Skip to content

build(deps): bump the all-gradle group across 1 directory with 4 updates#752

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/gradle/all-gradle-bc2bd876ab
Open

build(deps): bump the all-gradle group across 1 directory with 4 updates#752
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/gradle/all-gradle-bc2bd876ab

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 8, 2026

Copy link
Copy Markdown
Contributor

Bumps the all-gradle group with 4 updates in the / directory: org.junit.jupiter:junit-jupiter, org.postgresql:postgresql, com.microsoft.playwright:playwright and gradle-wrapper.

Updates org.junit.jupiter:junit-jupiter from 6.1.0 to 6.1.1

Release notes

Sourced from org.junit.jupiter:junit-jupiter's releases.

JUnit 6.1.1 = Platform 6.1.1 + Jupiter 6.1.1 + Vintage 6.1.1

See Release Notes.

Full Changelog: junit-team/junit-framework@r6.1.0...r6.1.1

Commits
  • 0d85889 Release 6.1.1
  • 0363eee Finalize 6.1.1 release notes
  • a6d540a Move entry to 6.1.1 release notes
  • 69339d5 Only pass timeout when publishing to avoid failure in nmcp plugin
  • dec2eb9 Allow excluding engines from memory cleanup mode (#5786)
  • a5f4270 Publish sha256/sha512 checksums again but filter out signature ones (#5796)
  • 8213012 Update plugin nmcp-settings to v1.6.0 (#5787)
  • d1bf847 Generate Javadoc for aggregator modules
  • d721de5 Pass --no-fonts to javadoc convention
  • d289ec6 Restore original SetSystemProperty values in a ParameterizedTest (#5720)
  • Additional commits viewable in compare view

Updates org.postgresql:postgresql from 42.7.11 to 42.7.12

Release notes

Sourced from org.postgresql:postgresql's releases.

v42.7.12: security

Silent channel-binding authentication downgrade (CVE-2026-54291)

channelBinding=require connections can be silently downgraded from SCRAM-SHA-256-PLUS (with channel binding) to plain SCRAM-SHA-256 (without it), losing the man-in-the-middle protection the setting is meant to guarantee. An attacker who can intercept the TLS connection triggers the downgrade with a certificate whose signature algorithm has no tls-server-end-point channel-binding hash. Examples are Ed25519, Ed448, and post-quantum algorithms.

Two issues combine in releases 42.7.4 through 42.7.11:

The bundled com.ongres.scram:scram-client (3.1 or 3.2) returns an empty byte array instead of failing when it cannot derive the binding hash for such a certificate. This is the library issue tracked as GHSA-p9jg-fcr6-3mhf.

pgJDBC does not enforce channelBinding=require where it matters. ScramAuthenticator checks only that the server advertised a -PLUS mechanism; it neither rejects the empty binding nor checks that the negotiated mechanism uses channel binding. The connection therefore downgrades silently.

Only connections that set channelBinding=require are affected. Under the default prefer policy, and under allow or disable, falling back to plain SCRAM is the documented behaviour.

Releases before 42.7.4 are unaffected, because they do not support channel binding.

Changelog

Sourced from org.postgresql:postgresql's changelog.

[42.7.12] (2026-06-29)

Security

  • fix: Enforce SCRAM channel-binding policy and prevent silent downgrade. Under channelBinding=require, the driver silently downgraded from SCRAM-SHA-256-PLUS (with channel binding) to plain SCRAM-SHA-256 (without it) when the server presented a certificate whose signature algorithm has no tls-server-end-point channel-binding hash (e.g. Ed25519, Ed448, or post-quantum algorithms). An attacker who can intercept the TLS connection could exploit this to strip channel-binding protection. The fix enforces channel binding in the driver's own code: it now fails the connection when no binding data can be extracted, and verifies the negotiated mechanism uses channel binding (-PLUS) when require is set. Only connections that set channelBinding=require are affected. The default prefer policy and releases before 42.7.4 (which introduced channel-binding support) are unaffected. See the Security Advisory for more detail. The following CVE-2026-54291 has been issued.
Commits

Updates com.microsoft.playwright:playwright from 1.60.0 to 1.61.0

Release notes

Sourced from com.microsoft.playwright:playwright's releases.

v1.61.0

🔑 WebAuthn passkeys

New Credentials virtual authenticator, available via browserContext.credentials, lets tests register passkeys and answer navigator.credentials.create() / navigator.credentials.get() ceremonies in the page — no real hardware key required, works in all browsers:

BrowserContext context = browser.newContext();
// Seed a passkey your backend provisioned for a test user.
context.credentials().create("example.com", new Credentials.CreateOptions()
.setId(credentialId)
.setUserHandle(userHandle)
.setPrivateKey(privateKey)
.setPublicKey(publicKey));
context.credentials().install();
Page page = context.newPage();
page.navigate("https://example.com/login");
// The page's navigator.credentials.get() is answered with the seeded passkey.

You can also let the app register a passkey once in a setup test, read it back with credentials.get(), and seed it into later tests — see Credentials for details.

🗃️ Web Storage

New WebStorage API, available via page.localStorage and page.sessionStorage, reads and writes the page's storage for the current origin:

page.localStorage().setItem("token", "abc");
String token = page.localStorage().getItem("token");
List<NameValue> items = page.sessionStorage().items();

New APIs

🛠️ Other improvements

  • Playwright now supports Ubuntu 26.04.
  • HAR and trace recordings now include WebSocket requests.

Browser Versions

  • Chromium 149.0.7827.55
  • Mozilla Firefox 151.0
  • WebKit 26.5

This version was also tested against the following stable channels:

  • Google Chrome 149

... (truncated)

Commits
  • e8869de chore: mark 1.61.0 (#1942)
  • 20e4edd chore: roll driver to 1.61.1 (#1941)
  • d2d29d4 feat(driver): bundle playwright-core in driver, keep only Node.js in driver-b...
  • 43d2601 fix(fetch): serialize LocalDate in post data (#1934)
  • ace7a12 fix(driver-bundle): exclude driver binaries from sources JAR (#1933)
  • fddd7c3 feat(docker): add Ubuntu 26.04 (Resolute Raccoon) image (#1932)
  • 423cbf4 chore: roll driver to 1.61.0-beta-1781285686000 (#1929)
  • e3f2f6f fix(docker): assemble driver on the host for docker builds (#1930)
  • 1b7d164 chore: extract common skill conventions into CLAUDE.md (#1928)
  • 7a59a68 feat: assemble driver from npm instead of CDN (#1927)
  • Additional commits viewable in compare view

Updates gradle-wrapper from 9.5.1 to 9.6.1

Release notes

Sourced from gradle-wrapper's releases.

9.6.1

The Gradle team is excited to announce Gradle 9.6.1.

Here are the highlights of this release:

  • Improved Configuration Cache hit rates
  • Additional CLI rendering options
  • Important project hierarchy lookup deprecations

Read the Release Notes

We would like to thank the following community members for their contributions to this release of Gradle: Aharnish Solanki, Benedikt Johannes, Devendra Reddy Pennabadi, Dmytro Rodionov, Dreeam, Elías Hernández Rodríguez, Eng Zer Jun, FinlayRJW, Kamal Kansal, Marcono1234, Nelson Osacky, Philip Wedemann, Ravi, Roberto Perez Alcolea, Ryan Schmitt, Sebastian Schuberth, seunghun.ham, sk-reddy17, Suvrat Acharya, Vedant Madane.

Upgrade instructions

Switch your build to use Gradle 9.6.1 by updating your wrapper:

./gradlew :wrapper --gradle-version=9.6.1 && ./gradlew :wrapper

See the Gradle 9.x upgrade guide to learn about deprecations, breaking changes and other considerations when upgrading.

For Java, Groovy, Kotlin and Android compatibility, see the full compatibility notes.

Reporting problems

If you find a problem with this release, please file a bug on GitHub Issues adhering to our issue guidelines. If you're not sure you're encountering a bug, please use the forum.

We hope you will build happiness with Gradle, and we look forward to your feedback via Twitter or on GitHub.

9.6.0

... (truncated)

Commits
  • 309d128 Update fixed issues in release notes for 9.6.1 (#38328)
  • 040a978 Update fixed issues in release notes for 9.6.1
  • e0b8325 Restore --non-interactive flag instead of --interactive/--no-interactive (#38...
  • 946f3e6 Limit explicit temp file permission setting to intended use case (#38300)
  • 65f8224 Restore --non-interactive flag instead of --interactive/--no-interactive
  • e346a5e Adjust CLI flag to configure non-interactive console (#38301)
  • 9b53be9 Adjust CLI flag to configure non-interactive console
  • 0dd3b53 Limit explicit temp file permission setting to intended use case
  • 48e5ac2 Add reproducers
  • 25598fd Prepare 9.6.1 patch release (#38293)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the all-gradle group with 4 updates in the / directory: [org.junit.jupiter:junit-jupiter](https://github.com/junit-team/junit-framework), [org.postgresql:postgresql](https://github.com/pgjdbc/pgjdbc), [com.microsoft.playwright:playwright](https://github.com/microsoft/playwright-java) and [gradle-wrapper](https://github.com/gradle/gradle).


Updates `org.junit.jupiter:junit-jupiter` from 6.1.0 to 6.1.1
- [Release notes](https://github.com/junit-team/junit-framework/releases)
- [Commits](junit-team/junit-framework@r6.1.0...r6.1.1)

Updates `org.postgresql:postgresql` from 42.7.11 to 42.7.12
- [Release notes](https://github.com/pgjdbc/pgjdbc/releases)
- [Changelog](https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md)
- [Commits](pgjdbc/pgjdbc@REL42.7.11...REL42.7.12)

Updates `com.microsoft.playwright:playwright` from 1.60.0 to 1.61.0
- [Release notes](https://github.com/microsoft/playwright-java/releases)
- [Commits](microsoft/playwright-java@v1.60.0...v1.61.0)

Updates `gradle-wrapper` from 9.5.1 to 9.6.1
- [Release notes](https://github.com/gradle/gradle/releases)
- [Commits](gradle/gradle@v9.5.1...v9.6.1)

---
updated-dependencies:
- dependency-name: org.junit.jupiter:junit-jupiter
  dependency-version: 6.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-gradle
- dependency-name: org.postgresql:postgresql
  dependency-version: 42.7.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-gradle
- dependency-name: com.microsoft.playwright:playwright
  dependency-version: 1.61.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-gradle
- dependency-name: gradle-wrapper
  dependency-version: 9.6.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-gradle
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file java Pull requests that update java code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants