fix(deps): update all non-major dependencies (main)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
actionlint		patch	1.7.9 → 1.7.11
java		patch	25.0.1+8.0.LTS → 25.0.2+10.0.LTS
com.sap.cloud:neo-java-web-api (source)	provided	minor	[3.71.8,5.38.0) → [3.71.8,5.40.4)
com.fasterxml.jackson:jackson-bom	import	minor	2.20.1 → 2.21.1
com.diffplug.spotless:spotless-maven-plugin	build	minor	3.1.0 → 3.2.1
org.springframework.boot:spring-boot-maven-plugin (source)	build	patch	3.5.9 → 3.5.11
org.junit.jupiter:junit-jupiter (source)	test	patch	6.0.1 → 6.0.3
org.assertj:assertj-core (source)	test	patch	3.27.6 → 3.27.7
com.sap.cloud.sdk.datamodel:odata-generator (source)	compile	minor	5.25.0 → 5.26.0
com.sap.cloud.sdk.s4hana:rfc (source)	compile	minor	5.25.0 → 5.26.0
com.sap.cloud.sdk.s4hana:s4hana-connectivity (source)	compile	minor	5.25.0 → 5.26.0
com.sap.cloud.sdk:sdk-core (source)	compile	minor	5.25.0 → 5.26.0
com.sap.cloud.sdk:sdk-bom (source)	import	minor	5.25.0 → 5.26.0
io.camunda.connector:element-template-generator-maven-plugin	build	patch	8.8.4 → 8.8.7
io.camunda.connector:connector-test	test	patch	8.8.4 → 8.8.7
io.camunda.connector:element-template-generator-core	optional	patch	8.8.4 → 8.8.7
io.camunda.connector:spring-boot-starter-camunda-connectors	compile	patch	8.8.4 → 8.8.7
io.camunda.connector:spring-boot-starter-camunda-connectors	test	patch	8.8.4 → 8.8.7
io.camunda.connector:connector-runtime-test	test	patch	8.8.4 → 8.8.7
io.camunda.connector:connector-validation	provided	patch	8.8.4 → 8.8.7
io.camunda.connector:connector-core	provided	patch	8.8.4 → 8.8.7
ch.qos.logback:logback-classic (source, changelog)	compile	patch	1.5.23 → 1.5.32
ch.qos.logback:logback-core (source, changelog)	compile	patch	1.5.23 → 1.5.25
org.springframework.boot:spring-boot-dependencies (source)	import	patch	3.5.9 → 3.5.11

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-1225

ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file.

The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.

---

Release Notes

rhysd/actionlint (actionlint)

v1.7.11

Compare Source

• Support the case() function in ${{ }} expressions which was recently added to GitHub Actions. (#​612, #​614, thanks @​heppu)

  env:
    # ERROR: case() requires an odd number of arguments
    ENVIRONMENT: |-
      ${{ case(
        github.ref == 'refs/heads/main', 'production',
        github.ref == 'refs/heads/staging', 'staging'
      ) }}

• Support new macos-26-large and windows-2025-vs2026 runner labels. See the GitHub's announce for more details. (#​615, thanks @​hugovk and @​muzimuzhi)
• Enable Artifact attestations for the released binaries. From v1.7.11 gh command can verify the integrity of the downloaded binaries as follows. The verification is highly recommended in terms of supply chain security. (#​608, thanks @​takaram)

  $ gh release download --repo rhysd/actionlint --pattern '*_darwin_amd64.tar.gz' v1.7.11
  $ gh attestation verify --repo rhysd/actionlint actionlint_1.7.11_darwin_amd64.tar.gz
  Loaded digest sha256:17ffc17fed8f0258ef6ad4aed932d3272464c7ef7d64e1cb0d65aa97c9752107 for file://actionlint_1.7.11_darwin_amd64.tar.gz
  Loaded 1 attestation from GitHub API
  
  The following policy criteria will be enforced:
  - Predicate type must match:................ https://slsa.dev/provenance/v1
  - Source Repository Owner URI must match:... https://github.com/rhysd
  - Source Repository URI must match:......... https://github.com/rhysd/actionlint
  - Subject Alternative Name must match regex: (?i)^https://github.com/rhysd/actionlint/
  - OIDC Issuer must match:................... https://token.actions.githubusercontent.com
  
  ✓ Verification succeeded!
  
  The following 1 attestation matched the policy criteria
  
  - Attestation #​1
    - Build repo:..... rhysd/actionlint
    - Build workflow:. .github/workflows/release.yaml@refs/tags/v1.7.11
    - Signer repo:.... rhysd/actionlint
    - Signer workflow: .github/workflows/release.yaml@refs/tags/v1.7.11

• Report path filters with ./ because they never match anything. (#​521)

  on:
    push:
      paths:
        # ERROR: This never matches anything. `foo/bar.txt` is correct.
        - ./foo/bar.txt

• Fix comparing matrix items when an item is a super set of another item. (#​523, #​613, thanks @​michaelgruenewald)
• Fix stack overflow crash by a recursive anchor in matrix items. (#​610)
• Fix a unassigned variable false positive from shellcheck by disabling SC2153 rule. (#​573)
• Reduce the number of memory allocations on resolving anchors.
• Update the popular actions data set to the latest.
• Update Go dependencies to the latest.
• Remove legacy Homebrew formula in rhysd/actionlint repository in favor of the cask package. Note that this change does not affect Homebrew's official formula.
• Add a link to the release page of the version in the playground.

[Changes][v1.7.11]

v1.7.10

Compare Source

• Support YAML anchors and aliases (&anchor and *anchor) in workflow files. In addition to parsing YAML anchors correctly, actionlint checks unused and undefined anchors. See the document for more details. (#​133, thanks @​srz-zumix for the initial implementation at #​568 and @​alexaandru for trying another approach at #​557)

  jobs:
    test:
      runs-on: ubuntu-latest
      services:
        nginx:
          image: nginx:latest
          credentials: &credentials
            username: ${{ secrets.user }}
            password: ${{ secrets.password }}
      steps:
        - run: ./download.sh
          # OK: Valid alias to &credentials
          env: *credentials
        - run: ./check.sh
          # ERROR: Undefined anchor 'credential'
          env: *credential
        - run: ./upload.sh
          # ERROR: Unused anchor 'credentials'
          env: &credentials

• Remove support for *-xl macOS runner labels because they were dropped. (#​592, thanks @​muzimuzhi)
• Remove support for the macOS 13 runner labels because they were dropped on Dec 4, 2025. (#​593, thanks @​muzimuzhi)
  • macos-13
  • macos-13-large
  • macos-13-xlarge
• Increase the maximum number of inputs in the workflow_dispatch event from 10 to 25 because the limitation was recently relaxed. (#​598, thanks @​Haegi)
• Support artifact-metadata permission for workflow permissions. (#​602, thanks @​martincostello)
• Detect more complicated constants at if: conditions as error. See the rule document for more details.
• Refactor the workflow parser with Go iterators. This slightly improves the performance and memory usage.
• Fix parsing extra { and } characters in format string of format() function call. For example v1.7.9 didn't parse "{{0} {1} {2}}" correctly.
• Detect an invalid value at type in workflow call inputs as error.
• Report YAML merge key << as error because GitHub Actions doesn't support the syntax.
• Check available contexts in expressions at jobs.<job_id>.snapshot.if.

  snapshot:
    image-name: my-custom-image
    # ERROR: `env` context is not allowed here
    if: ${{ env.USE_SNAPSHOT == 'true' }}

• Fix the instruction to install actionlint with mise in the installation document. (#​591, thanks @​risu729)
• Update the popular actions data set to the latest to include new major versions of the actions.

[Changes][v1.7.10]

diffplug/spotless (com.diffplug.spotless:spotless-maven-plugin)

v3.2.0

Added

• Support for idea (#​2020, #​2535)
• Add support for removing wildcard imports via removeWildcardImports step. (#​2517)
• scalafmt: enforce version consistency between the version configured in Spotless and the version declared in Scalafmt config file (#​2460)

Fixed

• SortPom disable expandEmptyElements, to avoid empty body warnings. (#​2520)
• Fix biome formatter for new major release 2.x of biome (#​2537)
• Make sure npm-based formatters use the correct node_modules directory when running in parallel. (#​2542)

Changed

• Bump internal dependencies for npm-based formatters (#​2542)

spring-projects/spring-boot (org.springframework.boot:spring-boot-maven-plugin)

v3.5.11

Compare Source

🐞 Bug Fixes

• Whitespace can be incorrectly removed when spring-boot-configuration-processor runs on multi-line javadoc #​49039
• server.jetty.threads.max is ignored when using virtual threads #​48982
• Docker credential helpers with file extensions cannot be executed on Windows #​48965

📔 Documentation

• Couchbase and Kafka are incorrectly listed as supporting SSL with Docker Compose #​49211
• Document that use of non idiomatic format for '@Value' still apply for environment variables #​49054
• Document naming convention for custom test-scoped starters #​49014
• LICENSE.txt and NOTICE.txt files have the wrong content in the latest releases #​48996
• ApplicationContextAssert documents a non-existent assertion in getFailure() #​48973
• Highlight the importance of the preStop hook when configuring Kubernetes probes #​48936

🔨 Dependency Upgrades

• Upgrade to AssertJ 3.27.7 #​49075
• Upgrade to Groovy 4.0.30 #​49076
• Upgrade to Hibernate 6.6.42.Final #​49077
• Upgrade to Jaybird 6.0.4 #​49078
• Upgrade to JBoss Logging 3.6.2.Final #​49079
• Upgrade to Jetty 12.0.32 #​49080
• Upgrade to jOOQ 3.19.30 #​49081
• Upgrade to Logback 1.5.32 #​49243
• Upgrade to Micrometer 1.15.9 #​49064
• Upgrade to Micrometer Tracing 1.5.9 #​49065
• Upgrade to MySQL 9.6.0 #​49083
• Upgrade to Netty 4.1.131.Final #​49165
• Upgrade to Postgresql 42.7.10 #​49201
• Upgrade to Reactor Bom 2024.0.15 #​49066
• Upgrade to Spring Authorization Server 1.5.6 #​49067
• Upgrade to Spring Data Bom 2025.0.9 #​49068
• Upgrade to Spring Framework 6.2.16 #​49069
• Upgrade to Spring GraphQL 1.4.5 #​49070
• Upgrade to Spring Integration 6.5.7 #​49071
• Upgrade to Spring Kafka 3.3.13 #​49244
• Upgrade to Spring LDAP 3.3.6 #​49072
• Upgrade to Spring Pulsar 1.2.15 #​49073
• Upgrade to Spring Security 6.5.8 #​49225
• Upgrade to Spring Session 3.5.5 #​49074
• Upgrade to Tomcat 10.1.52 #​49084
• Upgrade to Undertow 2.3.23.Final #​49166

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​dsyer, @​linkian209, @​nosan, @​quaff, @​scordio, and @​srt

v3.5.10

Compare Source

🐞 Bug Fixes

• Evaluation of bean conditions unnecessarily queries the bean factory for types that are not present #​48836
• When a bean condition references a type that is not present, it appears as ? in the condition evaluation report #​48835
• Actuator /info endpoint fails in Java 25 Native Image (VirtualThreadSchedulerMXBean support) #​48810
• DataSourceBuilder cannot create oracle.ucp.jdbc.PoolDataSourceImpl in a native image #​48702
• Application JAR created by extract command is not reproductible #​48664
• AOT processing of tests should not be disabled when 'skipTests' is set #​48661
• Fix zero-length byte buffer in InspectedContent #​48649

📔 Documentation

• Update documentation for Buildpack's AOT Cache support #​48768
• Document support for configuring arguments passed to Docker Compose #​48657
• Clarify javadoc to make it clear that HazelcastConfigCustomizer beans are only applied if Hazelcast is configured via a config file #​48634
• Fix grammar and typos in the reference guide #​48596

🔨 Dependency Upgrades

• Upgrade to Classmate 1.7.3 #​48775
• Upgrade to Hibernate 6.6.41.Final #​48881
• Upgrade to HttpClient5 5.5.2 #​48777
• Upgrade to Logback 1.5.25 #​48882
• Upgrade to Micrometer 1.15.8 #​48705
• Upgrade to Micrometer Tracing 1.5.8 #​48706
• Upgrade to Pooled JMS 3.1.9 #​48779
• Upgrade to Postgresql 42.7.9 #​48883
• Upgrade to R2DBC MSSQL 1.0.4.RELEASE #​48847
• Upgrade to Reactor Bom 2024.0.14 #​48707
• Upgrade to REST Assured 5.5.7 #​48884
• Upgrade to Spring AMQP 3.2.9 #​48909
• Upgrade to Spring Data Bom 2025.0.8 #​48708
• Upgrade to Spring Integration 6.5.6 #​48921
• Upgrade to Spring Kafka 3.3.12 #​48709
• Upgrade to Spring Pulsar 1.2.14 #​48710
• Upgrade to Undertow 2.3.22.Final #​48848
• Upgrade to WebJars Locator Lite 1.1.3 #​48780

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​GaoSSR, @​izeye, and @​ngocnhan-tran1996

camunda/connectors (io.camunda.connector:element-template-generator-maven-plugin)

v8.8.7

Compare Source

🐛 Bug Fixes

• a36f070 - ETG: Fix group generation for element templates (PR #​6179 by @​sbuettner)
  • ↘️ fixes issue #​6178 opened by @​sbuettner
• b4983b0 - operation: Fix exception ConnectorException handling (#​6201) (PR #​6204 by @​team-connectors-int-automation[bot])
• 1c1c3c8 - remove @​FEEL from Bearer token attribute (PR #​6206 by @​johnBgood)

🔧 Chores

• 3f1cd65 - dependencies: Clean up feel engine scala 3 dependency (commit by @​sbuettner)

v8.8.6

Compare Source

🐛 Bug Fixes

• 338f88a - ci: transform release branch names to base branch for Helm chart lookup (commit by @​vringar)
• f34ba8c - ci: use stable/ prefix in helm-git-refs.json for branch lookup (commit by @​vringar)
• f570d93 - ci: add explicit image-source parameter to INTEGRATION_TEST workflow (PR #​6021 by @​vringar)
• fff9fa9 - include exception details in activity error logs (PR #​6097 by @​vringar)
• 41d6a95 - agentic-ai: Always create user message when handling events (#​6105) (PR #​6119 by @​team-connectors-int-automation[bot])

🔧 Chores

• 42792c5 - Use hardened Docker base images from Minimus to reduce CVEs (commit by @​cmur2)

v8.8.5

Compare Source

✨ New Features

• dac44f6 - agentic-ai: Provide default model call timeout to agentic ai task/subprocess (PR #​5966 by @​nikonovd)

🐛 Bug Fixes

• 9c87f3a - textract: Make textract connector usable (PR #​5490 by @​ztefanie)
  • ↘️ fixes issue #​5341 opened by @​ztefanie
  • ↘️ fixes issue #​5489 opened by @​ztefanie
• 928654c - response-expression: Allow result expression evaluation with null response body (#​5862) (PR #​5873 by @​team-connectors-int-automation[bot])
• b109d3d - GHA: CI improvements for self-hosted runners (PR #​6017 by @​vringar)
• 4096182 - ci: transform release branch names to base branch for Helm chart lookup (commit by @​vringar)
• 99881e9 - ci: use stable/ prefix in helm-git-refs.json for branch lookup (commit by @​vringar)

🔧 Chores

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) in timezone Europe/Berlin, Automerge - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday ( * 0-4,22-23 * * 1-5 ), Only on Sunday and Saturday ( * * * * 0,6 ) in timezone Europe/Berlin.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.