@dependabot dependabot bot commented on behalf of github Dec 19, 2025

Bumps the minor-and-patch group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| commons-codec:commons-codec | 1.17.1 | 1.20.0 |
| io.undertow:undertow-core | 2.3.17.Final | 2.3.20.Final |
| com.fasterxml.jackson.dataformat:jackson-dataformat-cbor | 2.17.2 | 2.20.1 |
| org.netpreserve:jwarc | 0.31.1 | 0.32.0 |
| com.nimbusds:nimbus-jose-jwt | 10.0.2 | 10.6 |
| org.webjars.npm:pikaday | 1.7.0 | 1.8.2 |
| org.apache.maven.plugins:maven-shade-plugin | 3.2.1 | 3.6.1 |

Updates commons-codec:commons-codec from 1.17.1 to 1.20.0

Changelog

Sourced from commons-codec:commons-codec's changelog.

Apache Commons Codec 1.20.0 Release Notes

The Apache Commons Codec team is pleased to announce the release of Apache Commons Codec 1.20.0.

The Apache Commons Codec component contains encoders and decoders for formats such as Base16, Base32, Base64, digest, and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

This is a feature and maintenance release. Java 8 or later is required.

New features

  • Add org.apache.commons.codec.digest.Crc16. Thanks to Fredrik Kjellberg, Gary Gregory.
  • Add builders to org.apache.commons.codec.digest streams and deprecate some old constructors. Thanks to Gary Gregory.
  • Add builder to Base16 streams and deprecate some old constructors. Thanks to Gary Gregory.
  • Add support for SHAKE128-256 and SHAKE256-512 to `DigestUtils` and `MessageDigestAlgorithms` on Java 25 and up. Thanks to Gary Gregory.
  • Add BaseNCodec.AbstractBuilder.setDecodeTable(byte[]) and refactor subclasses. Thanks to Gary Gregory.

Changes

  • Deprecate all but one Base32 constructor in favor of the builder added in version 1.17.0. Thanks to Gary Gregory.
  • Deprecate all but one Base64 constructor in favor of the builder added in version 1.17.0. Thanks to Gary Gregory.
  • BaseNCodecInputStream subclasses are now type-safe to match its matching BaseNCodec. Thanks to Gary Gregory.
  • BaseNCodecOutputStream subclasses are now type-safe to match its matching BaseNCodec. Thanks to Gary Gregory.
  • Bump org.apache.commons:commons-parent from 85 to 91. Thanks to Gary Gregory, Dependabot.
  • [test] Bump org.apache.commons:commons-lang3 from 3.18.0 to 3.19.0. Thanks to Gary Gregory.

For complete information on Apache Commons Codec, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Commons Codec website:

https://commons.apache.org/proper/commons-codec/

Download page: https://commons.apache.org/proper/commons-codec/download_codec.cgi


Apache Commons Codec 1.19.0 Release Notes

The Apache Commons Codec team is pleased to announce the release of Apache Commons Codec 1.19.0.

The Apache Commons Codec component contains encoders and decoders for formats such as Base16, Base32, Base64, digest, and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a

... (truncated)

Commits

Updates io.undertow:undertow-core from 2.3.17.Final to 2.3.20.Final

Release notes

Sourced from io.undertow:undertow-core's releases.

v2.3.20.Final

Release 2.3.20.Final fixes CVE-2025-9784. Full list of issues: view in Jira

    Release Notes - Undertow - Version 2.3.20.Final

v.2.3.19.Final

Release 2.3.19.Final fixes CVE-2024-4109. Full list of issues: view in Jira

    Release Notes - Undertow - Version 2.3.19.Final

... (truncated)

Commits
  • 5e6c73d Prepare 2.3.20.Final
  • 967ec02 Merge pull request #1803 from fl4via/backport-fixes_2.3.x
  • 2448f7a [UNDERTOW-2598] Replace the delayed cleaning algorithm in DirectByteBufferDea...
  • e7c28ac Merge pull request #1802 from fl4via/backport-fixes_2.3.x
  • 39fcfbe [UNDERTOW-2598] CVE-2025-9784 At AbstractFramedStreamSinkChannel, safeguard a...
  • 1d013b2 [UNDERTOW-2598] CVE-2025-9784 Add a delay in the actual direct byte buffer de...
  • afbd244 [UNDERTOW-2598] CVE-2025-9784 Prevent the dispatch of an exchange if the conn...
  • 4610806 [UNDERTOW-2598] CVE-2025-9784 Prevent a MadeYouReset HTTP2 attack by sending ...
  • c5a9817 [UNDERTOW-2235] Properly handle non servlet methods dispatched as error into ...
  • 5756047 [UNDERTOW-2604] fix potential NPE from alternate ctor
  • Additional commits viewable in compare view

Updates com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 2.17.2 to 2.20.1

Commits
  • 7cf8a3c [maven-release-plugin] prepare release jackson-dataformats-binary-2.20.1
  • 106b380 Prep for 2.20.1 release
  • b93171e Merge branch '2.19' into 2.20
  • 4704691 Post-release dep version bump
  • 29d3ed1 [maven-release-plugin] prepare for next development iteration
  • 297a10c [maven-release-plugin] prepare release jackson-dataformats-binary-2.19.4
  • becef87 Prep for 2.19.4 release
  • 6f89feb Merge branch '2.19' into 2.20
  • f8b4f74 Post-release dep version bump
  • e6cb7a6 [maven-release-plugin] prepare for next development iteration
  • Additional commits viewable in compare view

Updates org.netpreserve:jwarc from 0.31.1 to 0.32.0

Release notes

Sourced from org.netpreserve:jwarc's releases.

v0.32.0

New features

  • HeaderValidator with WARC/1.1 standard ruleset
  • ExtractTool: can now extract sequential concurrent records (--concurrent option)
  • DedupeTool
    • In-memory cache for cross-URL digest-based deduplication (--cache-size option)
    • Now prints deduplication statistics (--dry-run and --quiet options)
    • Multi-threaded deduplication (--threads option)
  • ValidateTool
    • Multi-threaded validation (--threads option)
  • ParsingException message is now annotated with the source filename and record offset when available

Bugs fixed

  • RFC5952 canonical form is now used for IPv6 addresses in WARC-IP-Address
  • HttpParser in lenient mode now:
    • accepts responses missing version number
    • ignores header lines missing :
    • ignores folded status lines
  • WarcParser: treats alexa/dat ARC records as not HTTP type

Changelog

Sourced from org.netpreserve:jwarc's changelog.

0.32.0

Added

  • HeaderValidator with WARC/1.1 standard ruleset
  • ExtractTool: can now extract sequential concurrent records (--concurrent option)
  • DedupeTool
    • In-memory cache for cross-URL digest-based deduplication (--cache-size option)
    • Now prints deduplication statistics (--dry-run and --quiet options)
    • Multi-threaded deduplication (--threads option)
  • ValidateTool
    • Multi-threaded validation (--threads option)
  • ParsingException message is now annotated with the source filename and record offset when available

Fixed

  • RFC5952 canonical form is now used for IPv6 addresses in WARC-IP-Address
  • HttpParser in lenient mode now:
    • accepts responses missing version number
    • ignores header lines missing :
    • ignores folded status lines
  • WarcParser: treats alexa/dat ARC records as not HTTP type

Commits
  • 388f3ec [maven-release-plugin] prepare release v0.32.0
  • 132bd52 Update CHANGELOG.md for 0.32.0 release
  • 065a299 Set tagNameFormat in pom.xml
  • c29390d Add scm section to pom.xml
  • 54c8960 Switch to Maven Central portal from OSSRH
  • 196abfe ListTool: Handle ParsingException
  • 97bbedc Avoid double filename/offset in CdxWriter exception output
  • b0e1f71 HttpParser: Accept (but ignore) folded reason phrases in lenient mode
  • 8c469ab WarcParser: Don't treat alexa/dat ARC records as HTTP
  • 5d5fef4 Include source filename and record offset in ParsingException message
  • Additional commits viewable in compare view

Updates com.nimbusds:nimbus-jose-jwt from 10.0.2 to 10.6

Changelog

Sourced from com.nimbusds:nimbus-jose-jwt's changelog.

10.0.2 (2025-02-25)

  • Updates JSONObjectUtils.parse and JSONArrayUtils.parse to reject JSON strings with object and array nesting deeper than 255. This is intended to prevent StackOverflowError's in Gson when a parsed JSON string with excessive nesting is serialised, for example to log the claims of a parsed JWT. Note that in Gson the JSON reader is not susceptible to StackOverflowError's, only the serialisation. The nesting limit of depth 255 is introduced in Gson 2.12.0 (iss #583).
  • Updates GSon to 2.12.1.

10.1 (2025-04-03)

  • Restores module-info.java.
  • Adds ExpiredJWTException extends BadJWTException to enable easy programmatic detection whether a JWT has expired (iss #585).
  • Adds URLBasedJWKSetSource getJWKSetURL and getResourceRetriever methods to ease class extension.

10.2 (2025-04-07)

  • Gson is made a direct instead of a shaded dependency to address module issues introduced in 10.1 (iss #550).

10.3 (2025-05-09)

  • Restores the Gson shading, adding placeholder interfaces to prevent NoClassDefFoundError occurrences at runtime when the JAR is used on a module path (iss #550).

10.3.1 (2025-07-01)

  • OctetKeyPairGenerator with Curve.Ed25519 should use the provided SecureRandom (iss #590).

10.4 (2025-07-19)

  • Creates a hierarchy of Option interfaces, extended by JWSSignerOption, JWEEncrypterOption and JWEDecrypterOption. Intended to provide optional configuration parameters to RSASSASigner, ECDSASigner, RSADecrypter, etc.
  • Introduces CipherMode implementing JWEEncrypterOption and JWEDecrypterOption, to specify a preferred JCA Cipher mode, such as MODE_ENCRYPT / MODE_DECRYPT when the default MODE_WRAP / MODE_UNWRAP is not supported by the JCA provider (iss #576).
  • Updates RSAEncrypter and RSADecrypter to support the JWEEncrypterOption CipherMode.ENCRYPT_DECRYPT (iss #576).
  • Factors out OptionUtils.ensureMinRSAPrivateKeySize.
  • Deprecates OptionUtils.optionIsPresent.

10.4.1 (2025-08-05)

  • Adds "requires java.sql" to module com.nimbusds.jose.jwt (iss #595).

10.4.2 (2025-08-14)

  • Updates GSon to 2.13.1.
  • Updates BouncyCastle to 1.81.

... (truncated)

Commits
  • c1f3c44 [maven-release-plugin] prepare release 10.3
  • 93076c1 [maven-release-plugin] prepare for next development iteration
  • 0b56cf0 OctetKeyPairGenerator with Curve.Ed25519 should use the provided SecureRandom...
  • 584951f Adds support for specifying the ScheduledExecutorService-instance in RefreshA...
  • 8c347ff Adds release date for 10.3.1
  • 60d821b Migrates to central-publishing-maven-plugin
  • 0f3191f [maven-release-plugin] prepare release 10.3.1
  • 63b1101 [maven-release-plugin] prepare for next development iteration
  • cd1345b Introduces CipherMode to specify a preferred JCA Cipher mode when the default...
  • 9799fd5 Fixes compile errors - generics (iss #576)
  • Additional commits viewable in compare view

Updates org.webjars.npm:pikaday from 1.7.0 to 1.8.2

Release notes

Sourced from org.webjars.npm:pikaday's releases.

Version 1.8.2

Fixes:

Version 1.8.0

  • Move to github organisation Pikaday/Pikaday
  • Add CSS-classes indicating position
  • Remove the Moment.js optional dependency
  • Add aria label text configuration

Changelog

Sourced from org.webjars.npm:pikaday's changelog.

1.8.2 - 2020-10-22

1.8.0 - 2018-10-17

  • Remove testling because service is not running atm
  • Move to github organisation Pikaday/Pikaday
  • Add CSS-classes indicating position
  • Remove the Moment.js optional dependency
  • Add aria label text configuration

Commits

Updates org.apache.maven.plugins:maven-shade-plugin from 3.2.1 to 3.6.1

Release notes

Sourced from org.apache.maven.plugins:maven-shade-plugin's releases.

3.6.1

📝 Documentation updates

👻 Maintenance

📦 Dependency updates

3.6.0

What's Changed

Full Changelog: apache/maven-shade-plugin@maven-shade-plugin-3.5.3...maven-shade-plugin-3.6.0

3.5.3

What's Changed

Full Changelog: apache/maven-shade-plugin@maven-shade-plugin-3.5.2...maven-shade-plugin-3.5.3

3.5.2

What's Changed

... (truncated)

Commits
  • 06902bd [maven-release-plugin] prepare release maven-shade-plugin-3.6.1
  • 29e9a9d add .git
  • 844e61a use github
  • 43101f9 [maven-release-plugin] prepare release maven-shade-plugin-3.6.1
  • 2ffb28d use release drafter v4 and dependabot to updade gha as well (#750)
  • f5b590e Bump org.codehaus.mojo:mrm-maven-plugin from 1.6.0 to 1.7.0
  • eee0319 Bump org.hamcrest:hamcrest-core from 2.2 to 3.0
  • 0d5a7a4 fix upgrade, remove those useless final
  • 6e5f0f3 Bump org.apache.maven.plugins:maven-plugins from 42 to 45
  • 35febed Bump org.apache.commons:commons-compress from 1.26.2 to 1.28.0
  • Additional commits viewable in compare view


Bumps the minor-and-patch group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| [commons-codec:commons-codec](https://github.com/apache/commons-codec) | `1.17.1` | `1.20.0` |
| [io.undertow:undertow-core](https://github.com/undertow-io/undertow) | `2.3.17.Final` | `2.3.20.Final` |
| [com.fasterxml.jackson.dataformat:jackson-dataformat-cbor](https://github.com/FasterXML/jackson-dataformats-binary) | `2.17.2` | `2.20.1` |
| [org.netpreserve:jwarc](https://github.com/iipc/jwarc) | `0.31.1` | `0.32.0` |
| [com.nimbusds:nimbus-jose-jwt](https://bitbucket.org/connect2id/nimbus-jose-jwt) | `10.0.2` | `10.6` |
| [org.webjars.npm:pikaday](https://github.com/Pikaday/Pikaday) | `1.7.0` | `1.8.2` |
| [org.apache.maven.plugins:maven-shade-plugin](https://github.com/apache/maven-shade-plugin) | `3.2.1` | `3.6.1` |


Updates `commons-codec:commons-codec` from 1.17.1 to 1.20.0
- [Changelog](https://github.com/apache/commons-codec/blob/master/RELEASE-NOTES.txt)
- [Commits](apache/commons-codec@rel/commons-codec-1.17.1...rel/commons-codec-1.20.0)

Updates `io.undertow:undertow-core` from 2.3.17.Final to 2.3.20.Final
- [Release notes](https://github.com/undertow-io/undertow/releases)
- [Commits](undertow-io/undertow@2.3.17.Final...2.3.20.Final)

Updates `com.fasterxml.jackson.dataformat:jackson-dataformat-cbor` from 2.17.2 to 2.20.1
- [Commits](FasterXML/jackson-dataformats-binary@jackson-dataformats-binary-2.17.2...jackson-dataformats-binary-2.20.1)

Updates `org.netpreserve:jwarc` from 0.31.1 to 0.32.0
- [Release notes](https://github.com/iipc/jwarc/releases)
- [Changelog](https://github.com/iipc/jwarc/blob/master/CHANGELOG.md)
- [Commits](iipc/jwarc@v0.31.1...v0.32.0)

Updates `com.nimbusds:nimbus-jose-jwt` from 10.0.2 to 10.6
- [Changelog](https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt)
- [Commits](https://bitbucket.org/connect2id/nimbus-jose-jwt/branches/compare/10.6..10.0.2)

Updates `org.webjars.npm:pikaday` from 1.7.0 to 1.8.2
- [Release notes](https://github.com/Pikaday/Pikaday/releases)
- [Changelog](https://github.com/Pikaday/Pikaday/blob/master/CHANGELOG.md)
- [Commits](Pikaday/Pikaday@1.7.0...1.8.2)

Updates `org.apache.maven.plugins:maven-shade-plugin` from 3.2.1 to 3.6.1
- [Release notes](https://github.com/apache/maven-shade-plugin/releases)
- [Commits](apache/maven-shade-plugin@maven-shade-plugin-3.2.1...maven-shade-plugin-3.6.1)

---
updated-dependencies:
- dependency-name: commons-codec:commons-codec
  dependency-version: 1.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: io.undertow:undertow-core
  dependency-version: 2.3.20.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: com.fasterxml.jackson.dataformat:jackson-dataformat-cbor
  dependency-version: 2.20.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: org.netpreserve:jwarc
  dependency-version: 0.32.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: com.nimbusds:nimbus-jose-jwt
  dependency-version: '10.6'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: org.webjars.npm:pikaday
  dependency-version: 1.8.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: org.apache.maven.plugins:maven-shade-plugin
  dependency-version: 3.6.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and java (Pull requests that update java code) labels Dec 19, 2025

@ato ato merged commit 2820071 into master Dec 19, 2025
6 checks passed
@dependabot dependabot bot deleted the dependabot/maven/minor-and-patch-04870160f5 branch December 19, 2025 00:34