Update Mend: high confidence minor and patch dependency updates

[mend-for-gb.xjqchip.workers.dev]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
net.sf.ehcache:ehcache (source)	2.10.4 -> 2.10.9.2
commons-io:commons-io (source)	2.5 -> 2.19.0
net.minidev:json-smart (source)	2.5.1 -> 2.5.2
com.nimbusds:nimbus-jose-jwt	9.37.3 -> 9.48
org.slf4j:slf4j-api (source, changelog)	1.7.25 -> 1.7.36
joda-time:joda-time (source)	2.10.10 -> 2.14.0
com.google.guava:guava	32.0.1-jre -> 32.1.3-jre
com.google.code.gson:gson	2.11.0 -> 2.13.1
com.google.protobuf:protobuf-java (source)	4.27.0 -> 4.31.1
org.ow2.asm:asm (source)	9.3 -> 9.8
javax.xml.bind:jaxb-api	2.2.2 -> 2.3.1
net.minidev:json-smart (source)	2.5.0 -> 2.5.2
com.github.javaparser:javaparser-core (source)	3.18.0 -> 3.26.4
io.dropwizard.metrics:metrics-core (source)	4.1.4 -> 4.2.32
io.grpc:grpc-context	1.49.2 -> 1.73.0
commons-cli:commons-cli (source)	1.2 -> 1.9.0
org.xmlunit:xmlunit-core (source)	2.8.2 -> 2.10.2
com.github.tomakehurst:wiremock-jre8-standalone (source)	2.23.2 -> 2.35.2
io.projectreactor:reactor-core	3.4.38 -> 3.7.6
org.yaml:snakeyaml	2.0 -> 2.4
com.google.http-client:google-http-client-jackson2	1.42.3 -> 1.47.0
org.hdrhistogram:HdrHistogram (source)	2.1.9 -> 2.2.2
org.reflections:reflections	0.9.12 -> 0.10.2
org.apache.maven:maven-model	3.6.2 -> 3.9.9
org.apache.commons:commons-lang3 (source)	3.14.0 -> 3.17.0
org.apache.commons:commons-compress (source)	1.26.1 -> 1.27.1
com.google.auth:google-auth-library-oauth2-http	1.11.0 -> 1.36.0
org.apache.commons:commons-collections4 (source)	4.4 -> 4.5.0
com.unboundid:unboundid-ldapsdk	6.0.3 -> 6.0.11
joda-time:joda-time (source)	2.10.14 -> 2.14.0
org.apache.commons:commons-lang3 (source)	3.11 -> 3.17.0
commons-io:commons-io (source)	2.8.0 -> 2.19.0
com.sun.xml.bind:jaxb-impl (source)	2.2.3-1 -> 2.3.9
com.google.code.gson:gson	2.10 -> 2.13.1
net.java.dev.jna:jna	5.10.0 -> 5.17.0
javax.mail:mail (source)	1.4.5 -> 1.4.7
com.microsoft.azure:msal4j	1.16.2 -> 1.20.1
commons-io:commons-io (source)	2.15.1 -> 2.19.0
io.grpc:grpc-context	1.27.2 -> 1.73.0
org.slf4j:slf4j-nop (source, changelog)	2.0.10 -> 2.0.17
org.slf4j:jcl-over-slf4j (source, changelog)	2.0.10 -> 2.0.17
commons-codec:commons-codec (source)	1.16.1 -> 1.18.0
com.sun.activation:jakarta.activation	1.2.1 -> 1.2.2
org.apache.poi:poi-ooxml	5.2.5 -> 5.4.1
org.apache.pdfbox:pdfbox (source)	2.0.31 -> 2.0.34
com.azure:azure-storage-blob	12.27.1 -> 12.30.0
org.apache.tika:tika-parser-text-module (source)	2.9.2 -> 2.9.4
org.skyscreamer:jsonassert	1.5.0 -> 1.5.3
com.azure:azure-identity	1.13.2 -> 1.16.1
com.maxmind.geoip2:geoip2 (source)	4.2.0 -> 4.3.1
com.azure:azure-core	1.51.0 -> 1.55.3
org.ow2.asm:asm (source)	9.7 -> 9.8
com.google.cloud:google-cloud-storage	2.13.1 -> 2.52.3
gradle.plugin.org.jetbrains.gradle.plugin.idea-ext:gradle-idea-ext	1.1.4 -> 1.1.10
com.github.spullara.mustache.java:compiler	0.9.10 -> 0.9.14
org.apache.httpcomponents:httpcore	4.4.12 -> 4.4.16
org.fusesource.jansi:jansi (source)	2.4.0 -> 2.4.2
org.checkerframework:checker-qual (source)	3.42.0 -> 3.49.3
commons-io:commons-io (source)	2.2 -> 2.19.0
com.fasterxml.jackson.core:jackson-core	2.17.2 -> 2.19.0
commons-codec:commons-codec (source)	1.11 -> 1.18.0
com.gradle.develocity	3.17.4 -> 3.19.2
net.bytebuddy:byte-buddy	1.14.12 -> 1.17.5
org.apache.ant:ant (source)	1.10.12 -> 1.10.15
com.fasterxml.jackson.core:jackson-databind (source)	2.15.0 -> 2.19.0
com.fasterxml.jackson.core:jackson-core	2.15.0 -> 2.19.0
org.ow2.asm:asm (source)	9.6 -> 9.8

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

netplex/json-smart-v2 (net.minidev:json-smart)

v2.5.2

Compare Source

About CVE-2024-57699

Thanks for @​ccudennec-otto Some remarks on the CVE, more discussions in #​236

• as mentioned here it is quite unlikely that the vulnerability is exploited if you come here because of Spring Security / com.nimbusds:oauth2-oidc-sdk
• the code changes for the upcoming release will "only" fix the default modes provided by JSONParser, e.g. MODE_RFC4627
• if you create the JSONParser manually / with custom options, make sure you set option LIMIT_JSON_DEPTH
  • since that's what "connect2id" is doing in their library, they were responsible for fixing it. They've already provided a new 11.x release that fixes the JSONParser setup on their side, i.e. you rather need their fixed version and not version 2.5.2 of json-smart
  • as stated here, they would also need to backport the fix to the versions that Spring Security needs IMHO

What's Changed

• fix CVE-2024-57699 for predefined parsers by @​ccudennec-otto in https://github.com/netplex/json-smart-v2/pull/233
• update maintainer github id and email by @​hezhangjian in https://github.com/netplex/json-smart-v2/pull/234
• Bump org.apache.maven.plugins:maven-source-plugin from 3.3.0 to 3.3.1 in /json-smart-action by @​dependabot in https://github.com/netplex/json-smart-v2/pull/189
• Bump org.apache.maven.plugins:maven-gpg-plugin from 3.1.0 to 3.2.4 in /json-smart-action by @​dependabot in https://github.com/netplex/json-smart-v2/pull/190
• Bump org.apache.maven.plugins:maven-jar-plugin from 3.3.0 to 3.4.1 in /json-smart-action by @​dependabot in https://github.com/netplex/json-smart-v2/pull/191
• Bump org.apache.maven.plugins:maven-gpg-plugin from 3.1.0 to 3.2.4 in /json-smart by @​dependabot in https://github.com/netplex/json-smart-v2/pull/194
• Bump org.apache.maven.plugins:maven-jar-plugin from 3.3.0 to 3.4.1 in /json-smart by @​dependabot in https://github.com/netplex/json-smart-v2/pull/193
• Bump org.apache.maven.plugins:maven-source-plugin from 3.3.0 to 3.3.1 in /json-smart by @​dependabot in https://github.com/netplex/json-smart-v2/pull/192
• Bump org.apache.maven.plugins:maven-compiler-plugin from 3.12.1 to 3.13.0 in /json-smart by @​dependabot in https://github.com/netplex/json-smart-v2/pull/188
• Bump org.apache.maven.plugins:maven-compiler-plugin from 3.12.1 to 3.13.0 in /json-smart-action by @​dependabot in https://github.com/netplex/json-smart-v2/pull/185
• Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.6.3 to 3.7.0 in /json-smart-action by @​dependabot in https://github.com/netplex/json-smart-v2/pull/196
• Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.6.3 to 3.7.0 in /json-smart by @​dependabot in https://github.com/netplex/json-smart-v2/pull/197
• Bump org.apache.maven.p

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box