Bump the maven-dependencies group across 1 directory with 7 updates

[dependabot]

Bumps the maven-dependencies group with 7 updates in the / directory:

Package	From	To
org.slf4j:slf4j-api	2.0.17	2.0.18
org.slf4j:slf4j-simple	2.0.17	2.0.18
org.junit.jupiter:junit-jupiter	6.0.3	6.1.0
org.apache.maven.plugins:maven-enforcer-plugin	3.6.2	3.6.3
org.apache.maven.plugins:maven-dependency-plugin	3.10.0	3.11.0
org.apache.maven.plugins:maven-surefire-plugin	3.5.5	3.5.6
org.owasp:dependency-check-maven	12.2.0	12.2.2

Updates org.slf4j:slf4j-api from 2.0.17 to 2.0.18

Updates org.slf4j:slf4j-simple from 2.0.17 to 2.0.18

Updates org.slf4j:slf4j-simple from 2.0.17 to 2.0.18

Updates org.junit.jupiter:junit-jupiter from 6.0.3 to 6.1.0

Release notes

Sourced from org.junit.jupiter:junit-jupiter's releases.

JUnit 6.1.0 = Platform 6.1.0 + Jupiter 6.1.0 + Vintage 6.1.0

See Release Notes.

New Contributors

• @​JarvisCraft made their first contribution in junit-team/junit-framework#5633
• @​Maran23 made their first contribution in junit-team/junit-framework#5644

Full Changelog: junit-team/junit-framework@r6.0.3...r6.1.0

JUnit 6.1.0-RC1 = Platform 6.1.0-RC1 + Jupiter 6.1.0-RC1 + Vintage 6.1.0-RC1

See Release Notes.

New Contributors

• @​mariokhoury4 made their first contribution in junit-team/junit-framework#4574
• @​Ogu1208 made their first contribution in junit-team/junit-framework#5145
• @​HyungGeun94 made their first contribution in junit-team/junit-framework#5271
• @​yalishevant made their first contribution in junit-team/junit-framework#5316
• @​JINU-CHANG made their first contribution in junit-team/junit-framework#5290
• @​jaschdoc made their first contribution in junit-team/junit-framework#5427
• @​kawshikbuet17 made their first contribution in junit-team/junit-framework#5561
• @​msridhar made their first contribution in junit-team/junit-framework#5602

Full Changelog: junit-team/junit-framework@r6.1.0-M1...r6.1.0-RC1

JUnit 6.1.0-M1 = Platform 6.1.0-M1 + Jupiter 6.1.0-M1 + Vintage 6.1.0-M1

See Release Notes.

New Contributors

• @​vy made their first contribution in junit-team/junit-framework#5041
• @​Pankraz76 made their first contribution in junit-team/junit-framework#5006
• @​arukiidou made their first contribution in junit-team/junit-framework#5066
• @​laeubi made their first contribution in junit-team/junit-framework#5092
• @​jihun4452 made their first contribution in junit-team/junit-framework#5088
• @​TWiStErRob made their first contribution in junit-team/junit-framework#5133

Full Changelog: junit-team/junit-framework@r6.0.0...r6.1.0-M1

Commits

• 0dc3af1 Release 6.1.0
• 1d13002 Prepare 6.1.0 release notes
• 072b217 Update plugin spotless to v8.5.0 (#5668)
• 3a53480 Update Gradle to v9.5.1 (#5666)
• 0e18a20 Update zizmorcore/zizmor-action action to v0.5.4 (#5669)
• 0a2634f Update github/codeql-action action to v4.35.5 (#5671)
• 4dbd556 Restructure workflows to have single "status" job (#5670)
• f2194ce Increase timeout to reduce flakiness
• 5c8fdd2 Update dependency org.apache.groovy:groovy to v5.0.6 (#5659)
• 43c6982 Update dependency org.slf4j:slf4j-jdk14 to v2.0.18 (#5667)
• Additional commits viewable in compare view

Updates org.apache.maven.plugins:maven-enforcer-plugin from 3.6.2 to 3.6.3

Release notes

Sourced from org.apache.maven.plugins:maven-enforcer-plugin's releases.

3.6.3

🚀 New features and improvements

• Make bannedDependencies report root and transitive dependency in case both are banned. (#940) @​hvoynov
• Add enforceBytecodeVersion rule based on mojohaus (#968) @​cstamas
• Improve formatting of deprecated API warning (#951) @​mthmulders

🐛 Bug Fixes

• Fix handling of Java versions like 21.0.10.0.1 (#967) @​parttimenerd
• Add null checks for modelId in PluginWrapper (#974) @​cpfeiffer

📝 Documentation updates

• Document the banMavenDefaults option for the requirePluginVersions rule. (#936) @​rpkrajewski

👻 Maintenance

• PlexusStringUtils Refaster recipes (#943) @​slachiewicz
• JUnit Jupiter migration from JUnit 4.x (#941) @​slachiewicz

📦 Dependency updates

• Bump org.apache.logging.log4j:log4j-core from 2.25.3 to 2.25.4 in /maven-enforcer-plugin/src/it/projects/MENFORCER-434 (#970) @dependabot[bot]
• Deps: Parent POM 48 and align deps (#979) @​cstamas
• Bump commons-codec:commons-codec from 1.21.0 to 1.22.0 (#976) @dependabot[bot]
• Bump commons-io:commons-io from 2.21.0 to 2.22.0 (#975) @dependabot[bot]
• Bump mavenVersion from 3.9.14 to 3.9.15 (#973) @dependabot[bot]
• Bump mavenVersion from 3.9.13 to 3.9.14 (#965) @dependabot[bot]
• Bump mavenVersion from 3.9.12 to 3.9.13 (#964) @dependabot[bot]
• Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness from 3.5.0 to 3.5.1 (#963) @dependabot[bot]
• Update log4j in test to avoid CVE (#961) @​Bukama
• Bump commons-codec:commons-codec from 1.20.0 to 1.21.0 (#962) @dependabot[bot]
• Bump org.assertj:assertj-core from 3.27.6 to 3.27.7 (#960) @dependabot[bot]
• Bump org.codehaus.mojo:mrm-maven-plugin from 1.7.0 to 1.7.1 (#959) @dependabot[bot]
• Bump org.apache.maven:maven-parent from 46 to 47 (#958) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-archiver from 4.10.4 to 4.11.0 (#957) @dependabot[bot]
• Update to 46 including fixes (#955) @​Bukama
• Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness from 3.3.0 to 3.5.0 (#956) @dependabot[bot]
• Bump mavenVersion from 3.9.11 to 3.9.12 (#948) @dependabot[bot]
• Bump org.apache.commons:commons-lang3 from 3.19.0 to 3.20.0 (#947) @dependabot[bot]
• Bump commons-io:commons-io from 2.20.0 to 2.21.0 (#946) @dependabot[bot]
• Bump commons-codec:commons-codec from 1.19.0 to 1.20.0 (#945) @dependabot[bot]

Commits

• c7daff3 [maven-release-plugin] prepare release enforcer-3.6.3
• ee46e78 Make bannedDependencies report root and transitive dependency in case both ar...
• 0806924 Document the banMavenDefaults option for the requirePluginVersions rule. (#936)
• 8e4f5b9 Add better enforceBytecodeVersion rule based on mojohaus (#968)
• fd4b148 Add fix for 21.0.10.0.1 issue (#967)
• f32d597 Deps: Parent POM 48 and align deps (#979)
• df0f2a6 Bump commons-codec:commons-codec from 1.21.0 to 1.22.0 (#976)
• 2da7a68 Add null checks for modelId in PluginWrapper
• 91eb4d9 Bump commons-io:commons-io from 2.21.0 to 2.22.0 (#975)
• b622245 Bump mavenVersion from 3.9.14 to 3.9.15 (#973)
• Additional commits viewable in compare view

Updates org.apache.maven.plugins:maven-dependency-plugin from 3.10.0 to 3.11.0

Release notes

Sourced from org.apache.maven.plugins:maven-dependency-plugin's releases.

3.11.0

🚀 New features and improvements

• Add dependency:add and dependency:remove goals (#1599) @​brunoborges
• Added ability to provide arbitrary dependencies to properties mojo (#1561) @​treilhes

🐛 Bug Fixes

• Fix artifact relocation support (#1633) @​slawekjaranowski
• fix: fix addParentPoms=true causes repositories to be ignored. (#1585) @​k-wall
• Fix false positive in analyze-exclusions with transitive dependency exclusion (#1628) @​slawekjaranowski
• Make AbstractAnalyzeMojo.filterArtifactsByScope() null-safe (#1622) @​elharo
• Prevent NPE in BuildClasspathMojo.appendArtifactPath() when an artifact has no resolved file (#1623) @​elharo
• Log unpacking at debug level (#1624) @​elharo
• Resolve plugins declared in pluginManagement for resolve-plugins and go-offline (#1603) @​slawekjaranowski
• Fix analyze-exclusions crashes if there is no dependencyManagement element (#1597) @​JackPGreen

👻 Maintenance

• Enable ITs for dependency:remove and use mock dependencies (#1613) @​slawekjaranowski
• More meaningful assertions (#1611) @​elharo
• Cure various typos IntelliJ complains about (#1612) @​elharo
• Remove unused jansi dependency (#1606) @​slawekjaranowski
• Enable ITs for dependecy:add and use mock dependencies (#1610) @​slawekjaranowski
• Cleaner exception handling (#1566) @​elharo

📦 Dependency updates

• Manage ASM version 9.10 to support JDK 27 (#1632) @​slawekjaranowski
• Bump eu.maveniverse.maven.domtrip:domtrip-core from 1.5.0 to 1.5.1 (#1631) @dependabot[bot]
• Bump eu.maveniverse.maven.domtrip:domtrip-maven from 1.5.0 to 1.5.1 (#1630) @dependabot[bot]
• Bump mavenVersion from 3.9.15 to 3.9.16 (#1626) @dependabot[bot]
• Bump org.apache.maven.shared:maven-dependency-analyzer from 1.17.0 to 1.17.1 (#1627) @dependabot[bot]
• Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.18.0 in /src/it/projects/remove-dependency/basic (#1607) @dependabot[bot]
• Bump org.apache.maven.plugins:maven-plugins from 47 to 48 (#1605) @dependabot[bot]
• Bump mavenVersion from 3.9.14 to 3.9.15 (#1601) @dependabot[bot]
• Bump org.jsoup:jsoup from 1.22.1 to 1.22.2 (#1602) @dependabot[bot]
• Bump org.apache.maven.doxia:doxia-sink-api from 2.0.0 to 2.1.0 (#1595) @dependabot[bot]
• Bump org.fusesource.jansi:jansi from 2.4.2 to 2.4.3 (#1596) @dependabot[bot]
• Bump mavenVersion from 3.9.12 to 3.9.14 (#1594) @dependabot[bot]
• Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness from 3.5.0 to 3.5.1 (#1589) @dependabot[bot]

Commits

• c186d05 [maven-release-plugin] prepare release maven-dependency-plugin-3.11.0
• 3712611 Fix artifact relocation support
• e873e0e Manage ASM version 9.10 to support JDK 27
• 70b5356 fix: fix addParentPoms=true causes repositories to be ignored. (#1585)
• 51d8939 Fix false positive in analyze-exclusions with transitive dependency exclusion...
• 02b865b Bump eu.maveniverse.maven.domtrip:domtrip-core from 1.5.0 to 1.5.1
• 04f4de1 Bump eu.maveniverse.maven.domtrip:domtrip-maven from 1.5.0 to 1.5.1
• 2812490 Bump mavenVersion from 3.9.15 to 3.9.16
• ce117da Bump org.apache.maven.shared:maven-dependency-analyzer
• aea7a64 Prevent NPE (#1622)
• Additional commits viewable in compare view

Updates org.apache.maven.plugins:maven-surefire-plugin from 3.5.5 to 3.5.6

Release notes

Sourced from org.apache.maven.plugins:maven-surefire-plugin's releases.

3.5.6

🚀 New features and improvements

• Introduce reportTestTimestamp option and include timestamp for test sets and test cases (#3261) (#3302) @​olamy

🐛 Bug Fixes

• Issue #2613 Debugging failsafe tests: Message 'Listening for transport dt_socket at address' is not displayed anymore when using maven.surefire.debug (#3353) (#3354) @​olamy
• Ensure that the statistics filename is calculated only once. (#3326) (#3327) @​olamy
• Add flakes attribute to use in testsuite report (#3306) (#3308) @​olamy
• [BACKPORT 3.5.x] [SUREFIRE-2049] - Fix SHUTDOWN type lost during command serialization. (#3270) (#3289) @​olamy
• fix: null guard for context map (#3269) (#3272) @​olamy

👻 Maintenance

• 3.5.x/bug/cherry pick embedded mode its (#3328) @​olamy
• Use surefire 3.5.5 by project itself for testing (#3324) @​slawekjaranowski
• Follow Oracle javadoc guidelines (#3177) @​elharo

📦 Dependency updates

• Bump org.fusesource.jansi:jansi from 2.4.2 to 2.4.3 (#3334) @dependabot[bot]
• Bump commons-io:commons-io from 2.21.0 to 2.22.0 (#3350) @dependabot[bot]

Commits

• 25ea054 [maven-release-plugin] prepare release surefire-3.5.6
• e5f374c Bump org.fusesource.jansi:jansi from 2.4.2 to 2.4.3
• dadd55b Issue #2613 Debugging failsafe tests: Message 'Listening for transport dt_soc...
• 39dd250 Bump commons-io:commons-io from 2.21.0 to 2.22.0
• 2774273 Ensure that the statistics filename is calculated only once. (#3326) (#3327)
• 0d5df8a 3.5.x/bug/cherry pick embedded mode its (#3328)
• 04ad9a2 Use surefire 3.5.5 by project itself for testing
• 37e8f69 Add flakes attribute to use in testsuite report (#3306) (#3308)
• a970fef Introduce reportTestTimestamp option and include timestamp for test sets and ...
• e838393 deploy 3.5.x branch to nexus
• Additional commits viewable in compare view

Updates org.owasp:dependency-check-maven from 12.2.0 to 12.2.2

Release notes

Sourced from org.owasp:dependency-check-maven's releases.

Version 12.2.2

Refer to the CHANGELOG.md for information about improvements and upgrade notes.

Version 12.2.1

Refer to the CHANGELOG.md for information about improvements and upgrade notes.

Changelog

Sourced from org.owasp:dependency-check-maven's changelog.

Version 12.2.2 (2026-05-03)

NOTE: The database schema was updated to fix #8466 - if using an external database the update scripts must be run!

• feat: improve Sonatype Guide / OSS Index cache handling and insufficient credits error reporting (#8451)
• feat: support and prefer githubID vuln identifiers from RetireJS (#8419)
• fix(db): widen reference URL column to handle long Mozilla CVE URLs (#8467)
• fix: add corepack to docker image (#8386)
• fix: bump open-vulnerability-clients to resolve NVD timestamp parsing errors (#8427)
• fix: de-duplicate and sort both includedBy and projectReferences in reports (#8440)
• fix: migrate default OSS Index API URL to Sonatype Guide; supporting optional username (#8404)
• docs: correct missing documentation for Gradle plugin (#8431)
• docs: tweak docs site structure; documenting missing analyzers (#8462)
• chore: remove spurious bundle-audit log line when there are no errors (#8454)
• chore: tidy CHANGELOG formatting (#8414)
• chore(fp): remove duplicate log4j FP suppressions (#8468)
• build(deps): bump apache.ant.version from 1.10.16 to 1.10.17 (#8416)
• build(deps): bump com.fasterxml.jackson:jackson-bom from 2.21.2 to 2.21.3 (#8465)
• build(deps): bump com.google.guava:guava from 33.5.0-jre to 33.6.0-jre (#8420)
• build(deps): bump com.mysql:mysql-connector-j from 9.6.0 to 9.7.0 (#8445)
• build(deps): bump commons-codec:commons-codec from 1.21.0 to 1.22.0 (#8453)
• build(deps): bump commons-io:commons-io from 2.21.0 to 2.22.0 (#8448)
• build(deps): bump httpcomponents.client.version from 5.6 to 5.6.1 (#8432)
• build(deps): bump joda-time:joda-time from 2.14.1 to 2.14.2 (#8464)
• build(deps): bump org.apache.maven.plugins:maven-invoker-plugin from 3.9.1 to 3.10.0 (#8452)
• build(deps): bump org.jsoup:jsoup from 1.22.1 to 1.22.2 (#8437)
• build(deps): bump org.postgresql:postgresql from 42.7.10 to 42.7.11 (#8463)
• build(deps): bump the actions-deps group with 8 updates (#8472)

See the full listing of changes

Version 12.2.1 (2026-04-11)

• fix(core): correct xml schema validation handling without needing external access (#8272)
• fix(deps): upgrade slf4j and logback (#8306)
• fix(test): disable pnpm analyzer during test (#8305)
• fix: Correct published/hosted suppressions namespace header and indent (#8258)
• fix: Suppress noisy WARN logging from Apache Lucene within Maven and Ant plugins (#8248)
• fix: #8140 AssemblyAnalyzer version resolution issue (#8352)
• fix: #8140 fix version resolution
• fix: #8140 hint azure_identity_library_for_.net
• fix: #8356 narrow down VersionFilterAnalyzer scope to JAR files (#8358)
• fix: correct parsing for CVSSv4 strings with Provider Urgency (#8377)
• fix: evidence source in Retire JS analyzer (#8303)
• fix: exclude deprecations from Yarn Berry audit results (#8380)
• fix: improve PEAnalyzer reliability by migrating to maintained PE/COFF 4J library fork (#8245)
• fix: improve configuration consistency (casing) (#8355)
• fix: improve logging of unexpected Java Errors during processing of NVD (#8250)
• fix: raw type warning in ProcessReader (#8324)
• fix: suppress false positives for zabbix-utils #8087 (#8218)

... (truncated)

Commits

• b51290f build: prepare release v12.2.2
• 70070a9 docs: release 12.2.2
• 47aa0c7 fix: widen reference URL column to handle long Mozilla CVE URLs (#8467)
• 1de40c0 build(deps): bump the actions-deps group with 8 updates (#8472)
• 74678b0 build(deps): bump com.fasterxml.jackson:jackson-bom from 2.21.2 to 2.21.3 (#8...
• 3f83d80 build(deps): bump org.postgresql:postgresql from 42.7.10 to 42.7.11 (#8463)
• 04387c3 build(deps): bump commons-codec:commons-codec from 1.21.0 to 1.22.0 (#8453)
• 11e1771 build(deps): bump org.apache.maven.plugins:maven-invoker-plugin from 3.9.1 to...
• e850545 chore(fp): remove duplicate log4j FP suppressions (#8468)
• 9acbb33 feat: improve Sonatype Guide / OSS Index cache handling and insufficient cred...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions