/spring-boot) | `3.5.15` | `3.5.16` |
| [com.sap.cloud.security:java-bom](https://github.com/SAP/cloud-security-xsuaa-integration) | `3.7.3` | `3.7.4` |
| [com.diffplug.spotless:spotless-maven-plugin](https://github.com/diffplug/spotless) | `3.6.0` | `3.7.0` |



Updates `com.sap.cds:cds-services-bom` from 4.9.0 to 5.0.0

Updates `com.sap.cds:cds-maven-plugin` from 4.9.0 to 5.0.0

Updates `org.springframework.boot:spring-boot-dependencies` from 3.5.15 to 3.5.16
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.15...v3.5.16)

Updates `org.springframework.boot:spring-boot-maven-plugin` from 3.5.15 to 3.5.16
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.15...v3.5.16)

Updates `com.sap.cloud.security:java-bom` from 3.7.3 to 3.7.4
- [Release notes](https://github.com/SAP/cloud-security-xsuaa-integration/releases)
- [Changelog](https://github.com/SAP/cloud-security-services-integration-library/blob/main/CHANGELOG.md)
- [Commits](SAP/cloud-security-services-integration-library@3.7.3...3.7.4)

Updates `com.sap.cds:cds-maven-plugin` from 4.9.0 to 5.0.0

Updates `org.springframework.boot:spring-boot-maven-plugin` from 3.5.15 to 3.5.16
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.15...v3.5.16)

Updates `com.diffplug.spotless:spotless-maven-plugin` from 3.6.0 to 3.7.0
- [Release notes](https://github.com/diffplug/spotless/releases)
- [Changelog](https://github.com/diffplug/spotless/blob/main/CHANGES.md)
- [Commits](diffplug/spotless@maven/3.6.0...maven/3.7.0)

Updates `org.springframework.boot:spring-boot-maven-plugin` from 3.5.15 to 3.5.16
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.15...v3.5.16)

Updates `com.sap.cds:cds-maven-plugin` from 4.9.0 to 5.0.0

Updates `com.sap.cds:cds-services-bom` from 4.9.0 to 5.0.0

Updates `org.springframework.boot:spring-boot-dependencies` from 3.5.15 to 3.5.16
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.15...v3.5.16)

Updates `com.sap.cloud.security:java-bom` from 3.7.3 to 3.7.4
- [Release notes](https://github.com/SAP/cloud-security-xsuaa-integration/releases)
- [Changelog](https://github.com/SAP/cloud-security-services-integration-library/blob/main/CHANGELOG.md)
- [Commits](SAP/cloud-security-services-integration-library@3.7.3...3.7.4)

Updates `com.diffplug.spotless:spotless-maven-plugin` from 3.6.0 to 3.7.0
- [Release notes](https://github.com/diffplug/spotless/releases)
- [Changelog](https://github.com/diffplug/spotless/blob/main/CHANGES.md)
- [Commits](diffplug/spotless@maven/3.6.0...maven/3.7.0)

Updates `com.sap.cds:cds-maven-plugin` from 4.9.0 to 5.0.0

Updates `com.sap.cds:cds-services-bom` from 4.9.0 to 5.0.0

Updates `org.springframework.boot:spring-boot-maven-plugin` from 3.5.15 to 3.5.16
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.15...v3.5.16)

Updates `org.springframework.boot:spring-boot-dependencies` from 3.5.15 to 3.5.16
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.15...v3.5.16)

Updates `com.sap.cloud.security:java-bom` from 3.7.3 to 3.7.4
- [Release notes](https://github.com/SAP/cloud-security-xsuaa-integration/releases)
- [Changelog](https://github.com/SAP/cloud-security-services-integration-library/blob/main/CHANGELOG.md)
- [Commits](SAP/cloud-security-services-integration-library@3.7.3...3.7.4)

Updates `com.sap.cds:cds-maven-plugin` from 4.9.0 to 5.0.0

Updates `org.springframework.boot:spring-boot-maven-plugin` from 3.5.15 to 3.5.16
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.15...v3.5.16)

Updates `com.diffplug.spotless:spotless-maven-plugin` from 3.6.0 to 3.7.0
- [Release notes](https://github.com/diffplug/spotless/releases)
- [Changelog](https://github.com/diffplug/spotless/blob/main/CHANGES.md)
- [Commits](diffplug/spotless@maven/3.6.0...maven/3.7.0)

Updates `org.springframework.boot:spring-boot-maven-plugin` from 3.5.15 to 3.5.16
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.15...v3.5.16)

Updates `com.sap.cds:cds-maven-plugin` from 4.9.0 to 5.0.0

Updates `com.sap.cds:cds-services-bom` from 4.9.0 to 5.0.0

Updates `org.springframework.boot:spring-boot-dependencies` from 3.5.15 to 3.5.16
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.15...v3.5.16)

Updates `com.sap.cloud.security:java-bom` from 3.7.3 to 3.7.4
- [Release notes](https://github.com/SAP/cloud-security-xsuaa-integration/releases)
- [Changelog](https://github.com/SAP/cloud-security-services-integration-library/blob/main/CHANGELOG.md)
- [Commits](SAP/cloud-security-services-integration-library@3.7.3...3.7.4)

Updates `com.diffplug.spotless:spotless-maven-plugin` from 3.6.0 to 3.7.0
- [Release notes](https://github.com/diffplug/spotless/releases)
- [Changelog](https://github.com/diffplug/spotless/blob/main/CHANGES.md)
- [Commits](diffplug/spotless@maven/3.6.0...maven/3.7.0)

---
updated-dependencies:
- dependency-name: com.sap.cds:cds-services-bom
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-maven-dependencies
- dependency-name: com.sap.cds:cds-maven-plugin
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-maven-dependencies
- dependency-name: org.springframework.boot:spring-boot-dependencies
  dependency-version: 3.5.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-maven-dependencies
- dependency-name: org.springframework.boot:spring-boot-maven-plugin
  dependency-version: 3.5.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-maven-dependencies
- dependency-name: com.sap.cloud.security:java-bom
  dependency-version: 3.7.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-maven-dependencies
- dependency-name: com.sap.cds:cds-maven-plugin
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-maven-dependencies
- dependency-name: org.springframework.boot:spring-boot-maven-plugin
  dependency-version: 3.5.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-maven-dependencies
- dependency-name: com.diffplug.spotless:spotless-maven-plugin
  dependency-version: 3.7.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-maven-dependencies
- dependency-name: org.springframework.boot:spring-boot-maven-plugin
  dependency-version: 3.5.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-maven-dependencies
- dependency-name: com.sap.cds:cds-maven-plugin
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-maven-dependencies
- dependency-name: com.sap.cds:cds-services-bom
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-maven-dependencies
- dependency-name: org.springframework.boot:spring-boot-dependencies
  dependency-version: 3.5.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-maven-dependencies
- dependency-name: com.sap.cloud.security:java-bom
  dependency-version: 3.7.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-maven-dependencies
- dependency-name: com.diffplug.spotless:spotless-maven-plugin
  dependency-version: 3.7.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-maven-dependencies
- dependency-name: com.sap.cds:cds-maven-plugin
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-maven-dependencies
- dependency-name: com.sap.cds:cds-services-bom
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-maven-dependencies
- dependency-name: org.springframework.boot:spring-boot-maven-plugin
  dependency-version: 3.5.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-maven-dependencies
- dependency-name: org.springframework.boot:spring-boot-dependencies
  dependency-version: 3.5.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-maven-dependencies
- dependency-name: com.sap.cloud.security:java-bom
  dependency-version: 3.7.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-maven-dependencies
- dependency-name: com.sap.cds:cds-maven-plugin
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-maven-dependencies
- dependency-name: org.springframework.boot:spring-boot-maven-plugin
  dependency-version: 3.5.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-maven-dependencies
- dependency-name: com.diffplug.spotless:spotless-maven-plugin
  dependency-version: 3.7.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-maven-dependencies
- dependency-name: org.springframework.boot:spring-boot-maven-plugin
  dependency-version: 3.5.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-maven-dependencies
- dependency-name: com.sap.cds:cds-maven-plugin
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-maven-dependencies
- dependency-name: com.sap.cds:cds-services-bom
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-maven-dependencies
- dependency-name: org.springframework.boot:spring-boot-dependencies
  dependency-version: 3.5.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-maven-dependencies
- dependency-name: com.sap.cloud.security:java-bom
  dependency-version: 3.7.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-maven-dependencies
- dependency-name: com.diffplug.spotless:spotless-maven-plugin
  dependency-version: 3.7.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-maven-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and java (Pull requests that update java code) labels Jun 29, 2026
Comment thread pom.xml Outdated
@beckermarc beckermarc closed this Jul 3, 2026

dependabot Bot commented on behalf of github Jul 3, 2026


This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot Bot deleted the dependabot/maven/all-maven-dependencies-2fd3a62285 branch July 3, 2026 11:17

Labels

dependencies Pull requests that update a dependency file java Pull requests that update java code
