chore: [DevOps] bump the production-minor-patch group with 7 updates #846

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/maven/main/production-minor-patch-3c01e31c6b

dependabot Bot commented on behalf of github Apr 30, 2026

Bumps the production-minor-patch group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| org.springframework.ai:spring-ai-bom | 1.1.4 | 1.1.5 |
| com.fasterxml.jackson.module:jackson-module-parameter-names | 2.21.2 | 2.21.3 |
| com.fasterxml.jackson.module:jackson-module-jsonSchema | 2.21.2 | 2.21.3 |
| com.fasterxml.jackson.dataformat:jackson-dataformat-yaml | 2.21.2 | 2.21.3 |
| commons-codec:commons-codec | 1.21.0 | 1.22.0 |
| com.puppycrawl.tools:checkstyle | 13.4.0 | 13.4.1 |
| org.springframework.ai:spring-ai-autoconfigure-mcp-client | 1.0.5 | 1.0.6 |

Updates org.springframework.ai:spring-ai-bom from 1.1.4 to 1.1.5

Release notes

Sourced from org.springframework.ai:spring-ai-bom's releases.

Spring AI 1.1.5 Release Notes

🎯 Highlights

This release includes 9 bug fixes, 3 documentation improvements, 11 other improvements.

⚠️ Upgrading Notes

  • The Pixtral 12B model has been removed and Pixtral Large is deprecated. Update your model configuration to use the currently recommended Pixtral models to avoid issues in future releases. 447d2a4

📢 Noteworthy

  • The Pixtral 12B model has been removed and the Pixtral Large model is now deprecated. Integration tests have been updated to use the recommended replacement models. Users relying on these models should migrate to the recommended alternatives. 447d2a4

🪲 Bug Fixes

  • Fixed the CosmosDB vector store's doDelete method to properly parameterize queries, preventing potential SQL injection vulnerabilities and improving correctness. 6039e57
  • Fixed an issue where conversationId was not correctly applied in the VectorStoreChatMemoryAdvisor filter, which could cause incorrect memory retrieval across conversations. 3cccfdf
  • Corrected key handling in the vector store filter expression converter to ensure filter expressions are properly evaluated. 01386e2
  • Resolved test non-determinism in the BedrockConverse streaming token usage tests, improving test reliability. 4747a3c
  • Corrected the test class naming to properly apply the integration test suffix, ensuring proper test categorization and execution. #5853
  • Corrected string parsing logic for the toolChoice field in OpenAiSdkChatModel to ensure proper handling of tool choice configurations. aeb33b0 via #5735
  • Fixed an issue where the extra_body parameter was incorrectly included in outgoing OpenAI API requests, which could cause unexpected behavior. 4c0120c
  • Resolved issues with Javadoc generation and configuration to ensure API documentation is correctly produced. 0a71804
  • Corrected the test bypass condition so integration tests are properly skipped when required API keys are not configured in the environment. bc26dc1

📓 Documentation

  • Updated the README to include a note about CPU architecture requirements or compatibility information. a21e988
  • Added documentation explaining how MCP servers can re-publish tools from MCP clients, clarifying the tool propagation model in multi-server setups. #5778
  • Improved documentation to clarify the intended usage and behavior of the extra_body parameter in OpenAI API requests. 3d4d75b

🔨 Dependency Upgrades

  • Updated the Spring Boot dependency to version 3.5.14, incorporating the latest bug fixes and improvements from the Spring Boot team. eb4c9a5
  • Updated the Spring Boot dependency to version 3.5.13 as an intermediate upgrade. 9b902f8
  • Updated document parsing dependencies: Apache Tika upgraded to 3.3.0, jsoup to 1.22.1, and Apache PDFBox to 3.0.7 for improved document processing capabilities and bug fixes. f25fc52

🔩 Build Updates

  • Updated GitHub Actions workflow dependencies to their latest versions to improve CI/CD reliability and security. 9b70b38
  • Changed the PR check workflow to use mvn package instead of mvn test for more efficient pull request validation. 7d2e455
  • Integration tests are now skipped in the CI pipeline to improve build performance, and the release notes generation workflow has been removed. #5688
  • The project has been bumped to the next development version 1.1.5-SNAPSHOT following the release. 400dc42

🔐 Security

  • Hardened the default cache directory used for transformer models to prevent unauthorized access or tampering with cached model files. aac6b80
  • Fixed a potential denial-of-service vulnerability where a malformed PDF could cause excessive memory allocation during document parsing. b61ac6a

🙏 Contributors

Thanks to all contributors who made this release possible:

... (truncated)

Commits
  • 3d66270 Release version 1.1.5
  • eb4c9a5 Upgrade to latest Spring Boot to 3.5.14
  • aac6b80 Secure the default cache dir for transformer models
  • 6039e57 Fix Cosmosdb doDelete method to parameterize the query
  • b61ac6a Prevent excessive char allocation via malformed pdf
  • 3cccfdf Properly handle conversationId in VectorStoreChatMemoryAdvisor filter
  • 01386e2 fix: vector store filter expression converter key handling
  • 455f97a Apply integration test suffix to JdbcChatMemoryRepositorySchemaInitializerPos...
  • 4747a3c Fix non-determinism in streamingWithTokenUsage in BedrockConverse tests
  • a21e988 Updated README for CPU arch note
  • Additional commits viewable in compare view

Updates com.fasterxml.jackson.module:jackson-module-parameter-names from 2.21.2 to 2.21.3

Commits
  • 962da84 [maven-release-plugin] prepare release jackson-modules-java8-2.21.3
  • 8a35d4a Prep for 2.21.3 release
  • 1b74f6c Merge branch '2.20' into 2.21
  • 97c6179 Merge branch '2.19' into 2.20
  • ea46da8 Merge branch '2.18' into 2.19
  • 0c24a35 Post-release dep version bump
  • b9bea4d [maven-release-plugin] prepare for next development iteration
  • c4590d0 [maven-release-plugin] prepare release jackson-modules-java8-2.18.7
  • b53c8ee Prep for 2.18.7 release
  • 6867734 Post-release dep version bump
  • Additional commits viewable in compare view

Updates com.fasterxml.jackson.module:jackson-module-jsonSchema from 2.21.2 to 2.21.3

Commits
  • 1cd2277 [maven-release-plugin] prepare release jackson-module-jsonSchema-parent-2.21.3
  • fa3c2e4 Prep for 2.21.3 release
  • 5bfa3da Post-release dep version bump
  • d520d15 [maven-release-plugin] prepare for next development iteration
  • See full diff in compare view

Updates com.fasterxml.jackson.dataformat:jackson-dataformat-yaml from 2.21.2 to 2.21.3

Commits
  • ccfcc95 [maven-release-plugin] prepare release jackson-dataformats-text-2.21.3
  • 5e81617 Prep for 2.21.3 release
  • 52ab617 Merge branch '2.20' into 2.21
  • 84f99f7 Merge branch '2.19' into 2.20
  • 4fe54cb Merge branch '2.18' into 2.19
  • f18c578 Post-release dep version bump
  • 8db1032 [maven-release-plugin] prepare for next development iteration
  • 7afb263 [maven-release-plugin] prepare release jackson-dataformats-text-2.18.7
  • ec50f24 Prep for 2.18.7 release
  • a8bedbd Post-release dep version bump
  • Additional commits viewable in compare view

Updates commons-codec:commons-codec from 1.21.0 to 1.22.0

Changelog

Sourced from commons-codec:commons-codec's changelog.

Apache Commons Codec 1.22.0 Release Notes

The Apache Commons Codec team is pleased to announce the release of Apache Commons Codec 1.22.0.

The Apache Commons Codec component contains encoders and decoders for formats such as Base16, Base32, Base64, digest, and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

This is a feature and maintenance release. Java 8 or later is required.

New features

  • CODEC-326: Add Base58 support. Thanks to Inkeet, Gary Gregory, Wolff Bock von Wuelfingen.
  • Add BaseNCodecInputStream.AbstracBuilder.setByteArray(byte[]). Thanks to Gary Gregory.
  • CODEC-335: Add GitIdentifiers to compute Git blob and tree object identifiers. Thanks to Piotr P. Karwasz, Gary Gregory.

Fixed Bugs

  • CODEC-249: Fix Incorrect transform of CH digraph according Metaphone basic rules #423. Thanks to Shalu Jha, Andrey, Gary Gregory.
  • CODEC-317: ColognePhonetic can create duplicate consecutive codes in some cases. Thanks to DRUser123, Shalu Jha, Gary Gregory.
  • Add boundary tests for BinaryCodec.fromAscii partial-bit inputs [#425](https://github.com/apache/commons-codec/issues/425). Thanks to fancying, Gary Gregory.
  • CODEC-336: Base64.Builder.setUrlSafe(boolean) Javadoc incorrectly states null is accepted for primitive boolean parameter. Thanks to Partha Paul, Gary Gregory.

Changes

  • Bump org.apache.commons:commons-parent from 96 to 98. Thanks to Gary Gregory.

For complete information on Apache Commons Codec, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Commons Codec website:

https://commons.apache.org/proper/commons-codec/

Download page: https://commons.apache.org/proper/commons-codec/download_codec.cgi


Commits

Updates com.puppycrawl.tools:checkstyle from 13.4.0 to 13.4.1

Release notes

Sourced from com.puppycrawl.tools:checkstyle's releases.

checkstyle-13.4.1

Checkstyle 13.4.1 - https://checkstyle.org/releasenotes.html#Release_13.4.1

Bug fixes:

  • #5460 - ImportOrder: option=under; doesn't allow empty line between 'import' and 'import static'.
  • #19641 - Add checks for OpenJDK Style §3.10 - Variable Declarations.
  • #19620 - Add checks for OpenJDK Style §3.14 - Literals.
  • #19619 - Add checks for OpenJDK Style §3.7 - Indentation.
  • #19617 - Add checks for OpenJDK Style §2 - Java Source Files.
  • #19662 - Add checks for OpenJDK Style §3.12 - Lambda Expressions.
  • #19559 - AnnotationLocation allows same-line parameterless annotation on class declarations (violates Google Style §4.8.5.2).
  • #19608 - False negative: VariableDeclarationUsageDistance does not flag variable usage inside try blocks.
  • #19682 - Add RECORD_DEF and COMPACT_CTOR_DEF to AtclauseOrder target in google_checks.xml.

Commits
  • 2da95d8 [maven-release-plugin] prepare release checkstyle-13.4.1
  • 5dc79fb doc: release notes for 13.4.1
  • 2a504e4 dependency: bump pmd.version from 7.23.0 to 7.24.0
  • ac2e43f Issue #11440: add comment over testEqualsAndHashCode in XpathFilterElementTest
  • c32d6da Issue #11440: remove redundant tests in XpathFilterElementTest
  • cc58700 Issue #11440: remove tests from XpathFilterElementTest
  • 5489634 dependency: bump commons-io:commons-io from 2.21.0 to 2.22.0
  • 79f6c6c dependency: bump the rewrite group with 3 updates
  • e617f8c Issue #19739: Remove '//ok' comments from it Input files
  • 2cccddd Issue #5460: Fix false positive in ImportOrder for separator between static a...
  • Additional commits viewable in compare view

Updates org.springframework.ai:spring-ai-autoconfigure-mcp-client from 1.0.5 to 1.0.6

Release notes

Sourced from org.springframework.ai:spring-ai-autoconfigure-mcp-client's releases.

Spring AI 1.0.6 - Bug fixes

Spring AI 1.0.6 Release Notes

🎯 Highlights

This release focuses on stability and security improvements. Key fixes include securing the transformer model cache directory, preventing a potential DoS vulnerability via malformed PDF files, and correcting conversation memory and vector store filter handling. Dependencies are upgraded to Spring Boot 3.5.14.

🪲 Bug Fixes

  • The default cache directory for transformer models is now secured with appropriate permissions to prevent unauthorized access to downloaded model files. 4881e0c
  • The CosmosDB vector store's delete method now uses parameterized queries, fixing a potential issue with query construction and improving safety. b32096e
  • Fixed a vulnerability where a specially crafted malformed PDF could cause excessive memory allocation, improving resilience against malicious or corrupted documents. 6a12b6f
  • Properly handles the conversationId filter in VectorStoreChatMemoryAdvisor, ensuring chat memory retrieval is correctly scoped to the intended conversation. 1e8135a
  • Corrects key handling in the vector store filter expression converter, ensuring filter expressions are properly translated across vector store implementations. eb763fd

🔨 Dependency Upgrades

  • Updated the Spring Boot dependency to version 3.5.14, incorporating the latest bug fixes and security patches from the Spring Boot project. aed3b27
  • Updated Spring Boot dependency to version 3.5.13 as an intermediate upgrade step. a1d3dee

🔩 Build Updates

  • Renamed JdbcChatMemoryRepositorySchemaInitializerPostgresqlTests to follow the standard integration test naming convention, ensuring correct test classification and execution. #5853

🔐 Security

  • A malformed PDF could trigger excessive heap allocation during parsing. This fix adds safeguards to limit character buffer allocation, mitigating potential denial-of-service from crafted documents. 6a12b6f
  • The default cache directory used for storing downloaded transformer models is now created with restricted permissions, reducing the risk of unauthorized access to cached model artifacts. 4881e0c

🙏 Contributors

Thanks to all contributors who made this release possible:

Commits
  • 057e111 Release version 1.0.6
  • aed3b27 Upgrade Spring Boot to 3.5.14
  • 4881e0c Secure the default cache dir for transformer models
  • b32096e Fix Cosmosdb doDelete method to parameterize the query
  • 6a12b6f Prevent excessive char allocation via malformed pdf
  • 1e8135a Properly handle conversationId in VectorStoreChatMemoryAdvisor filter
  • eb763fd fix: vector store filter expression converter key handling
  • bc7789e Apply integration test suffix to JdbcChatMemoryRepositorySchemaInitializerPos...
  • a1d3dee Upgrade to Spring Boot 3.5.13
  • e99cdcb Next development version 1.0.6-SNAPSHOT
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the production-minor-patch group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| [org.springframework.ai:spring-ai-bom](https://github.com/spring-projects/spring-ai) | `1.1.4` | `1.1.5` |
| [com.fasterxml.jackson.module:jackson-module-parameter-names](https://github.com/FasterXML/jackson-modules-java8) | `2.21.2` | `2.21.3` |
| [com.fasterxml.jackson.module:jackson-module-jsonSchema](https://github.com/FasterXML/jackson-module-jsonSchema) | `2.21.2` | `2.21.3` |
| [com.fasterxml.jackson.dataformat:jackson-dataformat-yaml](https://github.com/FasterXML/jackson-dataformats-text) | `2.21.2` | `2.21.3` |
| [commons-codec:commons-codec](https://github.com/apache/commons-codec) | `1.21.0` | `1.22.0` |
| [com.puppycrawl.tools:checkstyle](https://github.com/checkstyle/checkstyle) | `13.4.0` | `13.4.1` |
| [org.springframework.ai:spring-ai-autoconfigure-mcp-client](https://github.com/spring-projects/spring-ai) | `1.0.5` | `1.0.6` |


Updates `org.springframework.ai:spring-ai-bom` from 1.1.4 to 1.1.5
- [Release notes](https://github.com/spring-projects/spring-ai/releases)
- [Commits](spring-projects/spring-ai@v1.1.4...v1.1.5)

Updates `com.fasterxml.jackson.module:jackson-module-parameter-names` from 2.21.2 to 2.21.3
- [Commits](FasterXML/jackson-modules-java8@jackson-modules-java8-2.21.2...jackson-modules-java8-2.21.3)

Updates `com.fasterxml.jackson.module:jackson-module-jsonSchema` from 2.21.2 to 2.21.3
- [Commits](FasterXML/jackson-module-jsonSchema@jackson-module-jsonSchema-parent-2.21.2...jackson-module-jsonSchema-parent-2.21.3)

Updates `com.fasterxml.jackson.dataformat:jackson-dataformat-yaml` from 2.21.2 to 2.21.3
- [Commits](FasterXML/jackson-dataformats-text@jackson-dataformats-text-2.21.2...jackson-dataformats-text-2.21.3)

Updates `com.fasterxml.jackson.module:jackson-module-jsonSchema` from 2.21.2 to 2.21.3
- [Commits](FasterXML/jackson-module-jsonSchema@jackson-module-jsonSchema-parent-2.21.2...jackson-module-jsonSchema-parent-2.21.3)

Updates `com.fasterxml.jackson.dataformat:jackson-dataformat-yaml` from 2.21.2 to 2.21.3
- [Commits](FasterXML/jackson-dataformats-text@jackson-dataformats-text-2.21.2...jackson-dataformats-text-2.21.3)

Updates `commons-codec:commons-codec` from 1.21.0 to 1.22.0
- [Changelog](https://github.com/apache/commons-codec/blob/master/RELEASE-NOTES.txt)
- [Commits](apache/commons-codec@rel/commons-codec-1.21.0...rel/commons-codec-1.22.0)

Updates `com.puppycrawl.tools:checkstyle` from 13.4.0 to 13.4.1
- [Release notes](https://github.com/checkstyle/checkstyle/releases)
- [Commits](checkstyle/checkstyle@checkstyle-13.4.0...checkstyle-13.4.1)

Updates `org.springframework.ai:spring-ai-autoconfigure-mcp-client` from 1.0.5 to 1.0.6
- [Release notes](https://github.com/spring-projects/spring-ai/releases)
- [Commits](spring-projects/spring-ai@v1.0.5...v1.0.6)

---
updated-dependencies:
- dependency-name: org.springframework.ai:spring-ai-bom
  dependency-version: 1.1.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-minor-patch
- dependency-name: com.fasterxml.jackson.module:jackson-module-parameter-names
  dependency-version: 2.21.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-minor-patch
- dependency-name: com.fasterxml.jackson.module:jackson-module-jsonSchema
  dependency-version: 2.21.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-minor-patch
- dependency-name: com.fasterxml.jackson.dataformat:jackson-dataformat-yaml
  dependency-version: 2.21.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-minor-patch
- dependency-name: com.fasterxml.jackson.module:jackson-module-jsonSchema
  dependency-version: 2.21.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-minor-patch
- dependency-name: com.fasterxml.jackson.dataformat:jackson-dataformat-yaml
  dependency-version: 2.21.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-minor-patch
- dependency-name: commons-codec:commons-codec
  dependency-version: 1.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-minor-patch
- dependency-name: com.puppycrawl.tools:checkstyle
  dependency-version: 13.4.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-minor-patch
- dependency-name: org.springframework.ai:spring-ai-autoconfigure-mcp-client
  dependency-version: 1.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies (Pull requests that update a dependency file) and java (Pull requests that update Java code) labels Apr 30, 2026