fix(deps): update all non-major dependencies (release/8.7)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
actionlint		patch	1.7.9 → 1.7.11
java		patch	21.0.9+10.0.LTS → 21.0.10+7.0.LTS
com.diffplug.spotless:spotless-maven-plugin	build	minor	3.1.0 → 3.2.1
org.springframework.boot:spring-boot-maven-plugin (source)	build	patch	3.5.9 → 3.5.10
org.junit.jupiter:junit-jupiter (source)	test	patch	5.14.1 → 5.14.3
org.assertj:assertj-core (source)	test	patch	3.27.6 → 3.27.7
com.sap.cloud.sdk.datamodel:odata-generator (source)	compile	minor	5.25.0 → 5.26.0
com.sap.cloud.sdk.s4hana:rfc (source)	compile	minor	5.25.0 → 5.26.0
com.sap.cloud.sdk.s4hana:s4hana-connectivity (source)	compile	minor	5.25.0 → 5.26.0
com.sap.cloud.sdk:sdk-core (source)	compile	minor	5.25.0 → 5.26.0
com.sap.cloud.sdk:sdk-bom (source)	import	minor	5.25.0 → 5.26.0
com.fasterxml.jackson:jackson-bom	import	minor	2.20.1 → 2.21.0
ch.qos.logback:logback-classic (source, changelog)	compile	patch	1.5.23 → 1.5.32
ch.qos.logback:logback-core (source, changelog)	compile	patch	1.5.23 → 1.5.25
org.springframework.boot:spring-boot-dependencies (source)	import	patch	3.5.9 → 3.5.10

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-1225

ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file.

The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.

---

Release Notes

rhysd/actionlint (actionlint)

v1.7.11

Compare Source

• Support the case() function in ${{ }} expressions which was recently added to GitHub Actions. (#​612, #​614, thanks @​heppu)

  env:
    # ERROR: case() requires an odd number of arguments
    ENVIRONMENT: |-
      ${{ case(
        github.ref == 'refs/heads/main', 'production',
        github.ref == 'refs/heads/staging', 'staging'
      ) }}

• Support new macos-26-large and windows-2025-vs2026 runner labels. See the GitHub's announce for more details. (#​615, thanks @​hugovk and @​muzimuzhi)
• Enable Artifact attestations for the released binaries. From v1.7.11 gh command can verify the integrity of the downloaded binaries as follows. The verification is highly recommended in terms of supply chain security. (#​608, thanks @​takaram)

  $ gh release download --repo rhysd/actionlint --pattern '*_darwin_amd64.tar.gz' v1.7.11
  $ gh attestation verify --repo rhysd/actionlint actionlint_1.7.11_darwin_amd64.tar.gz
  Loaded digest sha256:17ffc17fed8f0258ef6ad4aed932d3272464c7ef7d64e1cb0d65aa97c9752107 for file://actionlint_1.7.11_darwin_amd64.tar.gz
  Loaded 1 attestation from GitHub API
  
  The following policy criteria will be enforced:
  - Predicate type must match:................ https://slsa.dev/provenance/v1
  - Source Repository Owner URI must match:... https://github.com/rhysd
  - Source Repository URI must match:......... https://github.com/rhysd/actionlint
  - Subject Alternative Name must match regex: (?i)^https://github.com/rhysd/actionlint/
  - OIDC Issuer must match:................... https://token.actions.githubusercontent.com
  
  ✓ Verification succeeded!
  
  The following 1 attestation matched the policy criteria
  
  - Attestation #​1
    - Build repo:..... rhysd/actionlint
    - Build workflow:. .github/workflows/release.yaml@refs/tags/v1.7.11
    - Signer repo:.... rhysd/actionlint
    - Signer workflow: .github/workflows/release.yaml@refs/tags/v1.7.11

• Report path filters with ./ because they never match anything. (#​521)

  on:
    push:
      paths:
        # ERROR: This never matches anything. `foo/bar.txt` is correct.
        - ./foo/bar.txt

• Fix comparing matrix items when an item is a super set of another item. (#​523, #​613, thanks @​michaelgruenewald)
• Fix stack overflow crash by a recursive anchor in matrix items. (#​610)
• Fix a unassigned variable false positive from shellcheck by disabling SC2153 rule. (#​573)
• Reduce the number of memory allocations on resolving anchors.
• Update the popular actions data set to the latest.
• Update Go dependencies to the latest.
• Remove legacy Homebrew formula in rhysd/actionlint repository in favor of the cask package. Note that this change does not affect Homebrew's official formula.
• Add a link to the release page of the version in the playground.

[Changes][v1.7.11]

v1.7.10

Compare Source

• Support YAML anchors and aliases (&anchor and *anchor) in workflow files. In addition to parsing YAML anchors correctly, actionlint checks unused and undefined anchors. See the document for more details. (#​133, thanks @​srz-zumix for the initial implementation at #​568 and @​alexaandru for trying another approach at #​557)

  jobs:
    test:
      runs-on: ubuntu-latest
      services:
        nginx:
          image: nginx:latest
          credentials: &credentials
            username: ${{ secrets.user }}
            password: ${{ secrets.password }}
      steps:
        - run: ./download.sh
          # OK: Valid alias to &credentials
          env: *credentials
        - run: ./check.sh
          # ERROR: Undefined anchor 'credential'
          env: *credential
        - run: ./upload.sh
          # ERROR: Unused anchor 'credentials'
          env: &credentials

• Remove support for *-xl macOS runner labels because they were dropped. (#​592, thanks @​muzimuzhi)
• Remove support for the macOS 13 runner labels because they were dropped on Dec 4, 2025. (#​593, thanks @​muzimuzhi)
  • macos-13
  • macos-13-large
  • macos-13-xlarge
• Increase the maximum number of inputs in the workflow_dispatch event from 10 to 25 because the limitation was recently relaxed. (#​598, thanks @​Haegi)
• Support artifact-metadata permission for workflow permissions. (#​602, thanks @​martincostello)
• Detect more complicated constants at if: conditions as error. See the rule document for more details.
• Refactor the workflow parser with Go iterators. This slightly improves the performance and memory usage.
• Fix parsing extra { and } characters in format string of format() function call. For example v1.7.9 didn't parse "{{0} {1} {2}}" correctly.
• Detect an invalid value at type in workflow call inputs as error.
• Report YAML merge key << as error because GitHub Actions doesn't support the syntax.
• Check available contexts in expressions at jobs.<job_id>.snapshot.if.

  snapshot:
    image-name: my-custom-image
    # ERROR: `env` context is not allowed here
    if: ${{ env.USE_SNAPSHOT == 'true' }}

• Fix the instruction to install actionlint with mise in the installation document. (#​591, thanks @​risu729)
• Update the popular actions data set to the latest to include new major versions of the actions.

[Changes][v1.7.10]

diffplug/spotless (com.diffplug.spotless:spotless-maven-plugin)

v3.2.0

Added

• Support for idea (#​2020, #​2535)
• Add support for removing wildcard imports via removeWildcardImports step. (#​2517)
• scalafmt: enforce version consistency between the version configured in Spotless and the version declared in Scalafmt config file (#​2460)

Fixed

• SortPom disable expandEmptyElements, to avoid empty body warnings. (#​2520)
• Fix biome formatter for new major release 2.x of biome (#​2537)
• Make sure npm-based formatters use the correct node_modules directory when running in parallel. (#​2542)

Changed

• Bump internal dependencies for npm-based formatters (#​2542)

spring-projects/spring-boot (org.springframework.boot:spring-boot-maven-plugin)

v3.5.10

Compare Source

🐞 Bug Fixes

• Evaluation of bean conditions unnecessarily queries the bean factory for types that are not present #​48836
• When a bean condition references a type that is not present, it appears as ? in the condition evaluation report #​48835
• Actuator /info endpoint fails in Java 25 Native Image (VirtualThreadSchedulerMXBean support) #​48810
• DataSourceBuilder cannot create oracle.ucp.jdbc.PoolDataSourceImpl in a native image #​48702
• Application JAR created by extract command is not reproductible #​48664
• AOT processing of tests should not be disabled when 'skipTests' is set #​48661
• Fix zero-length byte buffer in InspectedContent #​48649

📔 Documentation

• Update documentation for Buildpack's AOT Cache support #​48768
• Document support for configuring arguments passed to Docker Compose #​48657
• Clarify javadoc to make it clear that HazelcastConfigCustomizer beans are only applied if Hazelcast is configured via a config file #​48634
• Fix grammar and typos in the reference guide #​48596

🔨 Dependency Upgrades

• Upgrade to Classmate 1.7.3 #​48775
• Upgrade to Hibernate 6.6.41.Final #​48881
• Upgrade to HttpClient5 5.5.2 #​48777
• Upgrade to Logback 1.5.25 #​48882
• Upgrade to Micrometer 1.15.8 #​48705
• Upgrade to Micrometer Tracing 1.5.8 #​48706
• Upgrade to Pooled JMS 3.1.9 #​48779
• Upgrade to Postgresql 42.7.9 #​48883
• Upgrade to R2DBC MSSQL 1.0.4.RELEASE #​48847
• Upgrade to Reactor Bom 2024.0.14 #​48707
• Upgrade to REST Assured 5.5.7 #​48884
• Upgrade to Spring AMQP 3.2.9 #​48909
• Upgrade to Spring Data Bom 2025.0.8 #​48708
• Upgrade to Spring Integration 6.5.6 #​48921
• Upgrade to Spring Kafka 3.3.12 #​48709
• Upgrade to Spring Pulsar 1.2.14 #​48710
• Upgrade to Undertow 2.3.22.Final #​48848
• Upgrade to WebJars Locator Lite 1.1.3 #​48780

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​GaoSSR, @​izeye, and @​ngocnhan-tran1996

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) in timezone Europe/Berlin, Automerge - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday ( * 0-4,22-23 * * 1-5 ), Only on Sunday and Saturday ( * * * * 0,6 ) in timezone Europe/Berlin.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.