chore(deps): bump the maven group across 4 directories with 7 updates #5

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/maven/maven-412c6f430b

dependabot bot commented on behalf of github Feb 25, 2026

Bumps the maven group with 7 updates in the / directory:

Package From To
ch.qos.logback:logback-core 1.5.18 1.5.25
org.springframework:spring-core 6.1.14 6.2.11
org.apache.logging.log4j:log4j-core 2.21.0 2.25.3
org.assertj:assertj-core 3.26.3 3.27.7
org.eclipse.jetty:jetty-http 11.0.25 12.0.12
com.mchange:c3p0 0.10.1 0.12.0
org.mozilla:rhino 1.7.15 1.7.15.1

Bumps the maven group with 1 update in the /openmetadata-clients/openmetadata-java-client directory: org.mozilla:rhino.
Bumps the maven group with 5 updates in the /openmetadata-mcp directory:

Package From To
ch.qos.logback:logback-core 1.5.18 1.5.25
org.springframework:spring-core 6.1.14 6.2.11
org.apache.logging.log4j:log4j-core 2.21.0 2.25.3
org.assertj:assertj-core 3.26.3 3.27.7
org.eclipse.jetty:jetty-http 11.0.25 12.0.12

Bumps the maven group with 6 updates in the /openmetadata-service directory:

Package From To
ch.qos.logback:logback-core 1.5.18 1.5.25
org.springframework:spring-core 6.1.14 6.2.11
org.apache.logging.log4j:log4j-core 2.21.0 2.25.3
org.assertj:assertj-core 3.26.3 3.27.7
org.eclipse.jetty:jetty-http 11.0.25 12.0.12
com.mchange:c3p0 0.10.1 0.12.0

Updates ch.qos.logback:logback-core from 1.5.18 to 1.5.25

Release notes

Sourced from ch.qos.logback:logback-core's releases.

Logback 1.5.25

2026-01-17 Release of logback version 1.5.25

• When processing configuration files, logback-core will now only instantiate components compatible with the class expected by the encapsulating class. This fixes an ACE vulnerability recorded as CVE-2026-1225.

• In configuration files, referencing a single undeclared appender would cause all referenced appenders to be skipped. This issue was discovered in issues/997.

• Added VersionUtil class to logback-core. This utility class checks for version compatibility issues and alerts the user if need be.

• Added EpochConverter to output milliseconds/seconds since epoch. This enhancement was requested by Duncan Jauncey in issues/1000 who also provided the relevant implementation PR.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit f426e0002800cfb507f393fcacffe0761a425220 associated with the tag v_1.5.25. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.24

2026-01-06 Release of logback version 1.5.24

• Added ExpressionPropertyCondition a PropertyCondition that can evaluate boolean expressions similar to Java. See the relevant documentation for further details.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 62bc5fc245dd3a52f3dd45e232733f4cefb4806d associated with the tag v_1.5.24. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.23

2025-12-21 Release of logback version 1.5.23

• In response to issues/959 file name collisions are detected at configuration time by analyzing the configuration file and no longer at run time. This avoids the ConcurrentModificationException reported in the issue.

• ZIP and XZ compression now use a BufferedOutputStream when writing to the compressed file. This issue was reported in issues/988.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 0bcc3feb54a6d99caac70969ee5f8334aad1fbaf associated with the tag v_1.5.23. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.22

2025-12-11 Release of logback version 1.5.22

• In order to prevent involuntary information leakage, Logback will no longer output the value of a substituted variable, if the variable name contains any of the case-insensitive strings "password", "secret" or "confidential". This problem was reported by Chintan Rohila in issues/986.

• Logback now takes the overridden toString() method of Throwable subclasses into account when printing stack traces. This issue was reported in LOGBACK-543 by Alvin Chee, with a fix provided in PR 404 by Brett Kail.

• Instead of limit-counting guard, Logback now uses a tumbling-window guard to rate limit internal error messages.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 572379aabd2f672b49593e4020696c624541e5b0 associated with the tag v_1.5.22. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.21

2025-11-10 Release of logback version 1.5.21

• Invocations of turbo filters in isDebugEnabled, isInfoEnabled()... remain as they were, untouched. However, any installed instances of TurboFilter are now invoked also from within the log(LoggingEvent) method of Logger with the contents of the LoggingEvent, typically via the fluent API. This fixes issues/871.

• Removed reentry-guard in most subclasses of UnsynchronizedAppenderBase where it was not needed.

• Initialization procedure has been simplified by removing the step instantiating a SerializedModelConfigurator. However, it is still possible to set up SerializedModelConfigurator as a custom configurator.

• JsonEncoder is now friendlier to derivation by sub-classes as requested in issues/979.

... (truncated)

Commits
  • f426e00 prepare release of 1.5.25
  • d28931f restrict object creation to expected supertype
  • aa264f7 test default variable values in appender-ref ref attribute
  • 8fb403a adjust copyright year
  • b294a12 check optionList in start()
  • b65040a Add EpochConverter for milliseconds/seconds since epoch (related to issue #96...
  • 0690174 cla for Duncan Jauncey
  • 71dc2af Removed email address for Tony.
  • 1f97ae1 check for undeclared by referenced appenders
  • b07355e Move the artifact version checking code to VersionUtil in logback-core.
  • Additional commits viewable in compare view

Updates org.springframework:spring-core from 6.1.14 to 6.2.11

Release notes

Sourced from org.springframework:spring-core's releases.

v6.2.11

⭐ New Features

  • Missing @Nullable on JsonPathAssertions.isEqualTo #35445
  • Graceful fallback for non-default NIO.2 FileSystems #35443
  • Avoid thread pinning in SseEmitter, ResponseBodyEmitter #35423
  • Detect Informix error codes as DuplicateKeyException #35400
  • Inconsistent nullability for String value arguments in ResponseCookie from*() factory methods #35377
  • Revisit taskTerminationTimeout semantics on SimpleAsyncTaskExecutor/Scheduler #35372
  • StandardEvaluationContext.setBeanResolver should allow @Nullable BeanResolver #35371

🐞 Bug Fixes

  • "mainThreadPrefix = null " Causing multiple background bean locks to be blocked #35409
  • Annotation not found on parameter in overridden method unless method is public #35349
  • Annotations on overridden methods not found in type hierarchy with unresolved generics #35342
  • Performance degradation when using singleton beans with Provider #35330
  • JettyClientHttpConnector buffer leak in Spring Framework 6.2 #35319
  • Spring application hangs on shutdown with @Scheduled(cron=…) when custom ScheduledExecutorService bean is defined (Java 19+) #35316

📔 Documentation

  • Document potential need to use Mockito.doXxx() to stub a @MockitoSpyBean #35410
  • Fix links to Reactive Libraries and RestTemplate #35392
  • Fix broken link in WebDriver docs #35374
  • Document Web DataBinder support for RouterFunction #35367
  • Improve documentation for ApplicationEvents to clarify recommended usage #35335
  • Document terms and units in DataSize.parse() #35298
  • Refine @Contract Javadoc #35285
  • Correct the default value of nestedTransactionAllowed in JpaTransactionManager javadoc #35212

🔨 Dependency Upgrades

  • Upgrade to Micrometer 1.14.11 #35455
  • Upgrade to Reactor 2024.0.10 #35454

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Dockerel, @Kehrlann, @acktsap, @khj68, @ngocnhan-tran1996, @scordio, and @sgflt

v6.2.10

⭐ New Features

  • Optimize NIO path resolution in PathEditor #35304
  • Make type in ProblemDetail nullable #35294
  • Refine UriUtils#decode and StringUtils#uriDecode implementation and documentation #35253
  • Provide configurable useCaches option for URLConnection usage in UrlResource (avoiding jar file leak) #35218

... (truncated)

Commits
  • 4c13425 Release v6.2.11
  • d17601e Upgrade to Undertow 2.3.19, RxJava 3.1.11, Aalto 1.3.3
  • 5b38761 Clarify intended nestedTransactionAllowed default in JpaTransactionManager
  • 0e3e34b Find annotations on parameters in overridden non-public methods
  • 4745c7c Name local variables consistently
  • 275fb52 Upgrade to Reactor 2024.0.10 and Micrometer 1.14.11
  • 7f9aa39 Polishing
  • c788554 Avoid thread pinning in SseEmitter, ResponseBodyEmitter
  • 9e8c640 Make JsonPathAssertions#isEqualTo parameter nullable
  • ebb8e34 Upgrade to Jetty 12.0.26, Jetty Reactive HttpClient 4.0.11, Netty 4.1.127, Ht...
  • Additional commits viewable in compare view

Updates org.apache.logging.log4j:log4j-core from 2.21.0 to 2.25.3

Updates org.assertj:assertj-core from 3.26.3 to 3.27.7

Release notes

Sourced from org.assertj:assertj-core's releases.

v3.27.7

🔒 Security

Core

🚫 Deprecated

Core

  • Deprecate XmlStringPrettyFormatter with no replacement

🐛 Bug Fixes

Guava

  • Navigation to assertj-core or guava types from assertj-guava Javadoc site has unnecessary header #3478

🔨 Dependency Upgrades

Core

  • Upgrade to Byte Buddy 1.18.3
  • Upgrade to JUnit BOM 5.14.1

Guava

  • Upgrade to Guava 33.5.0-jre

v3.27.6

🐛 Bug Fixes

Core

  • Add missing export for org.assertj.core.annotation #3951

❤️ Contributors

Thanks to all the contributors who worked on this release:

@duponter

v3.27.5

⚡ Improvements

Core

  • ByteBuddy in AssertJ 3.27.4 not compatible with Java 25 #3946

... (truncated)

Commits
  • e840716 [maven-release-plugin] prepare release assertj-build-3.27.7
  • 85ca7eb Deprecate XmlStringPrettyFormatter
  • 77081dc Merge commit from fork
  • b68fc24 Bump github/codeql-action from 4.31.9 to 4.31.10 in the github-actions group ...
  • 0cf5bb6 Bump kotlin.version from 2.1.0 to 2.2.21
  • d393ef1 Abort tests when symbolic links cannot be created (#3788)
  • 2212433 Add IntelliJ custom inspection for test class names
  • 5717d02 Update JetBrains icon
  • a8ec20b Add icon for JetBrains products
  • c05fb3d Bump Maven to 3.9.12 and Wrapper to 3.3.4
  • Additional commits viewable in compare view

Updates org.eclipse.jetty:jetty-http from 11.0.25 to 12.0.12

Updates com.mchange:c3p0 from 0.10.1 to 0.12.0

Changelog

Sourced from com.mchange:c3p0's changelog.

c3p0-0.12.0
-- Replace com.mchange.v2.naming.permitNonlocalJndiNames with more configurable com.mchange.v2.naming.nameGuardClassName. By default, it is null, and the same "apparently local" restriction previously enforced by com.mchange.v2.naming.permitNonlocalJndiNames is enforced. But users can supply custom com.mchange.v2.naming.NameGuard instances to control what names are permissible, and four implementations of NameGuard are provided. (See the main docs.)
-- Documentation updates.
-- Disable by default reflective instantiation of javax.naming.spi.ObjectFactory instances unless their classname is included on a whitelist. Define properties-style config parameter com.mchange.v2.naming.objectFactoryWhitelist where the comma-separated whitelist can be provided. By default this parameter contains the two ObjectFactory classes c3p0 includes in references it creates.
-- Change the format of userOverridesAsString, which is just a String representation of Map<String,Map<String,String>>. Use a CSV-inspired format, and the mchange-commons-java fastcsv utility, rather than dangerous Java Object serialization of the Map of Maps.
-- Disable by default support for resolving references serialized with their own InitialContext custom environment. Define properties-style config parameter com.mchange.v2.naming.acceptDeserializedInitialContextEnvironment, defaulting to false, to manage this dangerous functionality.
-- Disable by default JNDI lookups of nonlocal names (conservatively, names that do not seem to be local). For now only String names beginning with "java:" or Name objects whose first component starts with "java:" are considered to be local. Define properties-style config parameter com.mchange.v2.naming.permitNonlocalJndiNames, defaulting to false, to manage this dangerous functionality.
-- Disable by default support for loading of javax.naming.spi.ObjectFactory from remote locations via Reference.factoryClassLocation. Define properties-style config parameter com.mchange.v2.naming.supportReferenceRemoteFactoryClassLocation, defaulting to false, to manage this dangerous functionality.
-- Fix rare issue in Statement caching (GooGooStatementCache), make sure any Statement we remove is checked into the cache in order to ensure we don't see internal inconsistencies when Statements we mean to cull fail to be removed by removeStatement(...) because they are checked out. Thanks to vimalesh on GitHub for calling attention to this issue.

c3p0-0.11.2
-- Expose utilities overwriteJavaBeanProperties and overwriteC3P0PrefixedProperties in the DataSources class, and refactor existing functions to use those.

c3p0-0.11.1
-- in BasicResourcePool, forceKillAcquires() accidentally failed to surrender its lock, leading to deadlocks following a full round of acquisition failures. Many thanks to @pwielgolaski on github for tracking down the issue, to @driseley on github for providing a reproduction of the issue, and to @michalgutkowski on github for providing a pull request with the fix.

c3p0-0.11.0
-- Additional testing.

c3p0-0.11.0-pre2
-- Define new property cancelAutomaticallyClosedStatements, which, if true, ensures that Statement.cancel() will be called prior to Statement.close() when c3p0 automatically close()es statements because a client has neglected to, a Connection with open Statements has exceeded its unreturnedConnectionTimeout, or the Statement cache is expiring a PreparedStatement. Thanks to Andreas Dangel (in 2014!) for pointing out scenarios where this might be

... (truncated)

Commits
  • afbb946 Bump version for c3p0-0.12.0 final.
  • c5f2445 Documentation updates, RELEASE_NOTES-0.12.0, cap CHANGELOG for c3p0-0.12.0.
  • d0d1c50 Modify MarshallUnmarshallDataSourcesJUnitTestCase to include C3P0 config when...
  • a42833d Update mchange-commons-java version to 0.4.0.
  • 415662b Claude-generated tests of deserialization-gadget mitigations.
  • 69dab9c CHANGELOG and documentation updates.
  • 5cb3247 Track changes to com.mchange.ser.naming, more flexible control of whether nam...
  • 9bef1f6 Update CHANGELOG and docs to more accurately reflect the necessarily imperfec...
  • c6f5d11 Centralize some of the jndiName-remoteness testing code, gate mbean- and jbos...
  • 155be12 Small documentation fixes.
  • Additional commits viewable in compare view

Updates org.mozilla:rhino from 1.7.15 to 1.7.15.1

Changelog

Sourced from org.mozilla:rhino's changelog.

Rhino 1.8.1, Rhino 1.7.15.1, Rhino 1.7.14.1

December 2, 2025

These releases fix a bug in the code that formats floating-point numbers into strings that could result in very bad performance in some cases.

We recommend that all users of Rhino upgrade to release 1.8.1 if possible, and upgrade to Java 17 or 21.

Users who need an older release, or who cannot yet leave Java 8, can also use 1.7.15.1 or 1.7.14.1.

Rhino 1.8.0

January 2, 2025

Rhino 1.8.0 contains some significant changes, so we're incrementing the final version number for the first time in a very long time. Here are a few highlights:

  • Rhino now requires Java 11 minimum. We currently test against Java 11, 17, and 21.
  • Rhino has been broken down into individual Java modules that are properly encapsulated as Java Modules. See README.md for a breakdown of which modules are which -- short answer is that everyone will need the "rhino" module and many will need others.
  • Older code not able to adapt to using multiple JARS can still use the "rhino-all" module, which publishes an "all-in-one" JAR like the old "rhino.jar".
  • The default language level is "VERSION_ES6". That means that modern JavaScript features supported by Rhino will work by default.
  • There are big improvements in compatibility, including support for "super", reflect and proxy, and lots of other language features. See the compatibility table for the details.

Thanks to all who contributed -- we had 24 contributors to this release, with some new contributors who added significant capabilities. Please keep the contributions and attention coming!

Commits


  • Document potential need to use Mockito.doXxx() to stub a @MockitoSpyBean #35410
  • Fix links to Reactive Libraries and RestTemplate #35392
  • Fix broken link in WebDriver docs #35374
  • Document Web DataBinder support for RouterFunction #35367
  • Improve documentation for ApplicationEvents to clarify recommended usage #35335
  • Document terms and units in DataSize.parse() #35298
  • Refine @Contract Javadoc #35285
  • Correct the default value of nestedTransactionAllowed in JpaTransactionManager javadoc #35212

🔨 Dependency Upgrades

  • Upgrade to Micrometer 1.14.11 #35455
  • Upgrade to Reactor 2024.0.10 #35454

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Dockerel, @​Kehrlann, @​acktsap, @​khj68, @​ngocnhan-tran1996, @​scordio, and @​sgflt

v6.2.10

⭐ New Features

Bumps the maven group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [ch.qos.logback:logback-core](https://github.com/qos-ch/logback) | `1.5.18` | `1.5.25` |
| [org.springframework:spring-core](https://github.com/spring-projects/spring-framework) | `6.1.14` | `6.2.11` |
| org.apache.logging.log4j:log4j-core | `2.21.0` | `2.25.3` |
| [org.assertj:assertj-core](https://github.com/assertj/assertj) | `3.26.3` | `3.27.7` |
| org.eclipse.jetty:jetty-http | `11.0.25` | `12.0.12` |
| [com.mchange:c3p0](https://github.com/swaldman/c3p0) | `0.10.1` | `0.12.0` |
| [org.mozilla:rhino](https://github.com/mozilla/rhino) | `1.7.15` | `1.7.15.1` |

Bumps the maven group with 1 update in the /openmetadata-clients/openmetadata-java-client directory: [org.mozilla:rhino](https://github.com/mozilla/rhino).
Bumps the maven group with 5 updates in the /openmetadata-mcp directory:

| Package | From | To |
| --- | --- | --- |
| [ch.qos.logback:logback-core](https://github.com/qos-ch/logback) | `1.5.18` | `1.5.25` |
| [org.springframework:spring-core](https://github.com/spring-projects/spring-framework) | `6.1.14` | `6.2.11` |
| org.apache.logging.log4j:log4j-core | `2.21.0` | `2.25.3` |
| [org.assertj:assertj-core](https://github.com/assertj/assertj) | `3.26.3` | `3.27.7` |
| org.eclipse.jetty:jetty-http | `11.0.25` | `12.0.12` |

Bumps the maven group with 6 updates in the /openmetadata-service directory:

| Package | From | To |
| --- | --- | --- |
| [ch.qos.logback:logback-core](https://github.com/qos-ch/logback) | `1.5.18` | `1.5.25` |
| [org.springframework:spring-core](https://github.com/spring-projects/spring-framework) | `6.1.14` | `6.2.11` |
| org.apache.logging.log4j:log4j-core | `2.21.0` | `2.25.3` |
| [org.assertj:assertj-core](https://github.com/assertj/assertj) | `3.26.3` | `3.27.7` |
| org.eclipse.jetty:jetty-http | `11.0.25` | `12.0.12` |
| [com.mchange:c3p0](https://github.com/swaldman/c3p0) | `0.10.1` | `0.12.0` |



Updates `ch.qos.logback:logback-core` from 1.5.18 to 1.5.25
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.18...v_1.5.25)

Updates `org.springframework:spring-core` from 6.1.14 to 6.2.11
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v6.1.14...v6.2.11)

Updates `org.apache.logging.log4j:log4j-core` from 2.21.0 to 2.25.3

Updates `org.assertj:assertj-core` from 3.26.3 to 3.27.7
- [Release notes](https://github.com/assertj/assertj/releases)
- [Commits](assertj/assertj@assertj-build-3.26.3...assertj-build-3.27.7)

Updates `org.eclipse.jetty:jetty-http` from 11.0.25 to 12.0.12

Updates `com.mchange:c3p0` from 0.10.1 to 0.12.0
- [Changelog](https://github.com/swaldman/c3p0/blob/0.12.x/CHANGELOG)
- [Commits](swaldman/c3p0@v0.10.1...v0.12.0)

Updates `org.mozilla:rhino` from 1.7.15 to 1.7.15.1
- [Release notes](https://github.com/mozilla/rhino/releases)
- [Changelog](https://github.com/mozilla/rhino/blob/master/RELEASE-NOTES.md)
- [Commits](https://github.com/mozilla/rhino/commits)

Updates `org.mozilla:rhino` from 1.7.15 to 1.7.15.1
- [Release notes](https://github.com/mozilla/rhino/releases)
- [Changelog](https://github.com/mozilla/rhino/blob/master/RELEASE-NOTES.md)
- [Commits](https://github.com/mozilla/rhino/commits)

Updates `ch.qos.logback:logback-core` from 1.5.18 to 1.5.25
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.18...v_1.5.25)

Updates `org.springframework:spring-core` from 6.1.14 to 6.2.11
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v6.1.14...v6.2.11)

Updates `org.apache.logging.log4j:log4j-core` from 2.21.0 to 2.25.3

Updates `org.assertj:assertj-core` from 3.26.3 to 3.27.7
- [Release notes](https://github.com/assertj/assertj/releases)
- [Commits](assertj/assertj@assertj-build-3.26.3...assertj-build-3.27.7)

Updates `org.eclipse.jetty:jetty-http` from 11.0.25 to 12.0.12

Updates `ch.qos.logback:logback-core` from 1.5.18 to 1.5.25
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.18...v_1.5.25)

Updates `org.springframework:spring-core` from 6.1.14 to 6.2.11
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v6.1.14...v6.2.11)

Updates `org.apache.logging.log4j:log4j-core` from 2.21.0 to 2.25.3

Updates `org.assertj:assertj-core` from 3.26.3 to 3.27.7
- [Release notes](https://github.com/assertj/assertj/releases)
- [Commits](assertj/assertj@assertj-build-3.26.3...assertj-build-3.27.7)

Updates `org.eclipse.jetty:jetty-http` from 11.0.25 to 12.0.12

Updates `com.mchange:c3p0` from 0.10.1 to 0.12.0
- [Changelog](https://github.com/swaldman/c3p0/blob/0.12.x/CHANGELOG)
- [Commits](swaldman/c3p0@v0.10.1...v0.12.0)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-core
  dependency-version: 1.5.25
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.springframework:spring-core
  dependency-version: 6.2.11
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.apache.logging.log4j:log4j-core
  dependency-version: 2.25.3
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.assertj:assertj-core
  dependency-version: 3.27.7
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.eclipse.jetty:jetty-http
  dependency-version: 12.0.12
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: com.mchange:c3p0
  dependency-version: 0.12.0
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.mozilla:rhino
  dependency-version: 1.7.15.1
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.mozilla:rhino
  dependency-version: 1.7.15.1
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: ch.qos.logback:logback-core
  dependency-version: 1.5.25
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.springframework:spring-core
  dependency-version: 6.2.11
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.apache.logging.log4j:log4j-core
  dependency-version: 2.25.3
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.assertj:assertj-core
  dependency-version: 3.27.7
  dependency-type: direct:development
  dependency-group: maven
- dependency-name: org.eclipse.jetty:jetty-http
  dependency-version: 12.0.12
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: ch.qos.logback:logback-core
  dependency-version: 1.5.25
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.springframework:spring-core
  dependency-version: 6.2.11
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.apache.logging.log4j:log4j-core
  dependency-version: 2.25.3
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.assertj:assertj-core
  dependency-version: 3.27.7
  dependency-type: direct:development
  dependency-group: maven
- dependency-name: org.eclipse.jetty:jetty-http
  dependency-version: 12.0.12
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: com.mchange:c3p0
  dependency-version: 0.12.0
  dependency-type: direct:production
  dependency-group: maven
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels Feb 25, 2026
@github-actions

Hi there 👋 Thanks for your contribution!

The OpenMetadata team will review the PR shortly! Once it has been labeled as safe to test, the CI workflows
will start executing and we'll be able to make sure everything is working as expected.

Let us know if you need any help!
