fix(deps): update maven

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.apache.maven:maven-artifact (source)	3.9.11 → 3.9.12
io.micrometer:micrometer-core	1.16.3 → 1.16.5
org.projectlombok:lombok (source)	1.18.42 → 1.18.46
org.apache.maven.plugins:maven-deploy-plugin (source)	3.1.3 → 3.1.4
org.hibernate.orm:hibernate-processor (source)	7.2.4.Final → 7.2.12.Final
org.hibernate.orm:hibernate-core (source)	7.2.4.Final → 7.2.12.Final
org.testcontainers:testcontainers (source)	2.0.3 → 2.0.5
org.springframework.boot:spring-boot-test (source)	4.0.3 → 4.0.6
org.springframework.data:spring-data-jpa (source)	4.0.3 → 4.0.5
org.springframework.boot:spring-boot-starter-data-redis (source)	4.0.3 → 4.0.6
net.javacrumbs.shedlock:shedlock-provider-cassandra (source)	7.6.0 → 7.7.0
net.javacrumbs.shedlock:shedlock-core (source)	7.6.0 → 7.7.0
org.flywaydb:flyway-database-postgresql	11.14.1 → 11.20.3
org.flywaydb:flyway-core	11.14.1 → 11.20.3
org.springframework.data:spring-data-commons (source)	4.0.3 → 4.0.5
com.fasterxml.jackson:jackson-bom	2.20.2 → 2.21.2
org.springframework.boot:spring-boot-starter-jdbc (source)	4.0.3 → 4.0.6
org.springframework.data:spring-data-redis (source)	4.0.3 → 4.0.5
io.grpc:grpc-stub	1.77.0 → 1.79.0
io.grpc:grpc-protobuf	1.77.0 → 1.79.0
io.grpc:grpc-netty-shaded	1.77.0 → 1.79.0
com.arangodb:arangodb-java-driver (source)	7.25.0 → 7.26.0
org.springframework.boot:spring-boot-starter-data-cassandra (source)	4.0.3 → 4.0.6
org.mongodb:mongodb-driver-sync (source)	5.6.3 → 5.6.5
org.springframework.data:spring-data-mongodb (source)	5.0.3 → 5.0.5
org.postgresql:postgresql (source)	42.7.10 → 42.7.11
org.springframework.boot:spring-boot-starter-test (source)	4.0.3 → 4.0.6
org.springframework.boot:spring-boot-autoconfigure (source)	4.0.3 → 4.0.6
org.springframework.data:spring-data-cassandra (source)	5.0.3 → 5.0.5
org.opensearch.client:opensearch-java	3.7.0 → 3.8.0
org.springframework:spring-test	7.0.5 → 7.0.7
org.springframework:spring-beans	7.0.5 → 7.0.7
org.springframework:spring-web	7.0.5 → 7.0.7
org.springframework:spring-context	7.0.5 → 7.0.7
org.springframework:spring-expression	7.0.5 → 7.0.7
org.springframework:spring-core	7.0.5 → 7.0.7
com.clickhouse:clickhouse-jdbc (source)	0.9.7 → 0.9.8

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS

CVE-2026-42198 / GHSA-98qh-xjc8-98pq

More information

Details

Summary

pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication.

Impact

A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count.
With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail.
A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools.

In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation.

This issue affects availability. It does not provide authentication bypass, privilege escalation, or direct password disclosure.

A user is vulnerable when all of the following are true:

1. The connection uses SCRAM-SHA-256 authentication.
2. The client reaches a malicious, compromised, or attacker-controlled PostgreSQL endpoint.
3. That endpoint sends a very large SCRAM PBKDF2 iteration count in the server-first-message.

In practice, that can happen in these situations:

• the application lets end users or tenants supply their own database connection details (as in many BI, reporting, analytics, ETL, and low-code platforms), so a user can point the shared client host at a server they control
• the application accepts connection strings, hostnames, or JDBC URLs from user input, configuration uploaded by users, or other untrusted sources
• the application is configured to connect to a PostgreSQL server that is itself malicious or later becomes compromised
• the application connects through an untrusted proxy, relay, tunnel, bastion, or connection-pooling service that can act as the PostgreSQL server
• an attacker can redirect the client to a fake PostgreSQL endpoint by manipulating DNS, service discovery, Kubernetes service resolution, /etc/hosts, environment variables, or similar indirection
• an active network attacker on the path can impersonate the server because the connection does not strongly verify server identity (for example, sslmode lower than verify-full, or trusting a CA that signs hosts outside the operator's control)

The issue is more damaging when the application uses connection retries, many parallel connection attempts, or loginTimeout and assumes the timeout fully stops the work.

Patches

The patch introduces a new connection property, scramMaxIterations, with a default of 100K. The client now rejects SCRAM server messages that advertise more PBKDF2 iterations than the configured cap before starting the PBKDF2 computation begins.

Workarounds

Until a patched version of pgjdbc is deployed, the following measures reduce exposure:

1. Only connect to trusted PostgreSQL servers whose identity is verified.
   Connect only to trusted PostgreSQL servers, and verify server identity with TLS using sslmode=verify-full and a trusted CA.
   TLS without certificate and hostname verification is not sufficient as an active network attacker can still impersonate the server.

2. Do not rely on loginTimeout as a complete mitigation on unpatched versions.
   On affected versions, loginTimeout can stop the waiting caller while the worker thread continues spending CPU.

3. Avoid SCRAM on untrusted or interceptable connection paths.
   For those paths, use an authentication method that does not let the server choose a SCRAM PBKDF2 iteration count.

4. Reduce blast radius operationally.
   Limit parallel connection attempts, add retry backoff, isolate connection establishment in a separate worker or process when possible, and apply CPU or container limits where appropriate.

5. On trusted servers you control, keep SCRAM iteration counts at ordinary values.
   This does not defend against an attacker-controlled server, but it avoids unnecessary client cost when talking to legitimate servers.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-98qh-xjc8-98pq
• https://nvd.nist.gov/vuln/detail/CVE-2026-42198
• https://github.com/pgjdbc/pgjdbc/releases/tag/REL42.7.11
• https://github.com/advisories/GHSA-98qh-xjc8-98pq

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS

BIT-postgresql-jdbc-driver-2026-42198 / CVE-2026-42198 / GHSA-98qh-xjc8-98pq

More information

Details

Summary

pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication.

Impact

A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count.
With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail.
A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools.

In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation.

This issue affects availability. It does not provide authentication bypass, privilege escalation, or direct password disclosure.

A user is vulnerable when all of the following are true:

1. The connection uses SCRAM-SHA-256 authentication.
2. The client reaches a malicious, compromised, or attacker-controlled PostgreSQL endpoint.
3. That endpoint sends a very large SCRAM PBKDF2 iteration count in the server-first-message.

In practice, that can happen in these situations:

• the application lets end users or tenants supply their own database connection details (as in many BI, reporting, analytics, ETL, and low-code platforms), so a user can point the shared client host at a server they control
• the application accepts connection strings, hostnames, or JDBC URLs from user input, configuration uploaded by users, or other untrusted sources
• the application is configured to connect to a PostgreSQL server that is itself malicious or later becomes compromised
• the application connects through an untrusted proxy, relay, tunnel, bastion, or connection-pooling service that can act as the PostgreSQL server
• an attacker can redirect the client to a fake PostgreSQL endpoint by manipulating DNS, service discovery, Kubernetes service resolution, /etc/hosts, environment variables, or similar indirection
• an active network attacker on the path can impersonate the server because the connection does not strongly verify server identity (for example, sslmode lower than verify-full, or trusting a CA that signs hosts outside the operator's control)

The issue is more damaging when the application uses connection retries, many parallel connection attempts, or loginTimeout and assumes the timeout fully stops the work.

Patches

The patch introduces a new connection property, scramMaxIterations, with a default of 100K. The client now rejects SCRAM server messages that advertise more PBKDF2 iterations than the configured cap before starting the PBKDF2 computation begins.

Workarounds

Until a patched version of pgjdbc is deployed, the following measures reduce exposure:

1. Only connect to trusted PostgreSQL servers whose identity is verified.
   Connect only to trusted PostgreSQL servers, and verify server identity with TLS using sslmode=verify-full and a trusted CA.
   TLS without certificate and hostname verification is not sufficient as an active network attacker can still impersonate the server.

2. Do not rely on loginTimeout as a complete mitigation on unpatched versions.
   On affected versions, loginTimeout can stop the waiting caller while the worker thread continues spending CPU.

3. Avoid SCRAM on untrusted or interceptable connection paths.
   For those paths, use an authentication method that does not let the server choose a SCRAM PBKDF2 iteration count.

4. Reduce blast radius operationally.
   Limit parallel connection attempts, add retry backoff, isolate connection establishment in a separate worker or process when possible, and apply CPU or container limits where appropriate.

5. On trusted servers you control, keep SCRAM iteration counts at ordinary values.
   This does not defend against an attacker-controlled server, but it avoids unnecessary client cost when talking to legitimate servers.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-98qh-xjc8-98pq
• https://nvd.nist.gov/vuln/detail/CVE-2026-42198
• https://github.com/pgjdbc/pgjdbc
• https://github.com/pgjdbc/pgjdbc/releases/tag/REL42.7.11

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

apache/maven (org.apache.maven:maven-artifact)

v3.9.12: 3.9.12

🚀 New features and improvements

• [3.9.x] Apply resolver changes and improvements (#​11536) @​cstamas
• Update formatting of prerequisites-requirements error to improve readability (#​11523) @​slawekjaranowski
• Allow a Maven plugin to require a Java version (#​11479) @​slawekjaranowski
• Use MavenRepositorySystem in ProjectBuildingHelper instead of deprecated RepositorySystem (#​11358) @​slawekjaranowski
• Make maven.config use UTF8 (#​11264) @​cstamas
• Simplify prefix resolution (#​11197) @​slawekjaranowski

🐛 Bug Fixes

• Add default implementation for new method in MavenPluginManager (#​11522) @​slawekjaranowski
• Repository layout should be used in MavenRepositorySystem (#​11495) @​slawekjaranowski
• Fix plugin prefix resolution when metadata is not available from repository (#​11290) @​slawekjaranowski
• Improve source root modification warning message (#​11105) @​gnodet
• Bug: bad cache isolation between two sessions (#​11082) @​cstamas
• Set Guice class loading to CHILD - avoid using terminally deprecated methods (#​11003) @​slawekjaranowski
• Avoid parsing MAVEN_OPTS (3.9.x) (#​10969) @​BobVul

📝 Documentation updates

• clarify repository vs deployment repository (#​11492) @​hboutemy
• add maintained branches (#​11448) @​hboutemy

👻 Maintenance

• Add IntelliJ icon (#​11408) @​Bukama
• Build by JDK 25 (#​11187) @​slawekjaranowski
• Deprecate org.apache.maven.repository.RepositorySystem in 3.9.x (#​11096) @​slawekjaranowski

🔧 Build

• Bump actions/download-artifact from 5.0.0 to 6.0.0 (#​11335) @​dependabot[bot]
• Bump actions/upload-artifact from 4.6.2 to 5.0.0 (#​11336) @​dependabot[bot]

📦 Dependency updates

• Bump actions/cache from 4.3.0 to 5.0.0 (#​11542) @​dependabot[bot]
• Bump resolverVersion from 1.9.24 to 1.9.25 (#​11533) @​dependabot[bot]
• Bump actions/checkout from 6.0.0 to 6.0.1 (#​11512) @​dependabot[bot]
• Bump actions/setup-java from 5.0.0 to 5.1.0 (#​11519) @​dependabot[bot]
• Bump actions/checkout from 5.0.1 to 6.0.0 (#​11476) @​dependabot[bot]
• Bump actions/checkout from 5.0.0 to 5.0.1 (#​11458) @​dependabot[bot]
• Bump commons-cli:commons-cli from 1.10.0 to 1.11.0 (#​11438) @​dependabot[bot]
• Bump org.codehaus.plexus:plexus-interpolation from 1.28 to 1.29 (#​11416) @​dependabot[bot]
• Bump commons-io:commons-io from 2.20.0 to 2.21.0 (#​11417) @​dependabot[bot]
• Bump xmlunitVersion from 2.10.4 to 2.11.0 (#​11331) @​dependabot[bot]
• Bump org.codehaus.mojo:animal-sniffer-maven-plugin from 1.24 to 1.26 (#​11231) @​dependabot[bot]
• Bump org.ow2.asm:asm from 9.8 to 9.9 (#​11203) @​dependabot[bot]
• Bump actions/cache from 4.2.4 to 4.3.0 (#​11172) @​dependabot[bot]
• Bump com.google.guava:guava from 33.4.8-jre to 33.5.0-jre (#​11143) @​dependabot[bot]
• Bump xmlunitVersion from 2.10.3 to 2.10.4 (#​11121) @​dependabot[bot]
• Bump actions/cache from 4.2.3 to 4.2.4 (#​11032) @​dependabot[bot]
• Bump commons-cli:commons-cli from 1.9.0 to 1.10.0 (#​11018) @​dependabot[bot]
• Bump commons-io:commons-io from 2.19.0 to 2.20.0 (#​10966) @​dependabot[bot]

micrometer-metrics/micrometer (io.micrometer:micrometer-core)

v1.16.5: 1.16.5

Compare Source

🐞 Bug Fixes

• Invalid reflection hint in micrometer-core for native GraalVM 25 build #​7316
• ObservationGrpcClientInterceptor throws NPE when NameResolver returns empty authority #​7380
• Wrong Nullability Information in OkHttpMetricsEventListener #​7373

🔨 Dependency Upgrades

• Bump com.netflix.spectator:spectator-reg-atlas from 1.9.4 to 1.9.6 #​7393
• Bump spring6 from 6.2.16 to 6.2.17 #​7294

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Joowon-Seo, and @​ribafish

v1.16.4: 1.16.4

Compare Source

🐞 Bug Fixes

• Using context-propagation with a no-op Observation corrupts the current Observation #​7200

📔 Documentation

• Document (Default)MeterObservationHandler #​6361
• Document Jakarta Mail instrumentation #​6485
• Document statsd UDS config #​5730

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​izeye, @​kangdaeun1022, and @​seonghyeoklee

projectlombok/lombok (org.projectlombok:lombok)

v1.18.46

v1.18.44

hibernate/hibernate-orm (org.hibernate.orm:hibernate-processor)

v7.2.12.Final

Compare Source

v7.2.11.Final

Compare Source

v7.2.10.Final

Compare Source

v7.2.9.Final

Compare Source

v7.2.8.Final

Compare Source

v7.2.7.Final

Compare Source

v7.2.6.Final

Compare Source

v7.2.5.Final

Compare Source

testcontainers/testcontainers-java (org.testcontainers:testcontainers)

v2.0.5

Compare Source

What's Changed

🚀 Features & Enhancements

• Support apache/artemis in ArtemisContainer (#​11590) @​eddumelendez
• Add getHttpPort and getGrpcPort methods in WeaviateContainer (#​11712) @​eddumelendez
• Add support for !override docker compose tag (#​11490) @​meck-gd

🐛 Bug Fixes

• Fix jarFileTest cache relocatability (#​11574) @​ribafish

📖 Documentation

• Update LocalStack docs (#​11581) @​eddumelendez

🧹 Housekeeping

• Fix typo in GenericContainer namespace validation error message (#​11717) @​haider2122
• Replace deprecated/removed method calls javadoc examples (#​11570) @​ratonalgaze
• Use weaviate client v6 (#​11711) @​eddumelendez
• Polish CI workflows (#​11686) @​eddumelendez
• Update testcontainers version to 2.0.4 (#​11357) @​github-actions[bot]
• Update docs version to 2.0.4 (#​11573) @​github-actions[bot]

📦 Dependency updates

16 changes

• Combined dependencies PR (#​11710) @​eddumelendez
• Combined dependencies PR (#​11708) @​eddumelendez
• Combined dependencies PR (#​11707) @​eddumelendez
• Combined dependencies PR (#​11706) @​eddumelendez
• Combined dependencies PR (#​11705) @​eddumelendez
• Combined dependencies PR (#​11704) @​eddumelendez
• Combined dependencies PR (#​11701) @​eddumelendez
• Combined dependencies PR (#​11700) @​eddumelendez
• Combined dependencies PR (#​11699) @​eddumelendez
• Combined dependencies PR (#​11685) @​eddumelendez
• Combined dependencies PR (#​11684) @​eddumelendez
• Combined dependencies PR (#​11681) @​eddumelendez
• Combined dependencies PR (#​11672) @​eddumelendez
• Combined dependencies PR (#​11671) @​eddumelendez
• Combined dependencies PR (#​11670) @​eddumelendez
• Combined dependencies PR (#​11632) @​eddumelendez

v2.0.4

Compare Source

What's Changed

• Use non-deprecated MSSQLServerContainer in ServiceBusEmulatorContainer (#​11223) @​bramvonk
• Support apache/activemq in ActiveMQContainer (#​11498) @​eddumelendez
• Update ryuk version to 0.14.0 (#​11486) @​eddumelendez

📖 Documentation

• Improve k6 docs (#​11564) @​PreAgile

📦 Dependency updates

• Update docker-java version to 3.7.1 (#​11572) @​eddumelendez

spring-projects/spring-boot (org.springframework.boot:spring-boot-test)

v4.0.6

v4.0.5

🐞 Bug Fixes

• Test starter for Spring Integration does not include Spring Integration test module #​49784
• Some sliced tests that import TransactionAutoConfiguration do not import TransactionManagerCustomizationAutoConfiguration #​49782
• WebSocket messaging's task executors are only auto-configured and stompWebSocketHandlerMapping is only forced to be eager when using Jackson #​49753
• WebSocket app fails to start when Jackson is on the classpath but there's no JsonMapper bean #​49749
• Metadata annotation processor ignores method-level @NestedConfigurationProperty when using constructor binding #​49738
• Override of property in external 'application.properties' or 'application.yaml' is ignored #​49731
• NativeImageResourceProvider does not find Flyway migration scripts in subdirectories #​49706
• Add @ConditionalOnWebApplication to NettyReactiveWebServerAutoConfiguration #​49695
• @GraphQlTest does not include @ControllerAdvice #​49672

📔 Documentation

• Fix incorrect indefinite articles in Javadoc #​49727
• Add some more Kotlin examples and trivial style fixes #​49714
• Overhaul Spring Session documentation following modularization [#​49704](https://redirect.gith

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud