
Bump com.github.spotbugs:spotbugs from 4.9.8 to 4.10.1 #472

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/maven/com.github.spotbugs-spotbugs-4.10.1
Conversation

dependabot[bot] commented on behalf of github on Jun 9, 2026

Bumps com.github.spotbugs:spotbugs from 4.9.8 to 4.10.1.

Release notes

Sourced from com.github.spotbugs:spotbugs's releases.

4.10.1

SpotBugs 4.10.1

Note

SpotBugs 4.10.0 was superseded by 4.10.1 due to a release issue. Users should use 4.10.1. See the discussion below for additional details:

spotbugs/spotbugs#4155

CHANGELOG

CHECKSUM


4.10.0

Note: SpotBugs 4.10.0 has been superseded by 4.10.1 due to a release issue. Please use 4.10.1 instead. See spotbugs/spotbugs#4155

SpotBugs 4.10.0-SNAPSHOT

CHANGELOG

Refactor

  • Move internal usage of 'javax.annotation.Nonnull' to 'jakarta.annotation.NonNull'. (#3858)
  • Move internal usage of 'javax.annotation.Nullable' to 'jakarta.annotation.Nullable'. (#3861)
  • Renamed methods from edu.umd.cs.findbugs.SwitchHandler to reflect that they return a PC, not an offset (#3869)
  • Make the progress bar more visually appealing by adding some borders (#3896)
  • Reuse DismantleBytecode.isIf introduced in (#3869)

Added

... (truncated)

Changelog

Sourced from com.github.spotbugs:spotbugs's changelog.

4.10.1 - 2026-06-08

  • 4.10.0 was not released due to a release process error (artifacts were built from a -SNAPSHOT version). 4.10.1 is the corrected release and contains the intended 4.10.0 contents.

4.10.0 - 2026-06-07

Refactor

  • Move internal usage of 'javax.annotation.Nonnull' to 'jakarta.annotation.NonNull'. (#3858)
  • Move internal usage of 'javax.annotation.Nullable' to 'jakarta.annotation.Nullable'. (#3861)
  • Renamed methods from edu.umd.cs.findbugs.SwitchHandler to reflect that they return a PC, not an offset (#3869)
  • Make the progress bar more visually appealing by adding some borders (#3896)
  • Reuse DismantleBytecode.isIf introduced in (#3869)

Added

  • Add partial support for org.jspecify.annotations.Nullable, org.jspecify.annotations.NonNull, org.jspecify.annotations.NullUnmarked and org.jspecify.annotations.NullMarked annotations. These are aliased to the closest existing SpotBugs nullness annotations. This is not a complete implementation of the JSpecify spec; scope-level semantics of @NullMarked and @NullUnmarked are not yet supported. (#3996)
  • Recognize jakarta.annotation.Nonnull and jakarta.annotation.Nullable (#3780)
  • Detect use of sun.misc.Unsafe and jdk.internal.misc.Unsafe (#3804)
  • New bug type is introduced: NCR_NOT_PROPERLY_CHECKED_READ. Improper validation of the return value from the read() method in InputStream and Reader classes may result in an array not being fully filled. (#3766)
  • New detector FindImproperSynchronization and introduced new bug types:
    • USO_UNSAFE_METHOD_SYNCHRONIZATION is reported when using synchronized methods with the class' accessible intrinsic lock,
    • USO_UNSAFE_STATIC_METHOD_SYNCHRONIZATION is reported when using static synchronized methods with the class' exposed intrinsic lock,
    • USO_UNSAFE_OBJECT_SYNCHRONIZATION is reported when the lock used for synchronization is visible from the outside,
    • USO_UNSAFE_ACCESSIBLE_OBJECT_SYNCHRONIZATION is reported when the lock used for synchronization is made accessible, with methods that update or return the lock, to the outside,
    • USO_UNSAFE_INHERITABLE_OBJECT_SYNCHRONIZATION is reported when the lock used for synchronization can be altered by subclasses,
    • USO_UNSAFE_EXPOSED_OBJECT_SYNCHRONIZATION is reported when the lock used for synchronization is later exposed in the subclasses.
    • USBC_UNSAFE_SYNCHRONIZATION_WITH_BACKING_COLLECTION is reported when the backing collection of a lock is visible from the outside,
    • USBC_UNSAFE_SYNCHRONIZATION_WITH_ACCESSIBLE_BACKING_COLLECTION is reported when the backing collection of a lock is made accessible, with methods that update or return the lock, to the outside,
    • USBC_UNSAFE_SYNCHRONIZATION_WITH_INHERITABLE_BACKING_COLLECTION is reported when the backing collection of a lock can be altered by subclasses. (See SEI CERT rule LCK00-J and SEI CERT rule LCK04-J)
  • New detector FindIncreasedAccessibilityOfMethods for new bug type IAOM_DO_NOT_INCREASE_METHOD_ACCESSIBILITY. This detector reports a bug if a class increases the accessibility of overridden or hidden methods. (See SEI CERT rule MET04-J)

Fixed

  • Fix DM_STRING_TOSTRING false negative when toString() is chained before a method call (e.g., s.toString().toLowerCase()); multiple occurrences in the same method are now all reported (#3966)
  • Stop exposing JUnit BOM as a transitive dependency to consumers (#3908)
  • Fix incorrect bug counts and sizes when unioning reports (#3721)
  • Classes containing only methods throwing UnsupportedOperationException with setter-like names are no longer considered as mutable (#1601)
  • Enhanced SARIF output with full description sections - adding markdown is still an open issue (#2339)
  • Added missing null check to MultipleInstantiationsOfSingletons detector (#3823)
  • Fix invalid syntax in findbugsfilter.xsd (#3832)
  • Fix CT_CONSTRUCTOR_THROW FP with public and private constructors (#3822)
  • Fix tool name in usage info (#3847)
  • Fix the building of relative chains of ./././ in filenames in fbp files (#3852)
  • Fix IllegalArgumentException initializing spotbugs when inside a fat jar on Java 25 (#3875)
  • Do not report DM_DEFAULT_ENCODING for classes compiled with target >= 18 (#3866)
  • Fix FS_BAD_DATE_FORMAT_FLAG_COMBO not suppressed by field-level annotation (#3838)
  • Fix SF_SWITCH_FALLTHROUGH false positives (#3767)
  • Recognize well-known exception-throwing utility methods when looking for exceptions thrown from constructors (#3821)
  • Fix RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE false negative when non-null value is on the left side of null comparison (#3920)
  • Fix IM_BAD_CHECK_FOR_ODD false negative when using Yoda-style comparison (1 == i % 2) (#3886)
  • Fix PluginLoader.close() to continue closing all URLClassLoaders when one close operation fails, suppressing subsequent IOExceptions. (#3958)
  • Fix broken bugDescriptions.html#TYPE links by restoring legacy bug type anchors in generated docs (#2113)
  • Fix EI_EXPOSE_REP false negative in package-private classes that expose mutable state through methods overriding a public super-type (#4027)

... (truncated)

Commits
  • 7460889 release v4.10.1
  • f6c4597 prepare for next release
  • 6e64d99 release v4.10.0
  • 73a6f59 feat: add partial JSpecify annotations support (from PR #3142) (#3996)
  • 85a0cba Add targeted tests for UI launch and class feature transformations (#4153)
  • 3404e1d Raise SpotBugs core coverage with focused unit tests for previously untested ...
  • 654c208 Add VS Code link to README
  • 70e5d15 Clarify detector-fix guidance for Copilot agents (#4151)
  • d6db565 chore(build): Update comments for commons-compress version details (#4150)
  • 9d7cc2f Update dependency jaxen:jaxen to v2.0.6 (#4145)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
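
The changelog entry for NCR_NOT_PROPERLY_CHECKED_READ describes a `read()` call whose return value is not validated, leaving the array only partly filled. The Java sketch below is an added example, not code from SpotBugs or from this repository; it shows that pattern beside a checked loop. The class name `CheckedReadDemo`, its helper methods and the sample bytes are constructed for illustration, and the page does not say whether the detector flags this exact code.

```java
import java.io.ByteArrayInputStream;
import java.io.EOFException;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;

public class CheckedReadDemo {

    /** Constructed stream that returns at most 3 bytes per read(), as a socket or pipe may. */
    static InputStream chunked(byte[] data) {
        return new FilterInputStream(new ByteArrayInputStream(data)) {
            @Override
            public int read(byte[] b, int off, int len) throws IOException {
                return super.read(b, off, Math.min(len, 3));
            }
        };
    }

    /** Unchecked pattern: the return value of read() is ignored. */
    static byte[] readUnchecked(InputStream in, int n) throws IOException {
        byte[] buf = new byte[n];
        in.read(buf); // may fill only part of buf; the rest keeps its zero default
        return buf;
    }

    /** Checked pattern: loop until n bytes have arrived, fail on early end of stream. */
    static byte[] readFully(InputStream in, int n) throws IOException {
        byte[] buf = new byte[n];
        int off = 0;
        while (off < n) {
            int r = in.read(buf, off, n - off);
            if (r < 0) {
                throw new EOFException("expected " + n + " bytes, got " + off);
            }
            off += r;
        }
        return buf;
    }

    public static void main(String[] args) throws IOException {
        byte[] token = {1, 2, 3, 4, 5, 6, 7, 8}; // constructed sample input
        System.out.println(Arrays.toString(readUnchecked(chunked(token), 8)));
        System.out.println(Arrays.toString(readFully(chunked(token), 8)));
        try {
            readFully(chunked(token), 16); // stream ends before 16 bytes arrive
        } catch (EOFException e) {
            System.out.println("rejected short input: " + e.getMessage());
        }
    }
}
```

When the buffer holds a length-prefixed record, a token or key material, the unchecked variant silently processes a value padded with default bytes instead of failing.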

Bumps [com.github.spotbugs:spotbugs](https://github.com/spotbugs/spotbugs) from 4.9.8 to 4.10.1.
- [Release notes](https://github.com/spotbugs/spotbugs/releases)
- [Changelog](https://github.com/spotbugs/spotbugs/blob/master/CHANGELOG.md)
- [Commits](spotbugs/spotbugs@4.9.8...4.10.1)

---
updated-dependencies:
- dependency-name: com.github.spotbugs:spotbugs
  dependency-version: 4.10.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
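
The USO_UNSAFE_METHOD_SYNCHRONIZATION entry and SEI CERT rule LCK00-J cited in the changelog concern locks that code outside the class can acquire. The Java sketch below is an added example, not code from SpotBugs or from this repository; it contrasts a `synchronized` method with a private final lock object. The class names and the 500 ms timeout are assumptions made for the illustration.

```java
public class PrivateLockDemo {

    /** The lock is the instance itself, so any holder of a reference can take it. */
    static class ExposedCounter {
        private int n;
        public synchronized void increment() { n++; }
    }

    /** Private final lock object (LCK00-J): callers have no way to acquire it. */
    static class PrivateLockCounter {
        private final Object lock = new Object();
        private int n;
        public void increment() {
            synchronized (lock) { n++; }
        }
    }

    /** Returns true if work finishes within 500 ms while this thread holds monitor's lock. */
    static boolean completesWhileHeld(Object monitor, Runnable work) throws InterruptedException {
        Thread t = new Thread(work);
        t.setDaemon(true);
        synchronized (monitor) { // outside code locking on the object it was handed
            t.start();
            t.join(500);         // join waits on t, so monitor stays held
            return !t.isAlive();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        ExposedCounter exposed = new ExposedCounter();
        PrivateLockCounter hardened = new PrivateLockCounter();
        // Blocked: increment() needs the same monitor the caller is holding.
        System.out.println("exposed completes:  " + completesWhileHeld(exposed, exposed::increment));
        // Unaffected: increment() synchronizes on a lock the caller cannot reach.
        System.out.println("hardened completes: " + completesWhileHeld(hardened, hardened::increment));
    }
}
```

With the private lock, holding the instance's monitor no longer stalls `increment()`; this is the stall the rule is meant to prevent when objects are shared with code the class author does not control.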
dependabot[bot] added the dependencies label (Pull requests that update a dependency file) on Jun 9, 2026