dependabot[bot] opened a new pull request, #561: URL: https://github.com/apache/maven-parent/pull/561
Bumps [com.diffplug.spotless:spotless-maven-plugin](https://github.com/diffplug/spotless) from 3.4.0 to 3.5.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/diffplug/spotless/releases";>com.diffplug.spotless:spotless-maven-plugin's releases</a>.</em></p> <blockquote> <h2>Maven Plugin v3.5.1</h2> <h3>Fixed</h3> <ul> <li><code><licenseHeader></code> with <code><yearMode>SET_FROM_GIT</yearMode></code> no longer runs <code>git log</code> through a shell, eliminating a shell-injection vector when formatting files whose names contain shell metacharacters.</li> <li>Bump transitive <code>plexus-utils</code> <code>4.0.2</code> -> <code>4.0.3</code> to address <a href="https://github.com/advisories/GHSA-6fmv-xxpf-w3cw";>CVE-2025-67030</a>. (<a href="https://redirect.github.com/diffplug/spotless/issues/2919";>#2919</a>)</li> </ul> <h2>Maven Plugin v3.5.0</h2> <h3>Added</h3> <ul> <li><code><scalafmt></code> now reads the version from the <code>version</code> field in the scalafmt config file when no <code><version></code> is explicitly set, falling back to the built-in default only if neither is available. (<a href="https://redirect.github.com/diffplug/spotless/pull/2922";>#2922</a>)</li> <li>Add <code><toml></code> format type with <code><versionCatalog></code> step for formatting and sorting Gradle version catalog files. (<a href="https://redirect.github.com/diffplug/spotless/issues/2916";>#2916</a>)</li> <li>Add <code><javaparserVersion></code> option to <code><cleanthat></code>, allowing users to override the JavaParser version pulled in transitively by Cleanthat. (<a href="https://redirect.github.com/diffplug/spotless/pull/2903";>#2903</a>)</li> <li>Add a <code>expandWildcardImports</code> API for java (<a href="https://redirect.github.com/diffplug/spotless/pull/2930";>#2829</a>)</li> </ul> <h3>Fixed</h3> <ul> <li>Preserve case of JDBI named bind params that collide with SQL keywords (e.g. <code>:limit</code>, <code>:offset</code>) in the DBeaver SQL formatter. (<a href="https://redirect.github.com/diffplug/spotless/pull/2899";>#2899</a>)</li> <li>The <code>-Dspotless.ratchetFrom=...</code> user property now takes priority over <code><ratchetFrom></code> configured in the plugin or in individual formatters, instead of being overridden by them. (<a href="https://redirect.github.com/diffplug/spotless/pull/2896";>#2896</a>, fixes <a href="https://redirect.github.com/diffplug/spotless/issues/2842";>#2842</a>)</li> <li>Fix non-idempotent formatting when <code>importOrder()</code> is combined with <code>greclipse()</code>: a single catch-all group no longer strips blank lines that <code>greclipse()</code> independently inserted between import groups. (<a href="https://redirect.github.com/diffplug/spotless/pull/2914";>#2914</a>)</li> </ul> <h3>Changes</h3> <ul> <li>Fix <code>expandWildcardImports</code> failing on JDK XML types such as <code>org.xml.sax.InputSource</code>. (<a href="https://redirect.github.com/diffplug/spotless/pull/2921";>#2921</a>)</li> <li>Use Eclipse JDT's collator-based comparison when sorting Java members to better match Eclipse save actions. (<a href="https://redirect.github.com/diffplug/spotless/pull/2920";>#2920</a>)</li> <li>Bump default <code>cleanthat</code> version <code>2.24</code> -> <code>2.25</code>. (<a href="https://redirect.github.com/diffplug/spotless/pull/2903";>#2903</a>)</li> <li>Bump default <code>eclipse-jdt</code> version from <code>4.35</code> to <code>4.39</code>. (<a href="https://redirect.github.com/diffplug/spotless/pull/2912";>#2912</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/diffplug/spotless/commit/0c48edf9597ec16e82e1a0b6da76a6a6dcc0d5de";><code>0c48edf</code></a> Published maven/3.5.1</li> <li><a href="https://github.com/diffplug/spotless/commit/c1595c815d5fdd344505792aa4df588f467f0ca9";><code>c1595c8</code></a> Published gradle/8.5.1</li> <li><a href="https://github.com/diffplug/spotless/commit/b26b570f7eba32554061b036206f675180cd2384";><code>b26b570</code></a> Published lib/4.6.1</li> <li><a href="https://github.com/diffplug/spotless/commit/ac3f6f14a2e007c2d36223335df96a2c9ba92719";><code>ac3f6f1</code></a> Bump plexus-utils to 4.0.3 to address CVE-2025-67030 (<a href="https://redirect.github.com/diffplug/spotless/issues/2932";>#2932</a>)</li> <li><a href="https://github.com/diffplug/spotless/commit/f5039f633d436a8831d09a934a3490d68968d684";><code>f5039f6</code></a> Bump plexus-utils to 4.0.3 to address CVE-2025-67030</li> <li><a href="https://github.com/diffplug/spotless/commit/0e77837d4789cb43b83c21d566fe4185adc4ae2b";><code>0e77837</code></a> Fix shell-injection in LicenseHeaderStep SET_FROM_GIT mode (<a href="https://redirect.github.com/diffplug/spotless/issues/2931";>#2931</a>)</li> <li><a href="https://github.com/diffplug/spotless/commit/84f642329de804615ff16f34d12a2249f1890850";><code>84f6423</code></a> Fix shell-injection in LicenseHeaderStep SET_FROM_GIT mode</li> <li><a href="https://github.com/diffplug/spotless/commit/b87eb75efe54e94a7248ff5e2d07231bcc3a1b55";><code>b87eb75</code></a> Published maven/3.5.0</li> <li><a href="https://github.com/diffplug/spotless/commit/97c3baf34b79d0028a343776bb2c2fb223930355";><code>97c3baf</code></a> Published gradle/8.5.0</li> <li><a href="https://github.com/diffplug/spotless/commit/3dd1a9690270e7191f2c7db8314a9079b127ee76";><code>3dd1a96</code></a> Published lib/4.6.0</li> <li>Additional commits viewable in <a href="https://github.com/diffplug/spotless/compare/maven/3.4.0...maven/3.5.1";>compare view</a></li> </ul> </details> <br /> <details> <summary>Most Recent Ignore Conditions Applied to This Pull Request</summary> | Dependency Name | Ignore Conditions | | --- | --- | | com.diffplug.spotless:spotless-maven-plugin | [>= 2.33.a, < 2.34] | </details> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
