fix(deps): update gradle

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
jacoco (source)	0.8.7 -> 0.8.12
com.github.tomakehurst:wiremock-jre8 (source)	2.32.0 -> 2.35.2
com.github.stefanbirkner:system-rules (source)	1.17.2 -> 1.19.0
org.junit.jupiter:junit-jupiter (source)	5.10.1 -> 5.11.3
org.junit.jupiter:junit-jupiter-engine (source)	5.10.1 -> 5.11.3
eu.maveniverse.maven.mima.runtime:standalone-static (source)	2.4.20 -> 2.4.21
eu.maveniverse.maven.mima:context (source)	2.4.20 -> 2.4.21
org.jboss:jandex (source)	2.2.3.Final -> 2.4.5.Final
org.slf4j:jcl-over-slf4j (source, changelog)	1.7.30 -> 1.7.36
org.slf4j:slf4j-nop (source, changelog)	1.7.30 -> 1.7.36
org.jsoup:jsoup (source)	1.17.1 -> 1.18.3
com.google.code.gson:gson	2.10.1 -> 2.11.0
org.codehaus.plexus:plexus-java (source)	1.2.0 -> 1.3.0
io.quarkus.qute:qute-core	1.12.2.Final -> 1.13.7.Final
info.picocli:picocli (source)	4.7.5 -> 4.7.6
org.apache.commons:commons-compress (source)	1.25.0 -> 1.27.1
org.apache.commons:commons-text (source)	1.11.0 -> 1.12.0
org.sonarqube	4.0.0.2929 -> 4.4.1.3373
com.diffplug.spotless	6.13.0 -> 6.25.0
io.toolebox.git-versioner	1.6.5 -> 1.6.7
com.github.breadmoirai.github-release	2.4.1 -> 2.5.2
com.github.johnrengelman.shadow	8.0.0 -> 8.1.1
com.gradle.enterprise	3.7.2 -> 3.18.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

jacoco/jacoco (jacoco)

v0.8.12: 0.8.12

New Features

• JaCoCo now officially supports Java 22 (GitHub #​1596).
• Experimental support for Java 23 class files (GitHub #​1553).

Fixed bugs

• Branches added by the Kotlin compiler for functions with default arguments and having more than 32 parameters are filtered out during generation of report (GitHub #​1556).
• Branch added by the Kotlin compiler version 1.5.0 and above for reading from lateinit property is filtered out during generation of report (GitHub #​1568).

Non-functional Changes

• JaCoCo now depends on ASM 9.7 (GitHub #​1600).

v0.8.11: 0.8.11

New Features

• JaCoCo now officially supports Java 21 (GitHub #​1520).
• Experimental support for Java 22 class files (GitHub #​1479).
• Part of bytecode generated by the Java compilers for exhaustive switch expressions is filtered out during generation of report (GitHub #​1472).
• Part of bytecode generated by the Java compilers for record patterns is filtered out during generation of report (GitHub #​1473).

Fixed bugs

• Instrumentation should not cause VerifyError when the last local variable of method parameters is overridden in the method body to store a value of type long or double (GitHub #​893).
• Restore exec file compatibility with versions from 0.7.5 to 0.8.8 in case of class files with zero line numbers (GitHub #​1492).

Non-functional Changes

• jacoco-maven-plugin now requires at least Java 8 (GitHub #​1466, #​1468).
• JaCoCo build now requires at least Maven 3.5.4 (GitHub #​1467).
• Maven 3.9.2 should not produce warnings for jacoco-maven-plugin (GitHub #​1468).
• JaCoCo build now requires JDK 17 (GitHub #​1482).
• JaCoCo now depends on ASM 9.6 (GitHub #​1518).

v0.8.10: 0.8.10

Fixed bugs

• Agent should not require configuration of permissions for SecurityManager outside of its codeBase (GitHub #​1425).

v0.8.9: 0.8.9

New Features

• JaCoCo now officially supports Java 19 and 20 (GitHub #​1371, #​1386).
• Experimental support for Java 21 class files (GitHub #​1386).
• Add parameter to include the current project in the report-aggregate Maven goal (GitHub #​1007).
• Component accessors generated by the Java compilers for records are filtered out during generation of report. Contributed by Tesla Zhang (GitHub #​1393).

Fixed bugs

• Agent should not open java.lang package to unnamed module of the application class loader (GitHub #​1334).

Non-functional Changes

• JaCoCo now depends on ASM 9.5 (GitHub #​1299, #​1368, #​1416).
• JaCoCo build now requires JDK 11 (GitHub #​1413).

v0.8.8: 0.8.8

New Features

• JaCoCo now officially supports Java 17 and 18 (GitHub #​1282, #​1198).
• Experimental support for Java 19 class files (GitHub #​1264).
• Part of bytecode generated by the Java compilers for assert statement is filtered out during generation of report (GitHub #​1196).
• Branch added by the Kotlin compiler version 1.6.0 and above for "unsafe" cast operator is filtered out during generation of report (GitHub #​1266).
• Improved support for multiple JaCoCo runtimes in the same VM (GitHub #​1057).

Fixed bugs

• Fixed NullPointerException during filtering (GitHub #​1189).
• Fix range for debug symbols of method parameters (GitHub #​1246).

Non-functional Changes

• JaCoCo now depends on ASM 9.2 (GitHub #​1206).
• Messages of exceptions occurring during analysis or instrumentation now include JaCoCo version (GitHub #​1217).

wiremock/wiremock (com.github.tomakehurst:wiremock-jre8)

v2.35.2

Compare Source

v2.35.1: - Security Release

Compare Source

🔒 This is a security release that addresses the following issues

• CVE-2023-41327 - Controlled SSRF through URL in the WireMock Webhooks Extension and WireMock Studio
  • Overall CVSS Score: 4.6 (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L/E:F/RL:O/RC:C)
• CVE-2023-41329 - Domain restrictions bypass via DNS
  Rebinding in WireMock and WireMock Studio webhooks, proxy and recorder modes
  • Overall CVSS Score: 3.9 (AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C)

NOTE: WireMock Studio, a proprietary distribution discontinued in 2022, is also affected by those issues and also affected by CVE-2023-39967 - Overall CVSS Score 8.6 - “Controlled and full-read SSRF through URL parameter when testing a request, webhooks and proxy mode”. The fixes will not be provided. The vendor recommends migrating to WireMock Cloud which is available as SaaS and private beta for on-premises deployments

Credits: @​W0rty, @​numacanedo, @​Mahoney, @​tomakehurst, @​oleg-nenashev

v2.35.0

Compare Source

Enhancements

• Add a negative contains matcher - thanks Damian Orzepowski
• Expose a Java API method for removing stubs by ID - thanks Patryk Fraczek
• Document the import API in the OpenAPI doc - thanks to user i-whammy
• Added the ability to restrict the addresses WireMock can proxy/record to, as a security measure.

Fixes

• Strip Maven directories from the standalone JAR as some were appearing that weren't related to dependencies actually present, confusing scanning tools - thanks to user krageon
• Dropped back to slf4j 1.7.36 and relocate it in the standalone JAR (ensuring 2.x users won't experience conflicts).

v2.34.0

Compare Source

This will be the final 2.x.x release and also the last to support Java 8.

Fixes

• Fixed #​1689 - incorrect HTTP version header - thanks to user Poojitha
• Fixed #​1882 - bug preventing matching of date/time query params/headers with custom format - thanks Klaas Dellschaft
• #​1930 - Fixed a partial path traversal vulnerability in the file source code - thanks Jonathan Leitschuh
• Fixed #​1783 - proxyUrlPrefixToRemove ignored when using a response definition transformer - thanks to user Ross-H-Projects
• Fixed #​1872 - create a request entity for POST, PUT etc. proxied requests when a content-length header is present, regardless of whether the size is 0.
• Fixed #​1946 - maths helper now supports epoch dates as inputs.

Enhancements

• Added a public, non-static getScenarios() method allowing access to all scenarios.

All dependencies brought up to date including Jetty to 9.4.48.v20220622.

v2.33.2

Compare Source

WireMock 2.33.1 was accidentally released using Java 11 rather than 8, resulting in class incompatibilities in places.

This release is functionally identical but built using Java 8.

v2.33.1

Compare Source

Fixes

• Put name field back on scenario API object having accidentally removed it.
• Improved validation of scenario set and reset so that reasonable errors are returned when attempting to use non-existent scenario names or states.

v2.33.0

Compare Source

This is primarily a maintenance release that brings all dependency versions up to date including a version of Jackson containing the fix for CVE-2020-36518.

Enhancements

• Added the ability to set and reset a single scenario's state
• Proxy will now send a request body for any request method.
• CORS response headers are now passed back from proxy responses when stub CORS is disabled.

Performance

• Improved performance of Request.getHeaders() - thanks Doug Roper.
• Improved performance of response body JSON parsing - thanks also Doug Roper.

maveniverse/mima (eu.maveniverse.maven.mima.runtime:standalone-static)

v2.4.21

Compare Source

jhy/jsoup (org.jsoup:jsoup)

v1.18.3

Bug Fixes

• When serializing to XML, attribute names containing -, ., or digits were incorrectly marked as invalid and
  removed. 2235

v1.18.2

Improvements

• Optimized the throughput and memory use throughout the input read and parse flows, with heap allocations and GC
  down between -6% and -89%, and throughput improved up to +143% for small inputs. Most inputs sizes will see
  throughput increases of ~ 20%. These performance improvements come through recycling the backing byte[] and char[]
  arrays used to read and parse the input. 2186
• Speed optimized html() and Entities.escape() when the input contains UTF characters in a supplementary plane, by
  around 49%. 2183
• The form associated elements returned by FormElement.elements() now reflect changes made to the DOM,
  subsequently to the original parse. 2140
• In the TreeBuilder, the onNodeInserted() and onNodeClosed() events are now also fired for the outermost /
  root Document node. This enables source position tracking on the Document node (which was previously unset). And
  it also enables the node traversor to see the outer Document node. 2182
• Selected Elements can now be position swapped inline using
  Elements#set(). 2212

Bug Fixes

• Element.cssSelector() would fail if the element's class contained a *
  character. 2169
• When tracking source ranges, a text node following an invalid self-closing element may be left
  untracked. 2175
• When a document has no doctype, or a doctype not named html, it should be parsed in Quirks
  Mode. 2197
• With a selector like div:has(span + a), the has() component was not working correctly, as the inner combining
  query caused the evaluator to match those against the outer's siblings, not
  children. 2187
• A selector query that included multiple :has() components in a nested :has() might incorrectly
  execute. 2131
• When cookie names in a response are duplicated, the simple view of cookies available via
  Connection.Response#cookies() will provide the last one set. Generally it is better to use
  the Jsoup.newSession method to maintain a cookie jar, as that
  applies appropriate path selection on cookies when making requests. 1831
• When parsing named HTML entities, base entities should resolve if they are a prefix of the input token (and not in an
  attribute). 2207
• Fixed incorrect tracking of source ranges for attributes merged from late-occurring elements that were implicitly
  created (html or body). 2204
• Follow the current HTML specification in the tokenizer to allow < as part of a tag name, instead of emitting it as a
  character node. 2230
• Similarly, allow a < as the start of an attribute name, vs creating a new element. The previous behavior was
  intended to parse closer to what we anticipated the author's intent to be, but that does not align to the spec or to
  how browsers behave. 1483

v1.18.1

Improvements

• Stream Parser: A StreamParser provides a progressive parse of its input. As each Element is completed, it is
  emitted via a Stream or Iterator interface. Elements returned will be complete with all their children, and an
  (empty) next sibling, if applicable. Elements (or their children) may be removed from the DOM during the parse,
  for e.g. to conserve memory, providing a mechanism to parse an input document that would otherwise be too large to fit
  into memory, yet still providing a DOM interface to the document and its elements. Additionally, the parser provides
  a selectFirst(String query) / selectNext(String query), which will run the parser until a hit is found, at which
  point the parse is suspended. It can be resumed via another select() call, or via the stream() or iterator()
  methods. 2096
• Download Progress: added a Response Progress event interface, which reports progress and URLs are downloaded (and
  parsed). Supported on both a session and a single connection
  level. 2164, 656
• Added Path accepting parse methods: Jsoup.parse(Path), Jsoup.parse(path, charsetName, baseUri, parser),
  etc. 2055
• Updated the button tag configuration to include a space between multiple button elements in the Element.text()
  method. 2105
• Added support for the ns|* all elements in namespace Selector. 1811
• When normalising attribute names during serialization, invalid characters are now replaced with _, vs being
  stripped. This should make the process clearer, and generally prevent an invalid attribute name being coerced
  unexpectedly. 2143

Changes

• Removed previously deprecated internal classes and methods. 2094
• Build change: the built jar's OSGi manifest no longer imports itself. 2158

Bug Fixes

• When tracking source positions, if the first node was a TextNode, its position was incorrectly set
  to -1. 2106
• When connecting (or redirecting) to URLs with characters such as {, } in the path, a Malformed URL exception would
  be thrown (if in development), or the URL might otherwise not be escaped correctly (if in
  production). The URL encoding process has been improved to handle these characters
  correctly. 2142
• When using W3CDom with a custom output Document, a Null Pointer Exception would be
  thrown. 2114
• The :has() selector did not match correctly when using sibling combinators (like
  e.g.: h1:has(+h2)). 2137
• The :empty selector incorrectly matched elements that started with a blank text node and were followed by
  non-empty nodes, due to an incorrect short-circuit. 2130
• Element.cssSelector() would fail with "Did not find balanced marker" when building a selector for elements that had
  a ( or [ in their class names. And selectors with those characters escaped would not match as
  expected. 2146
• Updated Entities.escape(string) to make the escaped text suitable for both text nodes and attributes (previously was
  only for text nodes). This does not impact the output of Element.html() which correctly applies a minimal escape
  depending on if the use will be for text data or in a quoted
  attribute. 1278
• Fuzz: a Stack Overflow exception could occur when resolving a crafted <base href> URL, in the normalizing regex.
  2165

---

v1.17.2

Improvements

• Attribute object accessors: Added Element.attribute(String) and Attributes.attribute(String) to more simply
  obtain an Attribute object. 2069
• Attribute source tracking: If source tracking is on, and an Attribute's key is changed (
  via Attribute.setKey(String)), the source range is now still tracked
  in Attribute.sourceRange(). 2070
• Wildcard attribute selector: Added support for the [*] element with any attribute selector. And also restored
  support for selecting by an empty attribute name prefix ([^]). 2079

Bug Fixes

• Mixed-cased source position: When tracking the source position of attributes, if the source attribute name was
  mix-cased but the parser was lower-case normalizing attribute names, the source position for that attribute was not
  tracked correctly. 2067
• Source position NPE: When tracking the source position of a body fragment parse, a null pointer
  exception was thrown. 2068
• Multi-point emoji entity: A multi-point encoded emoji entity may be incorrectly decoded to the replacement
  character. 2074
• Selector sub-expressions: (Regression) in a selector like parent [attr=va], other, the , OR was binding
  to [attr=va] instead of parent [attr=va], causing incorrect selections. The fix includes a EvaluatorDebug class
  that generates a sexpr to represent the query, allowing simpler and more thorough query parse
  tests. 2073
• XML CData output: When generating XML-syntax output from parsed HTML, script nodes containing (pseudo) CData
  sections would have an extraneous CData section added, causing script execution errors. Now, the data content is
  emitted in a HTML/XML/XHTML polyglot format, if the data is not already within a CData
  section. 2078
• Thread safety: The :has evaluator held a non-thread-safe Iterator, and so if an Evaluator object was
  shared across multiple concurrent threads, a NoSuchElement exception may be thrown, and the selected results may be
  incorrect. Now, the iterator object is a thread-local. 2088

---

Older changes for versions 0.1.1 (2010-Jan-31) through 1.17.1 (2023-Nov-27) may be found in
change-archive.txt.

quarkusio/quarkus (io.quarkus.qute:qute-core)

v1.13.7.Final

Compare Source

Major changes

Complete changelog

• #​17763 - SimpleScheduler - fix CronTrigger#evaluate()
• #​17758 - Also register CustomResource implementors fully for reflection.
• #​17727 - Add resteasy extension to generated app in the AMQP guide
• #​17724 - Scheduler is not triggered or triggered 2 times randomly with native image
• #​17721 - Add artemis-mqtt-protocol dependency
• #​17720 - Add artemis-mqtt-protocol in the bom
• #​17688 - Use Maven version 3.8.1 in the generated projects
• #​17668 - Quarkus bundles generated projects with maven wrapper 3.6.3
• #​17632 - Correctly propagate dispatchToWorker to websockets
• #​17605 - Pass max frame size to VertxServerWebSocketContainer
• #​17599 - Bump gradle jandex plugin version in test and doc
• #​17580 - Create log file parent directories for @​QuarkusIntegrationTest
• #​17571 - Option quarkus.websocket.dispatch-to-worker=true doesn't work anymore in Quarkus 1.13
• #​17565 - @​QuarkusIntegrationTest with docker image fails on unable to create logfile
• #​17555 - Make VertxInputStream#available not fail on large content-type
• #​17551 - Don't write error response when it's already been written
• #​17473 - Gradle: create quarkusDeploymentOnlyClasspath configuration
• #​17455 - Resteasy fails with NumberFormatException if file is larger than 2047 MB
• #​17206 - maxFramePayloadLength seems to be hardcoded when using WebSocketClient
• #​16727 - Ensure that a non-indexed entry doesn't break generic type resolution

v1.13.6.Final

Compare Source

Major changes

Complete changelog

• #​17493 - Hibernate Validator - Work around Jandex issue in enclosingTarget()
• #​17472 - Introduce build item to override weak reflection semantics
• #​17464 - Fix the indentation of the smallrye-metrics example

v1.13.5.Final

Compare Source

Major changes

• #​16249 - Update to Maven 3.8.1 and use mvnw consequently in GH workflows

Complete changelog

• #​17454 - Hibernate Validator - Fix container element constraints detection
• #​17452 - Injected Bean Validator has different behavior than the static default Hibernate one
• #​17433 - Add ChangeStreamDocument Mongo class for reflection
• #​17432 - MongoDB Client Extension - NullPointerException in native mode with ChangeStreamDocumentCodec
• #​17390 - Update SmallRye Config to 1.13.1
• #​17377 - Suspend GET requests as well
• #​17366 - Fix case of lost TCCL in dev-mode when RESTEasy Reactive reads the HTTP body
• #​17359 - Dev mode fails to reload classes when using reactive rest client
• #​17354 - ArC dev mode - fix business method invocations monitoring
• #​17352 - Depend on Keycloak 12.0.4 for the moment
• #​17333 - Bump xstream from 1.4.16 to 1.4.17
• #​17327 - WebSockets in Extensions
• #​17322 - Quarkus random ConcurrentModificationException
• #​17296 - Use StandardCharsets.UTF_8 where appropriate
• #​17294 - Add configuration reference to Deploying to OpenShift
• #​17278 - More config issues in Quarkus 1.13.4.Final
• #​17216 - Resteasy hangs on null header
• #​17202 - Workaround jpa-oracle failure when using Mandrel
• #​17199 - Honor GenerateResourceBuildItem while building UberJar
• #​17179 - Keycloak Authorization 'policy-enforcer.lazy-load-paths=true' regression
• #​17168 - Null as HTTP header value results in hanging thread
• #​16999 - Fix case where REST Client returns JAX-RS Response from a JAX-RS endpoint
• #​16277 - Update aws-sdk to 2.16.36
• #​16249 - Update to Maven 3.8.1 and use mvnw consequently in GH workflows
• #​16233 - Maven 3.8.1 update causes warning
• #​16139 - [native] 1.13.0.Final Fails To Build Native Image
• #​15897 - Runtime initialize amazon-services classes using j.u.Random
• #​15611 - Add ConstraintVerifier infomation to OptaPlanner documentation

v1.13.4.Final

Compare Source

Major changes

Complete changelog

• #​17154 - Fix last modified and CL for memory resources
• #​17144 - Update to RestEasy 4.5.12
• #​17108 - Update SmallRye Config to 1.13.0
• #​17099 - Jacoco does not report on other modules
• #​17087 - Update to Keycloak 13.0.0
• #​17086 - Jacoco Extension does not report on sub projects as of 1.13.3
• #​17085 - Fixed typo in Kafka documentation: @​Output -> @​Outgoing
• #​17077 - Introduce UberJarMergedResourceBuildItem and UberJarIgnoredResourceBuildItem
• #​17076 - Doc: working with reactive batch query results
• #​17026 - Update OIDC to use GET for UserInfo
• #​17023 - Update OidcClient to recognize non-standard grant response properties
• #​17020 - OIDC does not work with Azure Hosted Keycloak (HTTP Error 411)
• #​17012 - Allow defining a fixed port for datasource DevServices
• #​16984 - Enable synthetic beans to be application classes
• #​16974 - Reactive routes - fix the way a return value const violation is detected
• #​16957 - Enhance OidcClient to accept non-standard token grant responses
• #​16936 - Allow injection of RoutingContext in RESTEasy Reactive
• #​16934 - Resteasy-reactive : JPA TenantResolver fails with Normal scoped producer method may not return null: io.quarkus.vertx.http.runtime.CurrentVertxRequest
• #​16911 - Improve documentation around native resources
• #​16907 - Fix generic type handling of body parameter in RESTEasy Reactive
• #​16906 - Fix possible NPE resolving user settings.xml
• #​16905 - Resteasy reactive - Handling Generics in request body
• #​16903 - When using random ports in a docker test, resort to host networking
• #​16900 - QuarkusIntegrationTest failing on containerized native image with quarkus.http.test-(ssl-)port set to 0
• #​16883 - Removed extra char in docs
• #​16879 - OIDC: Fix IllegalStateException when processing opaque tokens
• #​16823 - Allow to support inheritance in JAX-RS Resource included via Application#getClasses
• #​16768 - Being able to fix the Postgres listening port property with DevServices
• #​16490 - Bump jackson-bom from 2.12.1 to 2.12.3
• #​16338 - Quarkus sql client PreparedQuery.executeBatch number of rows affected always equal to 1
• #​16105 - Substitute BouncyCastle self-tests which rely on SecureRandom
• #​16020 - Refactor spring-data-jpa integration-test
• #​16018 - [-Dnative] JPA class Person in integration-tests/spring-data-jpa uses j.u.Random
• #​16017 - Runtime initialize jgit classes using j.u.Random
• #​16008 - Runtime initialize grpc class using j.u.Random
• #​15952 - Runtime initialize RandomUtil in artemis-core extension
• #​15889 - Bouncycastle FIPs leaving a SecureRandom in heap
• #​15879 - Initialize classes using j.u.Random at runtime in kafka-client
• #​15864 - Initialize vertx redis client classes using SplittableRandom at runtime
• #​12755 - OIDC introspection of opaque access-token does not fill principal of SecurityIdentity
• #​5677 - shade-like transformers for uberjar creation

v1.13.3.Final

Compare Source

Major changes

Complete changelog

• #​16834 - Fix minor typos in the OIDC docs
• #​16832 - Downgrade Keycloak image to 12.0.3 as we have problems with the 12.0.4 image
• #​16824 - Fix RESTEasy Reactive Default Codestart on 1.13
• #​16819 - Bump kubernetes-client-bom from 5.3.0 to 5.3.1
• #​16811 - Switch to using s01.oss.sonatype.org everywhere
• #​16800 - Add Jackson extension dependency in the Kafka Client extension
• #​16796 - Fix typo in cdi-integration.adoc
• [#​16795](https://redirect.github.com/q

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.