Update all dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
com.diffplug.spotless:spotless-maven-plugin	3.1.0 → 3.2.1
org.apache.maven.plugins:maven-compiler-plugin (source)	3.14.1 → 3.15.0
org.assertj:assertj-db	3.0.1 → 3.0.2
org.springframework.boot:spring-boot-starter-parent (source)	4.0.1 → 4.0.3

---

Release Notes

diffplug/spotless (com.diffplug.spotless:spotless-maven-plugin)

v3.2.0

Added

• Support for idea (#​2020, #​2535)
• Add support for removing wildcard imports via removeWildcardImports step. (#​2517)
• scalafmt: enforce version consistency between the version configured in Spotless and the version declared in Scalafmt config file (#​2460)

Fixed

• SortPom disable expandEmptyElements, to avoid empty body warnings. (#​2520)
• Fix biome formatter for new major release 2.x of biome (#​2537)
• Make sure npm-based formatters use the correct node_modules directory when running in parallel. (#​2542)

Changed

• Bump internal dependencies for npm-based formatters (#​2542)

spring-projects/spring-boot (org.springframework.boot:spring-boot-starter-parent)

v4.0.3

Compare Source

⭐ New Features

• Add TWENTY_SIX to JavaVersion enum #​49193

🐞 Bug Fixes

• Jackson properties may not be applied correctly to RestClients #​49223
• ClassNotFoundException when using Actuator without spring-boot-health #​49196
• Using the OTel and Zipkin starters together creates invalid configuration #​49183
• Whitespace can be incorrectly removed when spring-boot-configuration-processor runs on multi-line javadoc #​49060
• Jackson2HttpMessageConvertersConfiguration uses ConditionOn Jackson3 XMLMapper class #​49015
• server.jetty.threads.max is ignored when using virtual threads #​48989
• Slice test includes fail to load when using spring-boot-starter-test-classic #​48981
• Docker credential helpers with file extensions cannot be executed on Windows #​48979
• Java version requirement check for native image is confusing if AOT didn't run #​48963
• TestPropertyValues.Pair.fromMapEntry(Entry<String, String>) does not comply with its nullability contract #​48948

📔 Documentation

• Couchbase and Kafka are incorrectly listed as supporting SSL with Docker Compose #​49212
• Document that use of non idiomatic format for '@Value' still apply for environment variables #​49109
• Document naming convention for custom test-scoped starters #​49017
• Delay removal of Jackson 2 support until 4.3 at the earliest #​49010
• LICENSE.txt and NOTICE.txt files have the wrong content in the latest releases #​49003
• ApplicationContextAssert documents a non-existent assertion in getFailure() #​48977
• Highlight the importance of the preStop hook when configuring Kubernetes probes #​48946

🔨 Dependency Upgrades

• Upgrade to AssertJ 3.27.7 #​49095
• Upgrade to Elasticsearch Client 9.2.5 #​49184
• Upgrade to Groovy 5.0.4 #​49097
• Upgrade to Hibernate 7.2.3.Final #​49098
• Upgrade to Hibernate 7.2.4.Final #​49167
• Upgrade to Jaybird 6.0.4 #​49099
• Upgrade to JBoss Logging 3.6.2.Final #​49100
• Upgrade to Jersey 4.0.2 #​49101
• Upgrade to Jetty 12.1.6 #​49102
• Upgrade to jOOQ 3.19.30 #​49103
• Upgrade to JUnit Jupiter 6.0.3 #​49233
• Upgrade to Logback 1.5.29 #​49169
• Upgrade to Logback 1.5.32 #​49245
• Upgrade to Micrometer 1.16.3 #​49111
• Upgrade to Micrometer Tracing 1.6.3 #​49112
• Upgrade to MongoDB 5.6.3 #​49105
• Upgrade to MySQL 9.6.0 #​49106
• Upgrade to Netty 4.2.10.Final #​49107
• Upgrade to Postgresql 42.7.10 #​49202
• Upgrade to Reactor Bom 2025.0.3 #​49087
• Upgrade to Spring Data Bom 2025.1.3 #​49088
• Upgrade to Spring Framework 7.0.5 #​49216
• Upgrade to Spring Integration 7.0.3 #​49217
• Upgrade to Spring Kafka 4.0.3 #​49090
• Upgrade to Spring LDAP 4.0.2 #​49091
• Upgrade to Spring Pulsar 2.0.3 #​49092
• Upgrade to Spring Security 7.0.3 #​49093
• Upgrade to Spring Session 4.0.2 #​49094
• Upgrade to Tomcat 11.0.18 #​49108

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​GaetanoCerciello, @​dsyer, @​linkian209, @​nosan, @​quaff, @​scordio, and @​srt

v4.0.2

Compare Source

⚠️ Noteworthy Changes

• The dependency on org.eclipse.jetty.ee11:jetty-ee11-servlets has been removed from spring-boot-jetty as it was unnecessary and unused. If your application code depends on a class from jetty-ee11-servlets, declare a dependency on it in your build configuration. #​48677

🐞 Bug Fixes

• No TransactionAutoConfiguration with spring-boot-starter-kafka for Spring Boot 4 #​48880
• Evaluation of bean conditions unnecessarily queries the bean factory for types that are not present #​48840
• When a bean condition references a type that is not present, it appears as ? in the condition evaluation report #​48838
• SessionAutoConfiguration creates a DefaultCookieSerializer with a default SameSite of null instead of Lax #​48830
• Setting graphql schema location to "classpath*:graphql/**/" causes failure due to incorrectly packaged test resource #​48829
• Message interpolation by MVC and WebFlux's Validators does not work correctly in a native image #​48828
• CloudFoundry integration fails in Servlet-based web app without a dependency on spring-boot-starter-restclient #​48826
• RestTestClientAutoConfiguration and TestRestTemplateAutoConfiguration should be package-private #​48820
• SSL metrics are no longer auto-configured #​48819
• Actuator /info endpoint fails in Java 25 Native Image (VirtualThreadSchedulerMXBean support) #​48812
• DataSourceBuilder cannot create oracle.ucp.jdbc.PoolDataSourceImpl in a native image #​48703
• The spring-boot-cloudfoundry module should only have an optional dependency on spring-boot-security #​48685
• Application JAR created by extract command is not reproductible #​48678
• AOT processing of tests should not be disabled when 'skipTests' is set #​48662
• @SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT) is no longer applied to the management server #​48653
• Fix zero-length byte buffer in InspectedContent #​48650
• Can no longer override JacksonJsonHttpMessageConverter with ServerHttpMessageConvertersCustomizer #​48635
• HttpServiceClientProperties incorrectly uses the @ConfigurationProperties annotation on a LinkedHashMap class #​48616
• spring-boot-micrometer-tracing-opentelemetry fails if spring-boot-opentelemetry isn't there #​48585
• App fails to start with starter-webmvc and starter-zipkin #​48581
• Micrometer test modules should have an api dependency on micrometer-observation-test #​48386

📔 Documentation

• Fix typo in REST client documentation #​48907
• Remove duplicate word #​48874
• Document support for configuring arguments passed to Docker Compose #​48806
• The documentation related to EnvironmentPostProcessor links to deprecated interface #​48803
• Update documentation for Buildpack's AOT Cache support #​48769
• Correct docs to use new location for error handling configuration properties #​48767
• Document spring-boot-starter-cloudfoundry on Cloud Foundry Support Page #​48675
• Clarify javadoc to make it clear that HazelcastConfigCustomizer beans are only applied if Hazelcast is configured via a config file #​48659
• Example using excludeDevtools property should document that optional dependencies should be enabled #​48641
• Fix grammar and typos in the reference guide #​48601
• Update Tracing section for Spring Boot 4's modularity #​48576

🔨 Dependency Upgrades

• Upgrade to Classmate 1.7.3 #​48783
• Upgrade to Elasticsearch Client 9.2.3 #​48721
• Upgrade to Hibernate 7.2.1.Final #​48857
• Upgrade to HttpClient5 5.5.2 #​48784
• Upgrade to Jackson 2 Bom 2.20.2 #​48910
• Upgrade to Jackson Bom 3.0.4 #​48931
• Upgrade to JUnit Jupiter 6.0.2 #​48785
• Upgrade to Lettuce 6.8.2.RELEASE #​48859
• Upgrade to Logback 1.5.24 #​48786
• Upgrade to Logback 1.5.25 #​48885
• Upgrade to Micrometer 1.16.2 #​48712
• Upgrade to Micrometer Tracing 1.6.2 #​48713
• Upgrade to Native Build Tools Plugin 0.11.4 #​48911
• Upgrade to Pooled JMS 3.1.9 #​48787
• Upgrade to Postgresql 42.7.9 #​48886
• Upgrade to R2DBC MSSQL 1.0.4.RELEASE #​48858
• Upgrade to Reactor Bom 2025.0.2 #​48714
• Upgrade to Spring AMQP 4.0.2 #​48832
• Upgrade to Spring Batch 6.0.2 #​48715
• Upgrade to Spring Data Bom 2025.1.2 #​48716
• Upgrade to Spring Framework 7.0.3 #​48717
• Upgrade to Spring GraphQL 2.0.2 #​48718
• Upgrade to Spring HATEOAS 3.0.2 #​48834
• Upgrade to Spring Integration 7.0.2 #​48833
• Upgrade to Spring Kafka 4.0.2 #​48719
• Upgrade to Spring Pulsar 2.0.2 #​48720
• Upgrade to WebJars Locator Lite 1.1.3 #​48788
• Upgrade to XML Maven Plugin 1.2.1 #​48887

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​GaoSSR, @​ShaunHaldane, @​Zuohuang-Cai, @​izeye, @​mspiess, @​ngocnhan-tran1996, and @​philipbolting

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

---

This change is 

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 2 package(s) with unknown licenses.

See the Details below.

License Issues

pom.xml

Package	Version	License	Issue Type
com.diffplug.spotless:spotless-maven-plugin	3.2.1	Null	Unknown License
org.apache.maven.plugins:maven-compiler-plugin	3.15.0	Null	Unknown License

Allowed Licenses:

CC0-1.0, CC-BY-4.0, Unlicense, WTFPL, 0BSD, MIT, Apache-2.0, ISC, BSD-2-Clause, BSD-3-Clause, Zlib, MPL-1.1, MPL-2.0, CDDL-1.0, EPL-1.0, EPL-2.0, CECILL-2.1, LGPL-2.1-only, LGPL-2.1-or-later, LGPL-3.0-only, LGPL-3.0-or-later, EUPL-1.0, EUPL-1.1, EUPL-1.2, AAL, AFL-3.0, Apache-1.1, APL-1.0, APSL-2.0, Artistic-1.0-Perl, Artistic-2.0, BSL-1.0, CATOSL-1.1, CPAL-1.0, CUA-OPL-1.0, ECL-2.0, EFL-2.0, Entessa, EUDatagrid, Fair, LPPL-1.3c, LPL-1.02, MirOS, Motosoto, Multics, NASA-1.3, NCSA, NTP, Naumen, Nokia, PostgreSQL, PSF-2.0, RPSL-1.0, RSCPL, SimPL-2.0, Sleepycat, SPL-1.0, VSL-1.0, W3C, W3C-20150513, Xnet, ZPL-2.0

Excluded from license check:

pkg:githubactions/trufflesecurity/trufflehog

OpenSSF Scorecard

Package	Version	Score	Details
maven/com.diffplug.spotless:spotless-maven-plugin	3.2.1	🟢 6.2	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 4 Found 4/10 approved changesets -- score normalized to 4 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits
maven/org.apache.maven.plugins:maven-compiler-plugin	3.15.0	🟢 5.8	Details Check Score Reason Maintained 🟢 10 16 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 7 Found 15/20 approved changesets -- score normalized to 7 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
maven/org.assertj:assertj-db	3.0.2	Unknown	Unknown

Scanned Files

• pom.xml