Bump the java-deps group across 1 directory with 6 updates

[dependabot]

Bumps the java-deps group with 6 updates in the / directory:

Package	From	To
org.jsoup:jsoup	1.21.2	1.22.1
org.apache.commons:commons-text	1.14.0	1.15.0
org.yaml:snakeyaml	2.5	2.6
com.deepl.api:deepl-java	1.12.0	1.14.0
org.xerial:sqlite-jdbc	3.51.0.0	3.51.2.0
org.apache.maven.plugins:maven-dependency-plugin	3.9.0	3.10.0

Updates org.jsoup:jsoup from 1.21.2 to 1.22.1

Release notes

Sourced from org.jsoup:jsoup's releases.

jsoup Java HTML Parser release 1.22.1

jsoup 1.22.1 is out now, adding support for the re2j regular expression engine for regex-based CSS selectors, a configurable maximum parser depth, and numerous bug fixes and improvements.

jsoup is a Java library for working with real-world HTML and XML. It provides a very convenient API for extracting and manipulating data, using the best of HTML5 DOM methods and CSS selectors.

Download jsoup now.

Improvements

• Added support for using the re2j regular expression engine for regex-based CSS selectors (e.g. [attr~=regex], :matches(regex)), which ensures linear-time performance for regex evaluation. This allows safer handling of arbitrary user-supplied query regexes. To enable, add the com.google.re2j dependency to your classpath, e.g.:

  <dependency>
    <groupId>com.google.re2j</groupId>
    <artifactId>re2j</artifactId>
    <version>1.8</version>
  </dependency>

(If you already have that dependency in your classpath, but you want to keep using the Java regex engine, you can disable re2j via System.setProperty("jsoup.useRe2j", "false").) You can confirm that the re2j engine has been enabled correctly by calling Regex.usingRe2j(). #2407

• Added an instance method Parser#unescape(String, boolean) that unescapes HTML entities using the parser's configuration (e.g. to support error tracking), complementing the existing static utility Parser.unescapeEntities(String, boolean). #2396
• Added a configurable maximum parser depth (to limit the number of open elements on stack) to both HTML and XML parsers. The HTML parser now defaults to a depth of 512 to match browser behavior, and protect against unbounded stack growth, while the XML parser keeps unlimited depth by default, but can opt into a limit via Parser.setMaxDepth(). #2421
• Build: added CI coverage for JDK 25 #2403
• Build: added a CI fuzzer for contextual fragment parsing (in addition to existing full body HTML and XML fuzzers). [oss-fuzz #14041](google/oss-fuzz#14041)

Changes

• Set a removal schedule of jsoup 1.24.1 for previously deprecated APIs.

Bug Fixes

• Previously cached child Elements of an Element were not correctly invalidated in Node#replaceWith(Node), which could lead to incorrect results when subsequently calling Element#children(). #2391
• Attribute selector values are now compared literally without trimming. Previously, jsoup trimmed whitespace from selector values and from element attribute values, which could cause mismatches with browser behavior (e.g. [attr=" foo "]). Now matches align with the CSS specification and browser engines. #2380
• When using the JDK HttpClient, any system default proxy (ProxySelector.getDefault()) was ignored. Now, the system proxy is used if a per-request proxy is not set. #2388, #2390
• A ValidationException could be thrown in the adoption agency algorithm with particularly broken input. Now logged as a parse error. #2393
• Null characters in the HTML body were not consistently removed; and in foreign content were not correctly replaced. #2395
• An IndexOutOfBoundsException could be thrown when parsing a body fragment with crafted input. Now logged as a parse error. #2397, #2406
• When using StructuralEvaluators (e.g., a parent child selector) across many retained threads, their memoized results could also be retained, increasing memory use. These results are now cleared immediately after use, reducing overall memory consumption. #2411
• Cloning a Parser now preserves any custom TagSet applied to the parser. #2422, #2423
• Custom tags marked as Tag.Void now parse and serialize like the built-in void elements: they no longer consume following content, and the XML serializer emits the expected self-closing form. #2425
• The <br> element is once again classified as an inline tag (Tag.isBlock() == false), matching common developer expectations and its role as phrasing content in HTML, while pretty-printing and text extraction continue to treat it as a line break in the rendered output. #2387, #2439
• Fixed an intermittent truncation issue when fetching and parsing remote documents via Jsoup.connect(url).get(). On responses without a charset header, the initial charset sniff could sometimes (depending on buffering / available() behavior) be mistaken for end-of-stream and a partial parse reused, dropping trailing content. #2448
• TagSet copies no longer mutate their template during lazy lookups, preventing cross-thread ConcurrentModificationException when parsing with shared sessions. #2453
• Fixed parsing of <svg> foreignObject content nested within a <p>, which could incorrectly move the HTML subtree outside the SVG. #2452

Internal Changes

• Deprecated internal helper org.jsoup.internal.Functions (for removal in v1.23.1). This was previously used to support older Android API levels without full java.util.function coverage; jsoup now requires core library desugaring so this indirection is no longer necessary. #2412

---

My sincere thanks to everyone who contributed to this release! If you have any suggestions for the next release, I would love to hear them; please get in touch via jsoup discussions, or with me directly.

You can also follow me (@jhy@tilde.zone) on Mastodon / Fediverse to receive occasional notes about jsoup releases.

Changelog

Sourced from org.jsoup:jsoup's changelog.

1.22.1 (2026-Jan-01)

Improvements

• Added support for using the re2j regular expression engine for regex-based CSS selectors (e.g. [attr~=regex], :matches(regex)), which ensures linear-time performance for regex evaluation. This allows safer handling of arbitrary user-supplied query regexes. To enable, add the com.google.re2j dependency to your classpath, e.g.:

  <dependency>
    <groupId>com.google.re2j</groupId>
    <artifactId>re2j</artifactId>
    <version>1.8</version>
  </dependency>

(If you already have that dependency in your classpath, but you want to keep using the Java regex engine, you can disable re2j via System.setProperty("jsoup.useRe2j", "false").) You can confirm that the re2j engine has been enabled correctly by calling org.jsoup.helper.Regex.usingRe2j(). #2407

• Added an instance method Parser#unescape(String, boolean) that unescapes HTML entities using the parser's configuration (e.g. to support error tracking), complementing the existing static utility Parser.unescapeEntities(String, boolean). #2396
• Added a configurable maximum parser depth (to limit the number of open elements on stack) to both HTML and XML parsers. The HTML parser now defaults to a depth of 512 to match browser behavior, and protect against unbounded stack growth, while the XML parser keeps unlimited depth by default, but can opt into a limit via org.jsoup.parser.Parser#setMaxDepth. #2421
• Build: added CI coverage for JDK 25 #2403
• Build: added a CI fuzzer for contextual fragment parsing (in addition to existing full body HTML and XML fuzzers). [oss-fuzz #14041](google/oss-fuzz#14041)

Changes

• Set a removal schedule of jsoup 1.24.1 for previously deprecated APIs.

Bug Fixes

• Previously cached child Elements of an Element were not correctly invalidated in Node#replaceWith(Node), which could lead to incorrect results when subsequently calling Element#children(). #2391
• Attribute selector values are now compared literally without trimming. Previously, jsoup trimmed whitespace from selector values and from element attribute values, which could cause mismatches with browser behavior (e.g. [attr=" foo "]). Now matches align with the CSS specification and browser engines. #2380
• When using the JDK HttpClient, any system default proxy (ProxySelector.getDefault()) was ignored. Now, the system proxy is used if a per-request proxy is not set. #2388, #2390
• A ValidationException could be thrown in the adoption agency algorithm with particularly broken input. Now logged as a parse error. #2393
• Null characters in the HTML body were not consistently removed; and in foreign content were not correctly replaced. #2395
• An IndexOutOfBoundsException could be thrown when parsing a body fragment with crafted input. Now logged as a parse error. #2397, #2406
• When using StructuralEvaluators (e.g., a parent child selector) across many retained threads, their memoized results could also be retained, increasing memory use. These results are now cleared immediately after use, reducing overall memory consumption. #2411
• Cloning a Parser now preserves any custom TagSet applied to the parser. #2422, #2423
• Custom tags marked as Tag.Void now parse and serialize like the built-in void elements: they no longer consume following content, and the XML serializer emits the expected self-closing form. #2425
• The <br> element is once again classified as an inline tag (Tag.isBlock() == false), matching common developer expectations and its role as phrasing content in HTML, while pretty-printing and text extraction continue to treat it as a line break in the rendered output. #2387, #2439
• Fixed an intermittent truncation issue when fetching and parsing remote documents via Jsoup.connect(url).get(). On responses without a charset header, the initial charset sniff could sometimes (depending on buffering / available() behavior) be mistaken for end-of-stream and a partial parse reused, dropping trailing content. #2448
• TagSet copies no longer mutate their template during lazy lookups, preventing cross-thread ConcurrentModificationException when parsing with shared sessions. #2453
• Fixed parsing of <svg> foreignObject content nested within a <p>, which could incorrectly move the HTML subtree outside the SVG. #2452

Internal Changes

• Deprecated internal helper org.jsoup.internal.Functions (for removal in v1.23.1). This was previously used to support older Android API levels without full java.util.function coverage; jsoup now requires core library desugaring so this indirection is no longer necessary. #2412

Commits

• 8dd66fe [maven-release-plugin] prepare release jsoup-1.22.1
• d924385 Changelog prep for v1.22.1
• 0f3100c Bump actions/upload-artifact from 5 to 6 (#2457)
• cf6ac20 Bump org.apache.maven.plugins:maven-release-plugin from 3.3.0 to 3.3.1 (#2455)
• 6bef938 Fix parsing of SVG foreignObject in paragraphs
• 9b1c0fc Bump org.apache.maven.plugins:maven-release-plugin from 3.2.0 to 3.3.0 (#2450)
• 1415e64 Bump actions/checkout from 5 to 6 (#2451)
• 0e99fd9 Isolate TagSet copies to prevent shared mutation (#2453)
• 90019cb Bump com.github.siom79.japicmp:japicmp-maven-plugin from 0.24.2 to 0.25.0 (#2...
• 9395269 Don't preemptively close
• Additional commits viewable in compare view

Updates org.apache.commons:commons-text from 1.14.0 to 1.15.0

Changelog

Sourced from org.apache.commons:commons-text's changelog.

Apache Commons Text 1.15.0 Release Notes

The Apache Commons Text team is pleased to announce the release of Apache Commons Text 1.15.0.

Apache Commons Text is a set of utility functions and reusable components for processing and manipulating text in a Java environment.

Release 1.15.0. This is a feature and maintenance release. Java 8 or later is required.

New features

•        Add experimental CycloneDX VEX file [#683](https://github.com/apache/commons-text/issues/683). Thanks to Piotr P. Karwasz, Gary Gregory.
  

• TEXT-235: Add Damerau-Levenshtein distance #687. Thanks to LorgeN, Gary Gregory.

•        Add unit tests to increase coverage [#719](https://github.com/apache/commons-text/issues/719). Thanks to Michael Hausegger, Gary Gregory.
  

•        Add new test for CharSequenceTranslator#with() [#725](https://github.com/apache/commons-text/issues/725). Thanks to Michael Hausegger, Gary Gregory.
  

•        Add tests and assertions to org.apache.commons.text.similarity to get to 100% code coverage [#727](https://github.com/apache/commons-text/issues/727), [#728](https://github.com/apache/commons-text/issues/728). Thanks to Michael Hausegger.
  

Fixed Bugs

•        Fix exception message typo in XmlStringLookup.XmlStringLookup(Map, Path...). Thanks to Gary Gregory.
  

• TEXT-236: Inserting at the end of a TextStringBuilder throws a StringIndexOutOfBoundsException. Thanks to Pierre Post, Sumit Bera, Alex Herbert, Gary Gregory.

•        Fix TextStringBuilderTest.testAppendToCharBuffer() to use proper argument type [#724](https://github.com/apache/commons-text/issues/724). Thanks to Michael Hausegger.
  

•        Fix Apache RAT plugin console warnings. Thanks to Gary Gregory.
  

•        Fix site XML to use version 2.0.0 XML schema. Thanks to Gary Gregory.
  

•        Removed unreachable threshold verification code in src/main/java/org/apache/commons/text/similarity [#730](https://github.com/apache/commons-text/issues/730). Thanks to Michael Hausegger.
  

•        Enable secure processing for the XML parser in XmlStringLookup in case the underlying JAXP implementation doesn't [#729](https://github.com/apache/commons-text/issues/729). Thanks to 김민재 (minjas0507), Gary Gregory, Piotr Karwasz.
  

Changes

•        Bump org.apache.commons:commons-parent from 85 to 93 [#704](https://github.com/apache/commons-text/issues/704), [#723](https://github.com/apache/commons-text/issues/723), [#726](https://github.com/apache/commons-text/issues/726). Thanks to Gary Gregory.
  

•        Bump commons.bytebuddy.version from 1.17.6 to 1.18.2 [#696](https://github.com/apache/commons-text/issues/696), [#722](https://github.com/apache/commons-text/issues/722). Thanks to Gary Gregory.
  

•        Bump graalvm.version from 24.2.2 to 25.0.1 [#703](https://github.com/apache/commons-text/issues/703), [#716](https://github.com/apache/commons-text/issues/716). Thanks to Gary Gregory, Dependabot.
  

•        Bump org.apache.commons:commons-lang3 from 3.18.0 to 3.20.0. Thanks to Gary Gregory.
  

•        Bump commons-io:commons-io from 2.20.0 to 2.21.0. Thanks to Gary Gregory.
  

Historical list of changes: https://commons.apache.org/proper/commons-text/changes.html

For complete information on Apache Commons Text, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Commons Text website:

https://commons.apache.org/proper/commons-text

Download page: https://commons.apache.org/proper/commons-text/download_text.cgi

... (truncated)

Commits

• 04e9374 Prepare for the release candidate 1.15.0 RC1
• 502c4c4 Prepare for the next release candidate
• c6e17ec Use direct access
• 58e1e12 Simplify XML FSP (#731)
• b5052c9 Bump actions/setup-java from 5.0.0 to 5.1.0
• 2e2d4bc Revert "Bump actions/setup-java from 5.0.0 to 5.1.0"
• b0ddbd1 Bump actions/setup-java from 5.0.0 to 5.1.0
• 1c2d382 Add tests with external DTD
• ed3df4b Internal clean up
• bb508f3 Bump actions/checkout from 6.0.0 to 6.0.1
• Additional commits viewable in compare view

Updates org.yaml:snakeyaml from 2.5 to 2.6

Commits

• cc19a61 [maven-release-plugin] prepare for next development iteration
• bc4a8f4 Minor fixes in Javadoc
• f18203a Add a test for Y79Y-003
• ad1fceb Less output in tests
• 1db66b7 Add (failing) build with JDK 25
• 88ebaa8 build: fix JKD 25 tests compilation
• 6af8790 Update Javadoc
• a006b7a Update Javadoc
• c143db2 Update changes
• d78d11f Update changes
• Additional commits viewable in compare view

Updates com.deepl.api:deepl-java from 1.12.0 to 1.14.0

Release notes

Sourced from com.deepl.api:deepl-java's releases.

v1.14.0

Added

• Added setTagHandlingVersion() method to TextTranslationOptions to specify which version of the tag handling algorithm to use. Options are v1 and v2.

v1.13.0

Added

• Added setCustomInstructions() method to TextTranslationOptions to customize translation behavior with up to 10 instructions (max 300 characters each). Only supported for target languages: de, en, es, fr, it, ja, ko, zh and their variants. Note: using the custom instructions parameter will use quality_optimized model type as the default. Requests combining custom instructions and the latency_optimized model type will be rejected.

Changelog

Sourced from com.deepl.api:deepl-java's changelog.

[1.14.0] - 2025-12-10

Added

• Added setTagHandlingVersion() method to TextTranslationOptions to specify which version of the tag handling algorithm to use. Options are v1 and v2.

[1.13.0] - 2025-12-03

Added

• Added setCustomInstructions() method to TextTranslationOptions to customize translation behavior with up to 10 instructions (max 300 characters each). Only supported for target languages: de, en, es, fr, it, ja, ko, zh and their variants.

  Note: using the custom instructions parameter will use quality_optimized model type as the default. Requests combining custom instructions and the latency_optimized model type will be rejected.

Commits

• e91115a Bump version to 1.14.0
• 71cc3f4 feat: Add tag_handling_version parameter to translate_text
• b0b941a docs: Bump version to 1.13.0
• f00229c feat: Add support for custom_instructions parameter in text translation
• See full diff in compare view

Updates org.xerial:sqlite-jdbc from 3.51.0.0 to 3.51.2.0

Release notes

Sourced from org.xerial:sqlite-jdbc's releases.

Release 3.51.2.0

Changelog

🚀 Features

sqlite

• upgrade to sqlite 3.51.2 (63a45e7)

🛠 Build

• update location for 2026 (1a7c2a0)

Contributors

We'd like to thank the following people for their contributions: Gauthier Roebroeck

Release 3.51.1.1

Changelog

🚀 Features

sqlite

• enable percentile extension (470c78c), closes #1360

🛠 Build

deps

• bump org.graalvm.sdk:nativeimage from 25.0.1 to 25.0.2 (e5e8aca)
• bump org.graalvm.buildtools:native-maven-plugin (92e995c)
• bump org.jreleaser:jreleaser-maven-plugin (1ba2ff1)
• bump actions/upload-artifact from 5 to 6 (77e1e27)
• bump actions/download-artifact from 6 to 7 (1f35b97)
• bump org.apache.maven.plugins:maven-source-plugin (8384f5b)

deps-dev

• bump org.apache.maven.plugins:maven-compiler-plugin (0d07829)
• bump org.codehaus.mojo:versions-maven-plugin (2a61f25)
• bump org.mockito:mockito-core from 5.20.0 to 5.21.0 (f8de260)

Contributors

We'd like to thank the following people for their contributions: Gauthier, Gauthier Roebroeck

Release 3.51.1.0

Changelog

🚀 Features

sqlite

• upgrade to sqlite 3.51.1 (6868e66)

🛠 Build

... (truncated)

Commits

• 1bda411 chore(release): 3.51.2.0 [skip ci]
• 9a84abd chore: update native libraries
• 1a7c2a0 build: update location for 2026
• 63a45e7 feat(sqlite): upgrade to sqlite 3.51.2
• 92e40c1 chore(release): prepare next snapshot [skip ci]
• 5e1a6a4 chore(release): 3.51.1.1 [skip ci]
• 0d07829 build(deps-dev): bump org.apache.maven.plugins:maven-compiler-plugin
• e5e8aca build(deps): bump org.graalvm.sdk:nativeimage from 25.0.1 to 25.0.2
• 92e995c build(deps): bump org.graalvm.buildtools:native-maven-plugin
• 2a61f25 build(deps-dev): bump org.codehaus.mojo:versions-maven-plugin
• Additional commits viewable in compare view

Updates org.apache.maven.plugins:maven-dependency-plugin from 3.9.0 to 3.10.0

Release notes

Sourced from org.apache.maven.plugins:maven-dependency-plugin's releases.

3.10.0

🚀 New features and improvements

• Introduce graphRoots for dependencyFilter based mojos (#1571) @​rfscholte

🐛 Bug Fixes

• Apply excludeReactor to plugin dependencies in go-offline and resolve-plugins (#1583) @​slawekjaranowski
• Only log dependency classpath when no property/file output is specified (#1551) @​mwalser
• [MDEP-974] - strip ansi codes when writing to a file (#1564) @​elharo

📝 Documentation updates

• Add analyze-only to usage page (#1587) @​slawekjaranowski
• Move doc comment to correct location (#1568) @​elharo
• Focus on most recent version (#1537) @​elharo

👻 Maintenance

• Fix Jenkin bages in README (#1586) @​slawekjaranowski
• Improve dependencies filtering in AbstractAnalyzeMojo (#1579) @​slawekjaranowski
• Migration to JUnit 5 - avoid using AbstractMojoTestCase (#1574) @​slawekjaranowski
• Migration to JUnit 5 - avoid using AbstractMojoTestCase (#1569) @​slawekjaranowski
• Migration to JUnit 5 - avoid using AbstractMojoTestCase (#1563) @​slawekjaranowski
• Migration to JUnit 5 - avoid using AbstractMojoTestCase (#1562) @​slawekjaranowski
• Migration to JUnit 5 (#1558) @​slawekjaranowski
• JUnit Jupiter best practices (#1548) @​slachiewicz
• Migrate JUnit3 based Tests to JUnit 5 (#1541) @​sparsick

📦 Dependency updates

• Bump org.apache.maven.shared:maven-dependency-analyzer from 1.16.0 to 1.17.0 (#1584) @dependabot[bot]
• Bump org.assertj:assertj-core from 2.9.1 to 3.27.7 in /src/it/projects/analyze-testDependencyWithNonTestScope (#1581) @dependabot[bot]
• Bump org.assertj:assertj-core from 3.27.6 to 3.27.7 (#1582) @dependabot[bot]
• Bump org.codehaus.mojo:mrm-maven-plugin from 1.7.0 to 1.7.1 (#1580) @dependabot[bot]
• Bump org.apache.maven.plugins:maven-plugins from 46 to 47 (#1578) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-archiver from 4.10.4 to 4.11.0 (#1576) @dependabot[bot]
• Bump org.apache.maven.plugins:maven-plugins from 45 to 46 (#1573) @dependabot[bot]
• Bump org.jsoup:jsoup from 1.21.2 to 1.22.1 (#1572) @dependabot[bot]
• Bump mavenVersion from 3.9.11 to 3.9.12 (#1570) @dependabot[bot]
• Bump org.apache.commons:commons-lang3 from 3.19.0 to 3.20.0 (#1559) @dependabot[bot]
• Bump commons-io:commons-io from 2.20.0 to 2.21.0 (#1552) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-archiver from 4.10.3 to 4.10.4 (#1553) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-io from 3.5.2 to 3.6.0 (#1554) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-i18n from 1.0.0 to 1.1.0 (#1555) @dependabot[bot]
• Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness from 3.3.0 to 3.4.0 (#1550) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-io from 3.5.1 to 3.5.2 (#1538) @dependabot[bot]
• Bump org.codehaus.plexus:plexus-archiver from 4.10.1 to 4.10.3 (#1539) @dependabot[bot]

Commits

• 4127c33 [maven-release-plugin] prepare release maven-dependency-plugin-3.10.0
• 68b5e47 Add analyze-only to usage page
• 09d5860 Fix Jenkin bages in README
• 4308f6c Bump org.apache.maven.shared:maven-dependency-analyzer
• ba3c570 Apply excludeReactor to plugin dependencies in go-offline and resolve-plugins
• 0d88b66 Only log dependency classpath when no property/file output is specified
• 0075e31 Bump org.assertj:assertj-core (#1581)
• 65d53bb Bump org.assertj:assertj-core from 3.27.6 to 3.27.7 (#1582)
• eaf54f0 Bump org.codehaus.mojo:mrm-maven-plugin from 1.7.0 to 1.7.1 (#1580)
• ece9a38 Improve dependencies filtering in AbstractAnalyzeMojo
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions