Update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
gradle (source)		minor	9.4.1 → 9.5.0
org.postgresql:postgresql (source)	dependencies	patch	42.7.10 → 42.7.11
org.jdbi:jdbi3-core (source)	dependencies	minor	3.52.1 → 3.53.0
com.github.ben-manes.caffeine:caffeine	dependencies	patch	3.2.3 → 3.2.4
org.flywaydb:flyway-database-hsqldb	dependencies	minor	12.4.0 → 12.5.0
org.flywaydb:flyway-database-postgresql	dependencies	minor	12.4.0 → 12.5.0
org.flywaydb:flyway-mysql	dependencies	minor	12.4.0 → 12.5.0
org.flywaydb:flyway-core	dependencies	minor	12.4.0 → 12.5.0
net.fabricmc.fabric-api:fabric-api (source)	dependencies	minor	0.146.1+26.1.2 → 0.148.0+26.1.2

---

Release Notes

gradle/gradle (gradle)

v9.5.0

Compare Source

pgjdbc/pgjdbc (org.postgresql:postgresql)

v42.7.11

Security

• fix: Limit SCRAM PBKDF2 iterations accepted from the server.
  pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins.
  See the Security Advisory for more detail.
  The following CVE-2026-42198 has been issued.

Added

• feat: implement require_auth connection property, aligning with libpq behavior PR #​3895

Changed

• chore: replace Appveyor CI with ikalnytskyi/action-setup-postgres PR #​3966
• chore: upgrade Gradle to v9 PR #​3978

Fixed

• fix: ensure extended protocol messages end with Sync message PR #​3728
• fix: enable cursor-based fetching in extended protocol when transaction started via SQL command PR #​3996
• fix: retry with SSL on IOException when sslMode=ALLOW PR #​3973
• fix: make sure the driver honours connectTimeout when retrying the connection PR #​3968
• fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in PR #​3968
• fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers PR #​3962
• fix: use compareTo for LogSequenceNumber comparison to handle unsigned values correctly PR #​3961
• fix: release COPY lock on IOException to prevent connection hang PR #​3957
• fix: return jsonb as PGObject instead of String PR #​3956
• fix: align SSL key file permission check with libpq PR #​3952
• fix: guard connection closed flag with a reentrant lock to protect against concurrent close PR #​3905

jdbi/jdbi (org.jdbi:jdbi3-core)

v3.53.0

Compare Source

Fixes: Jdbi-Freemarker Security Advisory GHSA-mggx-p7jf-jgw4

The Freemarker configuration allows templates to construct arbitrary
Java types, including freemarker.template.utility.Execute.

While exploiting this requires other unsafe practices (letting a user
dictate template input), it seems prudent to disable template class resolution.

Please see GHSA-mggx-p7jf-jgw4 for more details.

Upgrade to testcontainers 2.x

While this required no code changes, the testcontainers project has
renamed a number of their jar files. Jdbi still supports
testcontainers 1.x and now also testcontainers 2.x:

If you are using testcontainers with Jdbi today and can not update to
2.x, make sure that you reference the org.testcontainers:jdbc and
org.testcontainers:junit-jupiter dependencies. Those used to be
available as transitive dependency from jdbi3-testcontainers.

If you upgrade to testcontainers 2.x, the
org.testcontainers:testcontainers-jdbc and
org.testcontainers:testcontainers-junit-jupiter dependencies must be
available.

• Update testcontainers dependency to 2.0.5 (from 1.21.4)
• Add StatementContext parameter to SqlExceptionHandler and remove return value

ben-manes/caffeine (com.github.ben-manes.caffeine:caffeine)

v3.2.4: 3.2.4

• Improved access expiration's read performance by avoiding false sharing effects caused by the timestamp update
• Fixed head-of-line blocking of expiration queues caused by in-flight async entries (#​1954)
• Fixed various minor issues found using AI audits
• Added ObjectInputFilter support to JCache

FabricMC/fabric (net.fabricmc.fabric-api:fabric-api)

v0.148.0+26.1.2: [26.1.2] Fabric API 0.148.0+26.1.2

Compare Source

• Bump version (modmuss50)
• Revert "Update translations (#​5342)" (#​5371) (modmuss)
• Update translations (#​5342) (github-actions[bot], Fabric Bot)
• Implement dynamic block tinting support with BlockTintsFactory integration (#​5357) (Marc Hermans, modmuss50)
• Add String#toLowerCase/toUpperCase without locale checkstyle (#​5367) (Kevin, modmuss)
• Allow using Identifiers in advancement datagen (#​5366) (Celeste, Juuz)
• Add transitive access widener to Minecraft#blockModelResolver (#​5349) (Jab125)
• Add EntityFluidInteractionRegistry and FluidBehaviour api (#​5335) (Patbox)
• feat: ClientHotbarScrollEvents (#​5330) (Sylv, Kilip1000)

v0.147.0+26.1.2: [26.1.2] Fabric API 0.147.0+26.1.2

Compare Source

• Bump version (modmuss50)
• fix VanillaTooltipOrderProvider in remapped development environments (#​5359) (cputnam-a11y)
• client gametest: allow compute methods to return nullable (#​5347) (D. Firmansyah)
• Expand c:hidden_from_recipe_viewers (#​5340) (Cassian Godsted)
• Add ServerEntityEvents.ALLOW_LOAD, Entity.spawnReason() and Entity.isLoadedFromDisk() (#​5329) (DennisOchulor)
• Add constant interfaces to Contributing Guidelines (#​5327) (Sylv)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "after 6pm on the 6th day of the month"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.