fix(deps): update all dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
org.jacoco:jacoco-maven-plugin (source)	0.8.13 → 0.8.14
org.apache.maven.plugins:maven-gpg-plugin (source)	3.2.7 → 3.2.8
org.sonatype.central:central-publishing-maven-plugin (source)	0.7.0 → 0.10.0
org.apache.maven.plugins:maven-surefire-plugin (source)	3.5.3 → 3.5.4
org.apache.maven.plugins:maven-failsafe-plugin (source)	3.5.3 → 3.5.4
com.github.spotbugs:spotbugs (source)	4.9.3 → 4.9.8
com.github.spotbugs:spotbugs-maven-plugin (source)	4.9.3.0 → 4.9.8.2
com.spotify.fmt:fmt-maven-plugin	2.27 → 2.29
org.webjars.npm:bootstrap (source)	5.3.6 → 5.3.8
net.logstash.logback:logstash-logback-encoder	7.3 → 7.4
com.github.spotbugs:spotbugs-annotations (source)	4.9.3 → 4.9.8

---

Release Notes

jacoco/jacoco (org.jacoco:jacoco-maven-plugin)

v0.8.14: 0.8.14

Compare Source

New Features

• JaCoCo now officially supports Java 25 (GitHub #​1950).
• Experimental support for Java 26 class files (GitHub #​1870).
• Branches added by the Kotlin compiler for default argument number 33 or higher are filtered out during generation of report (GitHub #​1655).
• Part of bytecode generated by the Kotlin compiler for elvis operator that follows safe call operator is filtered out during generation of report (GitHub #​1814, #​1954).
• Part of bytecode generated by the Kotlin compiler for more cases of chained safe call operators is filtered out during generation of report (GitHub #​1956).
• Part of bytecode generated by the Kotlin compiler for invocations of suspendCoroutineUninterceptedOrReturn intrinsic is filtered out during generation of report (GitHub #​1929).
• Part of bytecode generated by the Kotlin compiler for suspending lambdas with parameters is filtered out during generation of report (GitHub #​1945).
• Part of bytecode generated by the Kotlin compiler for suspending functions and lambdas with suspension points that return inline value class is filtered out during generation of report (GitHub #​1871).
• Part of bytecode generated by the Kotlin Compose compiler plugin for pausable composition is filtered out during generation of report (GitHub #​1911).
• Methods generated by the Kotlin serialization compiler plugin are filtered out (GitHub #​1885, #​1970, #​1971).

Fixed bugs

• Fixed handling of implicit else clause of when with String subject in Kotlin (GitHub #​1813, #​1940).
• Fixed handling of implicit default clause of switch by String in Java when compiled by ECJ (GitHub #​1813, #​1940).
  Fixed handling of exceptions in chains of safe call operators in Kotlin (GitHub #​1819).

Non-functional Changes

• JaCoCo now depends on ASM 9.9 (GitHub #​1965).

spotbugs/spotbugs (com.github.spotbugs:spotbugs)

v4.9.8

Compare Source

Fixed

• Maven plugin reporting issue if -adjustPriority is not set (#​3774)

v4.9.7

Compare Source

Fixed

• Fix Eclipse not always using latest preferences file state (#​3740)
• Fix exception throw when singleton implementing Cloneable has no clone() method (#​3727)
• Fix for missing -adjustPriority parameter in Eclipse preferences (#​3687)
• Documentation of -adjustPriority parameter
• Functionality from DetectorFactory setEnabledButNonReporting(), getPriorityAdjustment() methods and BugInstance.adjustForDetector() is deprecated and moved to PriorityAdjuster (#​3753)
• Improved FindNakedNotify to handle the case when the lock is loaded from a field (#​3634)

Changed

• Support for fully qualified class names for detectors in -adjustPriority parameter
• Support for numerical and absolute priority adjustments
• Bump up Apache Commons BCEL to the version 6.11.0 (#​3569)

Deprecated

• Add back and deprecate edu.umd.cs.findbugs.io.IO.close(InputStream) method. (#​3756)

Build

• Allow our GA builds to work with JDK 25 (and drop support for JDK 24) (#​3564)

v4.9.6

Compare Source

Fixed

• Fix exception throw when analyzing jakarta.servlet.http.HttpServletRequest method calls (#​3711)

v4.9.5

Compare Source

Fixed

• Fix for an error when a record method has the @SuppressFBWarnings annotation (#​3622)
• Fix SF_SWITCH_FALLTHROUGH false positive when continuing a loop (#​3617)
• CWO_CLOSED_WITHOUT_OPENED false positive (#​3616)
• SF_SWITCH_NO_DEFAULT false positive fix for switch-arrow (#​3645)
• Fix the issue with BCEL logging Duplicating value: ... (#​3621)
• Add missing jakarta support for servlets / pre/post destroy (#​3694)

Added

• Add 'java.nio.file.Path.of' to known types for path traversal checks (#​3699)

Cleanup

• S1481: Unused local variables should be removed (#​3654)
• Moved test libraries to jakarta namespace including switching off jsr305 where possible for jakarta.annotation (#​3695)

v4.9.4

Compare Source

Changed

• AnnotationMatcher can now ignore bugs if annotation is also applied on methods or fields. Previously only annotations on classes were considered.
• Add relevant CWE ids to bugs and refer the CWEs in the bug messages (#​3354).
• Replace LOCAL_VARIABLE_UNKNOWN with exact method name for NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE (#​3485)

Fixed

• Widen main method recognition according to JEP 445. (#​3371)
• Do not report US_USELESS_SUPPRESSION_ON_* on methods, fields, parameters, packages or classes with an *.Generated annotation with retention >= class (#​3350)(#​3409)
• Rewrite some member in ResourceValueFrame.java to Enum (#​2061)
• Ignore non-interpreted text when looking for FS_BAD_DATE_FORMAT_FLAG_COMBO (#​3387)
• Fix IllegalArgumentException thrown from FindNoSideEffectMethods detector (#​3320)
• Do not report RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT when part of a Mockito doAnswer(), doCallRealMethod(), doNothing(), doThrow() or doReturn() call (#​3334)
• Fix CT_CONSTRUCTOR_THROW false positive with public and private constructors in specific order of methods (#​3417)
• Fix AT_NONATOMIC_OPERATIONS_ON_SHARED_VARIABLE, AT_NONATOMIC_64BIT_PRIMITIVE and AT_STALE_THREAD_WRITE_OF_PRIMITIVE FP when the relevant code is in private method, which is only called with proper synchronization (#​3428)
• Do not report RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT when part of a BDDMockito call (#​3441)
• Fix AT_NONATOMIC_OPERATIONS_ON_SHARED_VARIABLE when field of a local variable is set. (#​3459)
• Fix AT_NONATOMIC_OPERATIONS_ON_SHARED_VARIABLE FP when there was no compound operation (#​3363)
• Fix NM_FIELD_NAMING_CONVENTION crash in the TestASM detector (#​3489)
• Do not report UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR for fields initialized in JUnit 3/4 setUp() method. (#​3169)
• Fix US_USELESS_SUPPRESSION_ON_FIELD/UUF_UNUSED_FIELD false positive (#​3496)
• Make the osgi manifest of the annotations jar Java 8 compatible (#​3498) (#​3500)
• TextUICommandLine supports all options encoded in Eclipse preferences file (#​3520)
• Unnecessary suppressions fix for records headers (#​3471)
• Dead store fix when switch case contains loops (#​3530) (#​3449)
• Consider PUTFIELD and PUTSTATIC when looking for assertions with side effects (#​3463)
• Detect cases when equals() unconditionally returns true or false (#​3528)
• Do not report that an Iterator does not throw NoSuchElementException when hasNext() returns true (#​3501)
• Detect random value cast to int when stored in temporary variable (#​3461)
• Look for interfaces default methods when searching uncalled private methods (#​1988)
• Fixed field self assignment false positive (#​2258)
• Fixed DMI_INVOKING_TOSTRING_ON_ARRAY on newer JDK (#​1147)
• Fix NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE false positive with Objects.requireNonNull (#​2965) (#​3573)
• Track inner classes access methods to correctly report the bugs (#​2029)
• SF_SWITCH_NO_DEFAULT false positive fix (#​1148) (#​3572)

Added

• Added the unnecessary annotation to the US_USELESS_SUPPRESSION_ON_* messages (#​3395)
• Multi-threaded code checks can be skipped with @NotThreadSafe (#​3390)
• New bug type CWO_CLOSED_WITHOUT_OPENED for locks that might be released without even being acquired. (See SEI CERT rule LCK08-J) (#​2055)
  • Breaking change: changed values and new items in ResourceValueFrame.
• Inline access method for method. (#​3481)
• Added DMI_MISLEADING_SUBSTRING for calling subString(0) on a StringBuffer/StringBuilder (#​1928)

Signing

• Signing for Eclipse plugin has been removed at the current time due to signing keys being expired. The expired key produced a warning during install, the same is true without signing.

spotify/fmt-maven-plugin (com.spotify.fmt:fmt-maven-plugin)

v2.29

Compare Source

v2.28

Compare Source

twbs/bootstrap (org.webjars.npm:bootstrap)

v5.3.8

Compare Source

What's Changed

• Streamline release prep script by @​mdo in #​41539
• Docs: restore local dev port to 9001 by @​chalin in #​41545
• Docs: use Example shortcode instead of divs with only .bd-example class by @​julien-deramond in #​41556
• Docs: fix scss autorecompile in dev mode by @​MaxLardenois in #​41574
• Fix color-contrast() function for WCAG 2.1 compliance by @​julien-deramond in #​41585
• OSSF Scorecard by @​mdo in #​41571
• Workflows: Use SHA-1 for third-party actions by @​julien-deramond in #​41595
• Docs: unminify downloadable example HTML files by @​julien-deramond in #​41637
• Docs: Add tooltips to buttons when <Example> is used, not just <Code> by @​louismaximepiton in #​41582
• Set cursor pointer on input search cancel button by @​mdo in #​41639
• CSS: Prevent spinner distortion in flex containers with multiline content by @​julien-deramond in #​41654
• Migrate MyGet script to GH actions by @​supergibbs in #​41583
• Revert "Attempt to return focus explicitly to dropdown trigger" by @​mdo in #​41668
• docs: Minor range example code optimization by @​coliff in #​41665
• Remove Themes from docs by @​mdo in #​41671
• Release v5.3.8 by @​mdo in #​41669

Dependencies

• Build(deps-dev): Bump the development-dependencies group with 3 updates by @​julien-deramond in #​41540
• Build(deps-dev): Bump the development-dependencies group with 2 updates by @​julien-deramond in #​41544
• Build(deps-dev): Bump stylelint-config-twbs-bootstrap from 16.0.0 to 16.1.0 by @​julien-deramond in #​41546
• Build(deps-dev): Bump the development-dependencies group with 5 updates by @​julien-deramond in #​41552
• Build(deps-dev): Bump the development-dependencies group with 4 updates by @​julien-deramond in #​41560
• Build(deps-dev): Bump the development-dependencies group with 3 updates by @​julien-deramond in #​41566
• Build(deps): Bump actions/upload-artifact from 4.6.1 to 4.6.2 by @​dependabot[bot] in #​41594
• Build(deps-dev): Bump the development-dependencies group with 4 updates by @​julien-deramond in #​41599
• Build(deps-dev): Bump the development-dependencies group with 2 updates by @​julien-deramond in #​41609
• Build(deps): Bump github/codeql-action from 3.29.2 to 3.29.3 by @​dependabot[bot] in #​41611
• Build(deps): Bump streetsidesoftware/cspell-action from 7.1.1 to 7.1.2 by @​dependabot[bot] in #​41610
• Build(deps-dev): Bump the development-dependencies group with 4 updates by @​julien-deramond in #​41621
• Build(deps): Bump streetsidesoftware/cspell-action from 7.1.2 to 7.2.0 by @​dependabot[bot] in #​41625
• Build(deps): Bump actions-cool/issues-helper from 3.6.0 to 3.6.2 by @​dependabot[bot] in #​41623
• Build(deps): Bump github/codeql-action from 3.29.3 to 3.29.4 by @​dependabot[bot] in #​41624
• Build(deps-dev): Bump the development-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in #​41626
• Build(deps): Bump github/codeql-action from 3.29.4 to 3.29.5 by @​dependabot[bot] in #​41640
• Build(deps): Bump tmp from 0.2.3 to 0.2.4 by @​dependabot[bot] in #​41649
• Build(deps): Bump github/codeql-action from 3.29.7 to 3.29.8 by @​dependabot[bot] in #​41657
• Build(deps): Bump actions/checkout from 4.2.2 to 5.0.0 by @​dependabot[bot] in #​41655
• Build(deps): Bump github/codeql-action from 3.29.8 to 3.29.10 by @​dependabot[bot] in #​41664

New Contributors

• @​chalin made their first contribution in #​41545

Full Changelog: twbs/bootstrap@v5.3.7...v5.3.8

v5.3.7

Compare Source

📚 Documentation

• Fixed broken "View on GitHub" URLs
• Corrected HTML <head> content generated by the "Download examples" button
• Refined sanitizer documentation for clarity and completeness
• Improved accessibility in the "On this page" table of contents and section heading anchor links
• Relocated ads to the right sidebar to minimize content reflow
• Added a new section on the Download page for the Intelissence extension
• Clarified the "Via JavaScript" usage example for Accordion Collapse
• Made internal documentation improvements to support future maintenance (no visible user impact)
• Mention CDN integrity and crossorigin attributes in introduction page
• Enhance floating labels placeholder usage description
• Add example of showing dynamic range value with output

🎨 Sass

• Consolidated multiple 'none' values in the box-shadow Sass mixin for cleaner output

🤖 JavaScript

• Fixed popover and tooltip behavior with a trigger: "hover click" configuration

🤝 Contributions

• Added recommended VSCode extensions and settings configuration to the repository

---

Configuration

📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.