fix(deps): bump the prod-deps group across 1 directory with 9 updates

[dependabot]

Bumps the prod-deps group with 9 updates in the / directory:

Package	From	To
org.apache.logging.log4j:log4j-bom	2.20.0	2.25.4
io.vertx:vertx-stack-depchain	5.0.8	5.0.10
org.apache.httpcomponents.client5:httpclient5	5.2.1	5.6
commons-codec:commons-codec	1.17.1	1.21.0
com.sun.xml.bind:jaxb-impl	2.3.9	4.0.7
org.apache.commons:commons-lang3	3.12.0	3.20.0
javax.ws.rs:javax.ws.rs-api	2.0.1	2.1.1
org.folio:util	35.2.2	36.0.0
org.folio.okapi:okapi-common	7.0.0	7.0.3

Updates org.apache.logging.log4j:log4j-bom from 2.20.0 to 2.25.4

Release notes

Sourced from org.apache.logging.log4j:log4j-bom's releases.

2.25.4

This patch release delivers fixes for configuration inconsistencies and formatting issues across several layouts.

• Restores alignment between documented and actual configuration attributes.
• Fixes formatting and sanitization issues in XML and RFC5424 layouts.
• Improves handling of invalid characters and non-standard values.

The authoritative list of recognized configuration attributes is available in the PluginReference.

Fixed

• Don't issue warnings if extra argument in parameterized logging is null. (#3975, #4014)
• Restore support for documented Rfc5424Layout parameter names. (#4022, #4074)
• Take Throwable#toString() into account while rendering stack traces in Pattern Layout. (#3623, #4033)
• Added debug level logs for successful resource loading in Loader class. (#4058, #4060)
• Align SslConfiguration factory method usage with Log4j 2.12+ API. The verifyHostname attribute is now correctly recognized. (#4061, #4075)
• Fix sanitization of structured data parameter names in RFC5424 layout. (#4073)
• Replace invalid characters in XmlLayout output with the Unicode replacement character (U+FFFD). (#4077)
• Replace invalid characters in Log4j1XmlLayout output with the Unicode replacement character (U+FFFD). (#4078)
• Replace invalid characters in MapMessage.asXml() output with the Unicode replacement character (U+FFFD). (#4079)
• Write non-finite floating-point numbers as strings in JsonWriter. (#4080)

2.25.3

This patch release addresses issues detailed in the changelog below. In particular, it includes an important fix for the host name verification in SSL/TLS configuration. This is used by Socket Appender.

Changed

• Optimize DefaultThreadContextMap.getCopy() performance by avoiding megamorphic calls in HashMap constructor (#3935, #3939)

Fixed

• Fix GraalVM metadata for nested classes to use binary names instead of canonical names (#3871, #3996)
• Fix failures caused by null SslConfiguration (#3947, #3953)
• Fix incorrect handling of the host name verification in SSL/TLS configuration, which is used by Socket Appender when SSL/TLS is enabled (#4002)

Removed

• Remove the com.github.spotbugs:spotbugs-annotations dependency (#3984, #3985)

2.25.2

This patch release addresses certain minor issues detailed in the changelog.

Fixed

• Fix potential memory leak involving LogBuilder in Log4j API to Logback bridge (#3819, #3824)
• Prevent unnecessary warnings in AbstractDriverManagerConnectionSource (#3828, #3831)
• Fix missing newlines in default logging configuration for log4j-core (#3835, #3851)
• Fix missing default Target value in Console Appender (#3852)
• Discard the sub-second part while obtaining the initial time (i.e., creation time) of a file in RollingFileManager (#3068, #3872)
• Fix Pattern Layout exception stack trace converters to no longer prepend newlines based on context (#3873, #3919)

... (truncated)

Commits

• 0628e53 Update the project.build.outputTimestamp property
• a2590b4 Add debug logs for successful resource loading in Loader (#4060)
• b788154 Changelog for additional fixes
• 59bd6b3 Avoid referring to PluginBuilderAttribute.class in PluginProcessor (#4041)
• 79568db Take Throwable#toString() into account while rendering stack traces in Patt...
• 0881bc5 Add versioning and support policy information (#3341)
• 0543b52 docs: recommend use of appropriately scoped trust roots (#4006)
• 7a1e0ad Fix warning when last argument is null (#4014)
• 5286148 Remove Log4j Jakarta EE link from navigation file (#4025)
• adcda32 Retire Log4j Scala (#4030)
• Additional commits viewable in compare view

Updates io.vertx:vertx-stack-depchain from 5.0.8 to 5.0.10

Updates org.apache.httpcomponents.client5:httpclient5 from 5.2.1 to 5.6

Changelog

Sourced from org.apache.httpcomponents.client5:httpclient5's changelog.

Release 5.6 ALPHA1

This is the first ALPHA release in the 5.6 release series. It adds several features such as transport content decompression and content compression for the async transport, support for Unix sockets, experimental support for SCRAM-SHA-256 authentication scheme, and Micrometer/OTel observations & metrics.

Commons Compress, Brotli codec, and ZStd codec are optional dependencies and get wired into the execution pipeline only if present on the classpath.

Notable changes and features included in the 5.6 series:

• Unix domain socket support.

• Support for pluggable content codecs via Commons-Compress in the classic transport. (optional).

• Support for transparent content decompression and content compression with deflate, gzip, zstd (optional), and brotli (optional) codecs in the async transport.

• Micrometer/OTel observations & metrics (optinal).

• Off-lock connection disposal by the classic pooling connection manager. Experimental.

• SCRAM-SHA-256 authentication scheme (RFC 7804). Experimental.

• Request Priority support (RFC 9218). Experimental.

Compatibility notes:

• As of this version, HttpClient uses BUILTIN HostnameVerificationPolicy by default, delegating host verification to JSSE security manager. One must explicitly configure the TLS strategy to continue using the hostname verifier shipped with HttpClient.

• Five-second TCP keep-alive is now enabled by default.

Change Log

• RequestConfig: Un-deprecate #setProxy. Contributed by Ryan Schmitt

• Stale connection check support in PoolingAsyncClientConnectionManager. Contributed by Ryan Schmitt

• ConnectionConfig: #idleTimeout support. Contributed by Ryan Schmitt

... (truncated)

Commits

• decd193 HttpClient 5.6 release
• 11ea8e5 Updated release notes for HttpClient 5.6 release
• 77fa61a Limit the length of content codec list that can be processed automatically
• 81b7971 Upgraded HttpCore to version 5.4
• 2c7fe0f Add OFFLOCK pool concurrency policy backed by RouteSegmentedConnPool (#765)
• 1f4dea7 Fixed Micrometer and OpenTelemetry dependency declaration
• d2fadd2 Tag TLS handshake timeout tests with slow
• e52e466 TestTlsHandshakeTimeout: Disable assertions on Java 8
• 77f52f0 Upgraded HttpClient version to 5.6-alpha2-SNAPSHOT
• 48e0f25 HttpClient 5.6-alpha1 release
• Additional commits viewable in compare view

Updates commons-codec:commons-codec from 1.17.1 to 1.21.0

Changelog

Sourced from commons-codec:commons-codec's changelog.

Apache Commons Codec 1.21.0 Release Notes

The Apache Commons Codec team is pleased to announce the release of Apache Commons Codec 1.21.0.

The Apache Commons Codec component contains encoders and decoders for formats such as Base16, Base32, Base64, digest, and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

This is a feature and maintenance release. Java 8 or later is required.

New features

• CODEC-333: Add distinct Base64 decoding for standard and URL-safe formats. Thanks to Aleksandr Beliakov, Gary Gregory.

Fixed Bugs

•         Fix oak leaf icon references in overview.html when running `mvn clean javadoc:javadoc`. Thanks to Gary Gregory.
  

•         Fix Apache RAT plugin console warnings. Thanks to Gary Gregory.
  

•         Fix malformed Javadoc comments. Thanks to Gary Gregory.
  

Changes

•         Bump org.apache.commons:commons-parent from 91 to 96 [#415](https://github.com/apache/commons-codec/issues/415), [#418](https://github.com/apache/commons-codec/issues/418). Thanks to Gary Gregory, Dependabot.
  

•         Bump commons-io:commons-io from 2.20.0 to 2.21.0. Thanks to Gary Gregory.
  

•         Bump org.apache.commons:commons-lang3 from 3.19.0 to 3.20.0. Thanks to Gary Gregory, Dependabot.
  

For complete information on Apache Commons Codec, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Commons Codec website:

https://commons.apache.org/proper/commons-codec/

Download page: https://commons.apache.org/proper/commons-codec/download_codec.cgi

---

Apache Commons Codec 1.20.0 Release Notes

The Apache Commons Codec team is pleased to announce the release of Apache Commons Codec 1.20.0.

The Apache Commons Codec component contains encoders and decoders for formats such as Base16, Base32, Base64, digest, and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

... (truncated)

Commits

• 91c4404 Prepare for the release candidate 1.21.0 RC1
• 21fe1d7 Prepare for the next release candidate
• d4ea4d0 Bump actions/checkout from 6.0.1 to 6.0.2
• e30b1f6 Bump actions/setup-java from 5.1.0 to 5.2.0
• 2e4891c Bump org.apache.commons:commons-parent from 95 to 96
• d02c003 Use a URL to a prettier page: https://www.ietf.org/rfc/rfc2045
• 3c961b8 Checkstyle
• 99cf6b7 Javadoc and exception messages: "base 32" -> "Base32".
• 2df7b9a Javadoc and exception messages: "base 64" -> "Base64".
• 0643fdd Javadoc 8 doesn't know how to find this link
• Additional commits viewable in compare view

Updates com.sun.xml.bind:jaxb-impl from 2.3.9 to 4.0.7

Updates org.apache.commons:commons-lang3 from 3.12.0 to 3.20.0

Updates javax.ws.rs:javax.ws.rs-api from 2.0.1 to 2.1.1

Commits

• See full diff in compare view

Updates org.folio:util from 35.2.2 to 36.0.0

Release notes

Sourced from org.folio:util's releases.

v36.0.0

Trillium (2026 R1) release, see upgrade notes.

• RMB-1025 Create schema even if role already exists
• RMB-1028 readonly custom field should delete property
• RMB-785 Replace GenerateRunner with domain-models-maven-plugin in README.md
• RMB-1027 Migrate Vert.x from 4 to 5
• RMB-1031 validate module_to which will be stored in DB
• RMB-1023 Remove/Reduce Ineffective/Verbose Log Lines For CQL2PgJSON
• RMB-1032 Add futurized TenantAPI.postTenantSync
• RMB-1033 RestRouting null removal: allow array in path
• FAT-22537 Added upgrading note about ServicesResourceTransformer to avoid race condition during FolioLocal initialization
• RMB-1036 Initialize loggers before setting log level
• RMB-1029 TRUNCATE rmb_internal_analyze; ERROR: canceling statement due to lock timeout (55P03)
• RMB-1026 DB_MAX_LIFETIME option with default of 30 minutes
• RMB-1040 Don't "WARN TenantLoading TenantLoading.perform No X-Okapi-Url-to header"
• RMB-1041 HttpStatus, HttpHeaders - drop-in replacement of httpcomponents
• RMB-1042 Vert.x 5.0.6 fixing CVE-2025-67735 Netty CRLF injection request smuggling
• RMB-1045 upgrade to test-containers 2.0.3
• RMB-1046 Avoid regex in .replaceAll(" +[*]", "")
• RMB-1047 Fix polynomial runtime regex in PgUtil - Support ) and = in error message fields
• RMB-1030 CachedConnectionManager "permission denied": Better recovery from error state, warn about buggy DB_MAXSHAREDPOOLSIZE
• RMB-1051 Trillium: Bump dependencies (Vertx 5.0.10, log4j 2.25.4, …)
• RMB-1052 ERROR: 42501: permission denied for "CREATE SCHEMA IF NOT EXISTS"
• RMB-1048 Enable maven workflows, disable Jenkins workflow

v35.4.2

• RMB-1043 Vert.x 4.5.23 fixing CVE-2025-67735 Netty CRLF injection

Vert.x compatibility

Restrictions when using RMB's or Vert.x' Postgres client:

• RMB >= 35.4.2 requires Vert.x >= 4.5.23.
• RMB 35.4.0 and 35.4.1 require Vert.x <= 4.5.22.

v35.4.1

• RMB-1023 Suppress verbose logging in CQL2PgJSON, CQLWrapper, LogUtil
• RMB-1036 Initialize loggers before setting log level
• RMB-1038 Vertx 4.5.22 fixing Netty DDoS CVE-2025-55163

v35.4.0

Sunflower (2025 R1) release.

• RMB-1010: PostgreSQLContainer withStartupAttempts(3)
• RMB-1011: Timeout when trying to connect to DB_HOST:DB_PORT
• RMB-1013: make helper functions public in PgUtil class
• RMB-1021: Upgrade Java from 17 to 21
• RMB-1022, RMB-1014: Vert.x 4.5.13, other dep upgrades for Sunflower

... (truncated)

Changelog

Sourced from org.folio:util's changelog.

36.0.0 2026-04-09

Trillium (2026 R1) release, see upgrade notes.

• RMB-1025 Create schema even if role already exists
• RMB-1028 readonly custom field should delete property
• RMB-785 Replace GenerateRunner with domain-models-maven-plugin in README.md
• RMB-1027 Migrate Vert.x from 4 to 5
• RMB-1031 validate module_to which will be stored in DB
• RMB-1023 Remove/Reduce Ineffective/Verbose Log Lines For CQL2PgJSON
• RMB-1032 Add futurized TenantAPI.postTenantSync
• RMB-1033 RestRouting null removal: allow array in path
• FAT-22537 Added upgrading note about ServicesResourceTransformer to avoid race condition during FolioLocal initialization
• RMB-1036 Initialize loggers before setting log level
• RMB-1029 TRUNCATE rmb_internal_analyze; ERROR: canceling statement due to lock timeout (55P03)
• RMB-1026 DB_MAX_LIFETIME option with default of 30 minutes
• RMB-1040 Don't "WARN TenantLoading TenantLoading.perform No X-Okapi-Url-to header"
• RMB-1041 HttpStatus, HttpHeaders - drop-in replacement of httpcomponents
• RMB-1042 Vert.x 5.0.6 fixing CVE-2025-67735 Netty CRLF injection request smuggling
• RMB-1045 upgrade to test-containers 2.0.3
• RMB-1046 Avoid regex in .replaceAll(" +[*]", "")
• RMB-1047 Fix polynomial runtime regex in PgUtil - Support ) and = in error message fields
• RMB-1030 CachedConnectionManager "permission denied": Better recovery from error state, warn about buggy DB_MAXSHAREDPOOLSIZE
• RMB-1051 Trillium: Bump dependencies (Vertx 5.0.10, log4j 2.25.4, …)
• RMB-1052 ERROR: 42501: permission denied for "CREATE SCHEMA IF NOT EXISTS"
• RMB-1048 Enable maven workflows, disable Jenkins workflow

35.4.0 2025-02-28

Sunflower (2025 R1) release, see upgrade notes.

• RMB-1010: PostgreSQLContainer withStartupAttempts(3)
• RMB-1011: Timeout when trying to connect to DB_HOST:DB_PORT
• RMB-1013: make helper functions public in PgUtil class
• RMB-1021: Upgrade Java from 17 to 21
• RMB-1022, RMB-1014: Vert.x 4.5.13, other dep upgrades for Sunflower

35.3.0 2024-10-14

Ramsons (2024 R2) release, see upgrade notes.

New features:

• RMB-993 Set db connection application_name for Postgres' pg_stat_activity
• RMB-994 Cache loading of schema.json in CQL2PgJSON
• RMB-997 Avoid left(...,600) for sqlExpression/sqlExpressionQuery
• RMB-998, RMB-1007 Upgrade dependencies for Ramsons; add license
• RMB-985 Avoid SET ROLE/SET SCHEMA in Shared Pool
• RMB-1000 Provide ObjectMapperTool.valueAsString
• RMB-975 Define DB_HOST_ASYNC_READER, DB_PORT_ASYNC_READER
• RMB-1003 Replace deprecated io.vertx.core.logging.Logger by org.apache.logging.log4j.Logger

... (truncated)

Commits

• fe9bccc [maven-release-plugin] prepare release v36.0.0
• c21ab01 NEWS for Trillium release 36.0.0
• 3c202f5 Merge pull request #1230 from folio-org/RMB-1052
• 428d058 Merge branch 'master' into RMB-1052
• 431d87a Merge pull request #1231 from folio-org/RMB-1048-workflows-maven
• cdc1b9d Enable maven workflows RMB-1048
• fa87407 RMB-1052: ERROR: 42501: permission denied for "CREATE SCHEMA IF NOT EXISTS"
• 347df22 Merge pull request #1229 from folio-org/RMB-1051
• 39262ac RMB-1051: Trillium: Bump dependencies (Vertx 5.0.10, log4j 2.25.4, …)
• a670973 RMB-1030: CachedConnectionManager can return permission denied for schema (#1...
• Additional commits viewable in compare view

Updates org.folio.okapi:okapi-common from 7.0.0 to 7.0.3

Release notes

Sourced from org.folio.okapi:okapi-common's releases.

v7.0.3

• OKAPI-1241 Jackson 2.18.6 fixing DoS when parsing long number - GHSA-72hv-8253-57qq
• #1439 MD post check=false param loosen MDs immutable check
• OKAPI-1242 Bump dependencies for Trillium (Vert.x 5.0.10, …)

v7.0.2

• OKAPI-1230 Add optional "required" property to EnvEntry.json of module descriptor
• OKAPI-1231 Migrate from AbstractVerticle to VerticleBase
• OKAPI-1232 Vert.x 5.0.6 fixing CVE-2025-67735 Netty CRLF injection
• OKAPI-1234 Support Docker 29 and later
• OKAPI-1236 upgrade to test-containers 2.0.3
• OKAPI-1238 log4j 4.5.23 fixing SocketAppender TLS hostname verification CVE-2025-68161
• OKAPI-1239 Vertx 5.0.7 (CVE-2026-1002), assertj 3.27.7, micrometer 1.16.2

v7.0.1

• OKAPI-1224 Upgrade Vert.x from 5.0.3 to 5.0.4 fixing CVE-2025-58056
• OKAPI-1229 Bump Vert.x from 5.0.4 to 5.0.5 fixing CVE-2025-59432, CVE-2025-11965, CVE-2025-11966
• OKAPI-1220 timer_wait_sync, timer_wait_extra options
• #1420 Remove unused scram client 2.1
• #1421 Update deps; allow JDK 25 compilation
• OKAPI-1228 Add META-INF VertxServiceProvider fixing FolioLoggingContext and FolioLocal

Changelog

Sourced from org.folio.okapi:okapi-common's changelog.

7.0.3 2026-04-01

• OKAPI-1241 Jackson 2.18.6 fixing DoS when parsing long number - GHSA-72hv-8253-57qq
• #1439 MD post check=false param loosen MDs immutable check
• OKAPI-1242 Bump dependencies for Trillium (Vert.x 5.0.10, …)

7.0.2 2026-02-11

• OKAPI-1228 Add javadoc about ServicesResourceTransformer requirement
• OKAPI-1230 Add optional "required" property to EnvEntry.json of module descriptor
• OKAPI-1231 Migrate from AbstractVerticle to VerticleBase
• OKAPI-1232 Vert.x 5.0.6 fixing CVE-2025-67735 Netty CRLF injection
• OKAPI-1234 Support Docker 29 and later
• OKAPI-1236 upgrade to test-containers 2.0.3 (#1432)
• OKAPI-1238 log4j 4.5.23 fixing SocketAppender TLS hostname verification CVE-2025-68161
• OKAPI-1239 Vertx 5.0.7 (CVE-2026-1002), assertj 3.27.7, micrometer 1.16.2

7.0.1 2025-11-13

• OKAPI-1224 Upgrade Vert.x from 5.0.3 to 5.0.4 fixing CVE-2025-58056
• OKAPI-1229 Bump Vert.x from 5.0.4 to 5.0.5 fixing CVE-2025-59432, CVE-2025-11965, CVE-2025-11966
• OKAPI-1220 timer_wait_sync, timer_wait_extra options
• #1420 Remove unused scram client 2.1
• #1421 Update deps; allow JDK 25 compilation
• OKAPI-1228 Add META-INF VertxServiceProvider fixing FolioLoggingContext and FolioLocal

Commits

• 742baee [maven-release-plugin] prepare release v7.0.3
• 01b66d4 NEWS for 7.0.3
• 7e07cd6 Merge pull request #1441 from folio-org/release-7.1.0
• b59e928 [maven-release-plugin] prepare for next development iteration
• a741e97 [maven-release-plugin] prepare release v7.1.0
• 62afc98 NEWS for 7.1.0 (Trillium)
• 54d66d9 Merge pull request #1440 from folio-org/OKAPI-1242
• 174af40 byte-buddy/byte-buddy-agent 1.18.7
• 89b5c60 OKAPI-1242: Bump dependencies for Trillium (Vert.x 5.0.10, …)
• 85952cb MD post check param loosen MDs immutable check (#1439)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions