Bump the plugins group with 6 updates

[dependabot]

Bumps the plugins group with 6 updates:

Package	From	To
org.apache.maven.plugins:maven-archetype-plugin	3.4.0	3.4.1
org.apache.maven.plugins:maven-dependency-plugin	3.8.1	3.9.0
org.apache.maven.plugins:maven-enforcer-plugin	3.6.1	3.6.2
org.jacoco:jacoco-maven-plugin	0.8.13	0.8.14
org.apache.maven.plugins:maven-pmd-plugin	3.27.0	3.28.0
org.owasp:dependency-check-maven	12.1.6	12.1.8

Updates org.apache.maven.plugins:maven-archetype-plugin from 3.4.0 to 3.4.1

Release notes

Sourced from org.apache.maven.plugins:maven-archetype-plugin's releases.

3.4.1

🐛 Bug Fixes

• Restore http in archetype descriptors (#945) @​slawekjaranowski
• [ARCHETYPE-548] - Resource files without extension missing in create-from-project (#273) @​Harry-Pootha

📝 Documentation updates

• Remove not existing module archetype-testing from documentation (#948) @​slawekjaranowski

👻 Maintenance

• feat: enable prevent branch protection rules (#938) @​sebtiem

📦 Dependency updates

• Use Maven 3.9.11 in dependencies, still requires 3.6.3 as minimum (#947) @​slawekjaranowski
• Bump org.codehaus.plexus:plexus-archiver from 4.10.1 to 4.10.2 (#946) @dependabot[bot]
• Bump m-invoker-p to 3.9.1 - to allow build by JDK 25 (#944) @​slawekjaranowski
• Bump org.apache.commons:commons-lang3 from 3.18.0 to 3.19.0 (#943) @dependabot[bot]
• Bump org.xmlunit:xmlunit-matchers from 2.10.3 to 2.10.4 (#940) @dependabot[bot]
• Bump org.apache.maven:maven-archiver from 3.6.3 to 3.6.4 (#934) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-archiver from 4.10.0 to 4.10.1 (#935) @dependabot[bot]
• Bump org.codehaus.mojo:mrm-maven-plugin from 1.6.0 to 1.7.0 (#936) @dependabot[bot]
• Bump org.apache.groovy:groovy-bom from 4.0.27 to 4.0.28 (#933) @dependabot[bot]
• Bump commons-io:commons-io from 2.19.0 to 2.20.0 (#932) @dependabot[bot]
• Bump org.easymock:easymock from 5.5.0 to 5.6.0 (#272) @dependabot[bot]
• Bump org.xmlunit:xmlunit-matchers from 2.10.2 to 2.10.3 (#929) @dependabot[bot]
• Bump org.apache.groovy:groovy-bom from 4.0.26 to 4.0.27 (#276) @dependabot[bot]
• Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.18.0 (#930) @dependabot[bot]
• Bump org.apache.maven:maven-parent from 44 to 45 (#927) @dependabot[bot]
• Bump org.xmlunit:xmlunit-matchers from 2.10.0 to 2.10.2 (#275) @dependabot[bot]

Commits

• 9097959 [maven-release-plugin] prepare release maven-archetype-3.4.1
• 38d00bf Use RESOLVED_VERSION for tag-template in release-drafter
• e344a94 Remove jira from README, update social media links
• 4a40785 Remove not existing module archetype-testing from documentation
• 7a4e240 Use Maven 3.9.11 in dependencies, still requires 3.6.3 as minimum
• 741ed2e Bump org.codehaus.plexus:plexus-archiver from 4.10.1 to 4.10.2
• 0fbc317 Restore http in archetype descriptors
• 444324a - Fixed resource files without extension missing in create-from-project
• 9cab90f Add hacktoberfest label to project
• ff25739 Bump m-invoker-p to 3.9.1 - to allow build by JDK 25
• Additional commits viewable in compare view

Updates org.apache.maven.plugins:maven-dependency-plugin from 3.8.1 to 3.9.0

Release notes

Sourced from org.apache.maven.plugins:maven-dependency-plugin's releases.

3.9.0

🚀 New features and improvements

• Use Resolver API in go-offline for dependencies resolving (#1533) @​slawekjaranowski
• Use Resolver API in go-offline for plugins resolving (#1532) @​slawekjaranowski
• Fixes #1522, add render-dependencies mojo (#1523) @​rmannibucau
• Use Resolver API in resolve-plugin (#1521) @​slawekjaranowski
• [MEDP-964] - unconditionally ignore dependencies known to be loaded by reflection (#1492) @​elharo
• Update maven-dependency-analyzer to support Java24 (#528) @​talios
• [MDEP-972] - copy-dependencies: copy signatures alongside artifacts (#514) @​Ndacyayisenga-droid
• [MDEP-776] - Warn when multiple dependencies have the same file name (#463) @​elharo
• [MDEP-966] - Migrate AnalyzeDepMgt to Sisu (#473) @​elharo
• [MDEP-957] - By default, don't report slf4j-simple as unused (#433) @​elharo

🐛 Bug Fixes

• ProjectBuildingRequest should not be modified (#1520) @​slawekjaranowski
• Fix - markersDirectory is not working when unpack goal is executed from command line (#537) @​vaibhavbatra15
• Fix broken link for analyze-exclusions-mojo on usage-page (#521) @​Bukama
• [MDEP-839] - Avoid extra blank lines in file (#495) @​elharo
• Update collect URL (#510) @​elharo
• [MDEP-689] - Fixes ignored dependency filtering in go-offline goal (#417) @​ldhardy
• [MDEP-960] - Repair silent logging (#447) @​elharo

📝 Documentation updates

• [MDEP-933] - Document dependency tree output formats (#535) @​Ndacyayisenga-droid
• Add additional comment to clarify the minimal supported version of ou… (#465) @​gluxhappy
• [MNGSITE-529] - Rename "Goals" to "Plugin Documentation" (#511) @​Bukama
• Unix file separators (#507) @​elharo

👻 Maintenance

• Simplify usage of RepositoryManager and DependencyResolver (#1518) @​slawekjaranowski
• Use Resolver API in copy and unpack (#1514) @​slawekjaranowski
• Update site descriptor to 2.0.0 (#1508) @​slawekjaranowski
• Enable prevent branch protection rules (#1503) @​slawekjaranowski
• Fix [MDEP-931] - Replace PrintWriter with Writer in AbstractSerializing Visitor and subclasses (#530) @​Ndacyayisenga-droid
• Cleanups dependencies (#1496) @​slawekjaranowski
• Copy edit parameter descriptions (#1488) @​elharo
• Small Javadoc clarifications (#533) @​elharo
• [MDEP-967] - Change info to debug logging in AbstractFromConfigurationMojo (#529) @​Ndacyayisenga-droid
• fix: remove duplicate maven-resolver-api and maven-resolver-util dependencies in pom.xml (#526) @​Ndacyayisenga-droid
• Enable GH issues (#522) @​Bukama
• Remove redundant/unneeded code (#519) @​elharo
• Add PR Automation and Stale actions (#513) @​slawekjaranowski
• Keep files in temporary directory to be deleted after test (#508) @​pzygielo
• Drop unnecessary call (#509) @​pzygielo
• Avoid deprecated ArtifactFactory (#489) @​elharo

... (truncated)

Commits

• 826e5f0 [maven-release-plugin] prepare release maven-dependency-plugin-3.9.0
• 0db1acc Use Resolver API in go-offline for dependencies resolving (#1533)
• e50031a Use Resolver API in go-offline for plugins resolving
• 6ed4b1a Bump org.apache.commons:commons-lang3 from 3.18.0 to 3.19.0
• 8776c61 Bump org.assertj:assertj-core from 3.27.5 to 3.27.6
• d2af78e Ignore Mockito 5.x and SLF4j 2.x by dependabot
• dcd4b7d Bump org.assertj:assertj-core from 3.27.4 to 3.27.5
• 7523948 Strict check of dependencies usage
• 23186d4 Fixes #1522, add render-dependencies mojo (#1523)
• bc1893f Use Resolver API in resolve-plugin
• Additional commits viewable in compare view

Updates org.apache.maven.plugins:maven-enforcer-plugin from 3.6.1 to 3.6.2

Release notes

Sourced from org.apache.maven.plugins:maven-enforcer-plugin's releases.

3.6.2

🐛 Bug Fixes

• Use SessionData for cache storage (#930) @​slawekjaranowski

📝 Documentation updates

• Update Version Ranges link in site.xml (#926) @​ctubbsii
• Fix formatting typo in dependencyConvergence.apt.vm (#928) @​ascopes
• Correct support parameters documentation for banned repositories rule (#922) @​Harmelodic

👻 Maintenance

• Fixes #920 - Remove usage of Stack (#921) @​khmarbaise
• feat: enable prevent branch protection rules (#925) @​sebtiem
• Fixes #917 - Remove usage of Hashtable (#918) @​khmarbaise

📦 Dependency updates

• Bump m-invoker-p to 3.9.1 (#935) @​slawekjaranowski
• Bump org.apache.commons:commons-lang3 from 3.18.0 to 3.19.0 (#933) @dependabot[bot]
• Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 (#932) @dependabot[bot]
• Bump org.assertj:assertj-core from 3.27.4 to 3.27.5 (#931) @dependabot[bot]
• Bump org.codehaus.mojo:mrm-maven-plugin from 1.6.0 to 1.7.0 (#923) @dependabot[bot]
• Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 (#919) @dependabot[bot]
• Bump commons-codec:commons-codec from 1.18.0 to 1.19.0 (#915) @dependabot[bot]
• Bump commons-io:commons-io from 2.19.0 to 2.20.0 (#914) @dependabot[bot]
• Bump mavenVersion from 3.9.10 to 3.9.11 (#912) @dependabot[bot]

Commits

• 82ba770 [maven-release-plugin] prepare release enforcer-3.6.2
• 5313c70 Bump m-invoker-p to 3.9.1
• ee5abee Bump org.apache.commons:commons-lang3 from 3.18.0 to 3.19.0
• 6c5a152 Bump org.assertj:assertj-core from 3.27.5 to 3.27.6
• 89ccb70 Bump org.assertj:assertj-core from 3.27.4 to 3.27.5 (#931)
• 03ed82d Update Version Ranges link in site.xml (#926)
• d282dc4 Fixes #920 - Remove usage of Stack
• 27e1f46 Use SessionData for cache storage (#930)
• a1bac9b Fix formatting typo in dependencyConvergence.apt.vm
• 870a1ed Correct support parameters documentation for banned repositories rule
• Additional commits viewable in compare view

Updates org.jacoco:jacoco-maven-plugin from 0.8.13 to 0.8.14

Release notes

Sourced from org.jacoco:jacoco-maven-plugin's releases.

0.8.14

New Features

• JaCoCo now officially supports Java 25 (GitHub #1950).
• Experimental support for Java 26 class files (GitHub #1870).
• Branches added by the Kotlin compiler for default argument number 33 or higher are filtered out during generation of report (GitHub #1655).
• Part of bytecode generated by the Kotlin compiler for elvis operator that follows safe call operator is filtered out during generation of report (GitHub #1814, #1954).
• Part of bytecode generated by the Kotlin compiler for more cases of chained safe call operators is filtered out during generation of report (GitHub #1956).
• Part of bytecode generated by the Kotlin compiler for invocations of suspendCoroutineUninterceptedOrReturn intrinsic is filtered out during generation of report (GitHub #1929).
• Part of bytecode generated by the Kotlin compiler for suspending lambdas with parameters is filtered out during generation of report (GitHub #1945).
• Part of bytecode generated by the Kotlin compiler for suspending functions and lambdas with suspension points that return inline value class is filtered out during generation of report (GitHub #1871).
• Part of bytecode generated by the Kotlin Compose compiler plugin for pausable composition is filtered out during generation of report (GitHub #1911).
• Methods generated by the Kotlin serialization compiler plugin are filtered out (GitHub #1885, #1970, #1971).

Fixed bugs

• Fixed handling of implicit else clause of when with String subject in Kotlin (GitHub #1813, #1940).
• Fixed handling of implicit default clause of switch by String in Java when compiled by ECJ (GitHub #1813, #1940). Fixed handling of exceptions in chains of safe call operators in Kotlin (GitHub #1819).

Non-functional Changes

• JaCoCo now depends on ASM 9.9 (GitHub #1965).

Commits

• 2eb2483 Prepare release v0.8.14
• de76181 KotlinSerializableFilter should filter more methods (#1971)
• 89c4bd5 Fix NPE in KotlinSerializableFilter (#1970)
• 0981128 Migrate release staging to the Central Publisher Portal (#1968)
• d07bc6b Add filter for bytecode generated by Kotlin serialization compiler plugin (#1...
• 5e35fd5 Upgrade maven-dependency-plugin to 3.9.0 (#1966)
• c2fe5cc Upgrade ASM to 9.9 (#1965)
• b0f8e23 KotlinSafeCallOperatorFilter should filter "unoptimized" safe call followed b...
• c7bd3f4 Upgrade spotless-maven-plugin to 3.0.0 (#1961)
• faa289d KotlinSafeCallOperatorFilter should not be affected by presence of pseudo ins...
• Additional commits viewable in compare view

Updates org.apache.maven.plugins:maven-pmd-plugin from 3.27.0 to 3.28.0

Release notes

Sourced from org.apache.maven.plugins:maven-pmd-plugin's releases.

3.28.0

🚀 New features and improvements

• Bump pmdVersion from 7.16.0 to 7.17.0 (#661) @​timpeeters
• Bump pmdVersion from 7.15.0 to 7.16.0 (#652) @dependabot[bot]
• Bump pmdVersion from 7.14.0 to 7.15.0 (#643) @dependabot[bot]

📝 Documentation updates

• Update historical PMD version in docs (#662) @​slawekjaranowski
• Document that excludes takes priority over includes (#645) @​elharo

👻 Maintenance

• feat: enable prevent branch protection rules (#653) @​sparsick
• Add Apache 2.0 LICENSE file (#650) @​Ndacyayisenga-droid
• Prefer JDK built-in methods for string joining (#646) @​elharo
• [MPMD-412] - More specific catch blocks (#642) @​elharo

📦 Dependency updates

• Bump org.apache.commons:commons-lang3 from 3.8.1 to 3.18.0 in ITs (#648) @dependabot[bot]
• Bump pmdVersion from 7.16.0 to 7.17.0 (#661) @​timpeeters
• Bump org.apache.commons:commons-lang3 from 3.18.0 to 3.19.0 (#658) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-resources from 1.3.0 to 1.3.1 (#654) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-i18n from 1.0-beta-10 to 1.0.0 (#655) @dependabot[bot]
• Bump pmdVersion from 7.15.0 to 7.16.0 (#652) @dependabot[bot]
• Bump commons-io:commons-io from 2.19.0 to 2.20.0 (#651) @dependabot[bot]
• Bump mavenVersion from 3.9.10 to 3.9.11 (#649) @dependabot[bot]
• Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.18.0 (#647) @dependabot[bot]
• Bump resolverVersion from 1.9.23 to 1.9.24 (#644) @dependabot[bot]
• Bump pmdVersion from 7.14.0 to 7.15.0 (#643) @dependabot[bot]

Commits

• f152a3a [maven-release-plugin] prepare release maven-pmd-plugin-3.28.0
• 0678fd1 Update historical PMD version in docs
• 41d5069 Bump org.apache.commons:commons-lang3 from 3.8.1 to 3.18.0 in ITs (#648)
• 3ef805b Bump pmdVersion from 7.16.0 to 7.17.0
• 592d703 Add hacktoberfest label to project
• ced9373 Bump org.apache.commons:commons-lang3 from 3.18.0 to 3.19.0 (#658)
• 3cf5bc1 Bump org.codehaus.plexus:plexus-resources from 1.3.0 to 1.3.1 (#654)
• 9077c3b Bump org.codehaus.plexus:plexus-i18n from 1.0-beta-10 to 1.0.0 (#655)
• 12ed57a feat: enable prevent branch protection rules (#653)
• fff2b95 Bump pmdVersion from 7.15.0 to 7.16.0 (#652)
• Additional commits viewable in compare view

Updates org.owasp:dependency-check-maven from 12.1.6 to 12.1.8

Release notes

Sourced from org.owasp:dependency-check-maven's releases.

Version 12.1.8

Refer to the CHANGELOG.md for information about improvements and upgrade notes.

Version 12.1.7

Refer to the CHANGELOG.md for information about improvements and upgrade notes.

Changelog

Sourced from org.owasp:dependency-check-maven's changelog.

Version 12.1.8 (2025-10-13)

• fix: improve VulnerableSoftware comparison (#8031)
• build: fix flaky central test (#8039)
• docs: Improve Gradle docs wrt experimental analyzers, use of Central and Proxy configuration (#8036)
• docs: add note about central analyzer for gradle (#8038)

See the full listing of changes

Version 12.1.7 (2025-10-12)

• fix: disable central analyzer after failures (#7993)
• fix: Suppress JVM warnings from Lucene within CLI (#8003)
• fix: Clean up Apache Lucene logging via SLF4j redirect (#7979)
• fix: Correct Archive Analyzer behaviour on certain tgz archives (#7986)
• fix: Update NVD CPE search URLs in generated reports to match new search interface (#7970)
• fix: improve OSS Index Error Reporting (#7977)
• fix(fp): Consolidate false positive suppression for false positives on Redis client libs (#8017)
• fix(fp): Fix more common false positives for popular PHP/composer frameworks with generic names (#7994)
• docs: improve slack notification documentation (#8026)
• docs: Documentation artifactory settings fix (#7999)
• docs: Clarify Nexus Analyzer requirements and usage (#8000)
• build: Build amd64 and arm64 multi-platform Docker image (#7952)

See the full listing of changes

Commits

• 2d29a0b build: prepare release v12.1.8
• a06ba2e docs: release 12.1.8
• 8230ba2 fix: improve VulnerableSoftware comparison (#8031)
• c4696c0 docs: add note about central analyzer for gradle (#8038)
• a8e00c8 build: fix flaky central test (#8039)
• 52eefb7 build(deps): bump org.apache.maven.plugins:maven-artifact-plugin from 3.6.0 t...
• fd8371c build(deps): bump org.apache.maven.plugins:maven-compiler-plugin from 3.14.0 ...
• 5ac1edb build(deps): bump org.jacoco:jacoco-maven-plugin from 0.8.13 to 0.8.14 (#8032)
• 8ceb175 docs: Improve Gradle docs wrt experimental analyzers, use of Central and Prox...
• 986afb0 build: release 12.1.7 (#8030)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions