chore: [DevOps] bump the production-minor-patch group with 5 updates

[dependabot]

Bumps the production-minor-patch group with 5 updates:

Package	From	To
com.sap.cloud.sdk:sdk-bom	5.30.0	5.31.0
io.projectreactor:reactor-core	3.8.5	3.8.6
io.micrometer:micrometer-core	1.16.5	1.17.0
io.micrometer:micrometer-observation	1.16.5	1.17.0
org.springframework.boot:spring-boot-dependencies	3.5.14	3.5.15

Updates com.sap.cloud.sdk:sdk-bom from 5.30.0 to 5.31.0

Release notes

Sourced from com.sap.cloud.sdk:sdk-bom's releases.

Release 5.31.0

5.31.0 - June 10, 2026

All Release Changes

✨ New Functionality

• OAuth token requests to IAS now attempt to dynamically resolve the IAS tenant host, if not given. When the current tenant does not contain a subdomain, and the IAS service binding contains the property btp-tenant-api, then an HTTP call to that URL is performed to obtain the IAS tenant host.

📈 Improvements

• (Generic OData Client) Allow for parameters in OData v4 expand sub-queries.

What's Changed

• chore: Update netty versions by @​Jonas-Isr in SAP/cloud-sdk-java#1171
• chore: [DevOps] bump the test group with 4 updates by @​dependabot[bot] in SAP/cloud-sdk-java#1176
• chore: [DevOps] bump the production-minor-patch group with 10 updates by @​dependabot[bot] in SAP/cloud-sdk-java#1175
• [IAS] Dynamically Resolve IAS Host On-Demand by @​MatKuhr in SAP/cloud-sdk-java#1177
• fix: [OData Generic] Enable query params on odatav4 expand by @​newtork in SAP/cloud-sdk-java#1181
• chore: Set permissions for GH workflows explicitly by @​Jonas-Isr in SAP/cloud-sdk-java#1182
• chore: [DevOps] bump the test group with 4 updates by @​dependabot[bot] in SAP/cloud-sdk-java#1193
• chore: [DevOps] bump org.apache.maven.plugins:maven-dependency-plugin from 3.10.0 to 3.11.0 in the plugins group by @​dependabot[bot] in SAP/cloud-sdk-java#1192
• chore: [DevOps] bump slackapi/slack-github-action from 3.0.2 to 3.0.3 in the github-actions group by @​dependabot[bot] in SAP/cloud-sdk-java#1189
• fix: [OpenAPI] Api client method with oneOf primitive param stays simplified in OpenAPI generator 7.22.0 by @​CharlesDuboisSAP in SAP/cloud-sdk-java#1179
• chore: [DevOps] bump the production-minor-patch group across 1 directory with 13 updates by @​dependabot[bot] in SAP/cloud-sdk-java#1194
• chore: [DevOps] bump org.json:json from 20251224 to 20260522 in the production-major group by @​dependabot[bot] in SAP/cloud-sdk-java#1191
• chore: [DevOps] Update Jackson to 2.22.0 by @​rpanackal in SAP/cloud-sdk-java#1195
• chore: [DevOps] bump net.bytebuddy:byte-buddy from 1.18.9 to 1.18.10 in the test group by @​dependabot[bot] in SAP/cloud-sdk-java#1200
• chore: [DevOps] bump org.jacoco:jacoco-maven-plugin from 0.8.14 to 0.8.15 in the plugins group by @​dependabot[bot] in SAP/cloud-sdk-java#1199
• chore: [DevOps] bump the production-minor-patch group with 2 updates by @​dependabot[bot] in SAP/cloud-sdk-java#1198
• fix: [Connectivity] Change (almost) all JKS usage to PKCS12 by @​rpanackal in SAP/cloud-sdk-java#1185

Full Changelog: https://github.com/SAP/cloud-sdk-java/commits/rel/5.31.0

Commits

• e92c7cb Update to version 5.31.0
• 59ff59f fix: [Connectivity] Change (almost) all JKS usage to PKCS12 (#1185)
• 1f54450 chore: [DevOps] bump the production-minor-patch group with 2 updates (#1198)
• ce2edb0 chore: [DevOps] bump org.jacoco:jacoco-maven-plugin from 0.8.14 to 0.8.15 in ...
• a568465 chore: [DevOps] bump net.bytebuddy:byte-buddy from 1.18.9 to 1.18.10 in the t...
• 65c23fe chore: [DevOps] Update Jackson to 2.22.0 (#1195)
• 0691c51 chore: [DevOps] bump org.json:json from 20251224 to 20260522 in the productio...
• f5480c9 chore: [DevOps] bump the production-minor-patch group across 1 directory with...
• 11c7bcd fix: [OpenAPI] Api client method with oneOf primitive param stays simplified ...
• fd2cdb7 chore: [DevOps] bump slackapi/slack-github-action from 3.0.2 to 3.0.3 in the ...
• Additional commits viewable in compare view

Updates io.projectreactor:reactor-core from 3.8.5 to 3.8.6

Release notes

Sourced from io.projectreactor:reactor-core's releases.

v3.8.6

Reactor Core 3.8.6 is part of the 2025.0.6 Release Train.

What's Changed

✨ New features and improvements

• Bump ByteBuddy from 1.18.8 to 1.18.10 by @​dependabot[bot] in #4260
• Bump BlockHound from 1.0.16.RELEASE to 1.0.17.RELEASE by @​violetagg in edccbec5931696eb68f2323d568a5c584730a15f
• Depend on Micrometer v1.16.6 by @​violetagg in edccbec5931696eb68f2323d568a5c584730a15f
• Depend on Micrometer Tracing v1.6.6 by @​violetagg in edccbec5931696eb68f2323d568a5c584730a15f

📖 Documentation

• Preserve nullability annotations in Javadoc by @​chemicL in #4242
• Swap javadoc.io for jspecify.dev for JSpecify links by @​chemicL in #4251
• Modernize Antora setup by @​chemicL in #4262
• Fix an outdated link in the Mono class javadoc by @​RenanMarques in #4206

New Contributors

• @​RenanMarques made their first contribution in #4206

Full Changelog: reactor/reactor-core@v3.8.5...v3.8.6

Commits

• edccbec [release] Prepare and release 3.8.6
• 5c0d5f9 Merge-ignore release 3.7.19 into 3.8.6
• 1c7af05 [release] Next development version 3.7.20-SNAPSHOT
• c84e170 [release] Prepare and release 3.7.19
• 9ea8793 [doc] Fix an outdated link in the Mono class javadoc (#4206)
• 60752ef Merge #4265 into 3.8.6
• e3ea874 Bump com.gradle.shadow from 8.3.7 to 9.4.2 (#4265)
• 5822ae6 Merge #4263 into 3.8.6
• 00c7b5a Bump actions/checkout from 6.0.2 to 6.0.3 in /.github/workflows (#4263)
• fbed057 Bump com.uber.nullaway:nullaway from 0.13.4 to 0.13.5 (#4261)
• Additional commits viewable in compare view

Updates io.micrometer:micrometer-core from 1.16.5 to 1.17.0

Release notes

Sourced from io.micrometer:micrometer-core's releases.

1.17.0

See also the 1.17 migration guide and the release notes for 1.17.0-RC1, 1.17.0-M3, 1.17.0-M2, 1.17.0-M1.

🐞 Bug Fixes

• ArrayIndexOutOfBoundsException when using LongTaskTimer #3877
• Jetty 12's TimedHandler marks some requests with outcome UNKNOWN #7276
• MeterRegistry closes HighCardinalityTagsDetector twice if the registry is closed twice #7409
• Reduce allocation in HTTP server instrumentation #7580
• Reduce allocation in gRPC server convention #7581

📔 Documentation

• Clarify time series produced by LongTaskTimer when using Prometheus #6507
• Document metrics that need to close the MeterBinder #4624
• Multigauge Documentation lacks overwrite=true #4403

🔨 Dependency Upgrades

• Bump com.dynatrace.metric.util:dynatrace-metric-utils-java from 2.4.0 to 2.5.0 #7452
• Bump com.google.auth:google-auth-library-oauth2-http from 1.43.0 to 1.48.0 #7397
• Bump com.google.cloud:google-cloud-monitoring from 3.89.0 to 3.94.0 #7398
• Bump com.google.cloud:libraries-bom from 26.79.0 to 26.83.0 #7497
• Bump com.netflix.spectator:spectator-reg-atlas from 1.9.6 to 1.9.9 #7552
• Bump dropwizard-metrics from 4.2.38 to 4.2.39 #7527
• Bump io.prometheus:prometheus-metrics-bom from 1.5.1 to 1.7.0 #7572
• Bump software.amazon.awssdk:cloudwatch from 2.42.32 to 2.46.4 #7494

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​blaspat, @​codingkiddo, @​izeye, @​jewoodev, and @​schiemon

1.17.0-RC1

⭐ New Features

• Add meter for ForkJoinPool#getDelayedTaskCount #6381
• Add support for JDK 26's MemoryPoolMXBean.getTotalGcCpuTime() #7245
• Clear the state of the ObservationValidator #7337
• Improve exemplars sizing and add exemplarsSize config #7324
• Log warning when a registry is added to composite after meter registration #6908
• Treat OkHttp Request as non-nullable #7388
• Validate Observation.Scope closing when using TestObservationRegistry #6329

🐞 Bug Fixes

• Invalid reflection hint in micrometer-core for native GraalVM 25 build #7316
• ObservationGrpcClientInterceptor throws NPE when NameResolver returns empty authority #7380

... (truncated)

Commits

• 8466fea Merge branch '1.16.x'
• fa2ed32 Merge branch '1.15.x' into 1.16.x
• dc2e5e2 Reduce allocation in gRPC server convention
• 36da131 Reduce allocation in HTTP server instrumentation
• 9591cb4 Bump com.uber.nullaway:nullaway from 0.13.5 to 0.13.6 (#7575)
• 7a92a44 Bump software.amazon.awssdk:cloudwatch from 2.46.3 to 2.46.4 (#7576)
• e11e7c6 Merge branch '1.16.x'
• d8e8bcb Merge branch '1.15.x' into 1.16.x
• cf6ac02 Reduce flakiness of PushMeterRegistryTest (#7574)
• d74759a Bump com.google.cloud:google-cloud-monitoring from 3.93.0 to 3.94.0 (#7573)
• Additional commits viewable in compare view

Updates io.micrometer:micrometer-observation from 1.16.5 to 1.17.0

Release notes

Sourced from io.micrometer:micrometer-observation's releases.

1.17.0

See also the 1.17 migration guide and the release notes for 1.17.0-RC1, 1.17.0-M3, 1.17.0-M2, 1.17.0-M1.

🐞 Bug Fixes

• ArrayIndexOutOfBoundsException when using LongTaskTimer #3877
• Jetty 12's TimedHandler marks some requests with outcome UNKNOWN #7276
• MeterRegistry closes HighCardinalityTagsDetector twice if the registry is closed twice #7409
• Reduce allocation in HTTP server instrumentation #7580
• Reduce allocation in gRPC server convention #7581

📔 Documentation

• Clarify time series produced by LongTaskTimer when using Prometheus #6507
• Document metrics that need to close the MeterBinder #4624
• Multigauge Documentation lacks overwrite=true #4403

🔨 Dependency Upgrades

• Bump com.dynatrace.metric.util:dynatrace-metric-utils-java from 2.4.0 to 2.5.0 #7452
• Bump com.google.auth:google-auth-library-oauth2-http from 1.43.0 to 1.48.0 #7397
• Bump com.google.cloud:google-cloud-monitoring from 3.89.0 to 3.94.0 #7398
• Bump com.google.cloud:libraries-bom from 26.79.0 to 26.83.0 #7497
• Bump com.netflix.spectator:spectator-reg-atlas from 1.9.6 to 1.9.9 #7552
• Bump dropwizard-metrics from 4.2.38 to 4.2.39 #7527
• Bump io.prometheus:prometheus-metrics-bom from 1.5.1 to 1.7.0 #7572
• Bump software.amazon.awssdk:cloudwatch from 2.42.32 to 2.46.4 #7494

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​blaspat, @​codingkiddo, @​izeye, @​jewoodev, and @​schiemon

1.17.0-RC1

⭐ New Features

• Add meter for ForkJoinPool#getDelayedTaskCount #6381
• Add support for JDK 26's MemoryPoolMXBean.getTotalGcCpuTime() #7245
• Clear the state of the ObservationValidator #7337
• Improve exemplars sizing and add exemplarsSize config #7324
• Log warning when a registry is added to composite after meter registration #6908
• Treat OkHttp Request as non-nullable #7388
• Validate Observation.Scope closing when using TestObservationRegistry #6329

🐞 Bug Fixes

• Invalid reflection hint in micrometer-core for native GraalVM 25 build #7316
• ObservationGrpcClientInterceptor throws NPE when NameResolver returns empty authority #7380

... (truncated)

Commits

• 8466fea Merge branch '1.16.x'
• fa2ed32 Merge branch '1.15.x' into 1.16.x
• dc2e5e2 Reduce allocation in gRPC server convention
• 36da131 Reduce allocation in HTTP server instrumentation
• 9591cb4 Bump com.uber.nullaway:nullaway from 0.13.5 to 0.13.6 (#7575)
• 7a92a44 Bump software.amazon.awssdk:cloudwatch from 2.46.3 to 2.46.4 (#7576)
• e11e7c6 Merge branch '1.16.x'
• d8e8bcb Merge branch '1.15.x' into 1.16.x
• cf6ac02 Reduce flakiness of PushMeterRegistryTest (#7574)
• d74759a Bump com.google.cloud:google-cloud-monitoring from 3.93.0 to 3.94.0 (#7573)
• Additional commits viewable in compare view

Updates io.micrometer:micrometer-observation from 1.16.5 to 1.17.0

Release notes

Sourced from io.micrometer:micrometer-observation's releases.

1.17.0

See also the 1.17 migration guide and the release notes for 1.17.0-RC1, 1.17.0-M3, 1.17.0-M2, 1.17.0-M1.

🐞 Bug Fixes

• ArrayIndexOutOfBoundsException when using LongTaskTimer #3877
• Jetty 12's TimedHandler marks some requests with outcome UNKNOWN #7276
• MeterRegistry closes HighCardinalityTagsDetector twice if the registry is closed twice #7409
• Reduce allocation in HTTP server instrumentation #7580
• Reduce allocation in gRPC server convention #7581

📔 Documentation

• Clarify time series produced by LongTaskTimer when using Prometheus #6507
• Document metrics that need to close the MeterBinder #4624
• Multigauge Documentation lacks overwrite=true #4403

🔨 Dependency Upgrades

• Bump com.dynatrace.metric.util:dynatrace-metric-utils-java from 2.4.0 to 2.5.0 #7452
• Bump com.google.auth:google-auth-library-oauth2-http from 1.43.0 to 1.48.0 #7397
• Bump com.google.cloud:google-cloud-monitoring from 3.89.0 to 3.94.0 #7398
• Bump com.google.cloud:libraries-bom from 26.79.0 to 26.83.0 #7497
• Bump com.netflix.spectator:spectator-reg-atlas from 1.9.6 to 1.9.9 #7552
• Bump dropwizard-metrics from 4.2.38 to 4.2.39 #7527
• Bump io.prometheus:prometheus-metrics-bom from 1.5.1 to 1.7.0 #7572
• Bump software.amazon.awssdk:cloudwatch from 2.42.32 to 2.46.4 #7494

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​blaspat, @​codingkiddo, @​izeye, @​jewoodev, and @​schiemon

1.17.0-RC1

⭐ New Features

• Add meter for ForkJoinPool#getDelayedTaskCount #6381
• Add support for JDK 26's MemoryPoolMXBean.getTotalGcCpuTime() #7245
• Clear the state of the ObservationValidator #7337
• Improve exemplars sizing and add exemplarsSize config #7324
• Log warning when a registry is added to composite after meter registration #6908
• Treat OkHttp Request as non-nullable #7388
• Validate Observation.Scope closing when using TestObservationRegistry #6329

🐞 Bug Fixes

• Invalid reflection hint in micrometer-core for native GraalVM 25 build #7316
• ObservationGrpcClientInterceptor throws NPE when NameResolver returns empty authority #7380

... (truncated)

Commits

• 8466fea Merge branch '1.16.x'
• fa2ed32 Merge branch '1.15.x' into 1.16.x
• dc2e5e2 Reduce allocation in gRPC server convention
• 36da131 Reduce allocation in HTTP server instrumentation
• 9591cb4 Bump com.uber.nullaway:nullaway from 0.13.5 to 0.13.6 (#7575)
• 7a92a44 Bump software.amazon.awssdk:cloudwatch from 2.46.3 to 2.46.4 (#7576)
• e11e7c6 Merge branch '1.16.x'
• d8e8bcb Merge branch '1.15.x' into 1.16.x
• cf6ac02 Reduce flakiness of PushMeterRegistryTest (#7574)
• d74759a Bump com.google.cloud:google-cloud-monitoring from 3.93.0 to 3.94.0 (#7573)
• Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-dependencies from 3.5.14 to 3.5.15

Release notes

Sourced from org.springframework.boot:spring-boot-dependencies's releases.

v3.5.15

🐞 Bug Fixes

• Artemis auto-configuration uses a predictable default location for the embedded broker's data #50743
• MailSender auto-configuration does not enable hostname verification #50742
• SSL should not be enabled when a SSL bundle is overridden to an empty string #50624
• Layer written outside the output location of '//' exception is thrown when using extract layers in root directory #50501
• Docker Compose support does not restore thread interrupt flag when catching InterruptedException #50451
• RabbitProperties enables SSL even when spring.rabbitmq.ssl.bundle is overridden to an empty string #50429
• GraphQL WebSocket support does not configure allowed origins #50391
• Buildpack module does not validate long-to-int casts #50382
• MappingsEndpoint reports the context's own ID as parentId when a parent exists #50373
• Created StackTracePrinter instances have no access to the Environment #50303
• NullPointerException in reactor-netty SniProvider when SSL bundle uses client-auth or server truststore without server-name-bundles #50301
• Spring Boot Loader Does Not Support RSA and EC Signed Jars #50292
• ConfigurationPropertiesReportEndpoint exposes AOP proxy internals #50273
• Actuator's '/cloudfoundryapplication' endpoint does not work if restrictive CORS configuration is provided using a bean named corsConfigurationSource #50254
• Meter registries are not removed from the global registry when the context is closed #50235
• ThreadPoolTaskScheduleBuilder unnecessarily loses precision when configuring await termination time #50225
• Apply HTML escaping to timestamp attribute in Whitelabel error page #50205
• NimbusJwtDecoder silently accepts unknown values for spring.security.oauth2.resourceserver.jwt.jws-algorithms #50118
• EndpointRequest links matcher unnecessarily matches HTTP methods other than GET #50095

📔 Documentation

• Fix reference to Gradle documentation for module replacement #50641
• Remove the use of Optional from Data Neo4j repository examples #50600
• Fix typos in documentation #50593
• Document Java 25 requirement for AOT cache #50482
• Clarify dependency requirement for Bean Validation support #50290
• Document SSL reloading with Let's Encrypt #50222
• Polish InvalidConfigurationPropertyValueException constructor javadoc #50212
• Document known testcontainers lifecycle issues #50210
• Document configuring multiple connectors with Jetty #50206
• Fix typo in Spring Security OAuth2 client registration documentation #50193

🔨 Dependency Upgrades

• Upgrade to Caffeine 3.2.4 #50308
• Upgrade to Cassandra Driver 4.19.3 #50670
• Upgrade to Glassfish JAXB 4.0.9 #50671
• Upgrade to Groovy 4.0.32 #50310
• Upgrade to Hibernate 6.6.53.Final #50721
• Upgrade to Jackson Bom 2.21.4 #50673
• Upgrade to Jakarta Json Bind 3.0.2 #50674
• Upgrade to Jakarta XML Bind 4.0.5 #50313
• Upgrade to Jaxen 2.0.6 #50722
• Upgrade to Jetty 12.0.36 #50676
• Upgrade to Jetty Reactive HTTPClient 4.0.14 #50723
• Upgrade to jOOQ 3.19.35 #50724

... (truncated)

Commits

• c069bce Release v3.5.15
• b068647 Upgrade to Spring Integration 6.5.9
• 327bef3 Enable hostname verification by default in Mail auto-config
• 4218bd7 Fix predictable temp directory in Artemis embedded configuration
• b2a67be Upgrade to Spring GraphQL 1.4.6
• 54ef8d3 Upgrade to Spring Batch 5.2.6
• d3f60fe Upgrade to Spring WS 4.1.4
• 28d4ae8 Upgrade to Spring Session 3.5.7
• 190c452 Upgrade to Spring Security 6.5.11
• 34e7b58 Upgrade to Spring Pulsar 1.2.18
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions