Bump the all-maven-dependencies group across 2 directories with 4 updates

[dependabot]

Bumps the all-maven-dependencies group with 4 updates in the / directory: com.sap.cds:cds-services-bom, com.sap.cds:cds-maven-plugin, com.sap.cloud.security:java-bom and com.diffplug.spotless:spotless-maven-plugin.
Bumps the all-maven-dependencies group with 4 updates in the /srv directory: com.sap.cds:cds-maven-plugin, com.sap.cds:cds-services-bom, com.sap.cloud.security:java-bom and com.diffplug.spotless:spotless-maven-plugin.

Updates com.sap.cds:cds-services-bom from 4.9.0 to 4.9.1

Updates com.sap.cds:cds-maven-plugin from 4.9.0 to 4.9.1

Updates com.sap.cloud.security:java-bom from 3.7.3 to 3.7.4

Release notes

Sourced from com.sap.cloud.security:java-bom's releases.

3.7.4

• Fix multi-tenant XSUAA token exchange in DefaultXsuaaTokenExtension
  • The IAS-to-XSUAA exchange used the provider subdomain endpoint, which caused XSUAA to resolve the provider tenant instead of the tenant carried in the X-zid header (app_tid)
  • Token exchange now targets a tenant-agnostic endpoint built from the uaadomain binding property, so XSUAA resolves the tenant via X-zid
  • For X.509 credentials the host's authentication. segment is replaced with authentication.cert. (analogous to the Node.js library), e.g. authentication.eu10.hana.ondemand.com → authentication.cert.eu10.hana.ondemand.com
  • Falls back to the existing subdomain-bearing endpoint when uaadomain is missing, preserving behavior for legacy bindings

Changelog

Sourced from com.sap.cloud.security:java-bom's changelog.

Change Log

All notable changes to this project will be documented in this file.

4.0.7

• Fix mTLS handshake regression in SSLContextFactory
  • Initialize the SSLContext with an explicit TrustManagerFactory backed by the system default trust store instead of passing null, fixing (certificate_unknown) No X509TrustManager implementation available failures observed on certain runtime configurations
• Add missing no-arg constructor to DefaultOAuth2TokenService
  • The class lacked the no-arg constructor that the migration documentation (token-client/CUSTOM_HTTPCLIENT.md) advertised
  • The sibling services DefaultOAuth2TokenKeyService and DefaultOidcConfigurationService already had it; this restores symmetry
  • The new constructor obtains a SecurityHttpClient via SecurityHttpClientProvider.createClient(null) and delegates to the existing (SecurityHttpClient) constructor
• Fix multi-tenant XSUAA token exchange in DefaultXsuaaTokenExtension
  • The IAS-to-XSUAA exchange used the provider subdomain endpoint, which caused XSUAA to resolve the provider tenant instead of the tenant carried in the X-zid header (app_tid)
  • Token exchange now targets a tenant-agnostic endpoint built from the uaadomain binding property, so XSUAA resolves the tenant via X-zid
  • For X.509 credentials the host's authentication. segment is replaced with authentication.cert. (analogous to the Node.js library), e.g. authentication.eu10.hana.ondemand.com → authentication.cert.eu10.hana.ondemand.com
  • Falls back to the existing subdomain-bearing endpoint when uaadomain is missing, preserving behavior for legacy bindings

4.0.6

• Update dependencies to address known vulnerabilities:
  • Spring Boot (legacy 3.x modules): 3.5.9 → 3.5.14
  • Spring Framework (legacy 3.x modules): 6.2.15 → 6.2.18
  • Spring Security (legacy 3.x modules): 6.5.7 → 6.5.10
  • Caffeine: 3.2.0 → 3.2.4
  • SpotBugs Maven Plugin: 4.9.8.2 → 4.9.8.3

4.0.5

• Restore deprecated HttpClientFactory.services field and ServiceLoader-based factory discovery for backward compatibility

  • Custom HttpClientFactory implementations registered via META-INF/services are discovered again
  • A deprecation warning is logged when a custom factory is used, guiding users to migrate to SecurityHttpClientFactory with SecurityHttpClientProvider
  • Token services with default (no-arg) constructors continue to use the new SecurityHttpClientProvider internally

• Fix multi-tenant IAS token exchange by adding app_tid parameter to the token exchange request in DefaultIdTokenExtension

  • In multi-tenant applications, IAS requires app_tid in addition to client_id to uniquely identify the application
  • The app_tid is extracted from the incoming access token and included when present

4.0.4

• Improve domain validation handling in JwtValidatorBuilder for IAS tokens

4.0.3

• Fix multi-tenant IAS token exchange to use token issuer URL instead of provider IAS URL from configuration in DefaultIdTokenExtension

4.0.2

• Fix token exchange credential handling to use getClientIdentity() instead of manually checking for certificate vs client secret
• Add IAS certificate properties (certificate, key, credential-type, certurl) to IdentityServicesPropertySourceFactory to properly map X.509 credentials for IAS service bindings

... (truncated)

Commits

• 9d34661 chore: Release 3.7.4
• 009f89d docs: Add CHANGELOG entry for XSUAA multi-tenant token exchange fix
• 681e39e fix: Replace authentication. with authentication.cert. for X.509 uaadomain
• 74f931f fix: Use tenant-agnostic XSUAA token endpoint when exchanging IAS to XSUAA
• See full diff in compare view

Updates com.sap.cds:cds-maven-plugin from 4.9.0 to 4.9.1

Updates com.diffplug.spotless:spotless-maven-plugin from 3.6.0 to 3.7.0

Release notes

Sourced from com.diffplug.spotless:spotless-maven-plugin's releases.

Maven Plugin v3.7.0

Fixed

• Parse standard git year output in LicenseHeaderStep. (#2940)
• <toggleOffOn> no longer disables lint-only steps such as <forbidWildcardImports>. (#2962)
• Fix StringIndexOutOfBoundsException in scenarios where copyright year is surrounded by whitespace. (#2973)

Added

• Add support for AsciiDoc formatting via adocfmt. (#2960)
• <flexmark> step now supports arbitrary formatter options via <formatterOptions>. (#2968)

Changelog

Sourced from com.diffplug.spotless:spotless-maven-plugin's changelog.

spotless-lib and spotless-lib-extra releases

If you are a Spotless user (as opposed to developer), then you are probably looking for:

• https://github.com/diffplug/spotless/blob/main/plugin-gradle/CHANGES.md
• https://github.com/diffplug/spotless/blob/main/plugin-maven/CHANGES.md

This document is intended for Spotless developers.

We adhere to the keepachangelog format (starting after version 1.27.0).

[Unreleased]

[4.7.0] - 2026-06-16

Added

• Add support for AsciiDoc formatting via adocfmt. (#2960)
• flexmark step now supports arbitrary formatter options via a formatterOptions map. (#2968)

Fixed

• FenceStep.preserveWithin now forwards lints from nested steps while still suppressing lints inside preserved blocks. (#2962)
• Support ktfmt 0.63 and use its new builder API for formatting options to better avoid future breaking changes.
• Parse standard git year output in LicenseHeaderStep. (#2940)
• Fix StringIndexOutOfBoundsException in scenarios where copyright year is surrounded by whitespace. (#2973)

Changes

• Bump default greclipse version to latest 4.35 -> 4.39. (#2924)

[4.6.2] - 2026-05-27

Fixed

• P2Provisioner now passes cache directory overrides directly to Solstice. (#2944)
• forbidWildcardImports and forbidModuleImports now detect imports that have leading whitespace (indentation/tabs). (#2939)
• versionCatalog step no longer splits long inline tables across multiple lines — Gradle's TOML 1.0 parser cannot read multi-line inline tables. The maxLineLength option has been removed. (#2948)

Changes

• EclipseJdtFormtterStep now can conditionally set compiler source/compliance options. Allows for better parsing of AST Node for newer language features and more correct sorting; e.g. records or seal classes. (#2942)
• Formatter no longer recomputes line-ending normalization (LineEnding.toUnix) a second time for every formatter step that changes content, removing redundant O(n) work from the core formatting loop. (#2934)
• expandWildcardImports support pom type dependency. (#2839)

[4.6.1] - 2026-05-15

Fixed

• LicenseHeaderStep in SET_FROM_GIT year mode no longer invokes git log through bash -c / cmd /c, eliminating a shell-injection vector when processing repositories that contain files whose names include shell metacharacters.

[4.6.0] - 2026-05-14

Added

• scalafmt() now reads the version from the version field in the scalafmt config file when no version is explicitly set in the plugin config, falling back to the built-in default only if neither is available. (#2922)
• Add versionCatalog step for formatting and sorting Gradle version catalog (.toml) files. (#2916)
• Add javaparserVersion option to the Cleanthat step, allowing callers to override the JavaParser version pulled in transitively by Cleanthat. (#2903)

Fixed

• Preserve case of JDBI named bind params that collide with SQL keywords (e.g. :limit, :offset) in the DBeaver SQL formatter. (#2899)
• Fix non-idempotent formatting when importOrder() is combined with greclipse(): a single catch-all group no longer strips blank lines that greclipse() independently inserted between import groups. (#2914)

Changes

• Fix expandWildcardImports failing on JDK XML types such as org.xml.sax.InputSource. (#2921)

... (truncated)

Commits

• ef7703a Published maven/3.7.0
• 91113e0 Published gradle/8.7.0
• 611b48e Published lib/4.7.0
• 5f3a85f ci(deploy): use base64 -w0 so the auth header has no embedded newline
• f84f025 ci(deploy): force HTTP/1.1 on git fetch origin main
• 780f0f6 fix(spotless/gradle-plugin): Fix StringIndexOutOfBoundsException in scenari...
• b0328c8 Update plugin rewrite to v7.34.0 (#2972)
• 9a502ce Update plugin com.gradle.develocity to v4.4.2 (#2971)
• b4d9ec0 Revert the changes to assertUnchanged() and use assertTransform() when ne...
• 787819d Remove unneeded debug comments
• Additional commits viewable in compare view

Updates com.sap.cds:cds-maven-plugin from 4.9.0 to 4.9.1

Updates com.sap.cds:cds-services-bom from 4.9.0 to 4.9.1

Updates com.sap.cloud.security:java-bom from 3.7.3 to 3.7.4

Release notes

Sourced from com.sap.cloud.security:java-bom's releases.

3.7.4

• Fix multi-tenant XSUAA token exchange in DefaultXsuaaTokenExtension
  • The IAS-to-XSUAA exchange used the provider subdomain endpoint, which caused XSUAA to resolve the provider tenant instead of the tenant carried in the X-zid header (app_tid)
  • Token exchange now targets a tenant-agnostic endpoint built from the uaadomain binding property, so XSUAA resolves the tenant via X-zid
  • For X.509 credentials the host's authentication. segment is replaced with authentication.cert. (analogous to the Node.js library), e.g. authentication.eu10.hana.ondemand.com → authentication.cert.eu10.hana.ondemand.com
  • Falls back to the existing subdomain-bearing endpoint when uaadomain is missing, preserving behavior for legacy bindings

Changelog

Sourced from com.sap.cloud.security:java-bom's changelog.

Change Log

All notable changes to this project will be documented in this file.

4.0.7

• Fix mTLS handshake regression in SSLContextFactory
  • Initialize the SSLContext with an explicit TrustManagerFactory backed by the system default trust store instead of passing null, fixing (certificate_unknown) No X509TrustManager implementation available failures observed on certain runtime configurations
• Add missing no-arg constructor to DefaultOAuth2TokenService
  • The class lacked the no-arg constructor that the migration documentation (token-client/CUSTOM_HTTPCLIENT.md) advertised
  • The sibling services DefaultOAuth2TokenKeyService and DefaultOidcConfigurationService already had it; this restores symmetry
  • The new constructor obtains a SecurityHttpClient via SecurityHttpClientProvider.createClient(null) and delegates to the existing (SecurityHttpClient) constructor
• Fix multi-tenant XSUAA token exchange in DefaultXsuaaTokenExtension
  • The IAS-to-XSUAA exchange used the provider subdomain endpoint, which caused XSUAA to resolve the provider tenant instead of the tenant carried in the X-zid header (app_tid)
  • Token exchange now targets a tenant-agnostic endpoint built from the uaadomain binding property, so XSUAA resolves the tenant via X-zid
  • For X.509 credentials the host's authentication. segment is replaced with authentication.cert. (analogous to the Node.js library), e.g. authentication.eu10.hana.ondemand.com → authentication.cert.eu10.hana.ondemand.com
  • Falls back to the existing subdomain-bearing endpoint when uaadomain is missing, preserving behavior for legacy bindings

4.0.6

• Update dependencies to address known vulnerabilities:
  • Spring Boot (legacy 3.x modules): 3.5.9 → 3.5.14
  • Spring Framework (legacy 3.x modules): 6.2.15 → 6.2.18
  • Spring Security (legacy 3.x modules): 6.5.7 → 6.5.10
  • Caffeine: 3.2.0 → 3.2.4
  • SpotBugs Maven Plugin: 4.9.8.2 → 4.9.8.3

4.0.5

• Restore deprecated HttpClientFactory.services field and ServiceLoader-based factory discovery for backward compatibility

  • Custom HttpClientFactory implementations registered via META-INF/services are discovered again
  • A deprecation warning is logged when a custom factory is used, guiding users to migrate to SecurityHttpClientFactory with SecurityHttpClientProvider
  • Token services with default (no-arg) constructors continue to use the new SecurityHttpClientProvider internally

• Fix multi-tenant IAS token exchange by adding app_tid parameter to the token exchange request in DefaultIdTokenExtension

  • In multi-tenant applications, IAS requires app_tid in addition to client_id to uniquely identify the application
  • The app_tid is extracted from the incoming access token and included when present

4.0.4

• Improve domain validation handling in JwtValidatorBuilder for IAS tokens

4.0.3

• Fix multi-tenant IAS token exchange to use token issuer URL instead of provider IAS URL from configuration in DefaultIdTokenExtension

4.0.2

• Fix token exchange credential handling to use getClientIdentity() instead of manually checking for certificate vs client secret
• Add IAS certificate properties (certificate, key, credential-type, certurl) to IdentityServicesPropertySourceFactory to properly map X.509 credentials for IAS service bindings

... (truncated)

Commits

• 9d34661 chore: Release 3.7.4
• 009f89d docs: Add CHANGELOG entry for XSUAA multi-tenant token exchange fix
• 681e39e fix: Replace authentication. with authentication.cert. for X.509 uaadomain
• 74f931f fix: Use tenant-agnostic XSUAA token endpoint when exchanging IAS to XSUAA
• See full diff in compare view

Updates com.sap.cds:cds-maven-plugin from 4.9.0 to 4.9.1

Updates com.diffplug.spotless:spotless-maven-plugin from 3.6.0 to 3.7.0

Release notes

Sourced from com.diffplug.spotless:spotless-maven-plugin's releases.

Maven Plugin v3.7.0

Fixed

• Parse standard git year output in LicenseHeaderStep. (#2940)
• <toggleOffOn> no longer disables lint-only steps such as <forbidWildcardImports>. (#2962)
• Fix StringIndexOutOfBoundsException in scenarios where copyright year is surrounded by whitespace. (#2973)

Added

• Add support for AsciiDoc formatting via adocfmt. (#2960)
• <flexmark> step now supports arbitrary formatter options via <formatterOptions>. (#2968)

Changelog

Sourced from com.diffplug.spotless:spotless-maven-plugin's changelog.

spotless-lib and spotless-lib-extra releases

If you are a Spotless user (as opposed to developer), then you are probably looking for:

• https://github.com/diffplug/spotless/blob/main/plugin-gradle/CHANGES.md
• https://github.com/diffplug/spotless/blob/main/plugin-maven/CHANGES.md

This document is intended for Spotless developers.

We adhere to the keepachangelog format (starting after version 1.27.0).

[Unreleased]

[4.7.0] - 2026-06-16

Added

• Add support for AsciiDoc formatting via adocfmt. (#2960)
• flexmark step now supports arbitrary formatter options via a formatterOptions map. (#2968)

Fixed

• FenceStep.preserveWithin now forwards lints from nested steps while still suppressing lints inside preserved blocks. (#2962)
• Support ktfmt 0.63 and use its new builder API for formatting options to better avoid future breaking changes.
• Parse standard git year output in LicenseHeaderStep. (#2940)
• Fix StringIndexOutOfBoundsException in scenarios where copyright year is surrounded by whitespace. (#2973)

Changes

• Bump default greclipse version to latest 4.35 -> 4.39. (#2924)

[4.6.2] - 2026-05-27

Fixed

• P2Provisioner now passes cache directory overrides directly to Solstice. (#2944)
• forbidWildcardImports and forbidModuleImports now detect imports that have leading whitespace (indentation/tabs). (#2939)
• versionCatalog step no longer splits long inline tables across multiple lines — Gradle's TOML 1.0 parser cannot read multi-line inline tables. The maxLineLength option has been removed. (#2948)

Changes

• EclipseJdtFormtterStep now can conditionally set compiler source/compliance options. Allows for better parsing of AST Node for newer language features and more correct sorting; e.g. records or seal classes. (#2942)
• Formatter no longer recomputes line-ending normalization (LineEnding.toUnix) a second time for every formatter step that changes content, removing redundant O(n) work from the core formatting loop. (#2934)
• expandWildcardImports support pom type dependency. (#2839)

[4.6.1] - 2026-05-15

Fixed

• LicenseHeaderStep in SET_FROM_GIT year mode no longer invokes git log through bash -c / cmd /c, eliminating a shell-injection vector when processing repositories that contain files whose names include shell metacharacters.

[4.6.0] - 2026-05-14

Added

• scalafmt() now reads the version from the version field in the scalafmt config file when no version is explicitly set in the plugin config, falling back to the built-in default only if neither is available. (#2922)
• Add versionCatalog step for formatting and sorting Gradle version catalog (.toml) files. (#2916)
• Add javaparserVersion option to the Cleanthat step, allowing callers to override the JavaParser version pulled in transitively by Cleanthat. (#2903)

Fixed

• Preserve case of JDBI named bind params that collide with SQL keywords (e.g. :limit, :offset) in the DBeaver SQL formatter. (#2899)
• Fix non-idempotent formatting when importOrder() is combined with greclipse(): a single catch-all group no longer strips blank lines that greclipse() independently inserted between import groups. (#2914)

Changes

• Fix expandWildcardImports failing on JDK XML types such as org.xml.sax.InputSource. (#2921)

... (truncated)

Commits

• ef7703a Published maven/3.7.0
• 91113e0 Published gradle/8.7.0
• 611b48e Published lib/4.7.0
• 5f3a85f ci(deploy): use base64 -w0 so the auth header has no embedded newline
• f84f025 ci(deploy): force HTTP/1.1 on git fetch origin main
• 780f0f6 fix(spotless/gradle-plugin): Fix StringIndexOutOfBoundsException in scenari...
• b0328c8 Update plugin rewrite to v7.34.0 (#2972)
• 9a502ce Update plugin com.gradle.develocity to v4.4.2 (#2971)
• b4d9ec0 Revert the changes to assertUnchanged() and use assertTransform() when ne...
• 787819d Remove unneeded debug comments
• Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
com.sap.cloud.security:java-bom	[>= 4.a0, < 5]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions