fix(deps): update all non-major dependencies

[renovate]

Note

Mend has cancelled the proposed renaming of the Renovate GitHub app being renamed to mend[bot].

This notice will be removed on 2025-10-07.

---

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
github/codeql-action	action	patch	v3.30.5 -> v3.30.6
ossf/scorecard-action	action	patch	v2.4.2 -> v2.4.3
io.quarkus	plugin	patch	3.28.1 -> 3.28.2
io.quarkus:quarkus-junit5	dependencies	patch	3.28.1 -> 3.28.2
io.quarkus:quarkus-arc	dependencies	patch	3.28.1 -> 3.28.2
io.quarkus:quarkus-bom	dependencies	patch	3.28.1 -> 3.28.2
org.junit:junit-bom (source)	dependencies	minor	5.13.4 -> 5.14.0

---

Release Notes

github/codeql-action (github/codeql-action)

v3.30.6

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.6 - 02 Oct 2025

• Update default CodeQL bundle version to 2.23.2. #​3168

See the full CHANGELOG.md for more information.

ossf/scorecard-action (ossf/scorecard-action)

v2.4.3

Compare Source

What's Changed

This update bumps the Scorecard version to the v5.3.0 release. For a complete list of changes, please refer to the Scorecard v5.3.0 release notes.

Documentation

• docs: clarify GITHUB_TOKEN permissions needed for private repos by @​pankajtaneja5 in #​1574
• 📖 Fix recommended command to test the image in development by @​deivid-rodriguez in #​1583

Other

• add missing top-level token permissions to workflows by @​timothyklee in #​1566
• setup codeowners for requesting reviews by @​spencerschrock in #​1576
• 🌱 Improve printing options by @​deivid-rodriguez in #​1584

New Contributors

• @​timothyklee made their first contribution in #​1566
• @​pankajtaneja5 made their first contribution in #​1574
• @​deivid-rodriguez made their first contribution in #​1584

Full Changelog: ossf/scorecard-action@v2.4.2...v2.4.3

quarkusio/quarkus (io.quarkus:quarkus-junit5)

v3.28.2

Compare Source

Complete changelog

• #​48641 - Messaging kafka: incorrect setting of the graceful shutdown property for dev/test modes
• #​49861 - Correct setting kafka graceful-shutdown property for dev and test profiles
• #​50207 - Allow configuring Cache-Control when OIDC session cookie is created
• #​50224 - Bump org.bouncycastle:bctls-fips from 2.1.20 to 2.1.22
• #​50226 - Micrometer HTTP server requests metrics tags multiple URLs for 404s
• #​50228 - @RestControllerAdvice raise exception
• #​50243 - Use annotationProcessorPathsUseDepMgmt in Jakarta Data docs
• #​50246 - Changes that allows Mcp usage from Chappie
• #​50249 - Add OIDC CacheControl configuration
• #​50250 - Add Transactional config in Infinispan client side
• #​50251 - Polyglot application using truffle-enterprise fails due to missing nativebridge artifact in boot.
• #​50252 - OutboundSseEvents (SSE) are not compressed
• #​50253 - Make test-fixture sources available to continuous testing
• #​50254 - Fix server requests metrics tags for 404s when initialPath ends with /
• #​50259 - Explain where the links go for clarity, in the dev mode docs
• #​50263 - Configure Infinispan tx caches on client side
• #​50264 - Fix initial download of decompiler when version not provided
• #​50265 - 3.28.1: java.util.zip.ZipException: duplicate entry in Quarkus generated jar(s)
• #​50270 - Allow ecosystem extensions to use dev service result builder
• #​50274 - Quarkus 3.18.1 can't find config inner classes during @QuarkusTest tests
• #​50278 - Config - Avoid producing duplicate GeneratedClassBuildItem
• #​50281 - Make compression work in Quarkus REST for streaming responses
• #​50286 - Avoid double scanning mappings that are already included by the Quarkus processor
• #​50288 - Make org.graalvm.sdk:nativebridge dependency parent first
• #​50293 - UriInfo.getBaseUri ignores prefix header handling
• #​50299 - Adding prefix handling to base uri
• #​50300 - Improve documentation to clarify servlet type support is limited to RESTEasy Classic
• #​50312 - Update security-openid-connect-providers.adoc
• #​50314 - Multiple GeneratedClassBuildItem were produced for the same classes when using abstract class
• #​50315 - Issues with quarkus-oidc-redis-token-state-manager
• #​50316 - DevUI MCP Tool Call from Cursor fails => Cannot invoke "java.util.Map.entrySet()" because "parameters" is null
• #​50320 - Dev MCP: Don't set empty params
• #​50325 - Fix issue with multiple generated REST invokers
• #​50327 - Application using Hibernate offline startup tries to connect to database in DEV mode on startup
• #​50333 - Fix OIDC Redis Token State Manager serialization in native mode
• #​50339 - Bump the hibernate group with 9 updates
• #​50343 - Add example of sending back a file with `RestResponse
• #​50348 - Fix Maven Wrapper in platform codestarts

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.