Update Renovatebot Gradle Updates (major)

[protocols-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
com.nimbusds:nimbus-jose-jwt	9.48 → 10.9
com.squareup.okhttp3:logging-interceptor (source)	4.12.0 → 5.3.2
com.squareup.okhttp3:mockwebserver (source)	4.12.0 → 5.3.2
com.squareup.okhttp3:okhttp (source)	4.12.0 → 5.3.2
io.zonky.test.postgres:embedded-postgres-binaries-bom	17.9.0 → 18.3.0
org.flywaydb:flyway-database-postgresql	11.20.3 → 12.6.2
org.flywaydb:flyway-core	11.20.3 → 12.6.2
io.rest-assured:rest-assured (source)	5.5.7 → 6.0.0
org.mock-server:mockserver-netty (source)	5.15.0 → 6.0.0
io.vertx:vertx-health-check (source)	4.5.26 → 5.1.0
io.vertx:vertx-junit5 (source)	4.5.26 → 5.1.0
io.vertx:vertx-web (source)	4.5.26 → 5.1.0
io.vertx:vertx-web-client (source)	4.5.26 → 5.1.0
io.vertx:vertx-unit (source)	4.5.26 → 5.1.0
io.vertx:vertx-core (source)	4.5.26 → 5.1.0
io.vertx:vertx-codegen (source)	4.5.26 → 5.1.0
net.ltgt.errorprone	4.4.0 → 5.1.0
org.junit:junit-bom (source)	5.14.3 → 6.1.0

---

Release Notes

connect2id/nimbus-jose-jwt (com.nimbusds:nimbus-jose-jwt)

v10.9

Compare Source

v10.8

Compare Source

v10.7

Compare Source

v10.6

Compare Source

v10.5

Compare Source

v10.4.2

Compare Source

v10.4.1

Compare Source

v10.4

Compare Source

v10.3.1

Compare Source

v10.3

Compare Source

v10.2

Compare Source

v10.1

Compare Source

v10.0.2

Compare Source

v10.0.1

Compare Source

v10.0

Compare Source

square/okhttp (com.squareup.okhttp3:logging-interceptor)

v5.3.2

2025-11-18

• Fix: Don't delay triggering timeouts. In Okio 3.16.0 we introduced a regression that caused
  timeouts to fire later than they were supposed to.

• Upgrade: [Okio 3.16.4][okio_3_16_4].

v5.3.1

2025-11-16

This release is the same as 5.3.0. Okio 3.16.3 didn't have a necessary fix!

• Upgrade: [Okio 3.16.3][okio_3_16_3].

v5.3.0

2025-10-30

• New: Add tags to Call, including computable tags. Use this to attach application-specific
  metadata to a Call in an EventListener or Interceptor. The tag can be read in any other
  EventListener or Interceptor.

    override fun intercept(chain: Interceptor.Chain): Response {
      chain.call().tag(MyAnalyticsTag::class) {
        MyAnalyticsTag(...)
      }
  
      return chain.proceed(chain.request())
    }

• New: Support request bodies on HTTP/1.1 connection upgrades.

• New: EventListener.plus() makes it easier to observe events in multiple listeners.

• Fix: Don't spam logs with ‘Method isLoggable in android.util.Log not mocked.’ when using
  OkHttp in Robolectric and Paparazzi tests.

• Upgrade: [Kotlin 2.2.21][kotlin_2_2_21].

• Upgrade: [Okio 3.16.2][okio_3_16_2].

• Upgrade: [ZSTD-KMP 0.4.0][zstd_kmp_0_4_0]. This update fixes a bug that caused APKs to fail
  [16 KB ELF alignment checks][elf_alignment].

v5.2.3

2025-11-18

• Fix: Don't delay triggering timeouts. In Okio 3.16.0 we introduced a regression that caused
  timeouts to fire later than they were supposed to.

• Upgrade: [Okio 3.16.4][okio_3_16_4].

v5.2.2

2025-11-16

This release is the same as 5.2.1. Okio 3.16.3 didn't have a necessary fix!

• Upgrade: [Okio 3.16.3][okio_3_16_3].

v5.2.1

2025-10-09

• Fix: Don't crash when calling Socket.shutdownOutput() or shutdownInput() on an SSLSocket
  on Android API 21 through 23. This method throws an UnsupportedOperationException, so we now
  catch that and close the underlying stream instead.

• Upgrade: [Okio 3.16.1][okio_3_16_1].

v5.2.0

2025-10-07

• New: Support [HTTP 101] responses with Response.socket. This mechanism is only supported on
  HTTP/1.1. We also reimplemented our websocket client to use this new mechanism.

• New: The okhttp-zstd module negotiates [Zstandard (zstd)][zstd] compression with servers that
  support it. It integrates a new (unstable) [ZSTD-KMP] library, also from Square. Enable it like
  this:

  val client = OkHttpClient.Builder()
    .addInterceptor(CompressionInterceptor(Zstd, Gzip))
    .build()

• New: Support the QUERY HTTP method. You will need to set the Request.cacheUrlOverride
  property to cache calls made with this method. The RequestBody.sha256() may be helpful here;
  use it to compose a cache URL from the query body.

• New: Publish events when calls must wait to execute. EventListener.dispatcherQueueStart()
  is invoked when a call starts waiting, and dispatcherQueueEnd() is invoked when it's done.

• New: Request.toCurl() returns a copy-pasteable [curl] command consistent with Chrome’s and
  Firefox’s ‘copy as cURL’ features.

• New: Support [JPMS]. We replaced our Automatic-Module-Name metadata with proper
  module-info.java files.

• Fix: Recover gracefully when worker threads are interrupted. When we introduced fast fallback in
  OkHttp 5.0, we started using background threads while connecting. Sadly that code didn't handle
  interruptions well. This is now fixed.

• Upgrade: [Kotlin 2.2.20][kotlin_2_2_20].

• Upgrade: [Okio 3.16.0][okio_3_16_0].

v5.1.0

2025-07-07

• New: Response.peekTrailers(). When we changed Response.trailers() to block instead of
  throwing in 5.0.0, we inadvertently removed the ability for callers to peek the trailers
  (by catching the IllegalStateException if they weren't available). This new API restores that
  capability.

• Fix: Don't crash on trailers() if the response doesn't have a body. We broke [Retrofit] users
  who read the trailers on the raw() OkHttp response, after its body was decoded.

v5.0.0

2025-07-02

This is our first stable release of OkHttp since 2023. Here's the highlights if you're upgrading
from OkHttp 4.x:

OkHttp is now packaged as separate JVM and Android artifacts. This allows us to offer
platform-specific features and optimizations. If your build system handles [Gradle module metadata],
this change should be automatic.

MockWebServer has a new coordinate and package name. We didn’t like that our old artifact
depends on JUnit 4 so the new one doesn’t. It also has a better API built on immutable values. (We
intend to continue publishing the old okhttp3.mockwebserver artifact so there’s no urgency to
migrate.)

Coordinate	Package Name	Description
com.squareup.okhttp3:mockwebserver3:5.0.0	mockwebserver3	Core module. No JUnit dependency!
com.squareup.okhttp3:mockwebserver3-junit4:5.0.0	mockwebserver3.junit4	Optional JUnit 4 integration.
com.squareup.okhttp3:mockwebserver3-junit5:5.0.0	mockwebserver3.junit5	Optional JUnit 5 integration.
com.squareup.okhttp3:mockwebserver:5.0.0	okhttp3.mockwebserver	Obsolete. Depends on JUnit 4.

OkHttp now supports Happy Eyeballs ([RFC 8305][rfc_8305]) for IPv4+IPv6 networks. It attempts
both IPv6 and IPv4 connections concurrently, keeping whichever connects first.

We’ve improved our Kotlin APIs. You can skip the builder:

val request = Request(
  url = "https://cash.app/".toHttpUrl(),
)

OkHttp now supports [GraalVM].

Here’s what has changed since 5.0.0-alpha.17:

• Upgrade: [Okio 3.15.0][okio_3_15_0].
• Upgrade: [Kotlin 2.2.0][kotlin_2_2_0].
• Fix: Don't crash with a NoSuchMethodError when using OkHttp with the Sentry SDK.
• Fix: Retain the query data in the old okhttp3.mockwebserver.RecordedRequest.path property. We
  inadvertently changed this behavior when we introduced the mockwebserver3 API.

zonkyio/embedded-postgres-binaries (io.zonky.test.postgres:embedded-postgres-binaries-bom)

v18.2.0

Changes:

• Fixed ELF page alignment issues affecting systems with non-standard page sizes, such as Asahi Linux on Apple Silicon (#​105)

rest-assured/rest-assured (io.rest-assured:rest-assured)

v6.0.0

• spring-mock-mvc module now supports Spring 7.x
• spring-web-test-client now supports Spring 7.x
• Upgraded commons-lang3 from 3.18.0 to 3.19.0
• The spring modules now required Spring 5.3+ (previously 5.1 was required)
• New minimum Java baseline is now 17
• New minimum Groovy base is now 5.x
• Support for Jackson 3 object mapping
• Support for Yasson 3 object mapping
• Support for jakarta JsonB/Johnzon 3 object mapping
• Migrate json-path fully to Java, bypass GroovyShell for evaluation (#​1844) (thanks to Michael Edgar for PR)
  • This fixed some nasty memory leaks when using JsonPath heavily in long running processes
• Stop resetting ResponseParserRegistrar during build (#​1759, #​1505, #​1207 & #​978) (thanks to Marc Easen for PR)
• Skip Null filters in FilterContextImpl (#​1834) (thanks to Boyarshinov Alexander for PR)
• Upgraded Kotlin extension module to use Kotlin 2.2.21

mock-server/mockserver-monorepo (org.mock-server:mockserver-netty)

v6.0.0

Added

Protocol & transport

• gRPC protocol mocking without a grpc-java dependency: upload a Protobuf descriptor and mock unary, client-streaming, server-streaming, and bidirectional-streaming RPCs; GrpcStreamResponse supports multi-frame streaming responses
• GraphQL body matching: whitespace-normalised query comparison, operationName matching, and variablesSchema JSON Schema validation for variables
• binary request/response mocking via BinaryRequestDefinition and BinaryResponse for non-HTTP protocols
• DNS mocking with dnsEnabled/dnsPort configuration and support for A, AAAA, CNAME, MX, SRV, TXT, and PTR record types
• IPv6 CONNECT proxy support including correctly bracketed IPv6 address handling in the CONNECT tunnel

Request matching

• probabilistic expectation matching: set a percentage field (0–100) on an expectation so only a fraction of matching requests are served by it, enabling fault-injection scenarios (fixes #​2122)
• HTTP method factory methods on HttpRequest: HttpRequest.get(path), .post(path), .put(path), .delete(path), .patch(path), .head(path), .options(path) for more concise expectation definitions (fixes #​1509)

Responses & actions

• multi-response expectations: define an httpResponses list with a responseMode of SEQUENTIAL (cycle repeatedly through the list in order) or RANDOM (pick at random) to serve different responses on successive matched requests
• multi-action expectations: compose response, forward, and callback actions in a single expectation with a primary action and post-action callbacks
• stateful scenarios with atomic state transitions: gate expectations behind named states and advance through them by setting newScenarioState on the expectation, making it straightforward to model multi-step protocols
• CRUD simulation via PUT /mockserver/crud: supply a data model and MockServer auto-generates a fully stateful REST API (list, create, read, update, delete) backed by an in-memory store
• FileBody response body type that loads content from a file path at response time, useful for large or binary payloads (fixes #​2163)
• in-memory file store: upload files via PUT /mockserver/files/store, retrieve via PUT /mockserver/files/retrieve, list via PUT /mockserver/files/list, and delete via PUT /mockserver/files/delete; stored files can be referenced by FileBody (fixes #​1652)
• respondBeforeBody flag on the request matcher to dispatch the configured response (and optionally close the connection) before MockServer reads the request body, useful for reproducing client behaviour when a server responds and closes mid-upload (fixes #​1831)

Delays & timing

• response delays with statistical distributions (uniform, Gaussian, log-normal) for realistic latency simulation (fixes #​1688)
• global response delay via mockserver.globalResponseDelayMillis configuration property to add a baseline delay to every response
• connection timeout emulation via mockserver.connectionDelayMillis configuration property: a configurable delay before protocol detection fires, so slow-connect scenarios can be tested without a real network (fixes #​1604)
• chunked dribble delay via ConnectionOptions.withChunkSize() / withChunkDelay() to drip-feed any response body in configurable-size chunks at a configurable rate

Response templates

• template helper functions: JWT generation, string manipulation, JSON path extraction, date arithmetic, and math operations available inside JavaScript, Velocity, and Mustache templates

Record & replay

• HAR 1.2 export: pass format=HAR to the retrieve API to get a standard HAR file of all recorded requests and responses (fixes #​2175)
• automatic persistence of recorded expectations: persistRecordedExpectations and persistedRecordedExpectationsPath configuration properties save recorded traffic to disk so it survives restarts (fixes #​2175)

Debugging & diagnostics

• per-expectation match count tracking: each expectation now exposes an invocation counter so tests can assert exactly how many times an endpoint was hit
• closest-match tracking: when a request does not match any expectation, MockServer identifies the expectation with the most fields satisfied and surfaces it via the API and dashboard
• debugMismatch() client method and PUT /mockserver/debugMismatch endpoint to programmatically retrieve the closest-match analysis for the last unmatched request
• match failure hints: actionable suggestions attached to EXPECTATION_NOT_MATCHED log events to guide correction of common mistakes
• "Why didn't this match?" debug dialog in the dashboard: click any unmatched request to see a field-by-field comparison against the closest expectation with per-field pass/fail indicators
• expectation ID included in EXPECTATION_NOT_MATCHED log messages to make it easier to correlate log output with the intended expectation (fixes #​1937)

Logging

• compact log format: set mockserver.compactLogFormat=true to emit single-line JSON log entries instead of multi-line formatted output (fixes #​1510)
• per-category log level overrides via mockserver.logLevelOverrides so individual event types can have different log levels (fixes #​1694)
• correlation ID retrieval: retrieveLogsByCorrelationId() client method and a correlationId chip in the dashboard for tracing a single request across all related log events
• retrieveLogEntries() client method returning typed LogEntry objects with optional time-range filtering; pass LOG_ENTRIES as the format to the retrieve API for programmatic access
• custom log event listener via a Consumer<LogEntry> callback registered with the Configuration object, enabling integration with external observability tools (fixes #​1960)

Proxy & forwarding configuration

• mockserver.forwardDefaultHostHeader configuration property: set a specific Host header value to send on all forwarded requests, overriding the original client Host header (fixes #​1782)
• mockserver.proxyRemoteHost and mockserver.proxyRemotePort configuration properties to route all proxy traffic through an upstream proxy (fixes #​1753)
• request forwarding timings captured per forwarded request: both connect time and total round-trip time are available in the log and dashboard (fixes #​1574)

OpenAPI

• OpenAPI callback support: MockServer reads callbacks entries in an OpenAPI specification and automatically creates AfterAction webhook expectations (fixes #​1483)

TLS & security

• BouncyCastle FIPS provider support for environments that require FIPS 140-2 compliant cryptography (fixes #​1769)
• support for custom TLS protocols TLSv1.2 and TLSv1.3
• better error messages when MockServerClient fails due to TLS or networking errors

Client & test integration

• @MockServerTest now applies mockserver.* prefixed properties to the per-instance MockServer Configuration object, enabling declarative configuration of initializationClass, logLevel, maxExpectations, and other settings directly in the annotation (fixes #​1554)
• Jackson StreamReadConstraints maximum string length raised to 100 MB to handle large JSON bodies without StreamConstraintsException (fixes #​1754)

Build & deployment

• Maven plugin initializationJson now accepts glob patterns to load multiple expectation files from a directory (fixes #​2231)
• mockserver/mockserver:graaljs Docker image tag that bundles the GraalJS engine JARs, enabling native ECMAScript 2022 support in response templates without Nashorn
• Docker HEALTHCHECK instruction added to all official images so container orchestrators can determine readiness without an external probe
• Helm chart podLabels value to attach arbitrary labels to MockServer pods, useful for service-mesh injection and internal routing rules (fixes #​1884)

Changed

• BREAKING: removed implicit reliance on internal java-certificate-classes (thanks to @​Arkinator)
• BREAKING: the classifier=shaded form of mockserver-client-java, mockserver-netty, mockserver-junit-jupiter, mockserver-junit-rule, and mockserver-spring-test-listener is no longer published. Use the corresponding *-no-dependencies artifactId instead (e.g. depend on mockserver-netty-no-dependencies rather than mockserver-netty with <classifier>shaded</classifier>). The *-no-dependencies variants are now proper Maven modules and are the supported way to consume a shaded MockServer jar.

Fixed

Proxy & forwarding

• proxy forwarding failures now return 502 Bad Gateway instead of 404 Not Found, making it clearer to clients that the upstream could not be reached (fixes #​1519)
• Host header updated to match the forwarding target to prevent 421 Misdirected Request errors from strict servers (fixes #​1897)
• request/response bodies with Content-Encoding are now re-compressed correctly when forwarding, preventing garbled bodies on the upstream (fixes #​1668)
• Transfer-Encoding header preserved on forwarded responses; spurious Content-Length header no longer added when Transfer-Encoding is present (fixes #​1733)

Request & response handling

• cookie values starting with ! were corrupted in forwarded responses (fixes #​1875)
• duplicate query parameter values are now preserved instead of being deduplicated (fixes #​1866)
• binary response bodies (e.g. application/octet-stream; charset=utf-8) were corrupted because a charset parameter in Content-Type caused the body to be treated as a string; now correctly treated as binary (fixes #​1910)
• JSON body serialization preserved numeric precision — 0.00 was incorrectly serialized as 0.0 (fixes #​1740)

OpenAPI

• ByteArraySchema (string format byte) properties were omitted from generated OpenAPI examples (fixes #​1788)
• $ref inside OpenAPI example values was not resolved, leading to raw $ref strings in generated responses (fixes #​1474)
• allOf/anyOf/oneOf composed schemas now generate merged example responses (fixes #​1852)
• OAS 3.0 boolean exclusiveMinimum/exclusiveMaximum now correctly translated to JSON Schema Draft-07 numeric format (fixes #​1896)
• OpenAPI 3.1 types array field now correctly preserved during schema serialization (fixes #​1940)

XML

• XSD schemas with xs:include or xs:import using relative paths now resolve correctly (fixes #​2118)

JUnit & Spring integration

• @MockServerTest field injection now works in @Nested JUnit 5 test classes (fixes #​1979)
• double server start when @MockServerSettings (carrying @ExtendWith) is combined with explicit MockServerExtension registration is now prevented (fixes #​1977)
• clientCertificateChain, localAddress, and remoteAddress fields on HttpRequest were serialized but not deserialized — both directions now work (fixes #​1973)
• MockServerClient parameter injection now works with @TestInstance(PER_CLASS) where the test instance is created before @BeforeAll (fixes #​1621)
• ClassNotFoundException for callback classes when running in a Spring Boot uber JAR (fixes #​1571)

Dashboard & WebSocket

• dashboard WebSocket returned 404 when MockServer was running behind a reverse proxy with a path prefix (fixes #​1693)
• HTTP/2 CONNECT proxy no longer hangs when the client advertises h2 via ALPN (fixes #​1933)
• WebSocket upgrade over HTTP/2 is now rejected cleanly instead of hanging the dashboard (fixes #​1803)

Concurrency & thread safety

• Times.remainingTimes() made thread-safe with AtomicInteger to prevent race conditions under concurrent load (fixes #​1834)
• XmlStringMatcher made thread-safe by creating a new DiffBuilder per match instead of sharing one (fixes #​1796)
• Disruptor ring buffer is drained before verify() to prevent false-positive or false-negative results under high throughput (fixes #​1757)
• expired TTL expectations are now filtered from the event bus and event bus subscribers are cleared after publish to prevent stale matches (fixes #​1847, #​1874)

TLS & mTLS

• mTLS (data-plane) enforcement moved from transport layer to application layer, fixing scenarios where client certificate validation was applied to non-mTLS connections (fixes #​1766)

Docker & deployment

• netty-tcnative native libraries no longer bundled in the shaded JAR, preventing native library conflicts (fixes #​1778)
• Helm chart sub-chart deployments generated conflicting Kubernetes resource names when chart name was omitted (fixes #​1752)

Glob & file initialization

• glob brace expansion in initializationJson path failed to find the starting directory in some environments (fixes #​1715)
• WebSocket channel leak when the CircularHashMap evicted the oldest callback client (fixes #​1543)
• verify failure message incorrectly said "was not found" even when matching requests existed; message now accurately describes the mismatch (fixes #​1789)

eclipse-vertx/vertx-health-check (io.vertx:vertx-health-check)

v5.1.0

Compare Source

v5.0.12

Compare Source

v5.0.11

Compare Source

v5.0.10

Compare Source

v5.0.9

Compare Source

v5.0.8

Compare Source

v5.0.7

Compare Source

v5.0.6

Compare Source

v5.0.5

Compare Source

v5.0.4

Compare Source

v5.0.3

Compare Source

v5.0.2

Compare Source

v5.0.1

Compare Source

v5.0.0

Compare Source

v4.5.27

Compare Source

eclipse-vertx/vertx-junit5 (io.vertx:vertx-junit5)

v5.1.0

Compare Source

v5.0.12

Compare Source

v5.0.11

Compare Source

v5.0.10

Compare Source

v5.0.9

Compare Source

v5.0.8

Compare Source

v5.0.7

Compare Source

v5.0.6

Compare Source

v5.0.5

Compare Source

v5.0.4

Compare Source

v5.0.3

Compare Source

v5.0.2

Compare Source

v5.0.1

Compare Source

v5.0.0

Compare Source

v4.5.27

Compare Source

vert-x3/vertx-web (io.vertx:vertx-web)

v5.1.0

Compare Source

v5.0.12

Compare Source

v5.0.11

Compare Source

v5.0.10

Compare Source

v5.0.9

Compare Source

v5.0.8

Compare Source

v5.0.7

Compare Source

v5.0.6

Compare Source

v5.0.5

Compare Source

v5.0.4

Compare Source

v5.0.3

Compare Source

v5.0.2

Compare Source

v5.0.1

Compare Source

v5.0.0

Compare Source

v4.5.27

Compare Source

vert-x3/vertx-unit (io.vertx:vertx-unit)

v5.1.0

Compare Source

v5.0.12

Compare Source

v5.0.11

Compare Source

v5.0.10

Compare Source

v5.0.9

Compare Source

v5.0.8

Compare Source

v5.0.7

Compare Source

v5.0.6

Compare Source

v5.0.5

Compare Source

v5.0.4

Compare Source

v5.0.3

Compare Source

v5.0.2

Compare Source

v5.0.1

Compare Source

v5.0.0

Compare Source

v4.5.27

Compare Source

eclipse/vert.x (io.vertx:vertx-core)

v5.1.0

Compare Source

v5.0.12

Compare Source

v5.0.11

Compare Source

v5.0.10

Compare Source

v5.0.9

Compare Source

v5.0.8

Compare Source

v5.0.7

Compare Source

v5.0.6

Compare Source

v5.0.5

Compare Source

v5.0.4

Compare Source

v5.0.3

Compare Source

v5.0.2

Compare Source

v5.0.1

Compare Source

v5.0.0

Compare Source

v4.5.27

Compare Source

vert-x3/vertx-sockjs-service-proxy (io.vertx:vertx-codegen)

v5.1.0

Compare Source

v5.0.12

Compare Source

v5.0.11

Compare Source

v5.0.10

Compare Source

v5.0.9

Compare Source

v5.0.8

Compare Source

v5.0.7

Compare Source

v5.0.6

Compare Source

v5.0.5

Compare Source

v5.0.4

Compare Source

v5.0.3

Compare Source

v5.0.2

Compare Source

v5.0.1

Compare Source

v5.0.0

Compare Source

v4.5.27

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

---

Note

High Risk
Vert.x 5 drives the production HTTP stack and Flyway 12 runs DB migrations; major JWT and test-stack upgrades add regression surface across signing, slashing DB, and CI despite no source edits.

Overview
This PR bumps major dependency versions in gradle/versions.gradle and the Error Prone Gradle plugin in build.gradle (4.4.0 → 5.1.0). There is no application source change in the diff—only centralized version pins.

The most impactful runtime moves are Eclipse Vert.x 4.5.26 → 5.1.0 (entire io.vertx set used for the HTTP server, web routing, health checks, and JUnit5 test integration) and Flyway 11.20.3 → 12.6.2 for PostgreSQL slashing-protection migrations. OkHttp is raised to 5.3.2 (including mockwebserver used in tests). JUnit BOM goes to 6.1.0; REST Assured and MockServer move to 6.0.0 for acceptance/integration testing. Nimbus JOSE JWT 9.48 → 10.9 affects the transitive stack around Azure identity/OIDC. Embedded Postgres test binaries move from 17.9.0 to 18.3.0.

Review should focus on compile/test failures and any Vert.x 5 / Flyway 12 breaking changes rather than new product logic.

^{Reviewed by Cursor Bugbot for commit a7da13e. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 8f6fda0. Configure here.}

[cursor]

JUnit 6 Mockito mismatch

Medium Severity

Importing junit-bom 6.1.0 aligns all Jupiter and Platform artifacts to JUnit 6, but mockito-junit-jupiter stays at 5.23.0, which is built and released against JUnit 5. Core tests that use @ExtendWith(MockitoExtension.class) can fail at runtime because the Mockito extension and the JUnit 6 engine are not a supported combination.

 

^{Reviewed by Cursor Bugbot for commit 8f6fda0. Configure here.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud