INRIA / spoon

Spoon is a metaprogramming library to analyze and transform Java source code. :spoon: is made with :heart:, :beers: and :sparkles:. It parses source files to build a well-designed AST with powerful analysis and transformation API.
http://spoon.gforge.inria.fr/

Dependency Dashboard #4143

Open renovate[bot] opened 3 years ago

renovate[bot] commented 3 years ago

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

[!WARNING] These dependencies are deprecated:

| Datasource | Name | Replacement PR? |
|---|---|---|
| npm | request | Unavailable |

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

dockerfile
doc/jenkins/Dockerfile - `stackbrew/ubuntu 16.04@sha256:cd39646de5628c8188396c506fdc76dd94c7652a82439cc4318cfc05cc93fbb7`
github-actions
.github/actions/setup-tests/action.yml - `DeterminateSystems/nix-installer-action v13@ab6bcb2d5af0e904d04aea750e2089e9dc4cbfdd` - `DeterminateSystems/magic-nix-cache-action v7@b46e247b898aa56e6d2d2e728dc6df6c84fdb738` - `DeterminateSystems/flake-checker-action v8@ae43dea95bc73541287cfd10e2dee994d1877291` - `actions/cache v4.0.2@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9`
.github/workflows/jreleaser.yml - `actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332` - `actions/upload-artifact v4@50769540e7f4bd5e21e526ee35c689e35e0d6874`
.github/workflows/qodana.yml - `actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332` - `JetBrains/qodana-action v2023.3.2@a040a784cc28cb9cabdf884c4e8c32d0aa3fcdb3` - `github/codeql-action v3@4dd16135b69a43b6c8efb853346f8437d92d3c93` - `actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332` - `JetBrains/qodana-action v2023.3.2@a040a784cc28cb9cabdf884c4e8c32d0aa3fcdb3` - `github/codeql-action v3@4dd16135b69a43b6c8efb853346f8437d92d3c93` - `actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332` - `JetBrains/qodana-action v2023.3.2@a040a784cc28cb9cabdf884c4e8c32d0aa3fcdb3` - `github/codeql-action v3@4dd16135b69a43b6c8efb853346f8437d92d3c93`
.github/workflows/sbom.yml - `actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332` - `actions/setup-java v4.2.2@6a0805fcefea3d4657a47ac4c165951e33482018` - `actions/cache v4.0.2@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9` - `slsa-framework/github-actions-demo v0.1@9474e92bbf825d5b4b46810fc9367dfc73429a2a`
.github/workflows/scorecards.yml - `step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde` - `actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332` - `ossf/scorecard-action v2.4.0@62b2cac7ed8198b15735ed49ab1e5cf35480ba46` - `actions/upload-artifact v4.4.0@50769540e7f4bd5e21e526ee35c689e35e0d6874` - `github/codeql-action v3.26.6@4dd16135b69a43b6c8efb853346f8437d92d3c93`
.github/workflows/tests.yml - `actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332` - `actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332` - `actions/setup-java v4@6a0805fcefea3d4657a47ac4c165951e33482018` - `actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332` - `actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332` - `actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332` - `actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332` - `actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332` - `actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332`
gradle
spoon-dataflow/settings.gradle
spoon-dataflow/build.gradle - `se.patrikerdes.use-latest-versions 0.2.18` - `com.github.ben-manes.versions 0.51.0` - `com.github.johnrengelman.shadow 8.1.1` - `commons-cli:commons-cli 1.9.0` - `tools.aqua:z3-turnkey 4.13.0` - `org.junit.jupiter:junit-jupiter 5.11.0`
gradle-wrapper
spoon-dataflow/gradle/wrapper/gradle-wrapper.properties - `gradle 8.10.1`
html
doc/_includes/head.html - `jquery 3.7.1` - `jquery-cookie 1.4.1`
maven
pom.xml - `org.eclipse.jdt:org.eclipse.jdt.core 3.38.0` - `com.martiansoftware:jsap 2.1` - `org.slf4j:slf4j-api 1.7.36` - `commons-io:commons-io 2.16.1` - `org.apache.commons:commons-lang3 3.17.0` - `org.tukaani:xz 1.10` - `com.fasterxml.jackson.core:jackson-databind 2.17.2` - `org.apache.commons:commons-compress 1.27.1` - `org.jspecify:jspecify 1.0.0` - `org.assertj:assertj-core 3.26.3` - `com.google.guava:guava 33.3.0-jre` - `ch.qos.logback:logback-classic 1.5.8` - `com.mysema.querydsl:querydsl-core 3.7.4` - `org.apache.maven.shared:maven-invoker 3.3.0` - `javax.validation:validation-api 2.0.1.Final` - `uk.org.lidalia:slf4j-test 1.2.0` - `org.kohsuke.metainf-services:metainf-services 1.11` - `org.apache.maven.plugins:maven-checkstyle-plugin 3.4.0` - `com.diffplug.spotless:spotless-maven-plugin 2.43.0`
spoon-control-flow/pom.xml - `org.apache.maven.plugins:maven-checkstyle-plugin 3.4.0` - `fr.inria.gforge.spoon:spoon-core 11.1.0` - `org.jgrapht:jgrapht-core 0.9.2` - `junit:junit 4.13.2`
spoon-decompiler/pom.xml - `fr.inria.gforge.spoon:spoon-core 11.1.0` - `org.jboss.windup.decompiler.fernflower:fernflower 2.5.0.Final` - `org.bitbucket.mstrobel:procyon-compilertools 0.6.0` - `org.benf:cfr 0.152` - `org.apache.maven.plugins:maven-checkstyle-plugin 3.4.0`
spoon-javadoc/pom.xml - `org.assertj:assertj-core 3.26.3`
spoon-pom/pom.xml - `org.mockito:mockito-core 5.13.0` - `org.junit.jupiter:junit-jupiter-engine 5.11.0` - `org.junit.jupiter:junit-jupiter-params 5.11.0` - `org.junit.platform:junit-platform-launcher 1.11.0` - `org.mockito:mockito-junit-jupiter 5.13.0` - `org.hamcrest:hamcrest 3.0` - `org.assertj:assertj-core 3.26.3` - `org.apache.maven.plugins:maven-jar-plugin 3.4.2` - `org.kohsuke.metainf-services:metainf-services 1.11` - `se.kth.castor:depclean-maven-plugin 2.0.6` - `org.apache.maven.plugins:maven-antrun-plugin 3.1.0` - `org.apache.maven.plugins:maven-assembly-plugin 3.7.1` - `org.apache.maven.plugins:maven-clean-plugin 3.4.0` - `org.apache.maven.plugins:maven-compiler-plugin 3.13.0` - `org.apache.maven.plugins:maven-dependency-plugin 3.8.0` - `org.apache.maven.plugins:maven-deploy-plugin 3.1.3` - `org.apache.maven.plugins:maven-install-plugin 3.1.3` - `org.apache.maven.plugins:maven-javadoc-plugin 3.10.0` - `org.apache.maven.plugins:maven-project-info-reports-plugin 3.6.2` - `org.apache.maven.plugins:maven-release-plugin 3.1.1` - `org.apache.maven.plugins:maven-resources-plugin 3.3.1` - `org.apache.maven.plugins:maven-site-plugin 3.12.1` - `org.apache.maven.plugins:maven-surefire-plugin 3.5.0` - `com.mycila:license-maven-plugin 4.5` - `org.jacoco:jacoco-maven-plugin 0.8.12` - `org.eluder.coveralls:coveralls-maven-plugin 4.3.0` - `javax.xml.bind:jaxb-api 2.3.1` - `org.sonatype.plugins:nexus-staging-maven-plugin 1.7.0` - `org.apache.maven.wagon:wagon-ssh 3.5.3` - `org.apache.maven.plugins:maven-source-plugin 3.3.1` - `org.apache.maven.plugins:maven-gpg-plugin 3.2.5` - `org.apache.maven.plugins:maven-deploy-plugin 3.1.3` - `org.apache.maven.plugins:maven-source-plugin 3.3.1` - `org.apache.maven.plugins:maven-deploy-plugin 3.1.3` - `org.jacoco:jacoco-maven-plugin 0.8.12`
spoon-smpl/pom.xml - `org.apache.maven.plugins:maven-checkstyle-plugin 3.4.0` - `fr.inria.gforge.spoon:spoon-core 11.1.0` - `fr.inria.gforge.spoon:spoon-control-flow 0.0.2-SNAPSHOT`
spoon-visualisation/pom.xml - `org.apache.maven.plugins:maven-shade-plugin 3.6.0` - `org.openjfx:javafx-maven-plugin 0.0.8` - `io.github.interacto:interacto-javafx 4.3.1` - `fr.inria.gforge.spoon:spoon-core 11.1.0` - `org.openjfx:javafx-base 24-ea+5` - `org.openjfx:javafx-graphics 24-ea+5` - `org.openjfx:javafx-controls 24-ea+5` - `org.openjfx:javafx-fxml 24-ea+5` - `org.jetbrains:annotations 24.1.0` - `org.junit.jupiter:junit-jupiter-engine 5.11.0` - `org.testfx:testfx-junit5 4.0.18` - `org.testfx:openjfx-monocle 21.0.2`
nix
flake.nix - `nixpkgs nixos-unstable`
npm
doc/_release/changelog_generator/package.json - `git-log-parser ^1.2.0` - `request ^2.72.0` - `through2 ^4.0.0`

monperrus commented 3 years ago

@cesarsotovalero this PR shows a new cool feature of @renovate-bot

MartinWitt commented 2 years ago

We may use this issue for discussion about blocked dependency updates. @I-Al-Istannen had a fun debugging session for this problem (https://github.com/INRIA/spoon/pull/4699#issuecomment-1152383529) and it seems like we need a newer version of maven-project-info plugin. The update was closed unmerged a while ago. Was there any concern with the new version, or can we update it?

slarse commented 2 years ago

> The update was closed unmerged a while ago.

Which update? Linkety link?

I-Al-Istannen commented 2 years ago

I assume https://github.com/INRIA/spoon/pull/4456. I think we should explicitly list the default plugins (like maven-site-plugin) we rely on, so renovate can update them too. It seems to have missed the site plugin update, as it is not declared anywhere? Once we update the site plugin, we can update the javadoc plugin and probably also the report plugin without further breakage.

slarse commented 2 years ago

> I think we should explicitly list the default plugins (like maven-site-plugin)

Agreed. This is best practice AFAIK.

slarse commented 1 year ago

@MartinWitt There are some dependency lookup errors. Maybe that's causing trouble? I also don't see why it would and there's nothing I can find in the docs about it, but eh, it's something.

MartinWitt commented 1 year ago

Okay, I believe the branch protection was the problem. I will investigate this further and try to enable it. The UI is a bit confusing because we somehow have 2 ways now to do the same. GitHub rules and branch protection.

Currently, the master is not protected, so please don't test the branch protection and try to push to master.

MartinWitt commented 1 year ago

To keep the conversation about dependencies and renovate focused, let's use this issue for this topic. As the configuration is new for us, there will still be some changes needed.

https://github.com/INRIA/spoon/pull/5180 we currently don't automerge pinning of hashes. Anyone against enabling it?

slarse commented 1 year ago

Dependency pinning is good, I vote for automerge.

monperrus commented 1 year ago

me too.

MartinWitt commented 1 year ago

Current unmerged dependency updates

Looks, we finally have the dependencies back in our control.

monperrus commented 1 year ago

About the last lookup problem, I've asked at https://github.com/renovatebot/renovate/issues/6894#issuecomment-1537044261

monperrus commented 1 year ago

no more dependency lookup problem thanks to https://github.com/SpoonLabs/spoon-dependencies/commit/4b8a7afad36643502aa2fd1f02111c2cda760aed