chore(deps): bump the maven-minor group across 1 directory with 24 updates

[dependabot]

Bumps the maven-minor group with 24 updates in the / directory:

Package	From	To
org.junit:junit-bom	6.0.1	6.0.2
org.jboss.weld.servlet:weld-servlet-core	6.0.3.Final	6.0.4.Final
org.primefaces:primefaces	15.0.10	15.0.12
com.twelvemonkeys.servlet:servlet	3.12.0	3.13.0
com.twelvemonkeys.imageio:imageio-bmp	3.12.0	3.13.0
com.twelvemonkeys.imageio:imageio-jpeg	3.12.0	3.13.0
com.twelvemonkeys.imageio:imageio-tiff	3.12.0	3.13.0
com.twelvemonkeys.imageio:imageio-hdr	3.12.0	3.13.0
com.twelvemonkeys.imageio:imageio-webp	3.12.0	3.13.0
org.mariadb.jdbc:mariadb-java-client	3.5.6	3.5.7
org.apache.solr:solr-solrj	9.10.0	9.10.1
org.apache.logging.log4j:log4j-api	2.25.2	2.25.3
org.apache.logging.log4j:log4j-core	2.25.2	2.25.3
org.apache.logging.log4j:log4j-jcl	2.25.2	2.25.3
org.apache.logging.log4j:log4j-slf4j2-impl	2.25.2	2.25.3
org.apache.logging.log4j:log4j-jakarta-web	2.25.2	2.25.3
io.sentry:sentry-log4j2	8.28.0	8.32.0
org.jsoup:jsoup	1.21.2	1.22.1
org.commonmark:commonmark	0.27.0	0.27.1
org.eclipse.jetty.ee11:jetty-ee11-cdi	12.1.5	12.1.6
org.eclipse.jetty.ee11:jetty-ee11-maven-plugin	12.1.5	12.1.6
org.apache.maven.plugins:maven-compiler-plugin	3.14.1	3.15.0
org.codehaus.mojo:versions-maven-plugin	2.20.1	2.21.0
org.apache.maven.plugins:maven-dependency-plugin	3.9.0	3.10.0

Updates org.junit:junit-bom from 6.0.1 to 6.0.2

Release notes

Sourced from org.junit:junit-bom's releases.

JUnit 6.0.2 = Platform 6.0.2 + Jupiter 6.0.2 + Vintage 6.0.2

See Release Notes.

Full Changelog: junit-team/junit-framework@r6.0.1...r6.0.2

Commits

• c5c5de5 Release 6.0.2
• 98b6f78 Add missing checkout step
• 732dc27 Finalize 6.0.2 release notes
• 6a25736 Finalize 5.14.2 release notes
• 33e66bf Move release notes for #5238 entry to 6.1.0-M2
• 11f0f82 Update copyright headers
• 6ce1265 Consistently add license header to all java source files
• 4d454ee Update dependency @​antora/lunr-extension to v1.0.0-alpha.12
• faf4a58 Use --since feature of Javadoc
• 5cc8b05 Mark new recommended APIs as "maintained" rather than "experimental"
• Additional commits viewable in compare view

Updates org.jboss.weld.servlet:weld-servlet-core from 6.0.3.Final to 6.0.4.Final

Updates org.primefaces:primefaces from 15.0.10 to 15.0.12

Release notes

Sourced from org.primefaces:primefaces's releases.

15.0.12

What's Changed

Defects 🐞

• Fix #14414: 15.0.12 Organigram extraneous character by @​melloware in primefaces/primefaces#14566
• Fix #14560: 15.0.12 Messages fatal icon CSS by @​melloware in primefaces/primefaces#14569
• Fix #14514: 15.0.12 TextEditor fix OL and UL elements in HtmlSanitizer by @​melloware in primefaces/primefaces#14573

Full Changelog: primefaces/primefaces@v15.0.11...v15.0.12

15.0.11

What's Changed

Breaking Changes 💥

• Fix #14395: 15.0.11 Datatable/TreeTable endsWithLengthUnit handle CSS calc() function by @​melloware in primefaces/primefaces#14398

New Features & Enhancements 🎉

• Fix #14519: 15.0.11 PrimeFaces.version() return the value by @​melloware in primefaces/primefaces#14521

Accessibility ♿

• Fix #14353: 15.0.10 Picklist remove aria-required by @​melloware in primefaces/primefaces#14354
• Fix #14389: 15.0.11 SelectOneRadio remove unnecessary aria-checked by @​melloware in primefaces/primefaces#14391
• Fix #14509: 15.0.11 TextEditor ARIA role="textbox" by @​melloware in primefaces/primefaces#14511

Defects 🐞

• Fix #14367: 15.0.11 PanelMenu fix collapseAll/expandAll widget methods by @​melloware in primefaces/primefaces#14369
• Fix #14403: 15.0.11 KeyFilter add Apple meta key for preventPaste by @​melloware in primefaces/primefaces#14410
• Fix #14400: 15.0.11 Picklist enable/disable reordering buttons by @​melloware in primefaces/primefaces#14401
• Fix #14387: 15.0.11 Datatable scrollable with table-layout:auto by @​melloware in primefaces/primefaces#14409
• Fix #14414: 15.0.11 Organigram extraneous character by @​melloware in primefaces/primefaces#14415
• Fix #14390: 15.0.11 Video controls by @​melloware in primefaces/primefaces#14422
• Fix #14429: 15.0.11 TableExporter NPE on columnVisible by @​melloware in primefaces/primefaces#14432
• Fix #14390: 15.0.11 Passthrough attribute String "false" should be treated like boolean false by @​melloware in primefaces/primefaces#14442
• Fix #14424: 15.0.11 AjaxSource oncomplete is always invoked when using EL by @​melloware in primefaces/primefaces#14441
• Fix #14445: 15.0.11 InputTextArea this.items is undefined console error by @​melloware in primefaces/primefaces#14446
• Fix #14448: 15.0.11 DE, IT translations for unexpectedError by @​melloware in primefaces/primefaces#14454
• Fix #14478 / #14482 : 15.X Croatian locale fixes by @​melloware in primefaces/primefaces#14484
• Fix #14480: 15.0.11 Safari not respecting filter clear X. by @​melloware in primefaces/primefaces#14489
• Fix #14477: 15.0.11 TextEditor blur fix for Safari by @​melloware in primefaces/primefaces#14492
• Fix #14514: 15.0.11 TextEditor QuillJS ordered list patch by @​melloware in primefaces/primefaces#14528
• Fix #14055: 15.0.11 headers update after column dropping, duplicate columntoggler state by @​melloware in primefaces/primefaces#14533
• Fix #14523: 15.0.11 FloatLabel do not bleed outside of input by @​melloware in primefaces/primefaces#14541
• Fix #14515: 15.0.11 TreeNode uses wrong var in styleClass by @​melloware in primefaces/primefaces#14552

Full Changelog: primefaces/primefaces@v15.0.10...v15.0.11

Commits

• a7e2c58 Release version 15.0.12
• 2bb15ca Escape contextPath for JavaScript in HeadRenderer
• 1964176 Fix #14514: 15.0.12 TextEditor fix OL and UL elements in HtmlSanitizer (#14573)
• cf96da1 Fix #14560: 15.0.12 Messages fatal icon CSS (#14569)
• cd9dcc4 Fix #14414: 15.0.12 Organigram extraneous character (#14566)
• 8e328fe Prepare for next development version
• e0e9d75 Release version 15.0.11
• d86b0db Update OWASP Java HTML Sanitizer 20260101.1
• 4a6f363 Fix #14515: 15.0.11 TreeNode uses wrong var in styleClass (#14552)
• 5046513 Fix #14523: 15.0.11 FloatLabel do not bleed outside of input (#14541)
• Additional commits viewable in compare view

Updates com.twelvemonkeys.servlet:servlet from 3.12.0 to 3.13.0

Release notes

Sourced from com.twelvemonkeys.servlet:servlet's releases.

TwelveMonkeys ImageIO 3.13.0 release notes

What's Changed

New features

• PICT: Several Improvements in read support by @​rolfhowarth in haraldk/TwelveMonkeys#1115, haraldk/TwelveMonkeys#1118, haraldk/TwelveMonkeys#1124, haraldk/TwelveMonkeys#1129, @​rolfhowarth in haraldk/TwelveMonkeys#1130 and haraldk/TwelveMonkeys#1131
• TIFF: Fix CCITT T.4/T.6 metadata compression names in haraldk/TwelveMonkeys#1155
• JPEG: Fix for JDK 25 Exif thumbnail support in haraldk/TwelveMonkeys#1197
• JPEG: Handle lossless JPEG with non-zero point transform by @​zcronix in haraldk/TwelveMonkeys#1183
• SVG: Support for namespace prefix by @​don-vip in haraldk/TwelveMonkeys#1212
• WebP: Fix decoding using source region without subsampling by @​don-vip in haraldk/TwelveMonkeys#1220
• DDS: DXT10 compression support by @​KhanhPham05 in haraldk/TwelveMonkeys#1230

Dependencies upgraded

• Batik upgraded from 1.17 to 1.19 in haraldk/TwelveMonkeys#1038, haraldk/TwelveMonkeys#1139
• commons-io upgadeded from 2.18.0 to 2.19.0 in haraldk/TwelveMonkeys#1135
• Unit tests upgraded to JUnit 5 by @​vyshakputhusseri in haraldk/TwelveMonkeys#1050

Other

• Add readme section about working with damaged images by @​SamStephens in haraldk/TwelveMonkeys#1061

New Contributors

• @​vyshakputhusseri made their first contribution in haraldk/TwelveMonkeys#1050
• @​SamStephens made their first contribution in haraldk/TwelveMonkeys#1061
• @​rolfhowarth made their first contribution in haraldk/TwelveMonkeys#1115
• @​zcronix made their first contribution in haraldk/TwelveMonkeys#1183
• @​KhanhPham05 made their first contribution in haraldk/TwelveMonkeys#1230

Full Changelog: haraldk/TwelveMonkeys@twelvemonkeys-3.12.0...twelvemonkeys-3.13.0

Commits

• 47e90a6 [maven-release-plugin] prepare release twelvemonkeys-3.13.0
• bdd8b2f #1198: Fix snapshot URL
• 8d08c95 Fix JavaDoc error
• c11f61d #1198: Re-enable snapshot builds
• e6b38cb #1198: Migrate from ossrh to central
• e11d888 Bump actions/upload-artifact from 5.0.0 to 6.0.0 in /.github/workflows
• 46a399f DDS DXT10 support, with some certain supported DXGI Formats only. (#1230)
• a09629b Bump org.apache.maven.plugins:maven-release-plugin from 3.3.0 to 3.3.1
• 57fb1ca Bump actions/setup-java from 5.0.0 to 5.1.0 in /.github/workflows
• c9063ca add unit test
• Additional commits viewable in compare view

Updates com.twelvemonkeys.imageio:imageio-bmp from 3.12.0 to 3.13.0

Updates com.twelvemonkeys.imageio:imageio-jpeg from 3.12.0 to 3.13.0

Updates com.twelvemonkeys.imageio:imageio-tiff from 3.12.0 to 3.13.0

Updates com.twelvemonkeys.imageio:imageio-hdr from 3.12.0 to 3.13.0

Updates com.twelvemonkeys.imageio:imageio-webp from 3.12.0 to 3.13.0

Updates com.twelvemonkeys.imageio:imageio-bmp from 3.12.0 to 3.13.0

Updates com.twelvemonkeys.imageio:imageio-jpeg from 3.12.0 to 3.13.0

Updates com.twelvemonkeys.imageio:imageio-tiff from 3.12.0 to 3.13.0

Updates com.twelvemonkeys.imageio:imageio-hdr from 3.12.0 to 3.13.0

Updates com.twelvemonkeys.imageio:imageio-webp from 3.12.0 to 3.13.0

Updates org.mariadb.jdbc:mariadb-java-client from 3.5.6 to 3.5.7

Release notes

Sourced from org.mariadb.jdbc:mariadb-java-client's releases.

MariaDB Connector/Java 3.5.7

3.5.7 (Dec 2025)

Full Changelog

Key Enhancements

• CONJ-1282 - Added TLS SNI (Server Name Indication) support
• CONJ-1271 - Added MariaDbDataTruncation exception that includes MariaDB error code and error message

Issues Resolved

• CONJ-1291 - Fixed ConnectionPoolDataSource incompatibility and connection leaks due to internal ConnectionEventListener in MariaDB Connector/J 3.5.x
• CONJ-1286 - Fixed MariaDbPoolPinnedConnection thread-safety issue
• CONJ-1283 - Fixed rewriteBatchedStatements introduced in 3.5.6 bug when having parentesis after VALUES parts
• CONJ-1287 - Fixed authentication plugin multi-exchange prefix (0x01) handling introduced in MDEV-37554
• CONJ-1290 - Fixed NullPointerException in MultiPrimaryReplicaClient
• CONJ-1295 - Fixed MariaDbClob compilation with JDK 26+

Changelog

Sourced from org.mariadb.jdbc:mariadb-java-client's changelog.

3.5.7 (Dec 2025)

Full Changelog

Key Enhancements

• CONJ-1282 - Added TLS SNI (Server Name Indication) support
• CONJ-1271 - Added MariaDbDataTruncation exception that includes MariaDB error code and error message

Issues Resolved

• CONJ-1291 - Fixed ConnectionPoolDataSource incompatibility and connection leaks due to internal ConnectionEventListener in MariaDB Connector/J 3.5.x
• CONJ-1286 - Fixed MariaDbPoolPinnedConnection thread-safety issue
• CONJ-1283 - Fixed rewriteBatchedStatements introduced in 3.5.6 bug when having parentesis after VALUES parts
• CONJ-1287 - Fixed authentication plugin multi-exchange prefix (0x01) handling introduced in MDEV-37554
• CONJ-1290 - Fixed NullPointerException in MultiPrimaryReplicaClient
• CONJ-1295 - Fixed MariaDbClob compilation with JDK 26+

Commits

• 46c3a4d [CONJ-1296] ResultSetMetaData.getSchemas() column labels might be returned in...
• 6d9179b bump 3.5.7 version
• 5c9b41c [CONJ-1271] Add MariaDbDataTruncation class to properly handle data truncati...
• 1b48cd0 [CONJ-1283] fix INSERT rewrite detection when VALUES clause has trailing pare...
• 6c0fb70 Merge branch 'fork/necposs/fix/conj-1286' into develop
• efd77b1 [CONJ-1290] fix syncNewState to use previous client state when switching betw...
• 0559d02 [CONJ-1291] PooledConnection behavior clarification.
• 995eecd [CONJ-1293] add unit test
• 52e5e20 [misc] micro optimization
• ae3704d [misc] code style correction: fix IPUtility
• Additional commits viewable in compare view

Updates org.apache.solr:solr-solrj from 9.10.0 to 9.10.1

Updates org.apache.logging.log4j:log4j-api from 2.25.2 to 2.25.3

Updates org.apache.logging.log4j:log4j-core from 2.25.2 to 2.25.3

Updates org.apache.logging.log4j:log4j-jcl from 2.25.2 to 2.25.3

Updates org.apache.logging.log4j:log4j-slf4j2-impl from 2.25.2 to 2.25.3

Updates org.apache.logging.log4j:log4j-jakarta-web from 2.25.2 to 2.25.3

Updates org.apache.logging.log4j:log4j-core from 2.25.2 to 2.25.3

Updates org.apache.logging.log4j:log4j-jcl from 2.25.2 to 2.25.3

Updates org.apache.logging.log4j:log4j-slf4j2-impl from 2.25.2 to 2.25.3

Updates org.apache.logging.log4j:log4j-jakarta-web from 2.25.2 to 2.25.3

Updates io.sentry:sentry-log4j2 from 8.28.0 to 8.32.0

Release notes

Sourced from io.sentry:sentry-log4j2's releases.

8.32.0

Features

• Add installGroupsOverride parameter and installGroups property to Build Distribution SDK (#5062)
• Update Android targetSdk to API 36 (Android 16) (#5016)
• Add AndroidManifest support for Spotlight configuration via io.sentry.spotlight.enable and io.sentry.spotlight.url (#5064)
• Collect database transaction spans (BEGIN, COMMIT, ROLLBACK) (#5072)
  • To enable creation of these spans, set options.enableDatabaseTransactionTracing to true
  • enable-database-transaction-tracing=true when using sentry.properties
  • For Spring Boot, use sentry.enable-database-transaction-tracing=true in application.properties or in application.yml:

    sentry:
      enable-database-transaction-tracing: true

• Add support for collecting native crashes using Tombstones (#4933, #5037)
  • Added Tombstone integration that detects native crashes using ApplicationExitInfo.REASON_CRASH_NATIVE on Android 12+
  • Crashes enriched with Tombstones contain more crash details and detailed thread info
  • Tombstone and NDK integrations are now automatically merged into a single crash event, eliminating duplicate reports
  • To enable it, add the integration in your Sentry initialization:

    SentryAndroid.init(context, options -> {
        options.isTombstoneEnabled = true
    })

    or in the AndroidManifest.xml using:

    <meta-data android:name="io.sentry.tombstone.enable" android:value="true" />

Fixes

• Extract SpotlightIntegration to separate sentry-spotlight module to prevent insecure HTTP URLs from appearing in release APKs (#5064)
  • Breaking: Users who enable Spotlight must now add the io.sentry:sentry-spotlight dependency:

    dependencies {
        debugImplementation("io.sentry:sentry-spotlight:<version>")
    }

• Fix scroll target detection for Jetpack Compose (#5017)
• No longer fork Sentry Scopes for reactor-kafka consumer poll Runnable (#5080)
  • This was causing a memory leak because reactor-kafka's poll event reschedules itself infinitely, and each invocation of SentryScheduleHook created forked scopes with a parent reference, building an unbounded chain that couldn't be garbage collected.
• Fix cold/warm app start type detection for Android devices running API level 34+ (#4999)

Internal

• Establish new native exception mechanisms to differentiate events generated by sentry-native from ApplicationExitInfo. (#5052)
• Set write permission for statuses in the changelog preview GHA workflow. (#5053)

Dependencies

... (truncated)

Changelog

Sourced from io.sentry:sentry-log4j2's changelog.

8.32.0

Features

• Add installGroups property to Build Distribution SDK (#5062)
• Update Android targetSdk to API 36 (Android 16) (#5016)
• Add AndroidManifest support for Spotlight configuration via io.sentry.spotlight.enable and io.sentry.spotlight.url (#5064)
• Collect database transaction spans (BEGIN, COMMIT, ROLLBACK) (#5072)
  • To enable creation of these spans, set options.enableDatabaseTransactionTracing to true
  • enable-database-transaction-tracing=true when using sentry.properties
  • For Spring Boot, use sentry.enable-database-transaction-tracing=true in application.properties or in application.yml:

    sentry:
      enable-database-transaction-tracing: true

• Add support for collecting native crashes using Tombstones (#4933, #5037)
  • Added Tombstone integration that detects native crashes using ApplicationExitInfo.REASON_CRASH_NATIVE on Android 12+
  • Crashes enriched with Tombstones contain more crash details and detailed thread info
  • Tombstone and NDK integrations are now automatically merged into a single crash event, eliminating duplicate reports
  • To enable it, add the integration in your Sentry initialization:

    SentryAndroid.init(context, options -> {
        options.isTombstoneEnabled = true
    })

    or in the AndroidManifest.xml using:

    <meta-data android:name="io.sentry.tombstone.enable" android:value="true" />

Fixes

• Extract SpotlightIntegration to separate sentry-spotlight module to prevent insecure HTTP URLs from appearing in release APKs (#5064)
  • Breaking: Users who enable Spotlight must now add the io.sentry:sentry-spotlight dependency:

    dependencies {
        debugImplementation("io.sentry:sentry-spotlight:<version>")
    }

• Fix scroll target detection for Jetpack Compose (#5017)
• No longer fork Sentry Scopes for reactor-kafka consumer poll Runnable (#5080)
  • This was causing a memory leak because reactor-kafka's poll event reschedules itself infinitely, and each invocation of SentryScheduleHook created forked scopes with a parent reference, building an unbounded chain that couldn't be garbage collected.
• Fix cold/warm app start type detection for Android devices running API level 34+ (#4999)

Internal

• Establish new native exception mechanisms to differentiate events generated by sentry-native from ApplicationExitInfo. (#5052)
• Set write permission for statuses in the changelog preview GHA workflow. (#5053)

Dependencies

... (truncated)

Commits

• 4d366b0 release: 8.32.0
• 3636c81 feat: merge tombstone and native sdk events (#5037)
• 319f256 fix(android): Fix cold/warm app start type detection for Android devices runn...
• 4c173df fix(tests): Make test harness more resilient (#5081)
• e873777 No longer fork Sentry Scopes for reactor-kafka consumer poll Runnable (...
• dc4cc7a Collect database transaction spans (BEGIN, COMMIT, ROLLBACK) (#5072)
• 8687935 build(deps): bump github/codeql-action from 4.31.11 to 4.32.0 (#5067)
• c700906 build(deps): bump gradle/actions from 5.0.0 to 5.0.1 (#5068)
• c2ac671 build(deps): bump getsentry/craft from 2.20.0 to 2.20.1 (#5069)
• 0eaac1e feat(spotlight): Extract SpotlightIntegration to separate module (#5064)
• Additional commits viewable in compare view

Updates org.jsoup:jsoup from 1.21.2 to 1.22.1

Release notes

Sourced from org.jsoup:jsoup's releases.

jsoup Java HTML Parser release 1.22.1

jsoup 1.22.1 is out now, adding support for the re2j regular expression engine for regex-based CSS selectors, a configurable maximum parser depth, and numerous bug fixes and improvements.

jsoup is a Java library for working with real-world HTML and XML. It provides a very convenient API for extracting and manipulating data, using the best of HTML5 DOM methods and CSS selectors.

Download jsoup now.

Improvements

• Added support for using the re2j regular expression engine for regex-based CSS selectors (e.g. [attr~=regex], :matches(regex)), which ensures linear-time performance for regex evaluation. This allows safer handling of arbitrary user-supplied query regexes. To enable, add the com.google.re2j dependency to your classpath, e.g.:

  <dependency>
    <groupId>com.google.re2j</groupId>
    <artifactId>re2j</artifactId>
    <version>1.8</version>
  </dependency>

(If you already have that dependency in your classpath, but you want to keep using the Java regex engine, you can disable re2j via System.setProperty("jsoup.useRe2j", "false").) You can confirm that the re2j engine has been enabled correctly by calling Regex.usingRe2j(). #2407

• Added an instance method Parser#unescape(String, boolean) that unescapes HTML entities using the parser's configuration (e.g. to support error tracking), complementing the existing static utility Parser.unescapeEntities(String, boolean). #2396
• Added a configurable maximum parser depth (to limit the number of open elements on stack) to both HTML and XML parsers. The HTML parser now defaults to a depth of 512 to match browser behavior, and protect against unbounded stack growth, while the XML parser keeps unlimited depth by default, but can opt into a limit via Parser.setMaxDepth(). #2421
• Build: added CI coverage for JDK 25 #2403
• Build: added a CI fuzzer for contextual fragment parsing (in addition to existing full body HTML and XML fuzzers). [oss-fuzz #14041](google/oss-fuzz#14041)

Changes

• Set a removal schedule of jsoup 1.24.1 for previously deprecated APIs.

Bug Fixes

• Previously cached child Elements of an Element were not correctly invalidated in Node#replaceWith(Node), which could lead to incorrect results when subsequently calling Element#children(). #2391
• Attribute selector values are now compared literally without trimming. Previously, jsoup trimmed whitespace from selector values and from element attribute values, which could cause mismatches with browser behavior (e.g. [attr=" foo "]). Now matches align with the CSS specification and browser engines. #2380
• When using the JDK HttpClient, any system default proxy (ProxySelector.getDefault()) was ignored. Now, the system proxy is used if a per-request proxy is not set. #2388, #2390
• A ValidationException could be thrown in the adoption agency algorithm with particularly broken input. Now logged as a parse error. #2393
• Null characters in the HTML body were not consistently removed; and in foreign content were not correctly replaced. #2395
• An IndexOutOfBoundsException could be thrown when parsing a body fragment with crafted input. Now logged as a parse error. #2397, #2406
• When using StructuralEvaluators (e.g., a parent child selector) across many retained threads, their memoized results could also be retained, increasing memory use. These results are now cleared immediately after use, reducing overall memory consumption. #2411
• Cloning a Parser now preserves any custom TagSet applied to the parser. #2422, #2423
• Custom tags marked as Tag.Void now parse and serialize like the built-in void elements: they no longer consume following content, and the XML serializer emits the expected self-closing form. #2425
• The <br> element is once again classified as an inline tag (Tag.isBlock() == false), matching common developer expectations and its role as phrasing content in HTML, while pretty-printing and text extraction continue to treat it as a line break in the rendered output. #2387, #2439
• Fixed an intermittent truncation issue when fetching and parsing remote documents via Jsoup.connect(url).get(). On responses without a charset header, the initial charset sniff could sometimes (depending on buffering / available() behavior) be mistaken for end-of-stream and a partial parse reused, dropping trailing content. #2448
• TagSet copies no longer mutate their template during lazy lookups, preventing cross-thread ConcurrentModificationException when parsing with shared sessions. #2453
• Fixed parsing of <svg> foreignObject content nested within a <p>, which could incorrectly move the HTML subtree outside the SVG. #2452

Internal Changes

• Deprecated internal helper org.jsoup.internal.Functions (for removal in v1.23.1). This was previously used to support older Android API levels without full java.util.function coverage; jsoup now requires core library desugaring so this indirection is no longer necessary. #2412

---

My sincere thanks to everyone who contributed to this release! If you have any suggestions for the next release, I would love to hear them; please get in touch via jsoup discussions, or with me directly.

You can also follow me (@jhy@tilde.zone) on Mastodon / Fediverse to receive occasional notes about jsoup releases.

Changelog

Sourced from org.jsoup:jsoup's changelog.

1.22.1 (2026-Jan-01)

Improvements

• Added support for using the re2j regular expression engine for regex-based CSS selectors (e.g. [attr~=regex], :matches(regex)), which ensures linear-time performance for regex evaluation. This allows safer handling of arbitrary user-supplied query regexes. To enable, add the com.google.re2j dependency to your classpath, e.g.:

  <dependency>
    <groupId>com.google.re2j</groupId>
    <artifactId>re2j</artifactId>
    <version>1.8</version>
  </dependency>

(If you already have that dependency in your classpath, but you want to keep using the Java regex engine, you can disable re2j via System.setProperty("jsoup.useRe2j", "false").) You can confirm that the re2j engine has been enabled correctly by calling org.jsoup.helper.Regex.usingRe2j(). #2407

• Added an instance method Parser#unescape(String, boolean) that unescapes HTML entities using the parser's configuration (e.g. to support error tracking), complementing the existing static utility Parser.unescapeEntities(String, boolean). #2396
• Added a configurable maximum parser depth (to limit the number of open elements on stack) to both HTML and XML parsers. The HTML parser now defaults to a depth of 512 to match browser behavior, and protect against unbounded stack growth, while the XML parser keeps unlimited depth by default, but can opt into a limit via org.jsoup.parser.Parser#setMaxDepth. #2421
• Build: added CI coverage for JDK 25 #2403
• Build: added a CI fuzzer for contextual fragment parsing (in addition to existing full body HTML and XML fuzzers). [oss-fuzz #14041](google/oss-fuzz#14041)

Changes

• Set a removal schedule of jsoup 1.24.1 for previously deprecated APIs.

Bug Fixes

• Previously cached child Elements of an Element were not correctly invalidated in Node#replaceWith(Node), which could lead to incorrect results when subsequently calling Element#children(). #2391
• Attribute selector values are now compared literally without trimming. Previously, jsoup trimmed whitespace from selector values and from element attribute values, which could cause mismatches with browser behavior (e.g. [attr=" foo "]). Now matches align with the CSS specification and browser engines. #2380
• When using the JDK HttpClient, any system default proxy (ProxySelector.getDefault()) was ignored. Now, the system proxy is used if a per-request proxy is not set. #2388, #2390
• A ValidationException could be thrown in the adoption agency algorithm with particularly broken input. Now logged as a parse error. #2393
• Null characters in the HTML body were not consistently removed; and in foreign content were not correctly replaced. #2395
• An IndexOutOfBoundsException could be thrown when parsing a body fragment with crafted input. Now logged as a parse error. #2397, #2406
• When using StructuralEvaluators (e.g., a parent child selector) across many retained threads, their memoized results could also be retained, increasing memory use. These results are now cleared immediately after use, reducing overall memory consumption. #2411
• Cloning a Parser now preserves any custom TagSet applied to the parser. #2422, #2423
• Custom tags marked as Tag.Void now parse and serialize like the built-in void elements: they no longer consume following content, and the XML serializer emits the expected self-closing form. #2425
• The <br> element is once again classified as an inline tag (Tag.isBlock() == false), matching common developer expectations and its role as phrasing content in HTML, while pretty-printing and text extraction continue to treat it as a line break in the rendered output. #2387, #2439
• Fixed an intermittent truncation issue when fetching and parsing remote documents via Jsoup.connect(url).get(). On responses without a charset header, the initial charset sniff could sometimes (depending on buffering / available() behavior) be mistaken for end-of-stream and a partial parse reused, dropping trailing content. #2448
• TagSet copies no longer mutate their template during lazy lookups, preventing cross-thread ConcurrentModificationException when parsing with shared sessions. #2453
• Fixed parsing of <svg> foreignObject content nested within a <p>, which could incorrectly move the HTML subtree outside the SVG. #2452

Internal Changes

• Deprecated internal helper org.jsoup.internal.Functions (for removal in v1.23.1). This was previously used to support older Android API levels without full java.util.function coverage; jsoup now requires core library desugaring so this indirection is no longer necessary. #2412

Commits

• 8dd66fe [maven-release-plugin] prepare release jsoup-1.22.1
• d924385 Changelog prep for v1.22.1
• 0f3100c Bump actions/upload-artifact from 5 to 6 (#2457)
• cf6ac20 Bump org.apache.maven.plugins:maven-release-plugin from 3.3.0 to 3.3.1 (#2455)
• 6bef938 Fix parsing of SVG foreignObject in paragraphs
• 9b1c0fc Bump org.apache.maven.plugins:maven-release-plugin from 3.2.0 to 3.3.0 (#2450)
• 1415e64 Bump actions/checkout from 5 to 6 (#2451)
• 0e99fd9 Isolate TagSet copies to prevent shared mutation (#2453)
• 90019cb Bump com.github.siom79.japicmp:japicmp-maven-plugin from 0.24.2 to 0.25.0 (#2...
• 9395269 Don't preemptively close
• Additional commits viewable in compare view

Updates org.commonmark:commonmark from 0.27.0 to 0.27.1

Release notes

Sourced from org.commonmark:commonmark's releases.

commonmark-java 0.27.1

Fixed

• Line(s) after a hard line break would sometimes also get an unwanted hard line break, e.g. if they ended in emphasis or other non-text inlines (#415)
• TextContentRenderer (for plain text): Fix nested lists on the same line (#413)
• Fix minor performance regression with pathological input (deeply nested brackets) that was introduced in version 0.23.0.

Changelog

Sourced from org.commonmark:commonmark's changelog.

[0.27.1] - 2026-01-14

Fixed

• Line(s) after a hard line break would sometimes also get an unwanted hard line break, e.g. if they ended in emphasis or other non-text inlines (#415)
• TextContentRenderer (for plain text): Fix nested lists on the same line (#413)
• Fix minor performance regression with pathological input (deeply nested brackets) that was introduced in version 0.23.0.

Commits

• cded1b1 [maven-release-plugin] prepare release commonmark-parent-0.27.1
• eb7bac0 Prepare CHANGELOG for version 0.27.1
• 582855d Merge pull request #417 from commonmark/issue-413
• fc23e49 Merge pull request #418 from commonmark/fix-parse-brackets-opt
• c946bfe Make nested brackets optimization more effective again
• 67f8405 Make list holder classes innner classes
• 2753bf2 TextContentRenderer: Fix nested lists on the same line
• 353278c Merge pull request #416 from commonmark/issue-415
• fd33435 Fix line break parsing after hard line break
• 0418c83 Merge pull request #409 from zapek/patch-1
• Additional commits viewable in compare view

Updates org.eclipse.jetty.ee11:jetty-ee11-cdi from 12.1.5 to 12.1.6

Updates org.eclipse.jetty.ee11:jetty-ee11-maven-plugin from 12.1.5 to 12.1.6

Updates org.apache.maven.plugins:maven-compiler-plugin from 3.14.1 to 3.15.0

Release notes

Sourced from