fix(deps): update all dependencies j:cdx-227

[renovate-coveo]

This PR contains the following updates:

Package	Type	Update	Change	Age	Adoption	Passing	Confidence
ossf/scorecard-action	action	patch	v2.4.2 -> v2.4.3
step-security/harden-runner	action	patch	v2.13.0 -> v2.13.1
org.mockito:mockito-core	test	minor	5.19.0 -> 5.20.0
com.google.code.gson:gson	compile	patch	2.13.1 -> 2.13.2
org.apache.logging.log4j:log4j-core (source)	compile	patch	2.25.1 -> 2.25.2
org.apache.maven.plugins:maven-javadoc-plugin (source)	build	minor	3.11.3 -> 3.12.0

[skip release]

---

Release Notes

ossf/scorecard-action (ossf/scorecard-action)

v2.4.3

Compare Source

What's Changed

This update bumps the Scorecard version to the v5.3.0 release. For a complete list of changes, please refer to the Scorecard v5.3.0 release notes.

Documentation

• docs: clarify GITHUB_TOKEN permissions needed for private repos by @​pankajtaneja5 in #​1574
• 📖 Fix recommended command to test the image in development by @​deivid-rodriguez in #​1583

Other

• add missing top-level token permissions to workflows by @​timothyklee in #​1566
• setup codeowners for requesting reviews by @​spencerschrock in #​1576
• 🌱 Improve printing options by @​deivid-rodriguez in #​1584

New Contributors

• @​timothyklee made their first contribution in #​1566
• @​pankajtaneja5 made their first contribution in #​1574
• @​deivid-rodriguez made their first contribution in #​1584

Full Changelog: ossf/scorecard-action@v2.4.2...v2.4.3

step-security/harden-runner (step-security/harden-runner)

v2.13.1

Compare Source

What's Changed

• Graceful handling of HTTP errors: Improved error handling when fetching Harden Runner policies from the StepSecurity Policy Store API, ensuring more reliable execution even in case of temporary network/API issues.

• Security updates for npm dependencies: Updated vulnerable npm package dependencies to the latest secure versions.

• Faster enterprise agent downloads: The enterprise agent is now downloaded from GitHub Releases instead of packages.stepsecurity.io, improving download speed and reliability.

Full Changelog: step-security/harden-runner@v2.13.0...v2.13.1

mockito/mockito (org.mockito:mockito-core)

v5.20.0

Compare Source

^{Changelog generated by Shipkit Changelog Gradle Plugin}

5.20.0

• 2025-09-20 - 11 commit(s) by Adrian-Kim, Giulio Longfils, Rafael Winterhalter, dependabot[bot]
• Bump org.assertj:assertj-core from 3.27.4 to 3.27.5 (#​3730)
• Introducing the Ability to Mock Construction of Generic Types (#​2401) (#​3729)
• Bump com.gradle.develocity from 4.1.1 to 4.2 (#​3726)
• Bump graalvm/setup-graalvm from 1.3.6 to 1.3.7 (#​3725)
• Bump org.eclipse.platform:org.eclipse.osgi from 3.23.100 to 3.23.200 (#​3720)
• Bump graalvm/setup-graalvm from 1.3.5 to 1.3.6 (#​3719)
• Bump actions/setup-java from 4 to 5 (#​3715)
• Bump com.gradle.develocity from 4.1 to 4.1.1 (#​3713)
• Bump bytebuddy from 1.17.6 to 1.17.7 (#​3712)
• test: Use Assume.assumeThat for SequencedCollection tests (#​3711)
• Fix #​3709 (#​3710)
• feat: Add support for JDK21 Sequenced Collections. (#​3708)
• Introducing the Ability to Mock Construction of Generic Types (#​2401)

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) in timezone America/Toronto, Automerge - "after 9:00am and before 12:00pm on tuesday, wednesday, thursday" in timezone America/Toronto.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.