Bump the dependencies group with 5 updates

[dependabot]

Bumps the dependencies group with 5 updates:

Package	From	To
org.jline:jline	4.1.0	4.1.3
ch.qos.logback:logback-classic	1.5.32	1.5.34
tools.jackson:jackson-bom	3.1.3	3.1.4
org.graalvm.buildtools.native	1.1.0	1.1.1
com.gradleup.shadow	9.4.1	9.4.2

Updates org.jline:jline from 4.1.0 to 4.1.3

Release notes

Sourced from org.jline:jline's releases.

JLine 4.1.3 is a patch release with important fixes for terminal close handling, raw mode signal behavior, FFM memory management, and shell command argument parsing.

Bug Fixes

• fix: terminal.close() blocks when pump thread is reading stdin (#1911, fixes #1909)
• fix: clear ISIG in enterRawMode so Ctrl+C reaches raw-mode readers (#1912)
• fix: use confined arenas instead of auto arenas in FFM CLibrary (#1913, fixes #1872)
• fix: swap rows/columns in openpty winsize constructor call (#1914, fixes #1910)
• fix: fix command argument parsing in DefaultCommandDispatcher (#1924)

Chores

• chore: add OSS AI helper rules for project conventions (#1917)

Dependencies

• chore: Bump org.graalvm.buildtools:native-maven-plugin from 1.1.0 to 1.1.1 (#1915)
• chore: Bump org.apache.maven.plugins:maven-surefire-plugin from 3.5.5 to 3.5.6 (#1918)
• chore: Bump com.diffplug.spotless:spotless-maven-plugin from 3.5.1 to 3.6.0 (#1919)

Full Changelog: jline/jline3@4.1.2...4.1.3

JLine 4.1.2 is a patch release focused on correctness fixes across the parser, terminal I/O, and shell modules.

Bug Fixes

• fix: echo preserves backslash before unrecognised escape sequences (#1901, fixes #1863)
• fix: DefaultParser preserves backslashes inside quotes (#1902, fixes #1877)
• fix: NonBlockingInputStream keeps thread alive after EOF (#1903, fixes #1879)
• fix: ensure cursor position after alternate screen init (#1904, fixes #1883)
• fix: use parser for command argument splitting (#1907, fixes #1876)

Dependencies

• chore: Bump eu.maveniverse.maven.nisse:extension from 0.9.1 to 0.9.2 (#1905)

Full Changelog: jline/jline3@4.1.1...4.1.2

JLine 4.1.1 is a patch release focused on stability fixes. The most notable change corrects the POSIX raw mode defaults (VMIN/VTIME) in enterRawMode, which could cause shell REPL sessions to hang or malfunction on certain platforms. This release also fixes a Display bug where the internal line buffer could alias or reject immutable caller-provided lists, hardens signal registration against null returns, and corrects alternate charset handling in ScreenTerminal.

🐛 Bug Fixes

• fix: Fixed Display oldLines being set as possible immutable lists. (#1878) @​Elec332
• fix: use POSIX cfmakeraw defaults (VMIN=1, VTIME=0) in enterRawMode (#1871) @​BryanSant
• fix: skip null returns from signal registration in AbstractUnixSysTerminal (#1869) @​BryanSant
• fix: Fixed ScreenTerminal alt-charset (#1867) @​Elec332

📦 Dependency updates

• chore: Bump com.palantir.javaformat:palantir-java-format from 2.90.0 to 2.91.0 (#1898) @​dependabot

... (truncated)

Commits

• 7f44a23 fix: fix command argument parsing in DefaultCommandDispatcher (#1924)
• 911e3d6 chore: Bump com.diffplug.spotless:spotless-maven-plugin from 3.5.1 to 3.6.0 (...
• 15cdac5 chore: Bump org.apache.maven.plugins:maven-surefire-plugin from 3.5.5 to 3.5....
• 2d3e1ff chore: Bump org.graalvm.buildtools:native-maven-plugin from 1.1.0 to 1.1.1 (#...
• 0ac019a fix: terminal.close() blocks when pump thread is reading stdin (#1911)
• 1d63740 fix: use confined arenas instead of auto arenas in FFM CLibrary (fixes #1872)
• 1604643 Merge pull request #1912 from jline/dot-tarragon
• 147ee9c chore: add OSS AI helper rules for project conventions (#1917)
• 1735c1f fix: swap rows/columns in openpty winsize constructor call (fixes #1910)
• d9f6b86 fix: add PromptCancelTest from #1908 with timeout and fixture patterns
• Additional commits viewable in compare view

Updates ch.qos.logback:logback-classic from 1.5.32 to 1.5.34

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.34

2026-06-01 Release of logback version 1.5.34

• In case certain StackTraceElement values returned by the Throwable.getStackTrace method are null, StackTraceElementProxy substitutes a dummy instance instead of throwing an IllegalArgumentException. This resolves [issues #1040](qos-ch/logback#1040), reported by Naotsugu Kobayashi.

• HardenedObjectInputStream will now throw an InvalidClassException during deserialization attempts of Proxy classes. This change addresses potential deserialization whitelist bypass vulnerability reported by York Shen and registered as CVE-2026-10532.

• A bitwise identical binary of this version can be reproduced by building from source code at commit e62272ac152469aec1ede056c3c7d0d7314e7bfe associated with the tag v_1.5.34. This release was built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.33

2026-05-27 Release of logback version 1.5.33

• PropertiesConfiguratorModelHandler now registers properties file URLs to the ConfigurationWatchList when scan is enabled (via local scan="true" attribute or top-level configuration scan), ensuring changes are detected and reconfiguration occurs. This problem was reported in issues/1034.

• When processing <conversionRule> elements and both class and converterClass attributes are specified, silently use the class attribute without issuing a warning. However, if the attribute values differ, a warning will be issued. This change was requested in issues/1031.

• HardenedModelInputStream will no longer accept to deserialize all classes located under the "java.lang" and "java.util" packages but a limited number of explicitly authorized classes in those packages. This potential deserialization whitelist bypass vulnerability was reported by York Shen and registered as CVE-2026-9828.

• SSL parameters for SSLSocketAppender now enable hostname verification by default. Moreover, the default protocol is now "TLSv1.2". This potential vulnerability was reported by York Shen.

• When printing the status message field, ViewStatusMessagesServletBase now escapes special characters such as "&" as character entities. This potential vulnerability was reported by York Shen.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 124e8b49b55ac34d08743a0646bd463410192647 associated with the tag v_1.5.33. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Commits

• e62272a prepare release 1.5.34
• 1e9e926 add resolveProxyClassRejectsDynamicProxies unit test
• 2de5cbe added StackTraceElementProxyTest, minor edits to AGENTS.md
• 0e9b927 in case StackTraceElement is null use a substitute, fixing issues/1040
• f7a0654 prevent resolveProxyClass bypass
• 249b81f docs are no longer distributed
• 1c3b26a start work on 1.5.34-SNAPSHOT
• 124e8b4 prepare release 1.5.33
• d8fd6f2 escapeTags in message field when printing status messages
• 95edbeb hostnameVerification default to true in SSLParametersConfiguration, SSL.DEFAU...
• Additional commits viewable in compare view

Updates tools.jackson:jackson-bom from 3.1.3 to 3.1.4

Commits

• 4085e4d [maven-release-plugin] prepare release jackson-bom-3.1.4
• f8e1a4e Prep for 3.1.4 release
• 47eb6ea Merge branch '2.x' into 3.1
• 902ec69 Update Woodstox/stax2-api (to 7.2.0/4.3.0)
• d5df403 Post-release dep version bump
• 7ed6798 [maven-release-plugin] prepare for next development iteration
• 2570647 Merge branch '2.21' into 2.x
• 9d3a9d5 Post-release dep version bump
• 84bcf7f [maven-release-plugin] prepare for next development iteration
• 374fbd0 [maven-release-plugin] prepare release jackson-bom-2.21.3
• Additional commits viewable in compare view

Updates org.graalvm.buildtools.native from 1.1.0 to 1.1.1

Release notes

Sourced from org.graalvm.buildtools.native's releases.

1.1.1

What's Changed

• Release 1.1.0 by @​graalvmbot in graalvm/native-build-tools#880
• Bump version to 1.1.1-SNAPSHOT by @​graalvmbot in graalvm/native-build-tools#881
• Adapt missing metadata issues to title-only coordinates by @​jormundur00 in graalvm/native-build-tools#886
• Skip JDK 25 metadata schema check on macOS x64 by @​jormundur00 in graalvm/native-build-tools#888
• Treat not-for-native-image metadata as covered by @​jormundur00 in graalvm/native-build-tools#884
• Skip metadata requests for artifacts unavailable in Maven Central repository by @​jormundur00 in graalvm/native-build-tools#890
• Bump reachability metadata repository to 1.0.2 by @​jormundur00 in graalvm/native-build-tools#897
• Allow empty classpath for layer-create builds by @​jormundur00 in graalvm/native-build-tools#895

Full Changelog: graalvm/native-build-tools@1.1.0...1.1.1

Commits

• fd47dd5 Release 1.1.1
• 0d6e84e Allow empty classpath for layer-create builds (#895)
• 56a974c Bump reachability metadata repository to 1.0.2 (#897)
• 5c091d7 Skip metadata requests for artifacts unavailable in Maven Central repository ...
• e91cd32 Treat not-for-native-image metadata as covered (#884)
• 97565e2 Skip JDK 25 metadata schema check on macOS x64 (#888)
• 6bffd62 Adapt missing metadata issues to title-only coordinates (#886)
• 83ec10d Merge pull request #881 from graalvm/bump-version-to-1.1.1-SNAPSHOT
• a0dee9e Bump version to 1.1.1-SNAPSHOT
• 7852e4c Merge pull request #880 from graalvm/release/1.1.0
• See full diff in compare view

Updates com.gradleup.shadow from 9.4.1 to 9.4.2

Release notes

Sourced from com.gradleup.shadow's releases.

9.4.2

Changed

• Update jdependency to support Java 27. (#2033)

Commits

• 29c432a Prepare version 9.4.2
• 8aa8e6c Update dependency org.vafer:jdependency to v2.16 (#2033)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions