Bump the all-maven-dependencies group across 2 directories with 7 updates

[dependabot]

Bumps the all-maven-dependencies group with 7 updates in the / directory:

Package	From	To
com.sap.cds:cds-services-bom	4.8.0	4.9.0
com.sap.cds:cds-maven-plugin	4.8.0	4.9.0
org.springframework.boot:spring-boot-dependencies	3.5.11	3.5.14
org.springframework.boot:spring-boot-maven-plugin	3.5.11	3.5.14
com.sap.cloud.security:java-bom	3.6.8	4.0.5
org.apache.maven.plugins:maven-enforcer-plugin	3.6.2	3.6.3
com.diffplug.spotless:spotless-maven-plugin	3.3.0	3.5.1

Bumps the all-maven-dependencies group with 7 updates in the /srv directory:

Package	From	To
com.sap.cds:cds-maven-plugin	4.8.0	4.9.0
com.sap.cds:cds-services-bom	4.8.0	4.9.0
org.springframework.boot:spring-boot-maven-plugin	3.5.11	3.5.14
org.springframework.boot:spring-boot-dependencies	3.5.11	3.5.14
com.sap.cloud.security:java-bom	3.6.8	4.0.5
org.apache.maven.plugins:maven-enforcer-plugin	3.6.2	3.6.3
com.diffplug.spotless:spotless-maven-plugin	3.3.0	3.5.1

Updates com.sap.cds:cds-services-bom from 4.8.0 to 4.9.0

Updates com.sap.cds:cds-maven-plugin from 4.8.0 to 4.9.0

Updates org.springframework.boot:spring-boot-dependencies from 3.5.11 to 3.5.14

Release notes

Sourced from org.springframework.boot:spring-boot-dependencies's releases.

v3.5.14

🐞 Bug Fixes

• ApplicationPidFileWriter does not handle symlinks correctly #50173
• RandomValuePropertySource is not suitable for secrets #50172
• Cassandra auto-configuration misconfigures CqlSessionBuilder #50171
• ApplicationTemp does not handle symlinks correctly #50170
• Remote DevTools performs comparison incorrectly #50169
• spring.rabbitmq.ssl.verify-hostname is applied inconsistently #50168
• EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #50035
• Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #50033
• Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #50021
• WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #50008
• 500 response from env endpoint when supplied pattern is invalid #49942
• HTTP method is lost when configuring excludes in EndpointRequest #49885
• Docker Compose support doesn't work with apache/artemis image #49865
• Honor HttpMethod for reactive additional endpoint paths #49864
• Docker Compose support doesn't work with apache/activemq image #49863
• Imports on a containing test class are ignored when a nested class has imports #49860

📔 Documentation

• Link to the observability section of the Lettuce documentation is broken #50092
• Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location #50083
• MySamlRelyingPartyConfiguration is missing a Kotlin sample #50023
• Incorrect default value for management.httpexchanges.recording.include in configuration metadata #50010
• Link to the Kubernetes documentation when discussing startup probes #50007
• Update docs to encourage Java fundamentals for beginners that prefer to learn that way #49895
• Clarify that configuration property default values are not available through the Environment #49835

🔨 Dependency Upgrades

• Upgrade to Groovy 4.0.31 #49905
• Upgrade to Hibernate 6.6.49.Final #50140
• Upgrade to Jaxen 2.0.1 #50109
• Upgrade to Jaybird 6.0.5 #49907
• Upgrade to Jetty 12.0.34 #49908
• Upgrade to jOOQ 3.19.32 #50110
• Upgrade to Lombok 1.18.46 #50148
• Upgrade to MariaDB 3.5.8 #49909
• Upgrade to Micrometer 1.15.11 #49961
• Upgrade to Micrometer Tracing 1.5.11 #49962
• Upgrade to MySQL 9.7.0 #50161
• Upgrade to Neo4j Java Driver 5.28.13 #50074
• Upgrade to Reactor Bom 2024.0.17 #49963
• Upgrade to Spring AMQP 3.2.10 #49964
• Upgrade to Spring Authorization Server 1.5.7 #49965
• Upgrade to Spring Data Bom 2025.0.11 #49966
• Upgrade to Spring Framework 6.2.18 #49967
• Upgrade to Spring Kafka 3.3.15 #50129

... (truncated)

Commits

• 7d7b3ac Release v3.5.14
• 9dc5aa2 Polish
• f533a45 Do not follow symlinks when writing PID file
• f3b8eb0 Use SecureRandom in RandomValuePropertySource
• e22083a Enable hostname verification for SSL connections to Cassandra
• 5ceb1a2 Improve ApplicationTemp's temporary directory creation
• 4b0862c Use constant-time comparison for remote DevTools secret
• e4febe2 Apply verify-hostname consistently
• 2c2ffe5 Fix Windows test failure
• 0046a44 Protect against corrupt buildpack archives
• Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-maven-plugin from 3.5.11 to 3.5.14

Release notes

Sourced from org.springframework.boot:spring-boot-maven-plugin's releases.

v3.5.14

🐞 Bug Fixes

• ApplicationPidFileWriter does not handle symlinks correctly #50173
• RandomValuePropertySource is not suitable for secrets #50172
• Cassandra auto-configuration misconfigures CqlSessionBuilder #50171
• ApplicationTemp does not handle symlinks correctly #50170
• Remote DevTools performs comparison incorrectly #50169
• spring.rabbitmq.ssl.verify-hostname is applied inconsistently #50168
• EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #50035
• Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #50033
• Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #50021
• WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #50008
• 500 response from env endpoint when supplied pattern is invalid #49942
• HTTP method is lost when configuring excludes in EndpointRequest #49885
• Docker Compose support doesn't work with apache/artemis image #49865
• Honor HttpMethod for reactive additional endpoint paths #49864
• Docker Compose support doesn't work with apache/activemq image #49863
• Imports on a containing test class are ignored when a nested class has imports #49860

📔 Documentation

• Link to the observability section of the Lettuce documentation is broken #50092
• Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location #50083
• MySamlRelyingPartyConfiguration is missing a Kotlin sample #50023
• Incorrect default value for management.httpexchanges.recording.include in configuration metadata #50010
• Link to the Kubernetes documentation when discussing startup probes #50007
• Update docs to encourage Java fundamentals for beginners that prefer to learn that way #49895
• Clarify that configuration property default values are not available through the Environment #49835

🔨 Dependency Upgrades

• Upgrade to Groovy 4.0.31 #49905
• Upgrade to Hibernate 6.6.49.Final #50140
• Upgrade to Jaxen 2.0.1 #50109
• Upgrade to Jaybird 6.0.5 #49907
• Upgrade to Jetty 12.0.34 #49908
• Upgrade to jOOQ 3.19.32 #50110
• Upgrade to Lombok 1.18.46 #50148
• Upgrade to MariaDB 3.5.8 #49909
• Upgrade to Micrometer 1.15.11 #49961
• Upgrade to Micrometer Tracing 1.5.11 #49962
• Upgrade to MySQL 9.7.0 #50161
• Upgrade to Neo4j Java Driver 5.28.13 #50074
• Upgrade to Reactor Bom 2024.0.17 #49963
• Upgrade to Spring AMQP 3.2.10 #49964
• Upgrade to Spring Authorization Server 1.5.7 #49965
• Upgrade to Spring Data Bom 2025.0.11 #49966
• Upgrade to Spring Framework 6.2.18 #49967
• Upgrade to Spring Kafka 3.3.15 #50129

... (truncated)

Commits

• 7d7b3ac Release v3.5.14
• 9dc5aa2 Polish
• f533a45 Do not follow symlinks when writing PID file
• f3b8eb0 Use SecureRandom in RandomValuePropertySource
• e22083a Enable hostname verification for SSL connections to Cassandra
• 5ceb1a2 Improve ApplicationTemp's temporary directory creation
• 4b0862c Use constant-time comparison for remote DevTools secret
• e4febe2 Apply verify-hostname consistently
• 2c2ffe5 Fix Windows test failure
• 0046a44 Protect against corrupt buildpack archives
• Additional commits viewable in compare view

Updates com.sap.cloud.security:java-bom from 3.6.8 to 4.0.5

Release notes

Sourced from com.sap.cloud.security:java-bom's releases.

4.0.5

• Restore deprecated HttpClientFactory.services field and ServiceLoader-based factory discovery for backward compatibility

  • Custom HttpClientFactory implementations registered via META-INF/services are discovered again
  • A deprecation warning is logged when a custom factory is used, guiding users to migrate to SecurityHttpClientFactory with SecurityHttpClientProvider
  • Token services with default (no-arg) constructors continue to use the new SecurityHttpClientProvider internally

• Fix multi-tenant IAS token exchange by adding app_tid parameter to the token exchange request in DefaultIdTokenExtension

  • In multi-tenant applications, IAS requires app_tid in addition to client_id to uniquely identify the application
  • The app_tid is extracted from the incoming access token and included when present

4.0.4

improve domain validation handling

4.0.3

Fix multi-tenant IAS token exchange to use token issuer URL instead of provider IAS URL from configuration in DefaultIdTokenExtension

4.0.2

• Fix token exchange credential handling to use getClientIdentity() instead of manually checking for certificate vs client secret
• Add IAS certificate properties (certificate, key, credential-type, certurl) to IdentityServicesPropertySourceFactory to properly map X.509 credentials for IAS service bindings

4.0.1

Fix IAS token exchange to use getUrl() instead of getCertUrl() in DefaultIdTokenExtension

4.0.0

Major release upgrading to Spring Boot 4.x and Jakarta EE 10. Spring Boot 3.x compatibility modules provided.

Breaking Changes

Framework Upgrades:

• Spring Boot 3.x → 4.0.3
• Spring Framework 6.x → 7.0.5
• Spring Security 6.x → 7.0.3
• Jakarta Servlet API 6.0.0 → 6.1.0

Token Client HTTP Change:

• Now uses Java 11 HttpClient by default (no Apache HttpClient dependency)
• Apache HttpClient 4 constructors deprecated (removed in 5.0.0)
• Custom HTTP clients supported via SecurityHttpClientFactory

Removed Modules:

• spring-xsuaa* → use spring-security or spring-security-3
• spring-security-compatibility → use spring-security-3

Token Client Spring Classes:

• Spring-dependent classes moved to new token-client-spring module

New Features

Spring Boot 3.x Compatibility:

• spring-security-3 - Core module for Spring Boot 3.5.9

... (truncated)

Changelog

Sourced from com.sap.cloud.security:java-bom's changelog.

4.0.5

• Restore deprecated HttpClientFactory.services field and ServiceLoader-based factory discovery for backward compatibility

  • Custom HttpClientFactory implementations registered via META-INF/services are discovered again
  • A deprecation warning is logged when a custom factory is used, guiding users to migrate to SecurityHttpClientFactory with SecurityHttpClientProvider
  • Token services with default (no-arg) constructors continue to use the new SecurityHttpClientProvider internally

• Fix multi-tenant IAS token exchange by adding app_tid parameter to the token exchange request in DefaultIdTokenExtension

  • In multi-tenant applications, IAS requires app_tid in addition to client_id to uniquely identify the application
  • The app_tid is extracted from the incoming access token and included when present

4.0.4

• Improve domain validation handling in JwtValidatorBuilder for IAS tokens

4.0.3

• Fix multi-tenant IAS token exchange to use token issuer URL instead of provider IAS URL from configuration in DefaultIdTokenExtension

4.0.2

• Fix token exchange credential handling to use getClientIdentity() instead of manually checking for certificate vs client secret
• Add IAS certificate properties (certificate, key, credential-type, certurl) to IdentityServicesPropertySourceFactory to properly map X.509 credentials for IAS service bindings

4.0.1

• Fix IAS token exchange to use getUrl() instead of getCertUrl() in DefaultIdTokenExtension

4.0.0 - Major Release

This is a major release with breaking changes. The library has been upgraded to Spring Boot 4.x and Jakarta EE 10. For applications still on Spring Boot 3.x, compatibility modules are provided. Please check the 4.0 Migration Guide for comprehensive upgrade instructions

⚠️ BREAKING CHANGES

Spring Boot and Jakarta EE Version Upgrades

• Spring Boot: Upgraded from 3.x to 4.0.3
• Spring Framework: Upgraded from 6.x to 7.0.5
• Spring Security: Upgraded from 6.x to 7.0.3
• Jakarta Servlet API: Upgraded from 6.0.0 to 6.1.0
• Java: Minimum version remains Java 17
• JUnit Jupiter: Upgraded from 5.12.2 to 6.0.3

HTTP Client Default Changed

Token-client module now uses Java 11's HttpClient as the default implementation. Apache HttpClient 4 remains available as a dependency for backward compatibility.

Impact:

• ✅ No code changes required if you use the default (parameterless) constructors
• ⚠️ Deprecated constructors added for backward compatibility with Apache HttpClient 4
• ❌ Will be removed in version 5.0.0 - Plan to migrate to Java HttpClient or custom implementation

... (truncated)

Commits

• 2f9e42e Feature/restore httpclientfactory services (#1948)
• eddb3a9 Bugfix/add app tid to id token exchange (#1949)
• acb1d15 improve domain validation handling (#1945)
• ed3b9ef Bugfix/4.0.2 (#1939)
• ea432c8 Bugfix/4.0.2 (#1938)
• 4dce88b Merge pull request #1936 from SAP/feature/token-client-spring-3-module
• 3073f80 docs: Update migration guide with correct Spring Boot 3.x starter name
• f25b05e refactor: Centralize Spring Boot 3.x versions in parent POM
• c3fba41 feat: Add token-client-spring-3 module for Spring Boot 3.x compatibility
• 315650b Bugfix/id token exchange cert url and release 4.0.1 (#1935)
• Additional commits viewable in compare view

Updates com.sap.cds:cds-maven-plugin from 4.8.0 to 4.9.0

Updates org.springframework.boot:spring-boot-maven-plugin from 3.5.11 to 3.5.14

Release notes

Sourced from org.springframework.boot:spring-boot-maven-plugin's releases.

v3.5.14

🐞 Bug Fixes

• ApplicationPidFileWriter does not handle symlinks correctly #50173
• RandomValuePropertySource is not suitable for secrets #50172
• Cassandra auto-configuration misconfigures CqlSessionBuilder #50171
• ApplicationTemp does not handle symlinks correctly #50170
• Remote DevTools performs comparison incorrectly #50169
• spring.rabbitmq.ssl.verify-hostname is applied inconsistently #50168
• EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #50035
• Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #50033
• Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #50021
• WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #50008
• 500 response from env endpoint when supplied pattern is invalid #49942
• HTTP method is lost when configuring excludes in EndpointRequest #49885
• Docker Compose support doesn't work with apache/artemis image #49865
• Honor HttpMethod for reactive additional endpoint paths #49864
• Docker Compose support doesn't work with apache/activemq image #49863
• Imports on a containing test class are ignored when a nested class has imports #49860

📔 Documentation

• Link to the observability section of the Lettuce documentation is broken #50092
• Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location #50083
• MySamlRelyingPartyConfiguration is missing a Kotlin sample #50023
• Incorrect default value for management.httpexchanges.recording.include in configuration metadata #50010
• Link to the Kubernetes documentation when discussing startup probes #50007
• Update docs to encourage Java fundamentals for beginners that prefer to learn that way #49895
• Clarify that configuration property default values are not available through the Environment #49835

🔨 Dependency Upgrades

• Upgrade to Groovy 4.0.31 #49905
• Upgrade to Hibernate 6.6.49.Final #50140
• Upgrade to Jaxen 2.0.1 #50109
• Upgrade to Jaybird 6.0.5 #49907
• Upgrade to Jetty 12.0.34 #49908
• Upgrade to jOOQ 3.19.32 #50110
• Upgrade to Lombok 1.18.46 #50148
• Upgrade to MariaDB 3.5.8 #49909
• Upgrade to Micrometer 1.15.11 #49961
• Upgrade to Micrometer Tracing 1.5.11 #49962
• Upgrade to MySQL 9.7.0 #50161
• Upgrade to Neo4j Java Driver 5.28.13 #50074
• Upgrade to Reactor Bom 2024.0.17 #49963
• Upgrade to Spring AMQP 3.2.10 #49964
• Upgrade to Spring Authorization Server 1.5.7 #49965
• Upgrade to Spring Data Bom 2025.0.11 #49966
• Upgrade to Spring Framework 6.2.18 #49967
• Upgrade to Spring Kafka 3.3.15 #50129

... (truncated)

Commits

• 7d7b3ac Release v3.5.14
• 9dc5aa2 Polish
• f533a45 Do not follow symlinks when writing PID file
• f3b8eb0 Use SecureRandom in RandomValuePropertySource
• e22083a Enable hostname verification for SSL connections to Cassandra
• 5ceb1a2 Improve ApplicationTemp's temporary directory creation
• 4b0862c Use constant-time comparison for remote DevTools secret
• e4febe2 Apply verify-hostname consistently
• 2c2ffe5 Fix Windows test failure
• 0046a44 Protect against corrupt buildpack archives
• Additional commits viewable in compare view

Updates org.apache.maven.plugins:maven-enforcer-plugin from 3.6.2 to 3.6.3

Release notes

Sourced from org.apache.maven.plugins:maven-enforcer-plugin's releases.

3.6.3

🚀 New features and improvements

• Make bannedDependencies report root and transitive dependency in case both are banned. (#940) @​hvoynov
• Add enforceBytecodeVersion rule based on mojohaus (#968) @​cstamas
• Improve formatting of deprecated API warning (#951) @​mthmulders

🐛 Bug Fixes

• Fix handling of Java versions like 21.0.10.0.1 (#967) @​parttimenerd
• Add null checks for modelId in PluginWrapper (#974) @​cpfeiffer

📝 Documentation updates

• Document the banMavenDefaults option for the requirePluginVersions rule. (#936) @​rpkrajewski

👻 Maintenance

• PlexusStringUtils Refaster recipes (#943) @​slachiewicz
• JUnit Jupiter migration from JUnit 4.x (#941) @​slachiewicz

📦 Dependency updates

• Bump org.apache.logging.log4j:log4j-core from 2.25.3 to 2.25.4 in /maven-enforcer-plugin/src/it/projects/MENFORCER-434 (#970) @dependabot[bot]
• Deps: Parent POM 48 and align deps (#979) @​cstamas
• Bump commons-codec:commons-codec from 1.21.0 to 1.22.0 (#976) @dependabot[bot]
• Bump commons-io:commons-io from 2.21.0 to 2.22.0 (#975) @dependabot[bot]
• Bump mavenVersion from 3.9.14 to 3.9.15 (#973) @dependabot[bot]
• Bump mavenVersion from 3.9.13 to 3.9.14 (#965) @dependabot[bot]
• Bump mavenVersion from 3.9.12 to 3.9.13 (#964) @dependabot[bot]
• Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness from 3.5.0 to 3.5.1 (#963) @dependabot[bot]
• Update log4j in test to avoid CVE (#961) @​Bukama
• Bump commons-codec:commons-codec from 1.20.0 to 1.21.0 (#962) @dependabot[bot]
• Bump org.assertj:assertj-core from 3.27.6 to 3.27.7 (#960) @dependabot[bot]
• Bump org.codehaus.mojo:mrm-maven-plugin from 1.7.0 to 1.7.1 (#959) @dependabot[bot]
• Bump org.apache.maven:maven-parent from 46 to 47 (#958) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-archiver from 4.10.4 to 4.11.0 (#957) @dependabot[bot]
• Update to 46 including fixes (#955) @​Bukama
• Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness from 3.3.0 to 3.5.0 (#956) @dependabot[bot]
• Bump mavenVersion from 3.9.11 to 3.9.12 (#948) @dependabot[bot]
• Bump org.apache.commons:commons-lang3 from 3.19.0 to 3.20.0 (#947) @dependabot[bot]
• Bump commons-io:commons-io from 2.20.0 to 2.21.0 (#946) @dependabot[bot]
• Bump commons-codec:commons-codec from 1.19.0 to 1.20.0 (#945) @dependabot[bot]

Commits

• c7daff3 [maven-release-plugin] prepare release enforcer-3.6.3
• ee46e78 Make bannedDependencies report root and transitive dependency in case both ar...
• 0806924 Document the banMavenDefaults option for the requirePluginVersions rule. (#936)
• 8e4f5b9 Add better enforceBytecodeVersion rule based on mojohaus (#968)
• fd4b148 Add fix for 21.0.10.0.1 issue (#967)
• f32d597 Deps: Parent POM 48 and align deps (#979)
• df0f2a6 Bump commons-codec:commons-codec from 1.21.0 to 1.22.0 (#976)
• 2da7a68 Add null checks for modelId in PluginWrapper
• 91eb4d9 Bump commons-io:commons-io from 2.21.0 to 2.22.0 (#975)
• b622245 Bump mavenVersion from 3.9.14 to 3.9.15 (#973)
• Additional commits viewable in compare view

Updates com.diffplug.spotless:spotless-maven-plugin from 3.3.0 to 3.5.1

Release notes

Sourced from com.diffplug.spotless:spotless-maven-plugin's releases.

Maven Plugin v3.5.1

Fixed

• <licenseHeader> with <yearMode>SET_FROM_GIT</yearMode> no longer runs git log through a shell, eliminating a shell-injection vector when formatting files whose names contain shell metacharacters.
• Bump transitive plexus-utils 4.0.2 -> 4.0.3 to address CVE-2025-67030. (#2919)

Maven Plugin v3.5.0

Added

• <scalafmt> now reads the version from the version field in the scalafmt config file when no <version> is explicitly set, falling back to the built-in default only if neither is available. (#2922)
• Add <toml> format type with <versionCatalog> step for formatting and sorting Gradle version catalog files. (#2916)
• Add <javaparserVersion> option to <cleanthat>, allowing users to override the JavaParser version pulled in transitively by Cleanthat. (#2903)
• Add a expandWildcardImports API for java (#2829)

Fixed

• Preserve case of JDBI named bind params that collide with SQL keywords (e.g. :limit, :offset) in the DBeaver SQL formatter. (#2899)
• The -Dspotless.ratchetFrom=... user property now takes priority over <ratchetFrom> configured in the plugin or in individual formatters, instead of being overridden by them. (#2896, fixes #2842)
• Fix non-idempotent formatting when importOrder() is combined with greclipse(): a single catch-all group no longer strips blank lines that greclipse() independently inserted between import groups. (#2914)

Changes

• Fix expandWildcardImports failing on JDK XML types such as org.xml.sax.InputSource. (#2921)
• Use Eclipse JDT's collator-based comparison when sorting Java members to better match Eclipse save actions. (#2920)
• Bump default cleanthat version 2.24 -> 2.25. (#2903)
• Bump default eclipse-jdt version from 4.35 to 4.39. (#2912)

Maven Plugin v3.4.0

Added

• Add tableTest format type for standalone .table files. (#2880)

Changes

• Bump default tabletest-formatter version 1.0.1 -> 1.1.1, now works with Java 17+. (#2880)

Lib v3.3.1

Fixed

• GitPrePushHookInstaller didn't work on windows, now fixed. (#2562)

Changelog

Sourced from com.diffplug.spotless:spotless-maven-plugin's changelog.

spotless-lib and spotless-lib-extra releases

If you are a Spotless user (as opposed to developer), then you are probably looking for:

• https://github.com/diffplug/spotless/blob/main/plugin-gradle/CHANGES.md
• https://github.com/diffplug/spotless/blob/main/plugin-maven/CHANGES.md

This document is intended for Spotless developers.

We adhere to the keepachangelog format (starting after version 1.27.0).

[Unreleased]

Changes

• Formatter no longer recomputes line-ending normalization (LineEnding.toUnix) a second time for every formatter step that changes content, removing redundant O(n) work from the core formatting loop. (#2934)

[4.6.1] - 2026-05-15

Fixed

• LicenseHeaderStep in SET_FROM_GIT year mode no longer invokes git log through bash -c / cmd /c, eliminating a shell-injection vector when processing repositories that contain files whose names include shell metacharacters.

[4.6.0] - 2026-05-14

Added

• scalafmt() now reads the version from the version field in the scalafmt config file when no version is explicitly set in the plugin config, falling back to the built-in default only if neither is available. (#2922)
• Add versionCatalog step for formatting and sorting Gradle version catalog (.toml) files. (#2916)
• Add javaparserVersion option to the Cleanthat step, allowing callers to override the JavaParser version pulled in transitively by Cleanthat. (#2903)

Fixed

• Preserve case of JDBI named bind params that collide with SQL keywords (e.g. :limit, :offset) in the DBeaver SQL formatter. (#2899)
• Fix non-idempotent formatting when importOrder() is combined with greclipse(): a single catch-all group no longer strips blank lines that greclipse() independently inserted between import groups. (#2914)

Changes

• Fix expandWildcardImports failing on JDK XML types such as org.xml.sax.InputSource. (#2921)
• Use Eclipse JDT's collator-based comparison when sorting Java members to better match Eclipse save actions. (#2920)
• Bump default cleanthat version 2.24 -> 2.25. (#2903)
• Bump default eclipse-jdt version from 4.35 to 4.39. (#2912)

[4.5.0] - 2026-03-18

Added

• Add tableTest format type for standalone .table files. (#2880)

Changes

• Bump default tabletest-formatter version 1.0.1 -> 1.1.1, now works with Java 17+. (#2880)

[4.4.0] - 2026-03-02

Added

• Add tabletest-formatter support for Java and Kotlin. (#2860)

Fixed

• Fix the ability to specify a wildcard version (*) for external formatter executables, which did not work. (#2848)
• [fix] ConcurrentModificationException in expandWildcardImports (#2830)

[4.3.0] - 2026-01-27

Added

• Add P2Provisioner interface in lib-extra to enable build-tool-specific caching strategies for Eclipse P2 dependencies, fixing OutOfMemoryError in large multi-project builds. (#2788)

Fixed

... (truncated)

Commits

• 0c48edf Published maven/3.5.1
• c1595c8 Published gradle/8.5.1
• b26b570 Published lib/4.6.1
• ac3f6f1 Bump plexus-utils to 4.0.3 to address CVE-2025-67030 (#2932)
• f5039f6 Bump plexus-utils to 4.0.3 to address CVE-2025-67030
• 0e77837 Fix shell-injection in LicenseHeaderStep SET_FROM_GIT mode (#2931)
• 84f6423 Fix shell-injection in LicenseHeaderStep SET_FROM_GIT mode
• b87eb75 Published maven/3.5.0
• 97c3baf Published gradle/8.5.0
• 3dd1a96 Published lib/4.6.0
• Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-maven-plugin from 3.5.11 to 3.5.14

Release notes

Sourced from org.springframework.boot:spring-boot-maven-plugin's releases.

v3.5.14

🐞 Bug Fixes

• ApplicationPidFileWriter does not handle symlinks correctly #50173
• RandomValuePropertySource is not suitable for secrets #50172
• Cassandra auto-configuration misconfigures CqlSessionBuilder #50171
• ApplicationTemp does not handle symlinks correctly #50170
• Remote DevTools performs comparison incorrectly #50169
• spring.rabbitmq.ssl.verify-hostname is applied inconsistently #50168
• EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #50035
• Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #50033
• Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #50021
• WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #50008
• 500 response from env endpoint when supplied pattern is invalid #49942
• HTTP method is lost when configuring excludes in EndpointRequest #49885
• Docker Compose support doesn't work with apache/artemis image #49865
• Honor HttpMethod for reactive additional endpoint paths #49864
• Docker Compose support doesn't work with apache/activemq image

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.