Bump the all-maven-dependencies group across 2 directories with 4 updates

[dependabot]

Bumps the all-maven-dependencies group with 4 updates in the / directory: org.springframework.boot:spring-boot-starter-parent, com.sap.cds:cds-services-bom, com.sap.cds:cds-maven-plugin and com.sap.cloud.security:java-bom.
Bumps the all-maven-dependencies group with 4 updates in the /srv directory: org.springframework.boot:spring-boot-starter-parent, com.sap.cds:cds-maven-plugin, com.sap.cds:cds-services-bom and com.sap.cloud.security:java-bom.

Updates org.springframework.boot:spring-boot-starter-parent from 3.5.15 to 3.5.16

Release notes

Sourced from org.springframework.boot:spring-boot-starter-parent's releases.

v3.5.16

🔨 Dependency Upgrades

• Upgrade to Spring AMQP 3.2.12 #50818
• Upgrade to Spring Data Bom 2025.0.13 #50819
• Upgrade to Spring Integration 6.5.10 #50820

Commits

• 0566f69 Release v3.5.16
• 93edd16 Next development version (v3.5.16-SNAPSHOT)
• 5bafd0a Upgrade to Spring Integration 6.5.10
• baf3290 Upgrade to Spring AMQP 3.2.12
• 2c5964a Upgrade to Spring Data Bom 2025.0.13
• dbb08aa Upgrade Antora dependencies
• 9b281d5 Upgrade to actions/checkout 7.0.0
• a854058 Upgrade to jfrog/setup-jfrog-cli 5.1.0
• fc236ae Start building against Spring Integration 6.5.10 snapshots
• 5271da7 Start building against Spring Data Bom 2025.0.13 snapshots
• Additional commits viewable in compare view

Updates com.sap.cds:cds-services-bom from 4.9.0 to 5.0.0

Updates com.sap.cds:cds-maven-plugin from 4.9.0 to 5.0.0

Updates com.sap.cloud.security:java-bom from 3.7.3 to 3.7.4

Release notes

Sourced from com.sap.cloud.security:java-bom's releases.

3.7.4

• Fix multi-tenant XSUAA token exchange in DefaultXsuaaTokenExtension
  • The IAS-to-XSUAA exchange used the provider subdomain endpoint, which caused XSUAA to resolve the provider tenant instead of the tenant carried in the X-zid header (app_tid)
  • Token exchange now targets a tenant-agnostic endpoint built from the uaadomain binding property, so XSUAA resolves the tenant via X-zid
  • For X.509 credentials the host's authentication. segment is replaced with authentication.cert. (analogous to the Node.js library), e.g. authentication.eu10.hana.ondemand.com → authentication.cert.eu10.hana.ondemand.com
  • Falls back to the existing subdomain-bearing endpoint when uaadomain is missing, preserving behavior for legacy bindings

Changelog

Sourced from com.sap.cloud.security:java-bom's changelog.

Change Log

All notable changes to this project will be documented in this file.

4.1.0

• Update dependencies:
  • Spring Boot: 4.0.6 → 4.1.0
  • Spring Framework: 7.0.7 → 7.0.8
  • Spring Security: 7.0.5 → 7.1.0
  • Jetty: 12.1.9 → 12.1.10
  • Reactor: 3.8.2 → 3.8.6
  • JUnit: 6.0.3 → 6.1.0
  • SpotBugs annotations: 4.9.8 → 4.10.2
  • SpotBugs Maven Plugin: 4.9.8.3 → 4.10.2.0
  • org.json: 20251224 → 20260522
  • logcaptor: 2.12.2 → 2.12.6
  • assertj-core (samples): 3.24.2 → 3.27.7
  • maven-surefire-plugin: 3.5.5 → 3.5.6
  • jacoco-maven-plugin: 0.8.14 → 0.8.15
  • central-publishing-maven-plugin: 0.10.0 → 0.11.0
• Fix junit-bom import in the root pom — entry was missing <type>pom</type><scope>import</scope>, so JUnit platform/jupiter versions were silently resolved through Spring Boot's BOM. Now correctly imported and ordered ahead of spring-boot-dependencies so junit-bom wins for all JUnit 6 artifacts.

4.0.7

• Fix mTLS handshake regression in SSLContextFactory
  • Initialize the SSLContext with an explicit TrustManagerFactory backed by the system default trust store instead of passing null, fixing (certificate_unknown) No X509TrustManager implementation available failures observed on certain runtime configurations
• Add missing no-arg constructor to DefaultOAuth2TokenService
  • The class lacked the no-arg constructor that the migration documentation (token-client/CUSTOM_HTTPCLIENT.md) advertised
  • The sibling services DefaultOAuth2TokenKeyService and DefaultOidcConfigurationService already had it; this restores symmetry
  • The new constructor obtains a SecurityHttpClient via SecurityHttpClientProvider.createClient(null) and delegates to the existing (SecurityHttpClient) constructor
• Fix multi-tenant XSUAA token exchange in DefaultXsuaaTokenExtension
  • The IAS-to-XSUAA exchange used the provider subdomain endpoint, which caused XSUAA to resolve the provider tenant instead of the tenant carried in the X-zid header (app_tid)
  • Token exchange now targets a tenant-agnostic endpoint built from the uaadomain binding property, so XSUAA resolves the tenant via X-zid
  • For X.509 credentials the host's authentication. segment is replaced with authentication.cert. (analogous to the Node.js library), e.g. authentication.eu10.hana.ondemand.com → authentication.cert.eu10.hana.ondemand.com
  • Falls back to the existing subdomain-bearing endpoint when uaadomain is missing, preserving behavior for legacy bindings

4.0.6

• Update dependencies to address known vulnerabilities:
  • Spring Boot (legacy 3.x modules): 3.5.9 → 3.5.14
  • Spring Framework (legacy 3.x modules): 6.2.15 → 6.2.18
  • Spring Security (legacy 3.x modules): 6.5.7 → 6.5.10
  • Caffeine: 3.2.0 → 3.2.4
  • SpotBugs Maven Plugin: 4.9.8.2 → 4.9.8.3

4.0.5

• Restore deprecated HttpClientFactory.services field and ServiceLoader-based factory discovery for backward compatibility
  • Custom HttpClientFactory implementations registered via META-INF/services are discovered again
  • A deprecation warning is logged when a custom factory is used, guiding users to migrate to SecurityHttpClientFactory with SecurityHttpClientProvider

... (truncated)

Commits

• 9d34661 chore: Release 3.7.4
• 009f89d docs: Add CHANGELOG entry for XSUAA multi-tenant token exchange fix
• 681e39e fix: Replace authentication. with authentication.cert. for X.509 uaadomain
• 74f931f fix: Use tenant-agnostic XSUAA token endpoint when exchanging IAS to XSUAA
• See full diff in compare view

Updates com.sap.cds:cds-maven-plugin from 4.9.0 to 5.0.0

Updates org.springframework.boot:spring-boot-starter-parent from 3.5.15 to 3.5.16

Release notes

Sourced from org.springframework.boot:spring-boot-starter-parent's releases.

v3.5.16

🔨 Dependency Upgrades

• Upgrade to Spring AMQP 3.2.12 #50818
• Upgrade to Spring Data Bom 2025.0.13 #50819
• Upgrade to Spring Integration 6.5.10 #50820

Commits

• 0566f69 Release v3.5.16
• 93edd16 Next development version (v3.5.16-SNAPSHOT)
• 5bafd0a Upgrade to Spring Integration 6.5.10
• baf3290 Upgrade to Spring AMQP 3.2.12
• 2c5964a Upgrade to Spring Data Bom 2025.0.13
• dbb08aa Upgrade Antora dependencies
• 9b281d5 Upgrade to actions/checkout 7.0.0
• a854058 Upgrade to jfrog/setup-jfrog-cli 5.1.0
• fc236ae Start building against Spring Integration 6.5.10 snapshots
• 5271da7 Start building against Spring Data Bom 2025.0.13 snapshots
• Additional commits viewable in compare view

Updates com.sap.cds:cds-maven-plugin from 4.9.0 to 5.0.0

Updates com.sap.cds:cds-services-bom from 4.9.0 to 5.0.0

Updates com.sap.cloud.security:java-bom from 3.7.3 to 3.7.4

Release notes

Sourced from com.sap.cloud.security:java-bom's releases.

3.7.4

• Fix multi-tenant XSUAA token exchange in DefaultXsuaaTokenExtension
  • The IAS-to-XSUAA exchange used the provider subdomain endpoint, which caused XSUAA to resolve the provider tenant instead of the tenant carried in the X-zid header (app_tid)
  • Token exchange now targets a tenant-agnostic endpoint built from the uaadomain binding property, so XSUAA resolves the tenant via X-zid
  • For X.509 credentials the host's authentication. segment is replaced with authentication.cert. (analogous to the Node.js library), e.g. authentication.eu10.hana.ondemand.com → authentication.cert.eu10.hana.ondemand.com
  • Falls back to the existing subdomain-bearing endpoint when uaadomain is missing, preserving behavior for legacy bindings

Changelog

Sourced from com.sap.cloud.security:java-bom's changelog.

Change Log

All notable changes to this project will be documented in this file.

4.1.0

• Update dependencies:
  • Spring Boot: 4.0.6 → 4.1.0
  • Spring Framework: 7.0.7 → 7.0.8
  • Spring Security: 7.0.5 → 7.1.0
  • Jetty: 12.1.9 → 12.1.10
  • Reactor: 3.8.2 → 3.8.6
  • JUnit: 6.0.3 → 6.1.0
  • SpotBugs annotations: 4.9.8 → 4.10.2
  • SpotBugs Maven Plugin: 4.9.8.3 → 4.10.2.0
  • org.json: 20251224 → 20260522
  • logcaptor: 2.12.2 → 2.12.6
  • assertj-core (samples): 3.24.2 → 3.27.7
  • maven-surefire-plugin: 3.5.5 → 3.5.6
  • jacoco-maven-plugin: 0.8.14 → 0.8.15
  • central-publishing-maven-plugin: 0.10.0 → 0.11.0
• Fix junit-bom import in the root pom — entry was missing <type>pom</type><scope>import</scope>, so JUnit platform/jupiter versions were silently resolved through Spring Boot's BOM. Now correctly imported and ordered ahead of spring-boot-dependencies so junit-bom wins for all JUnit 6 artifacts.

4.0.7

• Fix mTLS handshake regression in SSLContextFactory
  • Initialize the SSLContext with an explicit TrustManagerFactory backed by the system default trust store instead of passing null, fixing (certificate_unknown) No X509TrustManager implementation available failures observed on certain runtime configurations
• Add missing no-arg constructor to DefaultOAuth2TokenService
  • The class lacked the no-arg constructor that the migration documentation (token-client/CUSTOM_HTTPCLIENT.md) advertised
  • The sibling services DefaultOAuth2TokenKeyService and DefaultOidcConfigurationService already had it; this restores symmetry
  • The new constructor obtains a SecurityHttpClient via SecurityHttpClientProvider.createClient(null) and delegates to the existing (SecurityHttpClient) constructor
• Fix multi-tenant XSUAA token exchange in DefaultXsuaaTokenExtension
  • The IAS-to-XSUAA exchange used the provider subdomain endpoint, which caused XSUAA to resolve the provider tenant instead of the tenant carried in the X-zid header (app_tid)
  • Token exchange now targets a tenant-agnostic endpoint built from the uaadomain binding property, so XSUAA resolves the tenant via X-zid
  • For X.509 credentials the host's authentication. segment is replaced with authentication.cert. (analogous to the Node.js library), e.g. authentication.eu10.hana.ondemand.com → authentication.cert.eu10.hana.ondemand.com
  • Falls back to the existing subdomain-bearing endpoint when uaadomain is missing, preserving behavior for legacy bindings

4.0.6

• Update dependencies to address known vulnerabilities:
  • Spring Boot (legacy 3.x modules): 3.5.9 → 3.5.14
  • Spring Framework (legacy 3.x modules): 6.2.15 → 6.2.18
  • Spring Security (legacy 3.x modules): 6.5.7 → 6.5.10
  • Caffeine: 3.2.0 → 3.2.4
  • SpotBugs Maven Plugin: 4.9.8.2 → 4.9.8.3

4.0.5

• Restore deprecated HttpClientFactory.services field and ServiceLoader-based factory discovery for backward compatibility
  • Custom HttpClientFactory implementations registered via META-INF/services are discovered again
  • A deprecation warning is logged when a custom factory is used, guiding users to migrate to SecurityHttpClientFactory with SecurityHttpClientProvider

... (truncated)

Commits

• 9d34661 chore: Release 3.7.4
• 009f89d docs: Add CHANGELOG entry for XSUAA multi-tenant token exchange fix
• 681e39e fix: Replace authentication. with authentication.cert. for X.509 uaadomain
• 74f931f fix: Use tenant-agnostic XSUAA token endpoint when exchanging IAS to XSUAA
• See full diff in compare view

Updates com.sap.cds:cds-maven-plugin from 4.9.0 to 5.0.0

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
org.springframework.boot:spring-boot-starter-parent	[>= 4.a0, < 5]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions