Merge branch 'main' into json-of

Author: MukjepScarlet

.github/dependabot.yml

@@ -4,6 +4,8 @@ updates:
     directory: "/"
     schedule:
       interval: "monthly"
+    cooldown:
+      default-days: 14
     groups:
       # Name is used for branch name and pull request title
       maven:
@@ -15,6 +17,8 @@ updates:
     directory: "/"
     schedule:
       interval: "monthly"
+    cooldown:
+      default-days: 14
     groups:
       # Name is used for branch name and pull request title
       github-actions:

.github/workflows/build.yml

@@ -11,6 +11,10 @@ on:
 permissions:
   contents: read #  to fetch code (actions/checkout)
 
+env:
+  # Common Maven arguments
+  MAVEN_ARGS: --show-version --batch-mode --no-transfer-progress
+
 jobs:
   build:
     name: "Build on JDK ${{ matrix.java }}"
@@ -23,7 +27,8 @@ jobs:
           - java: 11
             # Disable Enforcer check which (intentionally) prevents using JDK 11 for building
             # Exclude 'test-graal-native-image' module because JUnit 6 requires >= Java 17
-            extra-mvn-args: -Denforcer.fail=false --projects '!test-graal-native-image'
+            # Exclude 'proto' module because protobuf-maven-plugin requires >= Java 17
+            extra-mvn-args: -Denforcer.fail=false --projects '!test-graal-native-image,!proto'
           - java: 25
             # Disable Enforcer check which (intentionally) prevents using JDK 25 for building
             # Exclude 'test-shrinker' because ProGuard does not support JDK 25 yet, see
@@ -42,7 +47,7 @@ jobs:
           cache: 'maven'
       - name: Build with Maven
         # This also runs javadoc:jar to detect any issues with the Javadoc generated during release
-        run: mvn --batch-mode --no-transfer-progress verify javadoc:jar ${{ matrix.extra-mvn-args || '' }}
+        run: mvn verify javadoc:jar ${{ matrix.extra-mvn-args || '' }}
 
   native-image-test:
     name: "GraalVM Native Image test (JDK ${{ matrix.java }})"
@@ -59,7 +64,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
       - name: "Set up GraalVM"
-        uses: graalvm/setup-graalvm@2a2412009026a83f51d179f92dc2b3fd4c8142df  # v1.4.1
+        uses: graalvm/setup-graalvm@eec48106e0bf45f2976c2ff0c3e22395cced8243  # v1.4.2
         with:
           java-version: ${{ matrix.java }}
           distribution: 'graalvm'
@@ -69,7 +74,7 @@ jobs:
       - name: Build and run tests
         # Only run tests in `test-graal-native-image` (and implicitly build and run tests in `gson`),
         # everything else is covered already by regular build job above
-        run: mvn test --batch-mode --no-transfer-progress --activate-profiles native-image-test --projects test-graal-native-image --also-make ${{ matrix.extra-mvn-args || '' }}
+        run: mvn test --activate-profiles native-image-test --projects test-graal-native-image --also-make ${{ matrix.extra-mvn-args || '' }}
 
   verify-reproducible-build:
     name: "Verify reproducible build"
@@ -85,13 +90,13 @@ jobs:
           cache: 'maven'
 
       - name: "Verify no plugin issues"
-        run: mvn artifact:check-buildplan --batch-mode --no-transfer-progress --projects '!metrics,!test-graal-native-image,!test-jpms,!test-shrinker'
+        run: mvn artifact:check-buildplan --projects '!metrics,!test-graal-native-image,!test-jpms,!test-shrinker'
 
       - name: "Verify reproducible build"
         # See https://maven.apache.org/guides/mini/guide-reproducible-builds.html#how-to-test-my-maven-build-reproducibility
         run: |
-          mvn clean install --batch-mode --no-transfer-progress -Dmaven.test.skip --projects '!metrics,!test-graal-native-image,!test-jpms,!test-shrinker'
+          mvn clean install -Dmaven.test.skip --projects '!metrics,!test-graal-native-image,!test-jpms,!test-shrinker'
           # Run with `-Dbuildinfo.attach=false`; otherwise `artifact:compare` fails because it creates a `.buildinfo` file which
           # erroneously references the existing `.buildinfo` file (respectively because it is overwriting it, a file with size 0)
           # See https://issues.apache.org/jira/browse/MARTIFACT-57
-          mvn clean verify artifact:compare --batch-mode --no-transfer-progress -Dmaven.test.skip --projects '!metrics,!test-graal-native-image,!test-jpms,!test-shrinker' -Dbuildinfo.attach=false
+          mvn clean verify artifact:compare -Dmaven.test.skip --projects '!metrics,!test-graal-native-image,!test-jpms,!test-shrinker' -Dbuildinfo.attach=false

.github/workflows/check-android-compatibility.yml

@@ -15,6 +15,10 @@ on:
 permissions:
   contents: read #  to fetch code (actions/checkout)
 
+env:
+  # Common Maven arguments
+  MAVEN_ARGS: --show-version --batch-mode --no-transfer-progress
+
 jobs:
   check-android-compatibility:
     runs-on: ubuntu-latest
@@ -31,4 +35,4 @@ jobs:
 
       - name: Check Android compatibility
         run: |
-          mvn --batch-mode --no-transfer-progress compile animal-sniffer:check@check-android-compatibility -Dmaven.test.skip --projects '!metrics,!test-graal-native-image,!test-jpms,!test-shrinker'
+          mvn compile animal-sniffer:check@check-android-compatibility -Dmaven.test.skip --projects '!metrics,!test-graal-native-image,!test-jpms,!test-shrinker'

.github/workflows/check-api-compatibility.yml

@@ -6,6 +6,10 @@ on: pull_request
 permissions:
   contents: read #  to fetch code (actions/checkout)
 
+env:
+  # Common Maven arguments
+  MAVEN_ARGS: --show-version --batch-mode --no-transfer-progress
+
 jobs:
   check-api-compatibility:
     runs-on: ubuntu-latest
@@ -37,20 +41,20 @@ jobs:
         run: |
           cd gson-old-japicmp
           # Set dummy version
-          mvn --batch-mode --no-transfer-progress org.codehaus.mojo:versions-maven-plugin:2.16.2:set "-DnewVersion=0.0.0-JAPICMP-OLD"
+          mvn org.codehaus.mojo:versions-maven-plugin:2.16.2:set "-DnewVersion=0.0.0-JAPICMP-OLD"
           # Install artifacts with dummy version in local repository; used later by Maven plugin for comparison
-          mvn --batch-mode --no-transfer-progress install -Dmaven.test.skip --projects '!metrics,!test-graal-native-image,!test-jpms,!test-shrinker'
+          mvn install -Dmaven.test.skip --projects '!metrics,!test-graal-native-image,!test-jpms,!test-shrinker'
 
       - name: Check out new version
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
 
       - name: Check API compatibility
         id: check-compatibility
         run: |
-          mvn --batch-mode --fail-at-end --no-transfer-progress package japicmp:cmp -Dmaven.test.skip --projects '!metrics,!test-graal-native-image,!test-jpms,!test-shrinker'
+          mvn package japicmp:cmp --fail-at-end -Dmaven.test.skip --projects '!metrics,!test-graal-native-image,!test-jpms,!test-shrinker'
 
       - name: Upload API differences artifacts
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
         # Run on workflow success (in that case differences report might include added methods and classes)
         # or when API compatibility check failed
         if: success() || ( failure() && steps.check-compatibility.outcome == 'failure' )

.github/workflows/cifuzz.yml

@@ -25,14 +25,14 @@ jobs:
         dry-run: false
         output-sarif: true
     - name: Upload Crash
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
       if: failure() && steps.build.outcome == 'success'
       with:
         name: artifacts
         path: ./out/artifacts
     - name: Upload Sarif
       if: always() && steps.build.outcome == 'success'
-      uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885  # v3.30.6
+      uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee  # v4.31.2
       with:
         # Path to SARIF file relative to the root of the repository
         sarif_file: cifuzz-sarif/results.sarif

.github/workflows/codeql-analysis.yml

@@ -14,6 +14,10 @@ on:
 permissions:
   contents: read #  to fetch code (actions/checkout)
 
+env:
+  # Common Maven arguments
+  MAVEN_ARGS: --show-version --batch-mode --no-transfer-progress
+
 jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
@@ -45,7 +49,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@64d10c13136e1c5bce3e5fbde8d4906eeaafc885  # v3.30.6
+      uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee  # v4.31.2
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
@@ -58,9 +62,9 @@ jobs:
     - name: Compile sources (Java)
       if: ${{ matrix.language == 'java' }}
       run: |
-        mvn compile --batch-mode --no-transfer-progress
+        mvn compile
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@64d10c13136e1c5bce3e5fbde8d4906eeaafc885  # v3.30.6
+      uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee  # v4.31.2
       with:
         category: "/language:${{ matrix.language }}"

.github/workflows/scorecard.yml

@@ -64,7 +64,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: SARIF file
           path: results.sarif
@@ -73,6 +73,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
+        uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
         with:
           sarif_file: results.sarif

gson/pom.xml

@@ -50,7 +50,7 @@
     <dependency>
       <groupId>com.google.errorprone</groupId>
       <artifactId>error_prone_annotations</artifactId>
-      <version>2.42.0</version>
+      <version>2.43.0</version>
     </dependency>
 
     <dependency>
@@ -211,12 +211,12 @@
           <dependency>
             <groupId>com.guardsquare</groupId>
             <artifactId>proguard-base</artifactId>
-            <version>7.7.0</version>
+            <version>7.8.0</version>
           </dependency>
           <dependency>
             <groupId>com.guardsquare</groupId>
             <artifactId>proguard-core</artifactId>
-            <version>9.1.10</version>
+            <version>9.2.0</version>
           </dependency>
         </dependencies>
         <configuration>

metrics/pom.xml

@@ -53,7 +53,7 @@
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
-      <version>2.20.0</version>
+      <version>2.20.1</version>
     </dependency>
     <dependency>
       <groupId>com.google.caliper</groupId>

pom.xml

@@ -100,7 +100,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-enforcer-plugin</artifactId>
-        <version>3.6.1</version>
+        <version>3.6.2</version>
         <executions>
           <execution>
             <id>enforce-versions</id>
@@ -186,13 +186,10 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-artifact-plugin</artifactId>
-        <version>3.6.0</version>
+        <version>3.6.1</version>
         <executions>
           <execution>
             <goals>
-              <!-- This logs a warning about `source.scm.tag=HEAD`, but this can be ignored;
-                during release Maven Release Plugin temporarily changes the `source.scm.tag`
-                value to the actual Git tag, which will then not cause a warning -->
               <goal>buildinfo</goal>
             </goals>
           </execution>
@@ -296,7 +293,7 @@
               <path>
                 <groupId>com.google.errorprone</groupId>
                 <artifactId>error_prone_core</artifactId>
-                <version>2.42.0</version>
+                <version>2.43.0</version>
               </path>
             </annotationProcessorPaths>
           </configuration>
@@ -412,7 +409,7 @@
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-antrun-plugin</artifactId>
-          <version>3.1.0</version>
+          <version>3.2.0</version>
           <executions>
             <!-- Replaces version placeholders with the current version; this is mainly useful for
               Javadoc where this allows writing `@since $next-version$` -->
@@ -480,7 +477,7 @@
         <plugin>
           <groupId>com.github.siom79.japicmp</groupId>
           <artifactId>japicmp-maven-plugin</artifactId>
-          <version>0.23.1</version>
+          <version>0.24.2</version>
           <configuration>
             <skip>${gson.isTestModule}</skip>
 
@@ -515,7 +512,7 @@
         <plugin>
           <groupId>org.codehaus.mojo</groupId>
           <artifactId>animal-sniffer-maven-plugin</artifactId>
-          <version>1.24</version>
+          <version>1.26</version>
           <executions>
             <execution>
               <id>check-android-compatibility</id>
@@ -563,11 +560,11 @@
         </plugins>
       </build>
     </profile>
-    <!-- Disable Error Prone before Java 17 -->
+    <!-- Disable Error Prone before Java 21 -->
     <profile>
       <id>disable-error-prone</id>
       <activation>
-        <jdk>[,17)</jdk>
+        <jdk>[,21)</jdk>
       </activation>
       <build>
         <plugins>
@@ -578,6 +575,7 @@
               <compilerArgs combine.self="override">
                 <compilerArg>-Xlint:all,-options</compilerArg>
               </compilerArgs>
+              <annotationProcessorPaths combine.self="override" />
             </configuration>
           </plugin>
         </plugins>