Bump the gradle-all group across 1 directory with 7 updates

[dependabot]

Bumps the gradle-all group with 7 updates in the / directory:

Package	From	To
io.papermc.paper:paper-api	1.21.11-R0.1-SNAPSHOT	26.1.2.build.59-stable
com.velocitypowered:velocity-api	3.3.0-SNAPSHOT	4.0.0-SNAPSHOT
com.gradleup.shadow	9.3.1	9.4.1
org.postgresql:postgresql	42.7.3	42.7.11
com.zaxxer:HikariCP	5.1.0	7.0.2
me.clip:placeholderapi	2.11.6	2.12.2
gradle-wrapper	9.3.1	9.5.0

Updates io.papermc.paper:paper-api from 1.21.11-R0.1-SNAPSHOT to 26.1.2.build.59-stable

Updates com.velocitypowered:velocity-api from 3.3.0-SNAPSHOT to 4.0.0-SNAPSHOT

Updates com.gradleup.shadow from 9.3.1 to 9.4.1

Release notes

Sourced from com.gradleup.shadow's releases.

9.4.1

Changed

• Update Kotlin to 2.3.20. (#1978)

9.4.0

Added

• Support Isolated Projects. (#1139)

Changed

• Allow opting out of adding shadowJar into assemble lifecycle. (#1939)

  shadow {
    // Disable making `assemble` task depend on `shadowJar`. This is enabled by default.
    addShadowJarToAssembleLifecycle = false
  }

• Stop catching ZipException when writing entries. (#1970)

Fixed

• Fix interaction with Gradle artifact transforms. (#1345)
• Fix skipStringConstants per-relocator behavior in mapName. (#1968)
• Fix failing for non-existent class directories. (#1976)

9.3.2

Changed

• Stop moving gradleApi dependency from api to compileOnly for Gradle 9.4+. (#1919)
• Log warnings for duplicates in the final JAR. (#1931)

Fixed

• Fix relocation patterns not included in task fingerprint. (#1933)

Commits

• f98d8f2 Prepare version 9.4.1
• 7cf1ac5 Note #1978 in changelog
• 539d532 Update plugin jetbrains-dokka to v2.2.0 (#1994)
• 0fb99ca Update actions/deploy-pages action to v5 (#1993)
• 38ec3e2 Update Develocity to v4.4.0 (#1992)
• e519072 Update gradle/actions action to v6 (#1990)
• ca0dd71 Update pluginPublish to v2.1.1 (#1989)
• 5a1ab58 Update Gradle to v9.4.1 (#1988)
• 69dfdfc Improve file type check for AAR (#1987)
• 1395087 Document excluding non-JAR transitive dependencies (#1986)
• Additional commits viewable in compare view

Updates org.postgresql:postgresql from 42.7.3 to 42.7.11

Release notes

Sourced from org.postgresql:postgresql's releases.

v42.7.11

Security

• fix: Limit SCRAM PBKDF2 iterations accepted from the server. pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins. See the Security Advisory for more detail. The following CVE-2026-42198 has been issued.

Changes

• fix: Add sources and javadocs to shaded published lib generation @​sehrope (#4043)
• update Changelog and website for release of 42.7.11 @​davecramer (#4042)
• Fix scram fix location in changelog and update published artifact developer list @​sehrope (#4041)
• Restrict test with scram_iterations to v16+ and release notes @​sehrope (#4040)
• chore(deps): update ubuntu:24.04 docker digest to 84e77de @​renovate-bot (#4017)
• test: add tests for QueryExecutor#getTransactionState @​vlsi (#4006)
• chore(deps): update actions/create-github-app-token action to v2.2.2 @​renovate-bot (#3983)
• fix: fix flaky CopyBothResponseTest by using WAL flush LSN @​vlsi (#3979)
• fix: fix flaky replication restart tests by waiting for confirmed_flush_lsn @​vlsi (#3975)
• test: fix flaky LogicalReplicationStatusTest by polling pg_stat_replication @​vlsi (#3974)
• chore: replace Appveyor with ikalnytskyi/action-setup-postgres @​vlsi (#3966)
• test: move test table creation from @​BeforeEach to @​BeforeAll @​vlsi (#3967)
• Return jsonb as PGObject fixes Issue #3926 @​davecramer (#3956)
• Update docker scripts @​davecramer (#3958)
• implement require_auth, this is pretty much how libpq does this. @​davecramer (#3895)
• docs: add SCRAM authentication test setup section to TESTING.md @​emmaeng700 (#3945)
• Add RequireServerVersion annotation for tests @​sehrope (#3939)

🐛 Bug Fixes

• fix: ensure extended protocol messages end with Sync message @​vlsi (#3728)
• fix: enable cursor-based fetching in extended protocol when transaction started via SQL command @​vlsi (#3996)
• fix: retry with SSL on IOException when sslMode=ALLOW @​vlsi (#3973)
• fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in @​vlsi (#3968)
• fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers @​vlsi (#3962)
• fix: use compareTo for LogSequenceNumber comparison @​vlsi (#3961)
• fix: release COPY lock on IOException to prevent connection hang (#3957) @​vlsi (#3960)

🧰 Maintenance

• style: replace @​exception with @​throws in getBoolean javadoc @​vlsi (#4035)
• chore: use @​vlsi/github-actions-random-matrix npm package @​vlsi (#4008)
• chore: use tag names for pinning github actions, pin ikalnytskyi/action-setup-postgres @​vlsi (#4007)
• chore: bump errorprone to 2.48.0 @​vlsi (#4005)
• test: add @​DisableLogger annotation to suppress expected log warnings in tests @​vlsi (#3971)
• chore: suppress deprecations in test code to reduce build verbosity @​vlsi (#3972)
• chore: replace log warning in ConnectionFactory.closeStream with Throwable.addSuppressed @​vlsi (#3970)
• chore: use greedy pairwise coverage for CI matrix generation @​vlsi (#3965)
• chore: use full version tags in GitHub Actions comments @​vlsi (#3963)

⬆️ Dependencies

... (truncated)

Changelog

Sourced from org.postgresql:postgresql's changelog.

[42.7.11] (2026-04-28)

Security

• fix: Limit SCRAM PBKDF2 iterations accepted from the server. pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins. See the Security Advisory for more detail. The following CVE-2026-42198 has been issued.

Added

• feat: implement require_auth connection property, aligning with libpq behavior [PR #3895](pgjdbc/pgjdbc#3895)

Changed

• chore: replace Appveyor CI with ikalnytskyi/action-setup-postgres [PR #3966](pgjdbc/pgjdbc#3966)
• chore: upgrade Gradle to v9 [PR #3978](pgjdbc/pgjdbc#3978)

Fixed

• fix: ensure extended protocol messages end with Sync message [PR #3728](pgjdbc/pgjdbc#3728)
• fix: enable cursor-based fetching in extended protocol when transaction started via SQL command [PR #3996](pgjdbc/pgjdbc#3996)
• fix: retry with SSL on IOException when sslMode=ALLOW [PR #3973](pgjdbc/pgjdbc#3973)
• fix: make sure the driver honours connectTimeout when retrying the connection [PR #3968](pgjdbc/pgjdbc#3968)
• fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in [PR #3968](pgjdbc/pgjdbc#3968)
• fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers [PR #3962](pgjdbc/pgjdbc#3962)
• fix: use compareTo for LogSequenceNumber comparison to handle unsigned values correctly [PR #3961](pgjdbc/pgjdbc#3961)
• fix: release COPY lock on IOException to prevent connection hang [PR #3957](pgjdbc/pgjdbc#3957)
• fix: return jsonb as PGObject instead of String [PR #3956](pgjdbc/pgjdbc#3956)
• fix: align SSL key file permission check with libpq [PR #3952](pgjdbc/pgjdbc#3952)
• fix: guard connection closed flag with a reentrant lock to protect against concurrent close [PR #3905](pgjdbc/pgjdbc#3905)

[42.7.10] (2026-02-11)

Changed

• chore: Migrate to Shadow 9 PR 3931
• style: fix empty line before javadoc for checkstyle compliance [PR #3925](pgjdbc/pgjdbc#3925)
• style: fix lambda argument indentation for checkstyle compliance [PR #3922](pgjdbc/pgjdbc#3922)
• test: add autosave=always|never|conservative and cleanupSavepoints=true|false to the randomized CI jobs [PR #3917](pgjdbc/pgjdbc#3917)

Fixed

• fix: non-standard strings failing test for version 19 [PR #3934](pgjdbc/pgjdbc#3934)
• fix: small issues in ConnectionFactoryImpl [PR #3929](pgjdbc/pgjdbc#3929)
• fix: process pending responses before fastpath to avoid protocol errors PR # 3913
• doc: use.md, fix typos [PR #3911](pgjdbc/pgjdbc#3911)
• doc: datasource.md, fix minor formatting issue [PR #3912](pgjdbc/pgjdbc#3912)
• doc: add the new PGP signing key to the official documentation [PR #3912](pgjdbc/pgjdbc#3813)

Reverted

• Revert "fix: make all Calendar instances proleptic Gregorian (#3837) (#3887)" [PR #3932](pgjdbc/pgjdbc#3932)

[42.7.9] (2026-01-14)

Added

... (truncated)

Commits

• 78e261f fix: Add sources and javadocs to shaded published lib generation
• 1e09fa0 update Changelog and website for release of 42.7.11 (#4042)
• d479fa5 Fix scram fix location in changelog and update published artifact developer l...
• b04fc46 docs: Add scram max iters fix to changelog
• cf54822 test: Disable scram test on older version without scram_iterations GUC
• 7dbcc79 test: Add SCRAM max iteration tests
• c9d41d1 fix: Limit SCRAM PBKDF2 iterations accepted from the server
• a340cb2 style: replace @​exception with @​throws in getBoolean javadoc
• 77837f8 fix(deps): update dependency org.openrewrite.rewrite:org.openrewrite.rewrite....
• 23af03b chore(deps): update actions/checkout action to v6
• Additional commits viewable in compare view

Updates com.zaxxer:HikariCP from 5.1.0 to 7.0.2

Changelog

Sourced from com.zaxxer:HikariCP's changelog.

HikariCP Changes

Changes in 7.0.2

• decrease thread yield frequency in ConcurrentBag.unreserve()

Changes in 7.0.1

• merged #2346 fix regression with setSchema behavior

• decrease thread yield frequency in ConcurrentBag.requite()

Changes in 7.0.0

• merged #2340 NoSuchMethodException error that is thrown when setting a metric registry, fixes to UtilityElf reflection code to use the correct method signature.

• fixed #1294 add support for HikariCredentialsProvider class

• fixed #2265 bail out of the pool filling loop if the thread is interrupted

Changes in 6.3.3

• backport #2340 NoSuchMethodException error that is thrown when setting a metric registry, fixes to UtilityElf reflection code to use the correct method signature.

Changes in 6.3.2

• fixed #2342 restore module-info.class to jar file, which was lost in 6.3.1

• fixed #2256 add support for legacy override of getUsername()/getPassword() of HikariDataSource. See project page for documentation of system property com.zaxxer.hikari.legacy.supportUserPassDataSourceOverride.

• fixed #2323 right or wrong (wrt driver behavior) return to previous Connection.get/setSchema behavior

• fixed #2288 upgrade dependencies and fix build warnings

Changes in 6.3.1

• fixed #2315 source jar contains also binary .class files and missing some .java files

• fixed #2307 remove improper hardcoded timout, use validationTimeout

• fixed #2305 keep properties key and values as is rather than forcing stringification. Also fixes #2286 and #2304

• upgraded various maven plugin dependencies to latest versions

Changes in 6.3.0

• increase keepaliveTime variance from 10% to 20%

... (truncated)

Commits

• 80c46ae [maven-release-plugin] prepare release HikariCP-7.0.2
• cba7ebe decrease thread yield frequency in ConcurrentBag.unreserve()
• 22cc9bd Update README.md
• 86915ee [maven-release-plugin] prepare for next development iteration
• 217bcc8 [maven-release-plugin] prepare release HikariCP-7.0.1
• 29ad2f4 update changes log
• b81bbc9 fixes #2323 always reset schema upon connection retrieval (#2346)
• ee5328d decrease yield() frequency during direct hand-off attempts
• 1da3a33 Update README.md
• 17c4b33 Update README.md
• Additional commits viewable in compare view

Updates me.clip:placeholderapi from 2.11.6 to 2.12.2

Updates gradle-wrapper from 9.3.1 to 9.5.0

Release notes

Sourced from gradle-wrapper's releases.

9.5.0

The Gradle team is excited to announce Gradle 9.5.0.

Here are the highlights of this release:

• Task provenance in reports and failure messages
• Type-safe accessors for precompiled Kotlin Settings plugins

Read the Release Notes

We would like to thank the following community members for their contributions to this release of Gradle: atm1020, mataha, Adam, Attila Kelemen, Benedikt Ritter, Björn Kautler, Caro Silva Rode, CHANHAN, Dmitry Nezavitin, Eng Zer Jun, KugelLibelle, Madalin Valceleanu, Markus Gaisbauer, Oliver Kopp, Philip Wedemann, ploober, Roberto Perez Alcolea, Rohit Anand, Suvrat Acharya, Ujwal Suresh Vanjare, Victor Merkulov

Upgrade instructions

Switch your build to use Gradle 9.5.0 by updating your wrapper:

./gradlew wrapper --gradle-version=9.5.0 && ./gradlew wrapper

See the Gradle 9.x upgrade guide to learn about deprecations, breaking changes and other considerations when upgrading.

For Java, Groovy, Kotlin and Android compatibility, see the full compatibility notes.

Reporting problems

If you find a problem with this release, please file a bug on GitHub Issues adhering to our issue guidelines. If you're not sure you're encountering a bug, please use the forum.

We hope you will build happiness with Gradle, and we look forward to your feedback via Twitter or on GitHub.

9.5.0 RC4

... (truncated)

Commits

• 3fe117d Update jdks.yaml (#37703)
• 33d145a Update jdks.yaml
• f7a05d1 Update Gradle wrapper to version 9.5.0-rc-4 (#37654)
• 266facd Update Gradle wrapper to version 9.5.0-rc-4
• 0ad6dd8 Suppress OSC taskbar reset on plain/piped stdout (#37646)
• 966025d Suppress OSC taskbar reset on plain/piped stdout
• e745573 Polish IP docs (#37642)
• d5cfd07 Ensure BuildOperationQueue will progress without extra leases (#37629)
• acdf0c3 Ensure BuildOperationQueue will progress without extra leases
• f7d0e4f Rename anchor
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions