Bump the gradle-all group across 1 directory with 5 updates

[dependabot]

Bumps the gradle-all group with 5 updates in the / directory:

Package	From	To
io.papermc.paper:paper-api	1.21.11-R0.1-SNAPSHOT	26.1.2.build.53-stable
com.google.code.gson:gson	2.13.2	2.14.0
net.dv8tion:JDA	6.4.0	6.4.1
org.postgresql:postgresql	42.7.10	42.7.11
gradle-wrapper	9.4.1	9.5.0

Updates io.papermc.paper:paper-api from 1.21.11-R0.1-SNAPSHOT to 26.1.2.build.53-stable

Updates com.google.code.gson:gson from 2.13.2 to 2.14.0

Release notes

Sourced from com.google.code.gson:gson's releases.

Gson 2.14.0

What's Changed

• Add type adapters for java.time classes by @​eamonnmcmanus in google/gson#2948

  When the java.time API is available, Gson automatically can read and write instances of classes like Instant and Duration. The format it uses essentially freezes the JSON representation that ReflectiveTypeAdapterFactory established by default, based on the private fields of java.time classes. That's not a great representation, but it is understandable. Changing it to anything else would break compatibility with systems that are expecting the current format.

  With this change, Gson no longer tries to access private fields of these classes using reflection. So it is no longer necessary to run with --add-opens for these classes on recent JDKs.

• Remove com.google.gson.graph by @​eamonnmcmanus in google/gson#2990.

  This package was not part of any released artifact and depended on Gson internals in potentially problematic ways.

• Validate that strings being parsed as integers consist of ASCII characters by @​eamonnmcmanus in google/gson#2995

  Previously, strings could contain non-ASCII Unicode digits and still be parsed as integers. That's inconsistent with how JSON numbers are treated.

• Fix duplicate key detection when first value is null by @​andrewstellman in google/gson#3006

  This could potentially break code that was relying on the incorrect behaviour. For example, this JSON string was previously accepted but will no longer be: {"foo": null, "foo": bar}.

• Remove Serializable from internal Type implementation classes. by @​eamonnmcmanus in google/gson#3011

  The nested classes ParameterizedTypeImpl, GenericArrayTypeImpl, and WildcardTypeImpl in GsonTypes are implementations of the corresponding types (without Impl) in java.lang.reflect. For some reason, they were serializable, even though the java.lang.reflect implementations are not. Having unnecessarily serializable classes could conceivably have been a security problem if they were part of a larger exploit using serialization. (We do not consider this a likely scenario and do not suggest that you need to update Gson just to get this change.)

• Add LegacyProtoTypeAdapterFactory. by @​eamonnmcmanus in google/gson#3014

  This is not part of any released artifact, but may be of use when trying to fix code that is currently accessing the internals of protobuf classes via reflection.

• Make AppendableWriter do flush and close if delegation object supports by @​MukjepScarlet in google/gson#2925

Other less visible changes

• Add default capacity to EnumTypeAdapter maps by @​MukjepScarlet in google/gson#2959
• refactor: move derived adapters from Gson to TypeAdapters by @​MukjepScarlet in google/gson#2951
• Optimize new Gson() by @​MukjepScarlet in google/gson#2864

New Contributors

• @​ThirdGoddess made their first contribution in google/gson#2944
• @​lmj798 made their first contribution in google/gson#2988
• @​Eng-YasminKotb made their first contribution in google/gson#3005
• @​andrewstellman made their first contribution in google/gson#3006

Full Changelog: google/gson@gson-parent-2.13.2...gson-parent-2.14.0

Commits

• 3ff35d6 [maven-release-plugin] prepare release gson-parent-2.14.0
• a3024fd Bump the maven group with 13 updates (#3002)
• 5689ffe Bump the github-actions group across 1 directory with 3 updates (#3018)
• 48db33c Add LegacyProtoTypeAdapterFactory. (#3014)
• 53d703e Update outdated comment regarding serializable types (#3012)
• 0189b72 Remove Serializable from internal Type implementation classes. (#3011)
• f4d371d Fix duplicate key detection when first value is null (#3006)
• 27d9ba1 Fix typo in README (JPMS dependencies section) (#3005)
• 1fa9b7a Validate that strings being parsed as integers consist of ASCII characters (#...
• b7d5954 Add iterator fail-fast tests for LinkedTreeMap.clear() (#2992)
• Additional commits viewable in compare view

Updates net.dv8tion:JDA from 6.4.0 to 6.4.1

Release notes

Sourced from net.dv8tion:JDA's releases.

v6.4.1

Bug Fixes

• Fixed CheckboxGroup.Builder.setRequiredRange() incorrectly setting min and max by @​replaceitem in discord-jda/JDA#3065
• Fix getCommandType reading value of interaction type instead of command type by @​freya022 in discord-jda/JDA#3074

Full Changelog: discord-jda/JDA@v6.4.0...v6.4.1

Installation

Gradle

repositories {
    mavenCentral()
}
dependencies {
    implementation("net.dv8tion:JDA:6.4.1")
}

Maven

<dependency>
    <groupId>net.dv8tion</groupId>
    <artifactId>JDA</artifactId>
    <version>6.4.1</version> 
</dependency>

Commits

• 2cda370 Bump version to 6.4.1 (#3075)
• c3f4eb4 Fix copy paste error in Mentions#getMembers (#3072)
• c5951e2 Fix getCommandType reading value of interaction type instead of command typ...
• 230ed33 Fixed CheckboxGroup.Builder.setRequiredRange() incorrectly setting min and ...
• See full diff in compare view

Updates org.postgresql:postgresql from 42.7.10 to 42.7.11

Release notes

Sourced from org.postgresql:postgresql's releases.

v42.7.11

Security

• fix: Limit SCRAM PBKDF2 iterations accepted from the server. pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins. See the Security Advisory for more detail. The following CVE-2026-42198 has been issued.

Changes

• fix: Add sources and javadocs to shaded published lib generation @​sehrope (#4043)
• update Changelog and website for release of 42.7.11 @​davecramer (#4042)
• Fix scram fix location in changelog and update published artifact developer list @​sehrope (#4041)
• Restrict test with scram_iterations to v16+ and release notes @​sehrope (#4040)
• chore(deps): update ubuntu:24.04 docker digest to 84e77de @​renovate-bot (#4017)
• test: add tests for QueryExecutor#getTransactionState @​vlsi (#4006)
• chore(deps): update actions/create-github-app-token action to v2.2.2 @​renovate-bot (#3983)
• fix: fix flaky CopyBothResponseTest by using WAL flush LSN @​vlsi (#3979)
• fix: fix flaky replication restart tests by waiting for confirmed_flush_lsn @​vlsi (#3975)
• test: fix flaky LogicalReplicationStatusTest by polling pg_stat_replication @​vlsi (#3974)
• chore: replace Appveyor with ikalnytskyi/action-setup-postgres @​vlsi (#3966)
• test: move test table creation from @​BeforeEach to @​BeforeAll @​vlsi (#3967)
• Return jsonb as PGObject fixes Issue #3926 @​davecramer (#3956)
• Update docker scripts @​davecramer (#3958)
• implement require_auth, this is pretty much how libpq does this. @​davecramer (#3895)
• docs: add SCRAM authentication test setup section to TESTING.md @​emmaeng700 (#3945)
• Add RequireServerVersion annotation for tests @​sehrope (#3939)

🐛 Bug Fixes

• fix: ensure extended protocol messages end with Sync message @​vlsi (#3728)
• fix: enable cursor-based fetching in extended protocol when transaction started via SQL command @​vlsi (#3996)
• fix: retry with SSL on IOException when sslMode=ALLOW @​vlsi (#3973)
• fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in @​vlsi (#3968)
• fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers @​vlsi (#3962)
• fix: use compareTo for LogSequenceNumber comparison @​vlsi (#3961)
• fix: release COPY lock on IOException to prevent connection hang (#3957) @​vlsi (#3960)

🧰 Maintenance

• style: replace @​exception with @​throws in getBoolean javadoc @​vlsi (#4035)
• chore: use @​vlsi/github-actions-random-matrix npm package @​vlsi (#4008)
• chore: use tag names for pinning github actions, pin ikalnytskyi/action-setup-postgres @​vlsi (#4007)
• chore: bump errorprone to 2.48.0 @​vlsi (#4005)
• test: add @​DisableLogger annotation to suppress expected log warnings in tests @​vlsi (#3971)
• chore: suppress deprecations in test code to reduce build verbosity @​vlsi (#3972)
• chore: replace log warning in ConnectionFactory.closeStream with Throwable.addSuppressed @​vlsi (#3970)
• chore: use greedy pairwise coverage for CI matrix generation @​vlsi (#3965)
• chore: use full version tags in GitHub Actions comments @​vlsi (#3963)

⬆️ Dependencies

... (truncated)

Changelog

Sourced from org.postgresql:postgresql's changelog.

[42.7.11] (2026-04-28)

Security

• fix: Limit SCRAM PBKDF2 iterations accepted from the server. pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins. See the Security Advisory for more detail. The following CVE-2026-42198 has been issued.

Added

• feat: implement require_auth connection property, aligning with libpq behavior [PR #3895](pgjdbc/pgjdbc#3895)

Changed

• chore: replace Appveyor CI with ikalnytskyi/action-setup-postgres [PR #3966](pgjdbc/pgjdbc#3966)
• chore: upgrade Gradle to v9 [PR #3978](pgjdbc/pgjdbc#3978)

Fixed

• fix: ensure extended protocol messages end with Sync message [PR #3728](pgjdbc/pgjdbc#3728)
• fix: enable cursor-based fetching in extended protocol when transaction started via SQL command [PR #3996](pgjdbc/pgjdbc#3996)
• fix: retry with SSL on IOException when sslMode=ALLOW [PR #3973](pgjdbc/pgjdbc#3973)
• fix: make sure the driver honours connectTimeout when retrying the connection [PR #3968](pgjdbc/pgjdbc#3968)
• fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in [PR #3968](pgjdbc/pgjdbc#3968)
• fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers [PR #3962](pgjdbc/pgjdbc#3962)
• fix: use compareTo for LogSequenceNumber comparison to handle unsigned values correctly [PR #3961](pgjdbc/pgjdbc#3961)
• fix: release COPY lock on IOException to prevent connection hang [PR #3957](pgjdbc/pgjdbc#3957)
• fix: return jsonb as PGObject instead of String [PR #3956](pgjdbc/pgjdbc#3956)
• fix: align SSL key file permission check with libpq [PR #3952](pgjdbc/pgjdbc#3952)
• fix: guard connection closed flag with a reentrant lock to protect against concurrent close [PR #3905](pgjdbc/pgjdbc#3905)

Commits

• 78e261f fix: Add sources and javadocs to shaded published lib generation
• 1e09fa0 update Changelog and website for release of 42.7.11 (#4042)
• d479fa5 Fix scram fix location in changelog and update published artifact developer l...
• b04fc46 docs: Add scram max iters fix to changelog
• cf54822 test: Disable scram test on older version without scram_iterations GUC
• 7dbcc79 test: Add SCRAM max iteration tests
• c9d41d1 fix: Limit SCRAM PBKDF2 iterations accepted from the server
• a340cb2 style: replace @​exception with @​throws in getBoolean javadoc
• 77837f8 fix(deps): update dependency org.openrewrite.rewrite:org.openrewrite.rewrite....
• 23af03b chore(deps): update actions/checkout action to v6
• Additional commits viewable in compare view

Updates gradle-wrapper from 9.4.1 to 9.5.0

Release notes

Sourced from gradle-wrapper's releases.

9.5.0

The Gradle team is excited to announce Gradle 9.5.0.

Here are the highlights of this release:

• Task provenance in reports and failure messages
• Type-safe accessors for precompiled Kotlin Settings plugins

Read the Release Notes

We would like to thank the following community members for their contributions to this release of Gradle: atm1020, mataha, Adam, Attila Kelemen, Benedikt Ritter, Björn Kautler, Caro Silva Rode, CHANHAN, Dmitry Nezavitin, Eng Zer Jun, KugelLibelle, Madalin Valceleanu, Markus Gaisbauer, Oliver Kopp, Philip Wedemann, ploober, Roberto Perez Alcolea, Rohit Anand, Suvrat Acharya, Ujwal Suresh Vanjare, Victor Merkulov

Upgrade instructions

Switch your build to use Gradle 9.5.0 by updating your wrapper:

./gradlew wrapper --gradle-version=9.5.0 && ./gradlew wrapper

See the Gradle 9.x upgrade guide to learn about deprecations, breaking changes and other considerations when upgrading.

For Java, Groovy, Kotlin and Android compatibility, see the full compatibility notes.

Reporting problems

If you find a problem with this release, please file a bug on GitHub Issues adhering to our issue guidelines. If you're not sure you're encountering a bug, please use the forum.

We hope you will build happiness with Gradle, and we look forward to your feedback via Twitter or on GitHub.

9.5.0 RC4

... (truncated)

Commits

• 3fe117d Update jdks.yaml (#37703)
• 33d145a Update jdks.yaml
• f7a05d1 Update Gradle wrapper to version 9.5.0-rc-4 (#37654)
• 266facd Update Gradle wrapper to version 9.5.0-rc-4
• 0ad6dd8 Suppress OSC taskbar reset on plain/piped stdout (#37646)
• 966025d Suppress OSC taskbar reset on plain/piped stdout
• e745573 Polish IP docs (#37642)
• d5cfd07 Ensure BuildOperationQueue will progress without extra leases (#37629)
• acdf0c3 Ensure BuildOperationQueue will progress without extra leases
• f7d0e4f Rename anchor
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions