chore(deps): bump the observability group across 1 directory with 2 updates

[dependabot]

Bumps the observability group with 2 updates in the / directory: ch.qos.logback:logback-classic and net.logstash.logback:logstash-logback-encoder.

Updates ch.qos.logback:logback-classic from 1.5.32 to 1.5.33

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.33

2026-05-27 Release of logback version 1.5.33

• PropertiesConfiguratorModelHandler now registers properties file URLs to the ConfigurationWatchList when scan is enabled (via local scan="true" attribute or top-level configuration scan), ensuring changes are detected and reconfiguration occurs. This problem was reported in issues/1034.

• When processing <conversionRule> elements and both class and converterClass attributes are specified, silently use the class attribute without issuing a warning. However, if the attribute values differ, a warning will be issued. This change was requested in issues/1031.

• HardenedModelInputStream will no longer accept to deserialize all classes located under the "java.lang" and "java.util" packages but a limited number of explicitly authorized classes in those packages. This potential deserialization whitelist bypass vulnerability was reported by York Shen and registered as CVE-2026-9828.

• SSL parameters for SSLSocketAppender now enable hostname verification by default. Moreover, the default protocol is now "TLSv1.2". This potential vulnerability was reported by York Shen.

• When printing the status message field, ViewStatusMessagesServletBase now escapes special characters such as "&" as character entities. This potential vulnerability was reported by York Shen.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 124e8b49b55ac34d08743a0646bd463410192647 associated with the tag v_1.5.33. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Commits

• 124e8b4 prepare release 1.5.33
• d8fd6f2 escapeTags in message field when printing status messages
• 95edbeb hostnameVerification default to true in SSLParametersConfiguration, SSL.DEFAU...
• b768a96 remove spurious java.swing.* import
• 12cf2c5 classes in java.lang and java.util are now whitelisted individually
• e9133ed fix typo
• 47089a2 added Filip Egeric icla
• 85735f7 Modified ConversionRuleAction.java: Updated validPreconditions() to
• 614f7a7 the official name for initial instructions file foe coding agents is AGENTS.md
• fe50bb5 fix: do not warn when both converterClass and class attributes are specified ...
• Additional commits viewable in compare view

Updates net.logstash.logback:logstash-logback-encoder from 8.1 to 9.0

Release notes

Sourced from net.logstash.logback:logstash-logback-encoder's releases.

logstash-logback-encoder-9.0

This major release migrates to Jackson 3, and bumps the minimum Java version to 17.

The migration to Jackson 3 introduced some backwards incompatibilities. See #1095 for upgrade details.

Special thanks to new contributors @​tommyulfsparre, @​patrickjbarry, and @​maxxedev!

What's Changed

⚠️ Update considerations and deprecations

• Bump minimum version of Java to 17 by @​philsttr in logfellow/logstash-logback-encoder#1088
• Migrate to Jackson 3 by @​philsttr in logfellow/logstash-logback-encoder#1095

✨ New features and improvements

• Add ability to suppress messages from stacktrace by @​patrickjbarry in logfellow/logstash-logback-encoder#1104
• Make it possible to pretty print throwables as array of strings. by @​maxxedev in logfellow/logstash-logback-encoder#1043

🐞 Bug fixes

• Allow setting droppedWarnFrequency=0 to disable logging dropped message warnings by @​tommyulfsparre in logfellow/logstash-logback-encoder#1086
• Fix flaky flushWithNullOutputStream test by @​philsttr in logfellow/logstash-logback-encoder#1101

📖 Documentation, Tests and Build

• Migrate artifact publishing to Maven Central Portal by @​philsttr in logfellow/logstash-logback-encoder#1090
• Switch release flow to manual GitHub action trigger by @​philsttr in logfellow/logstash-logback-encoder#1091
• Bump CodeQL action to v3 by @​philsttr in logfellow/logstash-logback-encoder#1102
• Bump maven to 3.9.11 by @​philsttr in logfellow/logstash-logback-encoder#1103
• Document Thread and ThreadLocal cleanup by @​philsttr in logfellow/logstash-logback-encoder#1105

🆙 Dependency Upgrades

• Bump org.junit:junit-bom from 5.12.1 to 6.0.0 by @​dependabot[bot] in logfellow/logstash-logback-encoder#1085
• Bump org.jacoco:jacoco-maven-plugin from 0.8.12 to 0.8.13 by @​dependabot[bot] in logfellow/logstash-logback-encoder#1066
• Bump mockito.version from 5.16.1 to 5.20.0 by @​dependabot[bot] in logfellow/logstash-logback-encoder#1067
• Bump org.apache.felix:maven-bundle-plugin from 5.1.9 to 6.0.0 by @​dependabot[bot] in logfellow/logstash-logback-encoder#1068
• Upgrade various dependencies and plugins by @​philsttr in logfellow/logstash-logback-encoder#1089
• Bump org.jacoco:jacoco-maven-plugin from 0.8.13 to 0.8.14 by @​dependabot[bot] in logfellow/logstash-logback-encoder#1092
• Bump com.puppycrawl.tools:checkstyle from 12.0.0 to 12.0.1 by @​dependabot[bot] in logfellow/logstash-logback-encoder#1093
• Upgrade lmax disruptor to 4.0.0 by @​philsttr in logfellow/logstash-logback-encoder#1096
• Bump org.codehaus.mojo:xml-maven-plugin from 1.1.0 to 1.2.0 by @​dependabot[bot] in logfellow/logstash-logback-encoder#1098
• Bump com.puppycrawl.tools:checkstyle from 12.0.1 to 12.1.0 by @​dependabot[bot] in logfellow/logstash-logback-encoder#1099
• Bump tools.jackson:jackson-bom from 3.0.0 to 3.0.1 by @​dependabot[bot] in logfellow/logstash-logback-encoder#1100
• Bump logback-core.version from 1.5.19 to 1.5.20 by @​dependabot[bot] in logfellow/logstash-logback-encoder#1097

New Contributors

• @​patrickjbarry made their first contribution in logfellow/logstash-logback-encoder#1104
• @​tommyulfsparre made their first contribution in logfellow/logstash-logback-encoder#1086
• @​maxxedev made their first contribution in logfellow/logstash-logback-encoder#1043

Full Changelog: logfellow/logstash-logback-encoder@logstash-logback-encoder-8.1...logstash-logback-encoder-9.0

Commits

• e8a1c8e [maven-release-plugin] prepare release logstash-logback-encoder-9.0
• eecb205 Add link to discussions in contributing.md
• 572543c fix build badge in readme
• c64b998 Use alert at top of readme
• f74c821 Make it possible to pretty print throwables as array of strings. (#1043)
• 358f644 Document Thread and ThreadLocal cleanup (#1105)
• 0d553cf Add ability to suppress messages from stacktrace (#1104)
• c9318cd Bump maven to 3.9.11 (#1103)
• ef58694 Bump codeql action to v3 (#1102)
• 3059741 Bump logback-core.version from 1.5.19 to 1.5.20 (#1097)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.