chore: [DevOps] bump the production-minor-patch group with 8 updates #1107

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/maven/main/production-minor-patch-aafa9abe15

@dependabot dependabot bot commented on behalf of github Mar 3, 2026

Bumps the production-minor-patch group with 8 updates:

| Package | From | To |
| --- | --- | --- |
| org.assertj:assertj-vavr | 0.4.3 | 0.5.0 |
| org.mockito:mockito-core | 5.21.0 | 5.22.0 |
| org.yaml:snakeyaml | 2.5 | 2.6 |
| io.vavr:vavr | 1.0.0 | 1.0.1 |
| org.checkerframework:checker-qual | 3.53.1 | 3.54.0 |
| com.google.errorprone:error_prone_annotations | 2.47.0 | 2.48.0 |
| io.spiffe:java-spiffe-core | 0.8.15 | 0.8.16 |
| io.spiffe:grpc-netty-linux | 0.8.15 | 0.8.16 |

Updates org.assertj:assertj-vavr from 0.4.3 to 0.5.0

Release notes

Sourced from org.assertj:assertj-vavr's releases.

v0.5.0

What's Changed

New Contributors

Full Changelog: assertj/assertj-vavr@v0.4.3...v0.5.0

Commits

Updates org.mockito:mockito-core from 5.21.0 to 5.22.0

Release notes

Sourced from org.mockito:mockito-core's releases.

v5.22.0

Changelog generated by Shipkit Changelog Gradle Plugin

5.22.0

Commits
  • 25f1395 Add core API to enable Kotlin singleton mocking (#3762)
  • ef9ee55 Avoids mocking private static methods, as well as package-private static meth...
  • d16fcfc Bump graalvm/setup-graalvm from 1.4.4 to 1.4.5 (#3780)
  • 27eb8a3 Clarify RETURNS_MOCKS behavior with sealed abstract enums (Java 15+) (#3773)
  • 9e5d449 Add tests for Sets utility class (#3771)
  • 8d9a62f Bump actions/upload-artifact from 5 to 6 (#3774)
  • See full diff in compare view

Updates org.yaml:snakeyaml from 2.5 to 2.6

Commits

Updates io.vavr:vavr from 1.0.0 to 1.0.1

Release notes

Sourced from io.vavr:vavr's releases.

v1.0.1

Fixes a native HashMap serialization bug, which serialized the internal HashArrayMappedTrie structure including the pre-computed hash values of keys.

For keys like enums that use Object.hashCode() (non-deterministic across JVM restarts), these stored hash values would differ in another process, causing lookups to fail.

Full Changelog: vavr-io/vavr@v1.0.0...v1.0.1

Commits
  • ee2a57b [maven-release-plugin] prepare release v1.0.1 [ci skip]
  • 9f4e95e update project version to 1.0.1-SNAPSHOT
  • 08e55f4 Added the serialization proxy pattern to HashMap (#3242)
  • See full diff in compare view

Updates org.checkerframework:checker-qual from 3.53.1 to 3.54.0

Release notes

Sourced from org.checkerframework:checker-qual's releases.

Checker Framework 3.54.0

Version 3.54.0 (2026-03-02)

User-visible changes

Command-line arguments:

  • Added -AinferOutputDirectory.
  • Removed long-deprecated -Alint=forbidnonnullarraycomponents.

New command-line argument -Aonelinemsg puts error messages on a single line. This is useful when using a tool that only shows the first line of the error.

The command-line argument -Anomsgtext surrounds the error key with brackets instead of parentheses. This matches Java error messages.

Implementation details

In AnnotatedTypeFactory, canonicalAnnotation() returns a non-null value.

In AnnotationClassLoader:

  • Renamed hasWellDefinedTargetMetaAnnotation() to isTypeQualifierAnnotation(). The method now returns true for annotations bearing @InvisibleQualifier or @SubtypeOf, in addition to the existing @Target(TYPE_USE) check.

In TestDiagnostic:

  • Renamed field message to key.
  • Added new nullable field message for the full message without the key.

Removed classes and methods that have been deprecated for more than two years.

Closed issues

#6874, #7471, #7475, #7486.

Changelog

Sourced from org.checkerframework:checker-qual's changelog.

Version 3.54.0 (2026-03-02)

User-visible changes

Command-line arguments:

  • Added -AinferOutputDirectory.
  • Removed long-deprecated -Alint=forbidnonnullarraycomponents.

New command-line argument -Aonelinemsg puts error messages on a single line. This is useful when using a tool that only shows the first line of the error.

The command-line argument -Anomsgtext surrounds the error key with brackets instead of parentheses. This matches Java error messages.

Implementation details

In AnnotatedTypeFactory, canonicalAnnotation() returns a non-null value.

In AnnotationClassLoader:

  • Renamed hasWellDefinedTargetMetaAnnotation() to isTypeQualifierAnnotation(). The method now returns true for annotations bearing @InvisibleQualifier or @SubtypeOf, in addition to the existing @Target(TYPE_USE) check.

In TestDiagnostic:

  • Renamed field message to key.
  • Added new nullable field message for the full message without the key.

Removed classes and methods that have been deprecated for more than two years.

Closed issues

#6874, #7471, #7475, #7486.

Commits
  • a6eff70 new release 3.54.0
  • fd34700 Prep for release.
  • edb6e7a Print error key in brackets (#7525)
  • a79b1de Show details of the error message in test failures (#7513)
  • a5ecc22 Clone the JDK using the same fork and branch as CF (#7491)
  • 2770c52 Update cimg/base Docker tag to v2026.03
  • bba6bc9 Update plugin com-gradleup-shadow to v9.3.2
  • 3a6d4d4 Update error-prone monorepo to v2.48.0
  • 70aa5f3 Update plugin net-ltgt-errorprone to v5.1.0
  • 0dbd3e7 Prepare for javac AST changes
  • Additional commits viewable in compare view

Updates com.google.errorprone:error_prone_annotations from 2.47.0 to 2.48.0

Release notes

Sourced from com.google.errorprone:error_prone_annotations's releases.

Error Prone 2.48.0

Changes:

New checks:

Closed issues: #5529, #5537, #5522, #5521

Full changelog: google/error-prone@v2.47.0...v2.48.0

Commits
  • 7cec0a0 Release Error Prone 2.48.0
  • 01c603a Extend MissingTestCall to check for member references.
  • 3d817b0 Handle var in UnnecessaryBoxedVariable
  • ad26f3e Add ConcurrentHashMap.keys() and ConcurrentHashMap.elements() to `JdkObso...
  • 7926dbc Fix MustBeClosedChecker crash on flexible constructors.
  • d08f003 Check for jakarta annotations in DI checks
  • 171448c Add android internal GuardedBy to ACCEPTED_GUARDED_BY_ANNOTATIONS
  • 5cb6075 Remove the MissingTestCall:MatchGraphVerify flag.
  • ab81681 Improve crash messages for fixes that don't apply
  • fe9bb21 Add a test to confirm that TimeUnitMismatch catches `seconds * 1000 + nanos /...
  • Additional commits viewable in compare view

Updates io.spiffe:java-spiffe-core from 0.8.15 to 0.8.16

Release notes

Sourced from io.spiffe:java-spiffe-core's releases.

v0.8.16

Fixed

  • Require spiffe:// prefix when parsing SPIFFE IDs, tightening scheme validation (#398)
  • Ensure atomic snapshot of X.509 SVID and bundles in DefaultX509Source, preventing torn reads under concurrency (#397)
  • Reject null bundles and empty cached SVID lists in core parsing/cache paths (#399)
  • Validate presence of JWT audience claim during parsing (#399)

Dependency updates

  • Bump grpcVersion from 1.77.0 to 1.79.0 (#392, #402)
  • Bump com.nimbusds:nimbus-jose-jwt from 10.6 to 10.8 (#395, #409)
  • Bump gradle-wrapper from 9.2.1 to 9.3.1 (#400, #401)

Changelog

Sourced from io.spiffe:java-spiffe-core's changelog.

[0.8.16] - 2026-02-25

Fixed

  • Require spiffe:// prefix when parsing SPIFFE IDs, tightening scheme validation (#398)
  • Ensure atomic snapshot of X.509 SVID and bundles in DefaultX509Source, preventing torn reads under concurrency (#397)
  • Reject null bundles and empty cached SVID lists in core parsing/cache paths (#399)
  • Validate presence of JWT audience claim during parsing (#399)

Dependency updates

  • Bump grpcVersion from 1.77.0 to 1.79.0 (#392, #402)
  • Bump com.nimbusds:nimbus-jose-jwt from 10.6 to 10.8 (#395, #409)
  • Bump gradle-wrapper from 9.2.1 to 9.3.1 (#400, #401)

Build

  • Simplify Dependabot config and group coupled Gradle dependencies (#403)

Commits
  • 393a892 chore(release): prepare release 0.8.16 (#407)
  • be7416e chore(deps): bump com.nimbusds:nimbus-jose-jwt from 10.7 to 10.8 (#409)
  • 4bd0149 chore(ci): bump java-spiffe-helper ci charts versions (#408)
  • 753812a chore(ci): simplify dependabot config and group coupled gradle deps (#403)
  • c616b61 Bump gradle-wrapper from 9.3.0 to 9.3.1 (#401)
  • f8e1695 Bump grpcVersion from 1.78.0 to 1.79.0 (#402)
  • 157d491 Bump gradle-wrapper from 9.2.1 to 9.3.0 (#400)
  • 4d1cee3 fix(core): harden parsing and cache edge cases (#399)
  • 8bf98fb fix(x509source): ensure atomic snapshot of SVID and bundles (#397)
  • f9969c1 fix(spiffeid): require spiffe:// prefix when parsing IDs (#398)
  • Additional commits viewable in compare view

Updates io.spiffe:grpc-netty-linux from 0.8.15 to 0.8.16

Release notes

Sourced from io.spiffe:grpc-netty-linux's releases.

v0.8.16

Fixed

  • Require spiffe:// prefix when parsing SPIFFE IDs, tightening scheme validation (#398)
  • Ensure atomic snapshot of X.509 SVID and bundles in DefaultX509Source, preventing torn reads under concurrency (#397)
  • Reject null bundles and empty cached SVID lists in core parsing/cache paths (#399)
  • Validate presence of JWT audience claim during parsing (#399)

Dependency updates

  • Bump grpcVersion from 1.77.0 to 1.79.0 (#392, #402)
  • Bump com.nimbusds:nimbus-jose-jwt from 10.6 to 10.8 (#395, #409)
  • Bump gradle-wrapper from 9.2.1 to 9.3.1 (#400, #401)

Changelog

Sourced from io.spiffe:grpc-netty-linux's changelog.

[0.8.16] - 2026-02-25

Fixed

  • Require spiffe:// prefix when parsing SPIFFE IDs, tightening scheme validation (#398)
  • Ensure atomic snapshot of X.509 SVID and bundles in DefaultX509Source, preventing torn reads under concurrency (#397)
  • Reject null bundles and empty cached SVID lists in core parsing/cache paths (#399)
  • Validate presence of JWT audience claim during parsing (#399)

Dependency updates

  • Bump grpcVersion from 1.77.0 to 1.79.0 (#392, #402)
  • Bump com.nimbusds:nimbus-jose-jwt from 10.6 to 10.8 (#395, #409)
  • Bump gradle-wrapper from 9.2.1 to 9.3.1 (#400, #401)

Build

  • Simplify Dependabot config and group coupled Gradle dependencies (#403)

Commits
  • 393a892 chore(release): prepare release 0.8.16 (#407)
  • be7416e chore(deps): bump com.nimbusds:nimbus-jose-jwt from 10.7 to 10.8 (#409)
  • 4bd0149 chore(ci): bump java-spiffe-helper ci charts versions (#408)
  • 753812a chore(ci): simplify dependabot config and group coupled gradle deps (#403)
  • c616b61 Bump gradle-wrapper from 9.3.0 to 9.3.1 (#401)
  • f8e1695 Bump grpcVersion from 1.78.0 to 1.79.0 (#402)
  • 157d491 Bump gradle-wrapper from 9.2.1 to 9.3.0 (#400)
  • 4d1cee3 fix(core): harden parsing and cache edge cases (#399)
  • 8bf98fb fix(x509source): ensure atomic snapshot of SVID and bundles (#397)
  • f9969c1 fix(spiffeid): require spiffe:// prefix when parsing IDs (#398)
  • Additional commits viewable in compare view

Bumps the production-minor-patch group with 8 updates:

| Package | From | To |
| --- | --- | --- |
| [org.assertj:assertj-vavr](https://github.com/assertj/assertj-vavr) | `0.4.3` | `0.5.0` |
| [org.mockito:mockito-core](https://github.com/mockito/mockito) | `5.21.0` | `5.22.0` |
| [org.yaml:snakeyaml](https://bitbucket.org/snakeyaml/snakeyaml) | `2.5` | `2.6` |
| [io.vavr:vavr](https://github.com/vavr-io/vavr) | `1.0.0` | `1.0.1` |
| [org.checkerframework:checker-qual](https://github.com/typetools/checker-framework) | `3.53.1` | `3.54.0` |
| [com.google.errorprone:error_prone_annotations](https://github.com/google/error-prone) | `2.47.0` | `2.48.0` |
| [io.spiffe:java-spiffe-core](https://github.com/spiffe/java-spiffe) | `0.8.15` | `0.8.16` |
| [io.spiffe:grpc-netty-linux](https://github.com/spiffe/java-spiffe) | `0.8.15` | `0.8.16` |


Updates `org.assertj:assertj-vavr` from 0.4.3 to 0.5.0
- [Release notes](https://github.com/assertj/assertj-vavr/releases)
- [Commits](assertj/assertj-vavr@v0.4.3...v0.5.0)

Updates `org.mockito:mockito-core` from 5.21.0 to 5.22.0
- [Release notes](https://github.com/mockito/mockito/releases)
- [Commits](mockito/mockito@v5.21.0...v5.22.0)

Updates `org.yaml:snakeyaml` from 2.5 to 2.6
- [Commits](https://bitbucket.org/snakeyaml/snakeyaml/branches/compare/snakeyaml-2.6..snakeyaml-2.5)

Updates `io.vavr:vavr` from 1.0.0 to 1.0.1
- [Release notes](https://github.com/vavr-io/vavr/releases)
- [Commits](vavr-io/vavr@v1.0.0...v1.0.1)

Updates `org.checkerframework:checker-qual` from 3.53.1 to 3.54.0
- [Release notes](https://github.com/typetools/checker-framework/releases)
- [Changelog](https://github.com/typetools/checker-framework/blob/master/docs/CHANGELOG.md)
- [Commits](typetools/checker-framework@checker-framework-3.53.1...checker-framework-3.54.0)

Updates `com.google.errorprone:error_prone_annotations` from 2.47.0 to 2.48.0
- [Release notes](https://github.com/google/error-prone/releases)
- [Commits](google/error-prone@v2.47.0...v2.48.0)

Updates `io.spiffe:java-spiffe-core` from 0.8.15 to 0.8.16
- [Release notes](https://github.com/spiffe/java-spiffe/releases)
- [Changelog](https://github.com/spiffe/java-spiffe/blob/main/CHANGELOG.md)
- [Commits](spiffe/java-spiffe@v0.8.15...v0.8.16)

Updates `io.spiffe:grpc-netty-linux` from 0.8.15 to 0.8.16
- [Release notes](https://github.com/spiffe/java-spiffe/releases)
- [Changelog](https://github.com/spiffe/java-spiffe/blob/main/CHANGELOG.md)
- [Commits](spiffe/java-spiffe@v0.8.15...v0.8.16)

---
updated-dependencies:
- dependency-name: org.assertj:assertj-vavr
  dependency-version: 0.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-minor-patch
- dependency-name: org.mockito:mockito-core
  dependency-version: 5.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-minor-patch
- dependency-name: org.yaml:snakeyaml
  dependency-version: '2.6'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-minor-patch
- dependency-name: io.vavr:vavr
  dependency-version: 1.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-minor-patch
- dependency-name: org.checkerframework:checker-qual
  dependency-version: 3.54.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-minor-patch
- dependency-name: com.google.errorprone:error_prone_annotations
  dependency-version: 2.48.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-minor-patch
- dependency-name: io.spiffe:java-spiffe-core
  dependency-version: 0.8.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-minor-patch
- dependency-name: io.spiffe:grpc-netty-linux
  dependency-version: 0.8.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the `dependencies` (Pull requests that update a dependency file) and `java` (Pull requests that update Java code) labels Mar 3, 2026
@bot-sdk-js bot-sdk-js enabled auto-merge (squash) March 3, 2026 10:24
auto-merge was automatically disabled March 3, 2026 10:24

Pull Request is not mergeable

dependabot bot commented on behalf of github Mar 3, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot bot closed this Mar 3, 2026
@dependabot dependabot bot deleted the dependabot/maven/main/production-minor-patch-aafa9abe15 branch March 3, 2026 10:26