Bump the build-dependencies group with 15 updates

[dependabot]

Bumps the build-dependencies group with 15 updates:

Package	From	To
org.junit.platform:junit-platform-gradle-plugin	1.0.1	1.0.3
biz.aQute.bnd	7.0.0	7.1.0
com.diffplug.spotless	7.0.2	7.0.4
org.checkerframework	0.6.40	0.6.55
org.jetbrains.gradle.plugin.idea-ext	1.0	1.1.10
com.dorongold.task-tree	2.1.1	4.0.1
com.gradle.develocity	3.17.6	4.0.2
com.gradle.common-custom-user-data-gradle-plugin	2.0.2	2.3
org.apache.httpcomponents:httpclient	4.5.13	4.5.14
org.jsoup:jsoup	1.15.3	1.21.1
de.thetaphi:forbiddenapis	3.8	3.9
org.apache.maven:maven-embedder	3.9.9	3.9.10
org.apache.maven:maven-compat	3.9.9	3.9.10
org.apache.maven.resolver:maven-resolver-connector-basic	1.9.18	1.9.23
org.apache.maven.resolver:maven-resolver-transport-http	1.9.18	1.9.23

Updates org.junit.platform:junit-platform-gradle-plugin from 1.0.1 to 1.0.3

Commits

• See full diff in compare view

Updates biz.aQute.bnd from 7.0.0 to 7.1.0

Updates com.diffplug.spotless from 7.0.2 to 7.0.4

Updates org.checkerframework from 0.6.40 to 0.6.55

Updates org.jetbrains.gradle.plugin.idea-ext from 1.0 to 1.1.10

Updates com.dorongold.task-tree from 2.1.1 to 4.0.1

Updates com.gradle.develocity from 3.17.6 to 4.0.2

Updates com.gradle.common-custom-user-data-gradle-plugin from 2.0.2 to 2.3

Updates org.apache.httpcomponents:httpclient from 4.5.13 to 4.5.14

Updates org.jsoup:jsoup from 1.15.3 to 1.21.1

Release notes

Sourced from org.jsoup:jsoup's releases.

jsoup 1.21.1

jsoup 1.21.1 is out now, featuring powerful new node selection capabilities that let you target specific DOM nodes like comments and text nodes using CSS selectors, dynamic tag customization through the new TagSet callback system, and improved defense against mutation XSS attacks with simplified attribute escaping. This release also brings HTTP/2 support by default, numerous API improvements for better developer experience, and fixes for several edge-case parsing issues.

jsoup is a Java library for working with real-world HTML and XML. It provides a very convenient API for extracting and manipulating data, using the best of HTML5 DOM methods and CSS selectors.

Changes

• Removed previously deprecated methods. #2317
• Deprecated the :matchText pseduo-selector due to its side effects on the DOM; use the new ::textnode selector and the Element#selectNodes(String css, Class<T> type) method instead. #2343
• Deprecated Connection.Response#bufferUp() in lieu of Connection.Response#readFully() which can throw a checked IOException.
• Deprecated internal methods Validate#ensureNotNull(Object) (replaced by typed Validate#expectNotNull(T)); protected HTML appenders from Attribute and Node.
• If you happen to be using any of the deprecated methods, please take the opportunity now to migrate away from them, as they will be removed in a future release.

Improvements

• Enhanced the Selector to support direct matching against nodes such as comments and text nodes. For example, you can now find an element that follows a specific comment: ::comment:contains(prices) + p will select p elements immediately after a <!-- prices: --> comment. Supported types include ::node, ::leafnode, ::comment, ::text, ::data, and ::cdata. Node contextual selectors like ::node:contains(text), :matches(regex), and :blank are also supported. Introduced Element#selectNodes(String css) and Element#selectNodes(String css, Class<T> nodeType) for direct node selection. #2324
• Added TagSet#onNewTag(Consumer<Tag> customizer): register a callback that’s invoked for each new or cloned Tag when it’s inserted into the set. Enables dynamic tweaks of tag options (for example, marking all custom tags as self-closing, or everything in a given namespace as preserving whitespace). #2330
• Made TokenQueue and CharacterReader autocloseable, to ensure that they will release their buffers back to the buffer pool, for later reuse.
• Added Selector#evaluatorOf(String css), as a clearer way to obtain an Evaluator from a CSS query. An alias of QueryParser.parse(String css).
• Custom tags (defined via the TagSet) in a foreign namespace (e.g. SVG) can be configured to parse as data tags.
• Added NodeVisitor#traverse(Node) to simplify node traversal calls (vs. importing NodeTraversor).
• Updated the default user-agent string to improve compatibility. #2341
• The HTML parser now allows the specific text-data type (Data, RcData) to be customized for known tags. (Previously, that was only supported on custom tags.) #2326
• Added Connection.Response#readFully() as a replacement for Connection.Response#bufferUp() with an explicit IOException. Similarly, added Connection.Response#readBody() over Connection.Response#body(). Deprecated Connection.Response#bufferUp(). #2327
• When serializing HTML, the < and > characters are now escaped in attributes. This helps prevent a class of mutation XSS attacks. #2337
• Changed Connection to prefer using the JDK's HttpClient over HttpUrlConnection, if available, to enable HTTP/2 support by default. Users can disable via -Djsoup.useHttpClient=false. #2340

Bug Fixes

• The contents of a script in a svg foreign context should be parsed as script data, not text. #2320
• Tag#isFormSubmittable() was updating the Tag's options. #2323
• The HTML pretty-printer would incorrectly trim whitespace when text followed an inline element in a block element. #2325
• Custom tags with hyphens or other non-letter characters in their names now work correctly as Data or RcData tags. Their closing tags are now tokenized properly. #2332
• When cloning an Element, the clone would retain the source's cached child Element list (if any), which could lead to incorrect results when modifying the clone's child elements. #2334

jsoup 1.20.1

Changes

• To better follow the HTML5 spec and current browsers, the HTML parser no longer allows self-closing tags (<foo />) to close HTML elements by default. Foreign content (SVG, MathML), and content parsed with the XML parser, still supports self-closing tags. If you need specific HTML tags to support self-closing, you can register a custom tag via the TagSet configured in Parser.tagSet(), using Tag#set(Tag.SelfClose). Standard void tags (such as <img>, <br>, etc.) continue to behave as usual and are not affected by this change. #2300.
• The following internal components have been deprecated. If you do happen to be using any of these, please take the opportunity now to migrate away from them, as they will be removed in jsoup 1.21.1.
  • ChangeNotifyingArrayList, Document.updateMetaCharsetElement(), Document.updateMetaCharsetElement(boolean), HtmlTreeBuilder.isContentForTagData(String), Parser.isContentForTagData(String), Parser.setTreeBuilder(TreeBuilder), Tag.formatAsBlock(), Tag.isFormListed(), TokenQueue.addFirst(String), TokenQueue.chompTo(String), TokenQueue.chompToIgnoreCase(String), TokenQueue.consumeToIgnoreCase(String), TokenQueue.consumeWord(), TokenQueue.matchesAny(String...)

Functional Improvements

• Rebuilt the HTML pretty-printer, to simplify and consolidate the implementation, improve consistency, support custom Tags, and provide a cleaner path for ongoing improvements. The specific HTML produced by the pretty-printer may be different from previous versions. #2286.
• Added the ability to define custom tags, and to modify properties of known tags, via the TagSet tag collection. Their properties can impact both the parse and how content is serialized (output as HTML or XML). #2285.
• Element.cssSelector() will prefer to return shorter selectors by using ancestor IDs when available and unique. E.g. #id > div > p instead of html > body > div > div > p #2283.
• Added Elements.deselect(int index), Elements.deselect(Object o), and Elements.deselectAll() methods to remove elements from the Elements list without removing them from the underlying DOM. Also added Elements.asList() method to get a modifiable list of elements without affecting the DOM. (Individual Elements remain linked to the DOM.) #2100.
• Added support for sending a request body from an InputStream with Connection.requestBodyStream(InputStream stream). #1122.
• The XML parser now supports scoped xmlns: prefix namespace declarations, and applies the correct namespace to Tags and Attributes. Also, added Tag#prefix(), Tag#localName(), Attribute#prefix(), Attribute#localName(), and Attribute#namespace() to retrieve these. #2299.
• CSS identifiers are now escaped and unescaped correctly to the CSS spec. Element#cssSelector() will emit appropriately escaped selectors, and the QueryParser supports those. Added Selector.escapeCssIdentifier() and ` Selector.unescapeCssIdentifier(). #2297, #2305

... (truncated)

Changelog

Sourced from org.jsoup:jsoup's changelog.

1.21.1 (2025-Jun-23)

Changes

• Removed previously deprecated methods. #2317
• Deprecated the :matchText pseduo-selector due to its side effects on the DOM; use the new ::textnode selector and the Element#selectNodes(String css, Class type) method instead. #2343
• Deprecated Connection.Response#bufferUp() in lieu of Connection.Response#readFully() which can throw a checked IOException.
• Deprecated internal methods Validate#ensureNotNull (replaced by typed Validate#expectNotNull); protected HTML appenders from Attribute and Node.
• If you happen to be using any of the deprecated methods, please take the opportunity now to migrate away from them, as they will be removed in a future release.

Improvements

• Enhanced the Selector to support direct matching against nodes such as comments and text nodes. For example, you can now find an element that follows a specific comment: ::comment:contains(prices) + p will select p elements immediately after a <!-- prices: --> comment. Supported types include ::node, ::leafnode, ::comment, ::text, ::data, and ::cdata. Node contextual selectors like ::node:contains(text), :matches(regex), and :blank are also supported. Introduced Element#selectNodes(String css) and Element#selectNodes(String css, Class nodeType) for direct node selection. #2324
• Added TagSet#onNewTag(Consumer<Tag> customizer): register a callback that’s invoked for each new or cloned Tag when it’s inserted into the set. Enables dynamic tweaks of tag options (for example, marking all custom tags as self-closing, or everything in a given namespace as preserving whitespace).
• Made TokenQueue and CharacterReader autocloseable, to ensure that they will release their buffers back to the buffer pool, for later reuse.
• Added Selector#evaluatorOf(String css), as a clearer way to obtain an Evaluator from a CSS query. An alias of QueryParser.parse(String css).
• Custom tags (defined via the TagSet) in a foreign namespace (e.g. SVG) can be configured to parse as data tags.
• Added NodeVisitor#traverse(Node) to simplify node traversal calls (vs. importing NodeTraversor).
• Updated the default user-agent string to improve compatibility. #2341
• The HTML parser now allows the specific text-data type (Data, RcData) to be customized for known tags. (Previously, that was only supported on custom tags.) #2326.
• Added Connection#readFully() as a replacement for Connection#bufferUp() with an explicit IOException. Similarly, added Connection#readBody() over Connection#body(). Deprecated Connection#bufferUp(). #2327
• When serializing HTML, the < and > characters are now escaped in attributes. This helps prevent a class of mutation XSS attacks. #2337
• Changed Connection to prefer using the JDK's HttpClient over HttpUrlConnection, if available, to enable HTTP/2 support by default. Users can disable via -Djsoup.useHttpClient=false. #2340

Bug Fixes

• The contents of a script in a svg foreign context should be parsed as script data, not text. #2320
• Tag#isFormSubmittable() was updating the Tag's options. #2323
• The HTML pretty-printer would incorrectly trim whitespace when text followed an inline element in a block element. #2325
• Custom tags with hyphens or other non-letter characters in their names now work correctly as Data or RcData tags. Their closing tags are now tokenized properly. #2332
• When cloning an Element, the clone would retain the source's cached child Element list (if any), which could lead to incorrect results when modifying the clone's child elements. #2334

1.20.1 (2025-Apr-29)

Changes

• To better follow the HTML5 spec and current browsers, the HTML parser no longer allows self-closing tags (<foo />) to close HTML elements by default. Foreign content (SVG, MathML), and content parsed with the XML parser, still supports self-closing tags. If you need specific HTML tags to support self-closing, you can register a custom tag via the TagSet configured in Parser.tagSet(), using Tag#set(Tag.SelfClose). Standard void tags (such as <img>, <br>, etc.) continue to behave as usual and are not affected by this change. #2300.
• The following internal components have been deprecated. If you do happen to be using any of these, please take the opportunity now to migrate away from them, as they will be removed in jsoup 1.21.1.
  • ChangeNotifyingArrayList, Document.updateMetaCharsetElement(), Document.updateMetaCharsetElement(boolean), HtmlTreeBuilder.isContentForTagData(String), Parser.isContentForTagData(String), Parser.setTreeBuilder(TreeBuilder), Tag.formatAsBlock(), Tag.isFormListed(), TokenQueue.addFirst(String), TokenQueue.chompTo(String), TokenQueue.chompToIgnoreCase(String), TokenQueue.consumeToIgnoreCase(String), TokenQueue.consumeWord(), TokenQueue.matchesAny(String...)

Functional Improvements

• Rebuilt the HTML pretty-printer, to simplify and consolidate the implementation, improve consistency, support custom Tags, and provide a cleaner path for ongoing improvements. The specific HTML produced by the pretty-printer may be different from previous versions. #2286.
• Added the ability to define custom tags, and to modify properties of known tags, via the TagSet tag collection. Their properties can impact both the parse and how content is

... (truncated)

Commits

• 9a059f4 [maven-release-plugin] prepare release jsoup-1.21.1
• a9f6ad0 Prep 1.21.1 release
• 63ed60b Tidy up exception test
• a4d451f Improved unhandled node type error msg
• cf88221 Added ::cdata node selector
• 893706a Deprecate :matchText selector (#2343)
• 2a73678 Added javadoc note for Connection#timeout
• 3f70665 Fix date format
• 2f48c65 Updated the default UA
• 42dbaa0 Cleanup redundant Syntax parameter
• Additional commits viewable in compare view

Updates de.thetaphi:forbiddenapis from 3.8 to 3.9

Updates org.apache.maven:maven-embedder from 3.9.9 to 3.9.10

Updates org.apache.maven:maven-compat from 3.9.9 to 3.9.10

Release notes

Sourced from org.apache.maven:maven-compat's releases.

3.9.10

Release Notes - Maven - Version 3.9.10

... (truncated)

Commits

• 5f519b9 [maven-release-plugin] prepare release maven-3.9.10
• c2acc2f [MNG-8745] Bump xmlunitVersion from 2.10.1 to 2.10.2 (#2389)
• 1da6ce5 [MNG-8396] Backport: add cache layer to the filtered dep graph (#2393)
• 169219a [MNG-8745] Bump xmlunitVersion from 2.10.0 to 2.10.1 (#2354)
• 88c77b6 [MNG-8734] Make Maven 3.9.10 ignore --raw-streams option (#2361)
• ca55739 [MNG-8728] Build ITs on JDK 21, 24
• dee00c1 [MNG-8728] Bump Eclipse Sisu from 0.9.0.M3 to 0.9.0.M4 (#2359)
• c2671d0 Update README.md
• 6559599 [MNG-8711] Fix concurrent cache access
• d213a7b [MNG-8731] Use https for xsi:schemaLocation in generated descriptors
• Additional commits viewable in compare view

Updates org.apache.maven.resolver:maven-resolver-connector-basic from 1.9.18 to 1.9.23

Release notes

Sourced from org.apache.maven.resolver:maven-resolver-connector-basic's releases.

1.9.23

Release Notes - Maven Resolver - Version 1.9.23

... (truncated)

Commits

• 8535d09 [maven-release-plugin] prepare release maven-resolver-1.9.23
• 5eb06ca Refresh links on the configuration page
• d60e7c8 Remove suppressions for checkstyle MagicNumber
• fcc2fcc [MRESOLVER-703] Expose redirect config for http transport
• 2830727 [MRESOLVER-711] Bump org.redisson:redisson from 3.45.1 to 3.46.0 (#714)
• fa94e8d Deploy snapshot artifacts by Jenkins
• 2683c54 Update site descriptors
• 27cb420 [MRESOLVER-717] Bump org.codehaus.plexus:plexus-classworlds from 2.7.0 to 2.9...
• 6a7019f [MRESOLVER-716] Bump com.google.guava:guava from 33.1.0-jre to 33.4.8-jre (#712)
• 79c973e [MRESOLVER-714] Bump org.codehaus.plexus:plexus-xml from 3.0.0 to 3.0.2 (#709)
• Additional commits viewable in compare view

Updates org.apache.maven.resolver:maven-resolver-transport-http from 1.9.18 to 1.9.23

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[hibernate-github-bot]

Thanks for your pull request!

This pull request appears to follow the contribution rules.

› This message was automatically generated.

[yrodiere]

Only these two have a major bump:

com.dorongold.task-tree 	2.1.1 	4.0.1
com.gradle.develocity 	3.17.6 	4.0.2

task-tree is for debugging so I'm willing to risk it, and we should know about Develocity soon enough (when the build succeeds, let's just check there actually are reports, and no Develocity build cache failures in logs)