chore(deps): update all non-major dependencies (3.x)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Pending	Age	Confidence
actions/upload-artifact	action	patch	v7.0.0 → v7.0.1
org.jreleaser:jreleaser-maven-plugin	build	minor	1.23.0 → 1.24.0
org.sonarsource.scanner.maven:sonar-maven-plugin (source)	build	minor	5.5.0.6356 → 5.6.0.6792
org.owasp:dependency-check-maven (source)	build	patch	12.2.0 → 12.2.1	12.2.2

---

Release Notes

actions/upload-artifact (actions/upload-artifact)

v7.0.1

Compare Source

What's Changed

• Update the readme with direct upload details by @​danwkennedy in #​795
• Readme: bump all the example versions to v7 by @​danwkennedy in #​796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in #​797

Full Changelog: actions/upload-artifact@v7...v7.0.1

jreleaser/jreleaser (org.jreleaser:jreleaser-maven-plugin)

v1.24.0

Compare Source

Binaries

https://github.com/jreleaser/jreleaser/wiki/Release-v1.24.0

Changelog

🚀 Features

announce

• c8033ee Support zernio as announcer, closes #​2098

core

• 4586b4a Add a flag to activate reproducible artifacts, closes #​2115

gradle

• 48a2685 Fix access to Task.project at task execution time, closes #​1992

jdks

• bfb88cd Fix inconsistent timeout validation, closes #​2087
• 6dffe57 Add download timeout support to jdks-maven-plugin, closes #​2083

🐛 Fixes

assemble

• af9767b Pass JVM options to generated launcher by jlink, closes #​2090
• e7b4afb Resolve relative launcher symlinks, closes #​1994
• dce1c0f Avoid duplicate resources in Native Image by using -cp option during assemble step, closes #​2094

deploy

• 39250fa Consider PUBLISHED state when checking deployment transition, closes #​2082

gradle

• 2737a31 Add property keys related to deprecated Convention APIs, closes #​2078

packager

• 401af4b Use snap arch in JAVA_HOME, closes #​2027

packagers

• 3736268 Update chocolatey templates, closes #​2107 #​2108
• 1b0e37b Use consistent paths in single-jar Dockerfile template
• 0955463 Use multi-stage build in Docker templates to avoid duplicate layers, closes #​2079

sign

• e820f56 Support PGP subkeys, closes #​2086

🔄️ Changes

packagers

• e5eab0a Fix default Docker entrypoints, closes #​2112 #​2113
• c775aa9 Fine tune multi-stage docker files, closes #​2079

unscoped

• 735a8df More code audit fixes
• 37fc14b Apply suggestions from code audits

🛠 Build

• 7d313fd Fix GH workflows
• d7488ab Update release announcements
• 805a0fd Fix wiki updates
• e20ce15 Fix workflow issues
• 1d195ce Fix update-wiki script
• a94a966 Fix issues found by CodeQL
• af15bca Update GH workflows based on lint audits
• f925bed Update CodeQL settings
• 1ff8029 More GH workflow improvements based on audits
• 4e9bb7d Improve GH workflows based on audits
• ab785d8 Update github workflows in templates
• 161c490 Fix workflow linting issues
• 77d1e3c Pin versions in GH workflows
• 84aa4b9 Fix some linting issues in GH workflows
• 9ef4afe Add version management to release workflow
• 19eb19a Add a GH workflow for linting GH workflows
• 2f79751 Update readme
• f978967 Fix wiki template
• 337c1d3 Update release workflow

📝 Documentation

• 2f0fd0a Add XiaoPengMei as a contributor for code
• 564ed30 Add mhoffrog as a contributor for code
• de84e9e Add PrakarshSrivastav as a contributor for code

⚙️ Dependencies

• 55c0de7 Update ant to 1.10.17
• b058360 Update aws-java-sdk to 2.42.41
• 93f5b77 Update bouncycastle to 1.84
• 9fec8ee Update byte-buddy to 1.18.8
• 3d87d5d Update commons-codec to 1.22.0
• 22b1263 Update commons-io to 2.22.0
• 79ca5e3 Update commons-net to 3.13.0
• 390619b Update cosign to 3.0.6
• b2d7465 Update feign to 13.12
• fc629be Update jsoup to 1.22.2
• f0f7868 Update syft to 1.43.0
• b52e929 Update stax2-api to 4.3.0
• d70d2c3 Update xz to 1.12

---

• 4def722 Releasing version 1.24.0
• f645ecd Bump for next development cycle

Contributors

We'd like to thank the following people for their contributions:

• Andres Almiray (@​aalmiray)
• DavidMei (@​XiaoPengMei)
• Eduards Jemarks
• Julien Ruaux (@​jruaux)
• Marcin P. (@​p-marcin)
• Marius Barbulescu
• Markus Hoffrogge
• Patrick Reimers
• Prakarsh (@​PrakarshSrivastav)

SonarSource/sonar-scanner-maven (org.sonarsource.scanner.maven:sonar-maven-plugin)

v5.6.0.6792

Compare Source

Release notes - Sonar Scanner for Maven - 5.6

Maintenance

SCANMAVEN-318 Update Orchestrator and fix e2e matrix
SCANMAVEN-324 Convert e2e tests to invoker
SCANMAVEN-346 Fix CI failure
SCANMAVEN-347 Automate detection of sonar:sonar shorthand failure
SCANMAVEN-348 Bump org.assertj:assertj-core from 3.26.3 to 3.27.7 in /sonar-maven-plugin
SCANMAVEN-349 Remove Maven 4 e2e tests from promotion requirements
SCANMAVEN-356 Add automated release workflow
SCANMAVEN-357 Licence packaging standard - Maven Scanner
SCANMAVEN-358 Create SonarUpdateCenterRelease.yml
SCANMAVEN-361 Add issue-categories in automated release
SCANMAVEN-363 Fix e2e tests with Maven 4
SCANMAVEN-364 Do not run nightly builds on weekends
SCANMAVEN-365 Set up orchestrator cache
SCANMAVEN-366 Update sonar-scanner-java-library to 4.1.0.1619
SCANMAVEN-367 Update sonar-scanner-java-library to 4.1.1.1633
SCANMAVEN-369 Update parent pom to 87.0.0.3057

Feature

SCANMAVEN-281 Irrelevant encrypted properties are not filtered out in multi-module project with "sonar" in the name

dependency-check/DependencyCheck (org.owasp:dependency-check-maven)

v12.2.1

Compare Source

• build: improve GHA workflow experience for forks (#​8285)
• build: use maven jdk toolchains to build with Java 25; test against Java 11/17/21/25 (#​8292)
• chore: avoid use of parent pom and maven properties where unnecessary (#​8322)
• chore: bump java development to 25.0 (#​8365)
• chore: fix Charset warnings; preferring typed charsets (#​8326)
• chore: fix Maven scm tags after 12.2.1-SNAPSHOT bump (#​8265)
• chore: pin GitHub actions to specific SHAs rather than mutable tags (#​8381)
• chore: remove unused properties and schemas (#​8378)
• docs: define schema locations in XML examples (#​8254)
• docs: document external data sources and hostnames (#​8219)
• docs: ensure OSS Index URL override is consistently documented (#​8338)
• docs: fix minor typo in README (#​8246)
• fix(core): correct xml schema validation handling without needing external access (#​8272)
• fix(deps): upgrade slf4j and logback (#​8306)
• fix(test): disable pnpm analyzer during test (#​8305)
• fix: Correct published/hosted suppressions namespace header and indent (#​8258)
• fix: Suppress noisy WARN logging from Apache Lucene within Maven and Ant plugins (#​8248)
• fix: #​8140 AssemblyAnalyzer version resolution issue (#​8352)
• fix: #​8140 fix version resolution
• fix: #​8140 hint azure_identity_library_for_.net
• fix: #​8356 narrow down VersionFilterAnalyzer scope to JAR files (#​8358)
• fix: correct parsing for CVSSv4 strings with Provider Urgency (#​8377)
• fix: evidence source in Retire JS analyzer (#​8303)
• fix: exclude deprecations from Yarn Berry audit results (#​8380)
• fix: improve PEAnalyzer reliability by migrating to maintained PE/COFF 4J library fork (#​8245)
• fix: improve configuration consistency (casing) (#​8355)
• fix: improve logging of unexpected Java Errors during processing of NVD (#​8250)
• fix: raw type warning in ProcessReader (#​8324)
• fix: suppress false positives for zabbix-utils #​8087 (#​8218)
• fix: update docs (#​8405)
• fix: warn if deprecated configs are used (#​8366)
• test: Make tests locale independent (#​8328)
• test: #​8140 reproduce current behavior
• test: avoid polluting test classpaths with sample dependencies to be scanned (#​8267)

See the full listing of changes

---

Configuration

📅 Schedule: (in timezone Europe/Oslo)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (3.x@baf498a). Learn more about missing BASE report.

Additional details and impacted files

@@          Coverage Diff           @@
##             3.x     #295   +/-   ##
======================================
  Coverage       ?   89.35%           
  Complexity     ?      244           
======================================
  Files          ?       16           
  Lines          ?      827           
  Branches       ?       63           
======================================
  Hits           ?      739           
  Misses         ?       63           
  Partials       ?       25           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.