Update all patch/minor versions (master) #4240

Open
renovate[bot] wants to merge 1 commit into master from renovate/master-all-patchminor-versions


Conversation

renovate[bot] (Contributor) commented Jun 19, 2026

This PR contains the following updates:

| Package | Change |
| --- | --- |
| io.sentry:sentry-logback | 8.42.0 → 8.43.2 |
| ch.qos.logback:logback-access (source, changelog) | 1.5.32 → 1.5.34 |
| ch.qos.logback:logback-classic (source, changelog) | 1.5.32 → 1.5.34 |
| net.sf.jasperreports:jasperreports-pdf (source) | 7.0.6 → 7.0.7 |
| net.sf.jasperreports:jasperreports-jdt (source) | 7.0.6 → 7.0.7 |
| net.sf.jasperreports:jasperreports-json (source) | 7.0.6 → 7.0.7 |
| net.sf.jasperreports:jasperreports-functions (source) | 7.0.6 → 7.0.7 |
| net.sf.jasperreports:jasperreports-fonts (source) | 7.0.6 → 7.0.7 |
| net.sf.jasperreports:jasperreports-excel-poi (source) | 7.0.6 → 7.0.7 |
| net.sf.jasperreports:jasperreports (source) | 7.0.6 → 7.0.7 |
| com.mchange:c3p0 (source) | 0.13.0 → 0.14.1 |
| io.hypersistence:hypersistence-utils-hibernate-63 | 3.15.2 → 3.15.3 |
| org.hibernate:hibernate-core (source) | 6.6.51.Final → 6.6.53.Final |
| org.springframework.security:spring-security-web (source) | 7.0.5 → 7.1.0 |
| org.springframework.security:spring-security-config (source) | 7.0.5 → 7.1.0 |
| org.springframework:spring-test | 7.0.7 → 7.0.8 |
| org.springframework:spring-tx | 7.0.7 → 7.0.8 |
| org.springframework:spring-jdbc | 7.0.7 → 7.0.8 |
| org.springframework:spring-orm | 7.0.7 → 7.0.8 |
| org.springframework:spring-aspects | 7.0.7 → 7.0.8 |
| org.springframework:spring-webmvc | 7.0.7 → 7.0.8 |
| org.springframework:spring-web | 7.0.7 → 7.0.8 |
| org.springframework:spring-core | 7.0.7 → 7.0.8 |
| org.springframework:spring-context | 7.0.7 → 7.0.8 |
| spotbugs (source) | 4.9.8 → 4.10.2 |
| org.springframework:spring-beans | 7.0.7 → 7.0.8 |
| com.github.spotbugs | 6.5.5 → 6.5.6 |

Release Notes

getsentry/sentry-java (io.sentry:sentry-logback)

v8.43.2

Improvements
  • Improve SDK init performance by replacing java.net.URI with custom string parsing for DSN (#​5448)
  • Remove unnecessary boxing to improve performance (#​5520)
Fixes
  • Session Replay: Fix VerifyError in Compose masking under DexGuard/R8 obfuscation (#​5507)
  • Session Replay: Fix Compose view masking not working on obfuscated/minified builds (#​5503)

v8.43.1

Fixes
  • Session Replay: Fix replay recording freezing on screens with continuous animations (#​5489)
  • Session Replay: Populate trace_ids in replay events to enable searching replays by trace ID (#​5473)

v8.43.0

Features
  • Session Replay: Add ReplayFrameObserver for observing captured replay frames (#​5386)

    SentryAndroid.init(context) { options ->
      options.sessionReplay.frameObserver =
        SentryReplayOptions.ReplayFrameObserver { hint, frameTimestamp, screenName ->
          val bitmap = hint.getAs(TypeCheckHint.REPLAY_FRAME_BITMAP, Bitmap::class.java)
          if (bitmap != null) {
            try {
              // Process the masked replay frame
              myAnalyzer.processFrame(bitmap, frameTimestamp, screenName)
            } finally {
              bitmap.recycle()
            }
          }
        }
    }
  • Parse ART memory and garbage collector info from ANR tombstones into ART context (#​5428)

Jaspersoft/jasperreports (net.sf.jasperreports:jasperreports-pdf)

v7.0.7

  • add deserialization class filter to fix the CVE-2026-6009 security vulnerability;

  • introduce URL whitelist filter for controlling repository resources access;

  • new keepTogether flag for crosstab row groups;

  • various fixes made to the PDF exporter to better support the PDF/UA (accessibility)
    and PDF/A (archiving) standards;

  • new OSGi and Spring Boot samples;

  • support for versioning in the Jackson JRXML writer;

  • various dependencies upgrades including: Spring 6.2.18, Jackson 2.18.6, Bouncy Castle 1.84,
    Jetty 12.0.35 and Apache Log4J 2.25.4;

  • minor bug fixes and improvements;

vladmihalcea/hypersistence-utils (io.hypersistence:hypersistence-utils-hibernate-63)

v3.15.3

Add support for Hibernate 7.4 #​852

Small improvements to BatchSequenceGenerator 850

Add support for Optional attributes using @​Type(JsonType.class) #​849

Update the hsqldb version to 2.7.4 #​848

Fix merge method JavaDocs #​846

Add support for Update and Delete statements in SQLExtractor #​845

Upgrade Testcontainers to the 2.0.4 version #​844

Fix broken Javadoc {@​code} tags in JsonType #​842

Add Envers generic‑type handling for JSON collections #​838

hibernate/hibernate-orm (org.hibernate:hibernate-core)

v6.6.53.Final

v6.6.52.Final

spring-projects/spring-security (org.springframework.security:spring-security-web)

v7.1.0

🪲 Bug Fixes
  • Opaque token introspectors should not allow empty credentials #​19201
🔨 Dependency Upgrades
  • Bump @springio/antora-extensions from 1.14.11 to 1.14.12 in /docs #​19235
  • Bump actions/checkout from 6.0.2 to 6.0.3 #​19271
  • Bump antora from 3.2.0-alpha.11 to 3.2.0-alpha.12 in /docs #​19181
  • Bump ch.qos.logback:logback-classic from 1.5.32 to 1.5.33 #​19228
  • Bump ch.qos.logback:logback-classic from 1.5.33 to 1.5.34 #​19268
  • Bump com.fasterxml.jackson:jackson-bom from 2.21.2 to 2.21.3 #​19133
  • Bump com.fasterxml.jackson:jackson-bom from 2.21.3 to 2.22.0 #​19246
  • Bump com.google.code.gson:gson from 2.13.2 to 2.14.0 #​19125
  • Bump com.nimbusds:oauth2-oidc-sdk from 11.37 to 11.37.1 #​19157
  • Bump com.nimbusds:oauth2-oidc-sdk from 11.37 to 11.37.2 #​19195
  • Bump com.webauthn4j:webauthn4j-core from 0.31.3.RELEASE to 0.31.5.RELEASE #​19148
  • Bump com.webauthn4j:webauthn4j-core from 0.31.5.RELEASE to 0.31.6.RELEASE #​19263
  • Bump gradle-wrapper from 9.4.1 to 9.5.0 #​19135
  • Bump gradle-wrapper from 9.5.0 to 9.5.1 #​19171
  • Bump io-micrometer from 1.16.5 to 1.17.0 #​19287
  • Bump io.mockk:mockk from 1.14.9 to 1.14.11 #​19244
  • Bump io.projectreactor:reactor-bom from 2025.0.5 to 2025.0.6 #​19296
  • Bump org-jetbrains-kotlin from 2.3.20 to 2.3.21 #​19126
  • Bump org-jetbrains-kotlin from 2.3.21 to 2.4.0 #​19264
  • Bump org-opensaml5 from 5.2.1 to 5.2.2 #​19176
  • Bump org.apache.maven:maven-resolver-provider from 3.9.15 to 3.9.16 #​19190
  • Bump org.apereo.cas.client:cas-client-core from 4.1.0 to 4.1.1 #​19200
  • Bump org.hibernate.orm:hibernate-core from 7.3.1.Final to 7.3.2.Final #​19119
  • Bump org.hibernate.orm:hibernate-core from 7.3.2.Final to 7.3.3.Final #​19149
  • Bump org.hibernate.orm:hibernate-core from 7.3.3.Final to 7.3.4.Final #​19165
  • Bump org.hibernate.orm:hibernate-core from 7.3.4.Final to 7.3.5.Final #​19191
  • Bump org.hibernate.orm:hibernate-core from 7.3.5.Final to 7.3.6.Final #​19211
  • Bump org.hibernate.orm:hibernate-core from 7.3.6.Final to 7.4.0.Final #​19226
  • Bump org.jetbrains.kotlinx:kotlinx-coroutines-bom from 1.10.2 to 1.11.0 #​19166
  • Bump org.junit:junit-bom from 6.0.3 to 6.1.0 #​19197
  • Bump org.slf4j:slf4j-api from 2.0.17 to 2.0.18 #​19169
  • Bump org.springframework.data:spring-data-bom from 2025.1.5 to 2025.1.6 #​19290
  • Bump org.springframework.ldap:spring-ldap-core from 4.0.3 to 4.1.0 #​19291
  • Bump org.springframework:spring-framework-bom from 7.0.7 to 7.0.8 #​19285
  • Bump spring-io/spring-release-actions from 0.0.4 to 0.0.5 #​19179
  • Bump tools.jackson:jackson-bom from 3.1.2 to 3.1.3 #​19147
  • Bump tools.jackson:jackson-bom from 3.1.3 to 3.1.4 #​19245
  • Bump tools.jackson:jackson-bom from 3.1.4 to 3.2.0 #​19286
  • Update to spring-data-bom 2026.0.0 #​19303
🔩 Build Updates

v7.0.6

🪲 Bug Fixes
  • FormPostRedirectStrategy should not emit percent-encoded values into hidden form inputs #​19137
  • AbstractAuthenticationFilterConfigurer should not automatically pick up servlet path #​19128
  • Principal Extractor should select the left-most RDN attribute value #​19254
🔨 Dependency Upgrades
  • Bump antora from 3.2.0-alpha.11 to 3.2.0-alpha.12 in /docs #​19184
  • Bump ch.qos.logback:logback-classic from 1.5.32 to 1.5.34 #​19266
  • Bump com.webauthn4j:webauthn4j-core from 0.31.3.RELEASE to 0.31.5.RELEASE #​19151
  • Bump com.webauthn4j:webauthn4j-core from 0.31.5.RELEASE to 0.31.6.RELEASE #​19265
  • Bump gradle-wrapper from 8.14.4 to 8.14.5 #​19160
  • Bump io-micrometer from 1.16.5 to 1.16.6 #​19292
  • Bump io.mockk:mockk from 1.14.9 to 1.14.11 #​19247
  • Bump io.projectreactor:reactor-bom from 2025.0.5 to 2025.0.6 #​19298
  • Bump org-bouncycastle from 1.80 to 1.80.2 #​19193
  • Bump org.apache.maven:maven-resolver-provider from 3.9.15 to 3.9.16 #​19192
  • Bump org.slf4j:slf4j-api from 2.0.17 to 2.0.18 #​19174
  • Bump org.springframework.data:spring-data-bom from 2025.1.5 to 2025.1.6 #​19294
  • Bump org.springframework.ldap:spring-ldap-core from 4.0.3 to 4.0.4 #​19289
  • Bump org.springframework:spring-framework-bom from 7.0.7 to 7.0.8 #​19288
  • Bump spring-io/spring-release-actions from 0.0.4 to 0.0.5 #​19182
  • Update to Micrometer 1.16.5 #​19225
🔩 Build Updates

spring-projects/spring-framework (org.springframework:spring-test)

v7.0.8

⚠️ Security Fixes

This maintenance release fixes a high number of CVEs. You can learn more about this in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:

  • CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
  • CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
  • CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
  • CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
  • CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
  • CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
  • CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
  • CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
  • CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
  • CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
  • CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
  • CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
  • CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
  • CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
  • CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
  • CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"

⭐ New Features

  • Include zone ID in CronTrigger's equals/hashCode implementations #​36871
  • Expose ClassLoader from DefaultDeserializer #​36833
  • Use immutable map for SEPARATORS static field in DefaultPathContainer #​36821
  • Track operations during SpEL expression evaluation #​36801
  • Ensure getters have non-void return types in SpEL #​36800
  • Avoid too many character access attempts in AntPathMatcher #​36799
  • Refine default view name resolution #​36793
  • Refine Jackson JMS converters #​36791
  • Improve ABNF rule checks in RfcUriParser #​36787
  • Restrict SpringVersion.getVersion() to "major.minor.patch" format #​36785
  • Runtime compatibility with JPA 4.0 M4 and corresponding Hibernate 8.0 snapshots #​36784
  • Allow specifying the charset to use in ExchangeFilterFunctions#basicAuthentication #​36777
  • Use CollectionUtils to initialize HashMap in DefaultUriBuilderFactory #​36763
  • Improve error messages in SpEL #​36756
  • Improve pattern caching in SpEL #​36755
  • Avoid ResolvableType#forType contention for implicit cache cleanup #​36745
  • Switch to JdkIdGenerator for WebSocket Sessions #​36740
  • Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #​36727
  • LiteWebJarsResourceResolver does not resolve directories #​36726
  • Warn against unsafe static resource locations in MVC and WebFlux #​36692
  • Consistent compatibility with Woodstox as an alternative to Xerces #​36682
  • Improve principal checks for SockJS session #​36681
  • Set host header consistently in STOMP relay CONNECT frames #​36673
  • Support Micrometer context propagation in Kotlin Flow #​36667
  • Reliable detection of broadcast messages in UserDestinationMessageHandler #​36662

🐞 Bug Fixes

  • Concurrency issue against shared cookie field in CookieLocaleResolver#setLocaleContext #​36869
  • Server Sent Event does not support multi-line comments #​36866
  • CronExpression skips days on midnight DST gap #​36865
  • Regression in 6.2.0+: ConfigurationClassParser incorrectly removes component-scanned bean when the same class is also registered under a different name via XML #​36835
  • Preserve generic type info in awaitEntity() #​36834
  • Bean Background Bootstrap and Lazy Init #​36844
  • Back-off for DefaultMessageListenerContainer with OracleAQ has changed and is very short in SpringBoot 4 #​36809
  • Character outside of permitted range in Content Disposition #​36805
  • Fix JSP tag processing #​36797
  • Fix script processing capabilities #​36795
  • Jaxb2XmlEncoder exclusivity prevents JacksonXmlEncoder usage and hinders POJO serialization #​36776
  • JacksonXmlEncoder.canEncode incorrectly returns true for String body with application/xml #​36775
  • Consistently expose map key quotes in PropertyAccessorUtils #​36765
  • Fix fragment parsing for relative URI in RFC URI parser #​36762
  • Fix race condition in InMemoryWebSessionStore #​36742
  • Parsing failure for MIME type with quoted parameter values #​36730
  • Circular dependency between supplier-created beans is silently ignored on startup #​36725
  • Data is lost for joined DataBuffer in DataBufferUtils #​36714
  • Cache collisions in CachingResourceResolver #​36713
  • Unexpected path element removal when resolving versioned resources #​36698
  • Non-deterministic "Body token not expected" in org.springframework.http.codec.multipart.PartGenerator #​36694
  • Regression on value class parameter handling #​36665
  • Fix inverted logic for boolean last flag in JettyWebSocketSession when sending binary message #​36650
  • Parent traceId is not reused when calling WebClient.awaitExchange function #​36182

📔 Documentation

  • Fix broken links to Selenium documentation #​36875
  • Fix applicability note on setAutoGrowCollectionLimit #​36863
  • Document @Conditional gating of nested @Configuration classes #​36831
  • Javadoc of nestingLevel parameter in MethodParameter constructor is inconsistent with actual implementation #​36826
  • Re-structuring of Data Binding Content in Web Sections of Documentation #​36803
  • Fix typos for validateExistingTransaction #​36767

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​0AndWild, @​Dennis-Mircea, @​cookie-meringue, @​daguimu, @​dmitrysulman, @​kilink, @​kzander91, @​leestana01, @​mguiking, @​quaff, @​seonwooj0810, @​sgerke-1L, @​shenjianeng, @​tianhaocui, @​wushiyuanmaimob, and @​zmovo

spotbugs/spotbugs (spotbugs)

v4.10.2

Build
  • Add release protection to ensure version released matches the tag and that snapshot has been removed. (#​4156)
  • Drop binary incompatible Saxon-HE back to 12.9 to keep java 11 compatibility. (#​4159)
  • Add binary check to the gradle build to ensure compatibility remains. (#​4159)

v4.10.1

Build
  • 4.10.0 was not released due to a release process error (artifacts were built from a -SNAPSHOT version). 4.10.1 is the corrected release and contains the intended 4.10.0 contents.

Configuration

📅 Schedule: (in timezone Europe/Zurich)

  • Branch creation
    • "after 5pm on the first day of the month,on the first day of the month"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate[bot] added the "dependencies" label (Update the dependencies) Jun 19, 2026
renovate[bot] enabled auto-merge (squash) June 19, 2026 08:57
renovate[bot] force-pushed the renovate/master-all-patchminor-versions branch from 2360add to 8d8d15d June 19, 2026 12:12
renovate[bot] force-pushed the renovate/master-all-patchminor-versions branch from 8d8d15d to 00334a4 June 19, 2026 13:49