Bump the all-maven-dependencies group across 2 directories with 1 update

[dependabot]

Bumps the all-maven-dependencies group with 1 update in the / directory: com.sap.cloud.security:java-bom.
Bumps the all-maven-dependencies group with 1 update in the /srv directory: com.sap.cloud.security:java-bom.

Updates com.sap.cloud.security:java-bom from 3.7.2 to 3.7.3

Release notes

Sourced from com.sap.cloud.security:java-bom's releases.

3.7.3

Dependency upgrades

• Bump org.springframework.boot:spring-boot from 3.5.9 to 3.5.14
• Bump org.springframework:spring-core from 6.2.15 to 6.2.18
• Bump org.springframework.security from 6.5.7 to 6.5.10
• Bump org.eclipse.jetty:jetty-bom from 12.1.7 to 12.1.9
• Bump io.projectreactor:reactor-core from 3.8.3 to 3.8.5
• Bump org.apache.logging.log4j from 2.25.3 to 2.25.4
• Bump org.slf4j:slf4j-api from 2.0.17 to 2.0.18
• Bump org.apache.httpcomponents.client5:httpclient5 from 5.6 to 5.6.1
• Bump com.github.ben-manes.caffeine:caffeine from 3.2.0 to 3.2.4
• Bump commons-io:commons-io from 2.21.0 to 2.22.0
• Bump org.mockito:mockito-core from 5.22.0 to 5.23.0
• Bump com.github.spotbugs:spotbugs-maven-plugin from 4.9.8.1 to 4.9.8.3
• Bump com.sap.cloud.environment.servicebinding:java-bom from 0.21.0 to 0.31.0

Changelog

Sourced from com.sap.cloud.security:java-bom's changelog.

Change Log

All notable changes to this project will be documented in this file.

4.0.6

• Update dependencies to address known vulnerabilities:
  • Spring Boot (legacy 3.x modules): 3.5.9 → 3.5.14
  • Spring Framework (legacy 3.x modules): 6.2.15 → 6.2.18
  • Spring Security (legacy 3.x modules): 6.5.7 → 6.5.10
  • Caffeine: 3.2.0 → 3.2.4
  • SpotBugs Maven Plugin: 4.9.8.2 → 4.9.8.3

4.0.5

• Restore deprecated HttpClientFactory.services field and ServiceLoader-based factory discovery for backward compatibility

  • Custom HttpClientFactory implementations registered via META-INF/services are discovered again
  • A deprecation warning is logged when a custom factory is used, guiding users to migrate to SecurityHttpClientFactory with SecurityHttpClientProvider
  • Token services with default (no-arg) constructors continue to use the new SecurityHttpClientProvider internally

• Fix multi-tenant IAS token exchange by adding app_tid parameter to the token exchange request in DefaultIdTokenExtension

  • In multi-tenant applications, IAS requires app_tid in addition to client_id to uniquely identify the application
  • The app_tid is extracted from the incoming access token and included when present

4.0.4

• Improve domain validation handling in JwtValidatorBuilder for IAS tokens

4.0.3

• Fix multi-tenant IAS token exchange to use token issuer URL instead of provider IAS URL from configuration in DefaultIdTokenExtension

4.0.2

• Fix token exchange credential handling to use getClientIdentity() instead of manually checking for certificate vs client secret
• Add IAS certificate properties (certificate, key, credential-type, certurl) to IdentityServicesPropertySourceFactory to properly map X.509 credentials for IAS service bindings

4.0.1

• Fix IAS token exchange to use getUrl() instead of getCertUrl() in DefaultIdTokenExtension

4.0.0 - Major Release

This is a major release with breaking changes. The library has been upgraded to Spring Boot 4.x and Jakarta EE 10. For applications still on Spring Boot 3.x, compatibility modules are provided. Please check the 4.0 Migration Guide for comprehensive upgrade instructions

⚠️ BREAKING CHANGES

Spring Boot and Jakarta EE Version Upgrades

• Spring Boot: Upgraded from 3.x to 4.0.3
• Spring Framework: Upgraded from 6.x to 7.0.5

... (truncated)

Commits

• 7e719cf chore: Release 3.7.3 (#1959)
• See full diff in compare view

Updates com.sap.cloud.security:java-bom from 3.7.2 to 3.7.3

Release notes

Sourced from com.sap.cloud.security:java-bom's releases.

3.7.3

Dependency upgrades

• Bump org.springframework.boot:spring-boot from 3.5.9 to 3.5.14
• Bump org.springframework:spring-core from 6.2.15 to 6.2.18
• Bump org.springframework.security from 6.5.7 to 6.5.10
• Bump org.eclipse.jetty:jetty-bom from 12.1.7 to 12.1.9
• Bump io.projectreactor:reactor-core from 3.8.3 to 3.8.5
• Bump org.apache.logging.log4j from 2.25.3 to 2.25.4
• Bump org.slf4j:slf4j-api from 2.0.17 to 2.0.18
• Bump org.apache.httpcomponents.client5:httpclient5 from 5.6 to 5.6.1
• Bump com.github.ben-manes.caffeine:caffeine from 3.2.0 to 3.2.4
• Bump commons-io:commons-io from 2.21.0 to 2.22.0
• Bump org.mockito:mockito-core from 5.22.0 to 5.23.0
• Bump com.github.spotbugs:spotbugs-maven-plugin from 4.9.8.1 to 4.9.8.3
• Bump com.sap.cloud.environment.servicebinding:java-bom from 0.21.0 to 0.31.0

Changelog

Sourced from com.sap.cloud.security:java-bom's changelog.

Change Log

All notable changes to this project will be documented in this file.

4.0.6

• Update dependencies to address known vulnerabilities:
  • Spring Boot (legacy 3.x modules): 3.5.9 → 3.5.14
  • Spring Framework (legacy 3.x modules): 6.2.15 → 6.2.18
  • Spring Security (legacy 3.x modules): 6.5.7 → 6.5.10
  • Caffeine: 3.2.0 → 3.2.4
  • SpotBugs Maven Plugin: 4.9.8.2 → 4.9.8.3

4.0.5

• Restore deprecated HttpClientFactory.services field and ServiceLoader-based factory discovery for backward compatibility

  • Custom HttpClientFactory implementations registered via META-INF/services are discovered again
  • A deprecation warning is logged when a custom factory is used, guiding users to migrate to SecurityHttpClientFactory with SecurityHttpClientProvider
  • Token services with default (no-arg) constructors continue to use the new SecurityHttpClientProvider internally

• Fix multi-tenant IAS token exchange by adding app_tid parameter to the token exchange request in DefaultIdTokenExtension

  • In multi-tenant applications, IAS requires app_tid in addition to client_id to uniquely identify the application
  • The app_tid is extracted from the incoming access token and included when present

4.0.4

• Improve domain validation handling in JwtValidatorBuilder for IAS tokens

4.0.3

• Fix multi-tenant IAS token exchange to use token issuer URL instead of provider IAS URL from configuration in DefaultIdTokenExtension

4.0.2

• Fix token exchange credential handling to use getClientIdentity() instead of manually checking for certificate vs client secret
• Add IAS certificate properties (certificate, key, credential-type, certurl) to IdentityServicesPropertySourceFactory to properly map X.509 credentials for IAS service bindings

4.0.1

• Fix IAS token exchange to use getUrl() instead of getCertUrl() in DefaultIdTokenExtension

4.0.0 - Major Release

This is a major release with breaking changes. The library has been upgraded to Spring Boot 4.x and Jakarta EE 10. For applications still on Spring Boot 3.x, compatibility modules are provided. Please check the 4.0 Migration Guide for comprehensive upgrade instructions

⚠️ BREAKING CHANGES

Spring Boot and Jakarta EE Version Upgrades

• Spring Boot: Upgraded from 3.x to 4.0.3
• Spring Framework: Upgraded from 6.x to 7.0.5

... (truncated)

Commits

• 7e719cf chore: Release 3.7.3 (#1959)
• See full diff in compare view

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
com.sap.cloud.security:java-bom	[>= 4.a0, < 5]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions