Skip to content

Bump org.junit.jupiter:junit-jupiter from 5.7.2 to 6.1.1#46

Open
dependabot[bot] wants to merge 2 commits into
masterfrom
dependabot/gradle/org.junit.jupiter-junit-jupiter-6.1.1
Open

Bump org.junit.jupiter:junit-jupiter from 5.7.2 to 6.1.1#46
dependabot[bot] wants to merge 2 commits into
masterfrom
dependabot/gradle/org.junit.jupiter-junit-jupiter-6.1.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 7, 2026

Copy link
Copy Markdown
Contributor

Bumps org.junit.jupiter:junit-jupiter from 5.7.2 to 6.1.1.

Release notes

Sourced from org.junit.jupiter:junit-jupiter's releases.

JUnit 6.1.1 = Platform 6.1.1 + Jupiter 6.1.1 + Vintage 6.1.1

See Release Notes.

Full Changelog: junit-team/junit-framework@r6.1.0...r6.1.1

JUnit 6.1.0 = Platform 6.1.0 + Jupiter 6.1.0 + Vintage 6.1.0

See Release Notes.

New Contributors

Full Changelog: junit-team/junit-framework@r6.0.3...r6.1.0

JUnit 6.1.0-RC1 = Platform 6.1.0-RC1 + Jupiter 6.1.0-RC1 + Vintage 6.1.0-RC1

See Release Notes.

New Contributors

Full Changelog: junit-team/junit-framework@r6.1.0-M1...r6.1.0-RC1

JUnit 6.1.0-M1 = Platform 6.1.0-M1 + Jupiter 6.1.0-M1 + Vintage 6.1.0-M1

See Release Notes.

New Contributors

Full Changelog: junit-team/junit-framework@r6.0.0...r6.1.0-M1

JUnit 6.0.3 = Platform 6.0.3 + Jupiter 6.0.3 + Vintage 6.0.3

See Release Notes.

... (truncated)

Commits
  • 0d85889 Release 6.1.1
  • 0363eee Finalize 6.1.1 release notes
  • a6d540a Move entry to 6.1.1 release notes
  • 69339d5 Only pass timeout when publishing to avoid failure in nmcp plugin
  • dec2eb9 Allow excluding engines from memory cleanup mode (#5786)
  • a5f4270 Publish sha256/sha512 checksums again but filter out signature ones (#5796)
  • 8213012 Update plugin nmcp-settings to v1.6.0 (#5787)
  • d1bf847 Generate Javadoc for aggregator modules
  • d721de5 Pass --no-fonts to javadoc convention
  • d289ec6 Restore original SetSystemProperty values in a ParameterizedTest (#5720)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [org.junit.jupiter:junit-jupiter](https://github.com/junit-team/junit-framework) from 5.7.2 to 6.1.1.
- [Release notes](https://github.com/junit-team/junit-framework/releases)
- [Commits](junit-team/junit-framework@r5.7.2...r6.1.1)

---
updated-dependencies:
- dependency-name: org.junit.jupiter:junit-jupiter
  dependency-version: 6.1.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels Jul 7, 2026
JUnit 6 requires Java 17+ at runtime, which conflicts with this
project's Java 8 sourceCompatibility/targetCompatibility and with
Gradle's variant-aware dependency resolution (it refuses to resolve
junit-jupiter:6.1.1 against a testCompileClasspath targeting JVM 8).
Scope the test source set's compile target to 17 independently of the
shipped library's Java 8 target, which is unaffected since test
classes aren't published.

Also add an explicit junit-platform-launcher:6.1.1 testRuntimeOnly
dependency, since Gradle 8.14's bundled launcher is incompatible with
junit-platform-engine 6.1.1 ("OutputDirectoryCreator not available").

Regenerate lib/gradle.lockfile, which dependabot did not update -
without this the build fails immediately since junit-jupiter is
locked to 5.7.2.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01UNVF4uDsN8UroVU635P69h
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedmaven/​org.junit.platform/​junit-platform-launcher@​6.1.1361009010070
Updatedmaven/​org.junit.jupiter/​junit-jupiter@​5.7.2 ⏵ 6.1.11001009010070
Updatedmaven/​org.junit/​junit-bom@​5.7.2 ⏵ 6.1.11001009010070 -30

View full report

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
License policy violation: maven org.junit.jupiter:junit-jupiter-api under EPL-2.0

License: EPL-2.0 - The applicable license policy does not permit this license (5) (Maven pom file)

License: EPL-2.0 - The applicable license policy does not permit this license (5) (META-INF/LICENSE.md)

From: lib/gradle.lockfilemaven/org.junit.jupiter/junit-jupiter@6.1.1maven/org.junit.jupiter/junit-jupiter-api@6.1.1

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/org.junit.jupiter/junit-jupiter-api@6.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: maven org.junit.jupiter:junit-jupiter-engine under EPL-2.0

License: EPL-2.0 - The applicable license policy does not permit this license (5) (Maven pom file)

License: EPL-2.0 - The applicable license policy does not permit this license (5) (META-INF/LICENSE.md)

From: lib/gradle.lockfilemaven/org.junit.jupiter/junit-jupiter@6.1.1maven/org.junit.jupiter/junit-jupiter-engine@6.1.1

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/org.junit.jupiter/junit-jupiter-engine@6.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: maven org.junit.jupiter:junit-jupiter-params is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: lib/gradle.lockfilemaven/org.junit.jupiter/junit-jupiter@6.1.1maven/org.junit.jupiter/junit-jupiter-params@6.1.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/org.junit.jupiter/junit-jupiter-params@6.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: maven org.junit.jupiter:junit-jupiter-params under EPL-2.0

License: EPL-2.0 - The applicable license policy does not permit this license (5) (Maven pom file)

License: EPL-2.0 - The applicable license policy does not permit this license (5) (META-INF/LICENSE.md)

From: lib/gradle.lockfilemaven/org.junit.jupiter/junit-jupiter@6.1.1maven/org.junit.jupiter/junit-jupiter-params@6.1.1

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/org.junit.jupiter/junit-jupiter-params@6.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: maven org.junit.jupiter:junit-jupiter under EPL-2.0

License: EPL-2.0 - The applicable license policy does not permit this license (5) (Maven pom file)

License: EPL-2.0 - The applicable license policy does not permit this license (5) (META-INF/LICENSE.md)

From: lib/gradle.lockfilemaven/org.junit.jupiter/junit-jupiter@6.1.1

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/org.junit.jupiter/junit-jupiter@6.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: maven org.junit.platform:junit-platform-commons under EPL-2.0

License: EPL-2.0 - The applicable license policy does not permit this license (5) (Maven pom file)

License: EPL-2.0 - The applicable license policy does not permit this license (5) (META-INF/LICENSE.md)

From: lib/gradle.lockfilemaven/org.junit.jupiter/junit-jupiter@6.1.1maven/org.junit.platform/junit-platform-launcher@6.1.1maven/org.junit.platform/junit-platform-commons@6.1.1

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/org.junit.platform/junit-platform-commons@6.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: maven org.junit.platform:junit-platform-engine under EPL-2.0

License: EPL-2.0 - The applicable license policy does not permit this license (5) (Maven pom file)

License: EPL-2.0 - The applicable license policy does not permit this license (5) (META-INF/LICENSE.md)

From: lib/gradle.lockfilemaven/org.junit.jupiter/junit-jupiter@6.1.1maven/org.junit.platform/junit-platform-launcher@6.1.1maven/org.junit.platform/junit-platform-engine@6.1.1

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/org.junit.platform/junit-platform-engine@6.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: maven org.junit.platform:junit-platform-launcher under EPL-2.0

License: EPL-2.0 - The applicable license policy does not permit this license (5) (Maven pom file)

License: EPL-2.0 - The applicable license policy does not permit this license (5) (META-INF/LICENSE.md)

From: lib/gradle.lockfilemaven/org.junit.platform/junit-platform-launcher@6.1.1

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/org.junit.platform/junit-platform-launcher@6.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: maven org.junit:junit-bom under EPL-2.0

License: EPL-2.0 - The applicable license policy does not permit this license (5) (Maven pom file)

From: lib/gradle.lockfilemaven/org.junit/junit-bom@6.1.1

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/org.junit/junit-bom@6.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Copy link
Copy Markdown

Review summary

I reviewed this bump, tested the build locally, and pushed fixes to this branch (2 files, lib/build.gradle and lib/gradle.lockfile). Details below.

Usage across the codebase

junit-jupiter is used only under lib/src/test/java (18 test files, testImplementation scope — never shipped in the published artifact). APIs in use: @Test, @BeforeEach, @ParameterizedTest/@MethodSource, @Timeout, and Assertions (assertEquals, assertThrows, assertNull, fail), plus WireMock's @WireMockTest (from wiremock-jre8:2.32.0), which relies on the JUnit 5 extension/ParameterResolver API. None of this usage is affected by anything removed/renamed in JUnit 6 — no @Nested, @Tag, @ExtendWith, EngineTestKit, or Constants usage that hit the deprecated/removed surface called out in the 6.0/6.1 release notes.

Changelog (5.7.2 → 6.1.1)

The only breaking change relevant here is JUnit 6.0 raised the baseline to Java 17 at runtime ("JUnit requires Java 17 or higher at runtime" per the official user guide) — Platform, Jupiter, and Vintage were also consolidated to one version number. Everything else in the 6.0/6.1 notes (removal of junit-platform-runner/junit-platform-jfr, Vintage deprecation, Constants package move, Kotlin suspend support, FastCSV for @CsvSource) doesn't touch anything this repo uses.

What I actually found breaks the build

This is the important part — the PR as submitted does not build at all, for two independent reasons, verified by running gradle locally against the PR branch:

  1. The dependency lockfile was never updated. This repo turned on Gradle dependency locking (lib/gradle.lockfile) in the immediately preceding commit, and Dependabot's gradle support doesn't update lockfiles. The lockfile still strictly pins junit-jupiter:5.7.2, so resolution fails outright: Cannot find a version of 'org.junit.jupiter:junit-jupiter' that satisfies the version constraints. This looks to be the first bump PR to hit this repo since locking was added, so it's a gap in the new locking+Dependabot setup rather than a one-off.
  2. JUnit 6 refuses to resolve against this project's Java 8 target. lib/build.gradle sets sourceCompatibility/targetCompatibility = VERSION_1_8 for the whole project (main and test). Gradle's variant-aware resolution then rejects junit-jupiter:6.1.1 outright: "Dependency resolution is looking for a library compatible with JVM runtime version 8, but 'org.junit.jupiter:junit-jupiter:6.1.1' is only compatible with JVM runtime version 17 or newer." This isn't a JDK-8-runtime problem, it fails on any JDK, including 17/21, as long as the target attribute says 8.
  3. (Found after fixing Jhonny/ev 806 create a java sdk #2) Gradle 8.14's bundled junit-platform-launcher is too old for junit-platform-engine:6.1.1 (OutputDirectoryCreator not available; probably due to unaligned versions...), which is a known/documented requirement when moving to newer JUnit Platform — needs an explicit testRuntimeOnly dependency.

What I changed

  • lib/build.gradle: added tasks.named('compileTestJava') { sourceCompatibility/targetCompatibility = VERSION_17 }, scoped only to the test source set — the shipped library jar still targets Java 8 (compileJava untouched), so this doesn't change the SDK's compatibility promise to consumers.
  • lib/build.gradle: added testRuntimeOnly 'org.junit.platform:junit-platform-launcher:6.1.1' to fix the launcher/engine mismatch above.
  • lib/gradle.lockfile: regenerated (--write-locks) to actually reflect 6.1.1 across the junit artifacts, plus their transitive bumps (opentest4j 1.2.0→1.3.0, apiguardian-api 1.1.0→1.1.2, new jspecify dependency).

With these changes: full gradle build succeeds, and gradle test runs all 121 tests — 106 pass. The remaining 15 failures are in EndToEndTests (real HTTP calls to api.evervault.com using TEST_EV_APP_ID/TEST_EV_API_KEY CI secrets); I confirmed these fail identically on the unmodified master baseline with the old JUnit 5.7.2 in my sandbox (no network/credentials available there), so they're pre-existing and unrelated to this bump.

Is this safe to merge? — Not without also touching CI

The code changes above are correct and sufficient to make the project build and test successfully on JDK 17 and 21. However, .github/workflows/sdk.yml runs the unit test job across a matrix of java-version: ['8', '11', '16', '17', '21']. JUnit 6 cannot execute on JDK 8, 11, or 16 at all — this is a hard, documented requirement change, not something fixable with build.gradle tweaks — so those three CI legs will fail even with my fixes applied, every time, regardless of what else changes.

That leaves two real options for a maintainer to choose (not something I felt was mine to decide unilaterally in a dependency-bump PR):

  1. Drop JDK 8/11/16 from the CI test matrix if the team is fine no longer verifying the SDK against those runtimes (note: this doesn't change what the published jar targets — compileJava is still Java 8 — only what's tested in CI), or
  2. Don't take this major bump. Stay on the JUnit 5.x line (e.g. latest 5.13.x) instead, which has no such runtime floor and needs none of the above workarounds. Given this repo's dependabot config only auto-groups minor/patch updates, you may want to ·@·d·ependabot i·gnore t·his major version here and let it continue proposing 5.x patch/minor bumps instead.

I did not modify the CI workflow myself. Recommend holding this PR until one of the two options above is chosen.


Generated by Claude Code

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file java Pull requests that update java code

Development

Successfully merging this pull request may close these issues.

2 participants