fix(deps): bump the prod-deps group across 1 directory with 9 updates

[dependabot]

Bumps the prod-deps group with 6 updates in the / directory:

Package	From	To
org.springframework.boot:spring-boot-starter-parent	3.5.5	4.0.2
org.folio:folio-service-tools-spring-dev	5.0.0	5.0.1
commons-io:commons-io	2.20.0	2.21.0
io.hypersistence:hypersistence-utils-hibernate-63	3.11.0	3.14.1
com.jayway.jsonpath:json-path	2.9.0	2.10.0
com.puppycrawl.tools:checkstyle	11.0.1	13.0.0

Updates org.springframework.boot:spring-boot-starter-parent from 3.5.5 to 4.0.2

Release notes

Sourced from org.springframework.boot:spring-boot-starter-parent's releases.

v4.0.2

⚠️ Noteworthy Changes

• The dependency on org.eclipse.jetty.ee11:jetty-ee11-servlets has been removed from spring-boot-jetty as it was unnecessary and unused. If your application code depends on a class from jetty-ee11-servlets, declare a dependency on it in your build configuration. #48677

🐞 Bug Fixes

• No TransactionAutoConfiguration with spring-boot-starter-kafka for Spring Boot 4 #48880
• Evaluation of bean conditions unnecessarily queries the bean factory for types that are not present #48840
• When a bean condition references a type that is not present, it appears as ? in the condition evaluation report #48838
• SessionAutoConfiguration creates a DefaultCookieSerializer with a default SameSite of null instead of Lax #48830
• Setting graphql schema location to "classpath*:graphql/**/" causes failure due to incorrectly packaged test resource #48829
• Message interpolation by MVC and WebFlux's Validators does not work correctly in a native image #48828
• CloudFoundry integration fails in Servlet-based web app without a dependency on spring-boot-starter-restclient #48826
• RestTestClientAutoConfiguration and TestRestTemplateAutoConfiguration should be package-private #48820
• SSL metrics are no longer auto-configured #48819
• Actuator /info endpoint fails in Java 25 Native Image (VirtualThreadSchedulerMXBean support) #48812
• DataSourceBuilder cannot create oracle.ucp.jdbc.PoolDataSourceImpl in a native image #48703
• The spring-boot-cloudfoundry module should only have an optional dependency on spring-boot-security #48685
• Application JAR created by extract command is not reproductible #48678
• AOT processing of tests should not be disabled when 'skipTests' is set #48662
• @SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT) is no longer applied to the management server #48653
• Fix zero-length byte buffer in InspectedContent #48650
• Can no longer override JacksonJsonHttpMessageConverter with ServerHttpMessageConvertersCustomizer #48635
• HttpServiceClientProperties incorrectly uses the @ConfigurationProperties annotation on a LinkedHashMap class #48616
• spring-boot-micrometer-tracing-opentelemetry fails if spring-boot-opentelemetry isn't there #48585
• App fails to start with starter-webmvc and starter-zipkin #48581
• Micrometer test modules should have an api dependency on micrometer-observation-test #48386

📔 Documentation

• Fix typo in REST client documentation #48907
• Remove duplicate word #48874
• Document support for configuring arguments passed to Docker Compose #48806
• The documentation related to EnvironmentPostProcessor links to deprecated interface #48803
• Update documentation for Buildpack's AOT Cache support #48769
• Correct docs to use new location for error handling configuration properties #48767
• Document spring-boot-starter-cloudfoundry on Cloud Foundry Support Page #48675
• Clarify javadoc to make it clear that HazelcastConfigCustomizer beans are only applied if Hazelcast is configured via a config file #48659
• Example using excludeDevtools property should document that optional dependencies should be enabled #48641
• Fix grammar and typos in the reference guide #48601
• Update Tracing section for Spring Boot 4's modularity #48576

🔨 Dependency Upgrades

• Upgrade to Classmate 1.7.3 #48783
• Upgrade to Elasticsearch Client 9.2.3 #48721
• Upgrade to Hibernate 7.2.1.Final #48857
• Upgrade to HttpClient5 5.5.2 #48784
• Upgrade to Jackson 2 Bom 2.20.2 #48910

... (truncated)

Commits

• fae3545 Release v4.0.2
• 9fde744 Merge branch '3.5.x' into 4.0.x
• 650236d Remove breaking and unnecessary Undertow TLS with RSA test
• 547bc77 Upgrade to Spring Batch 6.0.2
• 4387cbb Upgrade to Jackson Bom 3.0.4
• abec26e Polish
• f677fba Upgrade to Spring Integration 7.0.2
• 849c2ee Upgrade to Spring GraphQL 2.0.2
• facd456 Upgrade to Nullability Plugin 0.0.10
• e99c08f Merge branch '3.5.x' into 4.0.x
• Additional commits viewable in compare view

Updates org.folio:folio-service-tools-spring-dev from 5.0.0 to 5.0.1

Release notes

Sourced from org.folio:folio-service-tools-spring-dev's releases.

v5.0.1

Dependencies

• Bump RMB from 35.4.0 to 35.4.1 (FST-98)
• Bump Vertx from 4.5.13 to 4.5.22

Changelog

Sourced from org.folio:folio-service-tools-spring-dev's changelog.

v5.0.1 2025-12-11

Dependencies

• Bump RMB from 35.4.0 to 35.4.1 (FST-98)
• Bump Vertx from 4.5.13 to 4.5.22

---

Commits

• 5cf7f8b [maven-release-plugin] prepare release v5.0.1
• 12c99d8 feat(deps): upgrade to RMB 35.4.1
• bb62fb1 [maven-release-plugin] prepare for next development iteration
• See full diff in compare view

Updates org.springframework.kafka:spring-kafka from 3.3.9 to 4.0.2

Release notes

Sourced from org.springframework.kafka:spring-kafka's releases.

v4.0.2

⭐ New Features

• Remove TODO comment and unnecessary null checks for getBeanName() #4253
• Standardize usage of @Serial annotation for serialVersionUID #4236
• @BackOff does not recognize the __listener placeholder #4232

🐞 Bug Fixes

• Duplicated metric "spring.kafka.listener" increment when RetryableTopic enabled #4230

📔 Documentation

• Fix reference of deprecated serde APIs in docs #4244
• Update example Javadoc for EnableKafka annotations #4239
• Correct method javadoc #4229
• Fix plural words rendering in docs #4201

🔨 Dependency Upgrades

• Bump com.fasterxml.jackson:jackson-bom from 2.20.1 to 2.20.2 #4256
• Bump org.springframework:spring-framework-bom from 7.0.2 to 7.0.3 #4252
• Bump io.micrometer:micrometer-tracing-bom from 1.6.1 to 1.6.2 #4251
• Bump io.projectreactor:reactor-bom from 2025.0.1 to 2025.0.2 #4249
• Bump org.springframework.data:spring-data-bom from 2025.1.1 to 2025.1.2 #4248
• Bump io.micrometer:micrometer-bom from 1.16.1 to 1.16.2 #4247
• Bump org.junit:junit-bom from 6.0.1 to 6.0.2 #4237
• Bump log4jVersion from 2.25.2 to 2.25.3 #4226

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​david-parkk, @​jjank, @​ngocnhan-tran1996, and @​quaff

v4.0.1

⭐ New Features

• Allow telling Spring to ignore an argument when identifying the type #4210
• Polish unchecked warning suppression in KafkaEvent #4183
• Remove unnecessary stream method #4181

🐞 Bug Fixes

• Unable to properly serialize/deserialize null values with JackJsonSerializer/Deserializer in Kotlin #4205
• [GraalVM Native] DefaultJwtValidator ClassNotFoundException is thrown with kafka-clients 4.1.1 #4190
• @KafkaListener with Both topics and topicPartitions Breaks @RetryableTopic #4170

📔 Documentation

... (truncated)

Commits

• 17106fb [artifactory-release] Release version 4.0.2
• 33e93d3 Bump com.fasterxml.jackson:jackson-bom from 2.20.1 to 2.20.2 (#4256)
• 2b7c4b7 Bump org.springframework:spring-framework-bom from 7.0.2 to 7.0.3 (#4252)
• 2ca9c72 Remove TODO comment and unnecessary null checks for getBeanName()
• 3d8fadc Bump io.micrometer:micrometer-tracing-bom from 1.6.1 to 1.6.2 (#4251)
• da258db Bump io.projectreactor:reactor-bom from 2025.0.1 to 2025.0.2 (#4249)
• c168423 Bump org.springframework.data:spring-data-bom from 2025.1.1 to 2025.1.2 (#4248)
• fb6cbb1 Bump io.micrometer:micrometer-bom from 1.16.1 to 1.16.2 (#4247)
• 622aa3f Fix plural words rendering in docs (#4201)
• b8b9be0 Fix reference of deprecated serde APIs in docs (#4244)
• Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-configuration-processor from 3.5.5 to 4.0.2

Release notes

Sourced from org.springframework.boot:spring-boot-configuration-processor's releases.

v4.0.2

⚠️ Noteworthy Changes

• The dependency on org.eclipse.jetty.ee11:jetty-ee11-servlets has been removed from spring-boot-jetty as it was unnecessary and unused. If your application code depends on a class from jetty-ee11-servlets, declare a dependency on it in your build configuration. #48677

🐞 Bug Fixes

• No TransactionAutoConfiguration with spring-boot-starter-kafka for Spring Boot 4 #48880
• Evaluation of bean conditions unnecessarily queries the bean factory for types that are not present #48840
• When a bean condition references a type that is not present, it appears as ? in the condition evaluation report #48838
• SessionAutoConfiguration creates a DefaultCookieSerializer with a default SameSite of null instead of Lax #48830
• Setting graphql schema location to "classpath*:graphql/**/" causes failure due to incorrectly packaged test resource #48829
• Message interpolation by MVC and WebFlux's Validators does not work correctly in a native image #48828
• CloudFoundry integration fails in Servlet-based web app without a dependency on spring-boot-starter-restclient #48826
• RestTestClientAutoConfiguration and TestRestTemplateAutoConfiguration should be package-private #48820
• SSL metrics are no longer auto-configured #48819
• Actuator /info endpoint fails in Java 25 Native Image (VirtualThreadSchedulerMXBean support) #48812
• DataSourceBuilder cannot create oracle.ucp.jdbc.PoolDataSourceImpl in a native image #48703
• The spring-boot-cloudfoundry module should only have an optional dependency on spring-boot-security #48685
• Application JAR created by extract command is not reproductible #48678
• AOT processing of tests should not be disabled when 'skipTests' is set #48662
• @SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT) is no longer applied to the management server #48653
• Fix zero-length byte buffer in InspectedContent #48650
• Can no longer override JacksonJsonHttpMessageConverter with ServerHttpMessageConvertersCustomizer #48635
• HttpServiceClientProperties incorrectly uses the @ConfigurationProperties annotation on a LinkedHashMap class #48616
• spring-boot-micrometer-tracing-opentelemetry fails if spring-boot-opentelemetry isn't there #48585
• App fails to start with starter-webmvc and starter-zipkin #48581
• Micrometer test modules should have an api dependency on micrometer-observation-test #48386

📔 Documentation

• Fix typo in REST client documentation #48907
• Remove duplicate word #48874
• Document support for configuring arguments passed to Docker Compose #48806
• The documentation related to EnvironmentPostProcessor links to deprecated interface #48803
• Update documentation for Buildpack's AOT Cache support #48769
• Correct docs to use new location for error handling configuration properties #48767
• Document spring-boot-starter-cloudfoundry on Cloud Foundry Support Page #48675
• Clarify javadoc to make it clear that HazelcastConfigCustomizer beans are only applied if Hazelcast is configured via a config file #48659
• Example using excludeDevtools property should document that optional dependencies should be enabled #48641
• Fix grammar and typos in the reference guide #48601
• Update Tracing section for Spring Boot 4's modularity #48576

🔨 Dependency Upgrades

• Upgrade to Classmate 1.7.3 #48783
• Upgrade to Elasticsearch Client 9.2.3 #48721
• Upgrade to Hibernate 7.2.1.Final #48857
• Upgrade to HttpClient5 5.5.2 #48784
• Upgrade to Jackson 2 Bom 2.20.2 #48910

... (truncated)

Commits

• fae3545 Release v4.0.2
• 9fde744 Merge branch '3.5.x' into 4.0.x
• 650236d Remove breaking and unnecessary Undertow TLS with RSA test
• 547bc77 Upgrade to Spring Batch 6.0.2
• 4387cbb Upgrade to Jackson Bom 3.0.4
• abec26e Polish
• f677fba Upgrade to Spring Integration 7.0.2
• 849c2ee Upgrade to Spring GraphQL 2.0.2
• facd456 Upgrade to Nullability Plugin 0.0.10
• e99c08f Merge branch '3.5.x' into 4.0.x
• Additional commits viewable in compare view

Updates org.projectlombok:lombok from 1.18.38 to 1.18.42

Changelog

Sourced from org.projectlombok:lombok's changelog.

v1.18.42 (September 18th, 2025)

• FEATURE: All the various @Log annotations now allow you to change their access level (they still default to private). #2280. Thanks to new contributor Liam Pace!
• BUGFIX: Javadoc parsing was broken in Netbeans and ErrorProne for JDK25 #3940.

v1.18.40 (September 4th, 2025)

• PLATFORM: JDK25 support added #3859.
• BUGFIX: Recent versions of eclipse (or the eclipse-based java lang server for VSCode) caused java.lang.IllegalArgumentException: Document does not match the AST. [Issue #3886](projectlombok/lombok#3886).
• PERFORMANCE: @ExtensionMethod is now significantly faster [Issue #3866](projectlombok/lombok#3866).
• BUGFIX: the command line config tool would emit incorrect output for nullity annotations. [Issue #3931](projectlombok/lombok#3931).
• FEATURE: @Jacksonized @Accessors(fluent=true) automatically creates the relevant annotations such that Jackson correctly identifies fluent accessors. [Issue #3265](projectlombok/lombok#3265), [Issue #3270](projectlombok/lombok#3270).
• IMPROBABLE BREAKING CHANGE: From versions 1.18.16 to 1.18.38, lombok automatically copies certain Jackson annotations (e.g., @JsonProperty) from fields to the corresponding accessors (getters/setters). However, it turned out to be harmful in certain situations. Thus, Lombok does not automatically copy those annotations any more. You can restore the old behavior using the config key lombok.copyJacksonAnnotationsToAccessors = true.

Commits

• 2031eb0 [release] pre-release version bump for v1.18.42
• c95a6c1 Merge branch 'logger-access'
• 71d85ca #2280 Add delivery of this 'access for logging' to the changelog.
• 99ba3e3 [trivial] Slightly reworded the javadoc on each @Log annotation's `access()...
• e9cf11e [trivial][style]
• a6d5568 [deprecation] Marked AccessLevel.MODULE as deprecated. It was written for a...
• 492011d Refactored to use Javac/Eclipse utility function
• c1f7f66 Update copyright in logger files
• f63f40a Add myself to AUTHORS
• 9152c34 Fix failing tests
• Additional commits viewable in compare view

Updates commons-io:commons-io from 2.20.0 to 2.21.0

Changelog

Sourced from commons-io:commons-io's changelog.

Apache Commons IO 2.22.0 Release Notes

The Apache Commons IO team is pleased to announce the release of Apache Commons IO 2.22.0.

Introduction

The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

This is a feature and maintenance release. Java 8 or later is required.

New features

o Add and use IOUtils.closeQuietlyAdd(Closeable, Throwable) #818. Thanks to Gary Gregory.

Fixed Bugs

o Fix Apache RAT plugin console warnings. Thanks to Gary Gregory. o ByteArraySeekableByteChannel.position(long) and truncate(long) shouldn't throw an IllegalArgumentException for a new positive position that's too large #817. Thanks to Gary Gregory, Piotr P. Karwasz. o Fix malformed Javadoc comments. Thanks to Gary Gregory. o ReadAheadInputStream.close() doesn't always close its filtered input stream. Thanks to Stanislav Fort, Gary Gregory.

Changes

o Bump org.apache.commons:commons-parent from 91 to 96 #816. Thanks to Gary Gregory, Dependabot. o Bump commons-codec:commons-codec from 1.19.0 to 1.20.0 #812. Thanks to Gary Gregory, Dependabot. o Bump commons.bytebuddy.version from 1.17.8 to 1.18.4 #814, #820. Thanks to Gary Gregory, Dependabot. o Bump commons-lang3 from 3.19.0 to 3.20.0. Thanks to Gary Gregory, Dependabot.

Commons IO 2.7 and up requires Java 8 or above. Commons IO 2.6 requires Java 7 or above. Commons IO 2.3 through 2.5 requires Java 6 or above. Commons IO 2.2 requires Java 5 or above. Commons IO 1.4 requires Java 1.3 or above.

Historical list of changes: https://commons.apache.org/proper/commons-io/changes.html

For complete information on Apache Commons IO, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Commons IO website:

https://commons.apache.org/proper/commons-io/

Download page: https://commons.apache.org/proper/commons-io/download_io.cgi

... (truncated)

Commits

• 54073d3 Prepare for the release candidate 2.21.0 RC1
• f141f09 Prepare for the next release candidate
• adcf135 Add license header
• 0f499d0 Use new oak logo
• 34a961c Use HTTPS in URL
• 9e51118 Use HTTPS in URL
• d715865 Add dependabot email [skip ci]
• 3d6a7e1 Javadoc
• ad875d5 Bump actions/upload-artifact from 4.6.2 to 5.0.0 (#810)
• bc01dee Bump github/codeql-action from 4.30.9 to 4.31.2 (#811)
• Additional commits viewable in compare view

Updates io.hypersistence:hypersistence-utils-hibernate-63 from 3.11.0 to 3.14.1

Changelog

Sourced from io.hypersistence:hypersistence-utils-hibernate-63's changelog.

Version 3.14.1 - December 17, 2025

Deprecate all ArrayTypes, with the exception of the EnumArrayType #823

Version 3.14.0 - December 16, 2025

The Hibernate SessionFactory cannot be built due to a ClassCastException after upgrading to 3.13.3 #821

Add support for Hibernate 7.2.0.CR4

Version 3.13.3 - December 12, 2025

ArrayType causes org.hibernate.tool.schema.spi.SchemaManagementException: Schema-validation: wrong column type encountered in column found (Types#ARRAY), but expecting (Types#OTHER) #697

Version 3.13.2 - December 03, 2025

Change SQLStatementCountMismatchException to extend AssertionError #820

Version 3.13.1 - December 01, 2025

Change the signature of the SequenceOptimizerGenerator.configure method for Hibernate 7.1 #818

Add a null check for the XProperty JsonType parameter #814

Version 3.13.0 - December 01, 2025

Add SequenceOptimizer as an alternative to the deprecated GenericGenerator #817

Add support for registering the Jackson KotlinModule when using Kotlin #816

Version 3.12.0 - November 09, 2025

Add support for Short identifiers in BatchSequenceGenerator #813

Replace JdbcOperationQuerySelect with JdbcOperation for Hibernate 7.2.0.CR1 #812

Commits

• b28c619 [maven-release-plugin] prepare release hypersistence-utils-parent-3.14.1
• e0590a0 Update changelog for the 3.14.1 release
• 8812b18 Deprecate all ArrayTypes, with the exception of the EnumArrayType #823
• 0895613 Bump version up
• 1c3b14e [maven-release-plugin] prepare for next development iteration
• acc9347 [maven-release-plugin] prepare release hypersistence-utils-parent-3.14.0
• 57d5869 Update changelog for the 3.14.0 release
• 1200e6a The Hibernate SessionFactory cannot be built due to a ClassCastException afte...
• e434ecd Upgrade Hibernate version to 7.2.0.Final
• 76d2011 Add support for Hibernate 7.2.0.CR4
• Additional commits viewable in compare view

Updates com.jayway.jsonpath:json-path from 2.9.0 to 2.10.0

Release notes

Sourced from com.jayway.jsonpath:json-path's releases.

json-path-2.10.0

What's Changed

• Bumps dependency versions by @​kallestenflo in json-path/JsonPath#1057
  • net.minidev:json-smart:2.6.0
  • org.slf4j:slf4j-api:2.0.17
  • com.google.code.gson:gson:2.13.2
  • org.hamcrest:hamcrest:3.0
  • com.fasterxml.jackson.core:jackson-databind:2.19.2
  • org.json:json:20250517
  • org.apache.tapestry:tapestry-json:5.9.0
  • jakarta.json:jakarta.json-api:2.1.3
  • jakarta.json.bind:jakarta.json.bind-api:2.0.0

Full Changelog: json-path/JsonPath@json-path-2.9.0...json-path-2.10.0

Commits

• a427387 Release 2.10.0 (#1058)
• 8e3b92f Bumps dependency versions (#1057)
• 45333e0 [CI] Remove Java 18 from build matrix (#1005)
• 3732a85 Upgrade net.minidev:json-smart from 2.5.0 to 2.5.1 (#1004)
• 2d4cc06 Upgrade to gradle 8.5 and add java 21 build (#995)
• 83ced52 Remove web-test project (#994)
• af031cd Upgrade to junit-jupiter (#993)
• 0ed52b4 Prepare next version
• See full diff in compare view

Updates com.puppycrawl.tools:checkstyle from 11.0.1 to 13.0.0

Release notes

Sourced from com.puppycrawl.tools:checkstyle's releases.

checkstyle-13.0.0

Checkstyle 13.0.0 - https://checkstyle.org/releasenotes.html#Release_13.0.0

Breaking backward compatibility:

#17430 - Use jdk21 as minimial required

Bug fixes:

#18409 - Remove duplicate violations in WhitespaceAfter and WhitespaceAround in sun_checks.xml

checkstyle-12.3.1

Checkstyle 12.3.1 - https://checkstyle.org/releasenotes.html#Release_12.3.1

Bug fixes:

#17265 - Duplicate violations in WhitespaceAfter and WhitespaceAround in google config #17778 - Add support to properly follow Rule 7.1.1 General Form in Google Style Guide Implementation #18381 - NullPointerException in TextBlockGoogleStyleFormatting with text blocks in annotations #17727 - Need default config in google_checks.xml to forbid lowercase Javadoc beginnings

... (truncated)

Commits

• d02376e [maven-release-plugin] prepare release checkstyle-13.0.0
• e125229 doc: release notes for 13.0.0
• 3e68230 Revert "doc: release notes for 13.0.0"
• 610c605 Issue #17430: migration to jdk21 for release actions
• ace8678 doc: release notes for 13.0.0
• 042527c Issue #17428: Activated MissingNullCaseInSwitch
• e16b3bc Issue #18034: Resolve PIT Mutation Suppression for NonVoidMethodCallMutation ...
• 0cd8f7c infra: use 'React to comment' from Github
• 9e3599a Issue #17674: remove supression
• 80fbe6d infra: revert to 'true' to make it work, see #18507
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions