@agustingroh (Contributor) commented Jan 7, 2026

What's Changed

Changed

  • Updated slf4j from 2.0.16 to 2.0.17
  • Updated commons-codec from 1.17.1 to 1.20.0
  • Updated tika-core from 2.9.2 to 3.2.2
  • Updated gson from 2.11.0 to 2.13.2
  • Updated picocli from 4.7.6 to 4.7.7
  • Updated lombok from 1.18.36 to 1.18.42
  • Updated jgit from 6.10.0 to 6.10.1

Fix: #35

Summary by CodeRabbit

  • Chores
    • Released patch version 0.12.1.
    • Updated changelog with 0.12.1 entry.
    • Bumped project version and updated multiple dependencies: slf4j, commons-codec, tika-core, gson, picocli, lombok, and jgit.


@agustingroh agustingroh requested a review from eeisegn January 7, 2026 17:26
@agustingroh agustingroh added the enhancement New feature or request label Jan 7, 2026
@coderabbitai bot commented Jan 7, 2026

Walkthrough

Bumped project version from 0.12.0 to 0.12.1 and updated multiple dependency versions (slf4j, commons-codec, tika-core, gson, picocli, lombok, org.eclipse.jgit). Added a new 0.12.1 entry to CHANGELOG.md and updated release link references.

Changes

Cohort / File(s) | Summary

Version & Dependencies (pom.xml) | Project version set to 0.12.1; property slf4jVersion -> 2.0.17; dependencies updated: commons-codec 1.17.1 -> 1.20.0, tika-core 2.9.2 -> 3.2.2, gson 2.11.0 -> 2.13.2, picocli 4.7.6 -> 4.7.7, lombok 1.18.36 -> 1.18.42, org.eclipse.jgit 6.10.0.* -> 6.10.1.*

Changelog / Release Notes (CHANGELOG.md) | Inserted 0.12.1 entry (dated 2026-01-07) under Unreleased documenting dependency bumps; updated 0.12.0 link range to v0.11.0...v0.12.0; added link for v0.12.0...v0.12.1; minor newline adjustments.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐇 I hopped a quick update, neat and spry,
Dependencies polished, versions high,
Changelog scribbled, links set right,
A tiny release, tidy and light —
🥕 cheers from a rabbit, off I fly!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'chore:SP-3893 upgrade dependencies' accurately reflects the primary change—upgrading dependencies across the project as documented in the changeset.
  • Linked Issues check: ✅ Passed. The pull request addresses issue #35 by upgrading vulnerable dependencies (slf4j, commons-codec, tika-core, gson, picocli, lombok, jgit) to patched versions, directly mitigating the security vulnerabilities identified in the linked issue.
  • Out of Scope Changes check: ✅ Passed. All changes are within scope—version bumps in pom.xml and a changelog entry documenting the dependency updates. No unrelated modifications are present.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6469b42 and 3cca36f.

📒 Files selected for processing (2)
  • CHANGELOG.md
  • pom.xml
🚧 Files skipped from review as they are similar to previous changes (1)
  • CHANGELOG.md
🔇 Additional comments (8)
pom.xml (8)

9-9: LGTM! Version bump is appropriate.

The patch version increment from 0.12.0 to 0.12.1 is appropriate for a dependency update release.


93-93: Picocli patch version update is safe.

Version 4.7.7 exists on Maven Central with all artifacts properly signed and available.


100-100: The lombok version 1.18.42 update is safe and verified.

The update from 1.18.36 to 1.18.42 is a stable patch release available on Maven Central. Version 1.18.42 (released September 18, 2025) maintains full Java 11 compatibility and includes feature improvements (@log annotation configurability) and targeted bugfixes (JDK25 Javadoc parsing). No breaking changes.


107-107: JGit 6.10.1 patch update verified and safe.

The version 6.10.1.202505221210-r exists on Maven Central and is a legitimate patch release. This update addresses CVE-2025-4949 (XXE vulnerability), making it a security improvement over 6.10.0.


63-63: Commons-codec 1.20.0 is a safe update with no breaking changes.

Version 1.20.0 exists on Maven Central and the official release notes document only bug fixes and minor features with no breaking changes. The update from 1.17.1 is backward compatible; note that several constructors are now deprecated in favor of Builder APIs, but this does not prevent compilation or execution.


81-81: Gson 2.13.2 is available and compatible with Java 11.

Version 2.13.2 exists on Maven Central, supports Java 11, and has no known security vulnerabilities. The minimum Java requirement for this version is Java 8.


75-75: No action required. The update from tika-core 2.9.2 to 3.2.2 is compatible with this codebase.

The project already targets Java 11 (maven.compiler.source and maven.compiler.target are both set to 11), which satisfies Tika 3.x's minimum requirement. The codebase uses only the high-level Tika facade API and stable MediaType classes, which remain backwards compatible across major versions. The breaking changes in Tika 3.x (AbstractParser deprecation, HTML parser migration, boilerpipe relocation, Xerces removal) do not affect this code, as none of these low-level or specialized features are used.

Likely an incorrect or invalid review comment.


41-41: Version 2.0.17 is confirmed as the current stable release.

2.0.17 (released 25 Feb 2025) is available on Maven Central and includes bug fixes for MDC initialization race conditions and security improvements referenced in vendor advisories. Safe to use.



@coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @pom.xml:

- Line 75: You bumped tika-core to 3.2.2 which has breaking changes; update build and tests to target Java 11+ (adjust maven-compiler-plugin/source & target or project toolchain), run and fix integration tests exercising Tika usage (look for references to Tika, MediaType, MediaTypeRegistry), and validate/adjust behavior for HTML parsing (TagSoup→JSoup), custom-mimetypes classpath lookup, and MIME mapping changes (e.g., JavaScript → text/javascript); if your code relied on Xerces or Boilerpipe classes add explicit dependencies (xercesImpl or the new boilerpipe package) or refactor usages to the new APIs, and add explicit tests that assert detected MIME types and parsed HTML output to lock expected behavior under 3.2.2.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2eec9bf and 6469b42.

📒 Files selected for processing (2)
  • CHANGELOG.md
  • pom.xml
🔇 Additional comments (4)
CHANGELOG.md (2)

13-21: LGTM! Changelog documentation is accurate.

The changelog entry correctly documents all seven dependency updates and follows the Keep a Changelog format consistently.


143-144: LGTM! Version link references are correct.

The link references have been properly updated to reflect the new 0.12.1 release.

pom.xml (2)

9-9: LGTM! Version bump is appropriate.

The project version bump from 0.12.0 to 0.12.1 is appropriate for a dependency update release.


41-41: Dependency versions verified and confirmed secure.

All updated dependencies have been checked against NVD and security advisories. No known CVEs affect these versions:

  • slf4j 2.0.17: No upstream CVE
  • commons-codec 1.20.0: Safe (Base32 issue fixed in 1.14+)
  • tika-core 3.2.2: Fixed for XXE vulnerabilities (CVE-2025-54988, CVE-2025-66516)
  • gson 2.13.2: Safe
  • picocli 4.7.7: No known CVE
  • lombok 1.18.42: No known CVE
  • jgit 6.10.1: Fixed for XXE vulnerability (CVE-2025-4949)
  • okhttp 4.12.0: No known CVE

The project has appropriately updated to patched versions for recent critical vulnerabilities.
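The actionable comment above asks for explicit tests that pin detected MIME types so that a major tika-core bump (2.9.2 to 3.2.2, which carries the XXE fixes listed in the review) can be adopted without silently changing behaviour. The following JUnit 5 test is an added example and not part of this project's code base; it assumes JUnit 5 and tika-core are on the test classpath, the class name and method names are invented, the sample bytes are constructed inline, and the text/javascript mapping is the one the review comment itself names for Tika 3.x.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;

import java.nio.charset.StandardCharsets;

import org.apache.tika.Tika;
import org.apache.tika.mime.MediaType;
import org.junit.jupiter.api.Test;

// Hypothetical regression test (not the project's own code). It locks the
// MIME-detection results the application depends on, so that a future
// tika-core upgrade that changes a mapping fails here rather than in
// production, while still letting security-driven bumps land quickly.
class TikaDetectionRegressionTest {

    // The high-level Tika facade is the only API the code base uses,
    // according to the review, so that is all this test exercises.
    private final Tika tika = new Tika();

    @Test
    void javascriptIsReportedAsTextJavascript() {
        // Tika 3.x reports JavaScript as text/javascript (the review comment
        // flags this as a mapping change from the 2.x line). Pinning the new
        // value documents that the upgrade was deliberate.
        String detected = tika.detect("app.js");
        assertEquals("text/javascript", detected);

        MediaType type = MediaType.parse(detected);
        assertEquals("text", type.getType());
        assertEquals("javascript", type.getSubtype());
    }

    @Test
    void commonNameBasedMappingsAreUnchanged() {
        // Extension-based detection for types the application is likely
        // to encounter; any drift in a later bump shows up as a failure.
        assertEquals("text/html", tika.detect("index.html"));
        assertEquals("application/json", tika.detect("data.json"));
        assertEquals("application/pdf", tika.detect("report.pdf"));
    }

    @Test
    void contentBasedDetectionWorksWithoutAFilename() {
        // Constructed sample inputs: with no name available, Tika falls back
        // to magic-byte detection, which must keep working after the upgrade.
        byte[] html = "<!DOCTYPE html><html><body>hi</body></html>"
                .getBytes(StandardCharsets.UTF_8);
        assertEquals("text/html", tika.detect(html));

        byte[] pdf = "%PDF-1.7\n".getBytes(StandardCharsets.UTF_8);
        assertEquals("application/pdf", tika.detect(pdf));
    }
}
```

Run it with the project's normal `mvn test`; the first test is the one that documents the 3.x mapping change, and the other two guard against regressions in the mappings that did not change.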

@agustingroh agustingroh force-pushed the chore/SP-3893-update-dependencies branch from 6469b42 to 3cca36f January 8, 2026 11:04
@agustingroh agustingroh merged commit 5be762a into main Jan 8, 2026
1 of 2 checks passed
@agustingroh agustingroh deleted the chore/SP-3893-update-dependencies branch January 8, 2026 11:07
Development

Successfully merging this pull request may close these issues: Configure Renovate or Dependabot for automated dependency updates

3 participants