dependabot[bot] opened a new pull request, #673:
URL: https://github.com/apache/creadur-rat/pull/673

   Bumps [com.github.spotbugs:spotbugs-annotations](https://github.com/spotbugs/spotbugs) from 4.9.8 to 4.10.1.
   <details>
   <summary>Release notes</summary>
   <p><em>Sourced from <a href="https://github.com/spotbugs/spotbugs/releases">com.github.spotbugs:spotbugs-annotations's releases</a>.</em></p>
   <blockquote>
   <h2>4.10.1</h2>
   <p>SpotBugs 4.10.1</p>
   <p>Note</p>
   <p>SpotBugs 4.10.0 was superseded by 4.10.1 due to a release issue. Users should use 4.10.1. See the discussion below for additional details:</p>
   <p><a href="https://github.com/spotbugs/spotbugs/discussions/4155">https://github.com/spotbugs/spotbugs/discussions/4155</a></p>
   <h3>CHANGELOG</h3>
   <ul>
   <li><a href="https://github.com/spotbugs/spotbugs/blob/4.10.1/CHANGELOG.md">https://github.com/spotbugs/spotbugs/blob/4.10.1/CHANGELOG.md</a></li>
   </ul>
   <h2>4.10.0</h2>
   <h3>Note: SpotBugs 4.10.0 has been superseded by 4.10.1 due to a release issue. Please use 4.10.1 instead. See <a href="https://github.com/spotbugs/spotbugs/discussions/4155">https://github.com/spotbugs/spotbugs/discussions/4155</a></h3>
   <p>SpotBugs 4.10.0-SNAPSHOT</p>
   <h3>CHANGELOG</h3>
   <h3>Refactor</h3>
   <ul>
   <li>Move internal usage of 'javax.annotation.Nonnull' to 'jakarta.annotation.NonNull'. (<a href="https://redirect.github.com/spotbugs/spotbugs/pull/3858">#3858</a>)</li>
   <li>Move internal usage of 'javax.annotation.Nullable' to 'jakarta.annotation.Nullable'. (<a href="https://redirect.github.com/spotbugs/spotbugs/pull/3861">#3861</a>)</li>
   <li>Renamed methods from <code>edu.umd.cs.findbugs.SwitchHandler</code> to reflect that they return a PC, not an offset (<a href="https://redirect.github.com/spotbugs/spotbugs/pull/3869">#3869</a>)</li>
   <li>Make the progress bar more visually appealing by adding some borders (<a href="https://redirect.github.com/spotbugs/spotbugs/pull/3896">#3896</a>)</li>
   <li>Reuse DismantleBytecode.isIf introduced in (<a href="https://redirect.github.com/spotbugs/spotbugs/pull/3869">#3869</a>)</li>
   </ul>
   <h3>Added</h3>
   <!-- raw HTML omitted -->
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Changelog</summary>
   <p><em>Sourced from <a href="https://github.com/spotbugs/spotbugs/blob/master/CHANGELOG.md">com.github.spotbugs:spotbugs-annotations's changelog</a>.</em></p>
   <blockquote>
   <h2>4.10.1 - 2026-06-08</h2>
   <ul>
   <li>4.10.0 was not released due to a release process error (artifacts were 
built from a -SNAPSHOT version). 4.10.1 is the corrected release and contains 
the intended 4.10.0 contents.</li>
   </ul>
   <h2>4.10.0 - 2026-06-07</h2>
   <h3>Refactor</h3>
   <ul>
   <li>Move internal usage of 'javax.annotation.Nonnull' to 'jakarta.annotation.NonNull'. (<a href="https://redirect.github.com/spotbugs/spotbugs/pull/3858">#3858</a>)</li>
   <li>Move internal usage of 'javax.annotation.Nullable' to 'jakarta.annotation.Nullable'. (<a href="https://redirect.github.com/spotbugs/spotbugs/pull/3861">#3861</a>)</li>
   <li>Renamed methods from <code>edu.umd.cs.findbugs.SwitchHandler</code> to reflect that they return a PC, not an offset (<a href="https://redirect.github.com/spotbugs/spotbugs/pull/3869">#3869</a>)</li>
   <li>Make the progress bar more visually appealing by adding some borders (<a href="https://redirect.github.com/spotbugs/spotbugs/pull/3896">#3896</a>)</li>
   <li>Reuse DismantleBytecode.isIf introduced in (<a href="https://redirect.github.com/spotbugs/spotbugs/pull/3869">#3869</a>)</li>
   </ul>
   <h3>Added</h3>
   <ul>
   <li>Add partial support for <code>org.jspecify.annotations.Nullable</code>, <code>org.jspecify.annotations.NonNull</code>, <code>org.jspecify.annotations.NullUnmarked</code> and <code>org.jspecify.annotations.NullMarked</code> annotations. These are aliased to the closest existing SpotBugs nullness annotations. This is not a complete implementation of the JSpecify spec; scope-level semantics of <code>@NullMarked</code> and <code>@NullUnmarked</code> are not yet supported. (<a href="https://redirect.github.com/spotbugs/spotbugs/pull/3996">#3996</a>)</li>
   <li>Recognize <code>jakarta.annotation.Nonnull</code> and <code>jakarta.annotation.Nullable</code> (<a href="https://redirect.github.com/spotbugs/spotbugs/pull/3780">#3780</a>)</li>
   <li>Detect use of <code>sun.misc.Unsafe</code> and <code>jdk.internal.misc.Unsafe</code> (<a href="https://redirect.github.com/spotbugs/spotbugs/pull/3804">#3804</a>)</li>
   <li>New bug type is introduced: <code>NCR_NOT_PROPERLY_CHECKED_READ</code>. Improper validation of the return value from the read() method in InputStream and Reader classes may result in an array not being fully filled. (<a href="https://redirect.github.com/spotbugs/spotbugs/pull/3766">#3766</a>)</li>
   <li>New detector <code>FindImproperSynchronization</code> and introduced new bug types:
   <ul>
   <li><code>USO_UNSAFE_METHOD_SYNCHRONIZATION</code> is reported when using synchronized methods with the class' accessible intrinsic lock,</li>
   <li><code>USO_UNSAFE_STATIC_METHOD_SYNCHRONIZATION</code> is reported when using static synchronized methods with the class' exposed intrinsic lock,</li>
   <li><code>USO_UNSAFE_OBJECT_SYNCHRONIZATION</code> is reported when the lock used for synchronization is visible from the outside,</li>
   <li><code>USO_UNSAFE_ACCESSIBLE_OBJECT_SYNCHRONIZATION</code> is reported when the lock used for synchronization is made accessible, with methods that update or return the lock, to the outside,</li>
   <li><code>USO_UNSAFE_INHERITABLE_OBJECT_SYNCHRONIZATION</code> is reported when the lock used for synchronization can be altered by subclasses,</li>
   <li><code>USO_UNSAFE_EXPOSED_OBJECT_SYNCHRONIZATION</code> is reported when the lock used for synchronization is later exposed in the subclasses.</li>
   <li><code>USBC_UNSAFE_SYNCHRONIZATION_WITH_BACKING_COLLECTION</code> is reported when the backing collection of a lock is visible from the outside,</li>
   <li><code>USBC_UNSAFE_SYNCHRONIZATION_WITH_ACCESSIBLE_BACKING_COLLECTION</code> is reported when the backing collection of a lock is made accessible, with methods that update or return the lock, to the outside,</li>
   <li><code>USBC_UNSAFE_SYNCHRONIZATION_WITH_INHERITABLE_BACKING_COLLECTION</code> is reported when the backing collection of a lock can be altered by subclasses.
   (See <a href="https://wiki.sei.cmu.edu/confluence/display/java/LCK00-J.+Use+private+final+lock+objects+to+synchronize+classes+that+may+interact+with+untrusted+code">SEI CERT rule LCK00-J</a> and <a href="https://wiki.sei.cmu.edu/confluence/display/java/LCK04-J.+Do+not+synchronize+on+a+collection+view+if+the+backing+collection+is+accessible">SEI CERT rule LCK04-J</a>)</li>
   </ul>
   </li>
   <li>New detector <code>FindIncreasedAccessibilityOfMethods</code> for new bug type <code>IAOM_DO_NOT_INCREASE_METHOD_ACCESSIBILITY</code>. This detector reports a bug if a class increases the accessibility of overridden or hidden methods. (See <a href="https://wiki.sei.cmu.edu/confluence/display/java/MET04-J.+Do+not+increase+the+accessibility+of+overridden+or+hidden+methods">SEI CERT rule MET04-J</a>)</li>
   </ul>
   <h3>Fixed</h3>
   <ul>
   <li>Fix <code>DM_STRING_TOSTRING</code> false negative when <code>toString()</code> is chained before a method call (e.g., <code>s.toString().toLowerCase()</code>); multiple occurrences in the same method are now all reported (<a href="https://redirect.github.com/spotbugs/spotbugs/issues/3966">#3966</a>)</li>
   <li>Stop exposing JUnit BOM as a transitive dependency to consumers (<a href="https://redirect.github.com/spotbugs/spotbugs/issues/3908">#3908</a>)</li>
   <li>Fix incorrect bug counts and sizes when unioning reports (<a href="https://redirect.github.com/spotbugs/spotbugs/issues/3721">#3721</a>)</li>
   <li>Classes containing only methods throwing <code>UnsupportedOperationException</code> with setter-like names are no longer considered as mutable (<a href="https://redirect.github.com/spotbugs/spotbugs/issues/1601">#1601</a>)</li>
   <li>Enhanced SARIF output with full description sections - adding markdown is still an open issue (<a href="https://redirect.github.com/spotbugs/spotbugs/issues/2339">#2339</a>)</li>
   <li>Added missing null check to <code>MultipleInstantiationsOfSingletons</code> detector (<a href="https://redirect.github.com/spotbugs/spotbugs/issues/3823">#3823</a>)</li>
   <li>Fix invalid syntax in findbugsfilter.xsd (<a href="https://redirect.github.com/spotbugs/spotbugs/issues/3832">#3832</a>)</li>
   <li>Fix <code>CT_CONSTRUCTOR_THROW</code> FP with public and private constructors (<a href="https://redirect.github.com/spotbugs/spotbugs/issues/3822">#3822</a>)</li>
   <li>Fix tool name in usage info (<a href="https://redirect.github.com/spotbugs/spotbugs/pull/3847">#3847</a>)</li>
   <li>Fix the building of relative chains of ./././ in filenames in fbp files (<a href="https://redirect.github.com/spotbugs/spotbugs/pull/3852">#3852</a>)</li>
   <li>Fix IllegalArgumentException initializing spotbugs when inside a fat jar on Java 25 (<a href="https://redirect.github.com/spotbugs/spotbugs/pull/3875">#3875</a>)</li>
   <li>Do not report <code>DM_DEFAULT_ENCODING</code> for classes compiled with target &gt;= 18 (<a href="https://redirect.github.com/spotbugs/spotbugs/pull/3866">#3866</a>)</li>
   <li>Fix <code>FS_BAD_DATE_FORMAT_FLAG_COMBO</code> not suppressed by field-level annotation (<a href="https://redirect.github.com/spotbugs/spotbugs/issues/3838">#3838</a>)</li>
   <li>Fix <code>SF_SWITCH_FALLTHROUGH</code> false positives (<a href="https://redirect.github.com/spotbugs/spotbugs/issues/3767">#3767</a>)</li>
   <li>Recognize well-known exception-throwing utility methods when looking for exceptions thrown from constructors (<a href="https://redirect.github.com/spotbugs/spotbugs/issues/3821">#3821</a>)</li>
   <li>Fix <code>RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE</code> false negative when non-null value is on the left side of null comparison (<a href="https://redirect.github.com/spotbugs/spotbugs/issues/3920">#3920</a>)</li>
   <li>Fix <code>IM_BAD_CHECK_FOR_ODD</code> false negative when using Yoda-style comparison (<code>1 == i % 2</code>) (<a href="https://redirect.github.com/spotbugs/spotbugs/issues/3886">#3886</a>)</li>
   <li>Fix <code>PluginLoader.close()</code> to continue closing all <code>URLClassLoader</code>s when one close operation fails, suppressing subsequent <code>IOException</code>s. (<a href="https://redirect.github.com/spotbugs/spotbugs/pull/3958">#3958</a>)</li>
   <li>Fix broken <code>bugDescriptions.html#TYPE</code> links by restoring legacy bug type anchors in generated docs (<a href="https://redirect.github.com/spotbugs/spotbugs/issues/2113">#2113</a>)</li>
   <li>Fix <code>EI_EXPOSE_REP</code> false negative in package-private classes that expose mutable state through methods overriding a public super-type (<a href="https://redirect.github.com/spotbugs/spotbugs/pull/4027">#4027</a>)</li>
   </ul>
   <!-- raw HTML omitted -->
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a href="https://github.com/spotbugs/spotbugs/commit/7460889fe10f3f4820c8dafc893d8a791796e74e"><code>7460889</code></a> release v4.10.1</li>
   <li><a href="https://github.com/spotbugs/spotbugs/commit/f6c459787639dcc6ab9f1ad5a8e482e997e63330"><code>f6c4597</code></a> prepare for next release</li>
   <li><a href="https://github.com/spotbugs/spotbugs/commit/6e64d996fae75e8665eac37219861274a89e7967"><code>6e64d99</code></a> release v4.10.0</li>
   <li><a href="https://github.com/spotbugs/spotbugs/commit/73a6f5946b64fe5ebd0e20bd62e835963d6f61c3"><code>73a6f59</code></a> feat: add partial JSpecify annotations support (from PR <a href="https://redirect.github.com/spotbugs/spotbugs/issues/3142">#3142</a>) (<a href="https://redirect.github.com/spotbugs/spotbugs/issues/3996">#3996</a>)</li>
   <li><a href="https://github.com/spotbugs/spotbugs/commit/85a0cba538ee9a5e7b8f9ba3d38479c63cb5db47"><code>85a0cba</code></a> Add targeted tests for UI launch and class feature transformations (<a href="https://redirect.github.com/spotbugs/spotbugs/issues/4153">#4153</a>)</li>
   <li><a href="https://github.com/spotbugs/spotbugs/commit/3404e1d044073542b944c76a7e760bfc50722e88"><code>3404e1d</code></a> Raise SpotBugs core coverage with focused unit tests for previously untested ...</li>
   <li><a href="https://github.com/spotbugs/spotbugs/commit/654c208e605a93ae7bb1085cd5fff5581a6612f7"><code>654c208</code></a> Add VS Code link to README</li>
   <li><a href="https://github.com/spotbugs/spotbugs/commit/70e5d151644fa56f0731e04df67d07e8d73f7929"><code>70e5d15</code></a> Clarify detector-fix guidance for Copilot agents (<a href="https://redirect.github.com/spotbugs/spotbugs/issues/4151">#4151</a>)</li>
   <li><a href="https://github.com/spotbugs/spotbugs/commit/d6db5658f184c08fd8a5e5e370968cfdec94ca33"><code>d6db565</code></a> chore(build): Update comments for commons-compress version details (<a href="https://redirect.github.com/spotbugs/spotbugs/issues/4150">#4150</a>)</li>
   <li><a href="https://github.com/spotbugs/spotbugs/commit/9d7cc2f0778ce84cd2c19fcdd77e2b7ec064fa0d"><code>9d7cc2f</code></a> Update dependency jaxen:jaxen to v2.0.6 (<a href="https://redirect.github.com/spotbugs/spotbugs/issues/4145">#4145</a>)</li>
   <li>Additional commits viewable in <a href="https://github.com/spotbugs/spotbugs/compare/4.9.8...4.10.1">compare view</a></li>
   </ul>
   </details>


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
