From e56754cc0d3700c7a804468f9e8a644b63b1ed05 Mon Sep 17 00:00:00 2001
From: Vladimir Sitnikov <sitnikov.vladimir@gmail.com>
Date: Wed, 3 Jun 2026 10:17:22 +0300
Subject: [PATCH 1/4] fix(deps): update org.bouncycastle to v1.84

Bump bcmail/bcpkix/bcprov-jdk18on from 1.82 to 1.84 for the latest upstream security and bug fixes. Regenerate dependency verification metadata; bouncycastle is verified by trusted PGP key, so no per-jar checksums change.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 gradle/verification-metadata.xml    | 20 ++++++++++++++++++++
 src/bom-thirdparty/build.gradle.kts |  6 +++---
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
index ae138570c88..41a3eddf5f6 100644
--- a/gradle/verification-metadata.xml
+++ b/gradle/verification-metadata.xml
@@ -653,6 +653,21 @@
             <sha256 value="089827a4d9f06cb23fc56f17718c90792e06642f89d73a72f7d4e0a1d4ea4a14" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.apache.activemq" name="activemq-parent" version="6.2.0">
+         <artifact name="activemq-parent-6.2.0.pom">
+            <sha256 value="12af0b4f5d26a4afb4ebe3ef9e254de8914358f138cb6cd148bddb862c9d81eb" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
+      <component group="org.apache.camel" name="camel" version="4.14.2">
+         <artifact name="camel-4.14.2.pom">
+            <sha256 value="f8e3e0c2176cd532b4136a28435405b2472f5f0e7dbce358e6d8707be55dfbd2" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
+      <component group="org.apache.camel" name="camel-bom" version="4.14.2">
+         <artifact name="camel-bom-4.14.2.pom">
+            <sha256 value="924b98a5fbf537d0f571ac15dfe481bfc785d4bb011b412f38046744b37ddc22" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.apache.commons" name="commons-math3" version="3.6.1">
          <artifact name="commons-math3-3.6.1.pom">
             <sha256 value="fad72336ea7d7dd06da103144e3740db508fa4b17d9c54d7847737edc24a7e60" origin="Generated by Gradle"/>
@@ -959,6 +974,11 @@
             <sha256 value="faf0c6538e53ddc0499a63664d8e763c216580b2e18e722ccbdf1b431a6afe26" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.jetbrains.kotlinx" name="kotlinx-coroutines-bom" version="1.7.3">
+         <artifact name="kotlinx-coroutines-bom-1.7.3.pom">
+            <sha256 value="4e5d1900e6379ef3f5970d04a8f30529adc82f859e8cc107c21ce8149ef666c4" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.jetbrains.kotlinx" name="kotlinx-coroutines-bom" version="1.8.0">
          <artifact name="kotlinx-coroutines-bom-1.8.0.pom">
             <sha256 value="1239e9dbe1397cd5971342956b2511bc3ace7b641842e4372a088dcfa8b9ad55" origin="Generated by Gradle"/>
diff --git a/src/bom-thirdparty/build.gradle.kts b/src/bom-thirdparty/build.gradle.kts
index 51d51af50c7..9e739b4a0e9 100644
--- a/src/bom-thirdparty/build.gradle.kts
+++ b/src/bom-thirdparty/build.gradle.kts
@@ -122,9 +122,9 @@ dependencies {
         api("org.apache.velocity:velocity:1.7")
         api("org.apache.xmlgraphics:xmlgraphics-commons:2.11")
         api("org.apiguardian:apiguardian-api:1.1.2")
-        api("org.bouncycastle:bcmail-jdk18on:1.82")
-        api("org.bouncycastle:bcpkix-jdk18on:1.82")
-        api("org.bouncycastle:bcprov-jdk18on:1.82")
+        api("org.bouncycastle:bcmail-jdk18on:1.84")
+        api("org.bouncycastle:bcpkix-jdk18on:1.84")
+        api("org.bouncycastle:bcprov-jdk18on:1.84")
         api("org.brotli:dec:0.1.2")
         api("org.freemarker:freemarker:2.3.34")
         api("org.glassfish.jaxb:txw2:4.0.6")

From 08010862b0cfc3ba2e4f5cedc6773fdfdf1cecad Mon Sep 17 00:00:00 2001
From: Vladimir Sitnikov <sitnikov.vladimir@gmail.com>
Date: Wed, 3 Jun 2026 10:20:55 +0300
Subject: [PATCH 2/4] fix(deps): update org.apache.logging.log4j to v2.26.0

Bump log4j-1.2-api/api/core/slf4j2-impl from 2.25.3 to 2.26.0. Regenerate dependency verification metadata and the expected release jar list.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 gradle/verification-metadata.xml            | 5 +++++
 src/bom-thirdparty/build.gradle.kts         | 8 ++++----
 src/dist/src/dist/expected_release_jars.csv | 8 ++++----
 3 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
index 41a3eddf5f6..9309e455537 100644
--- a/gradle/verification-metadata.xml
+++ b/gradle/verification-metadata.xml
@@ -257,6 +257,11 @@
             <sha256 value="25eafd96dae242b6b5a7108f55b2c14015b828daa5abe234289fd6e774a1ce57" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="com.fasterxml" name="oss-parent" version="69">
+         <artifact name="oss-parent-69.pom">
+            <sha256 value="3856d584aaa1c8e33ce94c67244f71f6f70538a259ffe8e781761b9faaad875f" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.fasterxml.jackson" name="jackson-bom" version="2.15.3">
          <artifact name="jackson-bom-2.15.3.pom">
             <sha256 value="66fc9945c16716bc202f4b9d7e6d969df3f509feffbe1acf1a31511b753d5c9d" origin="Generated by Gradle"/>
diff --git a/src/bom-thirdparty/build.gradle.kts b/src/bom-thirdparty/build.gradle.kts
index 9e739b4a0e9..ffd0b4073f5 100644
--- a/src/bom-thirdparty/build.gradle.kts
+++ b/src/bom-thirdparty/build.gradle.kts
@@ -112,10 +112,10 @@ dependencies {
         api("org.apache.httpcomponents:httpcore-nio:4.4.16")
         api("org.apache.httpcomponents:httpcore:4.4.16")
         api("org.apache.httpcomponents:httpmime:4.5.14")
-        api("org.apache.logging.log4j:log4j-1.2-api:2.25.3")
-        api("org.apache.logging.log4j:log4j-api:2.25.3")
-        api("org.apache.logging.log4j:log4j-core:2.25.3")
-        api("org.apache.logging.log4j:log4j-slf4j2-impl:2.25.3")
+        api("org.apache.logging.log4j:log4j-1.2-api:2.26.0")
+        api("org.apache.logging.log4j:log4j-api:2.26.0")
+        api("org.apache.logging.log4j:log4j-core:2.26.0")
+        api("org.apache.logging.log4j:log4j-slf4j2-impl:2.26.0")
         api("org.apache.rat:apache-rat:0.17")
         api("org.apache.tika:tika-core:3.2.3")
         api("org.apache.tika:tika-parsers:3.2.3")
diff --git a/src/dist/src/dist/expected_release_jars.csv b/src/dist/src/dist/expected_release_jars.csv
index 01ee126af4f..12ef9a5b9e2 100644
--- a/src/dist/src/dist/expected_release_jars.csv
+++ b/src/dist/src/dist/expected_release_jars.csv
@@ -102,10 +102,10 @@
 675271,kotlinx-datetime-jvm-0.6.2.jar
 996,lets-plot-batik-4.8.0.jar
 996,lets-plot-common-4.8.0.jar
-359213,log4j-1.2-api-2.25.3.jar
-350610,log4j-api-2.25.3.jar
-2018402,log4j-core-2.25.3.jar
-30213,log4j-slf4j2-impl-2.25.3.jar
+359197,log4j-1.2-api-2.26.0.jar
+351126,log4j-api-2.26.0.jar
+2015101,log4j-core-2.26.0.jar
+30211,log4j-slf4j2-impl-2.26.0.jar
 519087,mail-1.5.0-b01.jar
 120556,miglayout-core-11.4.3.jar
 23361,miglayout-swing-11.4.3.jar

From ced20eb2d0f1a062b3012c1fecc8dc9653aaa90e Mon Sep 17 00:00:00 2001
From: Vladimir Sitnikov <sitnikov.vladimir@gmail.com>
Date: Wed, 3 Jun 2026 10:23:24 +0300
Subject: [PATCH 3/4] fix(deps): update org.apache.activemq to v6.2.6

Bump activemq-broker/client/spring (test scope) from 6.2.0 to 6.2.6. Regenerate dependency verification metadata; activemq is test-only, so the release jar list is unchanged.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 gradle/verification-metadata.xml | 10 +++++++++-
 src/bom-testing/build.gradle.kts |  6 +++---
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
index 9309e455537..69fb2e633dd 100644
--- a/gradle/verification-metadata.xml
+++ b/gradle/verification-metadata.xml
@@ -211,7 +211,10 @@
          <trusted-key id="EED6202038849B47FEEAD1EC9266326161C26F29" group="net.javacrumbs.json-unit"/>
          <trusted-key id="F254B35617DC255D9344BCFA873A8E86B4372146" group="org.apache"/>
          <trusted-key id="F3184BCD55F4D016E30D4C9BF42E87F9665015C9" group="org.jsoup"/>
-         <trusted-key id="F4DD59C90148BDC52BEB90A4530AA5F25C25011F" group="commons-logging"/>
+         <trusted-key id="F4DD59C90148BDC52BEB90A4530AA5F25C25011F">
+            <trusting group="commons-logging"/>
+            <trusting group="org.apache.commons"/>
+         </trusted-key>
          <trusted-key id="F5FEBA84EB26C56457B2CF819E31AB27445478DB" group="org.infinispan"/>
          <trusted-key id="FA77DCFEF2EE6EB2DEBEDD2C012579464D01C06A">
             <trusting group="org.codehaus.plexus"/>
@@ -633,6 +636,11 @@
             <sha256 value="ea297dcd114136e8b8e8b630230d52a76c2fc69f6c5db25d672b1857000728b8" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.apache" name="apache" version="37">
+         <artifact name="apache-37.pom">
+            <sha256 value="524ec4787aff73af6b3a9fafa154c7f1881b648299b663fdbfcadda1286f2353" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.apache" name="apache" version="4">
          <artifact name="apache-4.pom">
             <sha256 value="9e9323a26ba8eb2394efef0c96d31b70df570808630dc147cab1e73541cc5194" origin="Generated by Gradle"/>
diff --git a/src/bom-testing/build.gradle.kts b/src/bom-testing/build.gradle.kts
index 62af8d9d0e6..a79455bce90 100644
--- a/src/bom-testing/build.gradle.kts
+++ b/src/bom-testing/build.gradle.kts
@@ -44,9 +44,9 @@ dependencies {
         api("net.bytebuddy:byte-buddy:1.17.8")
         api("nl.jqno.equalsverifier:equalsverifier:4.3")
         // activemq-all should not be used as it provides secondary slf4j binding
-        api("org.apache.activemq:activemq-broker:6.2.0")
-        api("org.apache.activemq:activemq-client:6.2.0")
-        api("org.apache.activemq:activemq-spring:6.2.0")
+        api("org.apache.activemq:activemq-broker:6.2.6")
+        api("org.apache.activemq:activemq-client:6.2.6")
+        api("org.apache.activemq:activemq-spring:6.2.6")
         api("org.apache.ftpserver:ftplet-api:1.2.1")
         api("org.apache.ftpserver:ftpserver-core:1.2.1")
         api("org.apache.mina:mina-core:2.2.5")

From 1270596b5e3092707ea4bc6bcf5c92683b459495 Mon Sep 17 00:00:00 2001
From: Vladimir Sitnikov <sitnikov.vladimir@gmail.com>
Date: Wed, 3 Jun 2026 10:29:52 +0300
Subject: [PATCH 4/4] fix(deps): update org.apache.mina to v2.2.8

Bump mina-core (test scope) from 2.2.5 to 2.2.8, the latest stable 2.x release. Verification metadata is unchanged: mina is test-only and already covered by a trusted PGP key.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 src/bom-testing/build.gradle.kts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/bom-testing/build.gradle.kts b/src/bom-testing/build.gradle.kts
index a79455bce90..d7d81cb21c2 100644
--- a/src/bom-testing/build.gradle.kts
+++ b/src/bom-testing/build.gradle.kts
@@ -49,7 +49,7 @@ dependencies {
         api("org.apache.activemq:activemq-spring:6.2.6")
         api("org.apache.ftpserver:ftplet-api:1.2.1")
         api("org.apache.ftpserver:ftpserver-core:1.2.1")
-        api("org.apache.mina:mina-core:2.2.5")
+        api("org.apache.mina:mina-core:2.2.8")
         api("org.hamcrest:hamcrest-core:3.0")
         api("org.hamcrest:hamcrest-library:3.0")
         api("org.hamcrest:hamcrest:3.0")