Skip to content

chore(deps): Consolidated dependency updates#2631

Merged
cmgrote merged 3 commits into
mainfrom
dependencies
Jul 13, 2026
Merged

chore(deps): Consolidated dependency updates#2631
cmgrote merged 3 commits into
mainfrom
dependencies

Conversation

@cmgrote

@cmgrote cmgrote commented Jul 13, 2026

Copy link
Copy Markdown
Collaborator

Summary

Consolidates 18 dependency PRs into a single update.

Updates

Dependency Version Change Original PR
jackson 2.22.0 → 2.22.1 #2616
co.elastic.clients:elasticsearch-java 9.4.2 → 9.4.3 #2600
log4j 2.26.0 → 2.26.1 #2605
awssdk 2.46.15 → 2.47.5 #2628
com.google.cloud:libraries-bom 26.84.0 → 26.85.0 #2619
de.siegmar:fastcsv 4.3.0 → 4.3.1 #2594
io.swagger.parser.v3:swagger-parser 2.1.44 → 2.1.45 #2587
pkl 0.31.1 → 0.32.0 #2622
io.openlineage:openlineage-java 1.50.0 → 1.51.0 #2612
jetty 12.1.10 → 12.1.11 #2615
netty 4.2.15.Final → 4.2.16.Final #2611
io.opentelemetry:opentelemetry-bom 1.63.0 → 1.64.0 #2629
com.diffplug.spotless:spotless-plugin-gradle 8.7.0 → 8.8.0 #2596
org.pkl-lang:org.pkl-lang.gradle.plugin 0.31.1 → 0.32.0 #2623
actions/setup-java v5.3.0 → v5.5.0 #2617
docker/login-action v4.2.0 → v4.4.0 #2609
docker/setup-buildx-action v4.1.0 → v4.2.0 #2606
docker/build-push-action v7.2.0 → v7.3.0 #2602

Original PRs

Consolidated: #2616, #2600, #2605, #2628, #2619, #2594, #2587, #2622, #2612, #2615, #2611, #2629, #2596, #2623, #2617, #2609, #2606, #2602

Excluded

These are held back because they need Gradle 9 or are deferred major bumps:


Generated by /consolidate-deps skill

Consolidates updates from the following dependency PRs:
- #2616: Bump jackson from 2.22.0 to 2.22.1
- #2600: Bump co.elastic.clients:elasticsearch-java from 9.4.2 to 9.4.3
- #2605: Bump log4j from 2.26.0 to 2.26.1
- #2628: Bump awssdk from 2.46.15 to 2.47.5
- #2619: Bump com.google.cloud:libraries-bom from 26.84.0 to 26.85.0
- #2594: Bump de.siegmar:fastcsv from 4.3.0 to 4.3.1
- #2587: Bump io.swagger.parser.v3:swagger-parser from 2.1.44 to 2.1.45
- #2622: Bump pkl from 0.31.1 to 0.32.0
- #2612: Bump io.openlineage:openlineage-java from 1.50.0 to 1.51.0
- #2615: Bump jetty from 12.1.10 to 12.1.11
- #2611: Bump netty from 4.2.15.Final to 4.2.16.Final
- #2629: Bump io.opentelemetry:opentelemetry-bom from 1.63.0 to 1.64.0
- #2614: Bump com.gradleup.shadow from 9.4.2 to 9.5.1
- #2596: Bump com.diffplug.spotless:spotless-plugin-gradle from 8.7.0 to 8.8.0
- #2623: Bump org.pkl-lang:org.pkl-lang.gradle.plugin from 0.31.1 to 0.32.0
- #2617: Bump actions/setup-java from 5.3.0 to 5.5.0
- #2609: Bump docker/login-action from 4.2.0 to 4.4.0
- #2606: Bump docker/setup-buildx-action from 4.1.0 to 4.2.0
- #2602: Bump docker/build-push-action from 7.2.0 to 7.3.0

Excludes #2591 (Gradle 8->9 major) and #2627 (simple-java-mail 8->9 major).

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Chris (He/Him) <cgrote@gmail.com>
@cmgrote cmgrote added the dependencies Pull requests that update a dependency file label Jul 13, 2026
@cmgrote cmgrote enabled auto-merge July 13, 2026 08:55
@socket-security

socket-security Bot commented Jul 13, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedco.elastic.clients/​elasticsearch-java@​9.4.2 ⏵ 9.4.336 -6410090100100
Updatedcom.fasterxml.jackson.core/​jackson-databind@​2.22.0 ⏵ 2.22.136 -64100 +290100100
Updatedcom.fasterxml.jackson.module/​jackson-module-kotlin@​2.22.0 ⏵ 2.22.13610090100100
Updatedio.openlineage/​openlineage-java@​1.50.0 ⏵ 1.51.03610090100100
Updatedorg.eclipse.jetty/​jetty-http@​12.1.10 ⏵ 12.1.11361009010070
Updatedorg.pkl-lang/​pkl-config-java-all@​0.31.1 ⏵ 0.32.03610090100100
Updatedorg.eclipse.jetty.http2/​jetty-http2-common@​12.1.10 ⏵ 12.1.1140 -601009010070 -30
Updatedsoftware.amazon.awssdk/​sts@​2.46.15 ⏵ 2.47.55010095100100
Updatedorg.eclipse.jetty/​jetty-server@​12.1.10 ⏵ 12.1.1156 -4410099 +910070 -30
Updatedio.netty/​netty-common@​4.2.15.Final ⏵ 4.2.16.Final58 -42100100 +1175100
Updatedorg.apache.logging.log4j/​log4j-core@​2.26.0 ⏵ 2.26.16010010010080
Updatedsoftware.amazon.awssdk/​s3@​2.46.15 ⏵ 2.47.561100100100100
Updatedio.netty/​netty-codec-http2@​4.2.15.Final ⏵ 4.2.16.Final64 -36100100 +1175100
Updatedorg.eclipse.jetty.http2/​jetty-http2-hpack@​12.1.10 ⏵ 12.1.1199 -11009010070 -30
Updatedorg.eclipse.jetty.http2/​jetty-http2-server@​12.1.10 ⏵ 12.1.1197 -31009010070 -30
Updatedorg.eclipse.jetty/​jetty-bom@​12.1.10 ⏵ 12.1.111001009010070
Updatedcom.fasterxml.jackson.dataformat/​jackson-dataformat-yaml@​2.22.0 ⏵ 2.22.194 -61009010080 -19
Updatedcom.google.cloud/​libraries-bom@​26.84.0 ⏵ 26.85.010010090100100
Updatedde.siegmar/​fastcsv@​4.3.0 ⏵ 4.3.195 -510090100100
Updatedio.swagger.parser.v3/​swagger-parser@​2.1.44 ⏵ 2.1.4510010090100100
Updatedorg.apache.logging.log4j/​log4j-slf4j2-impl@​2.26.0 ⏵ 2.26.19810090100100
Updatedorg.pkl-lang/​pkl-codegen-kotlin@​0.31.1 ⏵ 0.32.09910090100100
Updatedorg.pkl-lang/​pkl-config-kotlin@​0.31.1 ⏵ 0.32.09710090100100
Updatedio.opentelemetry/​opentelemetry-bom@​1.63.0 ⏵ 1.64.0N/AN/AN/AN/AN/A

View full report

@socket-security

socket-security Bot commented Jul 13, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: maven com.fasterxml.jackson.core:jackson-databind is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: gradle/libs.versions.tomlmaven/com.fasterxml.jackson.core/jackson-databind@2.22.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/com.fasterxml.jackson.core/jackson-databind@2.22.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: maven com.fasterxml.jackson.core:jackson-databind is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: gradle/libs.versions.tomlmaven/com.fasterxml.jackson.core/jackson-databind@2.22.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/com.fasterxml.jackson.core/jackson-databind@2.22.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: maven io.netty:netty-transport is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?maven/io.netty/netty-codec-http2@4.2.16.Finalmaven/io.netty/netty-transport@4.2.16.Final

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/io.netty/netty-transport@4.2.16.Final. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: maven org.apache.logging.log4j:log4j-core is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: gradle/libs.versions.tomlmaven/org.apache.logging.log4j/log4j-core@2.26.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/org.apache.logging.log4j/log4j-core@2.26.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: maven org.apache.logging.log4j:log4j-core is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: gradle/libs.versions.tomlmaven/org.apache.logging.log4j/log4j-core@2.26.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/org.apache.logging.log4j/log4j-core@2.26.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: maven org.apache.logging.log4j:log4j-core is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: gradle/libs.versions.tomlmaven/org.apache.logging.log4j/log4j-core@2.26.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/org.apache.logging.log4j/log4j-core@2.26.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: maven org.apache.logging.log4j:log4j-core is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: gradle/libs.versions.tomlmaven/org.apache.logging.log4j/log4j-core@2.26.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/org.apache.logging.log4j/log4j-core@2.26.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: maven org.eclipse.jetty:jetty-server is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: gradle/libs.versions.tomlmaven/org.eclipse.jetty/jetty-server@12.1.11

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/org.eclipse.jetty/jetty-server@12.1.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: maven org.graalvm.truffle:truffle-api is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?maven/org.pkl-lang/pkl-codegen-kotlin@0.32.0maven/org.graalvm.truffle/truffle-api@25.0.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/org.graalvm.truffle/truffle-api@25.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: maven org.pkl-lang:pkl-config-java-all is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: gradle/libs.versions.tomlmaven/org.pkl-lang/pkl-config-java-all@0.32.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/org.pkl-lang/pkl-config-java-all@0.32.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: maven org.snakeyaml:snakeyaml-engine is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?maven/org.pkl-lang/pkl-codegen-kotlin@0.32.0maven/org.snakeyaml/snakeyaml-engine@3.0.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/org.snakeyaml/snakeyaml-engine@3.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Shadow plugin 9.5.1 calls AdhocComponentWithVariants.addVariantsFromConfiguration(Provider, Action),
a Gradle 9 API absent in Gradle 8.14.3, causing a NoSuchMethodError at plugin-apply time and
failing both pr-build and pr-test. Reverting to 9.4.2 until the Gradle 9 wrapper bump (#2591) lands.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Chris (He/Him) <cgrote@gmail.com>
@cmgrote cmgrote merged commit 474a5ab into main Jul 13, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant