Bump the backend-dev group across 1 directory with 4 updates

[dependabot]

Bumps the backend-dev group with 4 updates in the / directory: org.springframework.boot:spring-boot-starter-test, org.springframework:spring-web, org.jacoco:jacoco-maven-plugin and org.apache.maven.plugins:maven-enforcer-plugin.

Updates org.springframework.boot:spring-boot-starter-test from 3.5.13 to 3.5.14

Release notes

Sourced from org.springframework.boot:spring-boot-starter-test's releases.

v3.5.14

🐞 Bug Fixes

• ApplicationPidFileWriter does not handle symlinks correctly #50173
• RandomValuePropertySource is not suitable for secrets #50172
• Cassandra auto-configuration misconfigures CqlSessionBuilder #50171
• ApplicationTemp does not handle symlinks correctly #50170
• Remote DevTools performs comparison incorrectly #50169
• spring.rabbitmq.ssl.verify-hostname is applied inconsistently #50168
• EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #50035
• Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #50033
• Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #50021
• WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #50008
• 500 response from env endpoint when supplied pattern is invalid #49942
• HTTP method is lost when configuring excludes in EndpointRequest #49885
• Docker Compose support doesn't work with apache/artemis image #49865
• Honor HttpMethod for reactive additional endpoint paths #49864
• Docker Compose support doesn't work with apache/activemq image #49863
• Imports on a containing test class are ignored when a nested class has imports #49860

📔 Documentation

• Link to the observability section of the Lettuce documentation is broken #50092
• Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location #50083
• MySamlRelyingPartyConfiguration is missing a Kotlin sample #50023
• Incorrect default value for management.httpexchanges.recording.include in configuration metadata #50010
• Link to the Kubernetes documentation when discussing startup probes #50007
• Update docs to encourage Java fundamentals for beginners that prefer to learn that way #49895
• Clarify that configuration property default values are not available through the Environment #49835

🔨 Dependency Upgrades

• Upgrade to Groovy 4.0.31 #49905
• Upgrade to Hibernate 6.6.49.Final #50140
• Upgrade to Jaxen 2.0.1 #50109
• Upgrade to Jaybird 6.0.5 #49907
• Upgrade to Jetty 12.0.34 #49908
• Upgrade to jOOQ 3.19.32 #50110
• Upgrade to Lombok 1.18.46 #50148
• Upgrade to MariaDB 3.5.8 #49909
• Upgrade to Micrometer 1.15.11 #49961
• Upgrade to Micrometer Tracing 1.5.11 #49962
• Upgrade to MySQL 9.7.0 #50161
• Upgrade to Neo4j Java Driver 5.28.13 #50074
• Upgrade to Reactor Bom 2024.0.17 #49963
• Upgrade to Spring AMQP 3.2.10 #49964
• Upgrade to Spring Authorization Server 1.5.7 #49965
• Upgrade to Spring Data Bom 2025.0.11 #49966
• Upgrade to Spring Framework 6.2.18 #49967
• Upgrade to Spring Kafka 3.3.15 #50129

... (truncated)

Commits

• 7d7b3ac Release v3.5.14
• 9dc5aa2 Polish
• f533a45 Do not follow symlinks when writing PID file
• f3b8eb0 Use SecureRandom in RandomValuePropertySource
• e22083a Enable hostname verification for SSL connections to Cassandra
• 5ceb1a2 Improve ApplicationTemp's temporary directory creation
• 4b0862c Use constant-time comparison for remote DevTools secret
• e4febe2 Apply verify-hostname consistently
• 2c2ffe5 Fix Windows test failure
• 0046a44 Protect against corrupt buildpack archives
• Additional commits viewable in compare view

Updates org.springframework:spring-web from 6.2.18 to 6.2.19

Release notes

Sourced from org.springframework:spring-web's releases.

v6.2.19

⚠️ Security Fixes

This maintenance release fixes a high number of CVEs, you can learn more about this in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:

• CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
• CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
• CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
• CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
• CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
• CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
• CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
• CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
• CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
• CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
• CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
• CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
• CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
• CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
• CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
• CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"

⭐ New Features

• Improve path pattern matching #36886
• Eagerly compute exit descriptors for negative literals #36887
• Expose ClassLoader from DefaultDeserializer #36839
• Refine default view name resolution #36794
• Refine Jackson JMS converters #36792
• Improve ABNF rule checks in RfcUriParser #36788
• Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #36728
• Warn against unsafe static resource locations in MVC and WebFlux #36693
• Consistent compatibility with Woodstox as an alternative to Xerces #36683

🐞 Bug Fixes

• Data is lost for joined DataBuffer in DataBufferUtils #36874
• CronExpression skips days on midnight DST gap #36873
• Concurrency issue against shared cookie field in CookieLocaleResolver#setLocaleContext #36870
• Server Sent Event does not support multi-line comments #36867
• Regression in 6.2.0+: ConfigurationClassParser incorrectly removes component-scanned bean when the same class is also registered under a different name via XML #36849
• Bean Background Bootstrap and Lazy Init #36847
• Fix JSP tag processing #36798
• Fix script processing capabilities #36796
• Parsing failure for MIME type with quoted parameter values #36734
• Circular dependency between supplier-created beans is silently ignored on startup #36732
• Non-deterministic "Body token not expected" in org.springframework.http.codec.multipart.PartGenerator #36722
• Regression on value class parameter handling #36720
• Cache collisions in CachingResourceResolver #36718
• Unexpected path element removal when resolving versioned resources #36699

... (truncated)

Commits

• 6214eae Release v6.2.19
• 76a36df Track operations during SpEL expression evaluation
• 3d47da9 Ensure getters have non-void return types in SpEL
• 519d733 Improve additional error messages in SpEL
• ec89834 Further improve pattern caching in SpEL
• b294371 Avoid too many character access attempts in AntPathMatcher
• 1829b42 Ensure consistent JSP tag attribute processing
• 86d9979 Refine JavaScriptUtils#javaScriptEscape
• 3aaec98 Prevent special prefixes in default view name resolution
• ee4e790 Add trusted packages to MappingJackson2MessageConverter
• Additional commits viewable in compare view

Updates org.jacoco:jacoco-maven-plugin from 0.8.14 to 0.8.15

Release notes

Sourced from org.jacoco:jacoco-maven-plugin's releases.

0.8.15

New Features

• JaCoCo now officially supports Java 26 (GitHub #2076).
• Experimental support for Java 27 class files (GitHub #2004).
• Compatibility methods generated by Kotlin compiler for functions defined in interfaces are filtered out during generation of report (GitHub #1905).
• Compatibility methods generated by Kotlin compiler for exposed boxed inline value classes (JvmExposeBoxed annotation) are filtered out during generation of report (GitHub #1944).
• Methods generated by the Kotlin compiler for functions with JvmStatic annotation are filtered out during generation of report (GitHub #2097).
• Improved filtering of bytecode generated by Kotlin compiler for when expressions and statements with kotlin.String subject where first branch condition contains string with largest hash (GitHub #2098).
• Part of bytecode that javac versions from 24 to 26 generate for switch statements and expressions with selector expression of type java.lang.String inside lambdas is filtered out during generation of report (GitHub #2023).
• Improved performance of Kotlin files analysis by parsing SMAPs only once per class (GitHub #2114).
• For better performance agent output methods tcpclient and tcpserver use BufferedOutputStream to write execution data to socket. Maven plugin, Ant tasks, CLI, API usage examples, and ExecDumpClient API use BufferedInputStream to read execution data from socket. Third-party integrations should do the same to benefit from this change in agent (GitHub #2089).

Fixed bugs

• Fixed processing of Kotlin SMAP in synthetic classes (GitHub #1985).
• Multiple JaCoCo runtimes within one JVM writing to the same output file should not cause data corruption when running on JDK versions from 6 to 10 affected by JDK-8166253 (GitHub #2065, #2074).
• For better performance agent writes to output file via BufferedOutputStream, this fixes regression introduced in version 0.6.2 (GitHub #2073).
• Fixed NullPointerException when JaCoCo agent is loaded by non system class loader, for example when loaded by JBoss Modules (GitHub #1651).

Non-functional Changes

• JaCoCo now depends on ASM 9.10.1 (GitHub #2134).

Commits

• 6c5260a Prepare release v0.8.15
• 5c05141 Transfer of execution data through socket should use buffered stream (#2089)
• ab5efa9 Remove from Azure Pipelines all builds except with JDK 5 and JDK EA (#2148)
• 5f6ea38 Use Windows 2025 image in GitHub Actions (#2130)
• 35a8af2 Use Renovate instead of Dependabot for updates of ASM (#2137)
• 85b8ddf Upgrade ASM to 9.10.1 (#2134)
• 2988647 AgentModule should use ClassLoader of agent instead of SystemClassLoader (#1651)
• 75a4e31 Add filter for Kotlin @JvmExposeBoxed (#1944)
• 691fa1d Use Renovate instead of Dependabot for updates of GitHub Actions (#2132)
• 3e18f17 Require at least JDK 21 for build (#2128)
• Additional commits viewable in compare view

Updates org.apache.maven.plugins:maven-enforcer-plugin from 3.6.2 to 3.6.3

Release notes

Sourced from org.apache.maven.plugins:maven-enforcer-plugin's releases.

3.6.3

🚀 New features and improvements

• Make bannedDependencies report root and transitive dependency in case both are banned. (#940) @​hvoynov
• Add enforceBytecodeVersion rule based on mojohaus (#968) @​cstamas
• Improve formatting of deprecated API warning (#951) @​mthmulders

🐛 Bug Fixes

• Fix handling of Java versions like 21.0.10.0.1 (#967) @​parttimenerd
• Add null checks for modelId in PluginWrapper (#974) @​cpfeiffer

📝 Documentation updates

• Document the banMavenDefaults option for the requirePluginVersions rule. (#936) @​rpkrajewski

👻 Maintenance

• PlexusStringUtils Refaster recipes (#943) @​slachiewicz
• JUnit Jupiter migration from JUnit 4.x (#941) @​slachiewicz

📦 Dependency updates

• Bump org.apache.logging.log4j:log4j-core from 2.25.3 to 2.25.4 in /maven-enforcer-plugin/src/it/projects/MENFORCER-434 (#970) @dependabot[bot]
• Deps: Parent POM 48 and align deps (#979) @​cstamas
• Bump commons-codec:commons-codec from 1.21.0 to 1.22.0 (#976) @dependabot[bot]
• Bump commons-io:commons-io from 2.21.0 to 2.22.0 (#975) @dependabot[bot]
• Bump mavenVersion from 3.9.14 to 3.9.15 (#973) @dependabot[bot]
• Bump mavenVersion from 3.9.13 to 3.9.14 (#965) @dependabot[bot]
• Bump mavenVersion from 3.9.12 to 3.9.13 (#964) @dependabot[bot]
• Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness from 3.5.0 to 3.5.1 (#963) @dependabot[bot]
• Update log4j in test to avoid CVE (#961) @​Bukama
• Bump commons-codec:commons-codec from 1.20.0 to 1.21.0 (#962) @dependabot[bot]
• Bump org.assertj:assertj-core from 3.27.6 to 3.27.7 (#960) @dependabot[bot]
• Bump org.codehaus.mojo:mrm-maven-plugin from 1.7.0 to 1.7.1 (#959) @dependabot[bot]
• Bump org.apache.maven:maven-parent from 46 to 47 (#958) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-archiver from 4.10.4 to 4.11.0 (#957) @dependabot[bot]
• Update to 46 including fixes (#955) @​Bukama
• Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness from 3.3.0 to 3.5.0 (#956) @dependabot[bot]
• Bump mavenVersion from 3.9.11 to 3.9.12 (#948) @dependabot[bot]
• Bump org.apache.commons:commons-lang3 from 3.19.0 to 3.20.0 (#947) @dependabot[bot]
• Bump commons-io:commons-io from 2.20.0 to 2.21.0 (#946) @dependabot[bot]
• Bump commons-codec:commons-codec from 1.19.0 to 1.20.0 (#945) @dependabot[bot]

Commits

• c7daff3 [maven-release-plugin] prepare release enforcer-3.6.3
• ee46e78 Make bannedDependencies report root and transitive dependency in case both ar...
• 0806924 Document the banMavenDefaults option for the requirePluginVersions rule. (#936)
• 8e4f5b9 Add better enforceBytecodeVersion rule based on mojohaus (#968)
• fd4b148 Add fix for 21.0.10.0.1 issue (#967)
• f32d597 Deps: Parent POM 48 and align deps (#979)
• df0f2a6 Bump commons-codec:commons-codec from 1.21.0 to 1.22.0 (#976)
• 2da7a68 Add null checks for modelId in PluginWrapper
• 91eb4d9 Bump commons-io:commons-io from 2.21.0 to 2.22.0 (#975)
• b622245 Bump mavenVersion from 3.9.14 to 3.9.15 (#973)
• Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
org.springframework.boot:spring-boot-starter-test	[>= 4.a0, < 5]
org.springframework:spring-web	[>= 7.a0, < 8]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions