Unblock Dependabot security updates by bumping MINA to 2.2.7 and removing stale config-level ignore

[Copilot]

Dependabot security updates for org.apache.mina:mina-core were failing with all_versions_ignored due to a historical PR-comment ignore (>=2.2.0,<2.3) combined with a temporary config ignore (<=2.2.4). This change moves QuickFIX/J to a patched MINA release and restores dependabot.yml to a clean state so security updates are no longer blocked by repo config.

• Dependency version update

  • In root pom.xml, bumped apache.mina.version from 2.2.4 to 2.2.7 (latest stable patched 2.2.x on Maven Central).

• Dependabot config cleanup

  • Removed the temporary ignore entry for org.apache.mina:mina-core from .github/dependabot.yml.
  • Maven and GitHub Actions update blocks remain in their original minimal form.

• Resulting config delta (illustrative)

  <!-- pom.xml -->
  <apache.mina.version>2.2.7</apache.mina.version>

  # .github/dependabot.yml (maven block)
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• www.quickfixj.org
  • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java -jar /home/REDACTED/work/quickfixj/quickfixj/quickfixj-base/target/surefire/surefirebooter-20260507081655017_9.jar /home/REDACTED/work/quickfixj/quickfixj/quickfixj-base/target/surefire 2026-05-07T08-16-47_621-jvmRun1 surefire-20260507081655017_7tmp surefire_1-20260507081655017_8tmp (dns block)
  • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java -jar /home/REDACTED/work/quickfixj/quickfixj/quickfixj-base/target/surefire/surefirebooter-20260507081745802_9.jar /home/REDACTED/work/quickfixj/quickfixj/quickfixj-base/target/surefire 2026-05-07T08-17-37_188-jvmRun1 surefire-20260507081745802_7tmp surefire_1-20260507081745802_8tmp (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

Problem

The Dependabot security job is failing with all_versions_ignored because:

1. A stored @dependabot ignore this minor version command (from PR Bump mina-core from 2.1.5 to 2.2.1 #509, Nov 2022) blocks all mina-core >= 2.2.0, < 2.3 versions.
2. This ignore rule cannot be cleared via the closed PR.

The current mina-core version in pom.xml is 2.2.4 (via the apache.mina.version property).

Required Changes

1. Update pom.xml: Look up the latest stable mina-core version available on Maven Central (https://mvnrepository.com/artifact/org.apache.mina/mina-core) and update the apache.mina.version property accordingly. As of the time of writing, check for the latest 2.2.x or newer patch release beyond 2.2.4.

2. Update .github/dependabot.yml: Remove the ignore block for org.apache.mina:mina-core that was recently added (it contains versions: ["<= 2.2.4"]), reverting it back to its original clean state:

version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10

Context

• apache.mina.version property is defined in the root pom.xml around line 96
• The Dependabot security advisory requires a version of mina-core newer than 2.2.4
• The ignore rule stored from the old PR comment covers >= 2.2.0, < 2.3, so if the fix is in 2.2.x, we need to either move to 2.3.x+ or the specific patched 2.2.x version

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Please find a solution for this failing job. Use the logs, job definition, and any referenced files where the failure occurred. Keep your response focused on the solution and include code suggestions when appropriate.

Assistant: I'll grab the job logs right away!

Assistant: The job failed with an all_versions_ignored error. This means Dependabot found a dependency with available security updates, but all candidate versions are being ignored, so it has nothing to propose.

Your .github/dependabot.yml has no ignore: rules defined, so the ignore rules were most likely added via a @dependabot ignore comment on a previous pull request (e.g., @dependabot ignore this major version). These rules are stored in Dependabot's backend, not in the config file.

---

How to Fix

Option 1 — Unignore via a PR comment

Find the previously closed/merged Dependabot PR for the affected dependency and post:

@dependabot unignore

Or to unignore a specific version:

@dependabot unignore <dependency-name>

Option 2 — Add explicit ignore rules to dependabot.yml (if you intentionally want to skip certain versions but not all)

updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10
    ignore:
      - dependency-name: "com.example:some-dependency"
        versions: ["1.x"]   # Only ignore specific versions, not all

Option 3 — Review ignored dependencies via the GitHub UI

Navigate to:

Insights → Dependency graph → Dependabot → [the affected update]

From there you can see and clear any stored ignore rules for individual dependencies.

---

Root Cause Summary

Error	Cause	Fix
all_versions_ignored	A prior @dependabot ignore command blocked all available versions of a dependency	Use @dependabot unignore or clear via the GitHub Dependabot UI

Since this is a security update job ("command": "security"), it's especially important to resolve this so critical vulnerabilities aren't silently skipped.

User: dependabot can't perform the requested action because the pull request was closed over about 2 years ago.
i cannot see any ignore rules under dependency graph -> dependabot

Assistant: Now I have the full picture. Here's exactly what happened and how to fix it:

Root Cause: In November 2022, @dependabot ignore this minor version was used on PR #509, which blocked all mina-core 2.2.x updates. The repo's mina-core is currently at 2.2.4, and there's now a security advisory requiring a newer 2.2.x patch — but Dependabot's stored ignore rule is still blocking those versions. Since the PR is >2 years old, @dependabot unignore on it doesn't work.

Solution: GitHub's docs state that ignore conditions in dependabot.yml completely override any stored PR-comment-based ignores for that dependency. You can use this to clear the stale ignore by adding an entry that only blocks already-installed-or-older versions, freeing up any newer fix:

version: 2
updates:
  - package-ecosystem: "m...

</details>



<!-- START COPILOT CODING AGENT SUFFIX -->

*This pull request was created from Copilot chat.*
>