fix(deps): update all dependencies j:cdx-227 (major)

[renovate-coveo]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence	Type	Update	Pending
@actions/core (source)	^1.10.0 → ^3.0.0					devDependencies	major
@commitlint/config-conventional (source)	19.8.1 → 20.4.4					devDependencies	major	20.5.0
@octokit/auth-app	^7.0.0 → ^8.0.0					devDependencies	major
actions/checkout	v4.3.0 → v6.0.2					action	major
actions/checkout	v4 → v6					action	major
actions/setup-java	v4.7.1 → v5.2.0					action	major
actions/setup-node	v4.4.0 → v6.3.0					action	major
actions/upload-artifact	v4.6.2 → v7.0.0					action	major
com.diffplug.spotless:spotless-maven-plugin	2.46.1 → 3.4.0					build	major
io.github.resilience4j:resilience4j-retry (source)	1.7.1 → 2.4.0					compile	major

---

Release Notes

actions/toolkit (@​actions/core)

v3.0.0

• Breaking change: Package is now ESM-only
  • CommonJS consumers must use dynamic import() instead of require()

v2.0.3

• Bump @actions/http-client to 3.0.2

v2.0.1

• Bump @​actions/exec from 1.1.1 to 2.0.0 #​2199

v2.0.0

• Add support for Node 24 #​2110
• Bump @​actions/http-client from 2.0.1 to 3.0.0

conventional-changelog/commitlint (@​commitlint/config-conventional)

v20.4.4

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

v20.4.3

Compare Source

Bug Fixes

• footer parser does not escape special chars for regex #​4560 (#​4634) (8ff7c7f)

v20.4.2

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

v20.4.1

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

v20.4.0

Compare Source

Features

• upgrade conventional commit packages #​4082 (#​4597) (3aaf0a6)

20.3.1 (2026-01-08)

Note: Version bump only for package @​commitlint/config-conventional

v20.3.1

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

v20.3.0

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

v20.2.0

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

v20.0.0

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

19.8.1 (2025-05-08)

Note: Version bump only for package @​commitlint/config-conventional

octokit/auth-app.js (@​octokit/auth-app)

v8.2.0

Compare Source

Features

• handling exp is too far in the future (#​699) (6201580)
• Add enterprise installation route to JWT-authenticated routes (#​736) (5b218af)

v8.1.2

Compare Source

Bug Fixes

• deps: update dependency @​octokit/types to v16 (#​731) (016958a)

v8.1.1

Compare Source

Bug Fixes

• deps: update dependency @​octokit/types to v15 (#​721) (8b76e56)

v8.1.0

Compare Source

Features

• support using a remote HSM or JWT signing service in lieu of private keys (#​712) (ef7a95d)

v8.0.2

Compare Source

Bug Fixes

• dont lose this reference for loggers (#​708) (06900f0)

v8.0.1

Compare Source

Bug Fixes

• deps: update octokit monorepo (major) (#​704) (56cded1)

v8.0.0

Compare Source

Continuous Integration

• stop testing against NodeJS v18 (#​702) (a168de5)

BREAKING CHANGES

• Drop support for NodeJS v18

• build: set minimal node version in build script to v20

• ci: stop testing against NodeJS v18

actions/checkout (actions/checkout)

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

v6.0.1

Compare Source

• Add worktree support for persist-credentials includeIf by @​ericsciple in #​2327

v6.0.0

Compare Source

• Persist creds to a separate file by @​ericsciple in #​2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in #​2248

v5.0.1

Compare Source

• Port v6 cleanup to v5 by @​ericsciple in #​2301

v5.0.0

Compare Source

• Update actions checkout to use node 24 by @​salmanmkc in #​2226

v4.3.1

Compare Source

• Port v6 cleanup to v4 by @​ericsciple in #​2305

actions/setup-java (actions/setup-java)

v5.2.0

Compare Source

What's Changed

Enhancement

• Retry on HTTP 522 Connection timed out by @​findepi in #​964

Documentation Changes

• Update gradle caching by @​priya-kinthali in #​972
• Update checkout to v6 by @​mahabaleshwars in #​973

Dependency Updates

• Upgrade @​actions/cache to v5 by @​salmanmkc in #​968
• Upgrade actions/checkout from 5 to 6 by @​dependabot in #​961

New Contributors

• @​findepi made their first contribution in #​964

Full Changelog: actions/setup-java@v5...v5.2.0

v5.1.0

Compare Source

What's Changed

New Features

• Add support for .sdkmanrc file in java-version-file parameter by @​guicamest in #​736
• Add support for Microsoft OpenJDK 25 builds by @​the-mod in #​927

Bug Fixes & Improvements

• Update Regex to Support All ASDF Versions for the supported distributions in tool-versions File by @​aparnajyothi-y in #​767
• Enhance error logging for network failures to include endpoint/IP details, add retry mechanism and update workflows to use macos-15-intel by @​priya-kinthali in #​946
• Update SapMachine URLs by @​RealCLanger in #​955
• Add GitHub Token Support for GraalVM and Refactor Code by @​mahabaleshwars in #​849

Documentation changes

• Update documentation to use checkout and Java v5 by @​lmvysakh in #​903
• Clarify JAVA_HOME and PATH setup in README by @​chiranjib-swain in #​841

Dependency updates

• Upgrade prettier from 2.8.8 to 3.6.2 and document breaking changes in v5 by @​dependabot in #​873
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 by @​dependabot in #​912

New Contributors

• @​lmvysakh made their first contribution in #​903
• @​chiranjib-swain made their first contribution in #​841
• @​the-mod made their first contribution in #​927
• @​priya-kinthali made their first contribution in #​946
• @​guicamest made their first contribution in #​736

Full Changelog: actions/setup-java@v5...v5.1.0

v5.0.0

Compare Source

What's Changed

Breaking Changes

• Upgrade to node 24 by @​salmanmkc in #​888

Make sure your runner is updated to this version or newer to use this release. v2.327.1 Release Notes

Dependency Upgrades

• Upgrade Publish Immutable Action by @​HarithaVattikuti in #​798
• Upgrade eslint-plugin-jest from 27.9.0 to 28.11.0 by @​dependabot[bot] in #​730
• Upgrade undici from 5.28.5 to 5.29.0 by @​dependabot[bot] in #​833
• Upgrade form-data to bring in fix for critical vulnerability by @​gowridurgad in #​887
• Upgrade actions/checkout from 4 to 5 by @​dependabot[bot] in #​896

Bug Fixes

• Prevent default installation of JetBrains pre-releases by @​priyagupta108 in #​859
• Improve Error Handling for Setup-Java Action to Help Debug Intermittent Failures by @​gowridurgad in #​848

New Contributors

• @​gowridurgad made their first contribution in #​848
• @​salmanmkc made their first contribution in #​888

Full Changelog: actions/setup-java@v4...v5.0.0

v4.8.0

Compare Source

What's Changed

• License and Audit Fixes by @​HarithaVattikuti in #​960
• Update SapMachine URLs by @​RealCLanger in #​965

Full Changelog: actions/setup-java@v4...v4.8.0

actions/setup-node (actions/setup-node)

v6.3.0

Compare Source

What's Changed

Enhancements:

• Support parsing devEngines field by @​susnux in #​1283

When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

Dependency updates:

• Fix npm audit issues by @​gowridurgad in #​1491
• Replace uuid with crypto.randomUUID() by @​trivikr in #​1378
• Upgrade minimatch from 3.1.2 to 3.1.5 by @​dependabot in #​1498

Bug fixes:

• Remove hardcoded bearer for mirror-url @​marco-ippolito in #​1467
• Scope test lockfiles by package manager and update cache tests by @​gowridurgad in #​1495

New Contributors

• @​susnux made their first contribution in #​1283

Full Changelog: actions/setup-node@v6...v6.3.0

v6.2.0

Compare Source

What's Changed

Documentation

• Documentation update related to absence of Lockfile by @​mahabaleshwars in #​1454
• Correct mirror option typos by @​MikeMcC399 in #​1442
• Readme update on checkout version v6 by @​deining in #​1446
• Readme typo fixes @​munyari in #​1226
• Advanced document update on checkout version v6 by @​aparnajyothi-y in #​1468

Dependency updates:

• Upgrade @​actions/cache to v5.0.1 by @​salmanmkc in #​1449

New Contributors

• @​mahabaleshwars made their first contribution in #​1454
• @​MikeMcC399 made their first contribution in #​1442
• @​deining made their first contribution in #​1446
• @​munyari made their first contribution in #​1226

Full Changelog: actions/setup-node@v6...v6.2.0

v6.1.0

Compare Source

What's Changed

Enhancement:

• Remove always-auth configuration handling by @​priyagupta108 in #​1436

Dependency updates:

• Upgrade @​actions/cache from 4.0.3 to 4.1.0 by @​dependabot[bot] in #​1384
• Upgrade actions/checkout from 5 to 6 by @​dependabot[bot] in #​1439
• Upgrade js-yaml from 3.14.1 to 3.14.2 by @​dependabot[bot] in #​1435

Documentation update:

• Add example for restore-only cache in documentation by @​aparnajyothi-y in #​1419

Full Changelog: actions/setup-node@v6...v6.1.0

v6.0.0

Compare Source

What's Changed

Breaking Changes

• Limit automatic caching to npm, update workflows and documentation by @​priyagupta108 in #​1374

Dependency Upgrades

• Upgrade ts-jest from 29.1.2 to 29.4.1 and document breaking changes in v5 by @​dependabot[bot] in #​1336
• Upgrade prettier from 2.8.8 to 3.6.2 by @​dependabot[bot] in #​1334
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 by @​dependabot[bot] in #​1362

Full Changelog: actions/setup-node@v5...v6.0.0

v5.0.0

Compare Source

What's Changed

Breaking Changes

• Enhance caching in setup-node with automatic package manager detection by @​priya-kinthali in #​1348

This update, introduces automatic caching when a valid packageManager field is present in your package.json. This aims to improve workflow performance and make dependency management more seamless.
To disable this automatic caching, set package-manager-cache: false

steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false

• Upgrade action to use node24 by @​salmanmkc in #​1325

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

• Upgrade @​octokit/request-error and @​actions/github by @​dependabot[bot] in #​1227
• Upgrade uuid from 9.0.1 to 11.1.0 by @​dependabot[bot] in #​1273
• Upgrade undici from 5.28.5 to 5.29.0 by @​dependabot[bot] in #​1295
• Upgrade form-data to bring in fix for critical vulnerability by @​gowridurgad in #​1332
• Upgrade actions/checkout from 4 to 5 by @​dependabot[bot] in #​1345

New Contributors

• @​priya-kinthali made their first contribution in #​1348
• @​salmanmkc made their first contribution in #​1325

Full Changelog: actions/setup-node@v4...v5.0.0

actions/upload-artifact (actions/upload-artifact)

v7.0.0

Compare Source

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in #​754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in #​762
• Support direct file uploads by @​danwkennedy in #​764

New Contributors

• @​Link- made their first contribution in #​754

Full Changelog: actions/upload-artifact@v6...v7.0.0

v6.0.0

Compare Source

v6 - What's new

[!IMPORTANT]
actions/upload-artifact@​v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

• Upload Artifact Node 24 support by @​salmanmkc in #​719
• fix: update @​actions/artifact for Node.js 24 punycode deprecation by @​salmanmkc in #​744
• prepare release v6.0.0 for Node.js 24 support by @​salmanmkc in #​745

Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0

v5.0.0

Compare Source

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

• Update README.md by @​GhadimiR in #​681
• Update README.md by @​nebuk89 in #​712
• Readme: spell out the first use of GHES by @​danwkennedy in #​727
• Update GHES guidance to include reference to Node 20 version by @​patrikpolyak in #​725
• Bump @actions/artifact to v4.0.0
• Prepare v5.0.0 by @​danwkennedy in #​734

New Contributors

• @​GhadimiR made their first contribution in #​681
• @​nebuk89 made their first contribution in #​712
• @​danwkennedy made their first contribution in #​727
• @​patrikpolyak made their first contribution in #​725

Full Changelog: actions/upload-artifact@v4...v5.0.0

diffplug/spotless (com.diffplug.spotless:spotless-maven-plugin)

v3.3.0

Added

• Allow specifying path to Biome JSON config file directly in biome step. Requires biome 2.x. (#​2548)
• GitPrePushHookInstaller, a reusable library component for installing a Git pre-push hook that runs formatter checks. (#​2553)
• Allow setting Eclipse XML config from a string, not only from files (#​2361)

v3.2.0

Added

• Support for idea (#​2020, #​2535)
• Add support for removing wildcard imports via removeWildcardImports step. (#​2517)
• scalafmt: enforce version consistency between the version configured in Spotless and the version declared in Scalafmt config file (#​2460)

Fixed

• SortPom disable expandEmptyElements, to avoid empty body warnings. (#​2520)
• Fix biome formatter for new major release 2.x of biome (#​2537)
• Make sure npm-based formatters use the correct node_modules directory when running in parallel. (#​2542)

Changed

• Bump internal dependencies for npm-based formatters (#​2542)

v3.1.0

Added

• Support forclang-format on maven-plugin (#​2406)
• Allow overriding classLoader for all JarStates to enable spotless-cli (#​2427)

v3.0.0

[3.0.0] - 2025-01-06

resilience4j/resilience4j (io.github.resilience4j:resilience4j-retry)

v2.4.0

Compare Source

What's Changed

• Added support of initializing circuitBreaker in desired state from config by @​agarwalbharat in #​2268
• Issue #​2269: Added getCausingRateLimiterName by @​noomkram in #​2270
• Time limiter registry builder by @​darkius in #​2291
• Issue #​2285: Add HealthContributorAutoConfiguration to ConditionalOnClass by @​obecker in #​2286
• Issue #​2278: Added ThreadPoolBulkhead to some Decorators by @​matsev in #​2284
• Correct registry config in aspect by @​darkius in #​2282
• #​2285 - add configuration to move circuit breaker from half open to closed state by @​victorpasqualino in #​2290
• Bump actions/cache from 4.0.2 to 4.2.0 by @​dependabot[bot] in #​2252
• Remove dependency on kotlin-stdlib-jdk8 from resilience4j-core by @​gavlyukovskiy in #​2301
• Bring back 'slidingWindow' with default synchronization strategy by @​gavlyukovskiy in #​2302
• add withFallback() methods to DecorateFunction by @​matsev in #​2312
• Issue #​2295: Ensure ignoreExceptions take precedence over recordExceptions by @​kssumin in #​2304
• fix spring boot3 customizer application order by @​alexey-grigorovich-savvymoney in #​2321
• chore(1910): update grafana dashboard by @​JoranVanBelle in #​2318
• Provide key for components using SpEL for names by @​doumdoum in #​2329
• Feature #​2224 : Bump jdk from 17 to 21 for support virtual thread by @​ykhfree in #​2331
• Add missing eventConsumerBufferSize merge for Retry config by @​skowrxn in #​2344
• [GH-2334] fix: reject TIME_BASED + LOCK_FREE when slidingWindowSize < 2 by @​bandalgomsu in #​2358
• feat: add setter for bulkheadAspectOrder property by @​NiMv1 in #​2386
• Docs: Clarify Aspect Order defaults for Spring Boot 3 to prevent metric inflation by @​GarimaBokdia in #​2387
• Add support for Spring Boot 4 / Spring Cloud 5 by @​gavlyukovskiy in #​2384
• TimeLimiter, take success path when completing without error by @​TheFrogAndy in #​2374
• Add back OSGi meta data with bnd builder plugin by @​chrisrueger in #​2385
• Issue #​536: Added best practices documentation for instance management by @​fajrizulfikar in #​2389
• Allow to mock nanoTime in RateLimiter by @​strokyl in #​2356
• fix #​2397: compile SPEL regex'es only once by @​stokpop in #​2398
• Update publishing to use new Sonatype urls and add release workflow by @​gavlyukovskiy in #​2393
• Issue #​1450: Fixed Grafana dashboard metric query for call rate panel by @​fajrizulfikar in #​2391
• Issue #​1448: Fixed Duration property binding in Spring Boot 2 by @​fajrizulfikar in #​2390
• Fix #​2327: Correct @​see tag usage in CircuitBreakerConfig Javadoc by @​chanani in #​2400
• Issue #​2368: Fix Retry retryOnResult interrupt handling: throw CancellationException instead of NPE by @​platanus-kr in #​2392
• Fix typo in Spring aspect docs by @​gukin-han in #​2399
• [GH-2354] Remove kotlin-stdlib from resilience4j-core by @​josalmi in #​2359
• Added CheckedSupplierUtils and deprecated CheckedFunctionUtils by @​matsev in #​2313
• Use correct constant for initializing CircuitBreakerConfig.Builder.waitIntervalFunctionInOpenState by @​obecker in #​2402
• Added bulkhead name to BulkheadFullException by @​dominic-miglar in #​2349
• Remove unrelated flaky Clock test from CircuitBreakerEventTest by @​KimDoubleB in #​2409
• Added decorateFunction and executeFunction to TimeLimiter by @​zbnerd in #​2407
• Issue #​2189: Use snapshot reads for actuator event endpoints in Spring Boot 3/4 by @​seokjun7410 in #​2406
• Remove log spam from tests by @​gavlyukovskiy in #​2412
• Set JDK target back to 17 by @​gavlyukovskiy in #​2415
• Fix release workflow: unquoted multi-line GPG key breaks Gradle invocation by @​Copilot in #​2416
• Read env variables from gradle for gpg key by @​gavlyukovskiy in #​2417
• Enable SNAPSHOT artifact signing from master by @​gavlyukovskiy in #​2418
• Remove sign skip on snapshot version by @​gavlyukovskiy in #​2419

New Contributors

• @​agarwalbharat made their first contribution in #​2268
• @​noomkram made their first contribution in #​2270
• @​darkius made their first contribution in #​2291
• @​obecker made their first contribution in #​2286
• @​matsev made their first contribution in #​2284
• @​victorpasqualino made their first contribution in #​2290
• @​kssumin made their first contribution in #​2304
• @​alexey-grigorovich-savvymoney made their first contribution in #​2321
• @​JoranVanBelle made their first contribution in #​2318
• @​doumdoum made their first contribution in #​2329
• @​skowrxn made their first contribution in #​2344
• @​bandalgomsu made their first contribution in #​2358
• @​NiMv1 made their first contribution in #​2386
• @​GarimaBokdia made their first contribution in #​2387
• @​TheFrogAndy made their first contribution in #​2374
• @​chrisrueger made their first contribution in #​2385
• [@​fajrizulfikar](https://redirect.github.com/fajrizulfik

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) in timezone America/Toronto, Automerge - "after 9:00am and before 12:00pm on tuesday, wednesday, thursday" in timezone America/Toronto.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.