Bump the all-maven-dependencies group across 2 directories with 4 updates

[dependabot]

Bumps the all-maven-dependencies group with 4 updates in the / directory: org.springframework.boot:spring-boot-dependencies, org.springframework.boot:spring-boot-maven-plugin, com.sap.cloud.sdk:sdk-modules-bom and com.sap.cloud.security:java-bom.
Bumps the all-maven-dependencies group with 4 updates in the /srv directory: org.springframework.boot:spring-boot-maven-plugin, org.springframework.boot:spring-boot-dependencies, com.sap.cloud.sdk:sdk-modules-bom and com.sap.cloud.security:java-bom.

Updates org.springframework.boot:spring-boot-dependencies from 3.5.12 to 3.5.14

Release notes

Sourced from org.springframework.boot:spring-boot-dependencies's releases.

v3.5.14

🐞 Bug Fixes

• ApplicationPidFileWriter does not handle symlinks correctly #50173
• RandomValuePropertySource is not suitable for secrets #50172
• Cassandra auto-configuration misconfigures CqlSessionBuilder #50171
• ApplicationTemp does not handle symlinks correctly #50170
• Remote DevTools performs comparison incorrectly #50169
• spring.rabbitmq.ssl.verify-hostname is applied inconsistently #50168
• EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #50035
• Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #50033
• Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #50021
• WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #50008
• 500 response from env endpoint when supplied pattern is invalid #49942
• HTTP method is lost when configuring excludes in EndpointRequest #49885
• Docker Compose support doesn't work with apache/artemis image #49865
• Honor HttpMethod for reactive additional endpoint paths #49864
• Docker Compose support doesn't work with apache/activemq image #49863
• Imports on a containing test class are ignored when a nested class has imports #49860

📔 Documentation

• Link to the observability section of the Lettuce documentation is broken #50092
• Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location #50083
• MySamlRelyingPartyConfiguration is missing a Kotlin sample #50023
• Incorrect default value for management.httpexchanges.recording.include in configuration metadata #50010
• Link to the Kubernetes documentation when discussing startup probes #50007
• Update docs to encourage Java fundamentals for beginners that prefer to learn that way #49895
• Clarify that configuration property default values are not available through the Environment #49835

🔨 Dependency Upgrades

• Upgrade to Groovy 4.0.31 #49905
• Upgrade to Hibernate 6.6.49.Final #50140
• Upgrade to Jaxen 2.0.1 #50109
• Upgrade to Jaybird 6.0.5 #49907
• Upgrade to Jetty 12.0.34 #49908
• Upgrade to jOOQ 3.19.32 #50110
• Upgrade to Lombok 1.18.46 #50148
• Upgrade to MariaDB 3.5.8 #49909
• Upgrade to Micrometer 1.15.11 #49961
• Upgrade to Micrometer Tracing 1.5.11 #49962
• Upgrade to MySQL 9.7.0 #50161
• Upgrade to Neo4j Java Driver 5.28.13 #50074
• Upgrade to Reactor Bom 2024.0.17 #49963
• Upgrade to Spring AMQP 3.2.10 #49964
• Upgrade to Spring Authorization Server 1.5.7 #49965
• Upgrade to Spring Data Bom 2025.0.11 #49966
• Upgrade to Spring Framework 6.2.18 #49967
• Upgrade to Spring Kafka 3.3.15 #50129

... (truncated)

Commits

• 7d7b3ac Release v3.5.14
• 9dc5aa2 Polish
• f533a45 Do not follow symlinks when writing PID file
• f3b8eb0 Use SecureRandom in RandomValuePropertySource
• e22083a Enable hostname verification for SSL connections to Cassandra
• 5ceb1a2 Improve ApplicationTemp's temporary directory creation
• 4b0862c Use constant-time comparison for remote DevTools secret
• e4febe2 Apply verify-hostname consistently
• 2c2ffe5 Fix Windows test failure
• 0046a44 Protect against corrupt buildpack archives
• Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-maven-plugin from 3.5.12 to 3.5.14

Release notes

Sourced from org.springframework.boot:spring-boot-maven-plugin's releases.

v3.5.14

🐞 Bug Fixes

• ApplicationPidFileWriter does not handle symlinks correctly #50173
• RandomValuePropertySource is not suitable for secrets #50172
• Cassandra auto-configuration misconfigures CqlSessionBuilder #50171
• ApplicationTemp does not handle symlinks correctly #50170
• Remote DevTools performs comparison incorrectly #50169
• spring.rabbitmq.ssl.verify-hostname is applied inconsistently #50168
• EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #50035
• Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #50033
• Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #50021
• WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #50008
• 500 response from env endpoint when supplied pattern is invalid #49942
• HTTP method is lost when configuring excludes in EndpointRequest #49885
• Docker Compose support doesn't work with apache/artemis image #49865
• Honor HttpMethod for reactive additional endpoint paths #49864
• Docker Compose support doesn't work with apache/activemq image #49863
• Imports on a containing test class are ignored when a nested class has imports #49860

📔 Documentation

• Link to the observability section of the Lettuce documentation is broken #50092
• Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location #50083
• MySamlRelyingPartyConfiguration is missing a Kotlin sample #50023
• Incorrect default value for management.httpexchanges.recording.include in configuration metadata #50010
• Link to the Kubernetes documentation when discussing startup probes #50007
• Update docs to encourage Java fundamentals for beginners that prefer to learn that way #49895
• Clarify that configuration property default values are not available through the Environment #49835

🔨 Dependency Upgrades

• Upgrade to Groovy 4.0.31 #49905
• Upgrade to Hibernate 6.6.49.Final #50140
• Upgrade to Jaxen 2.0.1 #50109
• Upgrade to Jaybird 6.0.5 #49907
• Upgrade to Jetty 12.0.34 #49908
• Upgrade to jOOQ 3.19.32 #50110
• Upgrade to Lombok 1.18.46 #50148
• Upgrade to MariaDB 3.5.8 #49909
• Upgrade to Micrometer 1.15.11 #49961
• Upgrade to Micrometer Tracing 1.5.11 #49962
• Upgrade to MySQL 9.7.0 #50161
• Upgrade to Neo4j Java Driver 5.28.13 #50074
• Upgrade to Reactor Bom 2024.0.17 #49963
• Upgrade to Spring AMQP 3.2.10 #49964
• Upgrade to Spring Authorization Server 1.5.7 #49965
• Upgrade to Spring Data Bom 2025.0.11 #49966
• Upgrade to Spring Framework 6.2.18 #49967
• Upgrade to Spring Kafka 3.3.15 #50129

... (truncated)

Commits

• 7d7b3ac Release v3.5.14
• 9dc5aa2 Polish
• f533a45 Do not follow symlinks when writing PID file
• f3b8eb0 Use SecureRandom in RandomValuePropertySource
• e22083a Enable hostname verification for SSL connections to Cassandra
• 5ceb1a2 Improve ApplicationTemp's temporary directory creation
• 4b0862c Use constant-time comparison for remote DevTools secret
• e4febe2 Apply verify-hostname consistently
• 2c2ffe5 Fix Windows test failure
• 0046a44 Protect against corrupt buildpack archives
• Additional commits viewable in compare view

Updates com.sap.cloud.sdk:sdk-modules-bom from 5.27.0 to 5.29.0

Release notes

Sourced from com.sap.cloud.sdk:sdk-modules-bom's releases.

Release 5.29.0

What's Changed

• chore: Use GH app instead of PAT by @​marikaner in SAP/cloud-sdk-java#1140
• chore: bump org.bouncycastle:bcpkix-jdk18on from 1.83 to 1.84 by @​dependabot[bot] in SAP/cloud-sdk-java#1150
• fix: [DevOps] Declare io.grpc:grpc-netty as direct dependency by @​rpanackal in SAP/cloud-sdk-java#1152
• chore: [DevOps] bump com.google.guava:guava from 33.5.0-jre to 33.6.0-jre in the test group by @​dependabot[bot] in SAP/cloud-sdk-java#1154
• fix: Upgrade minor netty version (transitive dependency patch) by @​newtork in SAP/cloud-sdk-java#1155
• fix: Declare dependency updates explicitly while leveraging Netty BOM by @​newtork in SAP/cloud-sdk-java#1156
• Fix: Remove redundant test setup condition by @​newtork in SAP/cloud-sdk-java#1157
• chore: [DevOps] bump the production-major group across 1 directory with 2 updates by @​dependabot[bot] in SAP/cloud-sdk-java#1146

New Contributors

• @​marikaner made their first contribution in SAP/cloud-sdk-java#1140

Full Changelog: https://github.com/SAP/cloud-sdk-java/commits/rel/5.29.0

Release 5.28.0

5.28.0 Release Notes

All Release Changes

🔧 Compatibility Notes

• [OpenAPI Apache Generator] Remove no args constructor in generated API clients.

✨ New Functionality

• Added support for SAP Cloud Identity Services (SCI) sap_id_type and sub claims in OIDC principal extraction. When sap_id_type=user, the sub claim is now used as the Subject Name Identifier (User ID, Email, or Custom Attribute as configured in SCI).

📈 Improvements

• Improved the support for the credential type X509_ATTESTED. HttpDestination objects created via ServiceBindingDestinationLoader no longer need to be re-created for the rotation of certificates to take effect.

🐛 Fixed Issues

• Fixed stateful OData request path construction caused by shared ODataResourcePath instances being mutated when building count, read-by-key, and function requests.
• ODataRequestRead, ODataRequestCount, ODataRequesReadByKey, ODataRequestFunction and ServiceWithNavigableEntitiesImpl now create a defensive copy of the ODataResourcePath to prevent unintended side effects from shared mutable state.

What's Changed

• chore: [DevOps] bump the test group with 2 updates by @​dependabot[bot] in SAP/cloud-sdk-java#1123
• chore: [DevOps] bump the production-minor-patch group with 15 updates by @​dependabot[bot] in SAP/cloud-sdk-java#1122
• feat: Migrate to HttpClient5 in OAuth2Service by @​Jonas-Isr in SAP/cloud-sdk-java#1103
• [Security] Support new sap_id_typeclaim by @​CharlesDuboisSAP in SAP/cloud-sdk-java#1124
• fix: avoid mutating resource paths in ODataRequestCount by @​Louis-Stegra in SAP/cloud-sdk-java#1121
• chore: [DevOps] bump the production-minor-patch group with 8 updates by @​dependabot[bot] in SAP/cloud-sdk-java#1125
• fix: [OpenAPI] Remove generated no args constructor by @​CharlesDuboisSAP in SAP/cloud-sdk-java#1128
• chore: [DevOps] bump com.github.spotbugs:spotbugs-maven-plugin from 4.9.8.2 to 4.9.8.3 in the plugins group by @​dependabot[bot] in SAP/cloud-sdk-java#1133

... (truncated)

Commits

• 1de436f Update to version 5.29.0
• 88ea17d chore: [DevOps] bump the production-major group across 1 directory with 2 upd...
• 7f9526d Fix: Remove redundant test setup condition (#1157)
• d67c4e1 fix: Declare dependency updates explicitly while leveraging Netty BOM (#1156)
• 2acf78b fix: Upgrade minor netty version (transitive dependency patch) (#1155)
• 3eb70a1 chore: [DevOps] bump com.google.guava:guava from 33.5.0-jre to 33.6.0-jre in ...
• 96aa459 fix: [DevOps] Declare io.grpc:grpc-netty as direct dependency (#1152)
• 027585d chore: bump org.bouncycastle:bcpkix-jdk18on from 1.83 to 1.84 (#1150)
• cb54804 chore: Use GH app instead of PAT (#1140)
• fc13905 Release 5.28.0 (#1147)
• Additional commits viewable in compare view

Updates com.sap.cloud.security:java-bom from 3.6.8 to 4.0.4

Release notes

Sourced from com.sap.cloud.security:java-bom's releases.

4.0.4

improve domain validation handling

4.0.3

Fix multi-tenant IAS token exchange to use token issuer URL instead of provider IAS URL from configuration in DefaultIdTokenExtension

4.0.2

• Fix token exchange credential handling to use getClientIdentity() instead of manually checking for certificate vs client secret
• Add IAS certificate properties (certificate, key, credential-type, certurl) to IdentityServicesPropertySourceFactory to properly map X.509 credentials for IAS service bindings

4.0.1

Fix IAS token exchange to use getUrl() instead of getCertUrl() in DefaultIdTokenExtension

4.0.0

Major release upgrading to Spring Boot 4.x and Jakarta EE 10. Spring Boot 3.x compatibility modules provided.

Breaking Changes

Framework Upgrades:

• Spring Boot 3.x → 4.0.3
• Spring Framework 6.x → 7.0.5
• Spring Security 6.x → 7.0.3
• Jakarta Servlet API 6.0.0 → 6.1.0

Token Client HTTP Change:

• Now uses Java 11 HttpClient by default (no Apache HttpClient dependency)
• Apache HttpClient 4 constructors deprecated (removed in 5.0.0)
• Custom HTTP clients supported via SecurityHttpClientFactory

Removed Modules:

• spring-xsuaa* → use spring-security or spring-security-3
• spring-security-compatibility → use spring-security-3

Token Client Spring Classes:

• Spring-dependent classes moved to new token-client-spring module

New Features

Spring Boot 3.x Compatibility:

• spring-security-3 - Core module for Spring Boot 3.5.9
• resourceserver-security-spring-boot-3-starter - Starter for Spring Boot 3.x

Pluggable HTTP Client:

• Support for Apache HttpClient 4.x/5.x, OkHttp, SAP Cloud SDK, custom implementations

Documentation

• https://github.com/SAP/cloud-security-services-integration-library/blob/main/MIGRATION_4.0.md

https://github.com/SAP/cloud-security-services-integration-library/blob/main/token-client/APACHE_HTTPCLIENT_MIGRATION.md

... (truncated)

Changelog

Sourced from com.sap.cloud.security:java-bom's changelog.

4.0.4

• Improve domain validation handling in JwtValidatorBuilder for IAS tokens

4.0.3

• Fix multi-tenant IAS token exchange to use token issuer URL instead of provider IAS URL from configuration in DefaultIdTokenExtension

4.0.2

• Fix token exchange credential handling to use getClientIdentity() instead of manually checking for certificate vs client secret
• Add IAS certificate properties (certificate, key, credential-type, certurl) to IdentityServicesPropertySourceFactory to properly map X.509 credentials for IAS service bindings

4.0.1

• Fix IAS token exchange to use getUrl() instead of getCertUrl() in DefaultIdTokenExtension

4.0.0 - Major Release

This is a major release with breaking changes. The library has been upgraded to Spring Boot 4.x and Jakarta EE 10. For applications still on Spring Boot 3.x, compatibility modules are provided. Please check the 4.0 Migration Guide for comprehensive upgrade instructions

⚠️ BREAKING CHANGES

Spring Boot and Jakarta EE Version Upgrades

• Spring Boot: Upgraded from 3.x to 4.0.3
• Spring Framework: Upgraded from 6.x to 7.0.5
• Spring Security: Upgraded from 6.x to 7.0.3
• Jakarta Servlet API: Upgraded from 6.0.0 to 6.1.0
• Java: Minimum version remains Java 17
• JUnit Jupiter: Upgraded from 5.12.2 to 6.0.3

HTTP Client Default Changed

Token-client module now uses Java 11's HttpClient as the default implementation. Apache HttpClient 4 remains available as a dependency for backward compatibility.

Impact:

• ✅ No code changes required if you use the default (parameterless) constructors
• ⚠️ Deprecated constructors added for backward compatibility with Apache HttpClient 4
• ❌ Will be removed in version 5.0.0 - Plan to migrate to Java HttpClient or custom implementation

Deprecated in 4.0.0 (Removed in 5.0.0):

• DefaultOAuth2TokenKeyService(CloseableHttpClient)
• DefaultOAuth2TokenService(CloseableHttpClient)
• DefaultOAuth2TokenService(CloseableHttpClient, TokenCacheConfiguration)
• DefaultOidcConfigurationService(CloseableHttpClient)
• HttpClientFactory interface and DefaultHttpClientFactory implementation

Migration Path:

• Option 1 (Recommended): Use default constructors - Java 11 HttpClient is used automatically
• Option 2 (Temporary): Continue using deprecated constructors with Apache HttpClient 4

... (truncated)

Commits

• acb1d15 improve domain validation handling (#1945)
• ed3b9ef Bugfix/4.0.2 (#1939)
• ea432c8 Bugfix/4.0.2 (#1938)
• 4dce88b Merge pull request #1936 from SAP/feature/token-client-spring-3-module
• 3073f80 docs: Update migration guide with correct Spring Boot 3.x starter name
• f25b05e refactor: Centralize Spring Boot 3.x versions in parent POM
• c3fba41 feat: Add token-client-spring-3 module for Spring Boot 3.x compatibility
• 315650b Bugfix/id token exchange cert url and release 4.0.1 (#1935)
• 5e226d8 Major release 4 (#1924)
• 2c6f46b fix: Correct token exchange logic for App2App flows in DefaultIdTokenExtensio...
• See full diff in compare view

Updates org.springframework.boot:spring-boot-maven-plugin from 3.5.12 to 3.5.14

Release notes

Sourced from org.springframework.boot:spring-boot-maven-plugin's releases.

v3.5.14

🐞 Bug Fixes

• ApplicationPidFileWriter does not handle symlinks correctly #50173
• RandomValuePropertySource is not suitable for secrets #50172
• Cassandra auto-configuration misconfigures CqlSessionBuilder #50171
• ApplicationTemp does not handle symlinks correctly #50170
• Remote DevTools performs comparison incorrectly #50169
• spring.rabbitmq.ssl.verify-hostname is applied inconsistently #50168
• EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #50035
• Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #50033
• Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #50021
• WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #50008
• 500 response from env endpoint when supplied pattern is invalid #49942
• HTTP method is lost when configuring excludes in EndpointRequest #49885
• Docker Compose support doesn't work with apache/artemis image #49865
• Honor HttpMethod for reactive additional endpoint paths #49864
• Docker Compose support doesn't work with apache/activemq image #49863
• Imports on a containing test class are ignored when a nested class has imports #49860

📔 Documentation

• Link to the observability section of the Lettuce documentation is broken #50092
• Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location #50083
• MySamlRelyingPartyConfiguration is missing a Kotlin sample #50023
• Incorrect default value for management.httpexchanges.recording.include in configuration metadata #50010
• Link to the Kubernetes documentation when discussing startup probes #50007
• Update docs to encourage Java fundamentals for beginners that prefer to learn that way #49895
• Clarify that configuration property default values are not available through the Environment #49835

🔨 Dependency Upgrades

• Upgrade to Groovy 4.0.31 #49905
• Upgrade to Hibernate 6.6.49.Final #50140
• Upgrade to Jaxen 2.0.1 #50109
• Upgrade to Jaybird 6.0.5 #49907
• Upgrade to Jetty 12.0.34 #49908
• Upgrade to jOOQ 3.19.32 #50110
• Upgrade to Lombok 1.18.46 #50148
• Upgrade to MariaDB 3.5.8 #49909
• Upgrade to Micrometer 1.15.11 #49961
• Upgrade to Micrometer Tracing 1.5.11 #49962
• Upgrade to MySQL 9.7.0 #50161
• Upgrade to Neo4j Java Driver 5.28.13 #50074
• Upgrade to Reactor Bom 2024.0.17 #49963
• Upgrade to Spring AMQP 3.2.10 #49964
• Upgrade to Spring Authorization Server 1.5.7 #49965
• Upgrade to Spring Data Bom 2025.0.11 #49966
• Upgrade to Spring Framework 6.2.18 #49967
• Upgrade to Spring Kafka 3.3.15 #50129

... (truncated)

Commits

• 7d7b3ac Release v3.5.14
• 9dc5aa2 Polish
• f533a45 Do not follow symlinks when writing PID file
• f3b8eb0 Use SecureRandom in RandomValuePropertySource
• e22083a Enable hostname verification for SSL connections to Cassandra
• 5ceb1a2 Improve ApplicationTemp's temporary directory creation
• 4b0862c Use constant-time comparison for remote DevTools secret
• e4febe2 Apply verify-hostname consistently
• 2c2ffe5 Fix Windows test failure
• 0046a44 Protect against corrupt buildpack archives
• Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-maven-plugin from 3.5.12 to 3.5.14

Release notes

Sourced from org.springframework.boot:spring-boot-maven-plugin's releases.

v3.5.14

🐞 Bug Fixes

• ApplicationPidFileWriter does not handle symlinks correctly #50173
• RandomValuePropertySource is not suitable for secrets #50172
• Cassandra auto-configuration misconfigures CqlSessionBuilder #50171
• ApplicationTemp does not handle symlinks correctly #50170
• Remote DevTools performs comparison incorrectly #50169
• spring.rabbitmq.ssl.verify-hostname is applied inconsistently #50168
• EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #50035
• Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #50033
• Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #50021
• WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #50008
• 500 response from env endpoint when supplied pattern is invalid #49942
• HTTP method is lost when configuring excludes in EndpointRequest #49885
• Docker Compose support doesn't work with apache/artemis image #49865
• Honor HttpMethod for reactive additional endpoint paths #49864
• Docker Compose support doesn't work with apache/activemq image #49863
• Imports on a containing test class are ignored when a nested class has imports #49860

📔 Documentation

• Link to the observability section of the Lettuce documentation is broken #50092
• Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location #50083
• MySamlRelyingPartyConfiguration is missing a Kotlin sample #50023
• Incorrect default value for management.httpexchanges.recording.include in configuration metadata #50010
• Link to the Kubernetes documentation when discussing startup probes #50007
• Update docs to encourage Java fundamentals for beginners that prefer to learn that way #49895
• Clarify that configuration property default values are not available through the Environment #49835

🔨 Dependency Upgrades

• Upgrade to Groovy 4.0.31 #49905
• Upgrade to Hibernate 6.6.49.Final #50140
• Upgrade to Jaxen 2.0.1 #50109
• Upgrade to Jaybird 6.0.5 #49907
• Upgrade to Jetty 12.0.34 #49908
• Upgrade to jOOQ 3.19.32 #50110
• Upgrade to Lombok 1.18.46 #50148
• Upgrade to MariaDB 3.5.8 #49909
• Upgrade to Micrometer 1.15.11 #49961
• Upgrade to Micrometer Tracing 1.5.11 #49962
• Upgrade to MySQL 9.7.0 #50161
• Upgrade to Neo4j Java Driver 5.28.13 #50074
• Upgrade to Reactor Bom 2024.0.17 #49963
• Upgrade to Spring AMQP 3.2.10 #49964
• Upgrade to Spring Authorization Server 1.5.7 #49965
• Upgrade to Spring Data Bom 2025.0.11 #49966
• Upgrade to Spring Framework 6.2.18 #49967
• Upgrade to Spring Kafka 3.3.15 #50129

... (truncated)

Commits

• 7d7b3ac Release v3.5.14
• 9dc5aa2 Polish
• f533a45 Do not follow symlinks when writing PID file
• f3b8eb0 Use SecureRandom in RandomValuePropertySource
• e22083a Enable hostname verification for SSL connections to Cassandra
• 5ceb1a2 Improve ApplicationTemp's temporary directory creation
• 4b0862c Use constant-time comparison for remote DevTools secret
• e4febe2 Apply verify-hostname consistently
• 2c2ffe5 Fix Windows test failure
• 0046a44 Protect against corrupt buildpack archives
• Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-dependencies from 3.5.12 to 3.5.14

Release notes

Sourced from org.springframework.boot:spring-boot-dependencies's releases.

v3.5.14

🐞 Bug Fixes

• ApplicationPidFileWriter does not handle symlinks correctly #50173
• RandomValuePropertySource is not suitable for secrets #50172
• Cassandra auto-configuration misconfigures CqlSessionBuilder #50171
• ApplicationTemp does not handle symlinks correctly #50170
• Remote DevTools performs comparison incorrectly #50169
• spring.rabbitmq.ssl.verify-hostname is applied inconsistently #50168
• EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #50035
• Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #50033
• Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #50021
• WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #50008
• 500 response from env endpoint when supplied pattern is invalid #49942
• HTTP method is lost when configuring excludes in EndpointRequest #49885
• Docker Compose support doesn't work with apache/artemis image #49865
• Honor HttpMethod for reactive additional endpoint paths #49864
• Docker Compose support doesn't work with apache/activemq image #49863
• Imports on a containing test class are ignored when a nested class has imports #49860

📔 Documentation

• Link to the observability section of the Lettuce documentation is broken #50092
• Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location #50083
• MySamlRelyingPartyConfiguration is missing a Kotlin sample #50023
• Incorrect default value for management.httpexchanges.recording.include in configuration metadata #50010
• Link to the Kubernetes documentation when discussing startup probes #50007
• Update docs to encourage Java fundamentals for beginners that prefer to learn that way #49895
• Clarify that configuration property default values are not available through the Environment #49835

🔨 Dependency Upgrades

• Upgrade to Groovy 4.0.31 #49905
• Upgrade to Hibernate 6.6.49.Final #50140
• Upgrade to Jaxen 2.0.1 #50109
• Upgrade to Jaybird 6.0.5 #49907
• Upgrade to Jetty 12.0.34 #49908
• Upgrade to jOOQ 3.19.32 #50110
• Upgrade to Lombok 1.18.46 #50148
• Upgrade to MariaDB 3.5.8 #49909
• Upgrade to Micrometer 1.15.11 #49961
• Upgrade to Micrometer Tracing 1.5.11...

  Description has been truncated