
Bump the dependencies group with 4 updates #15

Merged: SentryMan merged 1 commit into main from dependabot/maven/main/dependencies-7c782e179c on May 2, 2026

Conversation

@dependabot (bot) commented on behalf of github on May 1, 2026


Bumps the dependencies group with 4 updates: io.avaje:avaje-jex-parent, com.auth0:java-jwt, com.github.slugify:slugify and org.postgresql:postgresql.

Updates io.avaje:avaje-jex-parent from 3.4 to 3.5

Updates com.auth0:java-jwt from 4.5.1 to 4.5.2

Release notes

Sourced from com.auth0:java-jwt's releases.

4.5.2

Added

Changelog

Sourced from com.auth0:java-jwt's changelog.

4.5.2 (2026-04-29)

Full Changelog

Added

Commits
  • 695fd2b Release 4.5.2 (#765)
  • 4ac3178 Release 4.5.2
  • d056a79 Bump com.fasterxml.jackson.core:jackson-databind from 2.21.2 to 2.21.3 in /li...
  • 37f195a Bump com.fasterxml.jackson.core:jackson-databind in /lib
  • dba4c93 Chore: Bump update commons-beanutils dependency (#761)
  • 84d4c8f Merge branch 'master' into chore/bump-commons-beanutils
  • 5c923d4 Chore: Add SCA scan workflow (#762)
  • 09a4da5 Merge branch 'master' into chore/add-sca-scan
  • ef47e64 Chore: Add SCA scan workflow
  • 3fcfbcb Chore: Bump update commons-beanutils dependency
  • Additional commits viewable in compare view

Updates com.github.slugify:slugify from 3.0.7 to 4.0.0

Changelog

Sourced from com.github.slugify:slugify's changelog.

[4.0.0] - 2026-04-25

Added

  • SLF4J error logging when an IOException occurs while loading a language bundle
  • Javadoc step in the CI check workflow to enforce -Xdoclint:all at build time
  • PMD design rule category added to the ruleset
  • JMH benchmarks for the transliterator and custom replacements code paths

Changed

  • Class.getResourceAsStream() replaces context ClassLoader for resource loading, ensuring compatibility with JPMS in OSGi and application server environments
  • Transliterator instance is now cached per Slugify instance instead of being created on every slugify() call (~3.7× performance improvement in transliterator mode)
  • Slugify class is now declared final
  • Checkstyle configured to fail the build on any warning (maxWarnings = 0)
  • Java 21 or higher is now required
  • Gradle configuration cache enabled
  • GitHub Actions pinned to commit SHAs for supply-chain security
  • Dropped dependency-check plugin (replaced by Renovate; was also incompatible with Gradle configuration cache, see dependency-check-gradle#339)
  • Dropped versions plugin (replaced by Renovate; was also incompatible with Gradle configuration cache, see gradle-versions-plugin#666)
  • Switched to Gradle Java Toolchain for explicit JDK version pinning
  • Migrated publishing to Central Publisher Portal via nmcp
  • Addressed Gradle 10.0 deprecations for forward compatibility

Fixed

  • Leading and trailing underscores are now trimmed when using underscore separator mode
  • Removed @SuppressWarnings("PMD.UnitTestShouldIncludeAssert") made obsolete by the PMD 7.24.0 fix for false positives in lambda assertions (pmd#4272)
  • Removed unused slugify.properties base file left over from a prior ResourceBundle.getBundle() approach

Commits
  • 9ce6b5f build: migrate signing properties to providers.gradleProperty
  • be85fa5 build: switch nmcp to project plugin with providers.gradleProperty credentials
  • 0becfb5 ci: use providers.environmentVariable for nmcp credentials to fix configurati...
  • 65677b3 ci: move Central Portal credentials to job-level env
  • 99eaadd ci: add javadoc step to publish workflow
  • b578404 build: migrate publishing to Central Publisher Portal via nmcp
  • 4f1d7e4 docs(changelog): release 4.0.0
  • bc1b9f1 docs: unify @​param descriptions in Slugify constructor to concise 'Sets wheth...
  • 3739ded docs(changelog): add missing unreleased entries for toolchain, OSSRH and Grad...
  • 17855ba docs(readme): document that custom replacements take precedence over built-in...
  • Additional commits viewable in compare view

Updates org.postgresql:postgresql from 42.7.10 to 42.7.11

Release notes

Sourced from org.postgresql:postgresql's releases.

v42.7.11

Security

  • fix: Limit SCRAM PBKDF2 iterations accepted from the server. pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins. See the Security Advisory for more detail. The following CVE-2026-42198 has been issued.

Changes

🐛 Bug Fixes

  • fix: ensure extended protocol messages end with Sync message @​vlsi (#3728)
  • fix: enable cursor-based fetching in extended protocol when transaction started via SQL command @​vlsi (#3996)
  • fix: retry with SSL on IOException when sslMode=ALLOW @​vlsi (#3973)
  • fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in @​vlsi (#3968)
  • fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers @​vlsi (#3962)
  • fix: use compareTo for LogSequenceNumber comparison @​vlsi (#3961)
  • fix: release COPY lock on IOException to prevent connection hang (#3957) @​vlsi (#3960)

🧰 Maintenance

⬆️ Dependencies

... (truncated)

Changelog

Sourced from org.postgresql:postgresql's changelog.

[42.7.11] (2026-04-28)

Security

  • fix: Limit SCRAM PBKDF2 iterations accepted from the server. pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins. See the Security Advisory for more detail. The following CVE-2026-42198 has been issued.

Added

Changed

Fixed

Commits
  • 78e261f fix: Add sources and javadocs to shaded published lib generation
  • 1e09fa0 update Changelog and website for release of 42.7.11 (#4042)
  • d479fa5 Fix scram fix location in changelog and update published artifact developer l...
  • b04fc46 docs: Add scram max iters fix to changelog
  • cf54822 test: Disable scram test on older version without scram_iterations GUC
  • 7dbcc79 test: Add SCRAM max iteration tests
  • c9d41d1 fix: Limit SCRAM PBKDF2 iterations accepted from the server
  • a340cb2 style: replace @​exception with @​throws in getBoolean javadoc
  • 77837f8 fix(deps): update dependency org.openrewrite.rewrite:org.openrewrite.rewrite....
  • 23af03b chore(deps): update actions/checkout action to v6
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
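
The pgjdbc security note above says the fix caps the server-supplied PBKDF2 iteration count before computation begins. The check can be sketched as follows; this is an added Java example, not pgjdbc's code. The class name, method names and sample messages are assumptions, and the 100,000 default is the value the release notes state for `scramMaxIterations`.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.util.*;

/** Added illustration, not pgjdbc code; class and method names are hypothetical. */
public class ScramIterationCap {
    // Same value the release notes give as the scramMaxIterations default.
    static final int DEFAULT_MAX_ITERATIONS = 100_000;

    /** Parses an RFC 5802 server-first-message: r=<nonce>,s=<base64 salt>,i=<count>. */
    static Map<String, String> parseServerFirst(String msg) {
        Map<String, String> attrs = new HashMap<>();
        for (String part : msg.split(",")) {
            if (part.length() < 3 || part.charAt(1) != '=') {
                throw new IllegalArgumentException("malformed attribute: " + part);
            }
            attrs.put(part.substring(0, 1), part.substring(2));
        }
        return attrs;
    }

    /** Checks the server-chosen count BEFORE any PBKDF2 work; SASLprep is omitted here. */
    static byte[] saltedPassword(char[] pw, String serverFirst, int maxIterations) throws Exception {
        Map<String, String> attrs = parseServerFirst(serverFirst);
        String salt = attrs.get("s");
        if (salt == null) throw new IllegalArgumentException("missing salt");
        int iterations;
        try {
            iterations = Integer.parseInt(attrs.get("i")); // null or > int range also lands here
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("missing or invalid iteration count");
        }
        if (iterations < 1 || iterations > maxIterations) {
            throw new IllegalArgumentException("iteration count " + iterations + " outside 1.." + maxIterations);
        }
        PBEKeySpec spec = new PBEKeySpec(pw, Base64.getDecoder().decode(salt), iterations, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample messages; the nonce and salt are made up.
        String prefix = "r=clientNonceServerNonce,s=c2FsdHNhbHRzYWx0c2FsdA==,i=";
        System.out.println(saltedPassword("pw".toCharArray(), prefix + "4096", DEFAULT_MAX_ITERATIONS).length);
        try {
            saltedPassword("pw".toCharArray(), prefix + "2000000000", DEFAULT_MAX_ITERATIONS);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```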

Bumps the dependencies group with 4 updates: io.avaje:avaje-jex-parent, [com.auth0:java-jwt](https://github.com/auth0/java-jwt), [com.github.slugify:slugify](https://github.com/slugify/slugify) and [org.postgresql:postgresql](https://github.com/pgjdbc/pgjdbc).


Updates `io.avaje:avaje-jex-parent` from 3.4 to 3.5

Updates `com.auth0:java-jwt` from 4.5.1 to 4.5.2
- [Release notes](https://github.com/auth0/java-jwt/releases)
- [Changelog](https://github.com/auth0/java-jwt/blob/master/CHANGELOG.md)
- [Commits](auth0/java-jwt@4.5.1...4.5.2)

Updates `com.github.slugify:slugify` from 3.0.7 to 4.0.0
- [Changelog](https://github.com/slugify/slugify/blob/master/CHANGELOG.md)
- [Commits](slugify/slugify@3.0.7...4.0.0)

Updates `org.postgresql:postgresql` from 42.7.10 to 42.7.11
- [Release notes](https://github.com/pgjdbc/pgjdbc/releases)
- [Changelog](https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md)
- [Commits](pgjdbc/pgjdbc@REL42.7.10...REL42.7.11)

---
updated-dependencies:
- dependency-name: io.avaje:avaje-jex-parent
  dependency-version: '3.5'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: com.auth0:java-jwt
  dependency-version: 4.5.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: com.github.slugify:slugify
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dependencies
- dependency-name: org.postgresql:postgresql
  dependency-version: 42.7.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

@github-actions (bot) enabled auto-merge May 1, 2026 11:37
@SentryMan disabled auto-merge May 2, 2026 02:47
@SentryMan merged commit d067ac7 into main May 2, 2026
1 check passed
@SentryMan deleted the dependabot/maven/main/dependencies-7c782e179c branch May 2, 2026 02:47