Skip to content

build(deps-dev): bump com.github.spotbugs:spotbugs-maven-plugin from 4.9.8.3 to 4.10.3.0#509

Merged
bertysentry merged 3 commits into
mainfrom
dependabot/maven/com.github.spotbugs-spotbugs-maven-plugin-4.10.3.0
Jul 15, 2026
Merged

build(deps-dev): bump com.github.spotbugs:spotbugs-maven-plugin from 4.9.8.3 to 4.10.3.0#509
bertysentry merged 3 commits into
mainfrom
dependabot/maven/com.github.spotbugs-spotbugs-maven-plugin-4.10.3.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 13, 2026

Copy link
Copy Markdown
Contributor

Bumps com.github.spotbugs:spotbugs-maven-plugin from 4.9.8.3 to 4.10.3.0.

Release notes

Sourced from com.github.spotbugs:spotbugs-maven-plugin's releases.

Spotbugs Maven Plugin 4.10.3.0

Summary

This release delivers improvements to reliability, maintainability, and reproducibility. The SpotBugs execution path has been modernized by replacing the Ant-based launcher with ProcessBuilder, temporary auxiliary classpath handling has been improved, and toolchain detection has been made more robust. Build tooling has also been cleaned up with Maven modernization efforts, improved reproducible artifact generation, and updated documentation. Additional fixes include improved artifact handling, test coverage improvements, and dependency updates.

What's Changed

New Contributors

Full Changelog: spotbugs/spotbugs-maven-plugin@spotbugs-maven-plugin-4.10.2.0...spotbugs-maven-plugin-4.10.3.0

Spotbugs Maven Plugin 4.10.2.0

  • Support spotbugs 4.10.2

What's Changed

Full Changelog: spotbugs/spotbugs-maven-plugin@spotbugs-maven-plugin-4.9.8.5...spotbugs-maven-plugin-4.10.2.0

Spotbugs Maven Plugin 4.9.8.5

What's Changed

Full Changelog: spotbugs/spotbugs-maven-plugin@spotbugs-maven-plugin-4.9.8.4...spotbugs-maven-plugin-4.9.8.5

Spotbugs Maven Plugin 4.9.8.4

  • build support for maven 4 with maven 4 plugins
  • spotbugs extensions jars now moved to target/spotbugs instead of root

... (truncated)

Commits
  • f0e6f45 [maven-release-plugin] prepare release spotbugs-maven-plugin-4.10.3.0
  • 86af8d5 Merge pull request #1473 from spotbugs/renovate/spotbugs.version
  • 2fc1232 Update dependency com.github.spotbugs:spotbugs to v4.10.3
  • 8938370 Merge pull request #1472 from hazendaz/antwork
  • 68ee04d Replace 'ant' usage with process builder
  • 4fcdf58 Merge pull request #1471 from hazendaz/master
  • c97f85e [ci] Minor cleanup after toolchain adjustments
  • f7dde3a [nio] Change 'spotbugsAuxClasspath' file to a temp file and remove larger try...
  • ce2addb Merge pull request #1470 from hazendaz/restructure
  • bc53d37 [ci] readme update to reproducible builesd info
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Jul 13, 2026
@bertysentry

Copy link
Copy Markdown
Contributor

@dependabot rebase

Bumps [com.github.spotbugs:spotbugs-maven-plugin](https://github.com/spotbugs/spotbugs-maven-plugin) from 4.9.8.3 to 4.10.3.0.
- [Release notes](https://github.com/spotbugs/spotbugs-maven-plugin/releases)
- [Commits](spotbugs/spotbugs-maven-plugin@spotbugs-maven-plugin-4.9.8.3...spotbugs-maven-plugin-4.10.3.0)

---
updated-dependencies:
- dependency-name: com.github.spotbugs:spotbugs-maven-plugin
  dependency-version: 4.10.3.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/maven/com.github.spotbugs-spotbugs-maven-plugin-4.10.3.0 branch from a0adc76 to 64c6730 Compare July 15, 2026 11:17
bertysentry and others added 2 commits July 15, 2026 13:31
SpotBugs 4.10.x (bundled with spotbugs-maven-plugin 4.10.3.0) reports
5 new bugs that fail the build:

- USO_UNSAFE_OBJECT_SYNCHRONIZATION in BlockManager: synchronize on a
  private lock object instead of the publicly visible instance, and
  route notification through a private method so the lock never
  escapes the class.
- CT_CONSTRUCTOR_THROW in StdinExtension, JRT and StreamInputSource:
  suppressed with justification; the constructors only perform
  fail-fast argument validation and the classes hold no
  security-sensitive state exploitable via finalizer attacks.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The parent pom (oss-parent 4) pins spotbugs-maven-plugin 4.9.3.0 in its
reporting section, so `mvn verify site` ran the verify-phase check with
4.10.3.0 but then re-analyzed with the older 4.9.3 engine during site
generation, overwriting target/spotbugsXml.xml. SpotBugs 4.9.3 raises
false US_USELESS_SUPPRESSION_ON_METHOD warnings for suppressions on
constructors (fixed in 4.10), which made the spotbugs GitHub check
report warnings even though spotbugs:check passed.

Declare the plugin version once in a spotbugs-maven-plugin.version
property (which Dependabot can bump) and reference it from both the
build and reporting sections.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@bertysentry bertysentry merged commit 3d27265 into main Jul 15, 2026
5 checks passed
@bertysentry bertysentry deleted the dependabot/maven/com.github.spotbugs-spotbugs-maven-plugin-4.10.3.0 branch July 15, 2026 13:26
bertysentry added a commit that referenced this pull request Jul 15, 2026
…ss-parent

Inline everything jawk actually inherited from oss-parent:5 so that all
plugin versions and configuration live in this repository and are managed
by Dependabot here:

- distributionManagement (Maven Central Portal repositories)
- maven-artifact-plugin buildinfo execution (reproducible builds)
- maven-source-plugin / maven-javadoc-plugin attach executions and the
  full javadoc configuration (doclint, sourcepath, etc.)
- license-maven-plugin header configuration (copyrightOwners, process
  tags, section delimiter) merged with the local LGPL settings, plus the
  check-license execution
- UTF-8 encoding properties
- default-lifecycle plugin versions (compiler, resources, install,
  deploy) and explicit versions on surefire, failsafe, jar
- reporting section: jxr, checkstyle, pmd, javadoc, project-info-reports
  (same reportSet as before)
- maven-central profile (central-publishing-maven-plugin, activated by
  MAVEN_CENTRAL_TOKEN) and release profile (gpg signing, release plugin)

Intentional differences from the inherited build:

- checkstyle and pmd now use a shared version property for the build
  check and the site report, like spotbugs (see #509); this bumps the
  pmd site report from 3.26.0 to 3.28.0 so it matches the verify-phase
  check
- the changelog report is gone entirely (it was only declared locally to
  skip the report inherited from the parent)
- enforcer/jacoco pluginManagement entries were not carried over: the
  parent never bound executions for them, so they had no effect

Verified with mvn clean verify site (BUILD SUCCESS, same artifacts:
jar, sources, javadoc, standalone, buildinfo, full site) and by diffing
help:effective-pom before/after, including with -Prelease and
MAVEN_CENTRAL_TOKEN set.

Closes #512

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file java Pull requests that update Java code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant