fix(deps): update all non-major dependencies

[renovate]

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
github/codeql-action	action	patch	v3.30.1 -> v3.30.5
gradle (source)		minor	9.0.0 -> 9.1.0
org.jetbrains.kotlinx.kover	plugin	patch	0.9.1 -> 0.9.2
dev.aga.gradle.version-catalog-generator	plugin	patch	3.3.0 -> 3.3.2
org.springframework.boot:spring-boot-starter-test (source)	dependencies	patch	3.5.5 -> 3.5.6
org.springframework.boot:spring-boot-autoconfigure (source)	dependencies	patch	3.5.5 -> 3.5.6
org.springframework.boot:spring-boot-starter (source)	dependencies	patch	3.5.5 -> 3.5.6
io.quarkus	plugin	minor	3.26.2 -> 3.28.1
io.quarkus:quarkus-junit5	dependencies	minor	3.26.2 -> 3.28.1
io.quarkus:quarkus-arc	dependencies	minor	3.26.2 -> 3.28.1
io.quarkus:quarkus-bom	dependencies	minor	3.26.2 -> 3.28.1

---

Release Notes

github/codeql-action (github/codeql-action)

v3.30.5

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.5 - 26 Sep 2025

• We fixed a bug that was introduced in 3.30.4 with upload-sarif which resulted in files without a .sarif extension not getting uploaded. #​3160

See the full CHANGELOG.md for more information.

v3.30.4

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.4 - 25 Sep 2025

• We have improved the CodeQL Action's ability to validate that the workflow it is used in does not use different versions of the CodeQL Action for different workflow steps. Mixing different versions of the CodeQL Action in the same workflow is unsupported and can lead to unpredictable results. A warning will now be emitted from the codeql-action/init step if different versions of the CodeQL Action are detected in the workflow file. Additionally, an error will now be thrown by the other CodeQL Action steps if they load a configuration file that was generated by a different version of the codeql-action/init step. #​3099 and #​3100
• We added support for reducing the size of dependency caches for Java analyses, which will reduce cache usage and speed up workflows. This will be enabled automatically at a later time. #​3107
• You can now run the latest CodeQL nightly bundle by passing tools: nightly to the init action. In general, the nightly bundle is unstable and we only recommend running it when directed by GitHub staff. #​3130
• Update default CodeQL bundle version to 2.23.1. #​3118

See the full CHANGELOG.md for more information.

v3.30.3

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.3 - 10 Sep 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.30.2

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.2 - 09 Sep 2025

• Fixed a bug which could cause language autodetection to fail. #​3084
• Experimental: The quality-queries input that was added in 3.29.2 as part of an internal experiment is now deprecated and will be removed in an upcoming version of the CodeQL Action. It has been superseded by a new analysis-kinds input, which is part of the same internal experiment. Do not use this in production as it is subject to change at any time. #​3064

See the full CHANGELOG.md for more information.

gradle/gradle (gradle)

v9.1.0

Compare Source

spring-projects/spring-boot (org.springframework.boot:spring-boot-starter-test)

v3.5.6

quarkusio/quarkus (io.quarkus:quarkus-junit5)

v3.28.1

Compare Source

Complete changelog

• #​32361 - Error when using withTransaction in RedisDataSource in clustered mode
• #​49405 - [quarkus-kubernetes-client]: DevServicesKubernetesProcessor always shuts down cluster because of broken equals method
• #​49531 - BlockingRedisDataSourceImpl doesn't call DISCARD if consumer function throws an exception
• #​49593 - After Hibernate ORM 7.1.0.CR2 bump, the jakarta.data.repository.BasicRepository#saveAll method fails if Hibernate Validator is present and entity has OneToMany relation
• #​49719 - Redis: if enqueued operation returns an error don't discard them
• #​49780 - @QuarkusMainTest fails with classloader error with continuous testing
• #​49936 - Include suggestions on what to customize when migrating to own FormatMappers
• #​50031 - Set up config correctly for isolated @QuarkusMainTests
• #​50053 - Bump hibernate-orm.version from 7.1.0.Final to 7.1.1.Final
• #​50071 - Upgrade Gradle to 9.1 which supports Java 25
• #​50075 - Quarkus AWS Lambda API Gateway v2 - Multiple Set-Cookie Headers Not Handled Correctly
• #​50076 - Please update to surefire plugin 3.5.4
• #​50086 - Update quarkus-fs-util to 1.2.0
• #​50092 - Update Maven Surefire & Failsafe plugins to 3.5.4
• #​50095 - Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4
• #​50106 - Quarkus-Flyway is throwing NoSuchMethodException when native compiled with Quarkus >= 3.24
• #​50108 - Fix native issue with FlywaySqlException
• #​50110 - Bump smallrye-reactive-messaging from 4.28.0 to 4.29.0
• #​50111 - Fix deprecated javax Hibernate properties
• #​50124 - Redis: improvements
• #​50125 - Change the max connections defaults for the Hibernate Search's Elasticsearch client
• #​50132 - Bump bouncycastle.version from 1.81 to 1.82
• #​50136 - Fix mouse move on active cards
• #​50137 - Correctly handle multiple Set-Cookie headers for API Gateway v2
• #​50140 - io.vertx.mutiny.sqlclient.Pool.pool(...) doesn't find the (postgres) db driver in native compilation being called from code
• #​50141 - NoClassDefFoundError: org/hibernate/community/dialect/CommunityDatabase when no default datasource
• #​50143 - Bump Gradle version to 9.1.0
• #​50145 - quarkus-messaging-kafka (Kotlin) – Error MetadataExtensions: Provider JvmMetadataExtensions not found in 3.26.4 and lower (works in <= 3.20.2 LTS)
• #​50146 - Simplify inference of the SupportedDbKind and avoid NoClassDefFoundError on CommunityDatabase
• #​50158 - Bump org.postgresql:postgresql from 42.7.7 to 42.7.8
• #​50163 - Prevent simultaneous usage of @InjectMock and @InjectSpy on the same bean during build
• #​50165 - Fix improper equals method implementation
• #​50167 - Register Reactive SQL Client Drivers
• #​50182 - Bump org.assertj:assertj-core from 3.27.4 to 3.27.5 in /devtools/gradle
• #​50185 - Bump Elasticsearch version to 9.1.4
• #​50189 - Bump org.assertj:assertj-core from 3.27.4 to 3.27.5
• #​50191 - Bump jakarta.mail:jakarta.mail-api from 2.1.4 to 2.1.5
• #​50194 - Bump io.quarkus:quarkus-platform-bom-maven-plugin from 0.0.123 to 0.0.124
• #​50195 - LGTM: Update grafana-dashboard-opentelemetry-logging.json TimeStamp
• #​50198 - Prevent simultaneous use of @InjectMock and @InjectSpy
• #​50199 - Fix Kotlin reflection issue in native mode
• #​50211 - ArC: fix NPE in InvokerGenerator
• #​50213 - Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 in /devtools/gradle
• #​50217 - Bump org.bouncycastle:bc-fips from 2.1.1 to 2.1.2
• #​50220 - Bump org.assertj:assertj-core from 3.27.5 to 3.27.6
• #​50225 - Build fails if a param with a primitive type and type annotation is declared on a method that is called via Invoker
• #​50230 - Bump Keycloak version to 26.3.4

v3.28.0

Compare Source

Complete changelog

• #​48976 - Hard-coded proxy connect timeout in REST client overrides connect timeout of REST client.
• #​49381 - quarkus.kubernetes-client.devservices.manifests does not work well with multiple dev services
• #​49415 - Still produce KubernetesDevServiceInfoBuildItem when a dev service already exists
• #​49808 - Set fixed file/dir permissions for zip entries when building an archive
• #​49870 - Bump com.amazonaws:aws-lambda-java-core from 1.3.0 to 1.4.0
• #​49903 - MCP Registry for Extensions
• #​50001 - Bump version.kotlin from 2.2.10 to 2.2.20
• #​50023 - Bump org.eclipse.angus:angus-activation from 2.0.2 to 2.0.3
• #​50024 - Bump jakarta.activation:jakarta.activation-api from 2.1.3 to 2.1.4
• #​50027 - Dev MCP: Allow enable/disable of methods
• #​50036 - Update Maven wrapper to 3.3.4
• #​50038 - Jandex: upgrade to 3.5.0
• #​50045 - Bump version.kotlin from 2.2.10 to 2.2.20
• #​50061 - Add support for the Proxy connect timeout in Quarkus REST Client

v3.27.0

Compare Source

Complete changelog

v3.26.4

Compare Source

Complete changelog

• #​49431 - Regression in native build container user handling and new warnings in Quarkus 3.25.0 (Docker-in-Docker CI)
• #​49545 - Bump the hibernate group with 5 updates
• #​49885 - Fix typos and make minor copyedits in the OIDC auth documentation
• #​49901 - Hibernate Reactive does not init database when using multiple named persistence units
• #​49916 - LGTM: Otel log output incorrect in Logging Dashboard
• #​49917 - OTEL logging dashboard correct timestamp
• #​49939 - Manage more Bouncy Castle artifacts to help enforcing dependency convergence throughout Quarkiverse
• #​49946 - Update IncludedQuarkusBuildTest to support Gradle 9.1
• #​49963 - CLI app created for latest LTS selects unsupported Gradle version, build fails
• #​49967 - Remove outdated Renarde references in OIDC and web guides
• #​49977 - Trivial: Fix typo in docs
• #​49982 - Bump the hibernate group with 5 updates
• #​49987 - Bean Validation via JSF broken from 3.24.1+
• #​49990 - Account for the null root bean when performing value validation
• #​49995 - Log invalid host name in the DevUi CORS filter
• #​49999 - Build Cycle error when SmallRye OpenAPI and JFR are used in the same project
• #​50000 - Fix Cycle when SmallRye OpenAPI is used with the JFR extension
• #​50005 - Bump com.google.code.gson:gson from 2.13.1 to 2.13.2
• #​50006 - Small fixes to Dev UI
• #​50014 - Agroal - DB connection pool Dev UI empty for MSSQL
• #​50016 - Hibernate does not init database when using multiple named persistence units
• #​50025 - Bump org.mariadb.jdbc:mariadb-java-client from 3.5.5 to 3.5.6
• #​50026 - Fix Build Cycle error when specific extensions and JFR are used in the same project
• #​50028 - Copy the Gradle wrapper instead of running the exec goal
• #​50029 - Remove outdated note about REST Client logging
• #​50030 - Fix for Kafka client config logs reappearing by default
• #​50035 - Update an example about REST Client logging
• #​50040 - This Gauge has been already registered "http.server.active.connections"
• #​50042 - Install appropriate Gradle wrapper in generated projects
• #​50043 - Bump smallrye-fault-tolerance.version from 6.9.2 to 6.9.3
• #​50050 - Dev UI Agroal: Fix jdbc url parsing for url with ; in it
• #​50051 - Hibernate Dev UI: Fix allowed jdbc url with ;
• #​50054 - Apply server.port tag to all the created Vert.x metrics
• #​50062 - Bump org.hibernate.tool:hibernate-tools-language from 7.1.0.Final to 7.1.1.Final in the hibernate group
• #​50068 - Bump io.smallrye.common:smallrye-common-bom from 2.13.8 to 2.13.9
• #​50074 - Fix hostname when starting Keycloak devServices in shared network
• #​50079 - Fix build failure when quarkus-rest-data-panache is used

v3.26.3

Compare Source

Complete changelog

• #​38996 - Intellij: Task sequence for task 'compileQuarkusGeneratedSourcesJava' not correct (Gradle, Kotlin, Multi-Module Project)
• #​45057 - Gradle build: "compileKotlin" depends from "compileQuarkusGeneratedSourcesJava"
• #​47028 - HTTP Compression still not working with quarkus-amazon-lambda-rest dependency
• #​49297 - quarkus-maven-plugin: dependency information is stored in the maven context and not properly cleaned up
• #​49561 - Updates Native build and runtime guides, Visual Studio 2022, UBI9, ArchLinux
• #​49652 - Task dependency error with gradle 9.0.0
• #​49742 - In Gradle, properly handle relocated artifacts in conditional dependency resolution
• #​49753 - Try to handle relocation artifacts gracefully in QuarkusComponentVariants
• #​49788 - Quarkus issue with quarkus-confluent-registry-avro and smallrye-config-jasypt
• #​49824 - Pass all the configuration minus Quarkus defaults to Gradle code generator task
• #​49833 - Make sure Amazon Lambda mock server doesn't interfere with HTTP compression
• #​49835 - Add a copy-to-clipboard feature for the MCP URL in server details
• #​49836 - Clarify Recorder config injection
• #​49844 - Manage more smallrye-fault-tolerance artifacts to help enforcing dependency convergence throughout Quarkiverse
• #​49847 - Catch Throwable in ApplicationLifecycleManager
• #​49850 - Update docs for Blaze-Persistence 1.6.17
• #​49854 - Datasource DevUI - get rid of duplicit DS in the list
• #​49856 - Bump org.hibernate.reactive:hibernate-reactive-core from 3.1.2.Final to 3.1.3.Final in the hibernate group
• #​49864 - Make sure compileJava and compileKotlin run after compileQuarkusGeneratedSourcesXXX tasks
• #​49867 - Bump to Vert.x 4.5.21 and Netty 4.1.127.Final
• #​49871 - memory leak in RestClientBuilderImpl when creating RestClient from Builder with TLSRegistry
• #​49873 - PermitAllInterceptor Executing a RolesAllowed Check in Dev Mode When quarkus.security.auth.enabled-in-dev-mode=false
• #​49874 - Clean up TLS config bookkeeping when a REST Client is closed
• #​49875 - Duplicate Transfer-Encoding: chunked headers in Quarkus response
• #​49879 - quarkus.http.enable-compression=true adds content-encoding gzip even for http 204 No content
• #​49880 - Remove Content-Encoding header when response is 204
• #​49882 - Fix link
• #​49883 - Quarkus MCP Tools no loading
• #​49886 - Fix: @PermitAll security annotation now correctly handle disabled authorization
• #​49887 - Manage more prometheus artifacts to help enforcing dependecy convergence throughout Quarkiverse
• #​49888 - Clone POM model before modifying it
• #​49894 - Filter out "Transfer-Encoding" header from a REST Response
• #​49897 - Fix "Go Home" on Dev UI
• #​49900 - Support for a custom OIDC resource metadata's authorization server URL
• #​49907 - Update OidcConfigMetadata to return supported properties such as subject and response types
• #​49912 - Bump wildfly-elytron.version from 2.6.4.Final to 2.6.5.Final
• #​49923 - In dev-ui -> Continuous Testing -> After running all, the table columns are not resizable and therefore Test Class and Name are truncated
• #​49924 - Dev UI: Make Continuous Testing Grid resizable
• #​49933 - MethodTooLargeException is thrown in compilation when the project has large number of rest clients (even unused)
• #​49934 - Allow registry offering configuration with an environment variable
• #​49935 - Ensure that a large numbers of REST Client interfaces doesn't break the build

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.