chore(deps): bump the minor-and-patch group with 3 updates

[dependabot]

Bumps the minor-and-patch group with 3 updates: io.projectreactor.netty:reactor-netty-http, org.jsoup:jsoup and org.apache.maven.plugins:maven-enforcer-plugin.

Updates io.projectreactor.netty:reactor-netty-http from 1.2.8 to 1.3.5

Release notes

Sourced from io.projectreactor.netty:reactor-netty-http's releases.

v1.3.5

Reactor Netty 1.3.5 is part of 2025.0.5 Release Train.

What's Changed

✨ New features and improvements

• Depend on Reactor Core v3.8.5 by @​violetagg in b68dacab12f5ff46575f9009f34ea676a212879d, see release notes
• Depend on Netty v4.2.12.Final by @​violetagg in #4167
• Depend on Netty QUIC Codec v0.0.75.Final by @​violetagg in #4148
• Depend on Brave v6.3.1 by @​dependabot[bot] in #4159
• Optimise uri construction with baseUrl in HttpClientHandler by @​violetagg in #4130
• Optimise UriEndpoint#toSocketAddressStringWithoutDefaultPort by @​violetagg in #4131
• Store resolved SocketAddress in UriEndpoint for absolute URLs by @​violetagg in #4132
• Lazily compute HttpClientOperations#resourceUrl by @​violetagg in #4135
• Pre-compute path in UriEndpoint when URI is provided by @​violetagg in #4136
• Cleanup HTTP/2 WebSocket extension handlers by @​violetagg in #4152
• Optimise Flux body accumulation for GET/HEAD/DELETE requests by @​violetagg in #4164
• Fix HTTP/3 connection pool max streams handling by @​violetagg in #4182

🐞 Bug fixes

• Ensure connection concurrency and acquired counters are updated before delivering the slot by @​violetagg in #4179
• Fix StackOverflowError in ServerTransport graceful shutdown by @​violetagg in #4181
• Fix invalidated connection reuse in Http2Pool by @​violetagg in #4180

New Contributors

• @​Junuu made their first contribution in #4137

Full Changelog: reactor/reactor-netty@v1.3.4...v1.3.5

v1.3.4

Reactor Netty 1.3.4 is part of 2025.0.4 Release Train.

What's Changed

✨ New features and improvements

• Depend on Reactor Core v3.8.4 by @​chemicL in 53e8319e6fc66e101c3b52fc3a1267a891d1aeff, see release notes
• Avoid DefaultChannelId generation for DisposedChannel by @​violetagg in #4095
• Push-based maxConcurrentStreams update via SETTINGS frame handler by @​violetagg in #4106
• Add configurable maxLifeTime with per-resource variance by @​violetagg in #4111
• Add Http2AllocationStrategy#streamBatchSize for batched stream dispatching by @​violetagg in #4114
• Override isSharable() explicitly to avoid annotation lookup by @​violetagg in #4120
• Add fast-path short-circuit for is100ContinueExpected check by @​violetagg in #4123
• Cache resolved HttpHeadersFactory instances to avoid repeated allocation by @​violetagg in #4124

🐞 Bug fixes

• Add FlushConsolidationHandler to H2C upgrade pipeline by @​violetagg in #4097
• Fix Http2Pool returning connection to the pool before H2C upgrade completes by @​violetagg in #4098
• Fix Http2Pool ACQUIRED counter not rolled back when deliver is rejected by @​violetagg in #4099

... (truncated)

Commits

• b68daca [release] Prepare and release 1.3.5
• f8fc51b Merge-ignore release 1.2.17 into 1.3.5
• 4cffaf0 [release] Back to snapshots, next is 1.2.18-SNAPSHOT
• 3f6ae4c Defer asciidoctor-pdf check to execution time
• 9f6f3e0 [release] Prepare and release 1.2.17
• 7b2c429 Merge #4190 into 1.3.5
• 6225c6d Bump ruby/setup-ruby from 1.299.0 to 1.301.0 (#4190)
• f4f9b50 Bump org.bouncycastle:bcpkix-jdk18on from 1.83 to 1.84 (#4191)
• 5b344dc Merge #4187 into 1.3.5
• e177f39 Bump @​springio/antora-extensions from 1.14.10 to 1.14.11 in /docs (#4187)
• Additional commits viewable in compare view

Updates org.jsoup:jsoup from 1.22.1 to 1.22.2

Release notes

Sourced from org.jsoup:jsoup's releases.

jsoup Java HTML Parser release 1.22.2

jsoup 1.22.2 is out now, with fixes and refinements across the library. It makes editing the DOM during traversal more predictable, refreshes the default HTML tag definitions with newer elements and better text boundaries, and improves reliability in parsing and HTTP transport. The release also fixes a number of edge cases in cleaning, stream parsing, XML doctype handling, and Android packaging.

jsoup is a Java library for working with real-world HTML and XML. It provides a very convenient API for extracting and manipulating data, using the best of HTML5 DOM methods and CSS selectors.

Download jsoup now.

Improvements

• Expanded and clarified NodeTraversor support for in-place DOM rewrites during NodeVisitor.head(). Current-node edits such as remove, replace, and unwrap now recover more predictably, while traversal stays within the original root subtree. This makes single-pass tree cleanup and normalization visitors easier to write, for example when unwrapping presentational elements or replacing text nodes as you walk the DOM. #2472
• Documentation: clarified that a configured Cleaner may be reused across concurrent threads, and that shared Safelist instances should not be mutated while in use. #2473
• Updated the default HTML TagSet for current HTML elements: added dialog, search, picture, and slot; made ins, del, button, audio, video, and canvas inline by default (Tag#isInline(), aligned to phrasing content in the spec); and added readable Element.text() boundaries for controls and embedded objects via the new Tag.TextBoundary option. This improves pretty-printing and keeps normalized text from running adjacent words together. #2493

Bug Fixes

• Android (R8/ProGuard): added a rule to ignore the optional re2j dependency when not present. #2459
• Fixed a NodeTraversor regression in 1.21.2 where removing or replacing the current node during head() could revisit the replacement node and loop indefinitely. The traversal docs now also clarify which inserted nodes are visited in the current pass. #2472
• Parsing during charset sniffing no longer fails if an advisory available() call throws IOException, as seen on JDK 8 HttpURLConnection. #2474
• Cleaner no longer makes relative URL attributes in the input document absolute when cleaning or validating a Document. URL normalization now applies only to the cleaned output, and Safelist.isSafeAttribute() is side effect free. #2475
• Cleaner no longer duplicates enforced attributes when the input Document preserves attribute case. A case-variant source attribute is now replaced by the enforced attribute in the cleaned output. #2476
• If a per-request SOCKS proxy is configured, jsoup now avoids using the JDK HttpClient, because the JDK would silently ignore that proxy and attempt to connect directly. Those requests now fall back to the legacy HttpURLConnection transport instead, which does support SOCKS. #2468
• Connection.Response.streamParser() and DataUtil.streamParser(Path, ...) could fail on small inputs without a declared charset, if the initial 5 KB charset sniff fully consumed the input and closed it before the stream parse began. #2483
• In XML mode, doctypes with an internal subset, such as <!DOCTYPE root [<!ENTITY name "value">]>, now round-trip correctly. The subset is preserved as raw text only; entities are not expanded and external DTDs are not loaded. #2486

Build Changes

• Migrated the integration test server from Jetty to Netty, which actively maintains support for our minimum JDK target (8). #2491

---

My sincere thanks to everyone who contributed to this release! If you have any suggestions for the next release, I would love to hear them; please get in touch via jsoup discussions, or with me directly.

You can also follow me (@jhy@tilde.zone) on Mastodon / Fediverse to receive occasional notes about jsoup releases.

Changelog

Sourced from org.jsoup:jsoup's changelog.

1.22.2 (2026-Apr-20)

Improvements

• Expanded and clarified NodeTraversor support for in-place DOM rewrites during NodeVisitor.head(). Current-node edits such as remove, replace, and unwrap now recover more predictably, while traversal stays within the original root subtree. This makes single-pass tree cleanup and normalization visitors easier to write, for example when unwrapping presentational elements or replacing text nodes as you walk the DOM. #2472
• Documentation: clarified that a configured Cleaner may be reused across concurrent threads, and that shared Safelist instances should not be mutated while in use. #2473
• Updated the default HTML TagSet for current HTML elements: added dialog, search, picture, and slot; made ins, del, button, audio, video, and canvas inline by default (Tag#isInline(), aligned to phrasing content in the spec); and added readable Element.text() boundaries for controls and embedded objects via the new Tag.TextBoundary option. This improves pretty-printing and keeps normalized text from running adjacent words together. #2493

Bug Fixes

• Android (R8/ProGuard): added a rule to ignore the optional re2j dependency when not present. #2459
• Fixed a NodeTraversor regression in 1.21.2 where removing or replacing the current node during head() could revisit the replacement node and loop indefinitely. The traversal docs now also clarify which inserted nodes are visited in the current pass. #2472
• Parsing during charset sniffing no longer fails if an advisory available() call throws IOException, as seen on JDK 8 HttpURLConnection. #2474
• Cleaner no longer makes relative URL attributes in the input document absolute when cleaning or validating a Document. URL normalization now applies only to the cleaned output, and Safelist.isSafeAttribute() is side effect free. #2475
• Cleaner no longer duplicates enforced attributes when the input Document preserves attribute case. A case-variant source attribute is now replaced by the enforced attribute in the cleaned output. #2476
• If a per-request SOCKS proxy is configured, jsoup now avoids using the JDK HttpClient, because the JDK would silently ignore that proxy and attempt to connect directly. Those requests now fall back to the legacy HttpURLConnection transport instead, which does support SOCKS. #2468
• Connection.Response.streamParser() and DataUtil.streamParser(Path, ...) could fail on small inputs without a declared charset, if the initial 5 KB charset sniff fully consumed the input and closed it before the stream parse began. #2483
• In XML mode, doctypes with an internal subset, such as <!DOCTYPE root [<!ENTITY name "value">]>, now round-trip correctly. The subset is preserved as raw text only; entities are not expanded and external DTDs are not loaded. #2486

Build Changes

• Migrated the integration test server from Jetty to Netty, which actively maintains support for our minimum JDK target (8). #2491

Commits

• ac28afe [maven-release-plugin] prepare release jsoup-1.22.2
• 52f2cd3 Improve entity example in changelog
• cf6ffe0 Add Tag#TextBoundary option; bring TagSet to spec (#2493)
• 2be739c Bump github/codeql-action from 4 to 4.35.1 (#2492)
• 45de7cb Migrate integration test server from Jetty to Netty (#2491)
• 1df14ed Preserve XML doctype internal subset
• 06fa52d Adding Contribution Guide
• d4a8941 Simplify the test; doesn't need the buffer
• 823709f Don't reuse a fully read sniffed doc for StreamParser
• e1b0df5 NodeFilter javadoc tweak
• Additional commits viewable in compare view

Updates org.apache.maven.plugins:maven-enforcer-plugin from 3.5.0 to 3.6.2

Release notes

Sourced from org.apache.maven.plugins:maven-enforcer-plugin's releases.

3.6.2

🐛 Bug Fixes

• Use SessionData for cache storage (#930) @​slawekjaranowski

📝 Documentation updates

• Update Version Ranges link in site.xml (#926) @​ctubbsii
• Fix formatting typo in dependencyConvergence.apt.vm (#928) @​ascopes
• Correct support parameters documentation for banned repositories rule (#922) @​Harmelodic

👻 Maintenance

• Fixes #920 - Remove usage of Stack (#921) @​khmarbaise
• feat: enable prevent branch protection rules (#925) @​sebtiem
• Fixes #917 - Remove usage of Hashtable (#918) @​khmarbaise

📦 Dependency updates

• Bump m-invoker-p to 3.9.1 (#935) @​slawekjaranowski
• Bump org.apache.commons:commons-lang3 from 3.18.0 to 3.19.0 (#933) @dependabot[bot]
• Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 (#932) @dependabot[bot]
• Bump org.assertj:assertj-core from 3.27.4 to 3.27.5 (#931) @dependabot[bot]
• Bump org.codehaus.mojo:mrm-maven-plugin from 1.6.0 to 1.7.0 (#923) @dependabot[bot]
• Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 (#919) @dependabot[bot]
• Bump commons-codec:commons-codec from 1.18.0 to 1.19.0 (#915) @dependabot[bot]
• Bump commons-io:commons-io from 2.19.0 to 2.20.0 (#914) @dependabot[bot]
• Bump mavenVersion from 3.9.10 to 3.9.11 (#912) @dependabot[bot]

3.6.1

🚀 New features and improvements

• Improve performance of transitive dependency checks (#904) @​harrisric

🐛 Bug Fixes

• Fix NPE when a classifier part is specified in bannedDependencies (#905) @​harrisric

📝 Documentation updates

• Move contributing information into README (#911) @​slawekjaranowski
• Rewrite CONTRIBUTING.md to use the Github issue tracker instead of JIRA (#898) @​elharo

👻 Maintenance

• Remove unused javax.annotations dependency (#899) @​elharo
• Remove unused methods (#900) @​elharo
• Remove the from parameter names (#901) @​elharo

... (truncated)

Commits

• 82ba770 [maven-release-plugin] prepare release enforcer-3.6.2
• 5313c70 Bump m-invoker-p to 3.9.1
• ee5abee Bump org.apache.commons:commons-lang3 from 3.18.0 to 3.19.0
• 6c5a152 Bump org.assertj:assertj-core from 3.27.5 to 3.27.6
• 89ccb70 Bump org.assertj:assertj-core from 3.27.4 to 3.27.5 (#931)
• 03ed82d Update Version Ranges link in site.xml (#926)
• d282dc4 Fixes #920 - Remove usage of Stack
• 27e1f46 Use SessionData for cache storage (#930)
• a1bac9b Fix formatting typo in dependencyConvergence.apt.vm
• 870a1ed Correct support parameters documentation for banned repositories rule
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: chore. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 2 package(s) with unknown licenses.

See the Details below.

License Issues

pom.xml

Package	Version	License	Issue Type
io.projectreactor.netty:reactor-netty-http	1.3.5	Null	Unknown License
org.jsoup:jsoup	1.22.2	Null	Unknown License

Denied Licenses:

GPL-3.0, AGPL-3.0

OpenSSF Scorecard

Package	Version	Score	Details
maven/io.projectreactor.netty:reactor-netty-http	1.3.5	🟢 7.6	Details Check Score Reason Code-Review ⚠️ 0 Found 2/25 approved changesets -- score normalized to 0 Maintained 🟢 10 30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected Binary-Artifacts 🟢 9 binaries present in source code SAST 🟢 9 SAST tool detected but not run on all commits
maven/org.apache.maven.plugins:maven-enforcer-plugin	3.6.2	🟢 5.2	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 6 Found 9/14 approved changesets -- score normalized to 6 Maintained 🟢 6 7 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
maven/org.jsoup:jsoup	1.22.2	Unknown	Unknown

Scanned Files

• pom.xml

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.