Bump the maven-dependencies group across 1 directory with 8 updates

[dependabot]

Bumps the maven-dependencies group with 8 updates in the / directory:

Package	From	To
com.auth0:java-jwt	4.5.1	4.5.2
com.github.ben-manes.caffeine:caffeine	3.2.3	3.2.4
org.slf4j:slf4j-api	2.0.17	2.0.18
org.slf4j:slf4j-simple	2.0.17	2.0.18
org.junit.jupiter:junit-jupiter	6.0.3	6.1.0
org.apache.maven.plugins:maven-dependency-plugin	3.10.0	3.11.0
org.apache.maven.plugins:maven-surefire-plugin	3.5.3	3.5.6
org.owasp:dependency-check-maven	12.2.0	12.2.2

Updates com.auth0:java-jwt from 4.5.1 to 4.5.2

Release notes

Sourced from com.auth0:java-jwt's releases.

4.5.2

Added

• Chore: Bump update commons-beanutils dependency #761 (tanya732)
• Chore: Update Readme with Java 21 #760 (tanya732)

Changelog

Sourced from com.auth0:java-jwt's changelog.

4.5.2 (2026-04-29)

Full Changelog

Added

• Chore: Bump update commons-beanutils dependency #761 (tanya732)
• Chore: Update Readme with Java 21 #760 (tanya732)

Commits

• 695fd2b Release 4.5.2 (#765)
• 4ac3178 Release 4.5.2
• d056a79 Bump com.fasterxml.jackson.core:jackson-databind from 2.21.2 to 2.21.3 in /li...
• 37f195a Bump com.fasterxml.jackson.core:jackson-databind in /lib
• dba4c93 Chore: Bump update commons-beanutils dependency (#761)
• 84d4c8f Merge branch 'master' into chore/bump-commons-beanutils
• 5c923d4 Chore: Add SCA scan workflow (#762)
• 09a4da5 Merge branch 'master' into chore/add-sca-scan
• ef47e64 Chore: Add SCA scan workflow
• 3fcfbcb Chore: Bump update commons-beanutils dependency
• Additional commits viewable in compare view

Updates com.github.ben-manes.caffeine:caffeine from 3.2.3 to 3.2.4

Release notes

Sourced from com.github.ben-manes.caffeine:caffeine's releases.

3.2.4

• Improved access expiration's read performance by avoiding false sharing effects caused by the timestamp update
• Fixed head-of-line blocking of expiration queues caused by in-flight async entries (#1954)
• Fixed various minor issues found using AI audits
• Added ObjectInputFilter support to JCache

Commits

• 836b65c use a consistent expiration tolerance calculation
• 0dc7daf resurrect in-flight async entries on expiration
• 0bac8b5 handle head-of-line blocking of expiration queues (fixes #1954)
• ff25836 test polish
• f3a6176 Fix JCache close/createCache races and recursive teardown
• 622fbe7 Fix removal in identity views and widen hill-climber counters
• 8da5a7a defer weighing the entry until after the putIfAbsent hit fast-path
• 94ad0ff Record eviction stats before notifying the removal listener consistently
• f94c011 Auto-assert eviction stats alongside notifications.withCause.exclusively
• 2e945e0 Skip timestamp writes within tolerance on the read path.
• Additional commits viewable in compare view

Updates org.slf4j:slf4j-api from 2.0.17 to 2.0.18

Updates org.slf4j:slf4j-simple from 2.0.17 to 2.0.18

Updates org.junit.jupiter:junit-jupiter from 6.0.3 to 6.1.0

Release notes

Sourced from org.junit.jupiter:junit-jupiter's releases.

JUnit 6.1.0 = Platform 6.1.0 + Jupiter 6.1.0 + Vintage 6.1.0

See Release Notes.

New Contributors

• @​JarvisCraft made their first contribution in junit-team/junit-framework#5633
• @​Maran23 made their first contribution in junit-team/junit-framework#5644

Full Changelog: junit-team/junit-framework@r6.0.3...r6.1.0

JUnit 6.1.0-RC1 = Platform 6.1.0-RC1 + Jupiter 6.1.0-RC1 + Vintage 6.1.0-RC1

See Release Notes.

New Contributors

• @​mariokhoury4 made their first contribution in junit-team/junit-framework#4574
• @​Ogu1208 made their first contribution in junit-team/junit-framework#5145
• @​HyungGeun94 made their first contribution in junit-team/junit-framework#5271
• @​yalishevant made their first contribution in junit-team/junit-framework#5316
• @​JINU-CHANG made their first contribution in junit-team/junit-framework#5290
• @​jaschdoc made their first contribution in junit-team/junit-framework#5427
• @​kawshikbuet17 made their first contribution in junit-team/junit-framework#5561
• @​msridhar made their first contribution in junit-team/junit-framework#5602

Full Changelog: junit-team/junit-framework@r6.1.0-M1...r6.1.0-RC1

JUnit 6.1.0-M1 = Platform 6.1.0-M1 + Jupiter 6.1.0-M1 + Vintage 6.1.0-M1

See Release Notes.

New Contributors

• @​vy made their first contribution in junit-team/junit-framework#5041
• @​Pankraz76 made their first contribution in junit-team/junit-framework#5006
• @​arukiidou made their first contribution in junit-team/junit-framework#5066
• @​laeubi made their first contribution in junit-team/junit-framework#5092
• @​jihun4452 made their first contribution in junit-team/junit-framework#5088
• @​TWiStErRob made their first contribution in junit-team/junit-framework#5133

Full Changelog: junit-team/junit-framework@r6.0.0...r6.1.0-M1

Commits

• 0dc3af1 Release 6.1.0
• 1d13002 Prepare 6.1.0 release notes
• 072b217 Update plugin spotless to v8.5.0 (#5668)
• 3a53480 Update Gradle to v9.5.1 (#5666)
• 0e18a20 Update zizmorcore/zizmor-action action to v0.5.4 (#5669)
• 0a2634f Update github/codeql-action action to v4.35.5 (#5671)
• 4dbd556 Restructure workflows to have single "status" job (#5670)
• f2194ce Increase timeout to reduce flakiness
• 5c8fdd2 Update dependency org.apache.groovy:groovy to v5.0.6 (#5659)
• 43c6982 Update dependency org.slf4j:slf4j-jdk14 to v2.0.18 (#5667)
• Additional commits viewable in compare view

Updates org.slf4j:slf4j-simple from 2.0.17 to 2.0.18

Updates org.apache.maven.plugins:maven-dependency-plugin from 3.10.0 to 3.11.0

Release notes

Sourced from org.apache.maven.plugins:maven-dependency-plugin's releases.

3.11.0

🚀 New features and improvements

• Add dependency:add and dependency:remove goals (#1599) @​brunoborges
• Added ability to provide arbitrary dependencies to properties mojo (#1561) @​treilhes

🐛 Bug Fixes

• Fix artifact relocation support (#1633) @​slawekjaranowski
• fix: fix addParentPoms=true causes repositories to be ignored. (#1585) @​k-wall
• Fix false positive in analyze-exclusions with transitive dependency exclusion (#1628) @​slawekjaranowski
• Make AbstractAnalyzeMojo.filterArtifactsByScope() null-safe (#1622) @​elharo
• Prevent NPE in BuildClasspathMojo.appendArtifactPath() when an artifact has no resolved file (#1623) @​elharo
• Log unpacking at debug level (#1624) @​elharo
• Resolve plugins declared in pluginManagement for resolve-plugins and go-offline (#1603) @​slawekjaranowski
• Fix analyze-exclusions crashes if there is no dependencyManagement element (#1597) @​JackPGreen

👻 Maintenance

• Enable ITs for dependency:remove and use mock dependencies (#1613) @​slawekjaranowski
• More meaningful assertions (#1611) @​elharo
• Cure various typos IntelliJ complains about (#1612) @​elharo
• Remove unused jansi dependency (#1606) @​slawekjaranowski
• Enable ITs for dependecy:add and use mock dependencies (#1610) @​slawekjaranowski
• Cleaner exception handling (#1566) @​elharo

📦 Dependency updates

• Manage ASM version 9.10 to support JDK 27 (#1632) @​slawekjaranowski
• Bump eu.maveniverse.maven.domtrip:domtrip-core from 1.5.0 to 1.5.1 (#1631) @dependabot[bot]
• Bump eu.maveniverse.maven.domtrip:domtrip-maven from 1.5.0 to 1.5.1 (#1630) @dependabot[bot]
• Bump mavenVersion from 3.9.15 to 3.9.16 (#1626) @dependabot[bot]
• Bump org.apache.maven.shared:maven-dependency-analyzer from 1.17.0 to 1.17.1 (#1627) @dependabot[bot]
• Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.18.0 in /src/it/projects/remove-dependency/basic (#1607) @dependabot[bot]
• Bump org.apache.maven.plugins:maven-plugins from 47 to 48 (#1605) @dependabot[bot]
• Bump mavenVersion from 3.9.14 to 3.9.15 (#1601) @dependabot[bot]
• Bump org.jsoup:jsoup from 1.22.1 to 1.22.2 (#1602) @dependabot[bot]
• Bump org.apache.maven.doxia:doxia-sink-api from 2.0.0 to 2.1.0 (#1595) @dependabot[bot]
• Bump org.fusesource.jansi:jansi from 2.4.2 to 2.4.3 (#1596) @dependabot[bot]
• Bump mavenVersion from 3.9.12 to 3.9.14 (#1594) @dependabot[bot]
• Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness from 3.5.0 to 3.5.1 (#1589) @dependabot[bot]

Commits

• c186d05 [maven-release-plugin] prepare release maven-dependency-plugin-3.11.0
• 3712611 Fix artifact relocation support
• e873e0e Manage ASM version 9.10 to support JDK 27
• 70b5356 fix: fix addParentPoms=true causes repositories to be ignored. (#1585)
• 51d8939 Fix false positive in analyze-exclusions with transitive dependency exclusion...
• 02b865b Bump eu.maveniverse.maven.domtrip:domtrip-core from 1.5.0 to 1.5.1
• 04f4de1 Bump eu.maveniverse.maven.domtrip:domtrip-maven from 1.5.0 to 1.5.1
• 2812490 Bump mavenVersion from 3.9.15 to 3.9.16
• ce117da Bump org.apache.maven.shared:maven-dependency-analyzer
• aea7a64 Prevent NPE (#1622)
• Additional commits viewable in compare view

Updates org.apache.maven.plugins:maven-surefire-plugin from 3.5.3 to 3.5.6

Release notes

Sourced from org.apache.maven.plugins:maven-surefire-plugin's releases.

3.5.6

🚀 New features and improvements

• Introduce reportTestTimestamp option and include timestamp for test sets and test cases (#3261) (#3302) @​olamy

🐛 Bug Fixes

• Issue #2613 Debugging failsafe tests: Message 'Listening for transport dt_socket at address' is not displayed anymore when using maven.surefire.debug (#3353) (#3354) @​olamy
• Ensure that the statistics filename is calculated only once. (#3326) (#3327) @​olamy
• Add flakes attribute to use in testsuite report (#3306) (#3308) @​olamy
• [BACKPORT 3.5.x] [SUREFIRE-2049] - Fix SHUTDOWN type lost during command serialization. (#3270) (#3289) @​olamy
• fix: null guard for context map (#3269) (#3272) @​olamy

👻 Maintenance

• 3.5.x/bug/cherry pick embedded mode its (#3328) @​olamy
• Use surefire 3.5.5 by project itself for testing (#3324) @​slawekjaranowski
• Follow Oracle javadoc guidelines (#3177) @​elharo

📦 Dependency updates

• Bump org.fusesource.jansi:jansi from 2.4.2 to 2.4.3 (#3334) @dependabot[bot]
• Bump commons-io:commons-io from 2.21.0 to 2.22.0 (#3350) @dependabot[bot]

3.5.5

🚀 New features and improvements

• Replace runing external process and parsing output with simple ProcessHandle if available (Java9+) (#3252) @​olamy
• Pass slf4j context to spawned thread (#3241) @​scottrw93
• [SUREFIRE-3239] - allow override of statistics file checksum (#3247) @​XN137
• Reduce log level for skipped tests result to info (#3232) @​strangelookingnerd

🐛 Bug Fixes

• Use PowerShell instead of WMIC for detecting zombie process on Windows (#3258) @​jbliznak. Please note if you are using Windows with Java 8 and not PowerShell (you have options to: use Java 9+, install PowerShell or stay on Surefire 3.5.4)
• Properly work with test failures caused during beforeAll phase (#3194) @​Frawless

📝 Documentation updates

• Clarify how late placeholder replacement (@{...}) deals with (#3208) @​kwin

👻 Maintenance

• Fix Jenkin badges in README (#3254) @​slawekjaranowski
• Use JUnit5 in failsafe ITs (#3251) @​slawekjaranowski
• Remove long-deprecated unused encoding property from VerifyMojo (#3198) @​Tomlincoln
• Add IT and deal with corner cases of handling beforeAll failures (#3200) @​Frawless
• Revert PR #3194 that handle beforeAll failures to follow proper contributing rules (#3211) @​Frawless

... (truncated)

Commits

• 25ea054 [maven-release-plugin] prepare release surefire-3.5.6
• e5f374c Bump org.fusesource.jansi:jansi from 2.4.2 to 2.4.3
• dadd55b Issue #2613 Debugging failsafe tests: Message 'Listening for transport dt_soc...
• 39dd250 Bump commons-io:commons-io from 2.21.0 to 2.22.0
• 2774273 Ensure that the statistics filename is calculated only once. (#3326) (#3327)
• 0d5df8a 3.5.x/bug/cherry pick embedded mode its (#3328)
• 04ad9a2 Use surefire 3.5.5 by project itself for testing
• 37e8f69 Add flakes attribute to use in testsuite report (#3306) (#3308)
• a970fef Introduce reportTestTimestamp option and include timestamp for test sets and ...
• e838393 deploy 3.5.x branch to nexus
• Additional commits viewable in compare view

Updates org.owasp:dependency-check-maven from 12.2.0 to 12.2.2

Release notes

Sourced from org.owasp:dependency-check-maven's releases.

Version 12.2.2

Refer to the CHANGELOG.md for information about improvements and upgrade notes.

Version 12.2.1

Refer to the CHANGELOG.md for information about improvements and upgrade notes.

Changelog

Sourced from org.owasp:dependency-check-maven's changelog.

Version 12.2.2 (2026-05-03)

NOTE: The database schema was updated to fix #8466 - if using an external database the update scripts must be run!

• feat: improve Sonatype Guide / OSS Index cache handling and insufficient credits error reporting (#8451)
• feat: support and prefer githubID vuln identifiers from RetireJS (#8419)
• fix(db): widen reference URL column to handle long Mozilla CVE URLs (#8467)
• fix: add corepack to docker image (#8386)
• fix: bump open-vulnerability-clients to resolve NVD timestamp parsing errors (#8427)
• fix: de-duplicate and sort both includedBy and projectReferences in reports (#8440)
• fix: migrate default OSS Index API URL to Sonatype Guide; supporting optional username (#8404)
• docs: correct missing documentation for Gradle plugin (#8431)
• docs: tweak docs site structure; documenting missing analyzers (#8462)
• chore: remove spurious bundle-audit log line when there are no errors (#8454)
• chore: tidy CHANGELOG formatting (#8414)
• chore(fp): remove duplicate log4j FP suppressions (#8468)
• build(deps): bump apache.ant.version from 1.10.16 to 1.10.17 (#8416)
• build(deps): bump com.fasterxml.jackson:jackson-bom from 2.21.2 to 2.21.3 (#8465)
• build(deps): bump com.google.guava:guava from 33.5.0-jre to 33.6.0-jre (#8420)
• build(deps): bump com.mysql:mysql-connector-j from 9.6.0 to 9.7.0 (#8445)
• build(deps): bump commons-codec:commons-codec from 1.21.0 to 1.22.0 (#8453)
• build(deps): bump commons-io:commons-io from 2.21.0 to 2.22.0 (#8448)
• build(deps): bump httpcomponents.client.version from 5.6 to 5.6.1 (#8432)
• build(deps): bump joda-time:joda-time from 2.14.1 to 2.14.2 (#8464)
• build(deps): bump org.apache.maven.plugins:maven-invoker-plugin from 3.9.1 to 3.10.0 (#8452)
• build(deps): bump org.jsoup:jsoup from 1.22.1 to 1.22.2 (#8437)
• build(deps): bump org.postgresql:postgresql from 42.7.10 to 42.7.11 (#8463)
• build(deps): bump the actions-deps group with 8 updates (#8472)

See the full listing of changes

Version 12.2.1 (2026-04-11)

• fix(core): correct xml schema validation handling without needing external access (#8272)
• fix(deps): upgrade slf4j and logback (#8306)
• fix(test): disable pnpm analyzer during test (#8305)
• fix: Correct published/hosted suppressions namespace header and indent (#8258)
• fix: Suppress noisy WARN logging from Apache Lucene within Maven and Ant plugins (#8248)
• fix: #8140 AssemblyAnalyzer version resolution issue (#8352)
• fix: #8140 fix version resolution
• fix: #8140 hint azure_identity_library_for_.net
• fix: #8356 narrow down VersionFilterAnalyzer scope to JAR files (#8358)
• fix: correct parsing for CVSSv4 strings with Provider Urgency (#8377)
• fix: evidence source in Retire JS analyzer (#8303)
• fix: exclude deprecations from Yarn Berry audit results (#8380)
• fix: improve PEAnalyzer reliability by migrating to maintained PE/COFF 4J library fork (#8245)
• fix: improve configuration consistency (casing) (#8355)
• fix: improve logging of unexpected Java Errors during processing of NVD (#8250)
• fix: raw type warning in ProcessReader (#8324)
• fix: suppress false positives for zabbix-utils #8087 (#8218)

... (truncated)

Commits

• b51290f build: prepare release v12.2.2
• 70070a9 docs: release 12.2.2
• 47aa0c7 fix: widen reference URL column to handle long Mozilla CVE URLs (#8467)
• 1de40c0 build(deps): bump the actions-deps group with 8 updates (#8472)
• 74678b0 build(deps): bump com.fasterxml.jackson:jackson-bom from 2.21.2 to 2.21.3 (#8...
• 3f83d80 build(deps): bump org.postgresql:postgresql from 42.7.10 to 42.7.11 (#8463)
• 04387c3 build(deps): bump commons-codec:commons-codec from 1.21.0 to 1.22.0 (#8453)
• 11e1771 build(deps): bump org.apache.maven.plugins:maven-invoker-plugin from 3.9.1 to...
• e850545 chore(fp): remove duplicate log4j FP suppressions (#8468)
• 9acbb33 feat: improve Sonatype Guide / OSS Index cache handling and insufficient cred...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions