Bump the maven group across 2 directories with 6 updates#1

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/maven/maven-e7189c4ca5

Conversation


@dependabot dependabot bot commented on behalf of github Feb 5, 2025

Bumps the maven group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| com.vaadin:vaadin-bom | 8.12.3 | 8.13.0 |
| com.cronutils:cron-utils | 9.1.3 | 9.1.6 |
| org.jsoup:jsoup | 1.11.2 | 1.15.3 |
| org.springframework.boot:spring-boot-starter-web | 2.3.7.RELEASE | 2.5.12 |
| com.google.guava:guava | 25.0-jre | 32.0.0-jre |
| io.github.classgraph:classgraph | 4.8.90 | 4.8.112 |

Bumps the maven group with 1 update in the /hawkbit-repository/hawkbit-repository-jpa directory: io.github.classgraph:classgraph.

Updates com.vaadin:vaadin-bom from 8.12.3 to 8.13.0

Updates com.cronutils:cron-utils from 9.1.3 to 9.1.6

Commits
  • d78d40b pom.xml -> 9.1.6
  • 9c73298 Update pom.xml towards JDK8, for a compatible release.
  • 528fcae Issue #493: update code towards one of the proposed solutions.
  • cfd2880 Merge pull request #494 from NielsDoucet/RCE-fix
  • d670750 Merge pull request #493 from pwntester/patch-1
  • 6f91560 Merge branch 'hibnico-fix-interval-mapping'
  • d95759b Fix mapping of interval for the day of week
  • 9c93c17 Resolve RCE vulnerability.
  • d7c6e3c Update CronValidator.java
  • 2cf9697 Merge pull request #492 from albertotn/description-italian
  • Additional commits viewable in compare view

Updates org.jsoup:jsoup from 1.11.2 to 1.15.3

Release notes

Sourced from org.jsoup:jsoup's releases.

jsoup 1.15.3

jsoup 1.15.3 is out now, and includes a security fix for potential XSS attacks, along with other bug fixes and improvements, including more descriptive validation error messages.

Details:

jsoup 1.15.2 is out now with a bunch of improvements and bug fixes.

jsoup 1.15.1 is out now with a bunch of improvements and bug fixes.

jsoup 1.14.3

jsoup 1.14.3 is out now, adding native XPath selector support, improved <template> support, and also includes a bunch of bug fixes, improvements, and performance enhancements.

See the release announcement for the full changelog.

jsoup 1.14.2

Caught by the fuzz! jsoup 1.14.2 is out now, and includes a set of parser bug fixes and improvements for handling rough HTML and XML, as identified by the Jazzer JVM fuzzer. This release also includes other fixes and improvements.

See the release announcement for the full changelog.

jsoup 1.14.1

jsoup 1.14.1 is out now, with simple request session management, increased parse robustness, and a ton of other improvements, speed-ups, and bug fixes.

See the full announcement for all the details on what's changed.

jsoup 1.13.1

See the release notes.

<dependency>
  <!-- jsoup HTML parser library @ https://jsoup.org/ -->
  <groupId>org.jsoup</groupId>
  <artifactId>jsoup</artifactId>
  <version>1.13.1</version>
</dependency>

jsoup-1.12.2

No release notes provided.

Changelog

Sourced from org.jsoup:jsoup's changelog.

jsoup changelog

Release 1.15.3 [2022-Aug-24]

  • Security: fixed an issue where the jsoup cleaner may incorrectly sanitize crafted XSS attempts if SafeList.preserveRelativeLinks is enabled. GHSA-gp7f-rwcx-9369

  • Improvement: the Cleaner will preserve the source position of cleaned elements, if source tracking is enabled in the original parse.

  • Improvement: the error messages output from Validate are more descriptive. Exceptions are now ValidationExceptions (extending IllegalArgumentException). Stack traces do not include the Validate class, to make it simpler to see where the exception originated. Common validation errors including malformed URLs and empty selector results have more explicit error messages.

  • Bugfix: the DataUtil would incorrectly read from InputStreams that emitted reads less than the requested size. This led to incorrect results when parsing from chunked server responses, for e.g. jhy/jsoup#1807

  • Build Improvement: added implementation version and related fields to the jar manifest. jhy/jsoup#1809

Release 1.15.2 [2022-Jul-04]

  • Improvement: added the ability to track the position (line, column, index) in the original input source from where a given node was parsed. Accessible via Node.sourceRange() and Element.endSourceRange(). jhy/jsoup#1790

  • Improvement: added Element.firstElementChild(), Element.lastElementChild(), Node.firstChild(), Node.lastChild(), as convenient accessors to those child nodes and elements.

  • Improvement: added Element.expectFirst(cssQuery), which is just like Element.selectFirst(), but instead of returning a null if there is no match, will throw an IllegalArgumentException. This is useful if you want to simply abort processing if an expected match is not found.

  • Improvement: when pretty-printing HTML, doctypes are emitted on a newline if there is a preceding comment. jhy/jsoup#1664

  • Improvement: when pretty-printing, trim the leading and trailing spaces of textnodes in block tags when possible, so that they are indented correctly. jhy/jsoup#1798

  • Improvement: in Element#selectXpath(), disable namespace awareness. This makes it possible to always select elements by their simple local name, regardless of whether an xmlns attribute was set. jhy/jsoup#1801

  • Bugfix: when using the readToByteBuffer method, such as in Connection.Response.body(), if the document has not already been parsed and must be read fully, and there is any maximum buffer size being applied, only the default internal buffer size is read. jhy/jsoup#1774

... (truncated)

Commits
  • c596417 [maven-release-plugin] prepare release jsoup-1.15.3
  • d2d9ac3 Changelog for URL cleaner improvement
  • 4ea768d Strip control characters from URLs when resolving absolute URLs
  • 985f1fe Include help link for malformed URLs
  • 6b67d05 Improved Validate error messages
  • 653da57 Normalized API doc link
  • 5ed84f6 Simplified the Test Server startup
  • c58112a Set the read size correctly when capped
  • fa13c80 Added jar manifest default implementation entries.
  • 5b19390 Bump maven-resources-plugin from 3.2.0 to 3.3.0 (#1814)
  • Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-starter-web from 2.3.7.RELEASE to 2.5.12

Commits
  • 35105a0 Release v2.5.12
  • 17936b8 Polish
  • 94c40c7 Upgrade to Spring Framework 5.3.18
  • 2e90fd2 Upgrade CI to Docker 20.10.14
  • 6cded5b Upgrade Java 18 version in CI image
  • 06c5e26 Upgrade to Jackson Bom 2.12.6.20220326
  • c0c32d8 Merge pull request #30456 from candrews
  • 8cb11b7 Polish "Make MustacheViewResolver bean back off without Spring MVC"
  • 7101b50 Make MustacheViewResolver bean back off without Spring MVC
  • 05b7bef Fix javadoc of ResolveMainClassName setClasspath(Object)
  • Additional commits viewable in compare view

Updates com.google.guava:guava from 25.0-jre to 32.0.0-jre

Release notes

Sourced from com.google.guava:guava's releases.

32.0.0

Maven

<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
  <version>32.0.0-jre</version>
  <!-- or, for Android: -->
  <version>32.0.0-android</version>
</dependency>

Jar files

Guava requires one runtime dependency, which you can download here:

Javadoc

JDiff

Changelog

Security fixes

While CVE-2020-8908 was officially closed when we deprecated Files.createTempDir in Guava 30.0, we've heard from users that even recent versions of Guava have been listed as vulnerable in other databases of security vulnerabilities. In response, we've reimplemented the method (and the very rarely used FileBackedOutputStream class, which had a similar issue) to eliminate the insecure behavior entirely. This change could technically affect users in a number of different ways (discussed under "Incompatible changes" below), but in practice, the only problem users are likely to encounter is with Windows. If you are using those APIs under Windows, you should skip 32.0.0 and go straight to 32.0.1 which fixes the problem. (Unfortunately, we didn't think of the Windows problem until after the release. And while we warn that common.io in particular may not work under Windows, we didn't intend to regress support.) Sorry for the trouble.

Incompatible changes

Although this release bumps Guava's major version number, it makes no binary-incompatible changes to the guava artifact.

One change could cause issues for Windows users, and a few other changes could cause issues for users in more usual situations:

  • The new implementations of Files.createTempDir and FileBackedOutputStream throw an exception under Windows. This is fixed in 32.0.1. Sorry for the trouble.
  • guava-gwt now requires GWT 2.10.0.
  • This release makes a binary-incompatible change to a @Beta API in the separate artifact guava-testlib. Specifically, we changed the return type of TestingExecutors.sameThreadScheduledExecutor to ListeningScheduledExecutorService. The old return type was a package-private class, which caused the Kotlin compiler to produce warnings. (dafaa3e435)

... (truncated)

Commits

Updates io.github.classgraph:classgraph from 4.8.90 to 4.8.112

Release notes

Sourced from io.github.classgraph:classgraph's releases.

classgraph-4.8.112

  • Added a secure version of DocumentBuilderFactory and XPATHFactory to prevent XXE (XML External Entity) attack when reading pom.xml file (#539, thanks to @kshitizg for the pull request!).

classgraph-4.8.111

Allow globs when accepting/rejecting specific classes, e.g. new ClassGraph().acceptClasses("*.*Suffix") (#536, thanks to @cushon for the request!)

classgraph-4.8.110

Add method AnnotationInfo#getParameterValues(boolean includeDefaultValues) so that defaults don't have to be included (#535, thanks to @zerikv for requesting).

classgraph-4.8.109

Add support for Quarkus 1.13's new classloader. Thanks to @itmrat01 for the code contribution! (#531, #532).

classgraph-4.8.108

JDK 11 classfile format compatibility fix (JDK 11 added a constant pool tag, and the classfile can't be read without knowing how long the corresponding constant pool entry is expected to be). (#527, thanks to @haoyuf for reporting.)

classgraph-4.8.107

Fix classloader detection for TomEE JAX-RS endpoints (#515, thanks to @Restage for detailed assistance in debugging this weird issue!).

classgraph-4.8.106

  • Support TomEE classloaders for JAX-RS endpoints (#515, thanks to @Restage for the request)
  • Don't try reading user.dir (the current directory) unless it's on the classpath, since some security environments can't read the current directory (#520, thanks to @elkman for the bug report).

classgraph-4.8.105

  • Fix potential NPE in verbose logging
  • Fix for zipfiles between 2GB and 4GB in size, when a zip entry's start position was past the 2GB point in the file (#514, thanks to @cwmccann for the bug report)

classgraph-4.8.104

Improved verbose logging to include types of methods and fields.

Added a couple of missing methods to ClassInfoList for GraphViz visualization of inter-class dependency graphs.

classgraph-4.8.103

Fixed issue with duplication of automatic package roots (e.g. myjar.jar!/BOOT-INF/classes/BOOT-INF/classes/path/to/resource). (#505, thanks to @michael-simons for the bug report and reproducer code.)

Also fixed an issue where closing the InputStream returned by Resource#open() wasn't marking the Resource as closed (which meant the resource couldn't be opened a second time).

classgraph-4.8.102

Further improvements in robustness to invalid type signatures that may be generated by the Scala compiler. (#495, thanks to @jbracker.)

classgraph-4.8.101

Made type signature parsing more robust to errors -- the Scala compiler can generate illegal type signatures. (#495, thanks to @jbracker for the report.)

classgraph-4.8.99

  • Fixed parsing of type parameters and type variables in Scala (these can contain a $ character in Scala, but you don't see that in Java). (#495, thanks to @jbracker for the report and for submitting a minimal testcase.)
  • Fixed a couple of possible exceptions that could be thrown when parsing type annotations for type descriptors.

classgraph-4.8.98

Fix NPE in hashCode() and equals() methods of TypeArgument (#491, thanks to @Tagakov for the fix!).

classgraph-4.8.97

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.
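The classgraph 4.8.112 note above says the library now reads pom.xml through a secure DocumentBuilderFactory and XPathFactory so that external entities cannot be resolved. The following is an added example of what such a hardened reader looks like; it is not classgraph's own code and not part of this PR. It uses only the standard JDK XML APIs (the feature URIs are the ones the JDK's built-in Xerces parser understands), and the pom.xml content, the class name SecurePomReader and the helper names are constructed for this illustration. It parses a small pom and lists its dependency coordinates, then shows that the same parser refuses a document carrying a DOCTYPE at all, which is what closes the XXE class of problems before any entity can be declared.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

/** Hypothetical hardened pom.xml reader (added example, not classgraph's implementation). */
public class SecurePomReader {

    /** DocumentBuilderFactory with DTD and external entity processing switched off. */
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE: with no DTD there is no place to declare entities at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that still accept a DTD.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // pom.xml declares a default namespace; ignoring namespaces keeps the XPath below simple.
        dbf.setNamespaceAware(false);
        return dbf;
    }

    /** XPathFactory with secure processing enabled (no extension functions, resource limits). */
    static XPathFactory hardenedXPathFactory() throws Exception {
        XPathFactory xpf = XPathFactory.newInstance();
        xpf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return xpf;
    }

    /** Parses XML text with the hardened factory; any attempt to resolve an entity is refused. */
    static Document parse(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        db.setEntityResolver((publicId, systemId) -> {
            throw new SAXException("external entity resolution blocked: " + systemId);
        });
        return db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Returns "groupId:artifactId:version" for every dependency declared in the pom. */
    static List<String> dependencies(Document pom) throws Exception {
        XPath xp = hardenedXPathFactory().newXPath();
        NodeList deps = (NodeList) xp.evaluate("/project/dependencies/dependency", pom, XPathConstants.NODESET);
        List<String> out = new ArrayList<>();
        for (int i = 0; i < deps.getLength(); i++) {
            Node d = deps.item(i);
            out.add(xp.evaluate("groupId", d) + ":" + xp.evaluate("artifactId", d) + ":" + xp.evaluate("version", d));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample pom.xml (not the project's file), with two of the "From" versions in this PR.
        String pom = "<project>\n"
            + "  <dependencies>\n"
            + "    <dependency><groupId>org.jsoup</groupId><artifactId>jsoup</artifactId><version>1.11.2</version></dependency>\n"
            + "    <dependency><groupId>com.google.guava</groupId><artifactId>guava</artifactId><version>25.0-jre</version></dependency>\n"
            + "  </dependencies>\n"
            + "</project>\n";
        for (String dep : dependencies(parse(pom))) {
            System.out.println(dep);
        }

        // Constructed document with a DOCTYPE (internal entity only); the hardened parser must refuse it.
        String withDoctype = "<!DOCTYPE project [<!ENTITY e \"x\">]>\n<project><name>&e;</name></project>";
        try {
            parse(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXParseException expected) {
            System.out.println("rejected DOCTYPE as intended: " + expected.getMessage());
        }
    }
}
```

Compile and run it with `javac SecurePomReader.java && java SecurePomReader`; the first part prints the two coordinates, the second prints the parser's rejection message. The `disallow-doctype-decl` feature is the one that matters most: once the parser refuses DTDs there is nothing left for the other flags to guard, and they remain only so that the reader stays safe if the factory is ever created with a different parser implementation.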

Bumps the maven group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| com.vaadin:vaadin-bom | `8.12.3` | `8.13.0` |
| [com.cronutils:cron-utils](https://github.com/jmrozanec/cron-utils) | `9.1.3` | `9.1.6` |
| [org.jsoup:jsoup](https://github.com/jhy/jsoup) | `1.11.2` | `1.15.3` |
| [org.springframework.boot:spring-boot-starter-web](https://github.com/spring-projects/spring-boot) | `2.3.7.RELEASE` | `2.5.12` |
| [com.google.guava:guava](https://github.com/google/guava) | `25.0-jre` | `32.0.0-jre` |
| [io.github.classgraph:classgraph](https://github.com/classgraph/classgraph) | `4.8.90` | `4.8.112` |

Bumps the maven group with 1 update in the /hawkbit-repository/hawkbit-repository-jpa directory: [io.github.classgraph:classgraph](https://github.com/classgraph/classgraph).


Updates `com.vaadin:vaadin-bom` from 8.12.3 to 8.13.0

Updates `com.cronutils:cron-utils` from 9.1.3 to 9.1.6
- [Release notes](https://github.com/jmrozanec/cron-utils/releases)
- [Commits](jmrozanec/cron-utils@9.1.3...9.1.6)

Updates `org.jsoup:jsoup` from 1.11.2 to 1.15.3
- [Release notes](https://github.com/jhy/jsoup/releases)
- [Changelog](https://github.com/jhy/jsoup/blob/jsoup-1.15.3/CHANGES)
- [Commits](jhy/jsoup@jsoup-1.11.2...jsoup-1.15.3)

Updates `org.springframework.boot:spring-boot-starter-web` from 2.3.7.RELEASE to 2.5.12
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v2.3.7.RELEASE...v2.5.12)

Updates `com.google.guava:guava` from 25.0-jre to 32.0.0-jre
- [Release notes](https://github.com/google/guava/releases)
- [Commits](https://github.com/google/guava/commits)

Updates `io.github.classgraph:classgraph` from 4.8.90 to 4.8.112
- [Release notes](https://github.com/classgraph/classgraph/releases)
- [Commits](classgraph/classgraph@classgraph-4.8.90...classgraph-4.8.112)

Updates `io.github.classgraph:classgraph` from 4.8.90 to 4.8.112
- [Release notes](https://github.com/classgraph/classgraph/releases)
- [Commits](classgraph/classgraph@classgraph-4.8.90...classgraph-4.8.112)

---
updated-dependencies:
- dependency-name: com.vaadin:vaadin-bom
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: com.cronutils:cron-utils
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.jsoup:jsoup
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.springframework.boot:spring-boot-starter-web
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: com.google.guava:guava
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: io.github.classgraph:classgraph
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: io.github.classgraph:classgraph
  dependency-type: direct:production
  dependency-group: maven
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Feb 5, 2025