Skip to content

fix(deps): bump the prod-deps group across 1 directory with 9 updates#144

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/maven/prod-deps-90128ad41d
Open

fix(deps): bump the prod-deps group across 1 directory with 9 updates#144
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/maven/prod-deps-90128ad41d

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 15, 2026

Copy link
Copy Markdown
Contributor

Bumps the prod-deps group with 9 updates in the / directory:

Package From To
org.apache.logging.log4j:log4j-bom 2.20.0 2.26.0
io.vertx:vertx-stack-depchain 5.0.8 5.1.1
org.apache.httpcomponents.client5:httpclient5 5.2.1 5.6.1
commons-codec:commons-codec 1.17.1 1.22.0
com.sun.xml.bind:jaxb-impl 2.3.9 4.0.9
org.apache.commons:commons-lang3 3.12.0 3.20.0
javax.ws.rs:javax.ws.rs-api 2.0.1 2.1.1
org.folio:util 35.2.2 36.0.0
org.folio.okapi:okapi-common 7.0.0 7.0.4

Updates org.apache.logging.log4j:log4j-bom from 2.20.0 to 2.26.0

Release notes

Sourced from org.apache.logging.log4j:log4j-bom's releases.

2.26.0

This minor release delivers all the fixes in the [2.25.0, 2.25.4] version range, plus some new fixes, and several other improvements and features.

Added

  • Add a new ConfigurationFactory::getConfiguration method accepting multiple URIs (#3775, #3921)
  • Add and export org.apache.logging.log4j.core.pattern.NamedInstantPattern enabling users to programmatically access named date & time patterns supported by Pattern Layout (#3789)
  • Add log4j.plugin.processor.minAllowedMessageKind annotation processor option to PluginProcessor to filter diagnostic messages by severity. This allows builds that treat compiler notes as errors (e.g. Maven with -Werror) to suppress informational notes emitted during normal plugin processing. (apache/logging-log4j2#3380, #4063)
  • Add missing setters to Rfc5424LayoutBuilder

Changed

  • Ensure scripts in the global Scripts element have explicit names by throwing a ConfigurationException for unnamed ones. (#3176)
  • Simplify file manager registry factory methods (#3968)

Deprecated

  • Deprecated withers in builder classes in favor of setters. This change improves API consistency with Log4j Core 3 and helps users adapt to the upcoming changes. (#3750)

Fixed

  • Fix script resolution failure when the Scripts element is placed after a ScriptRef in the configuration. (#3336)
  • Fix ArrayIndexOutOfBoundsException thrown by ThrowableStackTraceRenderer when the stack trace is modified concurrently (#3940, #3955)
  • Fix SLF4JLogger.atFatal() returning atLevel(Level.TRACE) instead of atLevel(Level.FATAL). This was causing FATAL-level log events to be silently discarded when using the fluent API through the log4j-to-slf4j bridge. (#4068, #4089)
  • Fix Javadoc references across module boundaries (i.e., cross-references) (#4099, #4100)
  • Fix header write in RollingRandomAccessFileManager that was being incorrectly skipped if append=true and the file didn't exist before
  • Fix a properties file configuration regression caused by not referenced loggers, appenders, and filters (#4036, #4069)

Removed

  • Remove the jvmrunargs lookup. (#3874)

Updated

  • Update org.junit:junit-bom to version 5.13.4 (#3850)
  • Update org.mongodb:bson to version 5.6.1 (#3961)
  • Update org.xerial.snappy:snappy-java to version 1.1.10.8 (#3841)

2.25.4

This patch release delivers fixes for configuration inconsistencies and formatting issues across several layouts.

  • Restores alignment between documented and actual configuration attributes.
  • Fixes formatting and sanitization issues in XML and RFC5424 layouts.
  • Improves handling of invalid characters and non-standard values.

The authoritative list of recognized configuration attributes is available in the PluginReference.

Fixed

  • Don't issue warnings if extra argument in parameterized logging is null. (#3975, #4014)

... (truncated)

Commits
  • c1ad2a6 Update the project.build.outputTimestamp property
  • 8b3a799 Set version to 2.26.0
  • 96486eb Merge remote-tracking branch 'origin/2.x' into release/2.26.0
  • 8243257 Add documentation for MessageRewritePolicy (#4042)
  • 2a15414 Add documentation pointer to the Async HTTP Appender of more-log4j2 (#4062)
  • b178cb1 Switch CI to gha/v0 and remove Develocity (#4108)
  • 23321de Remove changelog entries for already released changes
  • def55fc Add .release.xml and .release-notes.adoc.ftl
  • 0e019f2 Move changelog entries
  • a487a5d Tidy up changelog
  • Additional commits viewable in compare view

Updates io.vertx:vertx-stack-depchain from 5.0.8 to 5.1.1

Updates org.apache.httpcomponents.client5:httpclient5 from 5.2.1 to 5.6.1

Changelog

Sourced from org.apache.httpcomponents.client5:httpclient5's changelog.

Release 5.6.1

This is a maintenance release disables experimental SCRAM auth scheme by default and fixes SCRAM final response handling. The SCRAM auth scheme can be re-enabled by choosing a custom auth scheme preference sequence that explicitly includes SCRAM auth.

Change Log

  • Fix SCRAM final response handling. Contributed by Arturo Bernal

  • Auth challenge parsing code improvement. Contributed by Oleg Kalnichevski

  • Add missing Javadoc for ConnectionConfig (#820). Contributed by Gary Gregory

  • Bug fix: Corrected async message exchange cancellation logic in InternalHttpAsyncExecRuntime. Contributed by Oleg Kalnichevski

  • HTTPCLIENT-2417: Honor TlsConfig attachment in async connect path. Contributed by Arturo Bernal

  • HTTPCLIENT-2414: Fix Basic auth cache scoping across path prefixes (#802). Contributed by Arturo Bernal

  • HTTPCLIENT-2415: Normalize CookieOrigin path for cookie matching (#803). Contributed by Arturo Bernal

  • Bug fix: Corrected sleep time calculation in IdleConnectionEvictor; use 1 minute sleep time by default. Contributed by Oleg Kalnichevski

  • DefaultManagedHttpClientConnection: Restore original socket timeout. Contributed by Ryan Schmitt

  • HTTPCLIENT-2411: Use standard HTTP-date format for synthesized Date header (#775). Contributed by Arturo Bernal

  • Fix NPE in connection evictor setup (#774). Contributed by Arturo Bernal

Release 5.6

... (truncated)

Commits
  • 4f86ca6 HttpClient 5.6.1 release
  • 1b2bafe Updated release notes for HttpClient 5.6.1 release
  • 1acf00b Fix SCRAM final response handling
  • 49549ab Auth challenge parsing code improvement
  • fa6b6d7 Add missing Javadoc for ConnectionConfig (#820)
  • 3de8ad5 Fixed DefaultClientTlsStrategy test failures on MacOS
  • c69f38f Bug-fix: corrects message exchange cancellation logic in InternalHttpAsyncExe...
  • 30386d3 HTTPCLIENT-2417 Honor TlsConfig attachment in async connect path
  • 9cc45f6 HTTPCLIENT-2414 - Fix Basic auth cache scoping across path prefixes (#802)
  • 1e01a48 HTTPCLIENT-2415: Normalize CookieOrigin path for cookie matching (#803)
  • Additional commits viewable in compare view

Updates commons-codec:commons-codec from 1.17.1 to 1.22.0

Changelog

Sourced from commons-codec:commons-codec's changelog.

Apache Commons Codec 1.22.0 Release Notes

The Apache Commons Codec team is pleased to announce the release of Apache Commons Codec 1.22.0.

The Apache Commons Codec component contains encoders and decoders for formats such as Base16, Base32, Base64, digest, and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

This is a feature and maintenance release. Java 8 or later is required.

New features

  • CODEC-326: Add Base58 support. Thanks to Inkeet, Gary Gregory, Wolff Bock von Wuelfingen.
  •         Add BaseNCodecInputStream.AbstracBuilder.setByteArray(byte[]). Thanks to Gary Gregory.
    
  • CODEC-335: Add GitIdentifiers to compute Git blob and tree object identifiers. Thanks to Piotr P. Karwasz, Gary Gregory.

Fixed Bugs

  • CODEC-249: Fix Incorrect transform of CH digraph according Metaphone basic rules #423. Thanks to Shalu Jha, Andrey, Gary Gregory.
  • CODEC-317: ColognePhonetic can create duplicate consecutive codes in some cases. Thanks to DRUser123, Shalu Jha, Gary Gregory.
  •         Add boundary tests for BinaryCodec.fromAscii partial-bit inputs [#425](https://github.com/apache/commons-codec/issues/425). Thanks to fancying, Gary Gregory.
    
  • CODEC-336: Base64.Builder.setUrlSafe(boolean) Javadoc incorrectly states null is accepted for primitive boolean parameter. Thanks to Partha Paul, Gary Gregory.

Changes

  •         Bump org.apache.commons:commons-parent from 96 to 98. Thanks to Gary Gregory.
    

For complete information on Apache Commons Codec, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Commons Codec website:

https://commons.apache.org/proper/commons-codec/

Download page: https://commons.apache.org/proper/commons-codec/download_codec.cgi


Apache Commons Codec 1.21.0 Release Notes

The Apache Commons Codec team is pleased to announce the release of Apache Commons Codec 1.21.0.

The Apache Commons Codec component contains encoders and decoders for formats such as Base16, Base32, Base64, digest, and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a

... (truncated)

Commits

Updates com.sun.xml.bind:jaxb-impl from 2.3.9 to 4.0.9

Updates org.apache.commons:commons-lang3 from 3.12.0 to 3.20.0

Updates javax.ws.rs:javax.ws.rs-api from 2.0.1 to 2.1.1

Commits

Updates org.folio:util from 35.2.2 to 36.0.0

Release notes

Sourced from org.folio:util's releases.

v36.0.0

Trillium (2026 R1) release, see upgrade notes.

  • RMB-1025 Create schema even if role already exists
  • RMB-1028 readonly custom field should delete property
  • RMB-785 Replace GenerateRunner with domain-models-maven-plugin in README.md
  • RMB-1027 Migrate Vert.x from 4 to 5
  • RMB-1031 validate module_to which will be stored in DB
  • RMB-1023 Remove/Reduce Ineffective/Verbose Log Lines For CQL2PgJSON
  • RMB-1032 Add futurized TenantAPI.postTenantSync
  • RMB-1033 RestRouting null removal: allow array in path
  • FAT-22537 Added upgrading note about ServicesResourceTransformer to avoid race condition during FolioLocal initialization
  • RMB-1036 Initialize loggers before setting log level
  • RMB-1029 TRUNCATE rmb_internal_analyze; ERROR: canceling statement due to lock timeout (55P03)
  • RMB-1026 DB_MAX_LIFETIME option with default of 30 minutes
  • RMB-1040 Don't "WARN TenantLoading TenantLoading.perform No X-Okapi-Url-to header"
  • RMB-1041 HttpStatus, HttpHeaders - drop-in replacement of httpcomponents
  • RMB-1042 Vert.x 5.0.6 fixing CVE-2025-67735 Netty CRLF injection request smuggling
  • RMB-1045 upgrade to test-containers 2.0.3
  • RMB-1046 Avoid regex in .replaceAll(" +[*]", "")
  • RMB-1047 Fix polynomial runtime regex in PgUtil - Support ) and = in error message fields
  • RMB-1030 CachedConnectionManager "permission denied": Better recovery from error state, warn about buggy DB_MAXSHAREDPOOLSIZE
  • RMB-1051 Trillium: Bump dependencies (Vertx 5.0.10, log4j 2.25.4, …)
  • RMB-1052 ERROR: 42501: permission denied for "CREATE SCHEMA IF NOT EXISTS"
  • RMB-1048 Enable maven workflows, disable Jenkins workflow

v35.4.2

Vert.x compatibility

Restrictions when using RMB's or Vert.x' Postgres client:

  • RMB >= 35.4.2 requires Vert.x >= 4.5.23.
  • RMB 35.4.0 and 35.4.1 require Vert.x <= 4.5.22.

v35.4.1

v35.4.0

Sunflower (2025 R1) release.

  • RMB-1010: PostgreSQLContainer withStartupAttempts(3)
  • RMB-1011: Timeout when trying to connect to DB_HOST:DB_PORT
  • RMB-1013: make helper functions public in PgUtil class
  • RMB-1021: Upgrade Java from 17 to 21
  • RMB-1022, RMB-1014: Vert.x 4.5.13, other dep upgrades for Sunflower

... (truncated)

Changelog

Sourced from org.folio:util's changelog.

36.0.0 2026-04-09

Trillium (2026 R1) release, see upgrade notes.

  • RMB-1025 Create schema even if role already exists
  • RMB-1028 readonly custom field should delete property
  • RMB-785 Replace GenerateRunner with domain-models-maven-plugin in README.md
  • RMB-1027 Migrate Vert.x from 4 to 5
  • RMB-1031 validate module_to which will be stored in DB
  • RMB-1023 Remove/Reduce Ineffective/Verbose Log Lines For CQL2PgJSON
  • RMB-1032 Add futurized TenantAPI.postTenantSync
  • RMB-1033 RestRouting null removal: allow array in path
  • FAT-22537 Added upgrading note about ServicesResourceTransformer to avoid race condition during FolioLocal initialization
  • RMB-1036 Initialize loggers before setting log level
  • RMB-1029 TRUNCATE rmb_internal_analyze; ERROR: canceling statement due to lock timeout (55P03)
  • RMB-1026 DB_MAX_LIFETIME option with default of 30 minutes
  • RMB-1040 Don't "WARN TenantLoading TenantLoading.perform No X-Okapi-Url-to header"
  • RMB-1041 HttpStatus, HttpHeaders - drop-in replacement of httpcomponents
  • RMB-1042 Vert.x 5.0.6 fixing CVE-2025-67735 Netty CRLF injection request smuggling
  • RMB-1045 upgrade to test-containers 2.0.3
  • RMB-1046 Avoid regex in .replaceAll(" +[*]", "")
  • RMB-1047 Fix polynomial runtime regex in PgUtil - Support ) and = in error message fields
  • RMB-1030 CachedConnectionManager "permission denied": Better recovery from error state, warn about buggy DB_MAXSHAREDPOOLSIZE
  • RMB-1051 Trillium: Bump dependencies (Vertx 5.0.10, log4j 2.25.4, …)
  • RMB-1052 ERROR: 42501: permission denied for "CREATE SCHEMA IF NOT EXISTS"
  • RMB-1048 Enable maven workflows, disable Jenkins workflow

35.4.0 2025-02-28

Sunflower (2025 R1) release, see upgrade notes.

  • RMB-1010: PostgreSQLContainer withStartupAttempts(3)
  • RMB-1011: Timeout when trying to connect to DB_HOST:DB_PORT
  • RMB-1013: make helper functions public in PgUtil class
  • RMB-1021: Upgrade Java from 17 to 21
  • RMB-1022, RMB-1014: Vert.x 4.5.13, other dep upgrades for Sunflower

35.3.0 2024-10-14

Ramsons (2024 R2) release, see upgrade notes.

New features:

  • RMB-993 Set db connection application_name for Postgres' pg_stat_activity
  • RMB-994 Cache loading of schema.json in CQL2PgJSON
  • RMB-997 Avoid left(...,600) for sqlExpression/sqlExpressionQuery
  • RMB-998, RMB-1007 Upgrade dependencies for Ramsons; add license
  • RMB-985 Avoid SET ROLE/SET SCHEMA in Shared Pool
  • RMB-1000 Provide ObjectMapperTool.valueAsString
  • RMB-975 Define DB_HOST_ASYNC_READER, DB_PORT_ASYNC_READER
  • RMB-1003 Replace deprecated io.vertx.core.logging.Logger by org.apache.logging.log4j.Logger

... (truncated)

Commits
  • fe9bccc [maven-release-plugin] prepare release v36.0.0
  • c21ab01 NEWS for Trillium release 36.0.0
  • 3c202f5 Merge pull request #1230 from folio-org/RMB-1052
  • 428d058 Merge branch 'master' into RMB-1052
  • 431d87a Merge pull request #1231 from folio-org/RMB-1048-workflows-maven
  • cdc1b9d Enable maven workflows RMB-1048
  • fa87407 RMB-1052: ERROR: 42501: permission denied for "CREATE SCHEMA IF NOT EXISTS"
  • 347df22 Merge pull request #1229 from folio-org/RMB-1051
  • 39262ac RMB-1051: Trillium: Bump dependencies (Vertx 5.0.10, log4j 2.25.4, …)
  • a670973 RMB-1030: CachedConnectionManager can return permission denied for schema (#1...
  • Additional commits viewable in compare view

Updates org.folio.okapi:okapi-common from 7.0.0 to 7.0.4

Release notes

Sourced from org.folio.okapi:okapi-common's releases.

v7.0.4

v7.0.3

v7.0.2

v7.0.1

Changelog

Sourced from org.folio.okapi:okapi-common's changelog.

7.0.4 2026-05-21

7.0.3 2026-04-01

7.0.2 2026-02-11

7.0.1 2025-11-13

Commits
  • 927b275 [maven-release-plugin] prepare release v7.0.4
  • e929b02 NEWS for 7.0.4
  • 6910a08 Merge pull request #1445 from folio-org/OKAPI-1245
  • 0ba2295 OKAPI-1245: Trillium: Vertx 5.0.12 fixing Netty vulns
  • 6e6b6eb Merge pull request #1442 from folio-org/OKAPI-1243
  • edf18e0 Fix code smells: underscore in variable name, assertFalse+equals
  • 7ce4e84 Merge branch 'master' into OKAPI-1243
  • f717777 Merge pull request #1443 from folio-org/release-7.0.3
  • 49fdc97 [maven-release-plugin] prepare for next development iteration
  • 742baee [maven-release-plugin] prepare release v7.0.3
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels Apr 15, 2026
@dependabot dependabot Bot force-pushed the dependabot/maven/prod-deps-90128ad41d branch from 65c7f24 to 9ad9462 Compare April 19, 2026 01:53
Bumps the prod-deps group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [org.apache.logging.log4j:log4j-bom](https://github.com/apache/logging-log4j2) | `2.20.0` | `2.26.0` |
| io.vertx:vertx-stack-depchain | `5.0.8` | `5.1.1` |
| [org.apache.httpcomponents.client5:httpclient5](https://github.com/apache/httpcomponents-client) | `5.2.1` | `5.6.1` |
| [commons-codec:commons-codec](https://github.com/apache/commons-codec) | `1.17.1` | `1.22.0` |
| com.sun.xml.bind:jaxb-impl | `2.3.9` | `4.0.9` |
| org.apache.commons:commons-lang3 | `3.12.0` | `3.20.0` |
| [javax.ws.rs:javax.ws.rs-api](https://github.com/eclipse-ee4j/jaxrs-api) | `2.0.1` | `2.1.1` |
| [org.folio:util](https://github.com/folio-org/raml-module-builder) | `35.2.2` | `36.0.0` |
| [org.folio.okapi:okapi-common](https://github.com/folio-org/okapi) | `7.0.0` | `7.0.4` |



Updates `org.apache.logging.log4j:log4j-bom` from 2.20.0 to 2.26.0
- [Release notes](https://github.com/apache/logging-log4j2/releases)
- [Changelog](https://github.com/apache/logging-log4j2/blob/2.x/RELEASE-NOTES.adoc)
- [Commits](apache/logging-log4j2@rel/2.20.0...rel/2.26.0)

Updates `io.vertx:vertx-stack-depchain` from 5.0.8 to 5.1.1

Updates `org.apache.httpcomponents.client5:httpclient5` from 5.2.1 to 5.6.1
- [Changelog](https://github.com/apache/httpcomponents-client/blob/rel/v5.6.1/RELEASE_NOTES.txt)
- [Commits](apache/httpcomponents-client@rel/v5.2.1...rel/v5.6.1)

Updates `commons-codec:commons-codec` from 1.17.1 to 1.22.0
- [Changelog](https://github.com/apache/commons-codec/blob/master/RELEASE-NOTES.txt)
- [Commits](apache/commons-codec@rel/commons-codec-1.17.1...rel/commons-codec-1.22.0)

Updates `com.sun.xml.bind:jaxb-impl` from 2.3.9 to 4.0.9

Updates `org.apache.commons:commons-lang3` from 3.12.0 to 3.20.0

Updates `javax.ws.rs:javax.ws.rs-api` from 2.0.1 to 2.1.1
- [Release notes](https://github.com/eclipse-ee4j/jaxrs-api/releases)
- [Commits](https://github.com/eclipse-ee4j/jaxrs-api/commits/2.1.1)

Updates `org.folio:util` from 35.2.2 to 36.0.0
- [Release notes](https://github.com/folio-org/raml-module-builder/releases)
- [Changelog](https://github.com/folio-org/raml-module-builder/blob/master/NEWS.md)
- [Commits](folio-org/raml-module-builder@v35.2.2...v36.0.0)

Updates `org.folio.okapi:okapi-common` from 7.0.0 to 7.0.4
- [Release notes](https://github.com/folio-org/okapi/releases)
- [Changelog](https://github.com/folio-org/okapi/blob/master/NEWS.md)
- [Commits](folio-org/okapi@v7.0.0...v7.0.4)

---
updated-dependencies:
- dependency-name: com.sun.xml.bind:jaxb-impl
  dependency-version: 4.0.7
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: prod-deps
- dependency-name: commons-codec:commons-codec
  dependency-version: 1.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-deps
- dependency-name: io.vertx:vertx-stack-depchain
  dependency-version: 5.0.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-deps
- dependency-name: javax.ws.rs:javax.ws.rs-api
  dependency-version: 2.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-deps
- dependency-name: org.apache.commons:commons-lang3
  dependency-version: 3.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-deps
- dependency-name: org.apache.httpcomponents.client5:httpclient5
  dependency-version: '5.6'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-deps
- dependency-name: org.apache.logging.log4j:log4j-bom
  dependency-version: 2.25.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-deps
- dependency-name: org.folio.okapi:okapi-common
  dependency-version: 7.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-deps
- dependency-name: org.folio:util
  dependency-version: 36.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: prod-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/maven/prod-deps-90128ad41d branch from 9ad9462 to 4008a57 Compare June 7, 2026 01:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file java Pull requests that update java code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants