Skip to content

Bump com.diffplug.spotless:spotless-maven-plugin from 3.7.0 to 3.8.0#342

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/com.diffplug.spotless-spotless-maven-plugin-3.8.0
Open

Bump com.diffplug.spotless:spotless-maven-plugin from 3.7.0 to 3.8.0#342
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/com.diffplug.spotless-spotless-maven-plugin-3.8.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 7, 2026

Copy link
Copy Markdown
Contributor

Bumps com.diffplug.spotless:spotless-maven-plugin from 3.7.0 to 3.8.0.

Release notes

Sourced from com.diffplug.spotless:spotless-maven-plugin's releases.

Maven Plugin v3.8.0

Added

  • Add support for custom string format for license header copyright year via yearStringFormat(). (#2965)

Fixed

  • <expandWildcardImports> no longer triggers a full transitive dependency resolution on every build. Dependency resolution is now deferred until the step actually runs, so projects that do not use <expandWildcardImports> (or that use version ranges) are no longer penalized. (#2983)
Changelog

Sourced from com.diffplug.spotless:spotless-maven-plugin's changelog.

spotless-lib and spotless-lib-extra releases

If you are a Spotless user (as opposed to developer), then you are probably looking for:

This document is intended for Spotless developers.

We adhere to the keepachangelog format (starting after version 1.27.0).

[Unreleased]

[4.8.0] - 2026-06-29

Added

  • Add support for custom string format for license header copyright year via yearStringFormat(). (#2965)

[4.7.0] - 2026-06-16

Added

  • Add support for AsciiDoc formatting via adocfmt. (#2960)
  • flexmark step now supports arbitrary formatter options via a formatterOptions map. (#2968)

Fixed

  • FenceStep.preserveWithin now forwards lints from nested steps while still suppressing lints inside preserved blocks. (#2962)
  • Support ktfmt 0.63 and use its new builder API for formatting options to better avoid future breaking changes.
  • Parse standard git year output in LicenseHeaderStep. (#2940)
  • Fix StringIndexOutOfBoundsException in scenarios where copyright year is surrounded by whitespace. (#2973)

Changes

  • Bump default greclipse version to latest 4.35 -> 4.39. (#2924)

[4.6.2] - 2026-05-27

Fixed

  • P2Provisioner now passes cache directory overrides directly to Solstice. (#2944)
  • forbidWildcardImports and forbidModuleImports now detect imports that have leading whitespace (indentation/tabs). (#2939)
  • versionCatalog step no longer splits long inline tables across multiple lines — Gradle's TOML 1.0 parser cannot read multi-line inline tables. The maxLineLength option has been removed. (#2948)

Changes

  • EclipseJdtFormtterStep now can conditionally set compiler source/compliance options. Allows for better parsing of AST Node for newer language features and more correct sorting; e.g. records or seal classes. (#2942)
  • Formatter no longer recomputes line-ending normalization (LineEnding.toUnix) a second time for every formatter step that changes content, removing redundant O(n) work from the core formatting loop. (#2934)
  • expandWildcardImports support pom type dependency. (#2839)

[4.6.1] - 2026-05-15

Fixed

  • LicenseHeaderStep in SET_FROM_GIT year mode no longer invokes git log through bash -c / cmd /c, eliminating a shell-injection vector when processing repositories that contain files whose names include shell metacharacters.

[4.6.0] - 2026-05-14

Added

  • scalafmt() now reads the version from the version field in the scalafmt config file when no version is explicitly set in the plugin config, falling back to the built-in default only if neither is available. (#2922)
  • Add versionCatalog step for formatting and sorting Gradle version catalog (.toml) files. (#2916)
  • Add javaparserVersion option to the Cleanthat step, allowing callers to override the JavaParser version pulled in transitively by Cleanthat. (#2903)

Fixed

... (truncated)

Commits
  • 03d43ba Published maven/3.8.0
  • 8b80c13 Published gradle/8.8.0
  • 8ee6cf9 Published lib/4.8.0
  • 6c02c0b Add missing changelog entry.
  • 264f4cc Add regression test for forbidWildcardImports inside toggleOffOn (#2982)
  • 6abb064 fix #2983, expandWildcardImports triggers a full transitive reso… (#2984)
  • f4536d4 Update plugin spotbugs to v6.5.8 (#2987)
  • 873454a Update plugin spotbugs to v6.5.8
  • 000b8a8 Update dependency org.junit.jupiter:junit-jupiter to v6.1.1 (#2985)
  • 84ebcab Update dependency org.junit.jupiter:junit-jupiter to v6.1.1
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [com.diffplug.spotless:spotless-maven-plugin](https://github.com/diffplug/spotless) from 3.7.0 to 3.8.0.
- [Release notes](https://github.com/diffplug/spotless/releases)
- [Changelog](https://github.com/diffplug/spotless/blob/main/CHANGES.md)
- [Commits](diffplug/spotless@maven/3.7.0...maven/3.8.0)

---
updated-dependencies:
- dependency-name: com.diffplug.spotless:spotless-maven-plugin
  dependency-version: 3.8.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels Jul 7, 2026
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown

Mend Scan Results

Status: ⚠️ Findings detected

⚠️ SCA findings detected

SCA scan output
-------------------------------------------+
| HIGH     | httpcore5-h2-5.4.2.jar       | CVE-2026-54428 | Upgrade to version org.apache.httpcomponents.core5:httpcore5-h2:5.5-beta2,              |
|          |                              |                | https://github.com/apache/httpcomponents-core.git - rel/v5.5-beta2,                     |
|          |                              |                | org.apache.httpcomponents.core5:httpcore5-h2:5.4.3,                                     |
|          |                              |                | https://github.com/apache/httpcomponents-core.git - rel/v5.4.3                          |
+----------+------------------------------+----------------+-----------------------------------------------------------------------------------------+
| MEDIUM   | amqp-client-5.5.3.jar        | CVE-2023-46120 | Upgrade to version com.rabbitmq:amqp-client:5.18.0                                      |
+----------+------------------------------+----------------+-----------------------------------------------------------------------------------------+
| MEDIUM   | opentelemetry-api-1.60.1.jar | CVE-2026-45292 | Upgrade to version  https://github.com/open-telemetry/opentelemetry-java.git - v1.62.0, |
|          |                              |                | io.opentelemetry:opentelemetry-extension-trace-propagators:1.62.0                       |
+----------+------------------------------+----------------+-----------------------------------------------------------------------------------------+
| LOW      | HdrHistogram-2.2.2.jar       | CVE-2026-14683 | N/A                                                                                     |
+----------+------------------------------+----------------+-----------------------------------------------------------------------------------------+
| LOW      | HdrHistogram-2.2.2.jar       | CVE-2026-14684 | N/A                                                                                     |
+----------+------------------------------+----------------+-----------------------------------------------------------------------------------------+
| LOW      | HdrHistogram-2.2.2.jar       | CVE-2026-14685 | N/A                                                                                     |
+----------+------------------------------+----------------+-----------------------------------------------------------------------------------------+
| LOW      | HdrHistogram-2.2.2.jar       | CVE-2026-14686 | N/A                                                                                     |
+----------+------------------------------+----------------+-----------------------------------------------------------------------------------------+
| LOW      | jansi-2.4.0.jar              | CVE-2026-8484  | N/A                                                                                     |
+----------+------------------------------+----------------+-----------------------------------------------------------------------------------------+


Paths at risk

P = policy violation
MSC = malicious vulnerability
CRITICAL/HIGH/MEDIUM/LOW = vulnerability severity

quarkus-micrometer-opentelemetry-3.37.0.jar
|-- opentelemetry-micrometer-1.5-2.26.1-alpha.jar
	|-- opentelemetry-instrumentation-api-2.26.1.jar
		|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
	|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
|-- quarkus-micrometer-3.37.0.jar
	|-- micrometer-core-1.16.6.jar
		|-- HdrHistogram-2.2.2.jar [4 LOW]
		|-- LatencyUtils-2.0.3.jar
			|-- HdrHistogram-2.2.2.jar [4 LOW]
|-- quarkus-opentelemetry-3.37.0.jar
	|-- opentelemetry-instrumentation-annotations-support-2.26.1-alpha.jar
		|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
	|-- opentelemetry-instrumentation-annotations-2.26.1.jar
		|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
	|-- opentelemetry-jdbc-2.26.1-alpha.jar
		|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
	|-- opentelemetry-runtime-telemetry-java17-2.26.1-alpha.jar
		|-- opentelemetry-runtime-telemetry-2.26.1-alpha.jar
			|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
		|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
	|-- opentelemetry-api-incubator-1.60.1-alpha.jar
		|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
	|-- opentelemetry-exporter-otlp-common-1.60.1.jar
		|-- opentelemetry-exporter-common-1.60.1.jar
			|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
	|-- opentelemetry-exporter-otlp-1.60.1.jar
		|-- opentelemetry-sdk-logs-1.60.1.jar
			|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
quarkus-logging-kafka-deployment-3.0.5.jar
|-- quarkus-arc-deployment-3.37.0.jar
	|-- quarkus-core-deployment-3.37.0.jar
		|-- readline-2.6.jar
			|-- jansi-2.4.0.jar [1 LOW]
pncmetrics-1.1.3.jar
|-- metrics-graphite-4.1.0.jar
	|-- amqp-client-5.5.3.jar [1 MEDIUM]
bifrost-upload-client-3.5.0.jar
|-- httpclient5-5.5.2.jar
	|-- httpcore5-h2-5.4.2.jar [1 HIGH]
		|-- httpcore5-5.4.2.jar [1 HIGH]
	|-- httpcore5-5.4.2.jar [1 HIGH]
pnc-common-3.5.1-jakarta.jar
|-- opentelemetry-ext-cli-java-2.1.0.jar
	|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
	|-- opentelemetry-sdk-1.60.1.jar
		|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
		|-- opentelemetry-sdk-common-1.60.1.jar
			|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
		|-- opentelemetry-sdk-metrics-1.60.1.jar
			|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
		|-- opentelemetry-sdk-trace-1.60.1.jar
			|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
	|-- opentelemetry-semconv-1.29.0-alpha.jar
		|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]


No Policy violations were detected

Project 'environment-driver' was updated, for more information, visit the Mend platform: https://ibmets.whitesourcesoftware.com/app/orgs/Enterprise%20Applications/applications/summary?project=c6e1b9a4-53c2-4c66-bb31-69044d6bb4f3
Or the Core UI: https://ibmets.whitesourcesoftware.com/Wss/WSS.html#!project;token=3e750feb73054f089ae2c02d8f05cabc014ab023b02b4d3da606baa09b54a06f

Mend AI scan succeeded.

Support Token: 1fa0360d0948e496a849fa028b100bea91783405551111
SAST scan output
*no findings*

Full logs and artifacts

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file java Pull requests that update java code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants