build(deps-dev): bump com.github.spotbugs:spotbugs-maven-plugin from 4.9.8.3 to 4.10.3.0#509
Merged
bertysentry merged 3 commits intoJul 15, 2026
Conversation
Contributor
|
@dependabot rebase |
Bumps [com.github.spotbugs:spotbugs-maven-plugin](https://github.com/spotbugs/spotbugs-maven-plugin) from 4.9.8.3 to 4.10.3.0. - [Release notes](https://github.com/spotbugs/spotbugs-maven-plugin/releases) - [Commits](spotbugs/spotbugs-maven-plugin@spotbugs-maven-plugin-4.9.8.3...spotbugs-maven-plugin-4.10.3.0) --- updated-dependencies: - dependency-name: com.github.spotbugs:spotbugs-maven-plugin dependency-version: 4.10.3.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
a0adc76 to
64c6730
Compare
SpotBugs 4.10.x (bundled with spotbugs-maven-plugin 4.10.3.0) reports 5 new bugs that fail the build: - USO_UNSAFE_OBJECT_SYNCHRONIZATION in BlockManager: synchronize on a private lock object instead of the publicly visible instance, and route notification through a private method so the lock never escapes the class. - CT_CONSTRUCTOR_THROW in StdinExtension, JRT and StreamInputSource: suppressed with justification; the constructors only perform fail-fast argument validation and the classes hold no security-sensitive state exploitable via finalizer attacks. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The parent pom (oss-parent 4) pins spotbugs-maven-plugin 4.9.3.0 in its reporting section, so `mvn verify site` ran the verify-phase check with 4.10.3.0 but then re-analyzed with the older 4.9.3 engine during site generation, overwriting target/spotbugsXml.xml. SpotBugs 4.9.3 raises false US_USELESS_SUPPRESSION_ON_METHOD warnings for suppressions on constructors (fixed in 4.10), which made the spotbugs GitHub check report warnings even though spotbugs:check passed. Declare the plugin version once in a spotbugs-maven-plugin.version property (which Dependabot can bump) and reference it from both the build and reporting sections. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
bertysentry
added a commit
that referenced
this pull request
Jul 15, 2026
…ss-parent Inline everything jawk actually inherited from oss-parent:5 so that all plugin versions and configuration live in this repository and are managed by Dependabot here: - distributionManagement (Maven Central Portal repositories) - maven-artifact-plugin buildinfo execution (reproducible builds) - maven-source-plugin / maven-javadoc-plugin attach executions and the full javadoc configuration (doclint, sourcepath, etc.) - license-maven-plugin header configuration (copyrightOwners, process tags, section delimiter) merged with the local LGPL settings, plus the check-license execution - UTF-8 encoding properties - default-lifecycle plugin versions (compiler, resources, install, deploy) and explicit versions on surefire, failsafe, jar - reporting section: jxr, checkstyle, pmd, javadoc, project-info-reports (same reportSet as before) - maven-central profile (central-publishing-maven-plugin, activated by MAVEN_CENTRAL_TOKEN) and release profile (gpg signing, release plugin) Intentional differences from the inherited build: - checkstyle and pmd now use a shared version property for the build check and the site report, like spotbugs (see #509); this bumps the pmd site report from 3.26.0 to 3.28.0 so it matches the verify-phase check - the changelog report is gone entirely (it was only declared locally to skip the report inherited from the parent) - enforcer/jacoco pluginManagement entries were not carried over: the parent never bound executions for them, so they had no effect Verified with mvn clean verify site (BUILD SUCCESS, same artifacts: jar, sources, javadoc, standalone, buildinfo, full site) and by diffing help:effective-pom before/after, including with -Prelease and MAVEN_CENTRAL_TOKEN set. Closes #512 Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps com.github.spotbugs:spotbugs-maven-plugin from 4.9.8.3 to 4.10.3.0.
Release notes
Sourced from com.github.spotbugs:spotbugs-maven-plugin's releases.
... (truncated)
Commits
f0e6f45[maven-release-plugin] prepare release spotbugs-maven-plugin-4.10.3.086af8d5Merge pull request #1473 from spotbugs/renovate/spotbugs.version2fc1232Update dependency com.github.spotbugs:spotbugs to v4.10.38938370Merge pull request #1472 from hazendaz/antwork68ee04dReplace 'ant' usage with process builder4fcdf58Merge pull request #1471 from hazendaz/masterc97f85e[ci] Minor cleanup after toolchain adjustmentsf7dde3a[nio] Change 'spotbugsAuxClasspath' file to a temp file and remove larger try...ce2addbMerge pull request #1470 from hazendaz/restructurebc53d37[ci] readme update to reproducible builesd info