Bump the maven group across 1 directory with 3 updates

[dependabot]

Bumps the maven group with 3 updates in the / directory: org.springframework.boot:spring-boot-starter-parent, org.tukaani:xz and com.mysql:mysql-connector-j.

Updates org.springframework.boot:spring-boot-starter-parent from 3.5.6 to 4.0.0

Release notes

Sourced from org.springframework.boot:spring-boot-starter-parent's releases.

v4.0.0

Full release notes for Spring Boot 4.0 are available on the wiki. There is also a migration guide to help you upgrade from Spring Boot 3.5.

⭐ New Features

• Change tomcat and jetty runtime modules to starters #48175
• Rename spring-boot-kotlin-serialization to align with the name of the Kotlinx module that it pulls in #48076

🐞 Bug Fixes

• Error properties are a general web concern and should not be located beneath server.* #48201
• With both Jackson 2 and 3 on the classpath, @JsonTest fails due to duplicate jacksonTesterFactoryBean #48198
• Gradle war task does not exclude starter POMs from lib-provided #48197
• spring.test.webclient.mockrestserviceserver.enabled is not aligned with its module's name #48193
• SslMeterBinder doesn't register metrics for dynamically added bundles if no bundles exist at bind time #48182
• Properties bound in the child management context ignore the parent's environment prefix #48177
• ssl.chain.expiry metrics doesn't update for dynamically registered SSL bundles #48171
• Starter for spring-boot-micrometer-metrics is missing #48161
• Elasticsearch client's sniffer functionality should not be enabled by default #48155
• spring-boot-starter-elasticsearch should depend on elasticsearch-java #48141
• Auto-configuration exclusions are checked using a different class loader to the one that loads auto-configuration classes #48132
• New arm64 macbooks fail to bootBuildImage due to incorrect platform image #48128
• Properties for configuring an isolated JsonMapper or ObjectMapper are incorrectly named #48116
• Buildpack fails with recent Docker installs due to hardcoded version in URL #48103
• Image building may fail when specifying a platform if an image has already been built with a different platform #48099
• Default values of Kotlinx Serialization JSON configuration properties are not documented #48097
• Custom XML converters should override defaults in HttpMessageConverters #48096
• Kotlin serialization is used too aggressively when other JSON libraries are available #48070
• PortInUseException incorrectly thrown on failure to bind port due to Netty IP misconfiguration #48059
• Auto-configured JCacheMetrics cannot be customized #48057
• WebSecurityCustomizer beans are excluded by WebMvcTest #48055
• Deprecated EnvironmentPostProcessor does not resolve arguments #48047
• RetryPolicySettings should refer to maxRetries, not maxAttempts #48023
• Devtools Restarter does not work with a parameterless main method #47996
• Dependency management for Kafka should not manage Scala 2.12 libraries #47991
• spring-boot-mail should depend on jakarta.mail:jakarta.mail-api and org.eclipse.angus:angus-mail instead of org.eclipse.angus:jakarta.mail #47983
• spring-boot-starter-data-mongodb-reactive has dependency on reactor-test #47982
• Support for ReactiveElasticsearchClient is in the wrong module #47848

📔 Documentation

• Removed property spring.test.webclient.register-rest-template is still documented #48199
• Mention support for detecting AWS ECS in "Deploying to the Cloud" #48170
• Revise AWS section of "Deploying to the Cloud" in reference manual #48163
• Fix typo in PortInUseException Javadoc #48134
• Correct section about required setters in "Type-safe Configuration Properties" #48131
• Use since attribute in configuration properties deprecation consistently #48122
• Document EndpointJsonMapper and management.endpoints.jackson.isolated-json-mapper #48115
• Document support for configuring servlet context init parameters using properties #48112
• Some configuration properties are not documented in the appendix #48095

... (truncated)

Commits

• 1c0e08b Release v4.0.0
• 3487928 Merge branch '3.5.x'
• 29b8e96 Switch make-default in preparation for Spring Boot 4.0.0
• 88da0dd Merge branch '3.5.x'
• 56feeaa Next development version (v3.5.9-SNAPSHOT)
• 3becdc7 Move server.error properties to spring.web.error
• 2b30632 Merge branch '3.5.x'
• 4f03b44 Merge branch '3.4.x' into 3.5.x
• 3d15c13 Next development version (v3.4.13-SNAPSHOT)
• dc140df Upgrade to Spring Framework 7.0.1
• Additional commits viewable in compare view

Updates org.tukaani:xz from 1.10 to 1.11

Changelog

Sourced from org.tukaani:xz's changelog.

1.11 (2025-11-19)

• Fix a data corruption bug when encoding with the rarely-used option LZMA2Options.MODE_UNCOMPRESSED. To trigger the bug, a write call must cross an offset that is a multiple of 65536 bytes. For example, one write of 70000 bytes or two write calls of 50000 bytes each would trigger the bug. The bug isn't triggered if there are ten write calls of 8192 bytes each followed by one 123-byte write.

  If encoding to a .xz file, a decoder would catch the issue because the integrity check wouldn't match.

• The binaries of 1.10 in the Maven Central require Java 8 and contain optimized classes for Java >= 9 as multi-release JAR. They were built with OpenJDK 21.0.9 on GNU/Linux and can be reproduced using the following command:

  SOURCE_DATE_EPOCH=1763575020 TZ=UTC0 ant maven
  

Commits

• eec2ad9 Bump the version number to 1.11
• cd59206 Update NEWS.md for 1.11
• afd20a2 Omit the .github directory from releases
• 061ba5d CI: Add Coverity Scan
• cc7ea2e UncompressedLZMA2OutputStream: Don't mention ResettableArrayCache
• 6dd6e27 LZMACoder: Fix a copy-paste error
• d010bdf IA64.code: Silence a false positive from Coverity
• 2ff3ec5 REUSE.toml: Bump REUSE spec version from 3.2 to 3.3
• 14c7102 REUSE.toml: Add SHA256SUMS
• 74e42f4 Avoid an unneeded arraycopy in UncompressedLZMA2OutputStream
• Additional commits viewable in compare view

Updates com.mysql:mysql-connector-j from 9.4.0 to 9.5.0

Changelog

Sourced from com.mysql:mysql-connector-j's changelog.

Changelog

https://dev.mysql.com/doc/relnotes/connector-j/en/

Version 9.5.0

• Fix for Bug#72036 (Bug#18403804), XA isSameRM() shouldn't take database into account.

• Fix for Bug#62693 (Bug#16722068), XAConnection savepoint capability.

• Fix for Bug#81128 (Bug#23146631), Master host list overwritten by slave list when loadBalanceConnectionGroup used.

• Fix for Bug#19887224, RUNNING THE TEST SUITE WITH SOCKSPROXY* PROPERTIES HANGS IN TEST TESTBUG56429.

• Fix for Bug#98699 (Bug#30932850), Allow empty keyStore file for keyStoreTypes that do not require files. Thanks to Kolbe Kegel for his contribution.

• Fix for Bug#118938 (Bug#38396227), DatabaseMetaDataInformationSchema#getSchemas has a bug.

• Fix for Bug#99292 (Bug#31195955), Contribution: Support Windows time zone 'Coordinated Universal Time'. Thanks to Frédéric Barrière for his contribution.

• Fix for Bug#107094 (Bug#34104230), NullPointerException when calling equals with null on MultiHostConnectionProxy.

• Fix for Bug#107543 (Bug#34464351), Cannot execute a SELECT statement that writes to an OUTFILE.

• Fix for Bug#17881458, BEHAVIOR OF SETBINARYSTREAM() METHOD IS DIFFERENT WHEN USESERVERPREPSTMTS=TRUE.

• Fix for Bug#45554 (Bug#11754018), Connector/J does not encode binary data if useServerPrepStatements=false.

• Fix for Bug#114974 (Bug#36614381), the SQL in batch will not clear after statement close. Thanks to Chengyi Dong for his contribution.

• Fix for Bug#118688 (Bug#38222681), com.mysql.cj.protocol.a.StringValueEncoder#getString does not handle string escaping. Thanks to Feng Shen for his contribution.

• Fix for Bug#118329 (Bug#38022329), Contribution: Optimize BigDecimal zero value handling to reduce memory footprint. Thanks to Chengjun Huang for his contribution.

• Fix for Bug#42777 (Bug#11751788), loadBalanceStrategy and roundRobinLoadBalance should be consolidated.

• Fix for Bug#112090 (Bug#35716608), SHOW ENGINE command runs forever when using cursor fetch.

Version 9.4.0

• Fix for Bug#116120 (Bug#37079448), Inappropriate charset selected for connection when jdk.charsets not included.

• Fix for Bug#98620 (Bug#31503893), Using DatabaseMetaData.getColumns() gives collation mix error.

• Fix for Bug#118389 (Bug#38044940), OCI ephemeral keys not working after change in OCI CLI.

... (truncated)

Commits

• a7b3c94 Update for GPL license book.
• a17a256 Fix for StatementRegressionTest.testBug107543_IntoFile() failing when
• 0d642f5 Fix for Bug#72036 (Bug#18403804), XA isSameRM() shouldn't take database into ...
• cdb5880 Fix for Bug#62693 (Bug#16722068), XAConnection savepoint capability.
• 2ce8cb2 Fix for Bug#81128 (Bug#23146631), Master host list overwritten by slave list ...
• f889dec Fix for Bug#19887224, RUNNING THE TEST SUITE WITH SOCKSPROXY* PROPERTIES HANG...
• b62afb2 Fix for Bug#98699 (Bug#30932850), Allow empty keyStore file for keyStoreTypes...
• 1470742 Fix for typo.
• af1348a Update build instructions to use protoc for consistency; perform minor cleanups.
• 29a877b Fix for Bug#118938 (Bug#38396227), DatabaseMetaDataInformationSchema#getSchem...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml