chore(deps): bump the low-risk group across 1 directory with 8 updates

[dependabot]

Bumps the low-risk group with 8 updates in the / directory:

Package	From	To
org.projectlombok:lombok	1.18.44	1.18.46
nl.jqno.equalsverifier:equalsverifier	4.4.2	4.5
io.projectreactor:reactor-bom	2025.0.4	2025.0.5
org.springframework.boot:spring-boot-dependencies	3.5.13	3.5.14
io.projectreactor.netty:reactor-netty-core	1.3.4	1.3.5
org.pitest:pitest-parent	1.23.0	1.23.1
org.pitest:pitest-maven	1.23.0	1.23.1
com.google.code.gson:gson	2.13.2	2.14.0

Updates org.projectlombok:lombok from 1.18.44 to 1.18.46

Changelog

Sourced from org.projectlombok:lombok's changelog.

v1.18.46 (April 22nd, 2026)

• PLATFORM: JDK26 support added #4019.
• PLATFORM: Spring Tools Suite 5 supported #3985.
• BUGFIX: @Jacksonized no longer stops generating @JsonProperty once an explicit @JsonIgnore annotations is encountered #4022.
• BUGFIX: In eclipse, mixing @Jacksonized and fluent = true no longer causes the error com.fasterxml.jackson.annotation.JsonProperty is not a repeatable annotation interface. #3934.
• BUGFIX: Some finishing touches for v1.18.44's support of Jackson3 #4004.

Commits

• 936ca59 [build] lombok's launcher is still intended to be 1.4 compatible, or at least...
• fcdab3f [version] pre-release version bump
• 1cb7d49 [changelog]#4004 Mention Jackson3 final touches in changelog.
• 12a15b0 Fix: Bump EA_JDK to 27 (25 and 26 have been released)
• 2be766c Merge branch 'jackson3-final-touches'
• 290fa4c [trivial] constantize the warning we spit out for ambiguous jackson2/3, and m...
• e6567b6 test: Add Jackson 3 test cases and version ambiguity warnings
• 45e72e2 feat: Add Jackson 3 databind/dataformat annotations to HandlerUtil copy lists
• 184d423 feat: Add Jackson 3 support to @​Jacksonized handlers
• e027ad0 refactored to ShadowClassLoader use Collections::enumeration instead of Vector
• Additional commits viewable in compare view

Updates nl.jqno.equalsverifier:equalsverifier from 4.4.2 to 4.5

Release notes

Sourced from nl.jqno.equalsverifier:equalsverifier's releases.

Release equalsverifier-4.5

For a list of changes in this version, see CHANGELOG.md.

Changelog

Sourced from nl.jqno.equalsverifier:equalsverifier's changelog.

[4.5] - 2026-04-17

Added

• EqualsVerifier now detects when java.net.URL fields are used in equals or hashCode, since URL.equals() and URL.hashCode() perform DNS resolution, making them network-dependent and non-deterministic. Consider using URI.create(url.toString()) instead. This check can be suppressed with Warning.URL_EQUALITY. (Issue #1203)

Commits

• 3f72cbc Bumps version to 4.5
• abd5aa9 Updates CHANGELOG for release
• 04f89c1 Merge pull request #1204 from jqno/add-url-fieldcheck
• ffc7f03 Streamlines UrlTest
• e9cf3be Adds URL FieldCheck
• 472e8b1 Update copyright year in README.md
• 94ebdf6 Merge pull request #1202 from jqno/vendors-signedjar-test
• 8d6327d Excludes equalsverifier-test-signedjar from PITest coverage
• 7b828dc All signed-jar tests should run via failsafe so it runs through the actual ja...
• 377c217 Incorporates SignedJarTest from separate repository
• Additional commits viewable in compare view

Updates io.projectreactor:reactor-bom from 2025.0.4 to 2025.0.5

Release notes

Sourced from io.projectreactor:reactor-bom's releases.

2025.0.5

2025.0.5 release train is made of:

• reactor-core 3.8.5
• reactor-pool 1.2.5
• reactor-netty 1.3.5

These artifacts didn't have any changes:

• reactor-addons 3.6.0
• reactor-kotlin-extensions 1.3.0

Commits

• 23647bf [release] Prepare and release BOM 2025.0.5
• a06b97c Merge-ignore release 2024.0.17 into 2025.0.5
• 5d94ca6 [release] Back to snapshots, next BOM will be SR 18
• 2f52f4a [release] Prepare and release BOM 2024.0.17
• e68d8ad Merge bbbf5d86 into 2025.0.5
• bbbf5d8 Fix Gradle deprecation warnings scheduled for removal in Gradle 10
• 1e8ee7c Merge #777 into 2025.0.5
• 997c971 Bump gradle-wrapper from 9.4.0 to 9.4.1 (#777)
• ba97cff Remove dependabot ignore configuration
• b8cb92a Merge 5e94cb91 into 2025.0.5
• Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-dependencies from 3.5.13 to 3.5.14

Release notes

Sourced from org.springframework.boot:spring-boot-dependencies's releases.

v3.5.14

🐞 Bug Fixes

• ApplicationPidFileWriter does not handle symlinks correctly #50173
• RandomValuePropertySource is not suitable for secrets #50172
• Cassandra auto-configuration misconfigures CqlSessionBuilder #50171
• ApplicationTemp does not handle symlinks correctly #50170
• Remote DevTools performs comparison incorrectly #50169
• spring.rabbitmq.ssl.verify-hostname is applied inconsistently #50168
• EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #50035
• Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #50033
• Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #50021
• WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #50008
• 500 response from env endpoint when supplied pattern is invalid #49942
• HTTP method is lost when configuring excludes in EndpointRequest #49885
• Docker Compose support doesn't work with apache/artemis image #49865
• Honor HttpMethod for reactive additional endpoint paths #49864
• Docker Compose support doesn't work with apache/activemq image #49863
• Imports on a containing test class are ignored when a nested class has imports #49860

📔 Documentation

• Link to the observability section of the Lettuce documentation is broken #50092
• Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location #50083
• MySamlRelyingPartyConfiguration is missing a Kotlin sample #50023
• Incorrect default value for management.httpexchanges.recording.include in configuration metadata #50010
• Link to the Kubernetes documentation when discussing startup probes #50007
• Update docs to encourage Java fundamentals for beginners that prefer to learn that way #49895
• Clarify that configuration property default values are not available through the Environment #49835

🔨 Dependency Upgrades

• Upgrade to Groovy 4.0.31 #49905
• Upgrade to Hibernate 6.6.49.Final #50140
• Upgrade to Jaxen 2.0.1 #50109
• Upgrade to Jaybird 6.0.5 #49907
• Upgrade to Jetty 12.0.34 #49908
• Upgrade to jOOQ 3.19.32 #50110
• Upgrade to Lombok 1.18.46 #50148
• Upgrade to MariaDB 3.5.8 #49909
• Upgrade to Micrometer 1.15.11 #49961
• Upgrade to Micrometer Tracing 1.5.11 #49962
• Upgrade to MySQL 9.7.0 #50161
• Upgrade to Neo4j Java Driver 5.28.13 #50074
• Upgrade to Reactor Bom 2024.0.17 #49963
• Upgrade to Spring AMQP 3.2.10 #49964
• Upgrade to Spring Authorization Server 1.5.7 #49965
• Upgrade to Spring Data Bom 2025.0.11 #49966
• Upgrade to Spring Framework 6.2.18 #49967
• Upgrade to Spring Kafka 3.3.15 #50129

... (truncated)

Commits

• 7d7b3ac Release v3.5.14
• 9dc5aa2 Polish
• f533a45 Do not follow symlinks when writing PID file
• f3b8eb0 Use SecureRandom in RandomValuePropertySource
• e22083a Enable hostname verification for SSL connections to Cassandra
• 5ceb1a2 Improve ApplicationTemp's temporary directory creation
• 4b0862c Use constant-time comparison for remote DevTools secret
• e4febe2 Apply verify-hostname consistently
• 2c2ffe5 Fix Windows test failure
• 0046a44 Protect against corrupt buildpack archives
• Additional commits viewable in compare view

Updates io.projectreactor.netty:reactor-netty-core from 1.3.4 to 1.3.5

Release notes

Sourced from io.projectreactor.netty:reactor-netty-core's releases.

v1.3.5

Reactor Netty 1.3.5 is part of 2025.0.5 Release Train.

What's Changed

✨ New features and improvements

• Depend on Reactor Core v3.8.5 by @​violetagg in b68dacab12f5ff46575f9009f34ea676a212879d, see release notes
• Depend on Netty v4.2.12.Final by @​violetagg in #4167
• Depend on Netty QUIC Codec v0.0.75.Final by @​violetagg in #4148
• Depend on Brave v6.3.1 by @​dependabot[bot] in #4159
• Optimise uri construction with baseUrl in HttpClientHandler by @​violetagg in #4130
• Optimise UriEndpoint#toSocketAddressStringWithoutDefaultPort by @​violetagg in #4131
• Store resolved SocketAddress in UriEndpoint for absolute URLs by @​violetagg in #4132
• Lazily compute HttpClientOperations#resourceUrl by @​violetagg in #4135
• Pre-compute path in UriEndpoint when URI is provided by @​violetagg in #4136
• Cleanup HTTP/2 WebSocket extension handlers by @​violetagg in #4152
• Optimise Flux body accumulation for GET/HEAD/DELETE requests by @​violetagg in #4164
• Fix HTTP/3 connection pool max streams handling by @​violetagg in #4182

🐞 Bug fixes

• Ensure connection concurrency and acquired counters are updated before delivering the slot by @​violetagg in #4179
• Fix StackOverflowError in ServerTransport graceful shutdown by @​violetagg in #4181
• Fix invalidated connection reuse in Http2Pool by @​violetagg in #4180

New Contributors

• @​Junuu made their first contribution in #4137

Full Changelog: reactor/reactor-netty@v1.3.4...v1.3.5

Commits

• b68daca [release] Prepare and release 1.3.5
• f8fc51b Merge-ignore release 1.2.17 into 1.3.5
• 4cffaf0 [release] Back to snapshots, next is 1.2.18-SNAPSHOT
• 3f6ae4c Defer asciidoctor-pdf check to execution time
• 9f6f3e0 [release] Prepare and release 1.2.17
• 7b2c429 Merge #4190 into 1.3.5
• 6225c6d Bump ruby/setup-ruby from 1.299.0 to 1.301.0 (#4190)
• f4f9b50 Bump org.bouncycastle:bcpkix-jdk18on from 1.83 to 1.84 (#4191)
• 5b344dc Merge #4187 into 1.3.5
• e177f39 Bump @​springio/antora-extensions from 1.14.10 to 1.14.11 in /docs (#4187)
• Additional commits viewable in compare view

Updates org.pitest:pitest-parent from 1.23.0 to 1.23.1

Release notes

Sourced from org.pitest:pitest-parent's releases.

1.23.1

• #1463 extend unmodifiable collections filtering

Commits

• 97b4bc4 Merge pull request #1463 from hcoles/feature/extend_unmofiable_filter
• 9f93c02 filter unmodifiable Map.copyOf
• 43be4cf filter unmodifiable Collections.singleton
• aa42551 add support link to report
• f2ec3b2 add funding info
• See full diff in compare view

Updates org.pitest:pitest-maven from 1.23.0 to 1.23.1

Release notes

Sourced from org.pitest:pitest-maven's releases.

1.23.1

• #1463 extend unmodifiable collections filtering

Commits

• 97b4bc4 Merge pull request #1463 from hcoles/feature/extend_unmofiable_filter
• 9f93c02 filter unmodifiable Map.copyOf
• 43be4cf filter unmodifiable Collections.singleton
• aa42551 add support link to report
• f2ec3b2 add funding info
• See full diff in compare view

Updates com.google.code.gson:gson from 2.13.2 to 2.14.0

Release notes

Sourced from com.google.code.gson:gson's releases.

Gson 2.14.0

What's Changed

• Add type adapters for java.time classes by @​eamonnmcmanus in google/gson#2948

  When the java.time API is available, Gson automatically can read and write instances of classes like Instant and Duration. The format it uses essentially freezes the JSON representation that ReflectiveTypeAdapterFactory established by default, based on the private fields of java.time classes. That's not a great representation, but it is understandable. Changing it to anything else would break compatibility with systems that are expecting the current format.

  With this change, Gson no longer tries to access private fields of these classes using reflection. So it is no longer necessary to run with --add-opens for these classes on recent JDKs.

• Remove com.google.gson.graph by @​eamonnmcmanus in google/gson#2990.

  This package was not part of any released artifact and depended on Gson internals in potentially problematic ways.

• Validate that strings being parsed as integers consist of ASCII characters by @​eamonnmcmanus in google/gson#2995

  Previously, strings could contain non-ASCII Unicode digits and still be parsed as integers. That's inconsistent with how JSON numbers are treated.

• Fix duplicate key detection when first value is null by @​andrewstellman in google/gson#3006

  This could potentially break code that was relying on the incorrect behaviour. For example, this JSON string was previously accepted but will no longer be: {"foo": null, "foo": bar}.

• Remove Serializable from internal Type implementation classes. by @​eamonnmcmanus in google/gson#3011

  The nested classes ParameterizedTypeImpl, GenericArrayTypeImpl, and WildcardTypeImpl in GsonTypes are implementations of the corresponding types (without Impl) in java.lang.reflect. For some reason, they were serializable, even though the java.lang.reflect implementations are not. Having unnecessarily serializable classes could conceivably have been a security problem if they were part of a larger exploit using serialization. (We do not consider this a likely scenario and do not suggest that you need to update Gson just to get this change.)

• Add LegacyProtoTypeAdapterFactory. by @​eamonnmcmanus in google/gson#3014

  This is not part of any released artifact, but may be of use when trying to fix code that is currently accessing the internals of protobuf classes via reflection.

• Make AppendableWriter do flush and close if delegation object supports by @​MukjepScarlet in google/gson#2925

Other less visible changes

• Add default capacity to EnumTypeAdapter maps by @​MukjepScarlet in google/gson#2959
• refactor: move derived adapters from Gson to TypeAdapters by @​MukjepScarlet in google/gson#2951
• Optimize new Gson() by @​MukjepScarlet in google/gson#2864

New Contributors

• @​ThirdGoddess made their first contribution in google/gson#2944
• @​lmj798 made their first contribution in google/gson#2988
• @​Eng-YasminKotb made their first contribution in google/gson#3005
• @​andrewstellman made their first contribution in google/gson#3006

Full Changelog: google/gson@gson-parent-2.13.2...gson-parent-2.14.0

Commits

• 3ff35d6 [maven-release-plugin] prepare release gson-parent-2.14.0
• a3024fd Bump the maven group with 13 updates (#3002)
• 5689ffe Bump the github-actions group across 1 directory with 3 updates (#3018)
• 48db33c Add LegacyProtoTypeAdapterFactory. (#3014)
• 53d703e Update outdated comment regarding serializable types (#3012)
• 0189b72 Remove Serializable from internal Type implementation classes. (#3011)
• f4d371d Fix duplicate key detection when first value is null (#3006)
• 27d9ba1 Fix typo in README (JPMS dependencies section) (#3005)
• 1fa9b7a Validate that strings being parsed as integers consist of ASCII characters (#...
• b7d5954 Add iterator fail-fast tests for LinkedTreeMap.clear() (#2992)
• Additional commits viewable in compare view

Updates org.pitest:pitest-maven from 1.23.0 to 1.23.1

Release notes

Sourced from org.pitest:pitest-maven's releases.

1.23.1

• #1463 extend unmodifiable collections filtering

Commits

• 97b4bc4 Merge pull request #1463 from hcoles/feature/extend_unmofiable_filter
• 9f93c02 filter unmodifiable Map.copyOf
• 43be4cf filter unmodifiable Collections.singleton
• aa42551 add support link to report
• f2ec3b2 add funding info
• See full diff in compare view

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
org.springframework.boot:spring-boot-dependencies	[>= 4.a0, < 5]

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[RichardSlater]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[RichardSlater]

Patch bump, standard pre-approved change.