Bump the maven-all group with 6 updates

[dependabot]

Bumps the maven-all group with 6 updates:

Package	From	To
com.google.protobuf:protobuf-java	4.32.1	4.34.0
org.jsoup:jsoup	1.21.2	1.22.1
org.graalvm.polyglot:polyglot	25.0.0	25.0.2
org.graalvm.polyglot:js	25.0.0	25.0.2
org.testng:testng	7.11.0	7.12.0
com.microsoft.playwright:playwright	1.55.0	1.58.0

Updates com.google.protobuf:protobuf-java from 4.32.1 to 4.34.0

Commits

• See full diff in compare view

Updates org.jsoup:jsoup from 1.21.2 to 1.22.1

Release notes

Sourced from org.jsoup:jsoup's releases.

jsoup Java HTML Parser release 1.22.1

jsoup 1.22.1 is out now, adding support for the re2j regular expression engine for regex-based CSS selectors, a configurable maximum parser depth, and numerous bug fixes and improvements.

jsoup is a Java library for working with real-world HTML and XML. It provides a very convenient API for extracting and manipulating data, using the best of HTML5 DOM methods and CSS selectors.

Download jsoup now.

Improvements

• Added support for using the re2j regular expression engine for regex-based CSS selectors (e.g. [attr~=regex], :matches(regex)), which ensures linear-time performance for regex evaluation. This allows safer handling of arbitrary user-supplied query regexes. To enable, add the com.google.re2j dependency to your classpath, e.g.:

  <dependency>
    <groupId>com.google.re2j</groupId>
    <artifactId>re2j</artifactId>
    <version>1.8</version>
  </dependency>

(If you already have that dependency in your classpath, but you want to keep using the Java regex engine, you can disable re2j via System.setProperty("jsoup.useRe2j", "false").) You can confirm that the re2j engine has been enabled correctly by calling Regex.usingRe2j(). #2407

• Added an instance method Parser#unescape(String, boolean) that unescapes HTML entities using the parser's configuration (e.g. to support error tracking), complementing the existing static utility Parser.unescapeEntities(String, boolean). #2396
• Added a configurable maximum parser depth (to limit the number of open elements on stack) to both HTML and XML parsers. The HTML parser now defaults to a depth of 512 to match browser behavior, and protect against unbounded stack growth, while the XML parser keeps unlimited depth by default, but can opt into a limit via Parser.setMaxDepth(). #2421
• Build: added CI coverage for JDK 25 #2403
• Build: added a CI fuzzer for contextual fragment parsing (in addition to existing full body HTML and XML fuzzers). [oss-fuzz #14041](google/oss-fuzz#14041)

Changes

• Set a removal schedule of jsoup 1.24.1 for previously deprecated APIs.

Bug Fixes

• Previously cached child Elements of an Element were not correctly invalidated in Node#replaceWith(Node), which could lead to incorrect results when subsequently calling Element#children(). #2391
• Attribute selector values are now compared literally without trimming. Previously, jsoup trimmed whitespace from selector values and from element attribute values, which could cause mismatches with browser behavior (e.g. [attr=" foo "]). Now matches align with the CSS specification and browser engines. #2380
• When using the JDK HttpClient, any system default proxy (ProxySelector.getDefault()) was ignored. Now, the system proxy is used if a per-request proxy is not set. #2388, #2390
• A ValidationException could be thrown in the adoption agency algorithm with particularly broken input. Now logged as a parse error. #2393
• Null characters in the HTML body were not consistently removed; and in foreign content were not correctly replaced. #2395
• An IndexOutOfBoundsException could be thrown when parsing a body fragment with crafted input. Now logged as a parse error. #2397, #2406
• When using StructuralEvaluators (e.g., a parent child selector) across many retained threads, their memoized results could also be retained, increasing memory use. These results are now cleared immediately after use, reducing overall memory consumption. #2411
• Cloning a Parser now preserves any custom TagSet applied to the parser. #2422, #2423
• Custom tags marked as Tag.Void now parse and serialize like the built-in void elements: they no longer consume following content, and the XML serializer emits the expected self-closing form. #2425
• The <br> element is once again classified as an inline tag (Tag.isBlock() == false), matching common developer expectations and its role as phrasing content in HTML, while pretty-printing and text extraction continue to treat it as a line break in the rendered output. #2387, #2439
• Fixed an intermittent truncation issue when fetching and parsing remote documents via Jsoup.connect(url).get(). On responses without a charset header, the initial charset sniff could sometimes (depending on buffering / available() behavior) be mistaken for end-of-stream and a partial parse reused, dropping trailing content. #2448
• TagSet copies no longer mutate their template during lazy lookups, preventing cross-thread ConcurrentModificationException when parsing with shared sessions. #2453
• Fixed parsing of <svg> foreignObject content nested within a <p>, which could incorrectly move the HTML subtree outside the SVG. #2452

Internal Changes

• Deprecated internal helper org.jsoup.internal.Functions (for removal in v1.23.1). This was previously used to support older Android API levels without full java.util.function coverage; jsoup now requires core library desugaring so this indirection is no longer necessary. #2412

---

My sincere thanks to everyone who contributed to this release! If you have any suggestions for the next release, I would love to hear them; please get in touch via jsoup discussions, or with me directly.

You can also follow me (@jhy@tilde.zone) on Mastodon / Fediverse to receive occasional notes about jsoup releases.

Changelog

Sourced from org.jsoup:jsoup's changelog.

1.22.1 (2026-Jan-01)

Improvements

• Added support for using the re2j regular expression engine for regex-based CSS selectors (e.g. [attr~=regex], :matches(regex)), which ensures linear-time performance for regex evaluation. This allows safer handling of arbitrary user-supplied query regexes. To enable, add the com.google.re2j dependency to your classpath, e.g.:

  <dependency>
    <groupId>com.google.re2j</groupId>
    <artifactId>re2j</artifactId>
    <version>1.8</version>
  </dependency>

(If you already have that dependency in your classpath, but you want to keep using the Java regex engine, you can disable re2j via System.setProperty("jsoup.useRe2j", "false").) You can confirm that the re2j engine has been enabled correctly by calling org.jsoup.helper.Regex.usingRe2j(). #2407

• Added an instance method Parser#unescape(String, boolean) that unescapes HTML entities using the parser's configuration (e.g. to support error tracking), complementing the existing static utility Parser.unescapeEntities(String, boolean). #2396
• Added a configurable maximum parser depth (to limit the number of open elements on stack) to both HTML and XML parsers. The HTML parser now defaults to a depth of 512 to match browser behavior, and protect against unbounded stack growth, while the XML parser keeps unlimited depth by default, but can opt into a limit via org.jsoup.parser.Parser#setMaxDepth. #2421
• Build: added CI coverage for JDK 25 #2403
• Build: added a CI fuzzer for contextual fragment parsing (in addition to existing full body HTML and XML fuzzers). [oss-fuzz #14041](google/oss-fuzz#14041)

Changes

• Set a removal schedule of jsoup 1.24.1 for previously deprecated APIs.

Bug Fixes

• Previously cached child Elements of an Element were not correctly invalidated in Node#replaceWith(Node), which could lead to incorrect results when subsequently calling Element#children(). #2391
• Attribute selector values are now compared literally without trimming. Previously, jsoup trimmed whitespace from selector values and from element attribute values, which could cause mismatches with browser behavior (e.g. [attr=" foo "]). Now matches align with the CSS specification and browser engines. #2380
• When using the JDK HttpClient, any system default proxy (ProxySelector.getDefault()) was ignored. Now, the system proxy is used if a per-request proxy is not set. #2388, #2390
• A ValidationException could be thrown in the adoption agency algorithm with particularly broken input. Now logged as a parse error. #2393
• Null characters in the HTML body were not consistently removed; and in foreign content were not correctly replaced. #2395
• An IndexOutOfBoundsException could be thrown when parsing a body fragment with crafted input. Now logged as a parse error. #2397, #2406
• When using StructuralEvaluators (e.g., a parent child selector) across many retained threads, their memoized results could also be retained, increasing memory use. These results are now cleared immediately after use, reducing overall memory consumption. #2411
• Cloning a Parser now preserves any custom TagSet applied to the parser. #2422, #2423
• Custom tags marked as Tag.Void now parse and serialize like the built-in void elements: they no longer consume following content, and the XML serializer emits the expected self-closing form. #2425
• The <br> element is once again classified as an inline tag (Tag.isBlock() == false), matching common developer expectations and its role as phrasing content in HTML, while pretty-printing and text extraction continue to treat it as a line break in the rendered output. #2387, #2439
• Fixed an intermittent truncation issue when fetching and parsing remote documents via Jsoup.connect(url).get(). On responses without a charset header, the initial charset sniff could sometimes (depending on buffering / available() behavior) be mistaken for end-of-stream and a partial parse reused, dropping trailing content. #2448
• TagSet copies no longer mutate their template during lazy lookups, preventing cross-thread ConcurrentModificationException when parsing with shared sessions. #2453
• Fixed parsing of <svg> foreignObject content nested within a <p>, which could incorrectly move the HTML subtree outside the SVG. #2452

Internal Changes

• Deprecated internal helper org.jsoup.internal.Functions (for removal in v1.23.1). This was previously used to support older Android API levels without full java.util.function coverage; jsoup now requires core library desugaring so this indirection is no longer necessary. #2412

Commits

• 8dd66fe [maven-release-plugin] prepare release jsoup-1.22.1
• d924385 Changelog prep for v1.22.1
• 0f3100c Bump actions/upload-artifact from 5 to 6 (#2457)
• cf6ac20 Bump org.apache.maven.plugins:maven-release-plugin from 3.3.0 to 3.3.1 (#2455)
• 6bef938 Fix parsing of SVG foreignObject in paragraphs
• 9b1c0fc Bump org.apache.maven.plugins:maven-release-plugin from 3.2.0 to 3.3.0 (#2450)
• 1415e64 Bump actions/checkout from 5 to 6 (#2451)
• 0e99fd9 Isolate TagSet copies to prevent shared mutation (#2453)
• 90019cb Bump com.github.siom79.japicmp:japicmp-maven-plugin from 0.24.2 to 0.25.0 (#2...
• 9395269 Don't preemptively close
• Additional commits viewable in compare view

Updates org.graalvm.polyglot:polyglot from 25.0.0 to 25.0.2

Commits

• 981ecb6 [GR-72395] Release GraalVM 25.0.2
• 811aa54 release GraalVM 25.0.2
• aeff345 [GR-70219] Backport to 25.0: Induction variable overflow detection: iv have r...
• 58ec3b9 [GR-71786] Backport to 25.0: In-place copySwap in JavaMemoryUtil is a no-op.
• 3df0577 [GR-71011] Backport to 25.0: Make native slot wrappers context-specific. Fixe...
• ee11ac4 [GR-68985] Backport to 25.0: Fix the reachability-metadata schema and include...
• ee7da6d [GR-72185] Update labsjdk to 25.0.2+10-jvmci-b01
• c9260ad [GR-70097] Backport to 25.0: Fix constructor accessor checks.
• 182c6d5 [GR-71881] Drop RSSTracker from disabled trackers for barista.
• 0c0e816 [GR-71488] Backport to 25.0: Converting values injected by instruments.
• Additional commits viewable in compare view

Updates org.graalvm.polyglot:js from 25.0.0 to 25.0.2

Commits

• 981ecb6 [GR-72395] Release GraalVM 25.0.2
• 811aa54 release GraalVM 25.0.2
• aeff345 [GR-70219] Backport to 25.0: Induction variable overflow detection: iv have r...
• 58ec3b9 [GR-71786] Backport to 25.0: In-place copySwap in JavaMemoryUtil is a no-op.
• 3df0577 [GR-71011] Backport to 25.0: Make native slot wrappers context-specific. Fixe...
• ee11ac4 [GR-68985] Backport to 25.0: Fix the reachability-metadata schema and include...
• ee7da6d [GR-72185] Update labsjdk to 25.0.2+10-jvmci-b01
• c9260ad [GR-70097] Backport to 25.0: Fix constructor accessor checks.
• 182c6d5 [GR-71881] Drop RSSTracker from disabled trackers for barista.
• 0c0e816 [GR-71488] Backport to 25.0: Converting values injected by instruments.
• Additional commits viewable in compare view

Updates org.graalvm.polyglot:js from 25.0.0 to 25.0.2

Commits

• 981ecb6 [GR-72395] Release GraalVM 25.0.2
• 811aa54 release GraalVM 25.0.2
• aeff345 [GR-70219] Backport to 25.0: Induction variable overflow detection: iv have r...
• 58ec3b9 [GR-71786] Backport to 25.0: In-place copySwap in JavaMemoryUtil is a no-op.
• 3df0577 [GR-71011] Backport to 25.0: Make native slot wrappers context-specific. Fixe...
• ee11ac4 [GR-68985] Backport to 25.0: Fix the reachability-metadata schema and include...
• ee7da6d [GR-72185] Update labsjdk to 25.0.2+10-jvmci-b01
• c9260ad [GR-70097] Backport to 25.0: Fix constructor accessor checks.
• 182c6d5 [GR-71881] Drop RSSTracker from disabled trackers for barista.
• 0c0e816 [GR-71488] Backport to 25.0: Converting values injected by instruments.
• Additional commits viewable in compare view

Updates org.testng:testng from 7.11.0 to 7.12.0

Release notes

Sourced from org.testng:testng's releases.

7.12.0

What's Changed

• GITHUB-2765: Propagate timeout stack trace to fix testng-team#2765 by @​idontusenumbers in testng-team/testng#3206
• Streamline working of shared thread pools by @​krmahadevan in testng-team/testng#3207
• Streamline xml serialisation to string by @​krmahadevan in testng-team/testng#3208
• test: improve osgi tests by @​vlsi in testng-team/testng#3213
• chore: setup-java Oracle action supports Java 21+ only by @​vlsi in testng-team/testng#3215
• Add DynamicImport-Package to load classes by name by @​laeubi in testng-team/testng#3220
• Use UUID backed instance id instead by @​krmahadevan in testng-team/testng#3218
• Ensure assertions is contents aware by @​krmahadevan in testng-team/testng#3228
• Fix: Ensure DataProvider parameters are refreshed on retry when cacheDataForTestRetries=false by @​baflQA in testng-team/testng#3250
• Improve/test workflow jdk25 by @​baflQA in testng-team/testng#3253
• Fix: issue 3231 retry infinite loop by @​baflQA in testng-team/testng#3251
• Fix Release process by @​krmahadevan in testng-team/testng#3255

New Contributors

• @​idontusenumbers made their first contribution in testng-team/testng#3206
• @​laeubi made their first contribution in testng-team/testng#3220

Full Changelog: testng-team/testng@7.11.0...7.12.0

Changelog

Sourced from org.testng:testng's changelog.

7.12.0 Fixed: GITHUB-3231: TestNG retry is going into infinite loop when the data provider returned object is modified before failure (Bartek Florczak) Update: Updated GitHub Actions test matrix to include JDK 25 and JDK 26 EA (Bartek Florczak) Fixed: GITHUB-3236: DataProvider parameters are not refreshed on retry when cacheDataForTestRetries=false (Bartek Florczak) Fixed: GITHUB-3227: assertEqualsNoOrder false positive when collection has same size and actual Collection is subset of expected collection (Krishnan Mahadevan) Fixed: GITHUB-3177: Method org.testng.xml.XmlSuite#toXml do not save new properties like "share-thread-pool-for-data-providers" (Krishnan Mahadevan) Fixed: GITHUB-3179: ClassCastException when use shouldUseGlobalThreadPool(true) property (Krishnan Mahadevan) Fixed: GITHUB-2765: Test timeouts using existing Executor now propagate the stack trace to the ThreadTimeoutException (Charlie Hayes)

Commits

• a21a584 Fix Release process (#3255)
• be97321 Fix: issue 3231 retry infinite loop (#3251)
• bad4cb5 Improve/test workflow jdk25 (#3253)
• 61068a1 Fix: Ensure DataProvider parameters are refreshed on retry when cacheDataForT...
• d50b2ad Ensure assertions is contents aware
• 02d223d Use a composite key instead of String as key
• 58b3824 Add DynamicImport-Package to load classes by name
• 40cd805 chore: use pax-logging for osgi tests so it does not require runtime bytecode...
• 0fdf868 chore: setup-java Oracle action supports Java 21+ only
• 6a25754 test: improve osgi tests
• Additional commits viewable in compare view

Updates com.microsoft.playwright:playwright from 1.55.0 to 1.58.0

Release notes

Sourced from com.microsoft.playwright:playwright's releases.

v1.58.0

UI Mode and Trace Viewer Improvements

• New 'system' theme option follows your OS dark/light mode preference
• Search functionality (Cmd/Ctrl+F) is now available in code editors
• Network details panel has been reorganized for better usability
• JSON responses are now automatically formatted for readability

Thanks to @​cpAdm for contributing these improvements!

Miscellaneous

browserType.connectOverCDP() now accepts an isLocal option. When set to true, it tells Playwright that it runs on the same host as the CDP server, enabling file system optimizations.

Breaking Changes ⚠️

• Removed _react and _vue selectors. See locators guide for alternatives.
• Removed :light selector engine suffix. Use standard CSS selectors instead.
• Option devtools from browserType.launch() has been removed. Use setArgs(Arrays.asList("--auto-open-devtools-for-tabs")) instead.
• Removed macOS 13 support for WebKit. We recommend to upgrade your macOS version, or keep using an older Playwright version.

Browser Versions

• Chromium 145.0.7632.6
• Mozilla Firefox 146.0.1
• WebKit 26.0

This version was also tested against the following stable channels:

• Google Chrome 144
• Microsoft Edge 144

v1.57.0

Chrome for Testing

Starting with this release, Playwright switches from Chromium, to using Chrome for Testing builds. Both headed and headless browsers are subject to this. Your tests should still be passing after upgrading to Playwright 1.57.

We're expecting no functional changes to come from this switch. The biggest change is the new icon and title in your toolbar.

If you still see an unexpected behaviour change, please file an issue.

On Arm64 Linux, Playwright continues to use Chromium.

Breaking Change

After 3 years of being deprecated, we removed page.accessibility() from our API. Please use other libraries such as Axe if you need to test page accessibility. See our Node.js guide for integration with Axe.

New APIs

• worker. onConsole event is emitted when JavaScript within the worker calls one of console API methods, e.g. console.log or console.dir. Worker.waitForConsoleMessage() can be used to wait for it.
• locator.description() returns locator description previously set with locator.describe().
• New option steps in locator.click() and locator.dragTo() that configures the number of mousemove events emitted while moving the mouse pointer to the target element.

... (truncated)

Commits

• 66dd817 chore: update Maven version to 1.58.0 (#1887)
• b5c2160 chore: roll to 1.58.0 (#1883)
• 63bb008 chore: roll driver to 1.57.0-beta-1764692940000 (#1870)
• 9b3a788 chore(deps): bump actions/checkout from 5 to 6 in the actions group (#1868)
• 2f387ed chore(deps): bump the all group with 3 updates (#1867)
• 6eb30e2 chore(deps): bump junit.version from 5.13.4 to 5.14.1 (#1859)
• 0f14588 Migrate ExtensionContext.Store.CloseableResource to AutoCloseable (#1860)
• e417cad Fix document typo - setContextOptions (#1862)
• 059667e chore: remove background pages implementation (#1861)
• 98296d9 devops: update ado approver (#1857)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions