fix(deps): update all dependencies j:cdx-227

[renovate-coveo]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence	Type	Update
@commitlint/config-conventional (source)	19.5.0 -> 19.8.1					devDependencies	minor
@octokit/auth-app	7.1.2 -> 7.2.2					devDependencies	minor
actions/checkout	v4.2.2 -> v4.3.0					action	minor
actions/checkout	11bd719 -> 08eba0b					action	digest
actions/setup-java	v4.5.0 -> v4.7.1					action	minor
actions/setup-node	v4.1.0 -> v4.4.0					action	minor
actions/upload-artifact	v4.4.3 -> v4.6.2					action	minor
ossf/scorecard-action	v2.4.0 -> v2.4.2					action	patch
step-security/harden-runner	v2.10.1 -> v2.13.0					action	minor
com.diffplug.spotless:spotless-maven-plugin	2.43.0 -> 2.46.1					build	minor
org.apache.maven:maven-model	3.9.9 -> 3.9.11					compile	patch
commons-codec:commons-codec (source)	1.17.1 -> 1.19.0					compile	minor
org.mockito:mockito-core	5.14.2 -> 5.19.0					test	minor
joda-time:joda-time (source)	2.13.0 -> 2.14.0					compile	minor
io.github.cdimascio:dotenv-java	3.0.2 -> 3.2.0					compile	minor
com.google.code.gson:gson	2.11.0 -> 2.13.1					compile	minor
org.apache.logging.log4j:log4j-core (source)	2.24.1 -> 2.25.1					compile	minor
org.apache.maven.plugins:maven-gpg-plugin	3.2.7 -> 3.2.8					build	patch
org.apache.maven.plugins:maven-javadoc-plugin	3.11.1 -> 3.11.3					build	patch

[skip release]

---

Release Notes

conventional-changelog/commitlint (@​commitlint/config-conventional)

v19.8.1

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

v19.8.0

Compare Source

Performance Improvements

• use node: prefix to bypass require.cache call for builtins (#​4302) (0cd8f41)

19.7.1 (2025-02-02)

Note: Version bump only for package @​commitlint/config-conventional

v19.7.1

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

v19.6.0

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

octokit/auth-app.js (@​octokit/auth-app)

v7.2.2

Compare Source

Bug Fixes

• dont lose this reference for loggers (#​708) (58149ef)

v7.2.1

Compare Source

Bug Fixes

• deps: update dependency @​octokit/types to v14 (#​694) (9c2e714)

v7.2.0

Compare Source

Features

• coalesce concurrent authentication calls (#​689) (76398eb)

v7.1.5

Compare Source

Bug Fixes

• deps: update octokit dependencies to mitigate ReDos vulnerability [security] (#​678) (499d1f6)

v7.1.4

Compare Source

Bug Fixes

• deps: bump Octokit deps to fix Deno compat (#​665) (33fd19f)

v7.1.3

Compare Source

Bug Fixes

• deps: replace lru-cache with toad-cache (#​654) (43b97a6)

actions/checkout (actions/checkout)

v4.3.0

Compare Source

What's Changed

• docs: update README.md by @​motss in https://github.com/actions/checkout/pull/1971
• Add internal repos for checking out multiple repositories by @​mouismail in https://github.com/actions/checkout/pull/1977
• Documentation update - add recommended permissions to Readme by @​benwells in https://github.com/actions/checkout/pull/2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in https://github.com/actions/checkout/pull/2044
• Update README.md by @​nebuk89 in https://github.com/actions/checkout/pull/2194
• Update CODEOWNERS for actions by @​TingluoHuang in https://github.com/actions/checkout/pull/2224
• Update package dependencies by @​salmanmkc in https://github.com/actions/checkout/pull/2236
• Prepare release v4.3.0 by @​salmanmkc in https://github.com/actions/checkout/pull/2237

New Contributors

• @​motss made their first contribution in https://github.com/actions/checkout/pull/1971
• @​mouismail made their first contribution in https://github.com/actions/checkout/pull/1977
• @​benwells made their first contribution in https://github.com/actions/checkout/pull/2043
• @​nebuk89 made their first contribution in https://github.com/actions/checkout/pull/2194
• @​salmanmkc made their first contribution in https://github.com/actions/checkout/pull/2236

Full Changelog: actions/checkout@v4...v4.3.0

actions/setup-java (actions/setup-java)

v4.7.1

Compare Source

What's Changed

Documentation changes

• Add Documentation to Recommend Using GraalVM JDK 17 Version to 17.0.12 to Align with GFTC License Terms by @​aparnajyothi-y in https://github.com/actions/setup-java/pull/704
• Remove duplicated GraalVM section in documentation by @​Marcono1234 in https://github.com/actions/setup-java/pull/716

Dependency updates:

• Upgrade @​action/cache from 4.0.0 to 4.0.2 by @​aparnajyothi-y in https://github.com/actions/setup-java/pull/766
• Upgrade @​actions/glob from 0.4.0 to 0.5.0 by @​dependabot in https://github.com/actions/setup-java/pull/744
• Upgrade ts-jest from 29.1.2 to 29.2.5 by @​dependabot in https://github.com/actions/setup-java/pull/743
• Upgrade @​action/cache to 4.0.3 by @​aparnajyothi-y in https://github.com/actions/setup-java/pull/773

Full Changelog: actions/setup-java@v4...v4.7.1

v4.7.0

Compare Source

What's Changed

• Configure Dependabot settings by @​HarithaVattikuti in https://github.com/actions/setup-java/pull/722
• README Update: Added a permissions section by @​benwells in https://github.com/actions/setup-java/pull/723
• Upgrade cache from version 3.2.4 to 4.0.0 by @​aparnajyothi-y in https://github.com/actions/setup-java/pull/724
• Upgrade @actions/http-client from 2.2.1 to 2.2.3 by @​dependabot in https://github.com/actions/setup-java/pull/728
• Upgrade actions/publish-immutable-action from 0.0.3 to 0.0.4 by @​dependabot in https://github.com/actions/setup-java/pull/727
• Upgrade @types/jest from 29.5.12 to 29.5.14 by @​dependabot in https://github.com/actions/setup-java/pull/729

New Contributors

• @​benwells made their first contribution in https://github.com/actions/setup-java/pull/723

Full Changelog: actions/setup-java@v4...v4.7.0

v4.6.0

Compare Source

What's Changed

Add-ons:

• Add Support for JetBrains Runtime by @​gmitch215 in https://github.com/actions/setup-java/pull/637

 - name: Checkout
   uses: actions/checkout@v4
 - name: Setup-java
   uses: actions/setup-java@v4
   with:
     distribution: ‘jetbrains’
     java-version: '21'

Bug fixes:

• Fix Ubuntu-latest CI failures by @​mahabaleshwars in https://github.com/actions/setup-java/pull/693

New Contributors

• @​gmitch215 made their first contribution in https://github.com/actions/setup-java/pull/637

Full Changelog: actions/setup-java@v4...v4.6.0

actions/setup-node (actions/setup-node)

v4.4.0

Compare Source

What's Changed

Bug fixes:

• Make eslint-compact matcher compatible with Stylelint by @​FloEdelmann in https://github.com/actions/setup-node/pull/98
• Add support for indented eslint output by @​fregante in https://github.com/actions/setup-node/pull/1245

Enhancement:

• Support private mirrors by @​marco-ippolito in https://github.com/actions/setup-node/pull/1240

Dependency update:

• Upgrade @​action/cache from 4.0.2 to 4.0.3 by @​aparnajyothi-y in https://github.com/actions/setup-node/pull/1262

New Contributors

• @​FloEdelmann made their first contribution in https://github.com/actions/setup-node/pull/98
• @​fregante made their first contribution in https://github.com/actions/setup-node/pull/1245
• @​marco-ippolito made their first contribution in https://github.com/actions/setup-node/pull/1240

Full Changelog: actions/setup-node@v4...v4.4.0

v4.3.0

Compare Source

What's Changed

Dependency updates

• Upgrade @​actions/glob from 0.4.0 to 0.5.0 by @​dependabot in https://github.com/actions/setup-node/pull/1200
• Upgrade @​action/cache from 4.0.0 to 4.0.2 by @​gowridurgad in https://github.com/actions/setup-node/pull/1251
• Upgrade @​vercel/ncc from 0.38.1 to 0.38.3 by @​dependabot in https://github.com/actions/setup-node/pull/1203
• Upgrade @​actions/tool-cache from 2.0.1 to 2.0.2 by @​dependabot in https://github.com/actions/setup-node/pull/1220

New Contributors

• @​gowridurgad made their first contribution in https://github.com/actions/setup-node/pull/1251

Full Changelog: actions/setup-node@v4...v4.3.0

v4.2.0

Compare Source

What's Changed

• Enhance workflows and upgrade publish-actions from 0.2.2 to 0.3.0 by @​aparnajyothi-y in https://github.com/actions/setup-node/pull/1174
• Add recommended permissions section to readme by @​benwells in https://github.com/actions/setup-node/pull/1193
• Configure Dependabot settings by @​HarithaVattikuti in https://github.com/actions/setup-node/pull/1192
• Upgrade @actions/cache to ^4.0.0 by @​priyagupta108 in https://github.com/actions/setup-node/pull/1191
• Upgrade pnpm/action-setup from 2 to 4 by @​dependabot in https://github.com/actions/setup-node/pull/1194
• Upgrade actions/publish-immutable-action from 0.0.3 to 0.0.4 by @​dependabot in https://github.com/actions/setup-node/pull/1195
• Upgrade semver from 7.6.0 to 7.6.3 by @​dependabot in https://github.com/actions/setup-node/pull/1196
• Upgrade @​types/jest from 29.5.12 to 29.5.14 by @​dependabot in https://github.com/actions/setup-node/pull/1201
• Upgrade undici from 5.28.4 to 5.28.5 by @​dependabot in https://github.com/actions/setup-node/pull/1205

New Contributors

• @​benwells made their first contribution in https://github.com/actions/setup-node/pull/1193

Full Changelog: actions/setup-node@v4...v4.2.0

actions/upload-artifact (actions/upload-artifact)

v4.6.2

Compare Source

What's Changed

• Update to use artifact 2.3.2 package & prepare for new upload-artifact release by @​salmanmkc in https://github.com/actions/upload-artifact/pull/685

New Contributors

• @​salmanmkc made their first contribution in https://github.com/actions/upload-artifact/pull/685

Full Changelog: actions/upload-artifact@v4...v4.6.2

v4.6.1

Compare Source

What's Changed

• Update to use artifact 2.2.2 package by @​yacaovsnc in https://github.com/actions/upload-artifact/pull/673

Full Changelog: actions/upload-artifact@v4...v4.6.1

v4.6.0

Compare Source

What's Changed

• Expose env vars to control concurrency and timeout by @​yacaovsnc in https://github.com/actions/upload-artifact/pull/662

Full Changelog: actions/upload-artifact@v4...v4.6.0

v4.5.0

Compare Source

What's Changed

• fix: deprecated Node.js version in action by @​hamirmahal in https://github.com/actions/upload-artifact/pull/578
• Add new artifact-digest output by @​bdehamer in https://github.com/actions/upload-artifact/pull/656

New Contributors

• @​hamirmahal made their first contribution in https://github.com/actions/upload-artifact/pull/578
• @​bdehamer made their first contribution in https://github.com/actions/upload-artifact/pull/656

Full Changelog: actions/upload-artifact@v4.4.3...v4.5.0

ossf/scorecard-action (ossf/scorecard-action)

v2.4.2

Compare Source

What's Changed

This update bumps the Scorecard version to the v5.2.1 release. For a complete list of changes, please refer to the Scorecard v5.2.0 and v5.2.1 release notes.

Full Changelog: ossf/scorecard-action@v2.4.1...v2.4.2

v2.4.1

Compare Source

What's Changed

• This update bumps the Scorecard version to the v5.1.1 release. For a complete list of changes, please refer to the v5.1.0 and v5.1.1 release notes.
• Publishing results now uses half the API quota as before. The exact savings depends on the repository in question.
  • use Scorecard library entrypoint instead of Cobra hooking by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1423
• Some errors were made into annotations to make them more visible
  • Make default branch error more prominent by @​jsoref in https://github.com/ossf/scorecard-action/pull/1459
• There is now an optional file_mode input which controls how repository files are fetched from GitHub. The default is archive, but git produces the most accurate results for repositories with .gitattributes files at the cost of analysis speed.
  • add input for specifying --file-mode by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1509
• The underlying container for the action is now hosted on GitHub Container Registry. There should be no functional changes.
  • 🌱 publish docker images to GitHub Container Registry by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1453

Docs

• Installation docs update by @​JeremiahAHoward in https://github.com/ossf/scorecard-action/pull/1416

New Contributors

• @​JeremiahAHoward made their first contribution in https://github.com/ossf/scorecard-action/pull/1416
• @​jsoref made their first contribution in https://github.com/ossf/scorecard-action/pull/1459
  Full Changelog: ossf/scorecard-action@v2.4.0...v2.4.1

step-security/harden-runner (step-security/harden-runner)

v2.13.0

Compare Source

What's Changed

• Improved job markdown summary
• Https monitoring for all domains (included with the enterprise tier)

Full Changelog: step-security/harden-runner@v2...v2.13.0

v2.12.2

Compare Source

What's Changed

Added HTTPS Monitoring for additional destinations - *.githubusercontent.com
Bug fixes:

• Implicitly allow local multicast, local unicast and broadcast IP addresses in block mode
• Increased policy map size for block mode

Full Changelog: step-security/harden-runner@v2...v2.12.2

v2.12.1

Compare Source

What's Changed

• Detection capabilities have been upgraded to better recognize attempts at runner tampering. These improvements are informed by real-world incident learnings, including analysis of anomalous behaviors observed in the tj-actions and reviewdog supply chain attack.
• Resolved an issue where the block policy was not enforced correctly when the GitHub Actions job was running inside a container on a self-hosted VM runner.

Full Changelog: step-security/harden-runner@v2...v2.12.1

v2.12.0

Compare Source

What's Changed

1. A new option, disable-sudo-and-containers, is now available to replace the disable-sudo policy, addressing Docker-based privilege escalation (CVE-2025-32955). More details can be found in this blog post.

2. New detections have been added based on insights from the tj-actions and reviewdog actions incidents.

Full Changelog: step-security/harden-runner@v2...v2.12.0

v2.11.1

Compare Source

What's Changed

• cache: add support for GitHub Actions cache v2 by @​h0x0er in https://github.com/step-security/harden-runner/pull/529

Full Changelog: step-security/harden-runner@v2...v2.11.1

v2.11.0

Compare Source

What's Changed

Release v2.11.0 in #​498
Harden-Runner Enterprise tier now supports the use of eBPF for DNS resolution and network call monitoring

Full Changelog: step-security/harden-runner@v2...v2.11.0

v2.10.4

Compare Source

What's Changed

Fixed a potential Harden-Runner post step failure that could occur when printing agent service logs. The fix gracefully handles failures without failing the post step.

Full Changelog: step-security/harden-runner@v2...v2.10.4

v2.10.3

Compare Source

What's Changed

Fixed an issue where DNS requests using uppercase characters (e.g., EXAMPLE.com) were blocked even when the domain was present in the allowed list. This update standardizes domain names to lowercase for consistent comparison.

Full Changelog: step-security/harden-runner@v2...v2.10.3

v2.10.2

Compare Source

What's Changed

1. Fixes low-severity command injection weaknesses
   The advisory is here: GHSA-g85v-wf27-67xc

2. Bug fix to improve detection of whether Harden-Runner is running in a container

Full Changelog: step-security/harden-runner@v2...v2.10.2

diffplug/spotless (com.diffplug.spotless:spotless-maven-plugin)

v2.45.0

Added

• Support for gofmt (#​2001)
• Support for formatting Java Docs for the Palantir formatter (#​2009)

v2.44.0

Added

• New static method to DiffMessageFormatter which allows to retrieve diffs with their line numbers (#​1960)
• Gradle - Support for formatting shell scripts via shfmt. (#​1994)

Fixed

• Fix empty files with biome >= 1.5.0 when formatting files that are in the ignore list of the biome configuration file. (#​1989 fixes #​1987)
• Fix a regression in BufStep where the same arguments were being provided to every buf invocation. (#​1976)

Changed

• Use palantir-java-format 2.39.0 on Java 21. (#​1948)
• Bump default ktlint version to latest 1.0.1 -> 1.1.1. (#​1973)
• Bump default googleJavaFormat version to latest 1.18.1 -> 1.19.2. (#​1971)
• Bump default diktat version to latest 1.2.5 -> 2.0.0. (#​1972)

apache/commons-codec (commons-codec:commons-codec)

v1.19.0

The Apache Commons Codec team is pleased to announce the release of Apache Commons Codec 1.19.0.

The Apache Commons Codec component contains encoders and decoders for
formats such as Base16, Base32, Base64, digest, and Hexadecimal. In addition to these
widely used encoders and decoders, the codec package also maintains a
collection of phonetic encoding utilities.

This is a feature and maintenance release. Java 8 or later is required.

v1.17.2

The Apache Commons Codec component contains encoders and decoders for
formats such as Base16, Base32, Base64, digest, and Hexadecimal. In addition to these
widely used encoders and decoders, the codec package also maintains a
collection of phonetic encoding utilities.

This is a feature and maintenance release. Java 8 or later is required.

mockito/mockito (org.mockito:mockito-core)

v5.19.0

Compare Source

^{Changelog generated by Shipkit Changelog Gradle Plugin}

5.19.0

• 2025-08-15 - 37 commit(s) by Adrian-Kim, Tim van der Lippe, Tran Ngoc Nhan, dependabot[bot], juyeop
• feat: Add support for JDK21 Sequenced Collections. (#​3708)
• Bump actions/checkout from 4 to 5 (#​3707)
• build: Allow overriding 'Created-By' for reproducible builds (#​3704)
• Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 (#​3703)
• Bump androidx.test:runner from 1.6.2 to 1.7.0 (#​3697)
• Bump org.junit.platform:junit-platform-launcher from 1.13.3 to 1.13.4 (#​3694)
• Bump com.diffplug.spotless:spotless-plugin-gradle from 7.1.0 to 7.2.1 (#​3693)
• Bump junit-jupiter from 5.13.3 to 5.13.4 (#​3691)
• Bump com.gradle.develocity from 4.0.2 to 4.1 (#​3689)
• Bump com.google.googlejavaformat:google-java-format from 1.27.0 to 1.28.0 (#​3688)
• Bump com.google.googlejavaformat:google-java-format from 1.25.2 to 1.27.0 (#​3686)
• Bump com.diffplug.spotless:spotless-plugin-gradle from 7.0.4 to 7.1.0 (#​3685)
• Bump junit-jupiter from 5.13.2 to 5.13.3 (#​3684)
• Bump org.shipkit:shipkit-auto-version from 2.1.0 to 2.1.2 (#​3683)
• Bump com.diffplug.spotless:spotless-plugin-gradle from 7.0.2 to 7.0.4 (#​3682)
• Only run release after both Java and Android tests have finished
  (#​3681)
• Bump org.junit.platform:junit-platform-launcher from 1.12.2 to 1.13.3 (#​3680)
• Bump org.codehaus.groovy:groovy from 3.0.24 to 3.0.25 (#​3679)
• Bump org.eclipse.platform:org.eclipse.osgi from 3.23.0 to 3.23.100 (#​3678)
• Can no longer publish snapshot releases (#​3677)
• Update Gradle to 8.14.2 (#​3676)
• Bump errorprone from 2.23.0 to 2.39.0 (#​3674)
• Correct Junit docs link (#​3672)
• Bump net.ltgt.gradle:gradle-errorprone-plugin from 4.1.0 to 4.3.0 (#​3670)
• Bump junit-jupiter from 5.13.1 to 5.13.2 (#​3669)
• Bump bytebuddy from 1.17.5 to 1.17.6 (#​3668)
• Bump junit-jupiter from 5.12.2 to 5.13.1 (#​3666)
• Bump org.jetbrains.kotlin:kotlin-stdlib from 2.0.21 to 2.2.0 (#​3665)
• Bump org.gradle.toolchains.foojay-resolver-convention from 0.9.0 to 1.0.0 (#​3661)
• Bump org.junit.platform:junit-platform-launcher from 1.11.4 to 1.12.2 (#​3660)
• Add JDK21 sequenced collections for ReturnsEmptyValues (#​3659)
• Bump com.gradle.develocity from 3.19.1 to 4.0.2 (#​3658)
• Bump ru.vyarus:gradle-animalsniffer-plugin from 1.7.2 to 2.0.1 (#​3657)
• Bump org.eclipse.platform:org.eclipse.osgi from 3.22.0 to 3.23.0 (#​3656)
• Bump org.codehaus.groovy:groovy from 3.0.23 to 3.0.24 (#​3655)
• Bump junit-jupiter from 5.11.4 to 5.12.2 (#​3653)
• Reproducible Build: need to inject JDK distribution details to rebuild (#​3563)

v5.18.0

Compare Source

^{Changelog generated by Shipkit Changelog Gradle Plugin}

5.18.0

• 2025-05-20 - 5 commit(s) by Eugene Platonov, Patrick Doyle, Tim van der Lippe, dependabot[bot]
• Make vararg checks Scala friendly (for mockito-scala) (#​3651)
• For UnfinishedStubbingException, suggest the possibility of another thread (#​3636)
• UnfinishedStubbingException ought to suggest the possibility of another thread (#​3635)

v5.17.0

Compare Source

^{Changelog generated by Shipkit Changelog Gradle Plugin}

5.17.0

• 2025-04-04 - 7 commit(s) by Adrian Roos, Andre Kurait, Jan Ouwens, Rafael Winterhalter, Taeik Lim, Thach Le, Tim van der Lippe
• Fixes #​3631: Fix broken banner image link (#​3632)
• Banner image is broken (#​3631)
• Update exception message with mockito-inline (#​3628)
• Clarify structure of commit messages (#​3626)
• Fixes #​3622: MockitoExtension fails cleanup when aborted before setup (#​3623)
• MockitoExtension fails cleanup when aborted before setup (#​3622)
• Since mockito-inline has been removed, the exception messages with mockito-inline should be modified. (#​3621)
• Fixes #​3171: Fall back to Throwable Location strategy on Android (#​3619)
• Fixes #​3615 : broken links to javadoc.io (#​3616)
• Broken links to javadoc.io (#​3615)
• Mocks are not working on particular devices after update Android SDK from 33 to 34 (#​3171)

v5.16.1

Compare Source

^{Changelog generated by Shipkit Changelog Gradle Plugin}

5.16.1

• 2025-03-15 - 3 commit(s) by Adrian Roos, Jérôme Prinet, Rafael Winterhalter
• Remove Arrays.asList from critical stubbing path in GenericMetadataSu… (#​3610)
• Rework of injection strategy in the context of modules (#​3608)
• Adjust inline mocking snippet to allow task relocatability (#​3606)
• Inline mocking configuration snippet for Gradle should allow task relocatability (#​3605)

[v5.16.0](https://redirect.github.com/mockito/moc

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) in timezone America/Toronto, Automerge - "after 9:00am and before 12:00pm on tuesday, wednesday, thursday" in timezone America/Toronto.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.