Bump the gradle-dependencies group with 21 updates #324

dependabot · 2025-12-02T02:03:57Z

Bumps the gradle-dependencies group with 21 updates:

Package	From	To
org.bouncycastle:bcprov-jdk18on	`1.82`	`1.83`
org.apache.commons:commons-lang3	`3.19.0`	`3.20.0`
com.google.errorprone:error_prone_core	`2.43.0`	`2.45.0`
com.google.errorprone:error_prone_annotations	`2.43.0`	`2.45.0`
com.google.googlejavaformat:google-java-format	`1.31.0`	`1.32.0`
io.grpc:grpc-bom	`1.76.0`	`1.77.0`
org.apache.jackrabbit:oak-core	`1.86.0`	`1.88.0`
com.palantir.javapoet:javapoet	`0.7.0`	`0.9.0`
com.code-intelligence:jazzer-junit	`0.26.0`	`0.27.0`
org.junit.support:testng-engine	`1.0.6`	`1.1.0`
com.uber.nullaway:nullaway	`0.12.11`	`0.12.12`
com.uber.nullaway:nullaway-annotations	`0.12.11`	`0.12.12`
com.squareup.okhttp3:okhttp-bom	`5.3.0`	`5.3.2`
com.squareup.okio:okio-bom	`3.16.2`	`3.16.4`
com.google.protobuf:protobuf-java	`4.33.0`	`4.33.1`
com.mebigfatguy.sb-contrib:sb-contrib	`7.6.15`	`7.7.1`
org.tukaani:xz	`1.10`	`1.11`
org.owasp.dependencycheck	`12.1.8`	`12.1.9`
dev.sigstore.sign	`2.0.0-rc2`	`2.0.0`
org.sonarqube	`7.0.1.6134`	`7.1.0.6387`
com.github.spotbugs	`6.4.4`	`6.4.7`

Updates org.bouncycastle:bcprov-jdk18on from 1.82 to 1.83

Changelog

Sourced from org.bouncycastle:bcprov-jdk18on's changelog.

2.1.1 Version Release: 1.83 Date: 2025, November 27th.

2.2.1 Version Release: 1.82 Date: 2025, 17th September.

... (truncated)

Commits

See full diff in compare view

Updates org.apache.commons:commons-lang3 from 3.19.0 to 3.20.0

Updates com.google.errorprone:error_prone_core from 2.43.0 to 2.45.0

Release notes

Sourced from com.google.errorprone:error_prone_core's releases.

Error Prone 2.45.0

Changes:

Improved compatibility with latest JDK 26 EA builds.

New checks:

AssertSameIncompatible: Detect calls to assertSame and similar assertions, where the calls are guaranteed to either succeed or fail.

FormatStringShouldUsePlaceholders: Suggests using a format string instead of string concatenation operations on format methods

Closed issues: #5335

Full changelog: google/error-prone@v2.44.0...v2.45.0

Error Prone 2.44.0

Changes

The default severity for LabelledBreakTarget is now an error

Update dependency on Guava (#5108)

Closed issues: #5218, #5278

Full changelog: google/error-prone@v2.43.0...v2.44.0

Commits

c862815 Release Error Prone 2.45.0
7027d9f Add negative test cases for AlwaysThrows with non-literal arguments.
8669adb Fix parameter name handling of enum constructor arguments
679c4ac Update end position handling
dc1279e AssertSameIncompatible: flag calls to assertSame/etc where the calls are guar...
24387de Internal change
5300dc6 Disable an InvalidLink test for a javadoc bug on JDK >= 26
75dcd53 Fix the Optional wrapping in the description of NonCanonicalStaticMemberImport.
10f5424 FormatStringShouldUsePlaceholders shouldn't rewrite calls with a pass-through...
3ef3d79 The verb form of "recursion" is "to recur", not "to recurse". Quoting my CS p...
Additional commits viewable in compare view

Updates com.google.errorprone:error_prone_annotations from 2.43.0 to 2.45.0

Release notes

Sourced from com.google.errorprone:error_prone_annotations's releases.

Error Prone 2.45.0

Changes:

Improved compatibility with latest JDK 26 EA builds.

New checks:

AssertSameIncompatible: Detect calls to assertSame and similar assertions, where the calls are guaranteed to either succeed or fail.

FormatStringShouldUsePlaceholders: Suggests using a format string instead of string concatenation operations on format methods

Closed issues: #5335

Full changelog: google/error-prone@v2.44.0...v2.45.0

Error Prone 2.44.0

Changes

The default severity for LabelledBreakTarget is now an error

Update dependency on Guava (#5108)

Closed issues: #5218, #5278

Full changelog: google/error-prone@v2.43.0...v2.44.0

Commits

c862815 Release Error Prone 2.45.0
7027d9f Add negative test cases for AlwaysThrows with non-literal arguments.
8669adb Fix parameter name handling of enum constructor arguments
679c4ac Update end position handling
dc1279e AssertSameIncompatible: flag calls to assertSame/etc where the calls are guar...
24387de Internal change
5300dc6 Disable an InvalidLink test for a javadoc bug on JDK >= 26
75dcd53 Fix the Optional wrapping in the description of NonCanonicalStaticMemberImport.
10f5424 FormatStringShouldUsePlaceholders shouldn't rewrite calls with a pass-through...
3ef3d79 The verb form of "recursion" is "to recur", not "to recurse". Quoting my CS p...
Additional commits viewable in compare view

Updates com.google.errorprone:error_prone_annotations from 2.43.0 to 2.45.0

Release notes

Sourced from com.google.errorprone:error_prone_annotations's releases.

Error Prone 2.45.0

Changes:

Improved compatibility with latest JDK 26 EA builds.

New checks:

AssertSameIncompatible: Detect calls to assertSame and similar assertions, where the calls are guaranteed to either succeed or fail.

FormatStringShouldUsePlaceholders: Suggests using a format string instead of string concatenation operations on format methods

Closed issues: #5335

Full changelog: google/error-prone@v2.44.0...v2.45.0

Error Prone 2.44.0

Changes

The default severity for LabelledBreakTarget is now an error

Update dependency on Guava (#5108)

Closed issues: #5218, #5278

Full changelog: google/error-prone@v2.43.0...v2.44.0

Commits

c862815 Release Error Prone 2.45.0
7027d9f Add negative test cases for AlwaysThrows with non-literal arguments.
8669adb Fix parameter name handling of enum constructor arguments
679c4ac Update end position handling
dc1279e AssertSameIncompatible: flag calls to assertSame/etc where the calls are guar...
24387de Internal change
5300dc6 Disable an InvalidLink test for a javadoc bug on JDK >= 26
75dcd53 Fix the Optional wrapping in the description of NonCanonicalStaticMemberImport.
10f5424 FormatStringShouldUsePlaceholders shouldn't rewrite calls with a pass-through...
3ef3d79 The verb form of "recursion" is "to recur", not "to recurse". Quoting my CS p...
Additional commits viewable in compare view

Updates com.google.googlejavaformat:google-java-format from 1.31.0 to 1.32.0

Release notes

Sourced from com.google.googlejavaformat:google-java-format's releases.

v1.32.0

Changes:

Add support for AOSP formatting in the Eclipse plugin (#179)

Full Changelog: google/google-java-format@v1.31.0...v1.32.0

Commits

20fbee0 Release google-java-format 1.32.0
60a00f2 Add support for AOSP formatting in the Eclipse plugin
b723942 Update the IntelliJ plugin to gjf 1.31.0.
See full diff in compare view

Updates io.grpc:grpc-bom from 1.76.0 to 1.77.0

Release notes

Sourced from io.grpc:grpc-bom's releases.

v1.77.0

API Changes

binder: Remove experimental BinderChannelBuilder.bindAsUser() method, deprecated since 1.69 (#12401) (f96ce0670)

Bug Fixes

api: Fix name resolver bridge listener handling for address resolution errors for custom name resolvers (#12441) (acbbf869a). This fixes regression introduced in v1.68.1 causing a “IllegalStateException: No value present.” exception

core: Fix NullPointerException during address update with Happy Eyeballs (5e8af564e). This should not impact many people as the code is disabled by default, behind two experimental environment variables

okhttp: Fix bidirectional keep-alive causing spurious GOAWAY (6fc3fd046). This fixes the grpc-okhttp server incorrectly closing the connection with GOAWAY: too_many_pings

xds: SslContext updates handling when using system root certs (#12340) (63fdaaccc). Since FileWatcherCertificateProvider isn't used when using system root trust store, the SslContext update for the handshake that depended on it wasn't happening. This fix creates a separate CertificateProvider for handling system root certs that doesn't rely on the FileWatcherCertificateProvider.

xds: Make cluster selection interceptor run before other filters (#12381) (82f9b8ec0). This is needed when there is GcpAuthenticationFilter in the filter chain to make available the cluster resource in CallOptions.

xds: Handle wildcards in DNS SAN exact matching (#12345) (5b876cc86)

android: Fix UdsChannelBuilder with WiFi Proxy (349a35a9b)

binder: Avoid potential deadlock when canceling AsyncSecurityPolicy futures (#12283) (4725ced99)

binder: Fix a BinderServerTransport crash in the rare shutdown-before-start case (#12440) (91f3f4dc1)

Improvements

Improve status messages by including causal error details in config parsing errors for outlier detection and xds’s wrr locality policies (86e8b5617)

xds: Detect negative ref count for xds client (21696cd3d). A negative reference count could cause NullPointerExceptions, so when too many unrefs are detected it produces a SEVERE warning and prevents the reference count from going negative

xds: Support deprecated xDS TLS fields for Istio compat (#12435) (53cd1a225). This fixes a regression with Istio introduced in v1.73.0. This gives time for Istio’s new xDS field support to roll out

googleapis: Allow wrapping NameResolver to inject XdsClient (#12450) (27d150890). This allows googleapis to inject an xDS bootstrap to use with its channels even if one is already specified in the environment variable or system property. When the code was originally written there was a single global XdsClient, but since gRFC A71 Xds Fallback each target string has its own XdsClient and thus can have its own bootstrap

alts: Allow overriding metadata server address with env variable (9ac12ef89) (498f717fc)

binder: Let the server know when the client fails to authorize it. (#12445) (599a0a146) This avoids the server needing to wait for the handshake timeout before realizing the handshake failed

New Features

opentelemetry: Implement otel retry metrics from gRFC A96 (#12064) (d380191be)

opentelemetry: propagate baggage to server metrics for custom attributes (#12389) (155308db2)

xds: Allow EC Keys in SPIFFE Bundle Map parsing (#12399) (559e3ba41)

xds: Enable authority rewriting (gRFC A81), system root cert support (gRFC A82), GCP authentication filter (gRFC A83), and SNI (gRFC A101) (#12499) (246c2b1ea). Authority rewriting requires the control plane to be labeled trusted_xds_server in the bootstrap. System root cert support and SNI require using XdsChannelCredentials

rls: Add route lookup reason to request whether it is due to a cache miss or stale cache entry (#12442) (795ce0280)

Dependencies

compiler: C++ protobuf used by codegen upgraded to 26.1 (#12330) (55aefd5b8)

alts: Remove dep on grpclb (b769f966a). ALTS is no longer used with grpclb, so this removes dead code

Upgrade netty to 4.1.127.Final (b37ee67cf)

Thanks to

@panchenko @benjaminp @HyunSangHan @becomeStar @ZachChuba @oliviamariacodes @kssumin @laz-canva

... (truncated)

Commits

251dfbb Bump version to 1.77.0
5de8e93 Update README etc to reference 1.77.0
155308d opentelemetry: propagate baggage to metrics for custom attributes, helps with...
efef0dd servlet: Ignore timeoutOnSleepingServer for Tomcat
53cd1a2 xds: Support deprecated xDS TLS fields for Istio compat (#12435)
6fc3fd0 okhttp: Fix bidirectional keep-alive causing spurious GO_AWAY
498f717 alts: Metadata server address modification to account for default port
9ac12ef alts: Override metadata server address with env variable
246c2b1 xds: Enable flags for CSM Cloud run gRPC Java (#12499)
5e8af56 core: Fix NPE during address update with Happy Eyeballs
Additional commits viewable in compare view

Updates org.apache.jackrabbit:oak-core from 1.86.0 to 1.88.0

Updates com.palantir.javapoet:javapoet from 0.7.0 to 0.9.0

Release notes

Sourced from com.palantir.javapoet:javapoet's releases.

0.9.0

💡 Improvements

Validate class name when constructing a ClassName. (#368)

0.8.0

🐛 Fixes

Produce correct annotations when ParameterizedTypeName.annotated is called repeatedly. (#359)

Commits

1654c63 Release 0.9.0
50517eb Check that class name is valid (#368)
4fbbf1e Excavator: Upgrades Baseline to the latest version (#367)
e1f6a2e Excavator: Format Java files (#366)
e9c7720 Excavator: Upgrades Baseline to the latest version (#365)
9ad2d1c Excavator: Upgrades Baseline to the latest version (#362)
b3649ea Excavator: Upgrades Baseline to the latest version (#361)
dc41cb9 Release 0.8.0
b8717ae Fix repeated use of annotated on ParameterizedTypeName (#359)
f19f11e Excavator: Add the gradle-idea-configuration plugin to the build (#357)
Additional commits viewable in compare view

Updates com.code-intelligence:jazzer-junit from 0.26.0 to 0.27.0

Release notes

Sourced from com.code-intelligence:jazzer-junit's releases.

v0.27.0

What's Changed

chore: update bazel dependencies by @simonresch in CodeIntelligenceTesting/jazzer#987

fix: guard against malformed corpus entries in protobuf mutator by @simonresch in CodeIntelligenceTesting/jazzer#989

chore: update maven dependencies by @simonresch in CodeIntelligenceTesting/jazzer#988

fix: fixes for sanitizer handling in honeypot class by @simonresch in CodeIntelligenceTesting/jazzer#991

feat: add guidance hook for SpEL injection by @simonresch in CodeIntelligenceTesting/jazzer#990

feat: add big decimal sanitizer by @florianGla in CodeIntelligenceTesting/jazzer#992

BREAKING: remove Spring API fuzz test helpers by @florianGla in CodeIntelligenceTesting/jazzer#993

chore(deps): update github workflows by @simonresch in CodeIntelligenceTesting/jazzer#997

chore: update bazel dependencies by @simonresch in CodeIntelligenceTesting/jazzer#998

fix: fuzz test invocation with referring protobufs by @simonresch in CodeIntelligenceTesting/jazzer#995

chore: exclude potentially dangerous tests by default by @simonresch in CodeIntelligenceTesting/jazzer#996

fix: assertion failure when fuzzing proto strings by @simonresch in CodeIntelligenceTesting/jazzer#1002

feat: add hooks for additional EL evaluation methods by @florianGla in CodeIntelligenceTesting/jazzer#994

chore: upgrade to bazel 8 by @simonresch in CodeIntelligenceTesting/jazzer#1001

feat: add support for proto maps with enum values by @simonresch in CodeIntelligenceTesting/jazzer#1006

dependency updates by @simonresch in CodeIntelligenceTesting/jazzer#1000

feat: add jexl expression guidance hook by @florianGla in CodeIntelligenceTesting/jazzer#1003

feat: MVEL guidance hook by @simonresch in CodeIntelligenceTesting/jazzer#1005

feat: add ognl expression guidance hook by @florianGla in CodeIntelligenceTesting/jazzer#1004

feat: add xml parser guidance hook by @simonresch in CodeIntelligenceTesting/jazzer#999

feat: set mutator by @oetr in CodeIntelligenceTesting/jazzer#955

Mention Set in WithSize Javadoc & slightly improve test by @Marcono1234 in CodeIntelligenceTesting/jazzer#1010

refactor: improve readability of util function by @simonresch in CodeIntelligenceTesting/jazzer#1011

feat: add freemarker template injection guidance hook by @florianGla in CodeIntelligenceTesting/jazzer#1007

fix: properly instrument nested records by @oetr in CodeIntelligenceTesting/jazzer#1009

docs: document seed input sources for @FuzzTest by @simonresch in CodeIntelligenceTesting/jazzer#1012

chore(deps): update maven deps by @simonresch in CodeIntelligenceTesting/jazzer#1014

Full Changelog: CodeIntelligenceTesting/jazzer@v0.26.0...v0.27.0

Commits

2d78a82 chore: update the release instructions
118fbef chore: automatically deploy to Maven Central and create a GH release
8ad3c12 chore: making local bundle doesn't need Sonatype usename or password
068587e chore(deps): update maven deps
85ae9d1 docs: document seed input sources for @FuzzTest
94ea994 fix: instrumention of nested records, and records with annotated fields
761cc11 feat: add freemarker template injection guidance hook
196391d chore: suppress unused params in XmlParserSsrfGuidance
57628a7 refactor: improve readability of util function
65f0722 chore: improve ArgumentsMutatorFuzzTest
Additional commits viewable in compare view

Updates org.junit.support:testng-engine from 1.0.6 to 1.1.0

Release notes

Sourced from org.junit.support:testng-engine's releases.

1.1.0

What's Changed

Provide cancellation support for JUnit 6.0 by @marcphilipp in junit-team/testng-engine#232

Full Changelog: junit-team/testng-engine@r1.0.6...r1.1.0

Commits

78e7569 Release 1.1.0
9bbe532 Use JUnit 6.0.1
d1f9686 Update github/codeql-action action to v4.31.2
73dcc9d Update Gradle to v9.2.0
a70eb48 Update github/codeql-action action to v4.31.0
67c620f Add security policy
2758398 Update github/codeql-action action to v4.30.9
740dad4 Update plugin com.gradle.develocity to v4.2.2
0e1e5d7 Update github/codeql-action action to v4.30.8
44bbdbe Update github/codeql-action action to v4
Additional commits viewable in compare view

Updates com.uber.nullaway:nullaway from 0.12.11 to 0.12.12

Release notes

Sourced from com.uber.nullaway:nullaway's releases.

NullAway 0.12.12

This release fixes a severe performance regression introduced in NullAway 0.12.11 and we encourage all users of 0.12.11 to upgrade.

Address severe performance regression in dataflow analysis (#1328)

Maintenance

Fix test args for SuggestedFixesTests (#1324)

Stop passing -processorpath to CompilationTestHelper in NullAway tests (#1326)

Changelog

Sourced from com.uber.nullaway:nullaway's changelog.

Version 0.12.12

This release fixes a severe performance regression introduced in NullAway 0.12.11 and we encourage all users of 0.12.11 to upgrade.

Address severe performance regression in dataflow analysis (#1328)

Maintenance

Fix test args for SuggestedFixesTests (#1324)

Stop passing -processorpath to CompilationTestHelper in NullAway tests (#1326)

Commits

27a029c Prepare for release 0.12.12.
77c85a6 Address severe performance regression in dataflow analysis (#1328)
38a7561 Stop passing -processorpath to CompilationTestHelper in NullAway tests (#...
334479c Fix test args for SuggestedFixesTests (#1324)
7923ea2 Prepare next development version.
See full diff in compare view

Updates com.uber.nullaway:nullaway-annotations from 0.12.11 to 0.12.12

Release notes

Sourced from com.uber.nullaway:nullaway-annotations's releases.

NullAway 0.12.12

This release fixes a severe performance regression introduced in NullAway 0.12.11 and we encourage all users of 0.12.11 to upgrade.

Address severe performance regression in dataflow analysis (#1328)

Maintenance

Fix test args for SuggestedFixesTests (#1324)

Stop passing -processorpath to CompilationTestHelper in NullAway tests (#1326)

Changelog

Sourced from com.uber.nullaway:nullaway-annotations's changelog.

Version 0.12.12

This release fixes a severe performance regression introduced in NullAway 0.12.11 and we encourage all users of 0.12.11 to upgrade.

Address severe performance regression in dataflow analysis (#1328)

Maintenance

Fix test args for SuggestedFixesTests (#1324)

Stop passing -processorpath to CompilationTestHelper in NullAway tests (#1326)

Commits

27a029c Prepare for release 0.12.12.
77c85a6 Address severe performance regression in dataflow analysis (#1328)
38a7561 Stop passing -processorpath to CompilationTestHelper in NullAway tests (#...
334479c Fix test args for SuggestedFixesTests (#1324)
7923ea2 Prepare next development version.
See full diff in compare view

Updates com.uber.nullaway:nullaway-annotations from 0.12.11 to 0.12.12

Release notes

Sourced from com.uber.nullaway:nullaway-annotations's releases.

NullAway 0.12.12

This release fixes a severe performance regression introduced in NullAway 0.12.11 and we encourage all users of 0.12.11 to upgrade.

Address severe performance regression in dataflow analysis (#1328)

Maintenance

Fix test args for SuggestedFixesTests (#1324)

Stop passing -processorpath to CompilationTestHelper in NullAway tests (#1326)

Changelog

Sourced from com.uber.nullaway:nullaway-annotations's changelog.

Version 0.12.12

This release fixes a severe performance regression introduced in NullAway 0.12.11 and we encourage all users of 0.12.11 to upgrade.

Address severe performance regression in dataflow analysis (#1328)

Maintenance

Fix test args for SuggestedFixesTests (#1324)

Stop passing -processorpath to CompilationTestHelper in NullAway tests (#1326)

Commits

27a029c Prepare for release 0.12.12.
77c85a6 Address severe performance regression in dataflow analysis (#1328)
38a7561 Stop passing -processorpath to CompilationTestHelper in NullAway tests (#...
334479c Fix test args for SuggestedFixesTests (#1324)
7923ea2 Prepare next development version.
See full diff in compare view

Updates com.squareup.okhttp3:okhttp-bom from 5.3.0 to 5.3.2

Changelog

Sourced from com.squareup.okhttp3:okhttp-bom's changelog.

Version 5.3.2

2025-11-18

Fix: Don't delay triggering timeouts. In Okio 3.16.0 we introduced a regression that caused timeouts to fire later than they were supposed to.

Upgrade: [Okio 3.16.4][okio_3_16_4].

Version 5.3.1

2025-11-16

This release is the same as 5.3.0. Okio 3.16.3 didn't have a necessary fix!

Upgrade: [Okio 3.16.3][okio_3_16_3].

Commits

75b9c26 Prepare for release 5.3.2.
ab48e5d Okio 3.16.4 (#9200)
a9a4638 Prepare next development version.
ef72228 Prepare for release 5.3.1.
6747167 Update com.squareup.okio to v3.16.3 (#9197)
See full diff in compare view

Updates com.squareup.okio:okio-bom from 3.16.2 to 3.16.4

Changelog

Sourced from com.squareup.okio:okio-bom's changelog.

Version 3.16.4

2025-11-17

Fix: Don't delay triggering timeouts. In 3.16.0 we introduced a regression that caused timeouts to fire later than they were supposed to.

Version 3.16.3

2025-11-14

This release is the same as 3.16.2. We forgot to cherry-pick a commit before we released!

Commits

74b87c8 Prepare for release 3.16.4.
5cffb11 Fix compareTo function for priority queue in Asynctimeout (#1738)
c869a7b Prepare next development version.
06289cc Prepare for release 3.16.3.
See full diff in compare view

Updates com.google.protobuf:protobuf-java from 4.33.0 to 4.33.1

Commits

See full diff in compare view

Updates com.mebigfatguy.sb-contrib:sb-contrib from 7.6.15 to 7.7.1

Commits

See full diff in compare view

Updates org.tukaani:xz from 1.10 to 1.11

Changelog

Sourced from org.tukaani:xz's changelog.

1.11 (2025-11-19)
Fix a data corruption bug when encoding with the rarely-used option LZMA2Options.MODE_UNCOMPRESSED. To trigger the bug, a write call must cross an offset that is a multiple of 65536 bytes. For example, one write of 70000 bytes or two write calls of 50000 bytes each would trigger the bug. The bug isn't triggered if there are ten write calls of 8192 bytes each followed by one 123-byte write.

If encoding to a .xz file, a decoder would catch the issue because the integrity check wouldn't match.
The binaries of 1.10 in the Maven Central require Java 8 and contain optimized classes for Java >= 9 as multi-release JAR. They were built with OpenJDK 21.0.9 on GNU/Linux and can be reproduced using the following command:
SOURCE_DATE_EPOCH=1763575020 TZ=UTC0 ant maven

Commits

eec2ad9 Bump the version number to 1.11
cd59206 Update NEWS.md for 1.11
afd20a2 Omit the .github directory from releases
061ba5d CI: Add Coverity Scan
cc7ea2e UncompressedLZMA2OutputStream: Don't mention ResettableArrayCache
6dd6e27 LZMACoder: Fix a copy-paste error
d010bdf IA64.code: Silence a false positive from Coverity
2ff3ec5 REUSE.toml: Bump REUSE spec version from 3.2 to 3.3
14c7102 REUSE.toml: Add SHA256SUMS
74e42f4 Avoid an unneeded arraycopy in UncompressedLZMA2OutputStream
Additional commits viewable in compare view

Updates org.owasp.dependencycheck from 12.1.8 to 12.1.9

Updates dev.sigstore.sign from 2.0.0-rc2 to 2.0.0

Updates org.sonarqube from 7.0.1.6134 to 7.1.0.6387

Updates com.github.spotbugs from 6.4.4 to 6.4.7

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the gradle-dependencies group with 21 updates: | Package | From | To | | --- | --- | --- | | [org.bouncycastle:bcprov-jdk18on](https://github.com/bcgit/bc-java) | `1.82` | `1.83` | | org.apache.commons:commons-lang3 | `3.19.0` | `3.20.0` | | [com.google.errorprone:error_prone_core](https://github.com/google/error-prone) | `2.43.0` | `2.45.0` | | [com.google.errorprone:error_prone_annotations](https://github.com/google/error-prone) | `2.43.0` | `2.45.0` | | [com.google.googlejavaformat:google-java-format](https://github.com/google/google-java-format) | `1.31.0` | `1.32.0` | | [io.grpc:grpc-bom](https://github.com/grpc/grpc-java) | `1.76.0` | `1.77.0` | | org.apache.jackrabbit:oak-core | `1.86.0` | `1.88.0` | | [com.palantir.javapoet:javapoet](https://github.com/palantir/javapoet) | `0.7.0` | `0.9.0` | | [com.code-intelligence:jazzer-junit](https://github.com/CodeIntelligenceTesting/jazzer) | `0.26.0` | `0.27.0` | | [org.junit.support:testng-engine](https://github.com/junit-team/testng-engine) | `1.0.6` | `1.1.0` | | [com.uber.nullaway:nullaway](https://github.com/uber/NullAway) | `0.12.11` | `0.12.12` | | [com.uber.nullaway:nullaway-annotations](https://github.com/uber/NullAway) | `0.12.11` | `0.12.12` | | [com.squareup.okhttp3:okhttp-bom](https://github.com/square/okhttp) | `5.3.0` | `5.3.2` | | [com.squareup.okio:okio-bom](https://github.com/square/okio) | `3.16.2` | `3.16.4` | | [com.google.protobuf:protobuf-java](https://github.com/protocolbuffers/protobuf) | `4.33.0` | `4.33.1` | | [com.mebigfatguy.sb-contrib:sb-contrib](https://github.com/mebigfatguy/fb-contrib) | `7.6.15` | `7.7.1` | | [org.tukaani:xz](https://github.com/tukaani-project/xz-java) | `1.10` | `1.11` | | org.owasp.dependencycheck | `12.1.8` | `12.1.9` | | dev.sigstore.sign | `2.0.0-rc2` | `2.0.0` | | org.sonarqube | `7.0.1.6134` | `7.1.0.6387` | | com.github.spotbugs | `6.4.4` | `6.4.7` | Updates `org.bouncycastle:bcprov-jdk18on` from 1.82 to 1.83 - [Changelog](https://github.com/bcgit/bc-java/blob/main/docs/releasenotes.html) - [Commits](https://github.com/bcgit/bc-java/commits) Updates `org.apache.commons:commons-lang3` from 3.19.0 to 3.20.0 Updates `com.google.errorprone:error_prone_core` from 2.43.0 to 2.45.0 - [Release notes](https://github.com/google/error-prone/releases) - [Commits](google/error-prone@v2.43.0...v2.45.0) Updates `com.google.errorprone:error_prone_annotations` from 2.43.0 to 2.45.0 - [Release notes](https://github.com/google/error-prone/releases) - [Commits](google/error-prone@v2.43.0...v2.45.0) Updates `com.google.errorprone:error_prone_annotations` from 2.43.0 to 2.45.0 - [Release notes](https://github.com/google/error-prone/releases) - [Commits](google/error-prone@v2.43.0...v2.45.0) Updates `com.google.googlejavaformat:google-java-format` from 1.31.0 to 1.32.0 - [Release notes](https://github.com/google/google-java-format/releases) - [Commits](google/google-java-format@v1.31.0...v1.32.0) Updates `io.grpc:grpc-bom` from 1.76.0 to 1.77.0 - [Release notes](https://github.com/grpc/grpc-java/releases) - [Commits](grpc/grpc-java@v1.76.0...v1.77.0) Updates `org.apache.jackrabbit:oak-core` from 1.86.0 to 1.88.0 Updates `com.palantir.javapoet:javapoet` from 0.7.0 to 0.9.0 - [Release notes](https://github.com/palantir/javapoet/releases) - [Commits](palantir/javapoet@0.7.0...0.9.0) Updates `com.code-intelligence:jazzer-junit` from 0.26.0 to 0.27.0 - [Release notes](https://github.com/CodeIntelligenceTesting/jazzer/releases) - [Commits](CodeIntelligenceTesting/jazzer@v0.26.0...v0.27.0) Updates `org.junit.support:testng-engine` from 1.0.6 to 1.1.0 - [Release notes](https://github.com/junit-team/testng-engine/releases) - [Commits](junit-team/testng-engine@r1.0.6...r1.1.0) Updates `com.uber.nullaway:nullaway` from 0.12.11 to 0.12.12 - [Release notes](https://github.com/uber/NullAway/releases) - [Changelog](https://github.com/uber/NullAway/blob/master/CHANGELOG.md) - [Commits](uber/NullAway@v0.12.11...v0.12.12) Updates `com.uber.nullaway:nullaway-annotations` from 0.12.11 to 0.12.12 - [Release notes](https://github.com/uber/NullAway/releases) - [Changelog](https://github.com/uber/NullAway/blob/master/CHANGELOG.md) - [Commits](uber/NullAway@v0.12.11...v0.12.12) Updates `com.uber.nullaway:nullaway-annotations` from 0.12.11 to 0.12.12 - [Release notes](https://github.com/uber/NullAway/releases) - [Changelog](https://github.com/uber/NullAway/blob/master/CHANGELOG.md) - [Commits](uber/NullAway@v0.12.11...v0.12.12) Updates `com.squareup.okhttp3:okhttp-bom` from 5.3.0 to 5.3.2 - [Changelog](https://github.com/square/okhttp/blob/master/CHANGELOG.md) - [Commits](square/okhttp@parent-5.3.0...parent-5.3.2) Updates `com.squareup.okio:okio-bom` from 3.16.2 to 3.16.4 - [Changelog](https://github.com/square/okio/blob/master/CHANGELOG.md) - [Commits](square/okio@3.16.2...parent-3.16.4) Updates `com.google.protobuf:protobuf-java` from 4.33.0 to 4.33.1 - [Release notes](https://github.com/protocolbuffers/protobuf/releases) - [Commits](https://github.com/protocolbuffers/protobuf/commits) Updates `com.mebigfatguy.sb-contrib:sb-contrib` from 7.6.15 to 7.7.1 - [Commits](https://github.com/mebigfatguy/fb-contrib/commits) Updates `org.tukaani:xz` from 1.10 to 1.11 - [Release notes](https://github.com/tukaani-project/xz-java/releases) - [Changelog](https://github.com/tukaani-project/xz-java/blob/master/NEWS.md) - [Commits](tukaani-project/xz-java@v1.10...v1.11) Updates `org.owasp.dependencycheck` from 12.1.8 to 12.1.9 Updates `dev.sigstore.sign` from 2.0.0-rc2 to 2.0.0 Updates `org.sonarqube` from 7.0.1.6134 to 7.1.0.6387 Updates `com.github.spotbugs` from 6.4.4 to 6.4.7 --- updated-dependencies: - dependency-name: org.bouncycastle:bcprov-jdk18on dependency-version: '1.83' dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gradle-dependencies - dependency-name: org.apache.commons:commons-lang3 dependency-version: 3.20.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gradle-dependencies - dependency-name: com.google.errorprone:error_prone_core dependency-version: 2.45.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gradle-dependencies - dependency-name: com.google.errorprone:error_prone_annotations dependency-version: 2.45.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gradle-dependencies - dependency-name: com.google.errorprone:error_prone_annotations dependency-version: 2.45.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gradle-dependencies - dependency-name: com.google.googlejavaformat:google-java-format dependency-version: 1.32.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gradle-dependencies - dependency-name: io.grpc:grpc-bom dependency-version: 1.77.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gradle-dependencies - dependency-name: org.apache.jackrabbit:oak-core dependency-version: 1.88.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gradle-dependencies - dependency-name: com.palantir.javapoet:javapoet dependency-version: 0.9.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gradle-dependencies - dependency-name: com.code-intelligence:jazzer-junit dependency-version: 0.27.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gradle-dependencies - dependency-name: org.junit.support:testng-engine dependency-version: 1.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gradle-dependencies - dependency-name: com.uber.nullaway:nullaway dependency-version: 0.12.12 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gradle-dependencies - dependency-name: com.uber.nullaway:nullaway-annotations dependency-version: 0.12.12 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gradle-dependencies - dependency-name: com.uber.nullaway:nullaway-annotations dependency-version: 0.12.12 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gradle-dependencies - dependency-name: com.squareup.okhttp3:okhttp-bom dependency-version: 5.3.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gradle-dependencies - dependency-name: com.squareup.okio:okio-bom dependency-version: 3.16.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gradle-dependencies - dependency-name: com.google.protobuf:protobuf-java dependency-version: 4.33.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gradle-dependencies - dependency-name: com.mebigfatguy.sb-contrib:sb-contrib dependency-version: 7.7.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gradle-dependencies - dependency-name: org.tukaani:xz dependency-version: '1.11' dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gradle-dependencies - dependency-name: org.owasp.dependencycheck dependency-version: 12.1.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gradle-dependencies - dependency-name: dev.sigstore.sign dependency-version: 2.0.0 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gradle-dependencies - dependency-name: org.sonarqube dependency-version: 7.1.0.6387 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gradle-dependencies - dependency-name: com.github.spotbugs dependency-version: 6.4.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gradle-dependencies ... Signed-off-by: dependabot[bot] <[email protected]>

dependabot bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Dec 2, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump the gradle-dependencies group with 21 updates #324

Bump the gradle-dependencies group with 21 updates #324

Uh oh!

dependabot bot commented on behalf of github Dec 2, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Bump the gradle-dependencies group with 21 updates #324

Are you sure you want to change the base?

Bump the gradle-dependencies group with 21 updates #324

Uh oh!

Conversation

dependabot bot commented on behalf of github Dec 2, 2025

Error Prone 2.45.0

Error Prone 2.44.0

Error Prone 2.45.0

Error Prone 2.44.0

Error Prone 2.45.0

Error Prone 2.44.0

v1.32.0

v1.77.0

API Changes

Bug Fixes

Improvements

New Features

Dependencies

Thanks to

0.9.0

💡 Improvements

0.8.0

🐛 Fixes

v0.27.0

What's Changed

1.1.0

What's Changed

NullAway 0.12.12

Version 0.12.12

NullAway 0.12.12

Version 0.12.12

NullAway 0.12.12

Version 0.12.12

Version 5.3.2

Version 5.3.1

Version 3.16.4

Version 3.16.3

1.11 (2025-11-19)

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant