fix(deps): update all dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
grafana/grafana		patch	12.3.0 → 12.3.1
prom/prometheus		minor	v3.8.0 → v3.9.1
org.sonatype.central:central-publishing-maven-plugin (source)	build	minor	0.9.0 → 0.10.0
org.junit.jupiter:junit-jupiter (source)	test	patch	6.0.1 → 6.0.2
org.apache.httpcomponents.client5:httpclient5 (source)	compile	minor	5.5.1 → 5.6
org.testcontainers:testcontainers-postgresql (source)	test	patch	2.0.2 → 2.0.3
org.testcontainers:testcontainers (source)	test	patch	2.0.2 → 2.0.3
org.testcontainers:testcontainers-junit-jupiter (source)	test	patch	2.0.2 → 2.0.3
org.springdoc:springdoc-openapi-starter-webmvc-ui (source)	compile	patch	2.8.14 → 2.8.15
org.flywaydb:flyway-database-postgresql (source)	compile	minor	11.19.0 → 11.20.0
org.flywaydb:flyway-core (source)	compile	minor	11.19.0 → 11.20.0
org.jsoup:jsoup (source)	compile	minor	1.21.2 → 1.22.1
org.jsoup:jsoup (source)	test	minor	1.21.2 → 1.22.1
org.springframework.boot:spring-boot-starter-parent (source)	parent	patch	3.5.8 → 3.5.9

---

Release Notes

grafana/grafana (grafana/grafana)

v12.3.1

Compare Source

Features and enhancements

• Alerting: Update alerting dependency #​114259, @​moustafab
• Azure: Improved column handling in logs query builder #​114841, @​aangelisc
• Azure: Include aggregate columns in logs builder #​114835, @​aangelisc
• Dependencies: Bump Go to v1.25.5 #​114751, @​macabu
• Docs: Clarify section title for repeating rows and tabs #​115346, @​imatwawana
• Plugins: Add PluginContext to plugins when scenes is disabled #​115064, @​hugohaggmark
• QueryEditorRows: Clear hideSeriesFrom override on query edit #​114628, @​Sergej-Vlasov

Bug fixes

• Azure: Fix dcount aggregation #​114907, @​aangelisc
• Azure: Fix percentile syntax #​114707, @​aangelisc
• Dashboards: Fix empty space under time controls when a dashboard has a lot of variables #​114730, @​oscarkilhed
• Plugins: Datasource breadcrumb link should link to settings tab #​113910, @​wbrowne
• Postgresql: Fix variable interpolation logic when the variable has multiple values #​114876, @​itsmylife

prometheus/prometheus (prom/prometheus)

v3.9.1

Compare Source

v3.9.0

Compare Source

v3.8.1: 3.8.1 / 2025-12-16

Compare Source

• [BUGFIX] remote: Fix Remote Write receiver, so it does not send wrong response headers for v1 flow and cause Prometheus senders to emit false partial error log and metrics. #​17683

apache/httpcomponents-client (org.apache.httpcomponents.client5:httpclient5)

v5.6

This is the first ALPHA release in the 5.6 release series. It adds several features
such as transport content decompression and content compression for the async transport,
support for Unix sockets, experimental support for SCRAM-SHA-256 authentication scheme,
and Micrometer/OTel observations & metrics.

Commons Compress, Brotli codec, and ZStd codec are optional dependencies and get
wired into the execution pipeline only if present on the classpath.

Notable changes and features included in the 5.6 series:

• Unix domain socket support.

• Support for pluggable content codecs via Commons-Compress in the classic transport.
  (optional).

• Support for transparent content decompression and content compression with deflate,
  gzip, zstd (optional), and brotli (optional) codecs in the async transport.

• Micrometer/OTel observations & metrics (optinal).

• Off-lock connection disposal by the classic pooling connection manager. Experimental.

• SCRAM-SHA-256 authentication scheme (RFC 7804). Experimental.

• Request Priority support (RFC 9218). Experimental.

Compatibility notes:

• As of this version, HttpClient uses BUILTIN HostnameVerificationPolicy by default, delegating
  host verification to JSSE security manager. One must explicitly configure the TLS strategy
  to continue using the hostname verifier shipped with HttpClient.

• Five-second TCP keep-alive is now enabled by default.

testcontainers/testcontainers-java (org.testcontainers:testcontainers-postgresql)

v2.0.3

Compare Source

What's Changed

• Update questdb/questdb image version to 9.2.2 (#​11347) @​eddumelendez
• Fix GitHub-Action Generate PR descriptions (#​11129) @​JackPGreen
• Update testcontainers version to ${GITHUB_REF##*/} (#​11220) @​github-actions[bot]
• Update docs version to ${GITHUB_REF##*/} (#​11221) @​github-actions[bot]

🐛 Bug Fixes

• Fix compatibility with older Docker Engines by falling back to v1.32 (#​11346) @​eddumelendez

📖 Documentation

• Dead links in CircleCI reference documentation (#​10789) @​JohnWill14

📦 Dependency updates

7 changes

• Combined dependencies PR (#​11353) @​eddumelendez
• Combined dependencies PR (#​11352) @​eddumelendez
• Combined dependencies PR (#​11341) @​eddumelendez
• Combined dependencies PR (#​11334) @​eddumelendez
• Combined dependencies PR (#​11333) @​eddumelendez
• Combined dependencies PR (#​11332) @​eddumelendez
• Combined dependencies PR (#​11323) @​eddumelendez

springdoc/springdoc-openapi (org.springdoc:springdoc-openapi-starter-webmvc-ui)

v2.8.15

Compare Source

Added

• #​3122 – Add log notifications when SpringDocs / Scalar are enabled by default
• #​3123 – Add support for serving static resources
• #​3151 – Add @Order to ApplicationReadyEvent listener
• #​3158 – Add support for API groups in Scalar
• #​3187 – Add Scalar WebMVC and WebFlux support
• #​3185 – Disable creation of blank GitHub issues (GitHub settings & workflow)
• #​3186 – Decouple Web Server APIs following Spring Boot modularization
• #​3131 - Improve warning messages when documentation is explicitly enabled
• #​3183 - Remove unused operations consumer from route builder methods
• #​3141 - Change handling so useReturnTypeSchema is evaluated at HTTP status code level instead of method level

Changed

• Upgrade Spring Boot to version 3.5.9
• Upgrade swagger-core to version 2.2.41
• Upgrade swagger-ui to version 5.31.0
• Upgrade Scalar to version 0.4.3

Fixed

• #​3133 – Fix regression where content type from Swagger @RequestBody did not take precedence
• #​3146 – Fix WebJar resource handler mappings for Swagger UI resources
• #​3168 – Support @Schema annotations on Kotlin value classes
• #​3178 – Fix regression when generating documentation for Kotlin LinkedHashSet
• #​3170 – Fix warnings when setting title and description in application.yml
• #​3187 – Add scalar scalar-webmvc and scalar-webflux support

flyway/flyway (org.flywaydb:flyway-database-postgresql)

v11.20.0: Flyway 11.20.0

See release notes here

v11.19.1: Flyway 11.19.1

See release notes here

jhy/jsoup (org.jsoup:jsoup)

v1.22.1

Improvements

• Added support for using the re2j regular expression engine for regex-based CSS selectors (e.g. [attr~=regex], :matches(regex)), which ensures linear-time performance for regex evaluation. This allows safer handling of arbitrary user-supplied query regexes. To enable, add the com.google.re2j dependency to your classpath, e.g.:

  <dependency>
    <groupId>com.google.re2j</groupId>
    <artifactId>re2j</artifactId>
    <version>1.8</version>
  </dependency>

(If you already have that dependency in your classpath, but you want to keep using the Java regex engine, you can disable re2j via System.setProperty("jsoup.useRe2j", "false").) You can confirm that the re2j engine has been enabled correctly by calling org.jsoup.helper.Regex.usingRe2j(). #​2407

• Added an instance method Parser#unescape(String, boolean) that unescapes HTML entities using the parser's configuration (e.g. to support error tracking), complementing the existing static utility Parser.unescapeEntities(String, boolean). #​2396
• Added a configurable maximum parser depth (to limit the number of open elements on stack) to both HTML and XML parsers. The HTML parser now defaults to a depth of 512 to match browser behavior, and protect against unbounded stack growth, while the XML parser keeps unlimited depth by default, but can opt into a limit via org.jsoup.parser.Parser#setMaxDepth. #​2421
• Build: added CI coverage for JDK 25 #​2403
• Build: added a CI fuzzer for contextual fragment parsing (in addition to existing full body HTML and XML fuzzers). oss-fuzz #​14041

Changes

• Set a removal schedule of jsoup 1.24.1 for previously deprecated APIs.

Bug Fixes

• Previously cached child Elements of an Element were not correctly invalidated in Node#replaceWith(Node), which could lead to incorrect results when subsequently calling Element#children(). #​2391
• Attribute selector values are now compared literally without trimming. Previously, jsoup trimmed whitespace from selector values and from element attribute values, which could cause mismatches with browser behavior (e.g. [attr=" foo "]). Now matches align with the CSS specification and browser engines. #​2380
• When using the JDK HttpClient, any system default proxy (ProxySelector.getDefault()) was ignored. Now, the system proxy is used if a per-request proxy is not set. #​2388, #​2390
• A ValidationException could be thrown in the adoption agency algorithm with particularly broken input. Now logged as a parse error. #​2393
• Null characters in the HTML body were not consistently removed; and in foreign content were not correctly replaced. #​2395
• An IndexOutOfBoundsException could be thrown when parsing a body fragment with crafted input. Now logged as a parse error. #​2397, #​2406
• When using StructuralEvaluators (e.g., a parent child selector) across many retained threads, their memoized results could also be retained, increasing memory use. These results are now cleared immediately after use, reducing overall memory consumption. #​2411
• Cloning a Parser now preserves any custom TagSet applied to the parser. #​2422, #​2423
• Custom tags marked as Tag.Void now parse and serialize like the built-in void elements: they no longer consume following content, and the XML serializer emits the expected self-closing form. #​2425
• The <br> element is once again classified as an inline tag (Tag.isBlock() == false), matching common developer expectations and its role as phrasing content in HTML, while pretty-printing and text extraction continue to treat it as a line break in the rendered output. #​2387, #​2439
• Fixed an intermittent truncation issue when fetching and parsing remote documents via Jsoup.connect(url).get(). On responses without a charset header, the initial charset sniff could sometimes (depending on buffering / available() behavior) be mistaken for end-of-stream and a partial parse reused, dropping trailing content. #​2448
• TagSet copies no longer mutate their template during lazy lookups, preventing cross-thread ConcurrentModificationException when parsing with shared sessions. #​2453
• Fixed parsing of <svg> foreignObject content nested within a <p>, which could incorrectly move the HTML subtree outside the SVG. #​2452

Internal Changes

• Deprecated internal helper org.jsoup.internal.Functions (for removal in v1.23.1). This was previously used to support older Android API levels without full java.util.function coverage; jsoup now requires core library desugaring so this indirection is no longer necessary. #​2412

spring-projects/spring-boot (org.springframework.boot:spring-boot-starter-parent)

v3.5.9

Compare Source

---

Configuration

📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.