update transitive dependencies

[mkleene]

No description provided.

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3085b633-e7a3-45f2-a541-dc06f48eb4e7

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dont-expose-so-much

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request refactors the SDK by reducing the visibility of numerous classes and enums to package-private or internal, and updates InvalidZipException to extend SDKException. It also introduces ArchUnit for architectural testing. Feedback focuses on several critical accessibility issues in Manifest.java, where making inner classes package-private would cause compilation errors or break the public API due to their exposure in public fields and methods. A suggestion was also made to implement ArchUnit rules to automatically detect such API leaks in the future.

[gemini-code-assist]

The Segment class is used in the segments field of IntegrityInformation (line 148). Since IntegrityInformation is a public static inner class and segments is a public field, making Segment package-private will cause accessibility issues or compilation errors for external consumers of the SDK.

Suggested change

	static class Segment {
	static public class Segment {

[gemini-code-assist]

The Binding class is used in the binding field of the Assertion class. If Assertion is restored to public visibility to resolve the API leak, Binding must also be public.

Suggested change

	static class Binding {
	static public class Binding {

[gemini-code-assist]

The Assertion class is used in the assertions field of the public Manifest class (line 560). In Java, a public field cannot expose a package-private type. This change will cause a compilation error and prevents external users from interacting with the assertions in a manifest.

Suggested change

	static class Assertion {
	static public class Assertion {

[gemini-code-assist]

The HashValues class is used as a return type for the verify method (line 406) and as a parameter for the sign method (line 379). Since these methods are public members of the Assertion class, HashValues must also be public to avoid compilation errors and ensure API usability.

Suggested change

	static class HashValues {
	static public class HashValues {

[gemini-code-assist]

The addition of ArchUnit is a great step for maintaining architectural integrity. Given the extensive visibility changes in this PR, you should consider adding ArchUnit rules to verify that internal implementation details (like package-private classes) do not leak through public API signatures or fields, which would help catch issues like the ones identified in Manifest.java.

[gemini-code-assist]

For consistency with other components of the Manifest structure that are intended to be accessible, PolicyBinding should remain public. While it is currently exposed via an Object field in KeyAccess, consumers may need to cast it to access its properties.

Suggested change

	static class PolicyBinding {
	static public class PolicyBinding {

[github-actions]

X-Test Failure Report

[github-actions]

X-Test Failure Report