Bump the all-maven-dependencies group across 2 directories with 4 updates

[dependabot]

Bumps the all-maven-dependencies group with 4 updates in the / directory: org.springframework.boot:spring-boot-dependencies, org.springframework.boot:spring-boot-maven-plugin, com.sap.cloud.security:java-bom and com.diffplug.spotless:spotless-maven-plugin.
Bumps the all-maven-dependencies group with 4 updates in the /srv directory: org.springframework.boot:spring-boot-maven-plugin, org.springframework.boot:spring-boot-dependencies, com.sap.cloud.security:java-bom and com.diffplug.spotless:spotless-maven-plugin.

Updates org.springframework.boot:spring-boot-dependencies from 3.5.11 to 3.5.13

Release notes

Sourced from org.springframework.boot:spring-boot-dependencies's releases.

v3.5.13

⚠️ Attention Required

• Jackson has been upgraded to 2.21.2 in response to the Jackson team ending support for Jackson 2.19.x and 2.20.x. #49365

🐞 Bug Fixes

• WebSocket messaging's task executors are only auto-configured and stompWebSocketHandlerMapping is only forced to be eager when using Jackson #49750
• Metadata annotation processor ignores method-level @NestedConfigurationProperty when using constructor binding #49734
• Override of property in external 'application.properties' or 'application.yaml' is ignored #49724
• Some sliced tests that import TransactionAutoConfiguration do not import TransactionManagerCustomizationAutoConfiguration #49716
• NativeImageResourceProvider does not find Flyway migration scripts in subdirectories #49661
• @GraphQlTest does not include @ControllerAdvice #49660

📔 Documentation

• Fix incorrect indefinite articles in Javadoc #49723
• Add some more Kotlin examples and trivial style fixes #49710

🔨 Dependency Upgrades

• Upgrade to Hibernate 6.6.45.Final #49757
• Upgrade to jOOQ 3.19.31 #49758
• Upgrade to Netty 4.1.132.Final #49759
• Upgrade to Tomcat 10.1.53 #49760
• Upgrade to Undertow 2.3.24.Final #49761
• Upgrade to Zipkin Reporter 3.5.3 #49756

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Joowon-Seo, @​deejay1, @​dlwldnjs1009, and @​ljrmorgan

v3.5.12

🐞 Bug Fixes

• EndpointRequest request matcher for health groups is too complex #49648
• "/cloudfoundryapplication" web path is not limited to Actuator #49645
• RSocket exposes duplicate endpoint for websocket setups #49592
• Fix EndpointRequest.toLinks() when base-path is '/' #49591
• SpringBootContextLoader mentions class that no longer exists in message for classes or locations assertion #49518
• "spring.main.cloud-platform=none" does not disable cloud features #49478
• Using @AutoConfigureWebTestClient prevents separate configuration of spring.test.webtestclient.timeout from taking effect #49340
• Ordering of 'spring.config.import' is inconsistent when defined in environment or system properties #49324
• RouterFunctions descriptions in Actuator do not support nesting #49289
• Maven plugin does not set '-parameters' option when processing AOT code #49268
• SSL support with Docker Compose does not work as documented #49210
• Docker fails when a 'tcp://' address ends with a slash (for example 'tcp://docker:2375/') #49055

... (truncated)

Commits

• 4a4c79f Release v3.5.13
• 696a60e Full auto-configure transaction management in slice tests
• 4b37ecb Upgrade to Undertow 2.3.24.Final
• 32a51d5 Upgrade to Tomcat 10.1.53
• 0934296 Upgrade to Netty 4.1.132.Final
• 851ddda Upgrade to jOOQ 3.19.31
• ef876fe Upgrade to Hibernate 6.6.45.Final
• 2841d87 Upgrade to Zipkin Reporter 3.5.3
• 025b527 Fix WebSocketMessagingAutoConfiguration in the absence of Jackson
• 3282672 Make DevTools tests more tolerant to wrapped DataSource
• Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-maven-plugin from 3.5.11 to 3.5.13

Release notes

Sourced from org.springframework.boot:spring-boot-maven-plugin's releases.

v3.5.13

⚠️ Attention Required

• Jackson has been upgraded to 2.21.2 in response to the Jackson team ending support for Jackson 2.19.x and 2.20.x. #49365

🐞 Bug Fixes

• WebSocket messaging's task executors are only auto-configured and stompWebSocketHandlerMapping is only forced to be eager when using Jackson #49750
• Metadata annotation processor ignores method-level @NestedConfigurationProperty when using constructor binding #49734
• Override of property in external 'application.properties' or 'application.yaml' is ignored #49724
• Some sliced tests that import TransactionAutoConfiguration do not import TransactionManagerCustomizationAutoConfiguration #49716
• NativeImageResourceProvider does not find Flyway migration scripts in subdirectories #49661
• @GraphQlTest does not include @ControllerAdvice #49660

📔 Documentation

• Fix incorrect indefinite articles in Javadoc #49723
• Add some more Kotlin examples and trivial style fixes #49710

🔨 Dependency Upgrades

• Upgrade to Hibernate 6.6.45.Final #49757
• Upgrade to jOOQ 3.19.31 #49758
• Upgrade to Netty 4.1.132.Final #49759
• Upgrade to Tomcat 10.1.53 #49760
• Upgrade to Undertow 2.3.24.Final #49761
• Upgrade to Zipkin Reporter 3.5.3 #49756

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Joowon-Seo, @​deejay1, @​dlwldnjs1009, and @​ljrmorgan

v3.5.12

🐞 Bug Fixes

• EndpointRequest request matcher for health groups is too complex #49648
• "/cloudfoundryapplication" web path is not limited to Actuator #49645
• RSocket exposes duplicate endpoint for websocket setups #49592
• Fix EndpointRequest.toLinks() when base-path is '/' #49591
• SpringBootContextLoader mentions class that no longer exists in message for classes or locations assertion #49518
• "spring.main.cloud-platform=none" does not disable cloud features #49478
• Using @AutoConfigureWebTestClient prevents separate configuration of spring.test.webtestclient.timeout from taking effect #49340
• Ordering of 'spring.config.import' is inconsistent when defined in environment or system properties #49324
• RouterFunctions descriptions in Actuator do not support nesting #49289
• Maven plugin does not set '-parameters' option when processing AOT code #49268
• SSL support with Docker Compose does not work as documented #49210
• Docker fails when a 'tcp://' address ends with a slash (for example 'tcp://docker:2375/') #49055

... (truncated)

Commits

• 4a4c79f Release v3.5.13
• 696a60e Full auto-configure transaction management in slice tests
• 4b37ecb Upgrade to Undertow 2.3.24.Final
• 32a51d5 Upgrade to Tomcat 10.1.53
• 0934296 Upgrade to Netty 4.1.132.Final
• 851ddda Upgrade to jOOQ 3.19.31
• ef876fe Upgrade to Hibernate 6.6.45.Final
• 2841d87 Upgrade to Zipkin Reporter 3.5.3
• 025b527 Fix WebSocketMessagingAutoConfiguration in the absence of Jackson
• 3282672 Make DevTools tests more tolerant to wrapped DataSource
• Additional commits viewable in compare view

Updates com.sap.cloud.security:java-bom from 3.6.8 to 4.0.0

Release notes

Sourced from com.sap.cloud.security:java-bom's releases.

4.0.0

Major release upgrading to Spring Boot 4.x and Jakarta EE 10. Spring Boot 3.x compatibility modules provided.

Breaking Changes

Framework Upgrades:

• Spring Boot 3.x → 4.0.3
• Spring Framework 6.x → 7.0.5
• Spring Security 6.x → 7.0.3
• Jakarta Servlet API 6.0.0 → 6.1.0

Token Client HTTP Change:

• Now uses Java 11 HttpClient by default (no Apache HttpClient dependency)
• Apache HttpClient 4 constructors deprecated (removed in 5.0.0)
• Custom HTTP clients supported via SecurityHttpClientFactory

Removed Modules:

• spring-xsuaa* → use spring-security or spring-security-3
• spring-security-compatibility → use spring-security-3

Token Client Spring Classes:

• Spring-dependent classes moved to new token-client-spring module

New Features

Spring Boot 3.x Compatibility:

• spring-security-3 - Core module for Spring Boot 3.5.9
• resourceserver-security-spring-boot-3-starter - Starter for Spring Boot 3.x

Pluggable HTTP Client:

• Support for Apache HttpClient 4.x/5.x, OkHttp, SAP Cloud SDK, custom implementations

Documentation

• https://github.com/SAP/cloud-security-services-integration-library/blob/main/MIGRATION_4.0.md

https://github.com/SAP/cloud-security-services-integration-library/blob/main/token-client/APACHE_HTTPCLIENT_MIGRATION.md

• https://github.com/SAP/cloud-security-services-integration-library/blob/main/CHANGELOG.md#400---major-release

3.6.9

• Fix token exchange logic in DefaultIdTokenExtension to correctly identify App2App tokens that require exchange (where aud contains a single audience different from azp)

Changelog

Sourced from com.sap.cloud.security:java-bom's changelog.

4.0.0 - Major Release

This is a major release with breaking changes. The library has been upgraded to Spring Boot 4.x and Jakarta EE 10. For applications still on Spring Boot 3.x, compatibility modules are provided. Please check the 4.0 Migration Guide for comprehensive upgrade instructions

⚠️ BREAKING CHANGES

Spring Boot and Jakarta EE Version Upgrades

• Spring Boot: Upgraded from 3.x to 4.0.3
• Spring Framework: Upgraded from 6.x to 7.0.5
• Spring Security: Upgraded from 6.x to 7.0.3
• Jakarta Servlet API: Upgraded from 6.0.0 to 6.1.0
• Java: Minimum version remains Java 17
• JUnit Jupiter: Upgraded from 5.12.2 to 6.0.3

HTTP Client Default Changed

Token-client module now uses Java 11's HttpClient as the default implementation. Apache HttpClient 4 remains available as a dependency for backward compatibility.

Impact:

• ✅ No code changes required if you use the default (parameterless) constructors
• ⚠️ Deprecated constructors added for backward compatibility with Apache HttpClient 4
• ❌ Will be removed in version 5.0.0 - Plan to migrate to Java HttpClient or custom implementation

Deprecated in 4.0.0 (Removed in 5.0.0):

• DefaultOAuth2TokenKeyService(CloseableHttpClient)
• DefaultOAuth2TokenService(CloseableHttpClient)
• DefaultOAuth2TokenService(CloseableHttpClient, TokenCacheConfiguration)
• DefaultOidcConfigurationService(CloseableHttpClient)
• HttpClientFactory interface and DefaultHttpClientFactory implementation

Migration Path:

• Option 1 (Recommended): Use default constructors - Java 11 HttpClient is used automatically
• Option 2 (Temporary): Continue using deprecated constructors with Apache HttpClient 4
• Option 3 (Custom): Implement SecurityHttpClientFactory interface for custom HTTP clients (see CUSTOM_HTTPCLIENT.md)

See the comprehensive Apache HttpClient Migration Guide for detailed migration instructions.

Removed Modules

The following deprecated modules have been removed from the repository:

Removed Module	Replacement	Migration Guide
spring-xsuaa	spring-security (Spring Boot 4.x) or spring-security-3 (Spring Boot 3.x)	Migration Guide
spring-xsuaa-starter	spring-security-starter (Spring Boot 4.x) or spring-security-3-starter (Spring Boot 3.x)	Migration Guide
spring-xsuaa-test	java-security-test	Use JwtGenerator from java-security-test
spring-security-compatibility	spring-security-3	No changes needed, just switch artifact

✨ New Features

... (truncated)

Commits

• 5e226d8 Major release 4 (#1924)
• 2c6f46b fix: Correct token exchange logic for App2App flows in DefaultIdTokenExtensio...
• See full diff in compare view

Updates org.springframework.boot:spring-boot-maven-plugin from 3.5.11 to 3.5.13

Release notes

Sourced from org.springframework.boot:spring-boot-maven-plugin's releases.

v3.5.13

⚠️ Attention Required

• Jackson has been upgraded to 2.21.2 in response to the Jackson team ending support for Jackson 2.19.x and 2.20.x. #49365

🐞 Bug Fixes

• WebSocket messaging's task executors are only auto-configured and stompWebSocketHandlerMapping is only forced to be eager when using Jackson #49750
• Metadata annotation processor ignores method-level @NestedConfigurationProperty when using constructor binding #49734
• Override of property in external 'application.properties' or 'application.yaml' is ignored #49724
• Some sliced tests that import TransactionAutoConfiguration do not import TransactionManagerCustomizationAutoConfiguration #49716
• NativeImageResourceProvider does not find Flyway migration scripts in subdirectories #49661
• @GraphQlTest does not include @ControllerAdvice #49660

📔 Documentation

• Fix incorrect indefinite articles in Javadoc #49723
• Add some more Kotlin examples and trivial style fixes #49710

🔨 Dependency Upgrades

• Upgrade to Hibernate 6.6.45.Final #49757
• Upgrade to jOOQ 3.19.31 #49758
• Upgrade to Netty 4.1.132.Final #49759
• Upgrade to Tomcat 10.1.53 #49760
• Upgrade to Undertow 2.3.24.Final #49761
• Upgrade to Zipkin Reporter 3.5.3 #49756

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Joowon-Seo, @​deejay1, @​dlwldnjs1009, and @​ljrmorgan

v3.5.12

🐞 Bug Fixes

• EndpointRequest request matcher for health groups is too complex #49648
• "/cloudfoundryapplication" web path is not limited to Actuator #49645
• RSocket exposes duplicate endpoint for websocket setups #49592
• Fix EndpointRequest.toLinks() when base-path is '/' #49591
• SpringBootContextLoader mentions class that no longer exists in message for classes or locations assertion #49518
• "spring.main.cloud-platform=none" does not disable cloud features #49478
• Using @AutoConfigureWebTestClient prevents separate configuration of spring.test.webtestclient.timeout from taking effect #49340
• Ordering of 'spring.config.import' is inconsistent when defined in environment or system properties #49324
• RouterFunctions descriptions in Actuator do not support nesting #49289
• Maven plugin does not set '-parameters' option when processing AOT code #49268
• SSL support with Docker Compose does not work as documented #49210
• Docker fails when a 'tcp://' address ends with a slash (for example 'tcp://docker:2375/') #49055

... (truncated)

Commits

• 4a4c79f Release v3.5.13
• 696a60e Full auto-configure transaction management in slice tests
• 4b37ecb Upgrade to Undertow 2.3.24.Final
• 32a51d5 Upgrade to Tomcat 10.1.53
• 0934296 Upgrade to Netty 4.1.132.Final
• 851ddda Upgrade to jOOQ 3.19.31
• ef876fe Upgrade to Hibernate 6.6.45.Final
• 2841d87 Upgrade to Zipkin Reporter 3.5.3
• 025b527 Fix WebSocketMessagingAutoConfiguration in the absence of Jackson
• 3282672 Make DevTools tests more tolerant to wrapped DataSource
• Additional commits viewable in compare view

Updates com.diffplug.spotless:spotless-maven-plugin from 3.3.0 to 3.4.0

Release notes

Sourced from com.diffplug.spotless:spotless-maven-plugin's releases.

Maven Plugin v3.4.0

Added

• Add tableTest format type for standalone .table files. (#2880)

Changes

• Bump default tabletest-formatter version 1.0.1 -> 1.1.1, now works with Java 17+. (#2880)

Lib v3.3.1

Fixed

• GitPrePushHookInstaller didn't work on windows, now fixed. (#2562)

Changelog

Sourced from com.diffplug.spotless:spotless-maven-plugin's changelog.

spotless-lib and spotless-lib-extra releases

If you are a Spotless user (as opposed to developer), then you are probably looking for:

• https://github.com/diffplug/spotless/blob/main/plugin-gradle/CHANGES.md
• https://github.com/diffplug/spotless/blob/main/plugin-maven/CHANGES.md

This document is intended for Spotless developers.

We adhere to the keepachangelog format (starting after version 1.27.0).

[Unreleased]

[4.5.0] - 2026-03-18

Added

• Add tableTest format type for standalone .table files. (#2880)

Changes

• Bump default tabletest-formatter version 1.0.1 -> 1.1.1, now works with Java 17+. (#2880)

[4.4.0] - 2026-03-02

Added

• Add tabletest-formatter support for Java and Kotlin. (#2860)

Fixed

• Fix the ability to specify a wildcard version (*) for external formatter executables, which did not work. (#2848)
• [fix] ConcurrentModificationException in expandWildcardImports (#2830)

[4.3.0] - 2026-01-27

Added

• Add P2Provisioner interface in lib-extra to enable build-tool-specific caching strategies for Eclipse P2 dependencies, fixing OutOfMemoryError in large multi-project builds. (#2788)

Fixed

• removeSemicolons() should not be applied to multiline strings in groovy #2780 (#2792)

[4.2.0] - 2026-01-22

Added

• Add a expandWildcardImports API for java (#2679)
• Add the ability to specify a wildcard version (*) for external formatter executables. (#2757)

Fixed

• Prevent race conditions when multiple npm-based formatters launch the server process simultaneously while sharing the same node_modules directory. (#2786)
• Git ratchet no longer throws an error with Git worktrees. (#2779)

Changes

• Bump default ktfmt version to latest 0.59 -> 0.61. (2804)
• Bump default ktlint version to latest 1.7.1 -> 1.8.0. (2763)
• Bump default gherkin-utils version to latest 9.2.0 -> 10.0.0. (#2619)

[4.1.0] - 2025-11-18

Changes

• Bump default ktfmt version to latest 0.58 -> 0.59. (#2681
• Bump default jackson version to latest 2.20.0 -> 2.20.1. (#2730)
• Bump default cleanthat version to latest 2.23 -> 2.24. (#2620)

... (truncated)

Commits

• 708a1b0 Published maven/3.4.0
• 1cc0163 Published gradle/8.4.0
• a4cd808 Published lib/4.5.0
• 9066bf6 Add links to the changelog.
• db8dc1c Fix for illegal mutation issue with predeclareDeps (#2892)
• 0eb98a9 chore: Updated gradle plugin change
• 3f7f12e chore: Removes check for predeclare as it's not needed anymore
• 55c0c5c fix: IsolatedProjectTest.predeclaredIsUnsupported() is now actually supported...
• 47489af fix: avoid IllegalMutationException when root project uses predeclareDeps() w...
• 4010e8b test: Introduce a test harnessing predeclared deps
• Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-maven-plugin from 3.5.11 to 3.5.13

Release notes

Sourced from org.springframework.boot:spring-boot-maven-plugin's releases.

v3.5.13

⚠️ Attention Required

• Jackson has been upgraded to 2.21.2 in response to the Jackson team ending support for Jackson 2.19.x and 2.20.x. #49365

🐞 Bug Fixes

• WebSocket messaging's task executors are only auto-configured and stompWebSocketHandlerMapping is only forced to be eager when using Jackson #49750
• Metadata annotation processor ignores method-level @NestedConfigurationProperty when using constructor binding #49734
• Override of property in external 'application.properties' or 'application.yaml' is ignored #49724
• Some sliced tests that import TransactionAutoConfiguration do not import TransactionManagerCustomizationAutoConfiguration #49716
• NativeImageResourceProvider does not find Flyway migration scripts in subdirectories #49661
• @GraphQlTest does not include @ControllerAdvice #49660

📔 Documentation

• Fix incorrect indefinite articles in Javadoc #49723
• Add some more Kotlin examples and trivial style fixes #49710

🔨 Dependency Upgrades

• Upgrade to Hibernate 6.6.45.Final #49757
• Upgrade to jOOQ 3.19.31 #49758
• Upgrade to Netty 4.1.132.Final #49759
• Upgrade to Tomcat 10.1.53 #49760
• Upgrade to Undertow 2.3.24.Final #49761
• Upgrade to Zipkin Reporter 3.5.3 #49756

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Joowon-Seo, @​deejay1, @​dlwldnjs1009, and @​ljrmorgan

v3.5.12

🐞 Bug Fixes

• EndpointRequest request matcher for health groups is too complex #49648
• "/cloudfoundryapplication" web path is not limited to Actuator #49645
• RSocket exposes duplicate endpoint for websocket setups #49592
• Fix EndpointRequest.toLinks() when base-path is '/' #49591
• SpringBootContextLoader mentions class that no longer exists in message for classes or locations assertion #49518
• "spring.main.cloud-platform=none" does not disable cloud features #49478
• Using @AutoConfigureWebTestClient prevents separate configuration of spring.test.webtestclient.timeout from taking effect #49340
• Ordering of 'spring.config.import' is inconsistent when defined in environment or system properties #49324
• RouterFunctions descriptions in Actuator do not support nesting #49289
• Maven plugin does not set '-parameters' option when processing AOT code #49268
• SSL support with Docker Compose does not work as documented #49210
• Docker fails when a 'tcp://' address ends with a slash (for example 'tcp://docker:2375/') #49055

... (truncated)

Commits

• 4a4c79f Release v3.5.13
• 696a60e Full auto-configure transaction management in slice tests
• 4b37ecb Upgrade to Undertow 2.3.24.Final
• 32a51d5 Upgrade to Tomcat 10.1.53
• 0934296 Upgrade to Netty 4.1.132.Final
• 851ddda Upgrade to jOOQ 3.19.31
• ef876fe Upgrade to Hibernate 6.6.45.Final
• 2841d87 Upgrade to Zipkin Reporter 3.5.3
• 025b527 Fix WebSocketMessagingAutoConfiguration in the absence of Jackson
• 3282672 Make DevTools tests more tolerant to wrapped DataSource
• Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-dependencies from 3.5.11 to 3.5.13

Release notes

Sourced from org.springframework.boot:spring-boot-dependencies's releases.

v3.5.13

⚠️ Attention Required

• Jackson has been upgraded to 2.21.2 in response to the Jackson team ending support for Jackson 2.19.x and 2.20.x. #49365

🐞 Bug Fixes

• WebSocket messaging's task executors are only auto-configured and stompWebSocketHandlerMapping is only forced to be eager when using Jackson #49750
• Metadata annotation processor ignores method-level @NestedConfigurationProperty when using constructor binding #49734
• Override of property in external 'application.properties' or 'application.yaml' is ignored #49724
• Some sliced tests that import TransactionAutoConfiguration do not import TransactionManagerCustomizationAutoConfiguration #49716
• NativeImageResourceProvider does not find Flyway migration scripts in subdirectories #49661
• @GraphQlTest does not include @ControllerAdvice #49660

📔 Documentation

• Fix incorrect indefinite articles in Javadoc #49723
• Add some more Kotlin examples and trivial style fixes #49710

🔨 Dependency Upgrades

• Upgrade to Hibernate 6.6.45.Final #49757
• Upgrade to jOOQ 3.19.31 #49758
• Upgrade to Netty 4.1.132.Final #49759
• Upgrade to Tomcat 10.1.53 #49760
• Upgrade to Undertow 2.3.24.Final #49761
• Upgrade to Zipkin Reporter 3.5.3 #49756

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Joowon-Seo, @​deejay1, @​dlwldnjs1009, and @​ljrmorgan

v3.5.12

🐞 Bug Fixes

• EndpointRequest request matcher for health groups is too complex #49648
• "/cloudfoundryapplication" web path is not limited to Actuator #49645
• RSocket exposes duplicate endpoint for websocket setups #49592
• Fix EndpointRequest.toLinks() when base-path is '/' #49591
• SpringBootContextLoader mentions class that no longer exists in message for classes or locations assertion #49518
• "spring.main.cloud-platform=none" does not disable cloud features #49478
• Using @AutoConfigureWebTestClient prevents separate configuration of spring.test.webtestclient.timeout from taking effect #49340
• Ordering of 'spring.config.import' is inconsistent when defined in environment or system properties #49324
• RouterFunctions descriptions in Actuator do not support nesting #49289
• Maven plugin does not set '-parameters' option when processing AOT code #49268
• SSL support with Docker Compose does not work as documented #49210
• Docker fails when a 'tcp://' address ends with a slash (for example 'tcp://docker:2375/') #49055

... (truncated)

Commits

• 4a4c79f Release v3.5.13
• 696a60e Full auto-configure transaction management in slice tests
• 4b37ecb Upgrade to Undertow 2.3.24.Final
• 32a51d5 Upgrade to Tomcat 10.1.53
• 0934296 Upgrade to Netty 4.1.132.Final
• 851ddda Upgrade to jOOQ 3.19.31
• ef876fe Upgrade to Hibernate 6.6.45.Final
• 2841d87 Upgrade to Zipkin Reporter 3.5.3
• 025b527 Fix WebSocketMessagingAutoConfiguration in the absence of Jackson
• 3282672 Make DevTools tests more tolerant to wrapped DataSource
• Additional commits viewable in compare view

Updates com.sap.cloud.security:java-bom from 3.6.8 to 4.0.0

Release notes

Sourced from com.sap.cloud.security:java-bom's releases.

4.0.0

Major release upgrading to Spring Boot 4.x and Jakarta EE 10. Spring Boot 3.x compatibility modules provided.

Breaking Changes

Framework Upgrades:

• Spring Boot 3.x → 4.0.3
• Spring Framework 6.x → 7.0.5
• Spring Security 6.x → 7.0.3
• Jakarta Servlet API 6.0.0 → 6.1.0

Token Client HTTP Change:

• Now uses Java 11 HttpClient by default (no Apache HttpClient dependency)
• Apache HttpClient 4 constructors deprecated (removed in 5.0.0)
• Custom HTTP clients supported via SecurityHttpClientFactory

Removed Modules:

• spring-xsuaa* → use spring-security or spring-security-3
• spring-security-compatibility → use spring-security-3

Token Client Spring Classes:

• Spring-dependent classes moved to new token-client-spring module

New Features

Spring Boot 3.x Compatibility:

• spring-security-3 - Core module for Spring Boot 3.5.9
• resourceserver-security-spring-boot-3-starter - Starter for Spring Boot 3.x

Pluggable HTTP Client:

• Support for Apache HttpClient 4.x/5.x, OkHttp, SAP Cloud SDK, custom implementations

Documentation

• https://github.com/SAP/cloud-security-services-integration-library/blob/main/MIGRATION_4.0.md

https://github.com/SAP/cloud-security-services-integration-library/blob/main/token-client/APACHE_HTTPCLIENT_MIGRATION.md

• https://github.com/SAP/cloud-security-services-integration-library/blob/main/CHANGELOG.md#400---major-release

3.6.9

• Fix token exchange logic in DefaultIdTokenExtension to correctly identify App2App tokens that require exchange (where aud contains a single audience different from azp)

Changelog

Sourced from com.sap.cloud.security:java-bom's changelog.

4.0.0 - Major Release

This is a major release with breaking changes. The library has been upgraded to Spring Boot 4.x and Jakarta EE 10. For applications still on Spring Boot 3.x, compatibility modules are provided. Please check the 4.0 Migration Guide for comprehensive upgrade instructions

⚠️ BREAKING CHANGES

Spring Boot and Jakarta EE Version Upgrades

• Spring Boot: Upgraded from 3.x to 4.0.3
• Spring Framework: Upgraded from 6.x to 7.0.5
• Spring Security: Upgraded from 6.x to 7.0.3
• Jakarta Servlet API: Upgraded from 6.0.0 to 6.1.0
• Java: Minimum version remains Java 17
• JUnit Jupiter: Upgraded from 5.12.2 to 6.0.3

HTTP Client Default Changed

Token-client module now uses Java 11's HttpClient as the default implementation. Apache HttpClient 4 remains available as a dependency for backward compatibility.

Impact:

• ✅ No code changes required if you use the default (parameterless) constructors
• ⚠️ Deprecated constructors added for backward compatibility with Apache HttpClient 4
• ❌ Will be removed in version 5.0.0 - Plan to migrate to Java HttpClient or custom implementation

Deprecated in 4.0.0 (Removed in 5.0.0):

• DefaultOAuth2TokenKeyService(CloseableHttpClient)
• DefaultOAuth2TokenService(CloseableHttpClient)
• DefaultOAuth2TokenService(CloseableHttpClient, TokenCacheConfiguration)
• DefaultOidcConfigurationService(CloseableHttpClient)
• HttpClientFactory interface and DefaultHttpClientFactory implementation

Migration Path:

• Option 1 (Recommended): Use default constructors - Java 11 HttpClient is used automatically
• Option 2 (Temporary): Continue using deprecated constructors with Apache HttpClient 4
• Option 3 (Custom): Implement SecurityHttpClientFactory interface for custom HTTP clients (see CUSTOM_HTTPCLIENT.md)

See the comprehensive Apache HttpClient Migration Guide for detailed migration instructions.

Removed Modules

The following deprecated modules have been removed from the repository:

Removed Module	Replacement	Migration Guide
spring-xsuaa	spring-security (Spring Boot 4.x) or spring-security-3 (Spring Boot 3.x)	Migration Guide
spring-xsuaa-starter	spring-security-starter (Spring Boot 4.x) or spring-security-3-starter (Spring Boot 3.x)	Migration Guide
spring-xsuaa-test	java-security-test	Use JwtGenerator from java-security-test
spring-security-compatibility	spring-security-3	No changes needed, just switch artifact

✨ New Features

... (truncated)

Commits

• 5e226d8 Major release 4 (#1924)
• 2c6f46b fix: Correct token exchange logic for App2App flows in DefaultIdTokenExtensio...
• See full diff in compare view

Updates com.diffplug.spotless:spotless-maven-plugin from 3.3.0 to 3.4.0

Release notes

Sourced from com.diffplug.spotless:spotless-maven-plugin's releases.

Maven Plugin v3.4.0

Added

• Add tableTest format type for standalone .table files. (#2880)

Changes

• Bump default tabletest-formatter version 1.0.1 -> 1.1.1, now works with Java 17+. (#2880)

Lib v3.3.1

Fixed

• GitPrePushHookInstaller didn't work on windows, now fixed. (#2562)

Changelog

Sourced from com.diffplug.spotless:spotless-maven-plugin's changelog.

spotless-lib and spotless-lib-extra releases

If you are a Spotless user (as opposed to developer), then you are probably looking for:

• https://github.com/diffplug/spotless/blob/main/plugin-gradle/CHANGES.md
• https://github.com/diffplug/spotless/blob/main/plugin-maven/CHANGES.md

This document is intended for Spotless developers.

We adhere to the keepachangelog format (starting after version 1.27.0).

[Unreleased]

[4.5.0] - 2026-03-18

Added

• Add tableTest format type for standalone .table files. (#2880)

Changes

• Bump default tabletest-formatter version 1.0.1 -> 1.1.1, now works with Java 17+. (#2880)

[4.4.0] - 2026-03-02

Added

• Add tabletest-formatter support for Java and Kotlin. (#2860)

Fixed

• Fix the ability to specify a wildcard version (*) for external formatter executables, which did not work. (#2848)
• [fix] ConcurrentModificationException in expandWildcardImports (#2830)

[...

Description has been truncated