Bump the maven-dependencies group with 3 updates

[dependabot]

Bumps the maven-dependencies group with 3 updates: ch.qos.logback:logback-classic, org.jboss.forge.roaster:roaster-api and org.jboss.forge.roaster:roaster-jdt.

Updates ch.qos.logback:logback-classic from 1.5.34 to 1.5.36

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.36

2026-06-25 Release of logback version 1.5.36

• The 'condition' attribute in <if> elements now reject certain references that are associated with ACE attacks. This issue was reported by "yulate" (yulate531@gmail.com.com) and registered as CVE-2026-13006.

• A bitwise identical binary of this version can be reproduced by building from source code at commit 9b94c37562bf25a6a944146701d42ee6c4eee888 associated with the tag v_1.5.36. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.35

026-06-23 Release of logback version 1.5.35

• The 'condition' attribute in <if> elements now rejects unicode escape sequences (\u and \U). This closes a bypass of the existing prohibition on the new operator in Janino-evaluated conditions. This issue was reported by IcySun (icysun@qq.com) and registered as CVE-2026-13006.

• Added ConfiguratorRank.AUTHENTICATING (rank 100), the highest configurator rank, for certified/authenticating configurators discovered via the ServiceLoader mechanism. ContextInitializer now requires that at most one such configurator exist on the classpath; if more than one is found, initialization aborts with an error.

• ConsoleCharsetPropertyDefiner is no longer shipped. The Java 21 multi-release compilation of logback-core has been disabled, which removes this class from the published artifact. Configurations that referenced ch.qos.logback.core.property.ConsoleCharsetPropertyDefiner will need an alternative approach for console charset detection.

• The logback-examples module is now included in artifacts published to Maven Central.

• JoranConfigurator.makeAnotherInstance() and DefaultJoranConfigurator.performMultiStepConfigurationFileSearch() are now protected, allowing derived configurators to override these methods.

• A bitwise identical binary of this version can be reproduced by building from source code at commit 08bd1598d565d83444f72983935e7da4746783b7 associated with the tag v_1.5.35. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Commits

• 9b94c37 prepare release 1.5.36
• e6a8280 prevent attacks using disallowed references
• 24c4b63 start work on 1.5.36-SNAPSHOT
• 08bd159 preapre release 1.5.35
• 37d256b indentation changes only
• d3d7307 minor comment
• fa0411a radomize file location
• 834fdba disable consoleCharset test
• 42eabc3 fix messages in IfModelHandler
• 347efc8 add unicode escape prevention
• Additional commits viewable in compare view

Updates org.jboss.forge.roaster:roaster-api from 2.31.0.Final to 2.31.1.Final

Commits

• da2b435 [maven-release-plugin] prepare release 2.31.1.Final
• ffbc7cc Harden FormatterProfileReader against XXE and entity expansion attacks (#400)
• 530d40d Bump actions/checkout from 6 to 7 (#398)
• 11bbe76 Bump org.eclipse.jdt:org.eclipse.jdt.core from 3.45.0 to 3.46.0 (#396)
• b70da80 Bump org.junit.jupiter:junit-jupiter from 6.0.3 to 6.1.0 (#395)
• 050e928 Bump org.eclipse.jdt:org.eclipse.jdt.core from 3.44.0 to 3.45.0 (#394)
• 9e11814 Bump org.assertj:assertj-core from 3.27.6 to 3.27.7 in /tests (#391)
• 8df2e00 Bump org.junit.jupiter:junit-jupiter from 6.0.2 to 6.0.3 (#392)
• b56cfb1 Bump org.sonatype.central:central-publishing-maven-plugin (#389)
• fbb5601 Bump org.junit.jupiter:junit-jupiter from 6.0.1 to 6.0.2 (#388)
• Additional commits viewable in compare view

Updates org.jboss.forge.roaster:roaster-jdt from 2.31.0.Final to 2.31.1.Final

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions